AnonymFlow
securite-reseauINFO

Tor vs VPN: differences, how they complement each other, and real risks (2026)

How Tor and VPN work, what each actually protects, when to combine them (Tor over VPN or VPN over Tor), and the real limitations you need to understand before confusing anonymity with privacy.

By Eric Gerard · Editor · AnonymFlow19 min readPhoto: Unsplash

Tor and VPN are often mixed up in the media and in online talk, even though they solve two different problems and are not swappable. A VPN is an everyday privacy tool. It masks your IP, encrypts your traffic on untrusted networks, and gets past geographic blocks. Tor is a strong anonymity tool. It splits your real identity from your online activity, at the cost of slower speeds and a worse UX. Mixing the two leads to two matching mistakes: using Tor for Netflix (sure frustration), or using a free VPN for high-stakes tasks (a false sense of safety).

This guide compares the two tools in close detail: how they work, what they promise, their limits, their proper use cases, and ways to pair them. It is for readers who want to grasp what protection they are really buying with each tool, and make a sound choice based on their threat model.

How do Tor and VPN work differently?

VPN routes all your traffic through one encrypted tunnel to one provider server - fast (200–500 Mbps), but the provider sees where you go. Tor sends your traffic through three random volunteer relays. Each one sees only its next-door neighbour, so no single node knows the full path, but speeds drop to 1–5 Mbps. They solve different problems: privacy vs. anonymity.

The best way to grasp the difference is to picture what happens under the hood when you load a web page with each tool. Both encrypt traffic, but the shape of their network is very different.

VPN setup - point-to-point tunnel. When you turn on a VPN client, your device opens an encrypted link to one server run by your provider (NordVPN, ExpressVPN, Mullvad, ProtonVPN). All your IP traffic is wrapped in that tunnel via a protocol such as WireGuard, OpenVPN, or IKEv2. The VPN server decrypts the traffic at its end. Then it sends it on to the target site using its own IP as the source address. The visited site sees the VPN server's IP. Your ISP or hotspot sees only an encrypted flow toward the VPN server. There is no data about where you end up and no data about content. The VPN provider, though, sees everything. It knows who you are (you have a paid account, a source IP, sometimes a linked payment card) and could in theory log where you go. This is why outside no-log audits (PwC for NordVPN, KPMG then Cure53 for ExpressVPN, Cure53 for Mullvad) are the main test when picking a trusted provider.

Tor setup - three-hop onion routing. Tor (The Onion Router) does not link you to one server. It links you to a circuit of three nodes in a row, picked at random from a pool of about 7,000 relays run by volunteers worldwide. Your Tor client encrypts your packet three times - one layer per relay, like the layers of an onion. The entry node (guard) gets your packet, peels the first layer, and sees the address of the next node but not the end target or the content. The middle node peels the second layer. It knows neither where the packet first came from nor where it ends up. The exit node peels the last layer. It sees the content and the end target, but does not know who first sent it. No single node knows the full path. That is the core idea of onion routing, set out in the Tor Project reference documentation and worked out as far back as the 1990s by the US Naval Research Laboratory.

What this means for trust. With a VPN, you put your trust in one single actor (the provider). If that actor is honest, audited, and outside a problem jurisdiction, you are well protected. If not, you have gained nothing. With Tor, you put your trust in the spread of the network. As long as no adversary controls both the entry and exit nodes of your circuit at once, your anonymity holds. That is a statistical guarantee, not an absolute one. An actor that controls 20% of nodes would have a real chance to de-anonymise some circuits over time. The trade-off is clear: VPN = checkable trust in one place, Tor = spread-out but odds-based trust.

The details of Tor's encryption rely on standard building blocks - ntor handshake (NIST P-256), layer-by-layer AES-CTR encryption, TLS between relays - set out in the official Tor specification. For modern VPNs, WireGuard uses Curve25519 for key exchange and ChaCha20-Poly1305 for encryption. It is a lean protocol (4,000 lines of code vs ~70,000 for OpenVPN), formally audited and widely used since 2020.

Tor vs VPN: side-by-side comparison of security, speed, anonymity, and legality

Both are legal everywhere in the UK, US, and EU. A VPN wins on speed (200–500 Mbps vs 1–5 Mbps), ease of use, and streaming. Tor wins on true anonymity - no single actor knows who you are or where you go. VPNs hide traffic from ISPs but not from the provider itself. Tor hides it from everyone, at a big speed cost.

The table below sums up the criteria most often weighed between the two tools. Read it column by column. Each criterion counts for more or less based on your threat model.

CriterionAudited VPNTorTor over VPN
Content encryptionYes (AES-256 or ChaCha20)Yes (AES layer by layer)Yes (both)
Hides IP from visited siteYes (VPN server IP)Yes (exit node IP)Yes (exit node IP)
Hides IP from ISPYesYesYes
Provider knows your activityYes (mitigated by no-log audit)No (no single actor does)VPN knows you use Tor
Typical speed (UK/US)200–500 Mbps1–5 Mbps1–5 Mbps
Latency10–50 ms200–800 ms200–800 ms
Netflix/Disney+ streamingYes (geo-unblocking possible)No (speed insufficient, exit IPs blacklisted)No
Legal in UK/US/EUYesYesYes
Cost£3–12/monthFree£3–12/month (the VPN)
Target adversaryISP, hotspots, commercial sitesMass surveillance, state censorshipMix
Ease of useOne-click activationDedicated Tor Browser downloadCombined setup

How to read this table. For everyday use - safety on public Wi-Fi, masking your IP from ad networks, getting past streaming geo-blocks - the VPN column wins on every practical point. For high-stakes use - protecting a journalist's source, reaching censored content, looking into a politically sensitive topic - the Tor column is the only one with a built-in anonymity guarantee. The Tor over VPN column makes sense in just one case: you need your ISP not to know that you use Tor. That happens either because it is legally risky where you are (China, Iran, certain Gulf states), or because Tor use itself draws attention to your traffic.

On legality - a key point for UK and US users. Both Tor and VPN are legal in the UK, the US, and the EU. The Tor Project often notes that the network is used widely by journalists, NGOs (Amnesty International, Reporters Without Borders use Tor), libraries, and even governments. Any talk of crime in the media is about acts done via Tor, not the use of the network itself. Neither UK courts (including the High Court) nor US federal courts have upheld any rule that limits the use of Tor or VPN by private people.

When should you use Tor, when a VPN, and when both?

Use a VPN for: public Wi-Fi, streaming geo-blocks, hiding activity from your ISP, remote work. Use Tor for: journalism, source protection, reaching censored content under authoritarian regimes. Use Tor over VPN when you need your ISP not to know you're using Tor at all. For 95% of everyday users, an audited VPN is enough.

Rather than pit the two tools against each other in theory, here are the real use cases where each makes sense. They draw on EFF Surveillance Self-Defense advice and on common practice among informed users.

VPN alone - the everyday tool. A traveller on hotel or airport Wi-Fi. A remote worker on a public network. Someone who wants to stop their ISP selling their browsing history. A user watching US Netflix from London. A freelancer getting past a geographic block to reach a service not sold in their country. In all these cases, a top-3 audited VPN (NordVPN, ExpressVPN, Mullvad) with kill switch on is the right tool. Protection is unseen once set up, speeds cover all use cases, and the cost is small. Tor would be useless and frustrating here. The speed is too low for streaming, exit IPs are blacklisted by Netflix, and mainstream sites keep serving captchas. Our Our NordVPN 2026 review covers exactly these use cases.

Tor alone - the tool for strong anonymity. A journalist reaching a source in an authoritarian country. A whistleblower sending documents to a newsroom (via SecureDrop). An activist recording abuses under a censoring regime. A security researcher exploring the dark web for threat intelligence. A citizen in China or Iran reaching blocked sites. In these cases, Tor's built-in anonymity guarantee - no single actor knows both who you are and what you are doing - far outweighs the slowness. Using it from Tails OS (a forgetful live system that boots from USB and wipes everything on shutdown) also closes local leaks (browser history, disk traces). The official Tor Browser is enough for most less sensitive use cases.

Tor over VPN - a narrow sub-case. This setup runs a VPN first, then starts Tor on top. The main benefit: your ISP does not see that you use Tor. It only sees an encrypted VPN flow. This helps when Tor use itself draws attention or is legally risky (China, Iran, Russia, UAE, Belarus). NordVPN offers an 'Onion over VPN' feature that sets up this flow for you. The trade-off: you trust the VPN provider not to log the fact that you use Tor. Against a weak adversary (a commercial ISP in the UK or US), this is a fair trade-off. Against a strong adversary (a state-level actor with access to VPN logs), it is not enough. You then need Tor alone from Tails on an anonymous network (anonymous Wi-Fi, prepaid mobile hotspot).

VPN over Tor - rare and for one narrow case. The reverse setup, and a more tricky one to run. Tor exits first, then a VPN client connects over the Tor network. The benefit: a stable VPN exit IP (useful if a site blocks known Tor exit nodes) while hiding your real IP from the VPN provider. Downsides: a traffic signature that stands out (very few people do this, so you stick out), a tricky setup, and even worse throughput. Keep it for cases where it is the only way that works - rare in practice.

Shared limitations: what Tor and VPN do NOT protect against

Glowing fibre-optic network cables
Glowing fibre-optic network cables

Neither tool gives full anonymity or full secrecy. Four built-in limits apply to both. Grasping them is key to avoid trusting them too far.

Browser fingerprinting. Visited sites can spot your browser by its unique signature: User-Agent, installed fonts, Canvas and WebGL, timezone, language, screen resolution, plugins. The EFF's Cover Your Tracks project measures this fingerprint live. On a standard browser (Chrome, Safari), it is usually unique among hundreds of thousands of visitors. That means a site can spot you across sessions even when the IP changes. The Tor Browser handles part of this by making the fingerprint the same for all (every Tor Browser has the same rounded resolution and the same User-Agent). A VPN does not touch fingerprinting at all. You need to add a hardened browser (Brave, Firefox with resistFingerprinting, or Tor Browser).

Lasting app identifiers. If you log into Gmail, Facebook, or your bank via Tor or a VPN, the service knows you because you gave your credentials. The encrypted tunnel does not erase the fact that you are signed in. That is exactly why you use it for those everyday services. Anonymity only counts for tasks where you are not tied to any account linked to your real identity.

Timing correlation attacks. An adversary who watches both the traffic going into your device (ISP, employer Wi-Fi) and the traffic coming out the server side at once can match the timing patterns and spot the session. The number of relays in between does not change this. It is the built-in limit of any mixing system: if you can watch both ends, you can break anonymity. Tor blunts this attack by adding more nodes and blending traffic. But for an adversary that watches at Internet scale (a major state actor), it stays doable against high-value targets. VPNs give no cover here. Worse, they herd outbound traffic onto a few very visible server IPs.

Device compromise. Malware on your computer or phone steals data before it enters the encrypted tunnel. No VPN or Tor install guards against a keylogger, screen grabber, or infostealer running on the device. The fix: keep the OS and apps up to date, do not run suspect binaries, use a modern antivirus on Windows. For high-stakes OPSEC, Tails OS on a USB drive is the answer - a throwaway system that stores nothing and reboots fresh for every sensitive session.

Who Tor is genuinely useful for: journalism, censorship, whistleblowing

Tor is not a tool for everyone. Its best fit targets a narrow audience. Knowing who that is helps you make the call.

