VPN and Tor are based on client - server model.
They form a network where there are large number of nodes capable of communication in one direction (clients) and a small number of nodes capable of communicating in 2 directions (servers).
The vulnerable points in this model are the small number of 2 directional nodes. Some VPN and all Tor services rely on volunteer 2 dir. node providers.
Some of these nodes may be government run which allows tracing of activity…