Tor to VPN

Hi everyone

Here is a reason I am interested in TOR>VPN. My employer forces me to work remotely on their laptop using our company VPN (Cisco). However, they demand I work from the USA for tax residency reasons. I would like to hide from my employer that I am working from Canada or Europe sometimes, during my travels. So, if I set up TOR on my computer, then start their VPN, will the company sniffing through the VPN think I am remote from the USA (assuming I set the last exit node to USA)?

Any help would be most welcome.

The best might be connecting to a "server" at your home through a ssh, and from there, to the internet. Using a old computer connected to the net might work... although a better "ssh + vpn" option might be available... any other ideas?

How to set up VPN- --> Tor  in Linux?
Using tor-resolve and then what? Setting up VPN and then using which browser?
Can someone please explain step for step to use Tor and hide usage of it for ISP with VPN?

guise, sorry to interrupt, but what I picked up from a blackhat discussion in some random irc is quite opposite to what some of you wrote down in this post. Maybe I am wrong though - I would be certainly happy to receive critical feedback then. What I remember is:
Tor -> VPN = safe, pally VPN -> Tor  = goto jail
The reason for this (if I remember right) was, that all timing and outnode sniffing attacks are renderes useless in case of a VPN behind Tor, because traffic is encrypted. In the meanwhile, all the VPN provider (who must be paid anonymously) gets to see is some exit nodes and your cleartext traffic. As long as you don't put any information about your identity in there, you should be pretty safe for most of the use cases.
While on the other hand a VPN -> Tor connection is complete nonsense, which does not need any further explication in my opinion.
However, please prove me wrong, guys

What I remember is:
Tor -> VPN = safe, pally VPN -> Tor = goto jail
While on the other hand a VPN -> Tor connection is complete nonsense, which does not need any further explication in my opinion.

"Mattew"

It depends on who are you hiding from. So-called Threat Model:
1) Your ISP & police in your country shouldn't know what sites are you visiting.
2) Hoster of a website & police in the hoster's country shouldn't know who is accessing this site.

When using Tor, even third enemy appears:
3) Tor exit node shouldn't see traffic between you and the website.


So if website supports https protocol, and SSL certificate is valid and really belongs to that website (not to random man in the middle) then you don't need VPN at all. Tor is sufficient enough to fight all 1) 2) and 3). But VPN can be useful in some other cases:

a) Website uses plaintext HTTP protocol, and you want to encrypt your traffic while it travels through Tor exit node.
Tor -> VPN is exactly for this case:

Your computer ==> Tor ==> Tor Exit Node ==> VPN Server --> Website.

==> traffic is encrypted
--> traffic is unencrypted


b) You don't want your ISP or authorities in your country know the fact you are using Tor (for example if Tor is illegal in your country or you don't want to fall under suspicion in any way). Then the scheme should look like this:

Your computer ==> VPN ==> Tor ==> Tor Exit Node --> Website.

So in a) you have to trust your VPN server (and hoster of your VPN server, and police that can come and take your VPN server down, or silently put some traffic sniffer in the datacenter)
And in b) you should trust some random Tor Exit Node (and ISP of that node, and police in the country where that exit node operates).

I am not sure which one of these options is worst.

In regards to computer security, or any security for that matter, it always comes down to your own threat model. What is it you're trying to protect yourself from?

VPN over Tor = provides anonymity from your VPN provider. It will also prevent your ISP from knowing you use the Tor network. It will not provide any protection from malicious exit nodes on the Tor network.
Use this method in cases where you are concerned your activities (which, legal or not, might get you in some trouble) are being logged by your VPN and could be turned over to the authorities. Use this method to prevent your ISP, or your government, or anyone else, from knowing that you use Tor. People who live in repressive regimes might like this because simply using privacy enhancing tools is enough to get you thrown in prison or much worse. People who live in supposedly less-repressive countries, but who are in low-density populations where few people use Tor, can really stick out and attract unwanted attention even if their activities are legal. Who wants that? 

