RestorePrivacy

Resources to stay safe and secure online

VPN vs Tor 2022 Comparison: One Winner, One to Avoid

By Sven Taylor 6 Comments
VPN vs Tor

Both Tor and VPNs are privacy tools with pros and cons, which we’ll closely examine in this VPN vs Tor guide. So which one of these tools is best for you? That depends on your own unique needs and threat model.

Helping you select the best option for your use case is the goal of this guide. Here are the areas we’re going to examine in comparing Tor vs VPN:

  1. Speed
  2. Encryption and security
  3. Anonymity
  4. Cost
  5. Browsing, streaming, and torrenting
  6. Ease of use
  7. Versatility
  8. Trustworthiness

VPN vs Tor speeds

With speeds, there is a huge difference between VPNs and Tor.

VPN: With VPNs, I can often get around 300 to 400+ Mbps when using a good VPN service. VPN performance has gotten a major boost in the past few years thanks to the WireGuard VPN protocol. WireGuard offers faster speeds, better reliability, and upgraded encryption. Below is a speed test with NordVPN using the WireGuard VPN protocol with a US server:

VPN vs Tor speeds
Using a VPN with WireGuard will be much faster than Tor.

With speeds approaching 450 Mbps, NordVPN is the fastest VPN we have tested so far.

Now let’s look at Tor.

Tor: Although Tor speeds have slightly improved over the years, it is still much slower than VPNs. Tor suffers from high latency because your traffic is routed over three relays. In testing Tor, my speeds average around 5 Mbps, but I can sometimes get 9-10 Mbps if the relays are good, such as below.

Tor vs VPN speed test
Tor usually has high latency (ping) and slow speeds under 10 Mbps.

With this speed comparison, the VPN was almost 50 times faster than Tor. Also notice above the latency is very high with the Tor network. This results in sluggish performance and websites being slower to load. Streaming HD videos will also be challenging.

VPNs easily wins the speed category and are much faster than Tor.

Speed winner: VPN

Encryption and security: VPN vs Tor

Tor: Tor uses a layered system of encryption that incorporates perfect forward secrecy. Traffic is passed through three relays, all of which are encrypted:

  1. Guard relay – The first relay in the circuit, which can see your IP address.
  2. Middle relay
  3. Exit relay – The last relay in the circuit where your traffic exits onto the regular (unencrypted) internet. A malicious exit relay could potentially see your data and modify traffic.

By default, traffic with Tor is routed through these three hops before exiting the Tor network circuit.

With Tor, encryption only works within the browser. This is a huge drawback in comparison to VPNs.

By only encrypting browser traffic, everything else on your operating system remains exposed and could reveal your real IP address and location to third parties. This means that documents, torrent clients, updates, etc. are exposing your traffic and real IP address to the unencrypted internet. You don’t have this problem with a good VPN.

VPN: Most VPNs secure traffic via OpenVPN or IPSec protocols with the connection also being encrypted with perfect forward secrecy. OpenVPN is the most common protocol, usually secured with an AES 256-bit cipher, which is universally considered very secure. WireGuard is also entering the scene, which uses a ChaCha20 cipher. Most VPNs allow you to easily select the ideal VPN protocol (and corresponding encryption cipher) directly in the VPN application. Here is an example of protocol selection with Surfshark VPN:

Tor vs VPN encryption security

Most VPN providers only route traffic through one hop. However, like Tor, there are a few multi-hop VPN services, which can route traffic over 2-4 hops. Two examples of this are with NordVPN and Surfshark that offer double-VPN servers.

Unlike with Tor, a VPN encrypts all traffic on your operating system. This offers a higher level of protection since it is not restricted to only a browser.

Encryption winner: VPN

Anonymity: VPN vs Tor

Anonymity closely ties in to the previous section on security and how strong the underlying encryption is against exploits that could de-anonymize the user.

