Tor + OpenVPN

In the solution we describe in this article:

This solution has the additional advantage that your exit node will be a VPN server, and not an obvious Tor server. This can be useful if you visit websites that block or impede Tor users.

The client in our examples runs Windows 10.

1. Create VPN Account

You need a VPN provider so that you can connect to a VPN server after passing through Tor. Some privacy-focused providers you might consider are IVPN, Mullvad, and AirVPN. These are only possibilities, and not necessarily recommendations. You will need to look for a provider:

As you search for a suitable VPN provider, beware of affiliate pages posing as reviews. Also be skeptical of claims not to keep logs. In the past, at least one provider turned out to be dishonest in this respect. And watch out for free VPNs based in mainland China which are under the control of the Chinese Communist Party.

2. Install Tor Browser

In many countries, you can download Tor Browser from

Some countries block the domain, making it difficult for netizens to get a copy of Tor Browser. The GetTor service can help these users. Simply send an email to [email protected]. It will automatically respond with alternative download links for Tor Browser. These download links point to GitHub, GitLab, the Internet Archive, and Google Drive. At least one of these hosting providers should be accessible from any country. For example, users from China can download Tor Browser from the Tor Project’s GitHub mirror.

At the time of writing, the installer .exe file is about 64 MB. Once you have downloaded it, run the installer to install Tor Browser on your PC.

Do not connect directly, though. First, we need to configure Tor to use a bridge. We do this in the next step.

3. Configure Tor

In countries where you cannot directly connect to the Tor network, you need to use bridges. Bridges are unlisted Tor relays and, depending on the bridge type, they can obfuscate network traffic in a way that’s more difficult for censors to detect.

The simplest method of censorship circumvention in Tor Browser is to use the built-in bridges — a set of a dozen bridges that come with Tor Browser. These bridges are essentially public, which is why more aggresive censorship systems (such as China’s Great Firewall) block them. But they are still effective in many countries, e.g. Iran.

  1. Launch Tor Browser for the first time.
  2. Click Configure.
  3. Select Tor is censored in my country.
  4. Choose Select a built-in bridge.
  5. From the dropdown list, select obfs4.
  6. Now you can click Connect.

If you need alternative bridges, use a Gmail account to email [email protected]. Leave the subject line blank and write get transport obfs4 in the body of the email.

Note that in China you will probably have to use meek-azure instead of obfs4. If your version of Tor Browser offers snowflake, that may also work.

One you have connected, visit to confirm that you are connecting through Tor. You should see the text: “Congratulations. This browser is configured to use Tor.”

4. Download OpenVPN Client

Some VPN providers offer their own client software as an alternative to the standard OpenVPN client. In this scenario, we need to use the standard OpenVPN client.

Using your regular browser, download the 64-bit Microsoft Installer (MSI) for Windows 10 from the OpenVPN website.

Once you have downloaded it, run the .msi installer to install the OpenVPN client on your computer.

At the end, it displays a message to say that there are no connection profiles (i.e. configuration files) yet. This is okay. Just press OK.

5. Download OpenVPN Configuration File

OpenVPN can use either UDP or TCP protocol, but Tor can only handle TCP. For our scenario, we must therefore use TCP.

Choose a location from among those offered by your VPN provider. This will be your exit node after you have passed through Tor.

Download your VPN provider’s configuration file for your chosen location and for protocol TCP. It will have a name that ends in .ovpn.

6. Edit OpenVPN Configuration File

In the windows search box, type notepad. Open the Notepad built-in app. Edit the .ovpn file you just downloaded. We are going to insert a new line that looks like this:

socks-proxy server [port]

This tells the OpenVPN client to connect to the VPN server via a SOCKS5 proxy at address server and port port.

The Tor client that comes with Tor Browser listens on localhost port 9150. Therefore the line you actually insert will be:

socks-proxy 9150

Do File > Save to save the file. Close Notepad.

7. End-to-End Test

If you have not already done so, start Tor Browser, but minimize it. This keeps Tor listening on port 9150.

Find the OpenVPN GUI from the icon in the system tray. Right-click on the icon to bring up the OpenVPN menu.

Select Import file, find your edited .ovpn configuration file, and open it. After the file is imported successfully, click OK.

Again, bring up the OpenVPN menu from the system tray. Now there are more options. Select the menu option Connect to connect to your OpenVPN server.

Enter your username and password for your VPN provider. Check the option to save your password. Click OK.

Open your regular browser and visit You should see the IP address of your provider’s OpenVPN server, not your local client IP address. Your request has reached the OpenVPN server via Tor, using a bridge to reach the Tor network.

8. Note for Linux Clients

As stated in the introduction, this post is for Windows 10 users. If you want to adapt it for Linux, you will need to look at your routing table:

sudo route -n

It may be that starting OpenVPN with the socks-proxy option has caused OpenVPN to add an extra entry for destination This makes sense with an external SOCKS proxy, but not with an internal SOCKS proxy. Therefore you should delete this route:

sudo route del -net gw G.G.G.G netmask

where G.G.G.G is your default gateway.

You also need to tell the routing to reach your Tor entry node outside of the VPN:

sudo route add -net E.E.E.E netmask gw G.G.G.G

where E.E.E.E is your Tor entry node (either a bridge or a guard node) and G.G.G.G is your default gateway. This will only work if your entry node is relatively static.

It should be possible to script these route table changes and invoke them with the OpenVPN route-up option. The corresponding option when taking down the VPN is route-pre-down. Neither of these possibilities has been tested.

9. Get Help and Report Issues

Some avenues to get help and report issues:

Updated 2021-06-19