AnonymFlow
privacy-best-practicesINFO

Tor over VPN: 2026 Configuration and Threat Model (Complete Guide)

Tor over VPN vs VPN over Tor: distinct threat models, Tor-friendly providers (Mullvad, IVPN, ProtonVPN), Tor Browser + VPN setup, performance impact, and real use cases (journalists, activists, researchers).

By Eric Gerard · Editor · AnonymFlow14 min readPhoto via Unsplash

Combining Tor and VPN is the most robust privacy architecture available in 2026 - used by investigative journalists (Guardian, ProPublica, Le Monde), activists in restrictive regimes (RSF documents usage), whistleblowers (SecureDrop mandates it) and security researchers analyzing the dark web. For the general context on how the two tools differ and when to combine them, see Tor vs VPN: difference and combination. Configuration isn't magic: there's Tor over VPN and VPN over Tor, with opposite threat models, and the wrong choice can negate the sought anonymity. Here's the step-by-step Tor over VPN setup on Windows, macOS, Linux, the comparison of Tor-friendly VPNs (Mullvad, IVPN, ProtonVPN, NordVPN), legitimate use cases and pitfalls to avoid.

Tor over VPN vs VPN over Tor: choosing the right threat model

The first technical decision is understanding the architecture difference between the two modes.

Tor over VPN (standard architecture):

Your client → VPN tunnel → Tor network (3 relays) → Final site

Your ISP sees only the HTTPS connection to the VPN server - completely invisible ISP-side that you use Tor. The VPN sees your real IP but not your traffic content (encrypted in Tor). The Tor entry node sees the VPN's IP (not your real IP). The exit node sees Tor decrypted traffic going to the final site, without being able to link to you.

VPN over Tor (inverted architecture, rare):

Your client → Tor network (3 relays) → VPN tunnel → Final site

Your ISP sees the connection to Tor entry (so knows you use Tor). The entry node sees your real IP. The exit node sees VPN IP. The VPN sees your traffic but not your real IP (only exit node IP). The final site sees VPN IP.

CriterionTor over VPNVPN over Tor
ISP knows you use TorNoYes
VPN knows your real IPYesNo
SetupSimpleComplex (mandatory Onion-Router VPN)
Recommended use95% of casesInvestigation where VPN partially compromised
LatencyHighVery high
Bypass Tor blocking in restrictive countryYesNo

2026 recommendation: Tor over VPN in 95% of legitimate cases. It's the mode natively supported by Tor-friendly VPNs. VPN over Tor is only useful in exceptional cases where you don't trust the VPN on your real IP (for example journalistic investigation involving the VPN's jurisdiction country).

Which VPNs are truly Tor-friendly in 2026?

Four options dominate the market, with distinct privacy philosophies.

Mullvad (Sweden)

  • Price: ~€5/month flat, no commitment, no multi-year plan.
  • Account anonymity: random numeric identifier generation (no mandatory email). Payment accepted in cash (mailing with euro bills to their Gothenburg address), Monero (XMR), Bitcoin, or credit card if you accept this compromise.
  • Audit: Cure53 2024 (most recent), Assured Cybersecurity 2022, 2018.
  • No-log: no connection logs, confirmed by audit. No activity logs.
  • Tor compatibility: official documentation for Tor over VPN (mullvad.net/help/tor-and-mullvad-vpn).
  • Jurisdiction: Sweden (EU, outside 9/14 Eyes but under EU directives).

Strengths: strict privacy philosophy, genuinely anonymous payment, recent Cure53 audit, publicly named transparent team. Limits: price uncompetitive vs long-term offers, ~700 servers (modest vs 5000+ NordVPN), no dedicated 24/7 support.

IVPN (Gibraltar)

  • Price: ~€6/month on annual plan.
  • Account anonymity: random numeric identifier, no mandatory email. Monero, Bitcoin, cash payment via Privacy.com.
  • Audit: Cure53 2024, 2023, 2022 (regular annual audit).
  • No-log: audit confirms no logs, transparent policy.
  • Tor compatibility: native multihop (chain 2 VPN servers before Tor) - native configuration in the application.
  • Jurisdiction: Gibraltar (outside EU, outside Eyes Alliances, privacy-friendly jurisdiction).

Strengths: annual Cure53 audits (most regular on the market), powerful native multihop, partial open source app code. Limits: niche market, only ~100 servers (but quality > quantity), price higher than budget offers.

