The one-line summary
A VPN encrypts everything between you and one trusted server. A proxy relays traffic for specific apps through one server, sometimes encrypted. Tor routes traffic through three volunteer relays so no single one knows both who you are and where you're going. The choice depends entirely on what you're trying to defeat.
Quick comparison
| | VPN | Proxy (HTTP / SOCKS) | Tor |
|---|---|---|---|
| Hides your IP from the destination | Yes | Yes | Yes |
| Encrypts you-to-exit traffic | Yes | HTTPS proxies yes; HTTP/SOCKS no by default | Yes, layered three times |
| Encrypts DNS | If the client handles DNS | Rarely | Built-in via Tor Browser |
| Hides VPN/proxy/Tor use from your ISP | Use is visible; data isn't | HTTP visible, HTTPS partial | Visible unless using a bridge |
| Trust required | The VPN operator | The proxy operator | None in theory (distributed) |
| Typical latency hit | 30–150 ms | 30–100 ms | 500 ms – several seconds |
| Bandwidth | Near line-rate | Near line-rate | Throttled, variable |
| App scope | System-wide | Per-app (usually) | System-wide via Tor Browser |
VPN — Virtual Private Network
A VPN client builds an encrypted tunnel from your device to a server somewhere else. All your IP traffic — DNS, HTTPS, video calls, BitTorrent, gaming — is wrapped in that tunnel and sent to the VPN's exit. The destination sees the VPN exit's IP, not yours. The protocols are mostly WireGuard (modern, fast, ~4,000 lines of code) and OpenVPN (older, more widely deployed, more configurable but slower).
What a VPN hides well: the content and destinations of your traffic from your ISP and any other on-path network operator. Coffee-shop Wi-Fi cannot see which sites you visit. Your ISP cannot build a profile from your DNS queries. Your government cannot trivially correlate your traffic to which services you use.
What a VPN doesn't hide: the fact that you're using a VPN (there's a single visible, high-volume TLS or UDP flow from your IP to a known VPN IP); your identity from the VPN operator, who now sees everything your ISP used to see; and anything you log into: your bank still knows you're you, and the VPN just changed which IP your login came from.
Common failure modes:
- DNS leaks — the OS asks the wrong resolver, exposing what you're looking up to your ISP even though the rest of the traffic is tunneled. Check with the DNS leak test.
- WebRTC leaks — the browser exposes your real IP via ICE candidate gathering in peer connections. Check with the WebRTC leak test.
- IPv6 leaks — many VPNs only carry IPv4 traffic. If your connection is dual-stack, v6 traffic bypasses the tunnel entirely.
- Trust failures — the VPN operator can see everything your ISP used to see, so picking a provider with a clean track record on log policies and government requests matters a lot.
Proxy
A proxy is a server that relays traffic on your behalf. The common varieties:
- HTTP proxy. Handles only HTTP and HTTPS. Per-app configuration — you tell your browser or curl about it; everything else ignores it. CONNECT-method proxies pass HTTPS through transparently, so the proxy can't read the contents; plain HTTP traffic, in contrast, can be inspected and even modified.
- HTTPS proxy. The connection between you and the proxy is itself TLS-protected. Hides destination hostnames from your ISP (because the SNI of your requests to the proxy is the proxy's own hostname, not the destination's). Useful in school or corporate networks that block direct access to the public internet.
- SOCKS proxy. Generic TCP relay (SOCKS5 also relays UDP). App-level configuration, but covers protocols other than HTTP — IRC, SSH tunneling, arbitrary client/server tools. Popular as a Tor entry point or to chain through an SSH gateway.
- Residential / mobile proxies. Commercial networks of proxies hosted on real consumer ISPs and mobile carriers, sold by the GB to anyone who wants to look like a "real person" to bot-detection systems. The legitimacy of how the underlying endpoint network is sourced varies — see the FAQ.
What a proxy hides: your IP from the destination, and (with HTTPS or SOCKS-over-TLS) the content from your ISP.
What it doesn't hide: apps you didn't configure to use the proxy leak directly. DNS is usually still handled outside the proxy, so your ISP sees the lookups even when the connections themselves go through the relay. Per-app configuration is fragile — forget about one app and you leak.
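Why DNS ends up outside a SOCKS proxy is visible in the SOCKS5 CONNECT request itself (RFC 1928): the client either resolves the name first and sends an IP, or sends the name and lets the proxy resolve it. In curl this is the difference between the `socks5://` and `socks5h://` proxy schemes. The following is an added example, not code from the original page; `fake_lookup` and the address 192.0.2.10 are constructed stand-ins.

```python
import ipaddress
import struct

def build_connect(host, port, resolve_locally, local_lookup=None):
    """Build a SOCKS5 CONNECT request (RFC 1928, section 4)."""
    if resolve_locally:
        # The client resolves first: that DNS query travels outside the proxy.
        ip = ipaddress.ip_address(local_lookup(host))
        atyp, addr = (1 if ip.version == 4 else 4), ip.packed
    else:
        # ATYP 3: send the name itself; the proxy performs the lookup.
        name = host.encode("idna")
        atyp, addr = 3, bytes([len(name)]) + name
    return bytes([5, 1, 0, atyp]) + addr + struct.pack("!H", port)

def parse_connect(req):
    """Decode a CONNECT request and report which side resolved the name."""
    ver, cmd, _rsv, atyp = req[:4]
    if ver != 5 or cmd != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == 3:
        n = req[4]
        dest, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    elif atyp in (1, 4):
        size = 4 if atyp == 1 else 16
        dest, rest = str(ipaddress.ip_address(req[4:4 + size])), req[4 + size:]
    else:
        raise ValueError("unknown address type")
    (port,) = struct.unpack("!H", rest)
    return {"dest": dest, "port": port,
            "resolved_by": "proxy" if atyp == 3 else "client"}

def demo():
    seen_by_local_resolver = []      # stands in for what the ISP's resolver observes
    def fake_lookup(name):           # hypothetical resolver returning a constructed IP
        seen_by_local_resolver.append(name)
        return "192.0.2.10"
    leaky = build_connect("example.org", 443, True, fake_lookup)
    safe = build_connect("example.org", 443, False)
    return parse_connect(leaky), parse_connect(safe), seen_by_local_resolver

if __name__ == "__main__":
    for item in demo():
        print(item)
```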
Tor
Tor is a volunteer-run network of ~7,000 relays. Your traffic enters the network at a "guard" node, bounces through a middle node, and exits at a third — each hop knows only its immediate neighbor's IP. The destination sees the exit-node IP; the exit only knows the middle node; the middle only knows the guard; the guard only knows you. No single relay can correlate "who you are" with "where you're going." The cryptographic layers stack: each hop peels off one envelope.
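The layering described above can be traced in a small model. This is an added example, not Tor's code or cell format: the cipher is a SHA-256 keystream stand-in, the per-relay keys are a constructed dictionary (real Tor negotiates a key with each hop), and the relay names are hypothetical.

```python
import hashlib
import json

def _xor_stream(key, data):
    # Illustration-only cipher: SHA-256 counter keystream XORed with the data.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, keys, destination, payload):
    """Client side: build the onion from the innermost (exit) layer outward."""
    next_hops = path[1:] + [destination]
    blob = payload
    for relay, nxt in reversed(list(zip(path, next_hops))):
        # Each layer names only the next hop and carries the inner blob.
        layer = json.dumps({"next": nxt, "data": blob.hex()}).encode()
        blob = _xor_stream(keys[relay], layer)
    return blob

def relay_peel(relay, keys, blob):
    """Relay side: remove one layer, learning only where to forward."""
    layer = json.loads(_xor_stream(keys[relay], blob))
    return layer["next"], bytes.fromhex(layer["data"])

def route(client, path, keys, blob):
    """Walk the circuit and record what each relay is able to observe."""
    seen, prev = {}, client
    for relay in path:
        nxt, blob = relay_peel(relay, keys, blob)
        seen[relay] = {"from": prev, "to": nxt}
        prev = relay
    return seen, blob

# Constructed circuit and keys for the demonstration.
PATH = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in PATH}

def demo():
    onion = wrap(PATH, KEYS, "destination.example", b"GET / HTTP/1.1")
    return route("client-ip", PATH, KEYS, onion)

if __name__ == "__main__":
    views, delivered = demo()
    print(views, delivered)
```

Only the guard's view contains the client and only the exit's view contains the destination; the exit also holds the payload in the clear, which is why end-to-end TLS still matters.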
The Tor Browser bundles a hardened Firefox configuration with anti-fingerprinting defaults, the Tor proxy itself, and sensible privacy-preserving settings. Don't roll your own with a SOCKS proxy and your regular browser — the moment you use it like a normal browser, fingerprinting and login leakage defeat most of the protection.
What Tor hides well: the link between you and the destination, from everyone — your ISP, the relays, the destination — as long as you don't log into anything that ties back to your real identity. You become an anonymous user of the destination service, indistinguishable from the population of all Tor users.
What Tor doesn't hide: the fact that you're using Tor (your ISP sees a TLS connection to a known Tor IP unless you use a "bridge" — an unlisted entry point — to obscure the entry). Exit-node operators can see plain HTTP traffic that traverses them, so end-to-end TLS still matters (and is the default for most modern sites). And Tor cannot protect you from yourself — if you log into a real account, the session is identified regardless of the network path.
Failure modes: traffic analysis if an adversary controls enough of the network or watches both ends of a connection simultaneously. Bad exit nodes that MITM unencrypted HTTP. User error in the form of "using Tor like a regular browser" — leaking via WebRTC if WebRTC isn't disabled, leaking via plugins, leaking by signing into Gmail through the same browser profile.
Which one for which job?
- Encrypt your traffic from your ISP or a hostile Wi-Fi network: a VPN. Cheapest path to "everything between me and somewhere else is encrypted." Mullvad, ProtonVPN, IVPN are typical good picks; pay with a card the provider doesn't tie to your name if you want maximum separation.
- Bypass a geo-restriction on streaming or news: a VPN with an exit in the destination country. Streaming services actively block ranges known to belong to VPN providers, so success depends on the provider's IP refresh cadence.
- Bypass a rate-limit or anti-bot on a single API: a rotating proxy pool with many IPs. Residential proxies look the most like normal users but often carry ethical baggage about how the endpoint network was sourced.
- Real anonymity — research, whistleblowing, threatened journalism: Tor Browser. Nothing less — every commercial VPN requires you to trust the operator, and operators get subpoenaed.
- BitTorrent privacy: a VPN with a documented no-logs policy and a kill switch (the client drops your traffic if the tunnel dies, preventing inadvertent direct connections). Tor exits forbid BitTorrent traffic and you'd be saturating the network for everyone else.
- Self-host a service reachable from outside without a public IP: not a job for any of these. See port forwarding and reverse-tunnel solutions like Cloudflare Tunnel or Tailscale Funnel.
Test after you set up — every time
The default failure mode for all three technologies is "it's running but silently bleeding your real IP through some channel you didn't think to check." After every install and every configuration change, run:
- IPFerret home page — does the IP shown match the VPN / Tor exit you expect?
- DNS leak test — are your DNS queries actually going through the tunnel?
- WebRTC leak test — is your browser advertising your real IP via peer-connection candidates?
- IPv6 test — if you're on a dual-stack connection and your VPN is IPv4-only, your v6 traffic is bypassing the tunnel entirely.
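The four checks above, and the VPN failure modes listed earlier, reduce to one question: did any address you observed fall outside the ranges your tunnel is supposed to use? This added example (not from the original page) runs that comparison over results you would copy from the leak-test pages; the ranges, addresses and ICE candidate lines are constructed from documentation address space, and it assumes your provider's exits and resolvers sit in the listed ranges.

```python
import ipaddress

TUNNEL_NETS = ["198.51.100.0/24"]    # assumed: ranges the VPN exits and resolves from
OBSERVED = {                          # constructed sample results
    "public_ipv4": "198.51.100.23",
    "public_ipv6": "2001:db8:abcd::42",          # None if the host has no IPv6
    "dns_resolvers": ["198.51.100.53", "203.0.113.9"],
    "ice_candidates": [
        "candidate:1 1 udp 2122260223 192.168.1.20 51000 typ host",
        "candidate:2 1 udp 1686052607 203.0.113.77 51000 typ srflx raddr 192.168.1.20 rport 51000",
        "candidate:3 1 udp 1686052607 198.51.100.23 51001 typ srflx raddr 10.8.0.2 rport 51001",
    ],
}

def in_tunnel(addr, nets):
    ip = ipaddress.ip_address(addr)
    # A v6 address is never "in" a v4 network, so an IPv4-only tunnel fails here.
    return any(ip in ipaddress.ip_network(n) for n in nets)

def ice_address(line):
    # Candidate layout: foundation component transport priority ADDRESS port typ TYPE ...
    fields = line.split()
    return fields[4], fields[7]

def audit(observed, nets):
    """Return (channel, address) pairs for every address outside the tunnel."""
    findings = []
    if not in_tunnel(observed["public_ipv4"], nets):
        findings.append(("ipv4", observed["public_ipv4"]))
    v6 = observed.get("public_ipv6")
    if v6 and not in_tunnel(v6, nets):
        findings.append(("ipv6", v6))
    for resolver in observed["dns_resolvers"]:
        if not in_tunnel(resolver, nets):
            findings.append(("dns", resolver))
    for line in observed["ice_candidates"]:
        addr, ctype = ice_address(line)
        # srflx is the address a STUN server saw; host candidates are local
        # interface addresses (or mDNS names) and are skipped.
        if ctype == "srflx" and not in_tunnel(addr, nets):
            findings.append(("webrtc", addr))
    return findings

if __name__ == "__main__":
    for channel, addr in audit(OBSERVED, TUNNEL_NETS):
        print(f"LEAK via {channel}: {addr}")
```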
Related reading
- DNS leak test — the most common VPN failure.
- WebRTC leak test — the other most common VPN failure.
- IP reputation — why exit IPs from commercial VPNs and known Tor nodes carry reputation baggage that affects what sites let you do.
- What is my IP? — the explainer for the underlying object all three of these technologies replace.
