If I was in high school, tasked with a writing a term paper about online privacy, I might hand in homework that compared and contrasted Tor, consumer VPNs and VPN routers. Something much like the following.
VPNs can be classified by their target audience. Consumer VPNs are a service sold to individuals. Business VPNs are used by companies to provide employees with secure access to the home office. Site to site VPNs link two physical locations with an always-on encrypted connection. Here, I will be discussing consumer VPNs.
When you sign up with a consumer VPN provider such as TunnelBear, ExpressVPN, Cloak, VyprVPN or Private Internet Access, your computing devices (smartphone, computer, and maybe even a router) get the right to establish an encrypted connection to a VPN server computer run by the VPN company. If things are working well, after making this connection, all data entering and leaving the VPN-connected device is encrypted.
The classic use for a consumer VPN is on public Wi-Fi, where the VPN prevents anyone near you from being able to spy on your activities. Articles on this tend to focus on a hacker across the street, but a VPN also hides your activity from the operator of the public Wi-Fi network itself.
VPNs are also recommended in a hotel, whether connected to the wired or wireless network of the hotel. Even at home, a VPN can keep your online activities hidden from your Internet Service Provider (ISP).
The encryption, however, is only between your device and the VPN server. When outgoing data reaches the VPN server it is decrypted and dumped on the internet. Likewise, any incoming data is not encrypted until it hits the VPN server, which encrypts it and sends it to your device.
The connection between your device and the VPN server is referred to as a tunnel, because, from the outside, you can't see into it.
Looked at another way, VPNs do not offer end-to-end encryption. Protocols such as HTTPS for web pages or IMAPS for email do provide end-to-end encryption. Interestingly, when already-encrypted data is sent through a VPN tunnel, it is double encrypted.
For some VPN users, the encryption in the tunnel is secondary.
As far as the outside world is concerned, your VPN-connected device is located wherever the VPN server it is connected to is located. So, if you live in the U.S., but connect to a VPN server in Canada, all the computers you come in contact with think you are in Canada. I cost myself money doing this back in April.
The software that connects to a VPN server is called VPN client software. Depending on the type of VPN, the operating system on a computing device may be able to make the VPN connection on its own. If not, then the VPN provider will offer client software.
Even if the operating system supports a particular VPN, you still may prefer software from the VPN company because it adds extra features such as easily switching between VPN servers, avoiding trackers or insuring that no data ever leaves the device without going through the VPN.
Everything said so far, also applies to Tor (The Onion Router).
Tor also encrypts data between itself and your device, and, as with a VPN, the encryption is not end-to-end.
Both Tor and a consumer VPN make you appear to be physically located somewhere else, but there are differences.
A big difference is that a VPN lets you control the server you connect to; with Tor you have no control. Many Canadians use VPN servers in the U.S. because Netflix offers more stuff in the U.S. than they do in Canada.
However, what you lose in control with Tor, you gain in anonymity.
From the outset, Tor was designed to hide the physical location (IP address) of your computer. The first Tor computer you communicate with obviously knows where you are, but the last computer in the Tor network handling your connection, the one that dumps your data on the internet, does not know where the data came from.
This last computer is called an "exit node," it is where data exits (and re-enters) the Tor network. The outside world sees you as being physically located wherever the Tor exit node is located.
Tor typically bounces your data between three randomly chosen computers in its network. The exit node only knows about the middle of these three Tor computers. It has no clue where the initial communication into the Tor network came from. It doesn't know who you are.
In contrast, a VPN company typically does know who their customers are. I say "typically" because some VPN providers allow anonymous signups using cash, Bitcoin or gift cards.
All data traveling within the Tor network is encrypted. Data between your device and the first Tor computer is triple encrypted, between that Tor machine and the middle one, data is double encrypted, and between the middle Tor computer and the exit node, data is encrypted just once. As with a VPN, add one to these numbers if the data was encrypted to begin with.