ProtonVPN Plus (Switzerland)

  • Price: ~€8/month on 2-year plan.
  • Account anonymity: mandatory email (can be Proton Mail anonymous created in parallel). Bitcoin, mail cash payment accepted.
  • Audit: SEC Consult 2024, 2022, 2021 (regular triennial audit).
  • No-log: audit confirms no logs, but Swiss jurisdiction imposes 6-month metadata retention (no content) per LSIPC 2018. Honestly documented compromise.
  • Tor compatibility: native 'Tor over VPN' feature - dedicated servers automatically routing to Tor (Secure Core + Tor option).
  • Jurisdiction: Switzerland (outside EU, outside Eyes Alliances, but under LSIPC).

Strengths: native Tor integration without Tor Browser config needed, complete ecosystem (Proton Mail, Drive, Calendar, Pass), ex-CERN team. Limits: Swiss jurisdiction weaker than before (LSIPC 2018), limited free plan, higher price than Mullvad/Surfshark.

NordVPN Onion Over VPN (Panama)

  • Price: ~€3-5/month on 2-year plan.
  • Account anonymity: mandatory email. Bitcoin, Monero, gift card payment accepted.
  • Audit: Deloitte 2025, 2024, 2023; PwC 2022. Regular Big Four audits.
  • No-log: audit confirms no activity or connection logs. Transparent policy.
  • Tor compatibility: dedicated 'Onion Over VPN' servers in the client (specialized category) that automatically route traffic to Tor - no separate Tor Browser needed.
  • Jurisdiction: Panama (outside EU, outside Eyes Alliances, privacy-friendly jurisdiction).

Strengths: most competitive price of the four, mature ecosystem, 24/7 multilingual support, 5000+ servers, NordLynx (WireGuard) fastest on market, Onion Over VPN integration without config. Limits: mandatory email (less anonymous than Mullvad/IVPN cash), Panama jurisdiction theoretically excellent but Lithuania EU structure partially subjects to EU pressure.

Editorial pick
4.6 / 5

NordVPN Onion Over VPN - Dedicated Tor servers

Deloitte 2025 audit · Panama jurisdiction · 30-day money back

Deloitte audit 202430-day guarantee14M+ users
See the offer

Step-by-step Tor over VPN setup

A laptop open on a desk
A laptop open on a desk

Step 1 - Prepare the VPN

  1. Subscribe to a Tor-friendly VPN among the four listed. Monero or Bitcoin payment if account anonymity required.
  2. Install the official VPN client (never a third-party version that may be backdoored).
  3. Configure kill switch: enable in system mode (not app mode). Blocks all out-of-tunnel traffic if VPN drops.
  4. Enable DNS Leak Protection in advanced settings.
  5. Disable IPv6 in settings if VPN doesn't handle it natively.
  6. Choose server: Tor-friendly country recommended - Netherlands, Switzerland, Sweden, Romania. Avoid restrictive countries or those with massive history of US authority cooperation (Germany, France, UK).

Step 2 - Verify VPN before Tor

  1. Open ipinfo.io in a classic browser → displayed IP must be VPN server's.
  2. Open dnsleaktest.com Extended Test → only VPN resolvers should respond.
  3. Open browserleaks.com/webrtc → no public IP out of tunnel should appear.

If one of these tests fails, do not launch Tor. Fix VPN first. Full methodology to audit all 5 leak vectors before launching Tor: complete VPN leak test.

Step 3 - Install and launch Tor Browser

  1. Download Tor Browser at torproject.org/download - verify PGP signature of download (gpg --verify) to ensure it wasn't altered in transit.
  2. Install in a dedicated folder, ideally encrypted (Windows BitLocker, macOS FileVault, Linux LUKS).
  3. Launch Tor Browser. On first start, welcome screen with two options:
    • 'Connect': direct connection to Tor network. Choose this option since you're already going through VPN (bridges unnecessary).
    • 'Configure': for obfuscated bridges if Tor is blocked country-level (rare situation with VPN upstream).
  4. Tor Browser establishes the circuit (3 relays) in 5-15 seconds. DuckDuckGo home page displays.

Step 4 - Verify double tunnel

  1. On check.torproject.org → 'Congratulations. This browser is configured to use Tor.' message confirms Tor active.
  2. On ipinfo.io (in Tor Browser this time) → displayed IP must be a Tor exit node, completely different from your VPN.
  3. On dnsleaktest.com → DNS must be exit node's (typically non-ISP public resolvers).
  4. Click shield icon top right of Tor Browser → choose Security Level: Safest to disable JavaScript (recommended for sensitive use).

