Donate
Donate
6 min read|January 9, 2026

What Is Tor? How Onion Routing Works and When to Use It

This guide covers: What Is Tor? How Onion Routing Works and When to Use It.

Tor is a privacy network designed to make it harder to link your browsing activity to your real IP address. Instead of sending traffic directly to the destination, Tor routes it through several relays run by different volunteers around the world. That extra indirection can protect location privacy and reduce straightforward network tracking, but it also changes performance, usability, and risk in ways many people misunderstand.

Illustration of Tor routing traffic through multiple relay nodes

What Tor actually is

Tor stands for The Onion Router. The name comes from the core idea: traffic is wrapped in multiple layers of encryption, then peeled open one layer at a time as it passes through the network. No single relay sees the entire path from you to the destination.

In practice, most people use Tor through the Tor Browser, a hardened Firefox-based browser that is preconfigured to send web traffic through Tor and to reduce common browser fingerprinting mistakes. Tor itself is the network; Tor Browser is the most accessible client for using that network safely.

Tor is not the same thing as a VPN, a proxy list, or the dark web. It is a specific anonymity system with its own relays, directory infrastructure, and client software. Some people use it to reach onion services, but a large share of Tor usage is simply normal web browsing through a privacy-preserving route.

How onion routing works, step by step

A Tor client builds a circuit through the network before sending data. The exact path changes over time, but the normal pattern looks like this:

  1. The client downloads a current directory consensus so it knows which relays are available and trustworthy enough to use.
  2. It chooses a guard relay as the first hop. This relay sees your real IP, but not the final destination.
  3. It chooses one or more middle relays. These relays know only the previous and next hop.
  4. It chooses an exit relay as the last hop. The exit relay connects to the public website or service you requested.
  5. Traffic is encrypted in layers. Each relay removes only the layer it needs in order to forward the packet onward.

The result is a path where the guard knows you but not the site, the exit knows the site but not you, and the middle relay sees only partial routing information. That separation is the reason Tor is useful for anonymity rather than merely IP masking.

What websites see when you use Tor

Most websites see the IP address of the Tor exit node, not your home connection. If you visit an IP checker through Tor, the visible IP will belong to the exit relay's network, often a data center or hosting provider rather than a residential ISP.

You can verify this with a simple command if a local Tor SOCKS proxy is running:

curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/api/ip
curl --socks5-hostname 127.0.0.1:9050 https://ifconfig.me

The first command confirms whether the traffic is reaching the internet through Tor. The second shows the exit IP the destination sees. If you feed that address into our IP Address Lookup, you will usually see hosting-style network ownership rather than your own residential ISP.

Tor relay types and related components

  • Guard relay: the first hop. It sees your source IP, so Tor keeps guard selection relatively stable instead of choosing a brand new first hop for every request.
  • Middle relay: an internal hop that forwards traffic between the guard and the exit. It never sees both endpoints at once.
  • Exit relay: the last hop that connects to the public internet. It is the IP websites usually see.
  • Bridge relay: a relay not publicly listed in the main directory consensus. Bridges help users reach Tor from networks where public relays are blocked.
  • Onion service: a service reachable only through Tor, using an .onion address. Onion services avoid the exit relay entirely because both sides stay inside the Tor network.

Where Tor matters in practice

  • Reducing simple IP-based tracking. If a site logs only the source IP and some headers, Tor makes that log less directly attributable to your home connection.
  • Researching from a separate network identity.Journalists, analysts, and security researchers often want to view a site without attaching the visit to their office or personal network.
  • Bypassing local blocking. When a school, workplace, or national network blocks access to a site, Tor can sometimes route around that block, especially with bridges.
  • Accessing onion services. Some sites publish onion endpoints specifically so users can reach them without the normal public DNS and IP path.
  • Testing detection systems. If you build fraud or abuse defenses, Tor exits are a useful real-world signal class for high-risk network traffic.

Tor is not a magic anonymity switch

The biggest mistake is assuming Tor alone makes you anonymous. Tor changes the network path, but it does not erase everything else that can identify you. If you sign into a personal email account, reuse the same browser profile for work and personal tasks, or upload documents containing your real name, the network anonymity Tor provides can be undone by your own actions.

Tor also does not protect plaintext traffic once it leaves the exit relay. If you visit an old HTTP-only site through Tor, the exit relay can read and modify that traffic. HTTPS remains essential. Tor protects the route; TLS protects the content.

Common pitfalls and edge cases

  • Logging into identifying accounts. If you use Tor and then sign into a long-lived Google, Apple, or social account, the destination still learns it is you. Tor hides the source network, not the account identity.
  • Opening downloads outside Tor Browser. A downloaded PDF or document opened in a native app may fetch remote resources over your normal connection and expose your real IP.
  • Using BitTorrent through Tor. Tor is not built for heavy peer-to-peer traffic. Many clients leak identifying information, and the load harms the volunteer network.
  • Assuming all exits are trustworthy. Exit relays are public by design. You should assume the operator can observe destination metadata and plaintext traffic.
  • Confusing slower browsing with a broken circuit. Tor adds latency because traffic crosses multiple relays, often in multiple countries. Some slowdown is normal.
  • Expecting every website to welcome Tor traffic.Many services challenge, rate-limit, or block Tor exits because abuse and account fraud also come through the same shared relays.

How Tor differs from a VPN

A VPN is usually a single trusted hop. Your ISP sees that you connected to the VPN provider, and the VPN provider sees the destinations you use unless end-to-end HTTPS hides the content. The trust model is simple: you are moving trust from your ISP to the VPN company.

Tor spreads that trust across multiple relays so no single relay normally sees both endpoints. That makes Tor stronger for anonymity against straightforward network observation, but slower and less compatible with mainstream sites. VPNs are usually better for daily streaming, stable logins, and location shifting. Tor is better when the primary goal is decoupling traffic from your normal network identity.

How to verify Tor behavior with practical tools

You do not need to guess what Tor is doing. A few checks make the picture concrete:

  • Run our IP Address Lookup and confirm the visible IP changes away from your ISP.
  • Use ASN Lookup to see whether the exit IP belongs to a hosting ASN or another public network operator.
  • Use Reverse DNS to check whether the exit IP has a relay-style or hosting-style PTR hostname.
  • Run Proxy Check for a signal-based classification of whether the visible IP looks like a proxy or anonymizing network.
  • If the browser also uses WebRTC or custom DNS settings outside Tor Browser, test with WebRTC Leak Test and DNS Leak Test.

Bridges and onion services solve different problems

Two Tor concepts are easy to confuse: bridges and onion services. Bridges help users reach the Tor network when public relays are blocked or monitored. They are still Tor relays, but they are distributed differently so large-scale blocking is harder.

Onion services solve a different problem. Instead of connecting from Tor out to the public internet through an exit relay, an onion service stays inside Tor end to end. That avoids the exit-relay exposure for the final hop and lets a site be reachable without publishing a conventional public origin in the normal DNS/IP model.

In short: bridges help you enter Tor when access is restricted, while onion services help publishers stay inside Tor when they want the whole connection path to avoid the normal public route.

Useful questions to ask before using Tor

Before you reach for Tor, be clear about what problem you are solving. If the goal is "I want Netflix to think I am in another country," Tor is a poor fit. If the goal is "I need to browse without attaching this session to my home IP," Tor may be appropriate. The right privacy tool depends on what signal you are trying to hide, from whom, and at what cost in speed or convenience.

Why the "dark web" reputation does not match what most Tor users do

Press coverage and TV dramas overwhelmingly associate Tor with the dark web, drug markets, and criminal activity. The actual usage breakdown looks very different. Most measured Tor traffic is ordinary public-internet web browsing: people in countries with heavy censorship reaching news sites and social media, journalists researching from a separate network identity, activists organizing in restrictive environments, security researchers studying malware infrastructure, and a long tail of users who simply do not want to attach a particular session to their home IP.

Onion services (the .onionsites that get the "dark web" label) are a small fraction of Tor activity by traffic volume. And of those, many are entirely legitimate: Facebook's onion mirror, the New York Times onion mirror, BBC News onion mirror, SecureDrop instances run by major newsrooms for whistleblower submissions, ProtonMail's onion endpoint. The technology is neutral; the press attention skews toward the worst examples because they make better headlines.

Tor Browser's anti-fingerprinting design

Tor Browser does not just route traffic through Tor. It is a hardened build of Firefox that actively fights browser fingerprinting, because masking your IP is useless if a site can identify you by your fonts, screen resolution, installed extensions, and timezone. The defenses include:

  • Letterboxing: the browser pads the window so your reported viewport size falls into a small set of common buckets rather than a unique pixel-perfect measurement.
  • Standardized user agent: all Tor Browser users send the same browser identification string, so the user-agent header is useless as a fingerprint.
  • Blocked or randomized canvas, WebGL, and audio context APIs: common fingerprinting techniques are either disabled or return randomized values.
  • No third-party cookies, isolated first-party storage: cross-site tracking gets walled off so cookies cannot link your activity across domains.

This is why using Tor through a regular browser (just configuring Firefox or Chrome to use the Tor SOCKS proxy) is much weaker than using Tor Browser itself. The network anonymity is the same, but the browser-level fingerprint will give you away in seconds.

Frequently asked questions

Does Tor hide your IP address? From the destination website, usually yes. The site typically sees the exit relay IP instead of your home IP. Your ISP can still see that you are connecting to Tor unless you use bridges or an additional privacy layer.

Is Tor illegal? In most countries, no. Using Tor is legal. What matters legally is what you do through it, just as with any other network tool.

Can websites detect Tor? Often yes. Tor exit IPs are public, well known, and widely shared in abuse-defense feeds, so many sites can identify them quickly.

Is Tor the same as the dark web? No. Tor is a network and software stack. Some onion services are part of what people call the dark web, but Tor itself is broader than that.

Can Tor protect me if I reveal my identity myself? No. If you log in, upload identifying files, or reuse accounts and habits that point back to you, Tor cannot undo those signals.

Should I use Tor or a VPN? Use Tor when anonymity and route separation matter most. Use a VPN when you need stable daily use, streaming compatibility, and simpler whole-device protection.

Related reading: Proxy vs VPN, How to Protect Your IP Address, and What Is a VPN?. If you want to inspect the visible exit address directly, start with the IP Address Lookup.

Theodore Uzun
By
Founder and Senior Software Engineer, IP Trackers
Published Editorially reviewed

Keep exploring

Proxy/VPN DetectionReverse DNS (PTR) LookupIP & DNS Glossary
PreviousAre Free Proxies Safe? Risks, Red Flags, and Better OptionsNextWhat Is a DNSBL? Email Blacklist Basics and Lookup Checks

Related reading

How to Protect Your IP Address from Tracking12 min read - April 26, 2026How to Hide My IP: VPN, Proxy, Tor, and What Actually Works10 min read - March 4, 2026What Is a Metropolitan Area Network (MAN)?9 min read - April 4, 2026What Is a Computer Network? Types, Components, and How They Work12 min read - April 4, 2026What Is a Local Area Network (LAN)? How LANs Work10 min read - April 4, 2026What Is WiFi? How Wireless Networks Work Explained11 min read - April 4, 2026

Editorial standards: Editorial Policy and Methodology.