Tor: With Tor, there have been various cases over the years showing that it can be exploited. Specifically, a court case in 2017 proved the FBI can de-anonymize Tor users and determine their real IP address and activities:

In this case, the FBI managed to breach the anonymity Tor promises and the means used to collect the evidence from the dark web make up a sensitive matter. The technique is valuable to the FBI, so the government would rather compromise this case rather than release the source code it used.

There is also other evidence illustrating how government actors can identify Tor users, thereby rendering Tor useless as a tool for anonymity.

Tor vs VPN safety and privacy

Tor has been proven to be vulnerable to various exploits over the years.

VPN: Unlike with Tor, I have not seen any evidence of governments being able to break strong, correctly-configured VPN encryption, such as OpenVPN with an AES-256 cipher. There is evidence that weaker VPN protocols, such as IPSec and PPTP, are vulnerable to exploits, but OpenVPN and WireGuard appear to remain secure when implemented correctly.

When governments have targeted specific VPN users, they have done so not by cracking the encryption, but by pressuring the VPN service to log specific users. Here are a few examples we’ve covered here on Restore Privacy:

  • FBI pressured IPVanish into logging data of a specific user for a criminal case.
  • FBI pressured PureVPN into logging data of a specific user for a cyberstalking case.

These logging cases illustrate the importance of selecting a trustworthy service, preferably a no logs VPN, that operates in a safe jurisdiction.

Exploitation in the wild (the big difference)

This is the big difference between Tor and VPN is how each has been exploited. With Tor, the FBI is able to break/exploit Tor and identify Tor users. (Their methods for doing this are sometimes not clear, and in some cases “classified” — but there are new cases and examples that emerge every few years.)

With VPNs, the FBI could not break the encryption, but instead had to pressure the VPN service itself to target a specific user and log data. The solution to this problem is to use a trustworthy VPN operating in a safe privacy jurisdiction.

Anonymity winner: VPN

Cost: VPN vs Tor

Cost may be a deciding factor for some people.

Tor: One big advantage with Tor is that it’s free. The Tor Project is a non-profit funded by various sources, but mostly the US government (we’ll discuss this more below).

VPN: One drawback of VPNs is that they can be rather expensive.

Costs can vary from about $2 per month all the way up to $10 per month. On a positive note, there are also some cheap VPN services that are more affordable. There are also free VPN apps available, but studies show these to be bad choices that are often riddled with flaws and adware.

Cost winner: Tor

Browsing, streaming, and torrenting: Tor vs VPN

I’ve been testing VPNs and Tor for 6+ years and here’s my impression.

Tor: When using Tor, you will definitely notice a performance tradeoff. Latency (ping) will be much higher and so will your bandwidth speeds.

  • Browsing: Regular browsing will be more sluggish as traffic is routed through three Tor network relays.
  • Streaming: Due to high latency and slow speeds, streaming will not work well. Tor has gotten faster over the years, but streaming videos is still problematic, especially in high definition.
  • Torrenting: You should not use Tor for torrenting, as stated by the Tor Project. Even if you configured a torrent client to route traffic through the Tor network, torrent speeds would be horrible. (Better to use a VPN for torrenting instead.)

Overall, Tor is best used for browsing, not streaming or torrenting. But even with regular browsing, the Tor network can be sluggish.

VPN: If you are using a good VPN, you should not notice any negligible difference in relation to your non-VPN speeds.

  • Browsing: Browsing should be just as fast (little to no difference).
  • Streaming: Streaming should also be good (I regularly stream Netflix with a VPN).
  • Torrenting: VPNs may decrease torrenting speed somewhat, but it shouldn’t be huge. And you should always use a good VPN for torrenting due to copyright issues.

Browsing, streaming, and torrenting winner: VPN

Ease of use: Tor vs VPN

Both Tor and VPNs are easy to use.

Tor: As long as you are using the unmodified Tor browser, then Tor is easy to setup and use.