Operational security: never log into personal accounts from Tor Browser. Behavior patterns compromise anonymity even with perfect configuration.

Step 5 - Secure usage

Hygiene rules during Tor over VPN session:

  • Don't open downloaded files (PDF, DOCX) outside Tor session - metadata can leak real IP at open time.
  • Don't enable JavaScript for very sensitive use (Safest Mode).
  • Don't resize browser window (fingerprint on resolution).
  • Renew circuit (broom icon) if suspicious network behavior.
  • Close Tor Browser then VPN, not the reverse.

Performance and real impact

In terms of speed, the typical order of magnitude is as follows:

  • Without VPN or Tor: you get your line's full throughput.
  • VPN alone: a good modern VPN (WireGuard protocol) only costs a fraction of throughput.
  • VPN + Tor: usable throughput drops sharply, usually to just a few Mbps, with markedly higher latency.

These orders of magnitude vary with your connection, the VPN server chosen and the current Tor circuit - Tor offers no throughput guarantee.

Speed impact is dramatic but conscious: Tor routes your traffic through 3 volunteer relays across the world, and each one limits throughput by its bandwidth. Usable throughput over Tor stays low (a few Mbps) because the network's total capacity depends on the hardware and bandwidth donated by volunteers.

In practice, text web browsing stays fluid and imperceptible - Google or DuckDuckGo searches take 3 to 5 seconds per query, which is highly acceptable. Reading long media-light articles flows fine. SD video streaming is technically possible but choppy, and remains ethically discouraged because it saturates the Tor bandwidth maintained by volunteers for critical use cases. HD or 4K streaming is simply impossible. Heavy file downloads are both technically infeasible and impolite, and video conferencing is excluded because added latency exceeds the operating threshold of modern audio-video protocols.

The speed-vs-anonymity trade-off is conscious and accepted for the legitimate uses this architecture is designed to serve.

Understanding when Tor over VPN is enough and when it isn't

Many privacy beginners adopt Tor over VPN thinking it's the "maximum" option that will cover every possible threat model. That approach is misleading because it conflates two distinct concepts: anonymity (impossibility of associating an activity with an identified individual) and operational security (resistance to specific adversaries with determined capabilities). Tor over VPN considerably improves anonymity but does not guarantee operational security against targeted adversaries.

Tor over VPN is largely sufficient for level 1 and 2 threat models: avoiding commercial profiling by ad networks, escaping passive mass surveillance by ISPs and States in consolidated democracies, bypassing geographic content blocks, and publishing anonymously on forums or sites where the final service operator doesn't actively collaborate with your adversary. For 99% of journalists, academic researchers in sensitive social sciences, and activists operating in democratic countries, this configuration is state of the art.

Tor over VPN becomes insufficient for level 3+ threat models, which imply adversaries with significant capabilities. First case: an adversary controlling both your ISP and the final service you visit. In that scenario, timing correlation techniques can deanonymize even Tor traffic, regardless of VPN. Second case: an adversary able to run code on your endpoint. If your OS or browser is compromised before you launch Tor Browser, network anonymity is useless because the user identifier is exposed at the application layer. Third case: an adversary with access to your physical identity and ability to apply coercive pressure on you personally (state intelligence of an authoritarian state, or organized crime). In that scenario, even the best technical protocol doesn't replace the physical security of your person and equipment.

For these level 3+ threat models, the appropriate configuration combines Tor over VPN with other layers: Tails OS (live amnesic operating system), multi-hop VPN on ProtonVPN Secure Core or IVPN Multihop, physical separation of devices (a laptop dedicated only to sensitive activity, never used for anything else), and strict operational procedures (never cross-contamination between real and Tor identity, never communicate via unencrypted channels about Tor activity). These measures fall under operational security in the military sense and far exceed the scope of a simple VPN+Tor configuration guide.

Legitimate use cases in 2026

Tor over VPN is over-engineering for general privacy use. It's the appropriate architecture for:

Investigative journalism

Many investigative outlets (the Guardian, ProPublica, NY Times, Süddeutsche Zeitung…) run a SecureDrop instance to receive documents from sensitive sources. SecureDrop, the anonymous submission platform built by the Freedom of the Press Foundation, mandates Tor (without Tor, the submitter's IP would be traceable).

