Tails and VPN Explained

Tails and VPN Explained

Tails is a Linux-based operating system for enhanced privacy while accessing the internet or using a computer. By routing all internet traffic automatically through Tor, it makes it simple for even technical beginners to use the internet safely and securely. This has enormous benefits for people such as human rights activists, who need a safe way to communicate digitally without their governments spying on them, which may save their lives.

A VPN, or “virtual private network”, is a mechanism for enhancing data security by encrypting data and sending it over a public network (like the internet) and routing it through secure servers. VPN is not a standard. There is no “definitive” VPN software or application. Various companies and open source technologies implement VPN’s, such as commercially by Cisco and through open source projects like OpenVPN.

Within the last decade, sophisticated anonymous VPN providers have been established that enhance privacy on the internet. They accomplish this by hosting their servers in countries with strong data protection laws and deleting all access logs and records. When you use an anonymous VPN, your ISP (such as Comcast, Verizon, etc.) is unable to read your data or spy on you, websites you visit don’t know your true IP address, and when downloading files or torrents a corporation cannot detect who you are. Anonymous VPN providers are also much faster than Tor.

Combining VPN and Tails / Tor

By combining anonymous VPN and Tails (over Tor), you can get enhanced privacy and benefits of both technologies.

Interestingly, at the time of this writing, the Tails VPN Support page implies this is a bad idea:

Some users have requested support for VPNs in Tails to “improve” Tor’s anonymity. You know, more hops must be better, right?. That’s just incorrect — if anything VPNs make the situation worse since they basically introduce either a permanent entry guard (if the VPN is set up before Tor) or a permanent exit node (if the VPN is accessed through Tor).

Similarly, we don’t want to support VPNs as a replacement for Tor since that provides terrible anonymity and hence isn’t compatible with Tails’ goal.

This makes it sound like VPN and Tor are a terrible combination! However, the rest of the page explains various use cases for Tor / VPN and their benefits, and even has a pull request to enable this feature, which is a pretty mixed message from the opening statement.

Let’s parse exactly what the quote above means:

Similarly, we don’t want to support VPNs as a replacement for Tor since that provides terrible anonymity and hence isn’t compatible with Tails’ goal.

The author says they don’t want to allow users to replace Tor entirely with a VPN stack, making Tails “Tor-less”, as VPN’s provide “terrible anonymity”.

I agree that allowing users to disable Tor would be a bad decision. Less sophisticated users may not understand the repercussions of such an action. However, saying that VPN’s are inherently insecure is incorrect. Although VPN’s can be considered a black box, if you purchase a VPN account anonymously, and trust the provider, this isn’t necessarily any less safe than Tor, which many people consider at least partially compromised by the US government.

if anything VPNs make the situation worse since they basically introduce either a permanent entry guard (if the VPN is set up before Tor) or a permanent exit node (if the VPN is accessed through Tor).

A “permanent entry guard” means that by having your data travel from your computer, through the VPN, and then into Tor, you are introducing an endpoint (server / IP address) that all data going to Tor flows into first. Is this any different than having all data flow directly from Tor to your own computer? Not really!

When you add a VPN server between your computer and Tor, the Tor entry node thinks that you are the VPN server. If Tor is compromised, then the attacker that compromised Tor would only know that you are the anonymous VPN server. They would also have to compromise the VPN server to get to you!

As long as you trust your VPN provider, this is unquestionably safer than accessing Tor directly if you are worried about Tor being compromised. I would love to hear arguments against this.

A “permanent exit node” means that having your data travel from your computer, through Tor, and then through the VPN, means that all servers receiving requests identify the VPN as the requester, and all Tor exit nodes identify the VPN as the exit node.

I agree that this is less safe than Tor alone, and isn’t much improvement to overall security. If Tor is compromised, eavesdroppers know 1) Who you are, and 2) What you requested. The benefit is that servers who receive your request will think it’s coming from the VPN rather than Tor, which will stop annoying Captcha’s and other techniques websites use to block Tor traffic.

Let’s examine each setup individually.

