VPN + Tor = more anonymity?

Hi everyone,

A question to all the security experts out here. Is there any profit in using both VPN and Tor from the positions of anonymity?
I personally thought there is, for a couple reasons: 1) By using the VPN -> Tor junction you are hiding the fact of using Tor from your ISP, hence looking somewhat less suspicious. 2) You're harder to get traced back, so in case some bad guys happen to control both the entry node and the exit node in your Tor route, and they manage to find a correlation between the incoming and the outgoing traffic, all they can trace me back to is the VPN server address instead of my own.
Lately, i've been presented another opinion coming from the developers of Tails, another Linux distribution which aim is to provide some extra anonymity compared to the "other systems".

Briefly, their position is something like "Tor -> VPN junction might have some use cases, but is hard to implement, while VPN -> Tor is totally useless". That's why Tails doesn't allow users to set up VPN connections.
In Linux VPN connections are allowed, but now i'm wondering if there is any reason to set up a VPN connection anyway.
So, it would be great to hear some educated opinions on this topic. Thanks!

I think that the pros and cons of combining Tor with VPN, as well as different methods of doing so, are well-summarized in the referenced discussion on the Tails forum. In Liberte Linux, VPN -> Tor usecase is supported because many users need VPN for proper Internet access (e.g., PPTP), and because it masks Tor activity from local ISPs / organizations. Tor -> VPN might indeed be useful for reasons such as avoiding site blocks, but is cumbersome to implement correctly.

Not a security expert but I think it all comes down to trusting the VPN, if you're buying access.

Going through more proxies obviously makes you harder to unmask. You increase the security by using a different physical or virtual system to route through. That way Tor vulnerabilities for example could only get your VPN address (Tor->VPN) or only see encrypted VPN traffic (VPN->Tor).

If you go through a commercial VPN last you absolutely need to pay anonymously. Hidden services (.onion) are not available. It hides the fact that you use Tor from the destination. Necessary if they block Tor. You set it up like this: VPN on your anonymized system -> Tor on your router/proxy/host.
Going through VPN first hides the fact that you use Tor from your ISP. In that case you might also be interested in Tor bridges. You set it up like this: Tor on your anonymized system -> VPN on your router/proxy/host.
(If the order of VPN and Tor seems counter-intuitive at first glance, think of the VPN as another onion layer, the outer one will always have to be "pealed" first, the last proxy determines the first hop)

From https:/tails.boum.org/todo/vpn_support/

What we don't want

Some users have requested support for VPNs in Tails to "improve" Tor's anonymity. You know, more hops must be better, right?. That's just incorrect -- if anything VPNs make the situation worse since they basically introduce either a permanent entry guard (if the VPN is set up before Tor) or a permanent exit node (if the VPN is accessed through Tor).

Am I allowed to say that this is ignorant Bullshit? You already have a all-seeing entry node: your ISP, they get to see encrypted traffic, the VPN gets to see encrypted traffic too. They can do tagging attacks (until there is some kind of authenticity in Tor) and they can do passive fingerprinting attacks and timing attacks (always possible in low latency networks). But you haven't compromised your security/anonymity one bit compared to Tor without VPN.
Permanent exit node: That's a good thing for a lot of uses, you don't stand out much in server logs, you don't get blocked for "suspicious behavior" or have to enter captchas all the time. And you get to choose your exit node which has interested in not doing anything too fishy (because you pay them). N.b. while you should be anonymous to them you should check on them before trusting them with clear text communication. But indeed you are only pseudonymous and the VPN provider can build a dossier on you. So use more VPNs for different identities...
There's also a link to https:/trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN A lot more considerate than what the Tails guys cooked up.
(again confusing, their "VPN->Tor" and "Tor->VPN" referrs to the actual flow of your packets across the internet, my terminology referred to the local setup/routing, exactly the opposite order)

Thanks for all the info and opinions you presented guys (i'm the original poster).

Going through VPN first hides the fact that you use Tor from your ISP. In that case you might also be interested in Tor bridges. You set it up like this: Tor on your anonymized system -> VPN on your router/proxy/host.

In fact, my ISP doesn't block Tor, so i can access it without any bridges. But, my intent is make myself the least suspicious to the relays of my internet route which are under the jurisdiction of the country i'm living in. Primarily, the network path controlled by my ISP. So, they could still understand that i'm trying to connect to Tor, which i'd like to avoid. VPN service, on the other hand, belongs to another country, so i personally have more trust in them than in my ISP.
Otherwise, i've gotten the answers for all my questions, and assuming that my VPN service is trustworthy it seems a good idea to implement the "my machine <-> VPN <-> Tor <-> destination" connection scheme.
Thanks again for your input pals!

Tor -> VPN might indeed be useful for reasons such as avoiding site blocks, but is cumbersome to implement correctly.

One more profit from doing the Tor -> VPN juntion as i see it is elimination of the risk of eavesdropping on the exit nodes. Btw, is it really that cumbersome to implement? The VPN service provider Air VPN directly suggests this method. The essence of their solution is to make an OpenVPN connection via the proxy at 127.0.0.1:9050 which is created by the Tor client.
On their forum they also affirmatively answer somebody's question about the possibility to use this solution with Linux.

Hi, I have read Air VPN's suggestion and forum reply wrt. and feel as if something is amiss. Is it just a hack that happens to work because the connection to the Tor entry guard via which the OpenVPN connection is tunneled is never brought down? Because Tor will try to establish new connections over the VPN tunnel, due to the amended routing table. This sounds utterly unreliable. I.e., what happens if there are connection problems and timeouts?

So, with the current way, that Tor -> VPN scheme won't work, okay.
But there is a serious reason to make it work somehow. Especially in the case of Air VPN which accepts anonymous Bitcoin payments. I mean, in that case you're really much more safe in case somebody's on your tail. First, the bad guys would need to get past the VPN guys. And even if the VPN service provider receives a warrant or anything legally obliging to reveal anything they know, all they would be able to give out is a list of Tor exit nodes. And, you will probably receive an email notification about the bad guys' inquiry, so you will be able to lay low and change your ways.
The reason why i wrote that touching passage is that if there is a possible way to make the Tor -> VPN junction safe, even at the cost of it being less automated, i.e. you'd have to manually restart something when you need to, it would be cool to go that way.

I mean, in that case you're really much more safe in case somebody's on your tail.

I don't see how is that more safe than using plain Tor. Adding a VPN step would prevent some site-level blocks, but otherwise it reduces your anonymity, since there are likely less given VPN vendor users than Tor users.

Tor exit bridges, if implemented, would make Tor via VPN arrangement unnecessary, I think. In the meanwhile, it's probably easier to implement post-Tor proxies using transparent proxying on the firewall, while providing essentially the same functionality as post-Tor VPN.

as long as it's a decent VPN solution, I think you shouldn't have any problems with anonymity as they're pretty good at hiding IP addresses.  Some decent options I've found recently are; 1) http://www.hushtunnel.com&nbsp; 2) http://vpncreative.com/review/vpnsecure-me-review/