Explainer · privacy

VPN vs proxy vs Tor

All three reroute your traffic so the destination sees a different IP — but they diverge sharply on what they encrypt, who they hide from, and where they fail. Here is the comparison and the threat model each one actually fits.

The one-line summary

A VPN encrypts everything between you and one trusted server. A proxy relays traffic for specific apps through one server, sometimes encrypted. Tor routes traffic through three volunteer relays so no single one knows both who you are and where you're going. The choice depends entirely on what you're trying to defeat.

Quick comparison

| | VPN | Proxy (HTTP / SOCKS) | Tor |
|---|---|---|---|
| Hides your IP from the destination | Yes | Yes | Yes |
| Encrypts you-to-exit traffic | Yes | HTTPS proxies yes; HTTP/SOCKS no by default | Yes, layered three times |
| Encrypts DNS | If the client handles DNS | Rarely | Built-in via Tor Browser |
| Hides VPN/proxy/Tor use from your ISP | Use is visible; data isn't | HTTP visible, HTTPS partial | Visible unless using a bridge |
| Trust required | The VPN operator | The proxy operator | None in theory (distributed) |
| Typical latency hit | 30–150 ms | 30–100 ms | 500 ms – several seconds |
| Bandwidth | Near line-rate | Near line-rate | Throttled, variable |
| App scope | System-wide | Per-app (usually) | System-wide via Tor Browser |

VPN — Virtual Private Network

A VPN client builds an encrypted tunnel from your device to a server somewhere else. All your IP traffic — DNS, HTTPS, video calls, BitTorrent, gaming — is wrapped in that tunnel and sent to the VPN's exit. The destination sees the VPN exit's IP, not yours. The protocols are mostly WireGuard (modern, fast, ~4,000 lines of code) and OpenVPN (older, more widely deployed, more configurable but slower).

What a VPN hides well: the content and destinations of your traffic from your ISP and any other on-path network operator. Coffee-shop Wi-Fi cannot see which sites you visit. Your ISP cannot build a profile from your DNS queries. Your government cannot trivially correlate your traffic to which services you use.

What a VPN doesn't hide: the fact that you're using a VPN — there's a single visible TLS or UDP flow from your IP to a known VPN IP, and it's heavy. Your identity from the VPN operator, who now sees everything your ISP used to see. Anything you log into — your bank still knows you're you, the VPN just changed which IP your login came from.

Common failure modes:

Proxy

A proxy is a server that relays traffic on your behalf. The common varieties:

What a proxy hides: your IP from the destination, and (with HTTPS or SOCKS-over-TLS) the content from your ISP.

What it doesn't hide: apps you didn't configure to use the proxy leak directly. DNS is usually still handled outside the proxy, so your ISP sees the lookups even when the connections themselves go through the relay. Per-app configuration is fragile — forget about one app and you leak.

Tor

Tor is a volunteer-run network of ~7,000 relays. Your traffic enters the network at a "guard" node, bounces through a middle node, and exits at a third — each hop knows only its immediate neighbor's IP. The destination sees the exit-node IP; the exit only knows the middle node; the middle only knows the guard; the guard only knows you. No single relay can correlate "who you are" with "where you're going." The cryptographic layers stack: each hop peels off one envelope.
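The layering described above, as an added example that is not part of the original page and is not Tor's real cell format or cryptography. It wraps a payload in three layers and records what each relay can observe; the relay names, keys, destination and payload are constructed, and the XOR keystream is a stand-in for the real per-hop ciphers.

```python
import hashlib
import json

def toy_stream_xor(key: bytes, data: bytes) -> bytes:
    """XOR with a SHAKE-256 keystream. Illustration only, not a secure cipher."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(route, destination: str, payload: str) -> bytes:
    """Client side: build the onion innermost layer first (exit, middle, guard)."""
    next_hop, blob = destination, payload.encode()
    for name, key in reversed(route):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = toy_stream_xor(key, layer)
        next_hop = name
    return blob

def peel(key: bytes, blob: bytes):
    """Relay side: remove one layer, learning only the next hop."""
    layer = json.loads(toy_stream_xor(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def relay_views(route, client: str, blob: bytes):
    """Walk the circuit and record what each relay can observe."""
    views, previous = [], client
    for name, key in route:
        next_hop, blob = peel(key, blob)
        views.append({"relay": name, "sees_from": previous, "sends_to": next_hop})
        previous = name
    # After the last layer the exit holds the payload as the application sent
    # it, which is why end-to-end TLS to the destination still matters.
    return views, blob

# Constructed circuit: (relay name, key the client shares with that relay).
ROUTE = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]

if __name__ == "__main__":
    onion = wrap(ROUTE, "example.org:443", "hello")
    views, delivered = relay_views(ROUTE, "client", onion)
    for view in views:
        print(view)
    print("exit delivers:", delivered)
```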

The Tor Browser bundles a hardened Firefox configuration with anti-fingerprinting defaults, the Tor proxy itself, and sensible privacy-preserving settings. Don't roll your own with a SOCKS proxy and your regular browser — the moment you use it like a normal browser, fingerprinting and login leakage defeat most of the protection.

What Tor hides well: the link between you and the destination, from everyone — your ISP, the relays, the destination — as long as you don't log into anything that ties back to your real identity. You become an anonymous user of the destination service, indistinguishable from the population of all Tor users.

What Tor doesn't hide: the fact that you're using Tor (your ISP sees a TLS connection to a known Tor IP unless you use a "bridge" — an unlisted entry point — to obscure the entry). Exit-node operators can see plain HTTP traffic that traverses them, so end-to-end TLS still matters (and is the default for most modern sites). And Tor cannot protect you from yourself — if you log into a real account, the session is identified regardless of the network path.

Failure modes: traffic analysis if an adversary controls enough of the network or watches both ends of a connection simultaneously. Bad exit nodes that MITM unencrypted HTTP. User error in the form of "using Tor like a regular browser" — leaking via WebRTC if WebRTC isn't disabled, leaking via plugins, leaking by signing into Gmail through the same browser profile.

Which one for which job?

Test after you set up — every time

The default failure mode for all three technologies is "it's running but silently bleeding your real IP through some channel you didn't think to check." After every install and every configuration change, run:
