Confused about TOR over ProtonVPN

This is the last stumbling block in me signing up to ProtonVPN so it would be great to get some clarification.

When you connect your VPN to a TOR server does that mean you are connecting to a TOR entry node when you leave the VPN or are you connecting to a TOR exit node?

The reason I ask is that if you connect to an entry node then ProtonVPN will have no idea what you are browsing using TOR but if it was an exit node then they could possibly find out.

Would it be better when using TOR to forget the VPN entirely and just use the Tor browser or are there significant advantages to using ProtonVPN Tor servers?

Maybe see How to access the Tor network using Proton VPN | Proton VPN

I haven’t used this facility, but the following is my understanding:

does that mean you are connecting to a TOR entry node when you leave the VPN

Yes.

if you connect to an entry node then ProtonVPN will have no idea what you are browsing using TOR

No, that’s not how this facility works. You run a normal browser such as Firefox, connect to ProtonVPN network, select a ProtonVPN Tor-enabled (really onion-enabled) server.

In the browser, you access an URL such as example.com using HTTPS. The request goes through ProtonVPN, and they can see what domain (IP address) you’re accessing. Their Tor-enabled server sends the request out into the onion network. It does the usual hops, gets to an onion exit node. That node sees the request is to a clearnet site, sends the request out into public internet.

Suppose in the browser, you access an URL such as secret.onion using HTTPS. The request goes through ProtonVPN, and (I’m not sure of this part, someone correct me) they can see what domain (IP address) you’re accessing. Their Tor-enabled server sends the request out into the onion network. It does the usual hops, gets to the onion node that hosts that onion domain.

Would it be better when using TOR to forget the VPN entirely and just use the Tor browser or are there significant advantages to using ProtonVPN Tor servers?

Several things here:

  • The special Tor/onion facility in ProtonVPN lets you access onion domains from a normal browser, so that’s an advantage.

  • The special Tor/onion facility in ProtonVPN routes all your traffic through onion network, which is similar to other systems such as Tails or Whonix or nipe or TorghostNG. So it’s sort of a super-VPN.

  • IMO, always run some VPN, whether or not you’re using Tor at the moment. Your system is always doing internet traffic, from updaters and services and such, and you want your IP address protected in that traffic. Use some VPN 24/365. [Note: doesn’t apply if you’re using Tails or Whonix etc.]

  • If you’re using Tor Browser, any VPN, and this ProtonVPN-onion thing, doesn’t really help or hurt. Use a VPN while running Tor Browser, to protect the other traffic, not the Tor Browser traffic. [Note: doesn’t apply if you’re using Tails or Whonix etc.]

  • Tor Browser does things to try to be more secure than a normal browser. It locks down settings, gives you a security-level slider, encourages you to use a standard display size. So using Firefox-to-specialProtonVPNOnionServer-to-onion is not quite the same as using TorBrowser-to-onion.

Instead of connecting directly to an enter node of Tor, you go through the VPN first which works as your enter node.
Your ISP sees you’re connecting to a VPN service and not to a Tor node (enter/exit nodes are public if I’m not mistaken).

So why do ProtonVPN offer Tor servers then if they are not recommended? I’m just confused at this point.