A VPN encrypts all your internet traffic and routes it through a private server, while a proxy typically only handles traffic for a specific application (like your web browser) and may or may not encrypt it.

Let’s see this in action. Imagine you’re on a public Wi-Fi network and want to access your bank account.

First, let’s simulate a direct connection (no VPN or proxy).

# On your local machine
curl -v https://www.mybank.com

The verbose output shows a direct TLS handshake with www.mybank.com. Your ISP and anyone snooping on the public Wi-Fi can see that you’re connecting to your bank’s IP address, even though the content of your communication is encrypted by HTTPS.

Now, let’s set up a simple proxy. We’ll use squid as an example, running on a separate server.

Proxy Server Configuration (squid.conf):

http_port 3128
acl localnet src 192.168.1.0/24 # Assuming your local machine is on this subnet
http_access allow localnet
forwarded_for off # Important for privacy
via off

Start squid: sudo systemctl start squid

On your local machine (using the proxy):

# Configure your browser to use proxy 192.168.1.100:3128
# Then run:
curl -v --proxy http://192.168.1.100:3128 https://www.mybank.com

The output will show curl connecting to 192.168.1.100:3128 first and sending a CONNECT request for www.mybank.com:443, after which Squid opens the connection to the bank on your behalf and relays the TLS session. Your ISP and local network snooper only see traffic to the proxy server, not directly to the bank. That traffic is not fully opaque: the proxy is addressed as http://, so the CONNECT request, including the destination hostname, reaches the proxy unencrypted. In addition, if the proxy server itself is compromised, or if the connection between the proxy and the bank isn’t encrypted (which it is in this HTTPS example), your data could be exposed. Crucially, only traffic configured to use the proxy (like this curl command, or your browser settings) is affected. Other applications on your machine would still connect directly.

Finally, let’s consider a VPN. We’ll simulate a VPN connection using openvpn.

VPN Server Configuration (server.conf):

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
# Route all client traffic through the tunnel, not just 10.8.0.0/24
push "redirect-gateway def1"
ifconfig-pool-persist ipp.txt
keepalive 10 60
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

On your local machine (connecting to VPN):

# Assuming you have client.ovpn with necessary certs/keys
sudo openvpn --config client.ovpn

Once connected, your machine gets a new IP address (e.g., 10.8.0.6). Now, all your internet traffic, regardless of the application, is routed through the VPN server.

# On your local machine, AFTER connecting to VPN
curl -v https://www.mybank.com

The curl command will now show it connecting to an IP address within the 10.8.0.0/24 range (your VPN server’s internal IP), and then that server connects to www.mybank.com. Your ISP and local network snooper see encrypted traffic going to your VPN server’s public IP address. They cannot see you’re connecting to your bank, nor the destination IP of the bank. The traffic between your machine and the VPN server is encrypted by the VPN protocol itself (e.g., AES-256-CBC).

The core problem both VPNs and proxies aim to solve is providing a different path for your internet requests, often for privacy, security, or bypassing geo-restrictions. A proxy acts as an intermediary for specific requests, while a VPN creates a secure tunnel for all your device’s traffic.

Think of a proxy like sending a letter to a friend via a P.O. box. The P.O. box receives your letter and forwards it to your friend. Your friend knows the letter came from the P.O. box, but not directly from you. A VPN is more like hiring a private courier to pick up all your mail, put it in a locked briefcase (encryption), drive it to a secure facility (VPN server), and then send it out from there with a new return address. No one along the way can see what’s in the briefcase or where the mail is ultimately going.

The most significant difference in practice, beyond the scope of traffic, is how they handle DNS requests. By default, when you use a proxy, your DNS requests (which translate domain names like www.google.com into IP addresses) are usually still made by your local machine directly to your ISP’s DNS servers. This means your ISP can still see which websites you’re trying to access, even if the actual web traffic is proxied. A VPN, on the other hand, routes your DNS requests through the VPN tunnel as well, so your ISP cannot see your DNS lookups. This is a critical privacy distinction.

This DNS handling is why simply setting a proxy in your browser might not fully anonymize your browsing if your OS or other applications are still making direct DNS requests.
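A leak check for the two claims above (all traffic and all DNS lookups go through the tunnel), added here as an example and not part of the original article. It assumes the tunnel interface is tun0; the route output, the resolver list and 203.0.113.10 (a documentation address standing in for the bank) are constructed samples.

```shell
#!/bin/sh
# Assumption: the OpenVPN "dev tun" interface comes up as tun0 on the client.
TUN_DEV=tun0

# egress_dev: read `ip route get ADDR` output on stdin, print the interface after "dev".
egress_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# nameservers: read resolv.conf text on stdin, print each configured resolver address.
nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Constructed stand-in for `ip route get ADDR` on a client where the VPN carries
# the default route but LAN addresses are still reached directly over Wi-Fi.
sample_route_get() {
    case "$1" in
        192.168.1.*) echo "$1 dev wlan0 src 192.168.1.23 uid 1000" ;;
        *)           echo "$1 via 10.8.0.5 dev tun0 src 10.8.0.6 uid 1000" ;;
    esac
}

# Real lookup for use on a live client.
live_route_get() { ip route get "$1"; }

# leak_report LOOKUP DEST < resolv.conf
# Prints one line for DEST and one per resolver: "ok" if the kernel would send
# packets for that address out of the tunnel, "LEAK" if it would bypass it.
leak_report() {
    lookup=$1
    dest=$2
    for addr in "$dest" $(nameservers); do
        dev=$("$lookup" "$addr" | egress_dev)
        if [ "$dev" = "$TUN_DEV" ]; then
            echo "ok $addr via $dev"
        else
            echo "LEAK $addr via ${dev:-unknown}"
        fi
    done
}

# Constructed resolv.conf: the LAN router is still listed ahead of a resolver
# inside the tunnel subnet, so lookups sent to it never enter the VPN.
SAMPLE_RESOLV='nameserver 192.168.1.1
nameserver 10.8.0.1'

printf '%s\n' "$SAMPLE_RESOLV" | leak_report sample_route_get 203.0.113.10
```

On a live client, run `leak_report live_route_get <bank-ip> < /etc/resolv.conf`. A 127.0.0.53 entry is the systemd-resolved stub, so inspect the upstream servers with `resolvectl status` instead.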

Once you’ve grasped the difference between VPNs and proxies, the next logical step is understanding different VPN protocols and their trade-offs in speed and security.
