Wednesday, October 14, 2020

VPN Security, and Tor: Fact and Fiction.

I would say to be aware of a few things. First is that Tor is good enough: if you follow a few rules, you don't need to add a VPN.

VPN:
VPNs slow down an already slow Tor, and a VPN does not protect you at all from being tracked, even if you paid all cash, despite what others may say. A VPN creates an encrypted tunnel from point A to point B and prevents eavesdropping, and it is relatively fast because there are no layers of encryption being applied at each server as with Tor. This is great for logging onto an untrusted and maybe not very secure hotspot and tunneling your traffic to another region on earth, only to dump out your searches and browsing traffic at that location. Note that even if you paid all cash for the service, it does not protect the source IP of the traffic at all. When looking at the data in Wireshark you can see the source and destination IP no matter what. The VPN (if any hiding goes on) only wraps your data with their IP while in their data center, but once that traffic re-emerges on the internet it is viewable by anyone with a copy of Wireshark. It is true that your geographical location will change, because the traffic is spilling out onto the internet from their VPN server hosted in the target location.

In other words, you don't need to pay cash for your VPN. It is only good for stopping locals at the coffee shop from intercepting the data of where you are going, or for tunneling past your ISP and preventing DPI from identifying what type of traffic it is and maybe censoring your access or conducting other types of molestation, and is therefore not worth going through all the trouble to pay cash. In no way does it hide the "Source" and "Destination" IP found in the Network Layer (OSI layer 3) from a protocol analyser like Wireshark. Once it leaves the VPN datacenter you are visible...period...or you would never get a response from anyone on the internet, obviously. Even finding a "bulletproof" VPN provider that does not perform logging is not enough on a forensic level; you will still be identified.

Tor:
Tor is also a VPN, but it can reach websites hosted within the Tor node network that only other users of Tor have access to. If you were to leave the Tor network and, say, go to a non-Tor-hosted website, you would again be visible at, let's say, Google, although your connection with Google would be encrypted. That means your conversation with Google would be visible only to Google, but your source IP at Google would be visible to Google employees, the same problem as a regular VPN.

Tor has servers set up in geographical locations that are spaced apart and defined by a "boundary". If your traffic goes into a Tor server and does not cross this "boundary", it will be traceable to the original source, as it was never re-encrypted by another server (which is what gives you that sweet, sweet privacy). That said, you need to be aware that if you are in California and browse to a site in Texas, your traffic may not have crossed the "boundary" and was never re-encrypted, thus leaving the source IP visible to others on that server or while in transit. You MUST cross a boundary when selecting a "circuit" or you will be subject to immediate identification. Be sure to set up Tor carefully to select a "circuit" to which this applies. Most recent versions of Tor are attempting to correct this and you may not have to set this up manually anymore, but be aware of it with older versions, as they are ALL subject to this flaw.

You may only expect to remain invisible on the web if you stay within the Tor routing network, have forced a boundary to be crossed while selecting a circuit, and have no other programs or plugins attached to the browser or accessing the internet on other ports. If you had LastPass running, for example, and at some point it requested an update from the server on another port, this may expose your IP outside the Tor circuit, as Tor VPNs typically do not "wrap" the entire network stack in Linux or Windows and only cover the common web access ports 80 and 443. This means that if LastPass updates on port "1337" you will be immediately identified. Stay inside the Tor network, cross a geographical server boundary, and do not use plugins.

Despite all of this, even if you are dutifully vigilant in your practice, if you are a regular at "foo.com" there is still screen and OS fingerprinting that can be used to follow you around inside the Tor routing system. Unlikely, but true. Stay on the move and don't fall into using TAILS (or whatever) at your "favorite" spot, keep the default screen size, stay inside Tor exclusively, etc.
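One way to check a machine for the kind of out-of-Tor connection described above is to list established TCP connections and flag any that leave the host from a process other than Tor. This is an added example, not part of the original post; the `ss -tnp` sample is constructed, and the process names (`tor`, `updater`) are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ss -tnp` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      127.0.0.1:51514      127.0.0.1:9150      users:(("firefox",pid=2101,fd=88))
ESTAB  0      0      192.0.2.10:44321     198.51.100.7:443    users:(("tor",pid=812,fd=9))
ESTAB  0      0      192.0.2.10:50022     203.0.113.25:1337   users:(("updater",pid=3310,fd=14))
ESTAB  0      0      [::1]:40100          [::1]:9050          users:(("curl",pid=3400,fd=5))
"""

TOR_PROCESS_NAMES = {"tor"}  # assumption: name of the Tor daemon process
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def find_leaks(ss_output):
    """Return (process, peer_ip, peer_port) for each established TCP
    connection that leaves the host and is not owned by Tor."""
    leaks = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header line or a socket that is not established
        peer_ip, peer_port = split_endpoint(fields[4])
        if peer_ip.is_loopback:
            continue  # local hop, e.g. an application talking to Tor's proxy port
        match = PROC_RE.search(line)
        process = match.group(1) if match else "unknown"
        if process not in TOR_PROCESS_NAMES:
            leaks.append((process, str(peer_ip), peer_port))
    return leaks


if __name__ == "__main__":
    for process, ip, port in find_leaks(SAMPLE_SS):
        print(f"outside Tor: {process} -> {ip}:{port}")
```

On a live Linux host the same function can be fed the output of `ss -tnp`, run as root so that process names are shown for every socket.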

Remember that site "B", no matter who it is, will be the endpoint that CAN see you, even if they aren't telling on you, because they are hosting the content... You've been warned educated.

P.S. Let me add one more final thought: be aware that if a server in or out of the Tor network has been seized (Silk Road), or the server's Master Certificate Key was otherwise obtained (hackers), this key can be used to decrypt all previous conversations with that server, with the exception of those protected by Perfect Forward Secrecy. PFS is an encryption standard in which each session with the server is re-keyed with a new key (short version). So if anyone were to get the key, they could only see that one session and NOT everything in the past from that IP. Look for PFS in the site's certificate details when accessing a site you want privacy from, and be aware that a "Gag" order may prevent you from knowing you are currently under surveillance...
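Forward secrecy is a property of the key exchange negotiated for the connection, which browsers display alongside the certificate details. The following added example (not from the original post) classifies a negotiated cipher suite by whether its key exchange is ephemeral; the suite list is constructed sample data, and `negotiated_suite` needs network access, so it is defined but not called here.

```python
import socket
import ssl

# Constructed sample of (cipher suite name, protocol version) pairs.
SAMPLE_SUITES = [
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
    ("DHE-RSA-AES256-SHA", "TLSv1.2"),
    ("AES128-GCM-SHA256", "TLSv1.2"),        # static RSA key exchange
    ("ECDH-RSA-AES128-SHA", "TLSv1.2"),      # static ECDH, not ephemeral
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3"),
    ("TLS_RSA_WITH_AES_128_CBC_SHA", "TLSv1.2"),
]


def key_exchange_is_ephemeral(cipher_name, protocol):
    """True if the suite uses an ephemeral (EC)DHE key exchange."""
    if protocol == "TLSv1.3":
        # TLS 1.3 removed static RSA key exchange; certificate-authenticated
        # handshakes always use (EC)DHE.
        return True
    # Accept both OpenSSL names (ECDHE-RSA-...) and IANA names (TLS_ECDHE_RSA_WITH_...).
    tokens = cipher_name.upper().replace("_", "-").split("-")
    return any(t in ("ECDHE", "DHE", "EDH") for t in tokens)


def lacking_forward_secrecy(suites):
    """Return the names of suites whose key exchange is not ephemeral."""
    return [name for name, proto in suites
            if not key_exchange_is_ephemeral(name, proto)]


def negotiated_suite(host, port=443, timeout=5.0):
    """Connect to host and return (cipher_name, protocol) actually negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()[0], tls.version()


if __name__ == "__main__":
    for name in lacking_forward_secrecy(SAMPLE_SUITES):
        print("no forward secrecy:", name)
```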