  1. Download the Tor browser bundle.
  2. Click the button to connect to the Tor network.

You can also connect to the Tor network through the Brave browser.

Tor with browser

However, manually configuring Tor on another browser can be challenging. Setting up apps to go through the Tor network can also be difficult. And you may run into issues when trying to use Tor on mobile devices, but there are options for that as well.

VPN: VPNs are also easy to use.

  1. Sign up for a VPN subscription.
  2. Download the VPN client for your device.
  3. Connect to a VPN server.

Below I’m connected to a double-VPN server configuration with NordVPN:

Double VPN servers vs Tor

In some cases, setup can be slightly more complex, such as installing VPNs on a router or manually configuring a VPN on your operating system (such as with Linux).

Ease of use winner: Tie (both are easy to use)

Versatility: Tor vs VPN

In the context of versatility, I’m looking at the ability to adapt or be used for different functions.

VPN: VPNs can be used in many different ways, aside from simply encrypting traffic on a desktop computer:

  • Most operating systems have VPN functionality built in, such as with the IPSec or WireGuard protocols.
  • VPNs can be easily used on mobile devices with various protocols that are better adapted to intermittent connectivity. For example, WireGuard is ideal for mobile use.
  • VPNs can be combined with different features. For example, some VPNs have ad-blocking features. For example, we see this with both CyberGhost and NordVPN.
  • There are a handful of different VPN protocols available for different use cases, with new ones in development, as we discussed above.

Tor: Tor is not as versatile as VPNs, although it still can be tweaked and configured to a degree.

Tor is not built in to major operating systems, such as Windows, Mac OS, Android, or iOS, but there are a few Linux operating systems that incorporate Tor (see Whonix and Tails).

Versatility winner: VPN

In comparison to Tor, VPNs are more versatile and more comparable (with various devices and operating systems).

Trustworthiness: Tor vs VPN

Trust is a major factor when selecting privacy tools, but it’s also subjective. Nonetheless, here’s my take:

Tor: While some in the privacy community consider Tor to be trustworthy, there are many red flags to consider. Here’s an overview of my findings on Tor that raise questions about its trustworthiness:

  1. Tor is compromised (and not anonymous). There have been various examples and court cases over the past few years confirming this fact. The FBI (and presumably other government agencies) can now de-anonymize Tor users.
  2. Tor developers are cooperating with US government agencies. This is another bombshell that was uncovered by a journalist who sifted through thousands of pages of FOIA requests. In one example, Tor developers tipped off US government agents about Tor vulnerabilities that could be exploited to de-anonymize users.
  3. No warrant is necessary to spy on Tor users. A judge ruled that the US government is perfectly lawful in exploiting Tor to uncover Tor users’ real IP addresses.
  4. Tor was created by the US government (contractors with the Naval Research Lab and DARPA).
  5. Tor is still funded by the US government to the tune of millions of dollars.
  6. Tor is a tool for the US government, specifically the military and intelligence branches. They need regular users on the Tor network so these agents can be camouflaged (as Tor developers have explained).
  7. Anybody can operate Tor nodes, including hackers, spies, and government agencies.
  8. Malicious Tor nodes do exist. One academic study found over 100 malicious Tor relays.

On a positive note, Tor is open source and the code can be examined by anyone. This, however, does not necessarily make it “secure” or impervious to exploits.

VPN: VPNs are also not a silver bullet in the trust category.

  • There have been a few VPNs caught lying about logs, such as PureVPN and also IPVanish.
  • Free VPN services are fraught with controversy, including hidden malware, ads, and data collection. (But this is true of many free products today.)
  • Some VPNs are also flawed and may leak IP addresses and DNS requests. These leaks can be fixed via firewall rules (or just using a good VPN service that doesn’t leak).

OpenVPN, the standard protocol used by most VPN services, is open source and has been publicly audited. There are also various third-party open source VPN apps, such as Tunnelblick (Mac OS) and OpenVPN GUI (Windows).