You might not need to use this if you live in a dense area where it's likely lots of people are using Tor. You can blend in with the masses. Lucky you.

Use this method to prevent general snooping and sniffing outside the Tor circuit in the same way VPN alone would.

Tor over VPN = provides a shield from malicious tor exit nodes by giving you full end to end encryption inside the circuit

Use this method to encrypt the contents of your communication and thwart malicious Tor exit nodes.

Use this if you trust your VPN, or if what you are sending over it has no chance at all to hurt you (or identify you). 

Use this method if it doesn't matter who knows you are using Tor.



As with any security methods, everything has its place depending on your threat model and what you're trying to achieve. In my experience anyone who says  Thing A is all bad and Thing B is all good usually doesn't know what they're talking about....or they're selling Thing B.  ;)

"VPN > Tor = provides privacy from your VPN provider. It will also prevent your ISP from knowing you use the Tor network. It will not provide any protection from malicious exit nodes on the Tor network."
fixed.

--- vpn>tor vs tor>vpn-- With this method (VPN>TOR) your VPN KNOWS you are using tor (including time stamps and first node IP), and they KNOW who you are because they have direct access to your IP also backed up (potentially) by payment information. They don't know WHAT you're sending/recieving. This method is pretty much only useful for hiding tor use from your ISP. In some locales this can be an important feature, but bridges also serve the same purpose. I've read that VPN use is more common and less "suspicious" traffic, however tor use is legal in most places.
I'm not 100% on VPN structure or where it sits on the OSI stack. I do know there are different kinds and it's harder for leakage because VPN's take most if not all your traffic instead of just TCP (TOR). I believe that when you use VPN>TOR your TCP traffic is encrypted for TOR before it ever gets seen by anyone else on your network/VPN If you have any leakage (non TCP traffic, or TCP traffic not properly routed through TOR) your VPN will see your end destination traffic =bad (VPN > TOR).

with TOR>VPN the VPN sees all your outbound traffic but they don't know WHO you are (anonymity). This assumes that they have no payment information or any traffic content which can be linked to you (i.e. browsing your facebook w/ login info). This does provide a single static vector for attack and data can be logged for extended periods of time which can reduce anonymity so you will want to change as frequently as possible. TOR>VPN is good for visiting sites or services which block tor exit nodes, or if you want to hide the fact you are using tor from your end destination.



---- attacks ---- tangent There are attacks which can be implemented against low latency networks (no matter how many nodes). If a global adversary can see all the traffic, they know what's going where, and when. If this is logged privacy & anonymity = gone If they can see most of the data and request for the rest privacy & anonymity = gone. I'm guessing you'd have to be a pretty big fish to get fried this way as it would require a fair amount of resources and a lot of international cooperation. Dont be fooled as there are  monitoring stations that passively collect data. It's a matter of scale, priority, and threat level. Multiple governments use TOR as well so it must be fairly good at what it does. There are other attacks with which I'm less familiar. end-to-end timing - if they can see exit traffic and entry traffic they confirm by timestamping and volume of data.

We also assume that encryption can't be broken in a reasonable of time or expense of resources. I'm willing to bet that governments can crack a lot of encryption schemes but it also requires a lot of resources (back to threat model) and still time. In theory, all data, logs, and traffic could be stored and slowly cracked over time or stored for future use but the amount of traffic generated vs available storage space is unfathomably large. Also, if a person were smart with that kind of tech (serious encryption breaking) it would be used secretly, sparingly, and only for very important tasks.

Controlling stake of TOR relays, MitM most of the attacks mentioned are more geared towards the traffic side of tor, there are other server <-> client attacks which have less to do with tor itself than really client issues such as a compromised machine, fingerprinting, personally identifiable data etc etc.
more on attacks here:

https:/blog.torproject.org/category/tags/attacks
Any corrections or thoughts are welcome.