Not really. In my view, VPNs (at least the type discussed here) and proxies are complementary:
VPNs are good at encrypting/redirecting all of your device's traffic, since they're per-computer by default. They're accordingly good at preventing metadata leaks (e.g. visited sites or used apps) on untrusted networks.
Proxies are opt-in, but can accordingly be much more fine-grained. For example, Firefox supports per-domain (via various extensions) or per-tab (via the built-in "containers" feature) proxies – VPNs usually can't do that.
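The per-tab (per-container) proxy routing mentioned above, as an added example that is not code from the thread or from any project it links: a minimal Firefox WebExtension background script that maps a container to a SOCKS proxy via the `proxy.onRequest` API. Assumed: a manifest granting the "proxy", "contextualIdentities" and "<all_urls>" permissions, and the container names and ports below, which are constructed placeholders.

```javascript
// Added example: per-container proxy policy for Firefox (not from the thread).
// Proxies keyed by the container *name* the user sees in the Firefox UI.
// Names and ports are constructed placeholders for this example.
const proxiesByContainerName = {
  "Proxied":   { type: "socks", host: "127.0.0.1", port: 1080 },
  "Proxied-2": { type: "socks", host: "127.0.0.1", port: 1081 },
};

// contextualIdentities.query({}) yields objects with `name` and `cookieStoreId`;
// turn the name-keyed policy into the id-keyed table the request listener uses.
function buildTable(identities, byName = proxiesByContainerName) {
  const table = {};
  for (const identity of identities) {
    if (byName[identity.name]) {
      table[identity.cookieStoreId] = byName[identity.name];
    }
  }
  return table;
}

// Pure decision function so the policy can be unit-tested without a browser.
// A request from an unlisted container (or with no container) goes direct,
// which keeps the proxy strictly opt-in per container, as described above.
function proxyForRequest(details, table) {
  const entry = table[details.cookieStoreId];
  if (!entry) {
    return { type: "direct" };
  }
  // proxyDNS: true makes the SOCKS proxy resolve the hostname, so the visited
  // domain is not leaked to the local resolver outside the proxied path.
  return { type: entry.type, host: entry.host, port: entry.port, proxyDNS: true };
}

// Registration; guarded so the file also loads outside the extension runtime.
if (typeof browser !== "undefined" && browser.proxy) {
  let table = {};
  browser.contextualIdentities.query({}).then((ids) => { table = buildTable(ids); });
  browser.proxy.onRequest.addListener(
    (details) => proxyForRequest(details, table),
    { urls: ["<all_urls>"] }
  );
}
```

Note that `table` is filled asynchronously, so requests fired before the query resolves go direct; a production extension would build the table before registering the listener.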
Actually you can with Firefox :-)
https://support.mozilla.org/en-US/kb/protect-your-container-...
Many proxies these days call themselves VPNs for branding reasons.
VPNs can, if they can be routed into via SOCKS or HTTP CONNECT gateways, for example. Generally, VPNs (L2/L3) can stoop to the level of proxies (L4) but not vice versa (at least not as cleanly).
Sure, you can bridge in either direction (using e.g. this [1] excellent WireGuard-to-SOCKS adapter), but in my view, if you have bytestream semantics, you're often better off using a bytestream-oriented proxying protocol (like SOCKS, SSH or HTTP) and vice versa.
These bridges/adapters do have their applications though – I have a home router that supports WireGuard natively, but not any of the higher-level protocols; this lets me use my per-tab approach with it.
[1] https://github.com/pufferffish/wireproxy
Dunno about that. Most work proxies I use just forward the LAN subnet, not reroute all traffic.
Yes, "work" VPNs, site-to-site and many other topologies don't change the default route, but "privacy" VPNs like Mullvad usually do – there is no group of hosts to route traffic for other than simply "the entire internet".
That said, I'm aware of at least one that tries to support an "exempt/excluded hosts" feature, but it does this via some hack using its local DNS resolver and modifying the routing table on the fly, which does not work reliably.
Lucky you. Any companies that have to follow NIST SP 800-171 have to configure their VPNs to reroute all traffic.