ISP vs VPN vs Tor


I've seen way too many comments about people using VPNs and/or Tor as a shield to any kind of possible breach of privacy and/or security in general. I'm going to attempt to explain very simply what they do, because these are good tools, but using them the wrong way can void their purpose.

Vanilla Internet

This is what things look like when using the Internet without VPN, Tor or proxies.

How it works: ISP

In red is regular Internet traffic. This goes directly from you to the websites (and other resources) you connect to, and back. Your ISP transmits all your Internet packets for you.

Sometimes the traffic is encrypted (HTTPS, TLS, etc), but many times it is not. When it's not, everything being sent is visible to the ISP.

TL;DR The ISP knows where you are connecting to and can read all your unencrypted traffic.

VPN Router

How it works: VPN

A VPN router will create a tunnel between you and itself. Once the tunnel is up, your computer should send all its Internet traffic through that tunnel. The tunnel goes through your ISP, but because the tunnel is encrypted (I hope so), your ISP should only see that you are connected to the VPN.

Once your traffic reaches the VPN server, everything after that is as usual (red). This means that whatever your ISP could see in the previous case, your VPN provider can now see.

TL;DR The VPN router knows where you are connecting to and can see all unencrypted traffic just like your ISP in the vanilla scenario, and your ISP knows you're using the VPN.

Tor (the) Onion Router

How it works: Tor

Imagine Tor as being like a VPN router except that its entry and exit points are separate systems and in between there are a bunch of Tor relay nodes that are also separate systems. The purpose of Tor is to route traffic so that each node only knows of the previous and next hop, in other words, to allow untraceable connections.

The traffic itself is encrypted all the way up to the exit node. From there on the same rules apply as with your ISP in the first case and the VPN in the second. Whatever is not encrypted is visible and connection destinations are known. What shouldn't be known to the exit node is the origin of the traffic, you.

One way of doing it wrong: if you make insecure connections to personal resources through Tor (or even secure connections to personal resources), the exit node can guess who you really are. Once it does, it can link your other activities back to you.

The strength and the weakness of Tor are both tied to the number of nodes operated by independent entities. Imagine the Tor network as a connect-the-dots puzzle: each node can see three dots (the previous hop, the next hop and itself). If one entity operates enough nodes, it can draw itself a clearer picture of what is happening.

In other words, the ISP knows you are using Tor, and that's all it should see.

TL;DR Your ISP knows you are connected to the Tor network and the Tor exit node can see all your traffic just like in the previous cases. However the exit node shouldn't be able to trace the connection back to you.

Why? And If So, Which One?

Once you understand what these things do and what they don't do you should be able to decide for yourself when, where and which. You might also start to prefer using HTTPS and other forms of encryption for any communication because as we've seen, whatever you do, if it's in cleartext, someone can read it.

There are always a few easy reasons to use such things, for example censorship circumvention. Most Internet censorship happens at the ISP, bypassing them can help get around it and for that, a VPN should suffice. If you want to greatly reduce the possibility of tracing the connection back to you, Tor would be better.

Sometimes BT (British Telecom) impersonates websites you visit and displays a fake "404 page not found" error when they should be displaying a page explaining that the website you are trying to reach has been censored. Even Saudi Arabia is more open about what sites are actually censored.

Other reasons may be more technical; for example, more and more ISPs enjoy messing with how the Internet is designed to function. TalkTalk hijacks DNS queries, so the results you get aren't real any more: according to TalkTalk, there's no such thing as a non-existent DNS record. This isn't even related to banning content, it's just plain tampering with communications and is probably illegal.

There can even be routing issues. For example, at one point in France, when using Free (an ISP), everything on YouTube would lag because of a dispute between Free and Google. Using a VPN got a better route.

Temporary Fixes Shouldn't Become the Norm

Treat your VPN provider like an ISP. Unless you are personally running the VPN server on dedicated hardware, you cannot trust them not to keep logs or do other nasty things. It also helps if you know the network administrator.

These solutions, as well as others (proxies and so on) should be considered temporary. As soon as they become a problem there will be attempts to block users from employing them.



I agree. Nice drawings btw!

Beyond the network issues you pointed out:
Another important point is that ISPs and websites are supposed to keep logs of user activity (in most countries). This means that a 3rd party could for example spy on what my vanilla "Me" - identified by an IP address - has read on Wikipedia. This could be interesting to that 3rd party, who could then easily find out who I am, what my interests are without even logging onto that web page. Tor is also useful in this case.

Moreover, when using - for example - the Tor Browser Bundle, all users have more or less the same user agent (I guess depending on the default browser language this changes a bit). Which is also a useful feature against "consumer"/user tracking by a 3rd party.

manu -

There are indeed many details (technical and ethical) I left out, the goal being to provide a neutral overview of what these things do. People having a basic theoretical understanding of such concepts is one of the things we need; without it, too many discussions make no sense at all.

Too much detail would be counter-productive in that it would lose those for whom this post was written. Confirmed sysadmins and crypto-privacy specialists should already know this stuff better than I. (I hope so).

But indeed, Tor, when using the Browser bundle, does other cool things like changing your browser's user agent string, but also comes with some default settings and plugins like HTTPS Everywhere, no browsing history and so on.


Is the VPN in 7 dedicated hardware? Then the person owning the pc/system would be the network administrator? Can I get comment updates here on the site? Or must I get them in through email? I'm trying to understand all of this.


There's something I'm missing with the above Tor example, if you can explain.
The traffic from the exit node (response) back to the ISP is in clear text, so your ISP can see the data coming back from the Tor network, and the ISP knows where to forward this data (back to me), so I don't see how Tor allows me to remain anonymous as the ISP can read this clear text data. I understand how the ISP can only tell I'm connected to Tor.

manu -

Hey GP,

The traffic from the Exit Node doesn't go directly to the ISP, it goes back through the Relay Nodes (encrypted), essentially the same route back.


Thanks Manu
Your response helped.
One more question if I may: once the ISP receives the response from the exit node, then any monitoring that may be happening at the ISP will be visible together with my IP address, as the ISP would need to know this in order to forward this data on. So the only thing that Tor prevents is being able to determine the server that has served the response information; the actual response info can be seen at the ISP when it's being forwarded to me. Is this right?

manu -


The only thing the ISP knows is that the packet originates from the relay node and is supposed to go to you.

Maybe imagine the whole transaction between you and the destination website like sending a letter via the postal service:

In a non-Tor environment the sender's and recipient's addresses are on the envelope at every step of the way. The data can be encrypted or not, depending on whether you are using HTTPS, but still everyone involved in transmitting this letter knows who is sending the letter and who is receiving it. The same happens when data comes back: you become the recipient and the website is the sender.

Using the Tor network, imagine a "Russian doll envelope": the sender and recipient that can be seen on the envelope are different at each step. When your ISP transmits that letter for you, it sees that you are the sender and the Tor Entry node is the recipient. The data is encrypted regardless of whether you are using HTTPS or not.

When the Tor Entry node gets the letter, it removes a layer of the envelope; it becomes itself the sender and the next Tor Relay node in line becomes the recipient. This goes on until the packet reaches the destination. So every step of the way, each node becomes the sender and the next node becomes the recipient. Nobody knows anything other than the step right before and right after.

The process is the same for traffic coming back to you. The website is the sender; when the packet arrives at the ISP, all the ISP can see is an encrypted packet coming from a Tor Node being sent to you.

Another way to visualise this process would be to imagine sending a letter within a letter: the inside letter has my address on it, the outside letter is to another person, let's say Bob. Bob receives the letter, the postal service knows you sent Bob a letter, then Bob sends the letter that is inside to me. As far as the postal service is concerned, those are 2 unrelated letters.
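The "Russian doll envelope" above, and the Tor section of the post itself (each node only knows the previous and next hop; the return path is encrypted all the way back to you), as a small simulation. This is an added example, not code from the post or from the Tor project: the three-node circuit, the node names, the `example.org` destination and the sample request/reply are all constructed, and the cipher is a toy XOR keystream built from SHA-256 so that the script has no dependencies. It is not Tor's real cryptography and must not be used for anything real; its only job is to show what each vantage point (ISP, entry, relay, exit, website) can read.

```python
"""Toy onion-routing walk-through (added example; not code from the original
post).  The client holds a separate key for each of three nodes and wraps the
request in three layers, so every node can peel exactly one layer and learns
only who handed it the packet and who gets it next.  The cipher is a
constructed XOR keystream from SHA-256 (toy, NOT secure, not Tor's design)."""
import hashlib

REQUEST = b"GET /wiki/Onion_routing HTTP/1.1"   # constructed sample request
REPLY = b"HTTP/1.1 200 OK"                      # constructed sample reply


def toy_keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256(key || counter) blocks (toy only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_xor(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts one layer."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, len(data))))


class Node:
    """A Tor-like hop: owns one key, peels one layer, logs what it could see."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, []

    def peel(self, prev_hop: str, blob: bytes):
        plain = toy_xor(self.key, blob)
        next_hop, _, inner = plain.partition(b"\n")   # header = next hop name
        self.seen.append({"from": prev_hop, "to": next_hop.decode(), "payload": inner})
        return next_hop.decode(), inner


def build_circuit() -> dict:
    """Three nodes with constructed keys the client shares with each of them."""
    return {
        "entry": Node("entry", b"key-for-entry-node"),
        "relay": Node("relay", b"key-for-relay-node"),
        "exit": Node("exit", b"key-for-exit-node"),
    }


def wrap_request(nodes: dict, destination: str, request: bytes) -> bytes:
    """Client side: innermost layer first (exit), then relay, then entry."""
    blob = request
    for name, next_hop in (("exit", destination), ("relay", "exit"), ("entry", "relay")):
        blob = toy_xor(nodes[name].key, next_hop.encode() + b"\n" + blob)
    return blob


def send_request(client: str, nodes: dict, destination: str, request: bytes):
    """Forward path.  Returns what the ISP sees and what the website receives."""
    blob = wrap_request(nodes, destination, request)
    isp_view = {"from": client, "to": "entry", "payload": blob}   # ISP vantage point
    prev, hop = client, "entry"
    while hop in nodes:                                   # entry -> relay -> exit
        next_hop, blob = nodes[hop].peel(prev, blob)
        prev, hop = hop, next_hop
    return isp_view, {"destination": hop, "from": prev, "request": blob}


def send_reply(nodes: dict, reply: bytes) -> bytes:
    """Return path: exit, relay and entry each add a layer; the ISP sees ciphertext."""
    blob = reply
    for name in ("exit", "relay", "entry"):
        blob = toy_xor(nodes[name].key, blob)
    return blob


def client_unwrap(nodes: dict, blob: bytes) -> bytes:
    """The client peels the entry, relay and exit layers with the keys it holds."""
    for name in ("entry", "relay", "exit"):
        blob = toy_xor(nodes[name].key, blob)
    return blob


if __name__ == "__main__":
    circuit = build_circuit()
    isp, site = send_request("me", circuit, "example.org", REQUEST)
    print(f"ISP   sees: {isp['from']} -> {isp['to']} | readable: {REQUEST in isp['payload']}")
    for node in circuit.values():
        s = node.seen[0]
        print(f"{node.name:5} sees: {s['from']} -> {s['to']} | readable: {REQUEST in s['payload']}")
    print("website gets:", site["request"], "from", site["from"])
    wire = send_reply(circuit, REPLY)
    print("reply on the wire readable:", REPLY in wire, "| client reads:", client_unwrap(circuit, wire))
```

Run it and the printout mirrors the envelopes: the ISP sees "me -> entry" and ciphertext, the entry node sees "me -> relay" and ciphertext, the relay sees "entry -> exit", and only the exit sees the plaintext request and the real destination, with "relay" as the sender. On the way back the reply is unreadable at the ISP and only the client, holding all three keys, recovers it. Note the same caveat the post makes: the exit still reads whatever is not protected by HTTPS.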


Man, that was a great response, thanks for taking the time. I understood what was said initially about the happenings once the data enters the Tor network (between the entry and exit nodes).
What I didn't appreciate then, but do now, is that all communication between me and the entry node (the request) and between the exit node and back to me (the response) is encrypted. I mistakenly thought the only encryption taking place was in the Tor network, i.e. only between the entry and exit nodes.
I get it now. Thanks for your patience and explanation, much appreciated.
Does using Tor make using a VPN redundant then?

manu -

Hey GP,

You're very welcome.

A VPN could be useful if your ISP blocks connections to the Tor network. Your ISP would see you connecting to the VPN and the VPN would see you connecting to the Tor network. This means your ISP will not know you are using Tor.

Patrick Lenotre -

Some applications that support working through a SOCKS proxy may not systematically route all of their communications through that proxy. For example, DNS (Domain Name System) queries may be made without going through the proxy. This is called a DNS leak. This leak can be a privacy problem and can leave you vulnerable to DNS-based blocking, whereas a proxy is usually able to get around that kind of blocking. This kind of DNS-leak vulnerability can vary from one version of a piece of software to another.

manu -

Patrick Lenotre,

Your ISP's DNS would not work in most cases if you go through a VPN. In many cases the VPN service comes with a DNS service.

I'm not saying that the DNS leak isn't a problem; you obviously have to make sure that when using a VPN your DNS servers are also in place (either the VPN's, or your own, or at worst a third party's).

As for proxies, I distrust them to the point that I don't consider them at all.

Informatique sur Rouen -

How to secure your VPN effectively

When you use a VPN connection, you might expect all of your traffic to go through it, and that is obviously what you are after! Unfortunately that is not always the case...

DNS (the domain name system) is used to translate a domain such as into an IP address that can be used directly to route data packets on the Internet.

So when you enter a URL in your browser, for example, your computer contacts a DNS server. So far so good.

But there's a catch! Most ISPs assign their customers DNS servers that they control, which lets them, among other things, record your Internet activity...

To start, open the Control Panel,
click Network and Internet, then Network and Sharing Center,
then click Ethernet.
Then click Properties... and click Internet Protocol Version 4, and choose "Use the following DNS server addresses"...

Yandex public filtering DNS (anti-malware)
Preferred DNS server: enter
Alternate DNS server: enter, then select OK to exit..

In the search bar at the bottom, type cmd and run it as administrator....
type the command ipconfig /flushdns
then connect to your VPN and type ipconfig /flushdns again
This DOS command empties the DNS cache

there is a serious security flaw in Firefox and Google Chrome
you need to disable WebRTC
in Firefox's address bar... type about:config
Find the line media.peerconnection.enabled.
Double-click it to set it to false, which disables WebRTC (hides the ISP and the private IP)

All that's left is to test!
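A DNS leak, as Patrick Lenotre describes it above and as the Windows DNS steps in this comment try to prevent, comes down to one question: does a query to the configured resolver leave over the tunnel interface or over the physical one? The check below answers that from the routing table alone. It is an added example, not code from either commenter: the routing table and resolv.conf are constructed (Linux-style `ip route` lines, RFC 1918 and RFC 5737 documentation addresses, made-up interface names `tun0` and `eth0`), and the 0.0.0.0/1 + 128.0.0.0/1 pair is the split that OpenVPN's `redirect-gateway def1` installs to override the default route without deleting it. The script does no network I/O; on a real machine you would feed it the output of `ip route show` and the contents of `/etc/resolv.conf`.

```python
"""Routing-table DNS-leak check (added example, not from the original comments).

For each configured resolver, perform a longest-prefix-match lookup against the
routing table and report which interface the query would leave on.  A resolver
reached over anything other than the tunnel is a leak: the query, and the name
you are looking up, go to the ISP in the clear.  All input is constructed."""
import ipaddress

# Constructed `ip route show` output: OpenVPN-style /1 split routes over tun0,
# the original default route and LAN still on eth0, and a host route to the
# VPN server (203.0.113.5, documentation range) so the tunnel itself can run.
ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev eth0
203.0.113.5 via 192.168.1.1 dev eth0
"""

# Constructed /etc/resolv.conf: the VPN's resolver plus the ISP router left behind.
RESOLV_CONF = """\
# constructed sample
nameserver 10.8.0.1
nameserver 192.168.1.1
"""

TUNNEL_DEV = "tun0"   # assumed name of the VPN interface


def parse_routes(text: str):
    """Turn `ip route` lines into (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes


def parse_resolv_conf(text: str):
    """Collect the nameserver entries from a resolv.conf body."""
    return [line.split()[1] for line in text.splitlines()
            if line.startswith("nameserver") and len(line.split()) > 1]


def egress_interface(routes, address: str):
    """Longest-prefix match: the most specific route containing the address wins."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def check_resolvers(resolvers, routes, tunnel_dev: str = TUNNEL_DEV):
    """Map each resolver to its egress interface and flag any not on the tunnel."""
    report = {}
    for resolver in resolvers:
        dev = egress_interface(routes, resolver)
        report[resolver] = {"dev": dev, "leaks": dev != tunnel_dev}
    return report


if __name__ == "__main__":
    routes = parse_routes(ROUTES)
    for resolver, verdict in check_resolvers(parse_resolv_conf(RESOLV_CONF), routes).items():
        status = "LEAK (outside tunnel)" if verdict["leaks"] else "ok"
        print(f"{resolver:15} via {verdict['dev']!s:6} {status}")
```

With the sample data the VPN's resolver 10.8.0.1 is matched by the 10.8.0.0/24 route and leaves on `tun0`, while 192.168.1.1 is matched by the more specific 192.168.1.0/24 LAN route and leaves on `eth0`, so keeping the ISP router as a fallback nameserver is exactly the leak the comment warns about even though the default route points into the tunnel. The same lookup shows why an arbitrary public resolver would still ride the tunnel (the /1 routes beat the default), which is the "use the VPN's DNS or your own" advice manu gives in his reply.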

manu -

Hi Informatique Rouen,

Thanks for the info. I don't have time to reply in detail, but I'll look into the DNS servers you recommended (I'm not sure I trust Yandex). In general I prefer to use the VPN's own, while I'm at it.

Ideally you set up your own VPN server and install a DNS resolver on it (Bind, for example). That avoids quite a few possible interceptions and filters.

This page was meant to explain the differences between VPN and Tor, so it also had to explain how a basic connection works. It is not a tutorial on how to do things.

In any case, thanks for the additions.
: ]

manu -

Two clarifications:

1. The instructions from "Rouen Informatique" are for Windows. I would never recommend using a non-free system, for obvious reasons.

2. I just tested for DNS and WebRTC leaks; apparently on Debian with Iceweasel and Chromium, using OpenVPN (client and server), there is no problem at all.

I didn't know about it; on the page I see my LAN IPs, but I don't see my ISP's IP, so that's fine.

So, Debian/Jessie + OpenVPN + Bind (locally or on the VPN server) and you can leave WebRTC enabled without much fear of leaks.

: ]

Pierre M -

Regarding filtering by browser, it is hard to achieve. Indeed, once the SSH tunnel is established, the packets are encapsulated in the SSH tunnel. The proxy and/or firewall then only sees the SSH tunnel, which it allows anyway. I do have a reservation, though, since I couldn't test it live.

manu -

Pierre M, I don't quite understand the "filtering by browser" thing; I don't think anyone mentions it on this page.