Tails to VPN to Tor


  • Tor network believes you are the anonymous VPN server
  • If Tor is compromised, they also need to compromise the VPN server
  • If Tor is blocked by your ISP, this will route data outside of your ISP first and allow access to Tor


  • If VPN network is compromised, a middleman now potentially knows your data
  • VPN is not free
  • Setting up VPN properly can be difficult


You have two options. One is to install OpenVPN inside of Tails and get everything configured properly. This is difficult and is not what Tails wants you to do.

The other option is to let Tails operate exactly as is designed, and put a VPN server between your Tails computer and the public internet. You can google instructions on how to make an access point inside of another computer and route traffic through it, you could build a Raspberry Pi or similar device to connect to, or you can put the VPN stack inside of a router (which you can get pre-built here). This is something that someone technical with a weekend of time can figure out, but if you go this route, make sure you configure it to never let data flow over the public internet, and use custom DNS servers to prevent DNS leaking.

If you want to put the VPN inside of Tails, you must enable sudo access at boot, install OpenVPN, and reconfigure the network to route data through Tor and then through the OpenVPN network interface. This is difficult, and will not persist between reboots, unless you also install Tails to disk, which then makes many of the benefits of Tails irrelevant. I recommend routing data outside of the Tails computer through another access point as detailed above.

Tails to Tor to VPN


  • Access websites and services that block Tor or make Tor more difficult
  • Access services that are only accessible on VPN


  • Compromised Tor network knows your real IP address
  • Services providers can focus on one place (VPN provider) rather than the entire Tor network if they want to de-anonymize you
  • Cannot access Tor hidden services


Tails VPN support page says:

use a SSH connection with the DynamicForward option. The newly created SOCKS port can be used to have a fixed outgoing IP address. We could write on how to use that in an “unsupported, advanced users only, may kill kittens” part of the documentation.

The SSH command line utility has a “Dynamic Forwarding” option accessible with the -D flag. Read the SSH man page to learn more (Note: if you have no idea what any of this means, I strongly recommend not doing this, it’s too advanced for you right now. Learn more about Linux, terminal / bash, SSH, and so on).

When you run SSH with the -D flag, SSH becomes a Socks proxy server that transparently forwards TCP and UDP packets to a destination address. An example would be:

ssh -D 7777 my_vpn_server.com

This will setup a Socks5 proxy server on port 7777 and forward packets to my_vpn_server.com (replace with real address). If you then configure Tor Browser to use this proxy server, you can have a static IP for your outgoing Tor packets, which will be your anonymous VPN.

I have not tried this myself, I have no idea how safe it is, and very little has been written on the subject. The fact that Tail documentation says “unsupported, advanced users only, may kill kittens” should be a warning to you about how safe this is.


Tails documentation is limited on the Tails / VPN subject, and doesn’t recommend using Tails / Tor over a VPN server. In my opinion, Tails with an anonymous VPN can indeed enhance privacy, as long as it’s setup with Tails going through the VPN and then through Tor. There are concrete benefits to doing this for people who want to increase their privacy, especially if you have concerns that Tor itself is compromised, or want added security.

Comments (2)

  • Leon Stevens Reply

    If I use your router with Tails, what test/command/website can I execute to assure that my traffic is actually reaching the VPN before it gets to Tor. Since a standard IP address check will show the Tor exit node in EITHER situation (data going through VPN or not), what test can I run/do to SHOW that some unusual/unexpected technical issue in either Tails or your router is causing the Tor traffic to bypass the VPN. (I am not looking for the technical information or assurance that this will not happen, but a way I can test it as a user).

    April 6, 2017 at 8:14 am
    • james Reply

      Great question. You can connect to the Easy VPN Router from a normal device and do IP check / DNS leak check and ensure that it’s working properly, then connect from the Tails device. It would be impossible to ensure that the IP connecting to Tor is actually the VPN router (Private Internet Access) unless you owned a Tor entry node and force-connected to it, which would not be advisable from a security perspective. The entire point of the Easy VPN Router is to make sure no traffic ever goes to the real internet. It is my opinion (as someone who has been in this scene for a long time) that I would not trust Tor directly, although many people would strongly disagree with me. I recommend VPN only or Tails + VPN over using Tor alone.

      April 6, 2017 at 2:12 pm

Leave a Reply

Your email address will not be published. Required fields are marked *