Investigative journalists. The Tor network has been used since the 2010s to protect contact between journalists and sources. Several major outlets (The New York Times, The Washington Post, The Guardian, BBC) run SecureDrop platforms. SecureDrop is a Tor hidden service (.onion) that lets a source send documents without giving away their identity or IP. It has become the default standard for whistleblowers and was used in major cases (Snowden NSA leaks in part, Panama Papers indirectly, various government leaks). For a journalist targeted by a state or company, Tor is the bare minimum, backed by Tails OS and strict OPSEC.

Activists under authoritarian regimes. In China, Iran, Russia, Belarus, and several Gulf states, access to sites like the BBC, the New York Times, or Wikipedia (at certain times) is blocked by government filtering. Tor with hidden bridges (obfs4, meek, snowflake) gets past these blocks without showing Tor use to the local network operator. The Tor Project keeps up-to-date guides on how to slip past blocks in each country. Tor Bridges hands out relays that are not publicly listed, through channels that are hard to enumerate.

Academic research and threat intelligence. Security researchers often explore hidden services (.onion) to gather intelligence - cybercriminal forums, illegal marketplaces, leak platforms. Using Tor lets them reach these resources while keeping that work apart from their work identity. Several threat intelligence teams (Recorded Future, Flashpoint, Kaspersky) run ongoing monitoring via Tor.

Citizens with legal exposure. Lawyers reading sensitive databases for their cases. Doctors looking up medical facts without leaving a trail on the insurer's side. Officials reaching public documents in countries where even reading is tracked. These cases are few in number, but ones where Tor makes a real difference in protection.

Risks specific to Tor: exit nodes, surveillance, bad practices

Tor is not risk-free. The protocol is clever, but that also creates its own weak spots that new users often miss.

Malicious exit nodes. An exit node sees traffic in plaintext, before it reaches the target site. If you use unencrypted HTTP, the exit node can read the content and even inject changes. If you use HTTPS - which should be everywhere in 2026 - the content stays encrypted, but the exit node sees the target domain (SNI) and IP. Researchers have logged since 2007, and again of late, campaigns of exit nodes sniffing credentials or injecting tainted files into downloads. The Tor Project runs a flagging system (BadExit) and shuts out the nodes it catches, but some risk stays. The fix: HTTPS everywhere, certificate checks, doubt about binary downloads via Tor.

State surveillance of entry nodes. Several academic studies (USENIX 2008, MIT/Princeton papers) have modelled correlation attacks. In them, an adversary that controls a real share of guard and exit nodes can de-anonymise sessions over time. Major state actors (NSA, Chinese services, Russian services) likely run Tor nodes to spy. This is logged in the Snowden leaks. For a high-value target, the risk is real. For an average civilian, it is tiny. The Tor Project blunts this through geographic spread of nodes and guard rotation.

User OPSEC mistakes. Most past Tor de-anonymisations have come not from the protocol, but from user errors: logging into a personal Gmail account via Tor, downloading a PDF with macros that calls an outside server beyond the tunnel, using a free VPN that logs, setting up a poorly walled-off proxy. The Silk Road case (Ross Ulbricht) came down to an operational slip - a username reused across a public forum and Silk Road - more than a break in the Tor protocol. For serious OPSEC: Tails + standard Tor Browser + zero personal accounts + zero executable downloads + zero identity mixing is the minimum.

Legal risk based on jurisdiction. In the UK, US, and EU, using Tor is legal. In some countries, use alone is seen as suspect and may set off an investigation. Russia tried to block Tor in 2021 (it failed on the tech side). China has blocked it for years (you can get past it via bridges). If you travel to those countries, just downloading Tor from a hotel hotspot can be risky. Set up your tools before you leave and use hidden bridge mode (Snowflake in particular, which looks like ordinary WebRTC traffic).

Editorial pick
4.6 / 5

Try NordVPN - Onion over VPN included

Deloitte no-log audit 2024 · Native WireGuard (NordLynx) · 30-day money-back guarantee

Deloitte audit 202430-day guarantee14M+ users
See the offer

Summary: choosing based on your threat model

The right question is never 'VPN or Tor' in the abstract, but 'which adversary do I need to protect against, and what can they do on the tech side.' Four typical profiles sum up the call.

