A Proxy and a VPN-Server are both intermediate nodes in the communication between the client and the server.
Both hide your IP address and can therefore be used to bypass geo-blocking. Never use an untrusted Proxy/VPN-Server for hacking, because you don't know what it does with your data. A very good example is Hidemyass.com, which gave the traffic data from some LulzSec hackers to the FBI. Only use a Proxy/VPN-Server for your hacks if you trust it.
For sensitive traffic, like banking, you should force encrypted communication, especially if you are in an untrusted network, like a free WiFi AP. You can either set your browser to use HTTPS only or use an encrypted VPN connection to a trusted VPN-Server. This blocks an SSL-Strip attack from a Man-in-the-Middle. A Proxy won't give you any advantage in that scenario.
Proxy - HTTP

Client                Proxy                 Server
|<-- TCP handshake -->|                     |
|--- HTTP request --->|                     |
|                     |<-- TCP handshake -->|
|                     |--- HTTP request --->|
|                     |<-- HTTP response ---|
|<-- HTTP response ---|                     |

                  -------------------------
Packet (request): | MAC | IP | TCP | HTTP |
                  -------------------------
- MAC: Dst = <Proxy_MAC>
- IP: Dst = <Proxy_IP>
- TCP: Dst Port = <Proxy_Port>
- HTTP: Destination URI = <Server_URI>
The proxy knows the server via the HTTP request packet.
Proxy - HTTPS

Client                Proxy                 Server
|<-- TCP handshake -->|                     |
|--- CONNECT site --->|                     |
|                     |<-- TCP handshake -->|
|<-- TLS handshake -->|<-- TLS handshake -->|
|--- HTTPS request -->|                     |
|                     |--- HTTPS request -->|
|                     |<-- HTTPS response --|
|<-- HTTPS response --|                     |

                  --------------------------
Packet (request): | MAC | IP | TCP | HTTPS |
                  --------------------------
- MAC: Dst = <Proxy_MAC>
- IP: Dst = <Proxy_IP>
- TCP: Dst Port = <Proxy_Port>
- HTTPS: Encrypted HTTP request
The proxy knows the server via the HTTP CONNECT packet.
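
The two proxy cases above, side by side, as an added example (not code from the original post): a small parser that takes the first bytes a forward proxy receives and reports what it can read. The sample requests, the host bank.example and the function name proxy_view are constructed for illustration, and the proxy is assumed to relay the tunnel without intercepting TLS.

```python
from urllib.parse import urlsplit

# Constructed sample requests, as a forward proxy would receive them.
PLAIN = (b"POST http://bank.example/login?next=/home HTTP/1.1\r\n"
         b"Host: bank.example\r\nCookie: sid=abc123\r\n\r\n"
         b"user=alice&pw=hunter2")
TUNNEL = (b"CONNECT bank.example:443 HTTP/1.1\r\n"
          b"Host: bank.example:443\r\n\r\n")


def proxy_view(raw: bytes) -> dict:
    """Return what a non-intercepting forward proxy can read from `raw`."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method.upper() == "CONNECT":
        # HTTPS via proxy: the target is only "host:port". Everything sent
        # after the proxy's 200 reply is TLS that the proxy just relays.
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return {"mode": "tunnel", "host": host.strip("[]"), "port": int(port),
                "path": None, "cookie": None, "body": None}

    # HTTP via proxy: the target is the full URI, and headers and body
    # arrive in clear text.
    url = urlsplit(target)
    if not url.hostname:
        raise ValueError("proxy request needs an absolute URI")
    path = url.path + ("?" + url.query if url.query else "")
    return {"mode": "plain", "host": url.hostname,
            "port": url.port or (443 if url.scheme == "https" else 80),
            "path": path, "cookie": headers.get("cookie"), "body": body}


if __name__ == "__main__":
    for sample in (PLAIN, TUNNEL):
        print(proxy_view(sample))
```

In both cases the proxy learns the destination host and port; only in the plain HTTP case does it also see the path, the cookie and the submitted credentials.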
VPN - HTTP
Precondition between VPN-Client and VPN-Server:
- Pre-shared keys or TLS handshake

VPN-Client                  VPN-Server            Server
|<----- TCP handshake ----->|                     |
|--- Packed HTTP request -->|                     |
|                           |<-- TCP handshake -->|
|                           |--- HTTP request --->|
|                           |<-- HTTP response ---|
|<-- Packed HTTP response --|                     |

                         ------------------------------------------------------
Packet (packed request): | MAC_VPN | IP_VPN | TCP_VPN | MAC | IP | TCP | HTTP |
                         ------------------------------------------------------
                                                      \------ Encrypted ------/
- MAC_VPN: Dst = <VPN-Server_MAC>
- IP_VPN: Dst = <VPN-Server_IP>
- TCP_VPN: Dst Port = <VPN-Server_Port>
The VPN-server knows the server after decrypting the packet.
VPN - HTTPS
Precondition between VPN-Client and VPN-Server:
- Pre-shared keys or TLS handshake

VPN-Client                   VPN-Server                Server
|<----- TCP handshake ------>|                         |
|<----- TLS handshake ------>|<-- TCP/TLS handshake -->|
|--- Packed HTTPS request -->|                         |
|                            |----- HTTPS request ---->|
|                            |<---- HTTPS response ----|
|<-- Packed HTTPS response --|                         |

                         -------------------------------------------------------
Packet (packed request): | MAC_VPN | IP_VPN | TCP_VPN | MAC | IP | TCP | HTTPS |
                         -------------------------------------------------------
                                                      \------ Encrypted -------/
- MAC_VPN: Dst = <VPN-Server_MAC>
- IP_VPN: Dst = <VPN-Server_IP>
- TCP_VPN: Dst Port = <VPN-Server_Port>
The VPN-server knows the server after decrypting the packet.