VPN vs proxy: what I reach for when things break
I was in a coffee shop, trying to push a hotfix.
Git pulls were fine. Slack loaded. Then my bank app refused to sign in, and the company SSO page looped forever.
That’s the moment you stop arguing “VPN vs proxy” in theory and start caring what each one actually touches.
The quick gut-check I do on public Wi‑Fi
On sketchy Wi‑Fi, I assume two things. The network is watching, and the network is unreliable.
A proxy is mostly about where you appear to be. A VPN is also about who can see the road you’re driving on.
Proxies don’t encrypt everything.
With a VPN, your device builds one tunnel from your laptop or phone to a VPN server. From the Wi‑Fi’s point of view, it’s just encrypted packets headed to one IP. That’s why VPNs fix the “hotel Wi‑Fi is messing with DNS” kind of failure so often.
With a proxy, your browser (or a specific app) sends traffic through an extra hop. The catch is right there: it’s usually per-app, not device-wide, unless you jump through hoops.
And yes, a lot of people call both of these “a proxy” because it’s easier than explaining. The network doesn’t care what you call it.
What a proxy actually does (and what it won’t)
A proxy is an intermediary. Your client talks to the proxy, and the proxy talks to the destination.
That sounds VPN-ish until you look at the edges.
If you set a proxy in Firefox, only Firefox uses it. Your system updater, your game launcher, your mail client, and the random helper service you forgot existed will keep using the normal network path. That’s not automatically bad. It’s just different.
A few proxy flavors show up in the real world:
- HTTP/HTTPS proxies: common in corporate setups and some “web unblocker” services. Great for web traffic, awkward for anything else.
- SOCKS5: more general-purpose. Tools like Shadowrocket on iOS and Proxifier on Windows can push a lot through SOCKS, but it’s still a client-side decision.
- Shadowsocks-2022: technically a proxy protocol, but used like a censorship-resistant transport. It’s why apps like NekoBox, Hiddify, and V2RayNG are in so many phones.
Now the “won’t” part.
A proxy won’t magically secure your whole device unless every app is forced through it (which often means a VPN-style tunnel anyway). And an HTTP proxy won’t hide your DNS lookups unless your browser does DNS-over-HTTPS or you’ve configured something like encrypted DNS separately. I keep seeing people run a proxy and still leak plain DNS to the local network. Then they wonder why blocks follow them.
Also, proxies don’t prevent the local network from seeing that you’re connecting to the proxy. They just shift what happens after that.
VPNs are boring, and that’s why they work
VPNs are not exciting. Thank goodness.
When I say “VPN” in 2026, I usually mean WireGuard. It’s fast, it’s simple, it uses UDP, and it behaves well on modern phones compared to older options that feel like they were designed for desktops on Ethernet.
You’ll still run into OpenVPN and IKEv2 in the wild. They can be fine. But on mobile, battery and flaky radio conditions matter more than people admit.
Here’s what changes with a VPN:
- Traffic scope: typically device-wide, including apps that don’t support proxies.
- DNS control: many VPN clients can push a specific DNS server and keep lookups inside the tunnel.
- Network weirdness: captive portals, NAT timeouts, and carrier-grade packet loss can all affect you, but at least you’re debugging one tunnel instead of ten apps.
This is where the “works on my phone” factor kicks in. WireGuard tends to reconnect cleanly when you switch from LTE to Wi‑Fi, or when the elevator turns your signal into mush. It’s not perfect, but it’s the least annoying option most days.
Latency still goes up.
That’s the tax you pay for privacy and indirection. If you’re gaming or doing low-latency voice, you feel it.
So why do people still use proxies?
Because sometimes a VPN is the wrong hammer.
If you only need one app to look like it’s coming from another place, a proxy can be the cleaner choice. I’ve done this with a browser profile for testing geo-based pricing (yes, it’s a thing), while leaving the rest of my system alone so corporate tools don’t freak out.
Proxies also shine when you’re dealing with services that hate VPN IP ranges. Some streaming platforms and ticketing sites block VPNs aggressively. A residential proxy network can bypass that, but now you’re stepping into a swamp of ethics and trust. If you don’t know who runs the exit nodes, you’re routing your traffic through strangers’ machines. That’s not a hypothetical risk.
Then there’s the censorship angle.
In places where VPN protocols get throttled or fingerprinted, “proxy” often means a stealth transport like VLESS+REALITY or Shadowsocks-2022, wrapped in a client that looks like a normal HTTPS flow on port 443. People run these through clients like V2RayNG on Android or Shadowrocket on iOS because they survive in hostile networks.
At that point, the label stops helping. You’re building an encrypted tunnel, you just aren’t calling it a VPN.
The stuff that bites you in practice
Most comparisons online talk about “encryption” and “privacy” like those are checkboxes. Real life is messier.
1) Split tunneling is useful and dangerous
Split tunneling means some traffic goes through the tunnel and some doesn’t. It can save battery and reduce latency. It can also leak the one thing you actually cared about.
On Android, a lot of VPN apps support per-app routing. On Windows and macOS, it varies. On iOS, you’re often at the mercy of what the client exposes.
If you’re using a proxy, you’re basically doing “split tunneling” by default. That’s fine if you intended it.
2) DNS leaks are still a top-tier footgun
I don’t care how fancy the transport is if your DNS goes out in the clear.
A VPN can force DNS through the tunnel (when configured properly). A proxy often doesn’t. Some proxy apps can handle it (Hiddify can, depending on config), but it’s easy to misconfigure.
Quick check: visit a DNS leak test site, switch networks once, test again. Mobile network transitions are where leaks show up.
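For SOCKS5 specifically, whether a proxy setup leaks DNS is visible in the request's address-type byte. The parser below is an added example, not part of the original post; the function name, field names and sample bytes are constructed for illustration, and the wire format follows RFC 1928.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def parse_socks5_request(data: bytes) -> dict:
    """Parse a SOCKS5 request (RFC 1928) and report where DNS resolution happens."""
    if len(data) < 4:
        raise ValueError("truncated request header")
    ver, cmd, rsv, atyp = data[:4]
    if ver != 0x05 or rsv != 0x00:
        raise ValueError("not a SOCKS5 request")
    body = data[4:]
    if atyp == ATYP_IPV4:
        need = 4
    elif atyp == ATYP_IPV6:
        need = 16
    elif atyp == ATYP_DOMAIN:
        if not body:
            raise ValueError("missing domain length byte")
        need = 1 + body[0]          # length byte + hostname
    else:
        raise ValueError(f"unknown ATYP {atyp:#04x}")
    if len(body) < need + 2:
        raise ValueError("truncated address or port")
    (port,) = struct.unpack("!H", body[need:need + 2])
    if atyp == ATYP_DOMAIN:
        # Hostname travels to the proxy, so the local network sees no lookup.
        host, dns_at = body[1:need].decode("ascii", errors="replace"), "proxy"
    else:
        # Client sent a literal IP: any name lookup already happened locally.
        host, dns_at = str(ipaddress.ip_address(body[:need])), "client"
    return {"cmd": cmd, "host": host, "port": port, "dns_at": dns_at}

# Constructed sample requests (CONNECT to port 443), not captured traffic.
REMOTE_DNS = bytes([5, 1, 0, ATYP_DOMAIN, 11]) + b"example.com" + struct.pack("!H", 443)
LOCAL_DNS = bytes([5, 1, 0, ATYP_IPV4, 192, 0, 2, 10]) + struct.pack("!H", 443)

if __name__ == "__main__":
    for name, req in (("remote", REMOTE_DNS), ("local", LOCAL_DNS)):
        print(name, parse_socks5_request(req))
```

This is the same distinction curl draws between `socks5h://` (hostname sent to the proxy) and `socks5://` (resolved locally first).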
3) Mobile packet loss changes everything
On trains and in crowded events, you get bursts of packet loss. Some tunnels recover gracefully. Others stall.
WireGuard is usually resilient. Some TCP-based tunnels over TLS can turn packet loss into full-on misery because TCP over TCP is a recipe for retransmission storms.
4) Trust isn’t abstract, it’s operational
With a VPN, you’re trusting the provider’s exit server. With a proxy, you’re trusting the proxy operator, and sometimes a chain of operators.
Either way, you should assume the exit can see your destination IPs, and can see unencrypted application data. HTTPS protects most web traffic, but not everything is HTTPS, and not every app validates certificates correctly.
Pick your operator carefully.
How I choose between them on a normal week
If I’m trying to protect myself on public Wi‑Fi, it’s VPN without debate.
If I’m debugging a single service that’s geo-fenced, I’ll often use a proxy in just the browser, because I don’t want to reroute my whole workstation.
If I’m in a restrictive network and I need reliability, I care less about the word “VPN” and more about whether the tunnel survives. That’s where setups like VLESS+REALITY, Shadowsocks-2022, or a well-configured WireGuard server tend to win. Tools like Streisand can help you bootstrap infrastructure, but maintaining your own server is a hobby that keeps asking for weekends.
Here’s the only checklist I actually use before I commit to a setup:
- Does it tunnel DNS, or am I configuring encrypted DNS myself?
- Can I keep my banking and password manager inside the tunnel?
- How does it behave when I switch from Wi‑Fi to cellular?
- Can I tell, quickly, when it disconnects?
That last one matters. Silent failure is brutal.
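One way to answer the "can I tell when it disconnects" question for WireGuard is to watch handshake age. This is an added example, not from the original post: it parses the output of `wg show <interface> latest-handshakes`, and the 180-second threshold, the peer names and the sample output are assumptions. It also assumes the peer has a persistent keepalive or steady traffic, since an idle tunnel has an old handshake without being broken.

```python
STALE_AFTER = 180  # seconds; assumed threshold for "tunnel has gone quiet"

def stale_peers(wg_output: str, now: float, max_age: int = STALE_AFTER) -> list:
    """Return (peer, age_seconds) for peers with no recent handshake.

    Accepts output of `wg show <iface> latest-handshakes` (peer, timestamp)
    or `wg show all latest-handshakes` (iface, peer, timestamp).
    age_seconds is None when the peer has never completed a handshake.
    """
    stale = []
    for line in wg_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue                      # blank or malformed line
        peer, ts = fields[-2], int(fields[-1])
        if ts == 0:
            stale.append((peer, None))    # timestamp 0: never connected
        elif now - ts > max_age:
            stale.append((peer, int(now - ts)))
    return stale

# Constructed sample output; real peer identifiers are base64 public keys.
SAMPLE_NOW = 1700000060
SAMPLE_OUTPUT = (
    "PEER_A_PUBKEY_PLACEHOLDER\t1700000000\n"   # 60 s ago: healthy
    "PEER_B_PUBKEY_PLACEHOLDER\t1699999000\n"   # 1060 s ago: stale
    "PEER_C_PUBKEY_PLACEHOLDER\t0\n"            # never handshaked
)

if __name__ == "__main__":
    # For live use, pass the text printed by `wg show wg0 latest-handshakes`
    # (needs root) and time.time() instead of the sample values.
    for peer, age in stale_peers(SAMPLE_OUTPUT, SAMPLE_NOW):
        status = "never connected" if age is None else f"last handshake {age}s ago"
        print(f"ALERT {peer}: {status}")
```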
The “just tell me what to install” reality
On iOS, you’re usually choosing between a VPN app that supports WireGuard (or IKEv2), and a proxy-style client like Shadowrocket that can run Shadowsocks or V2Ray-style configs. iOS is strict about background behavior, so battery and reconnect logic aren’t minor details.
On Android, V2RayNG, NekoBox, and Hiddify give you lots of transport options, but the UI can get dense fast. Honestly, the hardest part is not the cryptography. It’s keeping configs tidy and knowing which outbound is active.
On routers (OpenWrt), a VPN can cover every device in the house, including dumb IoT gear that has no proxy settings. The trade-off is you’re now responsible for that router staying updated and not turning into your weakest link.
If you want a managed option because you’re tired of babysitting configs, I’ve had decent results with DuduVPN for day-to-day WireGuard use, and their Telegram bot https://t.me/duduvpnsbot makes it quick to grab settings when you’re setting up a new phone.
When you’re testing, do it with one sensitive app first (banking, password manager, work email), then flip the switch for everything else once you’ve confirmed DNS and reconnect behavior on both Wi‑Fi and cellular.