Activists in restrictive regimes

Several countries (Russia, Iran, China, UAE…) partially block Tor. An obfuscated VPN upstream renders Tor usage invisible to the ISP. Press-freedom organizations such as Reporters Without Borders publish digital-security guides recommending Tor and bridges for journalists operating in these countries.

Whistleblowers

SecureDrop programs (Freedom of the Press Foundation) mandate Tor for submissions to the newsrooms that host an instance (NY Times, Washington Post, ProPublica, Guardian…). Adding a VPN upstream additionally hides Tor usage from the submitter's ISP.

Security researchers

Cybercriminal market analysis, dark web threat intelligence research, malware infrastructure audit. Accessing these resources through Tor (ideally from an isolated machine such as Whonix/Tails) avoids exposing the researcher's real IP.

Human rights lawyers

Confidential client communication on human rights cases. Protects attorney-client privilege against state interception.

Conversely, for average user seeking privacy: audited no-log VPN alone suffices largely, without requiring Tor.

Known pitfalls to avoid

Pitfall 1 - No system kill switch enabled. If VPN drops during Tor session, your real IP appears to Tor entry node. Always enable kill switch in system mode before launching Tor Browser.

Pitfall 2 - Mixing Tor Browser and classic browser simultaneously. Cross-context cookies, correlated fingerprint, shared identifiers can deanonymize. Tor Browser exclusively during sensitive session.

Pitfall 3 - Personal account login in Tor Browser. Logging into Gmail, Facebook, LinkedIn in Tor identifies exit node with your real identity. Never log to personal accounts in Tor.

Pitfall 4 - IPv6 active. Tor only routes IPv4. If IPv6 is active and not blocked by VPN, your ISP IPv6 prefix can leak. Disable system IPv6 or use VPN with 'Block IPv6'.

Pitfall 5 - Downloaded files opened outside Tor. EXIF photo metadata, GPS, Office document identifiers can leak your real identity at open time outside Tor session. Open only in isolated environment (VM, Tails OS).

Pitfall 6 - Free VPN upstream of Tor. Free VPNs resell data, log sessions, some inject malware. Completely negates Tor anonymity. Always independently audited no-log VPN.

Pitfall 7 - Long Tor session. The longer a session, the more identifiable patterns it accumulates. Renew circuit (NewIdentity) every 30-60 min for sensitive use.

Alternatives to Tor over VPN

For specific use cases where Tor is too slow or its ecosystem incompatible:

  • Multi-hop VPN alone: ProtonVPN Secure Core, Mullvad Multihop, IVPN Multihop. Weaker anonymity (3 hops at same operator vs 3 decentralized Tor hops) but acceptable speed.
  • I2P (Invisible Internet Project): alternative anonymous network optimized for internal services (eepsites). Faster than Tor on P2P.
  • Lokinet: Oxen blockchain onion routing, integrated payment, intermediate speed.
  • Tails OS: USB live system with built-in Tor, zero-trace environment after reboot. Essential for ultra-sensitive use (whistleblower, confidential source).
  • Whonix VM: Tor-only virtual machine secured, OS-level isolation rather than browser only.

For 95% of general privacy cases, audited no-log VPN alone suffices. Tor over VPN is justified when absolute anonymity prevails over speed and UX.

Key takeaways

Tor over VPN is the most robust privacy architecture available in 2026, but also the most demanding: precise configuration, heavily degraded performance (throughput reduced to a few Mbps), operational discipline (no personal accounts, IPv6 disabled, system kill switch). It's the appropriate tool for investigative journalists, restrictive-country activists, whistleblowers, security researchers - not for daily privacy use.

Four VPNs dominate the Tor-friendly market in 2026: Mullvad (Sweden), IVPN (Gibraltar), ProtonVPN Plus (Switzerland), NordVPN (Panama). Each has its philosophy. Choice depends on the trade-off between price, account anonymity, native Tor integration, and network size. For the foundational rationale (data brokers, fingerprinting, breaches) justifying this level of investment, see why digital privacy matters in 2026.

Editorial pick
4.6 / 5

NordVPN - Dedicated Onion Over VPN servers

Tor over VPN without configuration · Deloitte 2025 audit · 30-day money back

Deloitte audit 202430-day guarantee14M+ users
See the offer

Deepen anonymity and advanced privacy

Editorial pick
4.4 / 5

Privacy-first VPN → Proton VPN

Audited no-logs · Swiss jurisdiction · open-source · free tier

SEC Consult audit 2024Swiss jurisdictionOpen-source
See the offer
Everything you need to know.