Profile 1 - Passive local adversary (hotspot, home ISP, employer). You want to stop an airport Wi-Fi, your ISP, or your work network from seeing where you go and your content. An audited VPN is enough - a wide safety margin and a smooth experience. Tor would be too much and would frustrate you.

Profile 2 - Commercial adversary (ad networks, tracking sites). You want to stop visited sites from tracking you across sessions, tying your activity together, and targeting you with ads. VPN + hardened browser (Brave, Firefox containers, uBlock Origin) is the best mix in practice. Tor breaks too many everyday use cases for this profile.

Profile 3 - Moderate state adversary (general intelligence services, court requests). You want your activity to be out of reach via an ordinary legal request to your ISP or a major online service. An audited no-log VPN outside your adversary's jurisdiction covers 90% of cases. For the extra layer of identity split (web aliases, separate accounts), Tor is not needed except for narrow use cases.

Profile 4 - Strong state adversary (at-risk journalism, whistleblowing, activist under authoritarian regime). You face an actor that can watch traffic at scale, seize provider servers, and run targeted operations. Tor alone from Tails OS on an anonymous network - with strict OPSEC. The VPN becomes an added trust risk rather than a protection layer. Tor over VPN, maybe, if hiding Tor use from your ISP is vital.

The classic trap: using too big a tool for your profile (Tor for streaming) or too small a one (a free VPN for high-stakes work). Naming your adversary honestly is the most important call. Everything else follows from there.

Going further

Tor and VPN work side by side, not against each other. The most common mistake is mixing them up or thinking one replaces the other. For most users, a top-3 audited VPN with kill switch covers all everyday privacy needs. For high-stakes use cases, Tor on Tails stays the gold standard, and Tor over VPN is worth it in narrow cases (hiding Tor use under an authoritarian regime). Before you pick a VPN, check that the provider publishes recent outside audits and that its kill switch works on your OS. Our complete VPN security audit in 9 tests covers the quarterly check. To go past VPN alone, our complete privacy tools guide covers the full stack by category.

Going further. Related reading on these topics: a VPN for anonymous crypto trading, whether VPNs are legal in the UK and how obfuscated VPN servers bypass blocks.

See also. Related: What Is a Proxy.

Related guides on network privacy and anonymity


Article published on 29 May 2026. Methodology: synthesis of public Tor Project documentation (official spec, design papers, aggregated statistics), independent audits of major VPN providers (PwC NordVPN 2022, Deloitte NordVPN 2024, KPMG/Cure53 ExpressVPN 2022–2024, Cure53 Mullvad annual), EFF Surveillance Self-Defense recommendations, and USENIX/IEEE Security academic publications on Tor de-anonymisation attacks.

Editorial pick
4.6 / 5

Secure your connection with NordVPN

Threat Protection blocks trackers & malware · kill switch · 30-day money-back

Deloitte audit 202430-day guarantee14M+ users
See the offer
Everything you need to know.

Frequently asked questions

Tor or VPN - which should I use in 2026?

The question is framed wrong. The two tools don't cover the same need. A VPN is built for everyday privacy. It stops your ISP, a public Wi-Fi hotspot, or a visited site from tracking you. It unblocks content and secures an untrusted network. Tor is built for anonymity. It stops the visited site and every watcher in the middle from knowing who you are. The cost is much slower speeds and a worse browsing experience. For 95% of use cases - travel, streaming, remote work, online shopping - an audited VPN (NordVPN, ExpressVPN, Mullvad, ProtonVPN) is more than enough. Tor matters when the stakes are high: investigative journalism, source protection, reaching censored content under an authoritarian regime, looking into sensitive topics. The key question is never 'which is better' but 'which adversary am I protecting against.' If the adversary is a Wi-Fi operator or a shopping site, the VPN wins on comfort. If the adversary is a state-level actor that can match traffic at scale, a VPN alone is not enough and Tor becomes the bare minimum.