While not a security issue, there is usually a big speed difference between a VPN and Tor. Since data passes through three Tor network computers, all run by volunteers, it is inevitably slower than a VPN which passes data through a single computer run by a commercial company that is judged, in part, on the speed of their connections.
As for the software on your computing device, the only operating system that supports Tor out of the box is Tails, a Linux distribution that sends everything over the Tor network. Getting a running copy of Tails is a huge pain in the neck, but, for anyone who can hack it, it's the most secure way to go.
The Tor project offers software called the Tor browser for Windows, Mac OS X, or Linux. This is not as secure as using Tails because the host operating system may not be secure.
Accessing Tor from Android and iOS is another thing altogether and may not be worth bothering with.
For example, if you want to leak a secret to Glen Greenwald himself, over at The Intercept, then you have to use something called SecureDrop, which is only accessible from within the Tor network. The Intercept has instructions for Tails and the Tor browser, but says nothing about iOS or Android.
The Tor project itself has not produced any iOS software, so using any Tor software on an iDevice means placing a lot of trust in the author. Back in 2014, scam software made it into the app store and Apple was slow to remove it. That said, for web browsing on iOS, I might go for the Onion Browser by Mike Tigas. It's a normal iOS app and, in my opinion, the easiest on-ramp to Tor.
On Android, the Tor project works with The Guardian Project on Orbot, a free proxy app that, in effect, lays the foundation for Tor. Orbot needs to be installed and running before any supported Android app can run through the Tor network.
For web browsing, The Guardian Project offers Orfox, and other compatible apps are listed here. Orfox is based on Firefox, and is currently in beta. It's also a bit behind; Firefox on Android is now at version 48, Orfox is based on version 38.
VPN server routers
On the September 13th episode of Security Now, Steve Gibson was asked his opinion of a particular VPN provider. Rather than discuss one company, he took issue with the basic concept of a consumer VPN.
In our contemporary modern surveillance world, the traditional centralized VPN server model, I would argue, has become maybe a little challenged ... if what people want is true privacy and surveillance avoidance, the concern is that this is not unlike the trouble that Tor exit nodes are known to have ... We know that intelligence and law enforcement agencies are naturally attracted, sort of like bees to honey, to Tor exit nodes because that's where the information is. Something is coming out of there that somebody wanted to obscure ... And a VPN's exit node is ... a data concentrator by nature ... the traffic emerges unencrypted from the VPN encryption tunnel that was carrying it, out onto the Internet, where it is then subject to scrutiny.
In other words, using a VPN or Tor draws attention to yourself. And, nothing stops a spy agency from logging data that leaves a VPN tunnel or the Tor network. While true, this omits an important fact -- the spies don't know where the data came from or who sent it.
Still, Gibson suggests keeping a low profile.
... for many applications I think that running one's own VPN server at home can make much more sense. Then, when you're out on the road, your traffic can be protected on its way to your home base, where you are then able to directly access your home assets - like, Leo, your Drobo, which you've left at home with your 300 Audible books ... But also your traffic can emerge onto the Internet from there, even if you're traveling remotely. So what that avoids is the attention concentration that any commercial service creates.
What Gibson is referring to here is using your home router as a VPN server. Some routers can do this, some cannot. My favorite router, the Pepwave Surf SOHO supports two types of VPN server, PPTP and L2TP/IPsec. Asus supports PPTP and OpenVPN. The Synology RT1900ac supports PPTP, OpenVPN, and L2TP/IPSec.
I am not a fan of using a home router as a VPN server.
While it provides the encryption to protect yourself at a hotel when traveling, it does not let you fake your physical location, other than appearing to be home while traveling.
And, this is only a solution when traveling, it does nothing to protect you at home where your ISP may be watching what you do for advertising purposes. In Texas and Kansas City, AT&T offers two prices, you can pay less and be spied on or pay more and hope they are not spying on you. And lets not forget that Verizon was caught using a supercookie to track customers on their 4G/LTE data service. The FCC went after them for that.
