VPN Over Tor
Route your VPN traffic through Tor for enhanced privacy.
This guide covers setting up your own OpenVPN server with a SOCKS proxy, allowing you to tunnel VPN connections through Tor.
New to VPN over Tor? Read the theory and use cases first.
How It Works
Your Device → Tor Network → VPN Server → SOCKS Proxy → Internet
- VPN traffic is encrypted and sent through Tor
- The VPN server decrypts and forwards to the local SOCKS proxy
- The proxy makes the final connection to the destination
- Your real IP is hidden from the VPN server (it only sees a Tor exit node)
Prerequisites
- A VPS running Debian 12 (required for the dante-server package)
- SSH access to the server
- Tor running on your local machine (port 9050 or 9060)
Server Setup
Secure SSH Access
After logging in, update your system:
sudo apt update && sudo apt upgrade -y
Edit the SSH configuration:
sudo vim /etc/ssh/sshd_config
Change the following settings (uncomment if needed). Confirm that key-based login works first, since these settings disable password logins:
Port 22222
PasswordAuthentication no
UsePAM no
Restart SSH:
sudo systemctl restart sshd
Setup Firewall
sudo apt install ufw -y
sudo ufw allow 22222/tcp
sudo ufw enable
The OpenVPN installer will automatically add iptables rules for port 443.
Install OpenVPN
Use the automated installer:
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
When prompted:
- Protocol: TCP
- Port: 443
- DNS: Quad9 (or your preference)
- Client name: Choose a name for your config file
Save the generated .ovpn file — you'll need it on your client.
After installation, a new network interface tun0 is created with IP 10.8.0.1.
Install SOCKS Proxy
Install Dante server:
sudo apt install dante-server -y
Edit the configuration:
sudo vim /etc/danted.conf
Replace the contents with:
logoutput: syslog
internal: 10.8.0.1 port = 1080
external: eth0
socksmethod: none
clientmethod: none
client pass {
from: 10.8.0.0/24 to: 0.0.0.0/0
log: connect disconnect
}
socks pass {
from: 10.8.0.0/24 to: 0.0.0.0/0
log: connect disconnect
}
If your network interface isn't eth0, check with ip a and update the external line accordingly.
Start the proxy:
sudo systemctl restart danted
sudo systemctl enable danted
The SOCKS proxy runs on 10.8.0.1:1080 and is only accessible through the VPN.
Client Configuration
Modify the OVPN File
Edit the .ovpn file you received from the server. Add these lines before verb 3:
socks-proxy 127.0.0.1 9050
route-nopull
route 10.8.0.1 255.255.255.255
Use port 9050 for standard Tor, or 9060 for Tails/Whonix.
What these options do:
- socks-proxy — Routes VPN traffic through your local Tor proxy
- route-nopull — Ignores routes pushed by the server
- route 10.8.0.1 — Only route traffic to the proxy through the VPN
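A quick lint for the edited client file, as an added example that is not part of the original guide: it checks for the three directives above plus a TCP proto line, since Tor carries only TCP. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the guide. Function names are hypothetical.

# has_directive FILE REGEX: true if an uncommented line consists of REGEX.
has_directive() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*\$" "$1"
}

# check_ovpn FILE: print one line per problem, return the problem count.
check_ovpn() {
    f=$1; n=0
    has_directive "$f" 'proto[[:space:]]+tcp[46]?(-client)?' ||
        { echo "proto is not TCP; Tor only carries TCP"; n=$((n + 1)); }
    has_directive "$f" 'socks-proxy[[:space:]]+127\.0\.0\.1[[:space:]]+(9050|9060)' ||
        { echo "no socks-proxy to local Tor (127.0.0.1, port 9050 or 9060)"; n=$((n + 1)); }
    has_directive "$f" 'route-nopull' ||
        { echo "route-nopull missing; server-pushed routes would be installed"; n=$((n + 1)); }
    has_directive "$f" 'route[[:space:]]+10\.8\.0\.1[[:space:]]+255\.255\.255\.255' ||
        { echo "no host route to the proxy at 10.8.0.1"; n=$((n + 1)); }
    return "$n"
}

# write_sample FILE MODE: constructed sample config (203.0.113.10 is a
# documentation address); MODE=tor includes the three lines from this guide.
write_sample() {
    {
        printf '%s\n' 'client' 'dev tun' 'proto tcp' \
            'remote 203.0.113.10 443' 'nobind' 'persist-key' 'persist-tun'
        if [ "$2" = tor ]; then
            printf '%s\n' 'socks-proxy 127.0.0.1 9050' 'route-nopull' \
                'route 10.8.0.1 255.255.255.255'
        fi
        echo 'verb 3'
    } > "$1"
}

tmp=$(mktemp -d)
write_sample "$tmp/tor.ovpn" tor
write_sample "$tmp/plain.ovpn" plain
check_ovpn "$tmp/tor.ovpn" && echo "tor.ovpn: all checks passed"
check_ovpn "$tmp/plain.ovpn" || echo "plain.ovpn: $? problem(s)"
rm -rf "$tmp"
```

To lint your own file, call check_ovpn with the path to the .ovpn before connecting; a non-zero exit status is the number of missing directives.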
Configure Firefox
- Open Firefox Settings → Network Settings
- Select Manual proxy configuration
- Set SOCKS Host: 10.8.0.1, Port: 1080
- Select SOCKS v5
- Check Proxy DNS when using SOCKS v5
Connect
Start the VPN:
sudo openvpn --config client.ovpn
The proxy acts as a kill switch — Firefox can't connect without the VPN active.
Verify Setup
DNS Leak Test
Visit https://dnsleaktest.com/
You should see your VPS provider's DNS servers, not your ISP's.
WebRTC Leak Test
Visit https://mullvad.net/en/check
The WebRTC box should show no leaks.
Using as a Regular VPN
To use the VPN without Tor routing, remove these lines from the .ovpn file:
socks-proxy 127.0.0.1 9050
route-nopull
route 10.8.0.1 255.255.255.255
This routes all traffic through the VPN system-wide using the VPN's DNS.
Traffic Flow Explained
- VPN connects — Adds route only for proxy traffic (10.8.0.1)
- Firefox request — Sent to proxy at 10.8.0.1:1080
- System routing — Sees VPN route, sends through VPN tunnel
- VPN tunnel — Encrypted traffic flows through Tor to VPN server
- VPN server — Decrypts traffic, sees it's destined for local proxy
- SOCKS proxy — Makes final connection to destination website
The VPN server never sees your real IP — only a Tor exit node IP.