Some VPNs have undergone third-party security audits. See for example with ExpressVPN, ProtonVPN, TunnelBear and NordVPN.

Source of funding

Sources of funding may also influence trustworthiness.

VPN: Paying subscribers are the source of funding for VPN companies, which are generally private businesses. If VPN services do not do a good job for their subscriber base, they will go out of business.

Tor: Various branches of US government (and their subsidiaries) are the largest funding source of Tor, having contributed millions of dollars to the Tor Project over the years.

When Tor was ready for deployment, the Naval Research Lab released it under an open source license with guidance coming from the Electronic Frontier Foundation. Even today, the US government agencies, such as DARPA, State Department, and National Science Foundation remain large sponsors of Tor.

The Tor project admits that donors will get to “influence the direction of our research and development.” Therefore according to the Tor Project, the US government is influencing the research and development of Tor.

Distribution of trust

VPN: With VPNs, you can distribute trust by using more than one VPN at the same time (chaining VPN services). You can easily do this by using VPN1 on your router and VPN2 on your computer. You can also chain two or more VPNs using virtual machines. Most people, however, do not chain VPNs and therefore all trust falls on the VPN provider (in most cases).

To further protect your anonymity with VPNs, you can:

  • Chain VPNs and effectively distribute trust across different VPN services. In this scenario, VPN1 could see your IP address and VPN2 could see your traffic, but neither VPN could see the full picture.
  • Pay for the VPN anonymously thereby ensuring there is no “money trail” (Bitcoin, cryptocurrencies, or with gift cards purchased with cash). The need to pay for VPNs anonymously, however, is overblown as this has zero bearing on the effectiveness, security, or encryption of the VPN – even if your adversary knows what VPN you are using.
  • Use only verified no-logs VPN services

Tor: The problem with Tor is that it is an entire ecosystem you must trust. The ecosystem itself is a single point of failure. And even if you are relaying traffic over different hops, you are still trusting one system, and that doesn’t always work.

The core system that manages the code base, relays, and onion servers must be all trusted by the Tor user. You also need to trust that relay operators, through which your traffic is running, are being honest, which is not always the case.

Unfortunately, there is no vetting mechanism for Tor node operators, which has proven to be a problem (malicious nodes, snooping nodes, etc.)

Trust winner: VPN

Are VPNs or Tor better?

As noted in the introduction, both Tor and VPNs are privacy tools with pros and cons. You should select the best fit for your unique situation.

For most users, a good VPN will probably be the best option because it will provide a high level of privacy and security without a negligible loss in performance. VPNs can also be used easily on a large array of devices and operating systems, with various VPN protocols and configuration options available. The main thing to keep in mind is finding a trustworthy VPN provider that offers the features and security you need.

Tor may be a good choice for certain use cases, especially if you are short on funds and need a free tool for specific tasks. But don’t forget, only traffic within the browser is getting encrypted — everything else remains exposed.

You can also combine Tor with VPNs. We discuss this in our main guide on Tor here.

Further Reading:

Is Tor Trustworthy and Safe? (here on RestorePrivacy)

Tor and its Discontents: Problems with Tor Usage as Panacea

Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries

Tor network exit nodes found to be sniffing passing traffic

On the Effectiveness of Traffic Analysis Against Anonymity Networks Using Flow Records

Judge confirms what many suspected: Feds hired CMU to break Tor

About Sven Taylor

Sven Taylor is a digital privacy expert who has been writing about privacy and security online since 2016. With a passion for digital privacy and online freedom, he created RestorePrivacy to provide you with honest, useful, and up-to-date information about online privacy, security, and related topics.

Reader Interactions

Comments

  1. Anonymous

    Does this mean using a good VPN alongside Tor would render you pretty much untouchable?
    If the exit node is malicious then it doesn’t matter as it can’t see the full path, if Tor is broken then it will just fall back to a VPN who have no logs. Is this correct or am I wrong? I also see the lack of required warrant as a moot point considering the NSA is watching us all without warrant or reason anyway.

