Tor vs VPN: Which One Should You Use?

What each one actually does

VPN

A VPN sets up an encrypted tunnel between your device and a server you trust (or at least a server you're paying to trust). All your traffic goes through that one server. To websites you visit, your IP looks like the VPN server's IP. To the network you're sitting on — café Wi-Fi, your ISP, an authoritarian government — your traffic is opaque except for "this device is talking to a known VPN endpoint."

Tor

Tor routes your traffic through three randomly-chosen relays. The first relay sees your IP but not your destination. The third (exit) relay sees the destination but not your IP. The middle relay sees neither. No single party can correlate "this user visited this site" — unless they control multiple relays in your circuit, which is a much harder attack.

Threat model differences

• Use a VPN if: You want to hide your traffic from your ISP, bypass geographic blocks, protect yourself on hostile networks, or download/stream things quickly without being identified by IP.
• Use Tor if: You need to make your activity unlinkable to your identity — whistleblowing, researching sensitive topics, accessing onion services, or operating under hostile governments where being known to use a VPN itself attracts attention.

What Tor doesn't do

Tor doesn't make your traffic faster — it makes it slower, often by 5–10×. Tor doesn't hide that you're using Tor (unless you configure pluggable transports like meek or obfs4). Tor doesn't protect you from yourself: logging into Gmail through Tor instantly ties your circuit back to your real identity. And Tor exit nodes have famously been run by hostile actors who passively log what they can see, which is everything that wasn't already inside HTTPS.

Tor browser bundles ship with HTTPS-Only mode on by default for this reason, and exit nodes seeing only encrypted content greatly reduces the risk. But the moment you load anything in plaintext or click through a TLS warning, the exit node sees it.

What VPNs don't do

A VPN shifts your trust from your ISP to the VPN operator. If that operator logs, sells data, or is compelled to hand over connection records, you have no anonymity in the eyes of the destination. Most reputable consumer VPNs have credible no-logs policies and many have been independently audited, but the model is fundamentally one of trust. Tor's model is trustless: no single relay knows enough to deanonymize you, by design.

Tor over VPN (and vice versa)

You can combine them, and which one wraps the other matters.

Tor over VPN (you → VPN → Tor → site)

Your ISP only sees a VPN connection — not that you're using Tor. The Tor entry guard sees the VPN's IP, not yours. Use this when being identified as a Tor user is itself a problem (workplace, country, threat actor). The VPN provider can still see that you're using Tor.

VPN over Tor (you → Tor → VPN → site)

The site sees the VPN's IP. The VPN sees Tor's exit IP, not yours. You get a stable IP across Tor circuits, useful for sites that block Tor exits. Much harder to set up and still has the VPN trust problem.

For most users, Tor over VPN is the sensible combination. Pick a VPN that doesn't block Tor traffic and that supports your country.

Speed reality check

On a 1 Gbps connection with a 50 ms latency to your VPN's nearest PoP, expect roughly:

• Direct: full line rate, 5–10 ms latency to most servers.
• WireGuard VPN: 80–95% of line rate, +10–30 ms.
• Tor: typically 5–30 Mbps, +200–800 ms.
• Tor over VPN: same speed ceiling as Tor alone (the VPN isn't the bottleneck).

You can verify the impact in your own situation using our speed test — run baseline, VPN, and Tor, and compare.