Frequently asked questions

What's the concrete difference between Tor over VPN and VPN over Tor?

Two distinct architectures with opposite threat models. **Tor over VPN** (most common): your client → VPN → Tor network → final site. Your ISP only sees the VPN connection, the VPN sees your real IP, the Tor entry node sees the VPN IP (not your real IP), the exit node sees decrypted Tor traffic. Advantage: your ISP doesn't know you use Tor (useful in restrictive countries). Drawback: you trust the VPN on your real IP. **VPN over Tor** (rarer): your client → Tor network → VPN → final site. Your ISP sees Tor entry, entry node sees your real IP, exit node sees VPN IP, site sees VPN IP. Advantage: the VPN doesn't know your real IP. Drawback: your ISP knows you use Tor. For 95% of privacy use cases, Tor over VPN is preferable. VPN over Tor remains useful in specific journalistic investigation cases where the VPN is partially compromised.

Why use Tor over VPN instead of Tor alone?

Three technical benefits. (1) **Hide Tor usage from your ISP**. Without VPN, your ISP sees you connecting to Tor relays (relay IPs are publicly listed on [metrics.torproject.org](https://metrics.torproject.org/)). In restrictive countries (China, Russia, Iran, UAE), Tor is partially blocked and its use can draw attention. With Tor over VPN, your ISP only sees the HTTPS connection to the VPN. (2) **Protection if the entry node is compromised**. The entry node knows your real IP. Because Tor is an open network where anyone can run a relay, some nodes may be operated by malicious or surveillance actors - which is exactly the risk the 3-relay design aims to mitigate. If you hit a compromised entry node without VPN, your real IP is exposed; with VPN, the entry node only sees the VPN IP. (3) **Sometimes improved latency** on certain network paths (rare). Major drawback: you shift trust to the VPN. Solution: independently audited no-log VPN (Mullvad, IVPN, ProtonVPN have all commissioned independent audits in recent years).

Which VPNs are truly Tor-friendly in 2026?

Four VPNs stand out for active Tor compatibility and privacy philosophy. **Mullvad** (Sweden, ~€5/month): anonymous cash/Monero payment accepted, Cure53 2024 audit, port forwarding included, strict no-log, documented Tor over VPN support. **IVPN** (Gibraltar, ~€6/month): Cure53 2024 audit, Monero payment, native multihop (chain multiple VPN servers before Tor), strict no-log. **ProtonVPN Plus** (Switzerland, ~€8/month): Secure Core (multihop Iceland → Sweden → Switzerland → final), SEC 2024 audit, native Tor integration via 'Tor over VPN' feature on certain servers, crypto payment. **NordVPN Onion Over VPN** (Panama, ~€3-5/month): dedicated 'Onion Over VPN' servers that automatically route traffic to Tor without manual configuration, Deloitte 2025 audit. To avoid for Tor: free VPNs, US VPNs (CLOUD Act exposable), VPNs without recent independent audit. These four options represent ~95% of the Tor-friendly market in 2026.

How to configure Tor Browser with a VPN on Windows / macOS?

Standardized procedure in 4 steps. (1) **Connect VPN first**. Launch NordVPN/Mullvad/ProtonVPN, select a server in Tor-friendly country (Netherlands, Switzerland, Sweden). Verify IP changed on [ipinfo.io](https://ipinfo.io/). Enable kill switch in system mode. (2) **Launch Tor Browser** ([torproject.org](https://www.torproject.org/download/)). On first launch, choose 'Connect' directly - no need for bridges since you're already going through VPN. Tor Browser establishes the circuit (3 relays) automatically. (3) **Verify double tunnel**: on [check.torproject.org](https://check.torproject.org/) confirm Tor works. On [ipleak.net](https://ipleak.net/) confirm IP displayed is exit node Tor (different from your VPN). Test DNS leak via dnsleaktest.com - no ISP DNS should appear. (4) **Usage**: navigate normally in Tor Browser. JavaScript disabled by default on Security Level 'Safest' - recommended for sensitive use. Cookies, history, cache erased on each close. To shut down properly: close Tor Browser then disconnect VPN.

Does Tor over VPN really slow speed down a lot?

