If you’re a techie who needs to set up access to a remote web server, you typically have two options: a VPN or a reverse proxy. A VPN can establish a secure connection directly to the remote server. This connection is safe and encrypted; however, it’s difficult to share with users. A reverse proxy can provide easy public access; however, that same openness exposes the server to threats and unintended visitors.
In this article, we compare the features and operation of VPNs and reverse proxies, specifically for setting up access to remote web servers, and look at which one might be ideal for you.
A reverse proxy serves as an intermediary server positioned in front of web servers, directing client requests (e.g., from web browsers) to these web servers. The deployment of reverse proxies is primarily intended to provide a public access point, DNS, and to enhance security and performance.
Hosting companies frequently use reverse proxies as a default practice. However, businesses and individuals must deliberately decide to adopt them. For instance, if your web application should only be available to an internal team, a reverse proxy is much less practical unless you are very deliberate about its configuration.
Anybody running a web service that should be accessed publicly should consider a reverse proxy. Why?
Say you are running a number of servers. You may want to implement a firewall in front of each server. While this solution can work, it is expensive and difficult to scale. With a reverse proxy, you can have all incoming requests handled by a central proxy server with a single firewall.
A reverse proxy can handle compression of the data exchanged with the servers in your internal network. This removes the need for each individual server to perform compression itself, improving their performance.
A reverse proxy is a simple way to make your server publicly accessible, and to add things like SSL encryption without having to do much configuration.
If a reverse proxy encounters a failure, anything behind it can become inaccessible or compromised. This is especially problematic if a single reverse proxy is serving many websites.
Since the reverse proxy is typically accessible over the internet, a DDoS attack is possible, which can make your services unavailable. This typically translates to a brief delay for your customers and visitors before they can access your services. In certain instances, a DDoS is possible even without a bad actor. Misconfigurations in other web apps which use your server may cause them to send way too many requests to the server. Rate limiting is important!
While in theory you can lock down a reverse proxy so that only the appropriate users can access it, in practice this is not done as often as it should be. If you go with the default configuration on many proxies, or do not know what you are doing, you may end up exposing your application to users who should not have access.
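The three points above (a single gateway in front of several servers, rate limiting, and restricting who may reach the proxy at all) can be seen together in a small model of the decisions a reverse proxy makes before it forwards a request. This is an added example, not code from the article or from any proxy product; the hostnames, backend addresses, client networks and limits are constructed for illustration, and no network traffic is sent. The `allowed_networks=None` default deliberately reproduces the open-by-default behaviour the paragraph warns about, so the difference between an unconfigured and a locked-down proxy is visible in the results.

```python
"""Added example (not from the article): the order of checks a reverse proxy
applies before forwarding a request. All names and addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed routing table: public hostname -> internal backend (hypothetical).
UPSTREAMS = {
    "app.example.test": "http://10.0.1.10:8080",
    "wiki.example.test": "http://10.0.1.11:8080",
}

RATE_LIMIT = 5          # constructed: more than 5 requests ...
WINDOW_SECONDS = 10.0   # ... within 10 seconds from one client is rejected


@dataclass
class Gateway:
    # None reproduces the risky default of many proxies: anyone may connect.
    # A locked-down deployment passes an explicit list of client networks.
    allowed_networks: list = None
    # Per-client request timestamps, so the rate limit persists across calls.
    history: dict = field(default_factory=dict)

    def is_allowed_client(self, client_ip: str) -> bool:
        if self.allowed_networks is None:
            return True
        addr = ip_address(client_ip)
        return any(addr in net for net in self.allowed_networks)

    def over_rate_limit(self, client_ip: str, now: float) -> bool:
        # Sliding window: drop timestamps outside the window, then count.
        recent = [t for t in self.history.get(client_ip, [])
                  if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.history[client_ip] = recent
        return len(recent) > RATE_LIMIT

    def handle(self, client_ip: str, host: str, now: float):
        """Return (status, upstream or reason), checked in the order a proxy
        should use: cheapest rejection first, routing last."""
        if not self.is_allowed_client(client_ip):
            return 403, "client not in allowlist"
        if self.over_rate_limit(client_ip, now):
            return 429, "rate limit exceeded"
        upstream = UPSTREAMS.get(host)
        if upstream is None:
            return 404, "unknown host"
        return 200, upstream


if __name__ == "__main__":
    # Constructed walk-through: an open proxy vs. one restricted to one network.
    open_proxy = Gateway()
    print(open_proxy.handle("198.51.100.7", "app.example.test", 0.0))
    locked = Gateway(allowed_networks=[ip_network("203.0.113.0/24")])
    print(locked.handle("198.51.100.7", "app.example.test", 0.0))
    for i in range(7):
        print(locked.handle("203.0.113.5", "app.example.test", float(i)))
```

Note that a client rejected by the allowlist never consumes rate-limit state, so an unwanted visitor cannot fill the proxy's tables before it has even been admitted; the 429 for an admitted client is what the article's "rate limiting is important" looks like in practice, and it applies equally to a misconfigured internal app that floods the gateway.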
A virtual private network (VPN) is a secure, encrypted connection established over the Internet between a device and a network. This encrypted connection ensures the secure transmission of sensitive data, preventing unauthorized individuals from intercepting the traffic. Moreover, it enables users to engage in remote work while maintaining the confidentiality of their communications.
A VPN is secure-by-default, meaning if you configure your web server to be accessible only over VPN, then no one will have access, until you give it to them. This is a great option if only a select number of approved users should access the service.
A reverse proxy does not encrypt traffic by default, unless you add something like SSL encryption to the server. Even then, this still leaves open gaps that could be compromised. A VPN offers end-to-end encryption, meaning all traffic remains encrypted from the time it leaves your device to the time it reaches the server.
If you are setting up multiple web servers, a VPN allows you to set up Access Control Groups, meaning you are able to allow or deny traffic based on the group of the user. For instance, you could have two groups, “developers”, and “marketing”. The “developers” will have access only to development-related servers, and the “marketers” will have access only to the marketing-related servers.
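The group-based access control just described is, at its core, a rule table that is consulted for every connection and that denies anything no rule covers. The following is an added example, not code from the article or from any VPN product; it reuses the article's "developers" and "marketing" groups but the user names, server addresses and rule contents are constructed. Group membership is modelled as it would arrive from an authentication provider.

```python
"""Added example (not from the article): evaluating group-based access rules
of the kind a VPN enforces between users and internal servers. Everything
here is constructed for illustration."""
from ipaddress import ip_address, ip_network

# Constructed server inventory, keyed by the address a VPN client would use.
SERVERS = {
    "dev-api": {"addr": "10.8.10.5", "purpose": "development"},
    "dev-db":  {"addr": "10.8.10.6", "purpose": "development"},
    "cms":     {"addr": "10.8.20.5", "purpose": "marketing"},
}

# Constructed group membership, as an identity provider would report it.
USER_GROUPS = {
    "alice": {"developers"},
    "bob":   {"marketing"},
    "carol": {"developers", "marketing"},
    "dave":  set(),                       # authenticated, but in no group
}

# Allow rules: (group, destination network, permitted TCP ports).
# There is no "allow everything" rule; a connection that matches no rule
# is denied, which is what secure-by-default means in this setting.
RULES = [
    ("developers", ip_network("10.8.10.0/24"), {22, 443, 5432}),
    ("marketing",  ip_network("10.8.20.0/24"), {443}),
]


def is_permitted(user: str, dest_ip: str, port: int) -> bool:
    """True only if some rule for one of the user's groups covers both the
    destination and the port. Unknown users have no groups, hence no access."""
    groups = USER_GROUPS.get(user, set())
    addr = ip_address(dest_ip)
    return any(group in groups and addr in net and port in ports
               for group, net, ports in RULES)


def reachable_servers(user: str, port: int = 443) -> list:
    """Names of servers the user may open on the given port, sorted; this is
    roughly what a per-user route or policy list looks like."""
    return sorted(name for name, srv in SERVERS.items()
                  if is_permitted(user, srv["addr"], port))


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(f"{user:6} -> {reachable_servers(user)}")
    print("bob to dev-db:5432 ->", is_permitted("bob", "10.8.10.6", 5432))
```

The cost the article mentions is visible here too: every user has to appear in `USER_GROUPS` (by hand or through an identity-provider integration) before any rule can apply to them, which is the flip side of nothing being reachable until it is explicitly granted.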
A VPN can offer “full tunnel” encryption, meaning you can send any sort of traffic to and from the server. A reverse proxy will typically serve only HTTP/S traffic. Some will do more advanced things like raw TCP or UDP, and some can even serve traffic like MQTT, but this is rarer and requires advanced configuration to make it secure. If you have many different, non-standard forms of traffic you would like to serve, a VPN is much easier.
There are many free proxies. There are also some free VPNs, but for remote access, there are surprisingly few unless you want to get very technical with your implementation. For any advanced features you may want, you will probably have to pay.
A VPN can fail to establish a connection for various reasons. Perhaps the user just loses their key, or there is something misconfigured on the VPN. Or, maybe the end user’s device does not support the VPN properly. If this is the case, they’re out of luck.
The pro of a VPN is it is secure-by-default. The con is that it is secure-by-default. Every user who should have access must be separately configured. Some VPNs have more advanced integration with authentication providers, which can allow you to automate this based on “groups” using Access Controls, but this is still a lot of work (and typically a paid feature), as opposed to just putting a public proxy in place.
We have discussed how reverse proxies help you expose the services running in your network to the public web through a single gateway, and how VPNs help secure access to the server through an encrypted client-server tunnel.
But let’s say you have a service running in an office or home network, which lacks a public IP, and you want to grant access to that service over the internet. What would be the best way to go about it?
A reverse proxy cannot easily do it alone, because the device does not have a reachable IP. You could configure some extra routing rules and deploy the proxy in the local environment to make this possible, but a simpler approach is to put the reverse proxy in the cloud and connect it to the remote network over a VPN.
The reverse proxy gives you a public access point, while the VPN tunnel creates a safe and direct connection between the proxy server and the device. Users access the site publicly, and the reverse proxy then encrypts this traffic over the VPN tunnel, sending it directly to your device!
This 15-minute video explains in detail how to set up secure and private remote access to your local network by leveraging both a reverse proxy server and a VPN connection.
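What makes the combined design attractive is that the only thing reachable from the public internet is the cloud proxy's HTTPS port and its tunnel endpoint; the device in the home or office network is reachable solely through the tunnel. The check below is an added example, not code from the article or the video: it models the topology as a few nodes, routes and firewall rules and asks, for each (address, port), who can reach it. Every address, node name and port is constructed, the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for the public internet, and 10.8.0.0/24 stands in for a WireGuard-style tunnel range.

```python
"""Added example (not from the article): a reachability check for the combined
design, a cloud reverse proxy forwarding over a VPN tunnel to a device that has
no public IP. All addresses, names and rules are constructed."""
from ipaddress import ip_address, ip_network

TUNNEL = ip_network("10.8.0.0/24")   # constructed tunnel address range
# Constructed stand-ins for public address space (documentation ranges).
PUBLIC = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Constructed nodes: the addresses each owns and the ports it accepts, with
# the source networks its host firewall allows for each port.
NODES = {
    "cloud-proxy": {
        "addrs": ["198.51.100.10", "10.8.0.1"],           # public IP, tunnel IP
        "listen": {443: [ip_network("0.0.0.0/0")],         # HTTPS entry point
                   51820: [ip_network("0.0.0.0/0")]},      # tunnel endpoint (UDP)
    },
    "home-device": {
        "addrs": ["192.168.1.20", "10.8.0.2"],             # LAN IP, tunnel IP
        "listen": {8080: [TUNNEL]},                        # app: tunnel peers only
    },
}

# Constructed senders: the address they send from and the networks they can route to.
SENDERS = {
    "internet-client": {"src": "203.0.113.9", "routes": PUBLIC},
    "cloud-proxy":     {"src": "10.8.0.1",    "routes": PUBLIC + [TUNNEL]},
    "lan-neighbour":   {"src": "192.168.1.30", "routes": [ip_network("192.168.1.0/24")]},
}


def has_route(sender: str, dst) -> bool:
    return any(dst in net for net in SENDERS[sender]["routes"])


def owner_of(dst_ip: str):
    for name, node in NODES.items():
        if dst_ip in node["addrs"]:
            return name
    return None


def can_reach(sender: str, dst_ip: str, port: int) -> bool:
    """True only if the sender can route to dst_ip and the owning node's
    firewall accepts the sender's source address on that port."""
    dst = ip_address(dst_ip)
    if not has_route(sender, dst):
        return False                      # no path: e.g. internet -> LAN address
    node = NODES.get(owner_of(dst_ip))
    if node is None or port not in node["listen"]:
        return False                      # nothing listening there
    src = ip_address(SENDERS[sender]["src"])
    return any(src in net for net in node["listen"][port])


def exposed_to_internet() -> list:
    """Every (node, address, port) an internet client can hit: the public surface."""
    return sorted((name, addr, port)
                  for name, node in NODES.items()
                  for addr in node["addrs"]
                  for port in node["listen"]
                  if can_reach("internet-client", addr, port))


if __name__ == "__main__":
    print("public surface:", exposed_to_internet())
    print("proxy -> device app over tunnel:", can_reach("cloud-proxy", "10.8.0.2", 8080))
    print("internet -> device LAN app:", can_reach("internet-client", "192.168.1.20", 8080))
```

Running it shows two reachable entries, both on the proxy's public address, while the application port on the device answers only to a source inside the tunnel range; even a neighbour on the same LAN is refused in this constructed policy, which is the least-exposure posture the combined setup makes possible. A real deployment still has to keep the proxy itself locked down and rate limited, since it remains the one piece exposed to the public.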
The answer depends on what you want to achieve. Utilizing a VPN is recommended if you need to be secure by default. Conversely, a reverse proxy is well-suited for providing public access. The combination of the two can also be used in more complex networking scenarios.
We hope this article helps you understand the roles of reverse proxies and VPNs in networking.