Comment by lxgr
3 years ago
Not really. In my view, VPNs (at least the type discussed here) and proxies are complementary:
VPNs are good at encrypting/redirecting all of your device's traffic, since they're per-computer by default. They're accordingly good at preventing metadata leaks (e.g. visited sites or used apps) on untrusted networks.
Proxies are opt-in, but can accordingly be much more fine-grained. For example, Firefox supports per-domain (via various extensions) or per-tab (via the built-in "containers" feature) proxies – VPNs usually can't do that.
Actually you can with Firefox :-)
https://support.mozilla.org/en-US/kb/protect-your-container-...
Many proxies these days call themselves VPNs for branding reasons.
I am not 100% sure, but Firefox VPN is an actual VPN based on Mullvad. On the main product page[1], it says it is built with WireGuard, which is VPN software.
[1]: https://www.mozilla.org/fr/products/vpn/
VPNs can, if they can be routed into via SOCKS or HTTP CONNECT gateways, for example. Generally, VPNs (L2/L3) can stoop to the level of proxies (L4), but not vice versa (at least not as cleanly).
Sure, you can bridge in either direction (using e.g. this [1] excellent WireGuard-to-SOCKS adapter), but in my view, if you have bytestream semantics, you're often better off using a bytestream-oriented proxying protocol (like SOCKS, SSH or HTTP), and vice versa.
These bridges/adapters do have their applications, though – I have a home router that supports WireGuard natively, but not any of the higher-level protocols; this lets me use my per-tab approach with it.
[1] https://github.com/pufferffish/wireproxy
I don't really get the value proposition of wireproxy. Especially since it seems not to be complete yet.
It is trivial to run a SOCKS proxy on one of the peers and have your browser point to that. Both Chrome and Firefox can do this on demand and for the sites you select.
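The "opt-in, per-domain" proxying that the earlier comment attributes to proxies, and the "for the sites you select" setup the comment above describes, can both be done without any extension via a PAC (proxy auto-config) script, which Firefox and Chrome evaluate for every request. The following is an added example, not code from the thread or from any of the projects mentioned in it. It assumes a hypothetical SOCKS5 listener on 127.0.0.1:1080 whose exit is on the far side of the tunnel (for instance `ssh -D 1080 peer`, or a WireGuard-to-SOCKS bridge); the domain list is constructed for the example.

```javascript
// Added example, not code from the thread: a PAC (proxy auto-config) script.
// Firefox and Chrome call FindProxyForURL(url, host) for every request and
// send it wherever the returned string says, which is what makes a proxy
// "opt-in" and per-domain in a way a default-route VPN is not.
//
// Assumed setup (hypothetical): a SOCKS5 listener on 127.0.0.1:1080 that
// exits on the far side of the tunnel (e.g. `ssh -D 1080 peer`, or a
// WireGuard-to-SOCKS bridge). The domain list is constructed for the example.

var TUNNEL = "SOCKS5 127.0.0.1:1080";
var DIRECT = "DIRECT";

// Only these domains (and their subdomains) are sent through the tunnel.
var TUNNELLED_DOMAINS = ["example.com", "intranet.example.net"];

// True if host equals name or is a subdomain of it (case-insensitive).
function matchesDomain(host, name) {
  host = host.toLowerCase();
  name = name.toLowerCase();
  return host === name || host.slice(-(name.length + 1)) === "." + name;
}

// True for dotted-quad addresses in loopback or RFC 1918 space. Written out
// by hand rather than with the PAC built-in isInNet() so the script also
// runs (and can be tested) outside a browser.
function isLocalAddress(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  // Single-label names (router, printer) and local/loopback addresses never
  // make sense on the far side of the tunnel.
  if (host.indexOf(".") === -1 || isLocalAddress(host)) return DIRECT;

  for (var i = 0; i < TUNNELLED_DOMAINS.length; i++) {
    if (matchesDomain(host, TUNNELLED_DOMAINS[i])) {
      // Deliberately no "; DIRECT" fallback: if the proxy is down the request
      // fails instead of silently leaving the tunnel.
      return TUNNEL;
    }
  }
  return DIRECT;
}
```

Point Firefox at the file via "Automatic proxy configuration URL" (a file:// URL works) and enable "Proxy DNS when using SOCKS v5", otherwise the tunnelled hostnames are still resolved by the local resolver and leak on the untrusted network. The absence of a `; DIRECT` fallback on the tunnel branch is intentional: a PAC that falls back to DIRECT turns a proxy outage into a silent leak.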
Dunno about that. Most work proxies I use just forward the LAN subnet, not reroute all traffic.
Yes, "work" VPNs, site-to-site and many other topologies don't change the default route, but "privacy" VPNs like Mullvad usually do – there is no group of hosts to route traffic for other than simply "the entire internet".
That said, I'm aware of at least one that tries to support an "exempt/excluded hosts" feature, but it does this via some hack using its local DNS resolver and modifying the routing table on the fly, which does not work reliably.
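The difference the two comments above describe comes down to which routes the VPN installs: a "privacy" VPN replaces the default route (0.0.0.0/0), a site-to-site one only adds the remote subnet, and an "excluded host" on a full tunnel can only be expressed as a more-specific route that wins longest-prefix match. The following is an added example, not code from the thread or from any VPN product; it implements longest-prefix-match lookup over two constructed IPv4 routing tables, with interface names and addresses made up for the illustration.

```javascript
// Added example, not from the thread: longest-prefix-match route lookup over
// constructed IPv4 routing tables. It shows the difference between a
// "privacy" VPN that takes over the default route and a "work"/site-to-site
// VPN that only adds the remote subnet, and why an "excluded host" on a
// full-tunnel VPN has to be a more-specific route. Interface names and
// addresses are made up for the example.

function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function parseCidr(cidr) {
  const [addr, lenStr] = cidr.split("/");
  const len = Number(lenStr);
  if (!Number.isInteger(len) || len < 0 || len > 32) throw new Error("bad prefix length: " + cidr);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return { net: (ipToInt(addr) & mask) >>> 0, mask, len };
}

// Return the interface of the most specific matching route, or null if none.
function lookup(table, ip) {
  const a = ipToInt(ip);
  let best = null;
  for (const route of table) {
    const p = parseCidr(route.prefix);
    if (((a & p.mask) >>> 0) === p.net && (best === null || p.len > best.len)) {
      best = { len: p.len, via: route.via };
    }
  }
  return best ? best.via : null;
}

// Full tunnel ("privacy" VPN): everything goes to wg0 unless a more specific
// route says otherwise.
const fullTunnel = [
  { prefix: "0.0.0.0/0", via: "wg0" },
  { prefix: "192.168.1.0/24", via: "eth0" }, // the local LAN
  { prefix: "203.0.113.7/32", via: "eth0" }, // the VPN server's own endpoint
];

// Split tunnel ("work" VPN): default route untouched, only the office subnet
// goes through wg0.
const splitTunnel = [
  { prefix: "0.0.0.0/0", via: "eth0" },
  { prefix: "10.20.0.0/16", via: "wg0" },
];

// "Excluded host" on a full tunnel: add a /32 that wins longest-prefix match.
// It covers exactly one address, so if the host's name resolves to several
// addresses or changes over time, later connections fall back into wg0.
function withExclusion(table, ip, via) {
  return table.concat([{ prefix: ip + "/32", via }]);
}

// Stand-alone demonstration.
console.log("full tunnel, public host  ->", lookup(fullTunnel, "93.184.216.34"));
console.log("full tunnel, LAN host     ->", lookup(fullTunnel, "192.168.1.20"));
console.log("split tunnel, public host ->", lookup(splitTunnel, "93.184.216.34"));
console.log("split tunnel, office host ->", lookup(splitTunnel, "10.20.5.5"));
const excluded = withExclusion(fullTunnel, "198.51.100.9", "eth0");
console.log("excluded host             ->", lookup(excluded, "198.51.100.9"));
console.log("neighbour of excluded     ->", lookup(excluded, "198.51.100.10"));
```

The last two lines are the point of the example: the exclusion applies to one address only, which is why an exclusion list driven by live DNS answers is inherently racy.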
Lucky you. Any companies that have to follow NIST SP 800-171 have to configure their VPNs to reroute all traffic.
Interesting! Is that actually the letter of the specification, or a common/industry-standard interpretation? I hate VPN setups like that; it often makes videoconferencing, browsing of non-corp sites etc. unnecessarily slow.