    Reply

  2. Mitch

    I’m confused if using your browser without the your network in combo with your own vpn provider , say nordvpn, is as safe and secure as using hardened Firefox? Does all the cons with tor go away if you don’t 7se the tor network and rather your own vpn?

    Reply

  3. JDS

    I honestly think Tor is unnecessary for the vast majority of it’s users who use it for everyday browsing (Like me!). Yeah it’s getting faster but it simply makes more sense to use a VPN with solid privacy features like Perfect Privacy. VPN traffic is more common and will draw much less attention to you. I’m starting to think that using a service like PP (And everything it has to offer) is an excellent alternative to Tor for those of us with a non-interesting threat model seeking a higher level of privacy online.

    With the TrackStop filters, a good browser (I really enjoy using Brave) with decent fingerprinting protection and avoiding using scripts is really all I need (And even all that is probably overkill at this point). With PP I’m finding less reason to bother with Tor.

    Reply

  4. John

    I read the full case about what happened with The Playpen website . Yes , the FBI did manage to deanonymize Tor users . HOWEVER , you have to take into account how this was done.

    Basically what happened is the guy that was running the site had it misconfigured . These hidden services are supposta be firewalled off from the rest of the internet, that was not so with this service. The FBI managed to hack his server and install malware which then was able to go outside the Tor network and thus make them able to discover the servers real IP .

    After they got a warrant and raided the guys place , they took control of the server . When users logged in , the server injected a malicious code that exploited JavaScript in the Tor browser . HOWEVER , this exploit only worked for users on WINDOWS machines that had JavaScript enabled . If the user had JavaScript disabled , or was using Tails , the exploit didn’t work .

    In conclusion : They never really broke the Tor network , they just hacked users machines connected to Tor .

    Reply

    • Anonymous

      This sounds like bs to me personally, look at Richard Huckle, a child abuser who was caught in operation pacifier (playpen attack). The guy was single handedly producing thousands of videos and images and successfully distributing them with zero trace at all. Do you honestly believe he was doing all that whilst running Windows with JavaScript enabled? He would have been using terrorist level OPSEC and yet he still got caught. UK police even have a few of his hard drives which they are still unable to crack. He can make a device impenetrable to every agency in the world, but he does it all off Windows with JavaScript enabled? Come on man, if you believe that then you will believe anything.

      Reply

      • Sly Dawg

        Nope, not BS. For Huckle, It was good detective work, no techno-magic; nothing to do with Javascript.

        Officers with Task Force Argos in Australia knew the creator of the site used an unusual greeting – the word “hiyas”. After exhaustively trawling chatrooms and forums in the open internet, they found a Facebook page of a man who used the same greeting. Although the Facebook page was fake, they identified a picture of a vehicle and that led them to a man called Shannon McCoole – a childcare worker in Adelaide. When officers went through his door, he was actually online running the site.
        They took detailed photographs of McCoole’s hands. On his finger was a freckly which matched exactly one seen in many of the images of abuse. (from From http://www.preda.org/2016/how-child-abuser-richard-huckle-was-caught.)
        Tor has not been cracked. But like a VPN, it can be bypassed. People using it have compromised themselves by their behaviors outside, or by investigators comparing on-line accounts to when a suspect’s IP is active, or by using the same phone number on another account, etc. Do your research.

        This article seems a bit slanted against TOR. True, there are situations where a VPN is satisfactory, and a VPN will encrypt other internet traffic from you PC which passes outside of the browser, but if your are stealing documents from the government or your employer and leaking them, or your government doesn’t allow free speech, and you don’t like prison, the don’t trust ANY VPN to keep you safe when they are presented with a subpoena. Also, I don’t agree that configuring a VPN is as easy as using TOR. For Browser activity, that’s remains the most secure.

        Reply

Leave a Reply

Your email address will not be published.