Tor + OpenVPN
The scenario in this article is that you want all your computer’s traffic to go through Tor, but Tor is blocked in your country.
The solution we demonstrate in this article is that we will collect all the computer’s network traffic by installing a virtual private network (VPN) client. To pass our traffic through Tor before it gets to the VPN server, we will define Tor as a SOCKS proxy. To overcome domestic blocking of Tor, we will use a bridge.
This solution has the additional advantage that your exit node will be a VPN server, and not an obvious Tor server. This can be useful if you visit websites that block or impede Tor users.
The client in our examples runs Windows 10.
You need a VPN provider so that you can connect to a VPN server after passing through Tor. Some privacy-focused providers you might consider are IVPN, Mullvad, and AirVPN. These are only possibilities, and not necessarily recommendations. You will need to look for a provider:
- who offers TCP servers
- who allows you to connect to their servers from Tor nodes
- whose payment methods are accessible from your country
As you search for a suitable VPN provider, beware of affiliate pages posing as reviews. Also be skeptical of claims not to keep logs. In the past, at least one provider turned out to be dishonest in this respect. And watch out for free VPNs based in mainland China which are under the control of the Chinese Communist Party.
In many countries, you can download Tor Browser from www.torproject.org.
Some countries block the domain www.torproject.org, making it difficult for netizens to get a copy of Tor Browser. The GetTor service can help these users. Simply send an email to email@example.com. It will automatically respond with alternative download links for Tor Browser. These download links point to GitHub, GitLab, the Internet Archive, and Google Drive. At least one of these hosting providers should be accessible from any country. For example, users from China can download Tor Browser from the Tor Project’s GitHub mirror.
At the time of writing, the installer .exe file is about 64 MB. Once you have downloaded it, run the installer to install Tor Browser on your PC.
Do not connect directly. We need to configure Tor to use bridges. We will do this in the next step.
In countries where you cannot directly connect to the Tor network, you need to use bridges. Bridges are unlisted Tor relays and, depending on the bridge type, they can obfuscate network traffic in a way that’s more difficult for censors to detect.
The simplest method of censorship circumvention in Tor Browser is to use the built-in bridges — a set of a dozen bridges that come with Tor Browser. These bridges are essentially public, which is why more effective censorship systems (such as China’s Great Firewall) block them. But they are still effective in many countries, e.g. Iran.
- Launch Tor Browser for the first time.
- Click Configure.
- Select Tor is censored in my country.
- Choose Select a built-in bridge.
- From the dropdown list, select obfs4.
- Now you can click Connect.
If you need alternative bridges, use a Gmail account to email firstname.lastname@example.org. Leave the subject line blank and write get transport obfs4 in the body of the email.
Note that in China you must use meek-azure instead of obfs4. If your version of Tor Browser offers snowflake, that may also work.
Once you have connected, visit check.torproject.org to confirm that you are connecting through Tor. You should see the text: “Congratulations. This browser is configured to use Tor.”
Some VPN providers offer their own client software as an alternative to the standard OpenVPN client. In this scenario, we need to use the standard OpenVPN client.
Using your regular browser, download the 64-bit Microsoft Installer (MSI) for Windows 10 from the OpenVPN website.
Once you have downloaded it, run the .msi installer to install the OpenVPN client on your computer.
At the end, it displays a message to say that there are no connection profiles (config files) yet. This is okay. Just press OK.
OpenVPN can use either the UDP or the TCP protocol, but Tor can only handle TCP. For our scenario, we must therefore use TCP.
Choose a location from among those offered by your VPN provider. This will be your exit node after you have passed through Tor.
Download your VPN provider’s configuration file for your chosen location and for protocol TCP. It will have a name that ends in
In the Windows search box, type notepad. Open the Notepad built-in app. Edit the .ovpn file you just downloaded. We are going to insert a new line that looks like this:
socks-proxy server [port]
This tells the OpenVPN client to connect to the VPN server via a SOCKS5 proxy at address server and port
The Tor client that comes with Tor Browser listens on localhost port 9150. Therefore the line you actually insert will be:
socks-proxy 127.0.0.1 9150
Do File > Save to save the file. Close Notepad.
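The same edit can be made by a script that first checks the profile can work through Tor at all. The following is an added example, not part of the original article or of OpenVPN: it refuses a profile whose remote would use UDP (OpenVPN's default when no proto is given) or that already names a different proxy, and otherwise inserts the socks-proxy line. The function names and the sample profiles are constructed for illustration.

```python
TOR_SOCKS = ["127.0.0.1", "9150"]   # Tor Browser's SOCKS listener, per the article

# Constructed sample profiles (not taken from any real provider)
TCP_PROFILE = "client\ndev tun\nproto tcp\nremote vpn.example.net 443\n<ca>\n(omitted)\n</ca>\n"
UDP_PROFILE = "client\ndev tun\nremote vpn.example.net 1194\n"

def directives(text):
    """Yield (line_no, tokens) for active top-level directives in an .ovpn profile."""
    block = None
    for no, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if block:                                  # inside <ca>, <cert>, <key>, ...
            if line == f"</{block}>":
                block = None
        elif line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            if block == "connection":              # per-remote settings: fail closed
                raise ValueError("<connection> blocks are not handled; review by hand")
        elif line and line[0] not in "#;":         # '#' and ';' start comments
            yield no, line.split()

def route_via_tor(text):
    """Return the profile with the socks-proxy line added, or raise if it cannot work."""
    found = list(directives(text))
    protos = [t[1] for _, t in found if t[0] == "proto" and len(t) > 1]
    default = protos[-1] if protos else "udp"      # OpenVPN defaults to UDP
    remotes = [(no, t) for no, t in found if t[0] == "remote"]
    if not remotes:
        raise ValueError("profile has no remote directive")
    for _, t in remotes:
        proto = t[3] if len(t) > 3 else default    # remote host [port] [proto]
        if not proto.startswith("tcp"):
            raise ValueError(f"remote {t[1]} uses {proto}; Tor carries only TCP")
    proxies = [t[1:] for _, t in found if t[0] == "socks-proxy"]
    if any(p[:2] != TOR_SOCKS for p in proxies):   # some other proxy is already set
        raise ValueError(f"profile already sets socks-proxy {proxies}")
    if proxies:
        return text                                # already routed via Tor
    lines = text.splitlines()
    lines.insert(remotes[0][0], "socks-proxy " + " ".join(TOR_SOCKS))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(route_via_tor(TCP_PROFILE))
```

Failing on a UDP profile before connecting is the useful part: the mistake is caught when the file is edited rather than when the tunnel fails to come up.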
If you have not already done so, start Tor Browser, but minimize it. This keeps Tor listening on port 9150.
Find the OpenVPN GUI from the icon in the system tray. Right-click on the icon to bring up the OpenVPN menu.
Select Import file, find your edited .ovpn configuration file, and open it. After the file is imported successfully, click OK.
Again, bring up the OpenVPN menu from the system tray. Now there are more options. Select the menu option Connect to connect to your OpenVPN server.
Enter your username and password for your VPN provider. Check the option to save your password. Click OK.
Open your regular browser and visit IPchicken.com. You should see the IP address of your provider’s OpenVPN server, not your local client IP address. Your request has reached the OpenVPN server via Tor, using a bridge to reach the Tor network.
As stated in the introduction, this post is for Windows 10 users. If you want to adapt it for Linux, you will need to look at your routing table:
sudo route -n
It may be that starting OpenVPN with the socks-proxy option has caused OpenVPN to add an extra entry for destination 127.0.0.1. This makes sense with an external SOCKS proxy, but not with an internal SOCKS proxy. Therefore you should delete this route:
sudo route del -net 127.0.0.1 gw G.G.G.G netmask 255.255.255.255
G.G.G.G is your default gateway.
You also need to tell the routing to reach your Tor entry node outside of the VPN:
sudo route add -net E.E.E.E netmask 255.255.255.255 gw G.G.G.G
E.E.E.E is your Tor entry node (either a bridge or a guard node) and G.G.G.G is your default gateway. This will only work if your entry node is relatively static.
It should be possible to script these route table changes and invoke them with the OpenVPN route-up option. The corresponding option when taking down the VPN is route-pre-down. Neither of these possibilities has been tested.