All three reroute your traffic through some intermediary so the destination site sees a different IP. From there they diverge sharply: who can see what, what's actually encrypted, and what the failure modes look like.
Quick comparison
| VPN | Proxy (HTTP/SOCKS) | Tor | |
|---|---|---|---|
| Hides your IP from the destination | ✅ | ✅ | ✅ |
| Encrypts all traffic between you and the exit | ✅ | HTTPS proxies yes; HTTP/SOCKS no | ✅ (three hops) |
| Encrypts DNS | If the VPN handles DNS | Rarely | Built-in |
| Hides your VPN/proxy use from your ISP | VPN visible as VPN; data hidden | Visible if HTTP, hidden if HTTPS | Visible as Tor unless bridged |
| Trust required | The VPN operator | The proxy operator | None (in theory) — distributed |
| Typical latency hit | 30–150 ms | 30–100 ms | 500 ms – several seconds |
| Bandwidth | Near line-rate | Near line-rate | Throttled, variable |
| App scope | System-wide | Per-app (usually) | System-wide via Tor Browser or transparent proxy |
VPN — Virtual Private Network
A VPN client builds an encrypted tunnel from your device to a server somewhere else. All your IP traffic — DNS, HTTPS, BitTorrent, video calls — gets wrapped and sent through that tunnel. The destination sees the VPN server's IP, not yours.
What it hides well: the content and destination of your traffic from your ISP and local network. What sites you visit, what apps you run, who you talk to.
What it doesn't hide: the fact that you're using a VPN (the connection to the VPN endpoint is a single visible TLS/UDP flow), your identity from the VPN operator itself, and anything you log into. Your bank still knows you're you.
Failure modes:
- DNS leak — the OS asks the wrong resolver, exposing what you're looking up to your ISP. Test for DNS leaks here.
- WebRTC leak — the browser exposes your real IP via the peer-connection ICE protocol. Test for WebRTC leaks here.
- The VPN operator can see everything you'd otherwise show your ISP. You're moving the trust, not eliminating it.
Proxy
A proxy is a server that relays traffic on your behalf. Variants:
- HTTP proxy — only handles HTTP/HTTPS. Per-app config. CONNECT-method proxies pass HTTPS through transparently; plain HTTP can be inspected.
- HTTPS proxy — proxy is itself reached over TLS, so the connection between you and the proxy is encrypted. Hides the destination from your ISP.
- SOCKS proxy — generic TCP (and SOCKS5: UDP) relay. App-level, but covers more protocols than HTTP-only.
- Residential / mobile proxy — proxies hosted on consumer ISPs to bypass rate-limiting and geo-blocks. Usually paid; the legitimacy of the underlying IPs is often dubious.
What it hides: your IP from the destination. Optionally, traffic content if the proxy is HTTPS.
What it doesn't hide: typically DNS is handled outside the proxy, so your ISP still sees the lookups. Per-app config means you forget about it for some app and leak.
Tor
Tor is a volunteer-run network of ~7,000 relays. Your traffic enters at a "guard," bounces through a middle relay, and exits at a third — and each hop only knows its immediate neighbour. The destination sees the exit-node IP; the exit only knows the previous hop's IP. No single relay knows both who you are and where you're going.
Tor Browser bundles Firefox-Tor + sane anti-fingerprinting defaults. Don't roll your own: the second you use it like a regular browser, you've defeated most of the protection.
What it hides well: the link between you and the destination, from everyone — your ISP, the relays, the destination. As long as you don't log into anything, you're a stranger.
What it doesn't hide: the fact that you're using Tor (your ISP sees a TLS connection to a known Tor IP unless you use a "bridge"). Exit-node operators can see plain HTTP traffic. End-to-end TLS still matters.
Failure modes: traffic analysis if an adversary controls enough of the network or watches both ends. Bad exit nodes that MITM HTTP. User error (logging into a real account through Tor links the session back to you).
Which one for which job?
- Hide your traffic from your ISP / coffee-shop Wi-Fi: VPN. Cheapest path to "everything's encrypted between me and somewhere else."
- Bypass geo-restriction: VPN with an exit in the right country. Many streaming services actively block known VPN IP ranges, so YMMV.
- Bypass rate-limit / anti-bot on a single API: rotating proxy pool. Avoid residential proxies on ethical grounds unless you understand where the IPs come from.
- Real anonymity — research, whistleblowing, threatened journalism: Tor Browser. Anything less leaves you trusting an operator.
- Hide BitTorrent activity: VPN with a "no logs" reputation and a kill-switch. Tor exits forbid BitTorrent and you'd kill the network for everyone else.
- Self-host something reachable from outside without a public IP: not a job for any of these — see port forwarding or reverse-tunnel solutions.
Whichever you pick: test for DNS leaks and WebRTC leaks after you set it up. The default failure mode for all three technologies is "it's running but silently bleeding your real IP."