<noinclude>
{{Header}}
</noinclude>{| class="wikitable" style="background-color: #fff;text-align: center"

|-
|
! VPN Installed on the Host OS (outside any virtual machines)
! VPN Installed on {{project_name_gateway_long}}
! VPN Installed on <u>both</u> the Host and {{project_name_gateway_short}}

|-
! All {{project_name_short}} Traffic Routing
| <code>User</code> &rarr; <code>Host</code>'s VPN &rarr; <code>Tor</code> &rarr; <code>Internet</code>
| <code>User</code> &rarr; <code>Gateway</code>'s VPN &rarr; <code>Tor</code> &rarr; <code>Internet</code>
| <code>User</code> &rarr; <code>Host</code>'s VPN &rarr; <code>Gateway</code>'s VPN &rarr; <code>Tor</code> &rarr; <code>Internet</code>

|-
! All Host Traffic Routing
| <code>User</code> &rarr; <code>Host</code>'s VPN &rarr; <code>Internet</code>
| <code>User</code> &rarr; <code>Internet</code>
| <code>User</code> &rarr; <code>Host</code>'s VPN &rarr; <code>Internet</code>
|-

! {{project_name_gateway_short}} Compromise
| Host's VPN Affords Protection
| Nil Protection
| Host's VPN Affords Protection
|-

|}

To decide the best configuration in your circumstances, consider:

* Is it necessary to hide <i>all traffic</i> from the ISP? <ref name=all-traffic>
All traffic generated by the host OS and all applications running on the host. For example, Firefox, NTP, and anything else. This also includes traffic generated by {{project_name_short}}.
</ref> Then install the VPN on the host.
* Should the VPN provider be able to see <i>all traffic</i>? <ref name=all-traffic /> Then install the VPN on the host.
* Should the VPN provider be limited to seeing <i>Tor traffic</i>, but not <i>clearnet traffic</i>? Then install the VPN on {{project_name_gateway_short}}.<noinclude>
{{Footer}}
</noinclude>