Being spied on by your ISP is arguably worse than governmental spying on a VPN server or a Tor exit node -- your ISP knows exactly who you are. And, if you have drawn the attention of law enforcement, your ISP may well be feeding them a log of everything you do.
Finally, when traveling, I turn off all my computers. If my home will be empty, the router and modem are turned off too. It's safer that way
VPN client router
The term "VPN router" typically refers to a router than can function as a VPN server. However, some routers can function as VPN clients which, depending on your needs, may well be the more valuable option.
For one thing, a VPN client router can provide VPN connectivity to devices that don't support VPNs at all. It can also funnel more than one device through its VPN tunnel.
ThinkPenguin sells a low end VPN client router, the TPE-R1100 for $49. Or, you may be able to buy a pre-configured VPN client router from a VPN provider. Among the companies offering this are ExpressVPN, Witopia, BlackVPN, TorGuard and StrongVPN. At FlashRouters.com you can buy many different routers configured to work with a wide range of VPN providers. Many Asus routers can function as a VPN client for PPTP, L2TP and OpenVPN type VPNs.
These benefits are not limited to VPNs, some routers can connect to the Tor network on their own. Asus owners willing to install the Merlin firmware can have their routers connect to Tor. I have a list of VPN and Tor routers at RouterSecurity.org.
Still not satisfied? InvizBox, Anonabox and the Tiny Hardware Firewall all claim to support both VPNs and Tor (I have no personal experience with any of them).
As with everything, Tor and VPNs have their strengths and weaknesses.
Computers in the Tor network are run by volunteers. No doubt, spies and assorted bad guys volunteer to run Tor exit nodes -- the computers that see unencrypted data.
In addition to spying, some Tor exit nodes have been found to manipulate data, arguably a bigger danger. Note that data sent with end-to-end encryption can not be modified in-flight.
Tor volunteers may be more likely to make configuration mistakes. VPN servers are more likely to be setup by professionals.
Most VPN providers have servers all over the world. Some like this feature because it lets them access websites restricted in their home country. But it also lets you connect to a VPN server in a country with stricter privacy rules than your own. If, for example, you are concerned about the Five Eyes countries, you can avoid them.
And this choice is not limited to server computers. You can chose a VPN provider based in a country with stricter privacy rules than your own.
As for pricing, Tor is free, whereas most consumer VPNs are priced at around $40 to $150/year. Yes, there are free VPNs, but some things are worth paying for, and to me, a VPN is one of those things.
Finally, Tor is a single entity, one with a huge target painted on its back. Much time and effort is devoted to finding every chink in the Tor armor. Just this week, a new vulnerability was found in the Tor browser.
Speaking of vulnerabilities, I think it's reasonable to expect VPN client software to need fewer updates going forward compared to Tor software. The Tor Browser is based on Firefox and needs to updated fairly regularly. Tails is an entire operating system, and since it was designed not to keep any information, new versions require users to create an entirely new copy of the system. VPN client software is more limited in scope and thus should need fewer updates in the future.
Update: the above was added Sept. 19, 2016
While no single VPN provider may ever be the high profile target that TOR is, the downside is that choosing a VPN company can be overwhelming. The EFF has advice and thatoneprivacysite.net has both comparison charts and refreshingly candid reviews.
Another problem with having hundreds of VPN providers is that one of them could be a front for a spy agency.
If I were a spy, that's what I would do.
- - - - - - - -
Update: Sept. 19, 2016. Whonix is another Linux distribution that supports Tor out of the box. It runs as two operating systems, each in its own virtual machine. You work in one, referred to as the Whonix-Workstation, that can only communicate to the outside world through the other, referred to as the Whonix-Gateway. The Gateway system only communicates over Tor. The system you work in, the Workstation, does not know its IP address, so even if its hacked, there is no secret to reveal. See comparisons with Tails and the Tor browser here and here. Whonix also runs under Qubes.