Is Tor really free and risk-free?

Free, yes - Tor is an open-source project run by the Tor Project, a US non-profit funded by foundations, donations, and historically the US government (Open Technology Fund). Risk-free is less clear-cut. Three kinds of risk remain. First, exit nodes are run by volunteers. The vast majority are honest, but a small share is known to sniff unencrypted traffic or inject harmful content. That is why using HTTPS everywhere is a must. Second, your ISP can see that you are using Tor, unless you go through a VPN or a hidden Tor bridge. This can draw attention in some countries. Third, timing correlation attacks exist if an adversary controls a large number of both entry and exit nodes. This is in theory only for most users, but serious for state-level targets. The [Tor Project](https://www.torproject.org/) documents these limits in the open, which is a sign of the project's maturity.

Does combining Tor and a VPN actually help?

It depends on the order. Tor over VPN (the VPN runs first, then Tor on top) hides Tor use from your ISP. It also adds an encryption layer before the Tor network. This helps under authoritarian regimes that block or watch Tor users. The trade-off: you must trust the VPN provider, since they can see that you are using Tor. VPN over Tor (Tor first, then VPN on top) is rarer and harder to set up. It mainly gives you a stable exit IP, which helps when a site blocks known exit nodes, while hiding your IP from the VPN. But it leaves a traffic signature that stands out. In practice, **Tor over VPN covers 99% of cases that justify the combination**. NordVPN offers an 'Onion over VPN' feature that sets this up for you. For strict anonymity, though, Tor alone from Tails OS stays the gold standard. The VPN becomes an added trust risk rather than a protection layer.

Is Tor legal in the UK and US?

Yes, fully. Using Tor is legal in the United Kingdom, the United States, and across the European Union. It is free software, and it is used mostly for lawful aims: journalists protecting sources, activists working under authoritarian regimes, citizens reading censored sites, security researchers, and people who care about privacy. The illegal uses that gave Tor its media name (Silk Road, dark-web markets) are a small part of its traffic. A 2020 academic study from the University of Nottingham found that less than 5% of Tor traffic involves illegal content. Downloading, installing, and browsing with Tor is not barred by any special rule of UK or US law. The key point: what you do via Tor still falls under ordinary law. Buying drugs, accessing CSAM, or running a cyberattack are crimes even via Tor. The network does not erase the offence - it only makes the investigation harder.

What speed should I expect with Tor in 2026?

Much slower than a VPN. The Tor Project publishes public bandwidth stats for the network. In 2026, typical download speeds for an average user are between 1 and 5 Mbps, with latency of several hundred milliseconds. Traffic passes through three relays in a row, each picked at random, often spread across many continents. That is enough for text web browsing, email, and secure chat. It is not enough for HD streaming, gaming, or large downloads. A modern VPN running WireGuard or NordLynx usually gives 200–500 Mbps in the UK or US, based on how near the server is. That is roughly 50 to 200 times faster than Tor. This speed gap is exactly why pairing Tor and a VPN only makes sense for narrow use cases (reaching sensitive sources, opening .onion content), not for daily browsing.

Can a VPN be traced back to me?

Your VPN provider can in theory log your account, payment, and session timestamps, unless they run a verified no-log policy. Providers audited by outside firms (NordVPN by PwC 2023, Mullvad by Cure53 2023) have confirmed they keep no connection logs. Law enforcement can still serve a warrant. If nothing is stored, there is nothing to hand over. Paying by cash or Monero (Mullvad supports both) removes the payment link. For truly hostile threat models, Tor from Tails OS offers a stronger built-in guarantee.

Does Tor protect against malware?

No. Tor protects your network anonymity. It hides who is connecting to what. It does not scan traffic for malware, block harmful JavaScript, or guard against browser exploits. The Tor Browser limits some fingerprinting and runs in a sandboxed Firefox. But a site that injects a drive-by exploit still takes over your device, Tor or not. Always pair Tor with up-to-date software. For the most isolation, use it from Tails or Whonix.