Yes, the speed degradation is significant and inevitable by design. Tor routes your traffic through 3 successive relays chosen from the network's thousands of nodes, each adding latency and limiting throughput according to its bandwidth. Because those relays are run by volunteers with limited bandwidth, usable throughput over Tor is generally low (on the order of a few Mbps), well below a VPN-only connection. Practical implications: text web browsing fluid, search fluid, SD video possible but choppy, HD video difficult to impossible, large file downloads discouraged (time-consuming and impolite vis-à-vis the Tor network - use BitTorrent or direct download via VPN instead of overloading Tor). The speed vs anonymity trade-off is real and conscious.

Who should actually use Tor over VPN in 2026?

Highly targeted use cases where anonymity justifies the speed trade-off. (1) **Investigative journalism**: corruption investigations, exposing government activities, confidential source communications - one of Tor's historical audiences. (2) **Activists in restrictive countries**: where Tor alone can be traceable ISP-side, the upstream VPN hiding Tor usage. (3) **Whistleblowers**: SecureDrop (Freedom of the Press Foundation) requires Tor for anonymous submissions to many newsrooms (ProPublica, NY Times, Guardian, Washington Post…). (4) **Security researchers analyzing the dark web**: malware analysis on underground marketplaces, threat intelligence research. (5) **Lawyers handling ultra-sensitive files**: confidential client communication on human rights cases. Conversely, **average user seeking privacy**: audited no-log VPN alone is largely sufficient, Tor on top is over-engineering that degrades UX without proportional protection gain.

Are all Tor nodes reliable in 2026?

No, that's precisely why the network uses 3 relays to spread trust. Since Tor is an open, volunteer-run network, anyone can run a relay - so some of them may be operated by hostile or surveillance actors. The Tor project monitors and publishes the list of detected 'bad relays' that get excluded (typically nodes doing SSL stripping, malware injection, or DNS poisoning). The network has several thousand active nodes, a portion of which are exit nodes (live figures on [metrics.torproject.org](https://metrics.torproject.org/)). Concrete risk: an attacker controlling both entry AND exit node simultaneously can attempt temporal correlation (timing attack) and deanonymize. The network is designed to make this unlikely for occasional use, but it remains a real risk for massive or targeted use. Mitigation: use Tor over VPN (VPN hides Tor entry from ISP), regularly change circuit (NewIdentity in Tor Browser), avoid recognizable patterns (personal account login).

Are there alternatives to Tor for strong anonymity?

Four alternatives to know, each with trade-offs. **I2P (Invisible Internet Project)**: alternative peer-to-peer anonymous network, optimized for internal services ('eepsites') rather than classic web. Faster than Tor on P2P, slower on external web. **Freenet / Hyphanet**: distributed storage network for anonymous publication. Not a general anonymizer. **Lokinet**: onion routing network based on Oxen blockchain, integrated payment, faster than Tor but more restricted ecosystem. **Multi-hop VPN alone**: ProtonVPN Secure Core (Iceland → Sweden → Switzerland chain), Mullvad Multihop, IVPN Multihop. Weaker anonymity than Tor (3 hops vs centralized at same VPN operator) but acceptable speed (300+ Mbps possible). For privacy use in 99% of cases, multi-hop VPN suffices; for absolute anonymity (dissident journalism, whistleblower), Tor remains the reference. The Tor over VPN combo remains the gold standard even in 2026.

How to verify my Tor over VPN config doesn't leak?

Six standardized audit tests to run in order after config. (1) **IP visible site-side**: go to [ipinfo.io](https://ipinfo.io/) in Tor Browser. Displayed IP must belong to a Tor exit node (verifiable on [metrics.torproject.org/exonerator](https://metrics.torproject.org/exonerator.html)), different from your VPN IP visible in the VPN client. (2) **DNS leak**: [dnsleaktest.com](https://www.dnsleaktest.com/) Extended Test. DNS resolver must be the exit node's (typically independent public resolvers), not your ISP. (3) **WebRTC leak**: [browserleaks.com/webrtc](https://browserleaks.com/webrtc). Tor Browser disables WebRTC by default, verify no IP appears. (4) **IPv6 leak**: [test-ipv6.com](https://test-ipv6.com/). Tor routes only IPv4. If IPv6 visible, disable system IPv6. (5) **Fingerprinting**: [amiunique.org](https://amiunique.org/). Tor Browser standardizes certain values (screen resolution, fonts) - your fingerprint should be 'common among N visitors'. (6) **Confirm Tor active**: [check.torproject.org](https://check.torproject.org/) must display 'Congratulations. This browser is configured to use Tor.' If a single test fails, reconfigure before sensitive use.