Reverse Proxy vs. VPN: How to access your remote web server

‍Reverse Proxy vs. VPN: What’s the Difference?

If you’re a techie who needs to set up access to a remote web server, you typically have two options: a VPN or a reverse proxy. A VPN can establish a secure connection directly to the remote server. This connection is safe and encrypted. However, it’s difficult to share with users. A reverse proxy can provide easy public access, however, this also opens it up to threats, and unintended visitors.

In this article, we try to learn the difference in features and operations of both VPNs and Reverse Proxies, specifically for setting up access to remote web servers, and which one might be ideal for you.

‍Reverse Proxy

A reverse proxy serves as an intermediary server positioned in front of web servers, directing client requests (e.g., from web browsers) to these web servers. The deployment of reverse proxies is primarily intended to provide a public access point, DNS, and to enhance security and performance.

Hosting companies frequently use reverse proxies as a default practice. However, businesses and individuals must deliberately decide to adopt them. For instance, should your web application only be available to an internal team? This could make a reverse proxy much less practical, unless you are very deliberate about its configuration.

Why use a Reverse Proxy?

Anybody running a web service that should be accessed publicly should consider a reverse proxy, why?

Pros

1. Establishes a Centralized Auditing Point

Say you are running a number of servers. You may want to implement a firewall in front of each server. While this solution can work, it is expensive and difficult to scale. With a reverse proxy, you can have all incoming requests handled by a central proxy server with a single firewall.

2. Reduces Server Workload

A reverse proxy has the capability to compress data before transmitting it to different servers within your internal network. This approach negates the necessity for each individual server on your internal network to undertake compression tasks improving their performance.

3. Makes public access easy

A reverse proxy is a simple way to make your server publicly accessible, and to add things like SSL encryption without having to do much configuration.

Cons

1. Creates a Single Point of Failure

If a reverse proxy encounters a failure, anything behind it can become inaccessible or compromised. This is especially problematic if a single reverse proxy is serving many websites.

2. Susceptible to DDoS

Since the reverse proxy is typically accessible over the internet, a DDoS attack is possible, which can make your services unavailable. This typically translates to a brief delay for your customers and visitors before they can access your services. In certain instances, a DDoS is possible even without a bad actor. Misconfigurations in other web apps which use your server may cause them to send way too many requests to the server. Rate limiting is important!

3. Opens you up publicly

While in theory you can lock down a reverse proxy so that only the appropriate users can access it, in practice, this is not done as often as it should. If you go with the default configuration on many proxies, or do not know what you are doing, you may end up exposing your application to users who should not have access.

VPNs

A virtual private network (VPN) is a secure, encrypted connection established over the Internet between a device and a network. This encrypted connection ensures the secure transmission of sensitive data, preventing unauthorized individuals from intercepting the traffic. Moreover, it enables users to engage in remote work while maintaining the confidentiality of their communications.

Why use a VPN?

Pros

1. Only allow identified users

A VPN is secure-by-default, meaning if you configure your web server to be accessible only over VPN, then no one will have access, until you give it to them. This is a great option if only a select number of approved users should access the service.

2. Encrypt all connections

A reverse proxy does not encrypt traffic by default, unless you add something like SSL encryption to the server. Even then, this still leaves open gaps that could be compromised. A VPN offers end-to-end encryption, meaning all traffic remains encrypted from the time it leaves your device to the time it reaches the server.

3. Segment users by intended access

If you are setting up multiple web servers, a VPN allows you to set up Access Control Groups, meaning you are able to allow or deny traffic based on the group of the user. For instance, you could have two groups, “developers”, and “marketing”. The “developers” will have access only to development-related servers, and the “marketers” will have access only to the marketing-related servers.

4. Serve non-HTTP traffic

A VPN can offer “full tunnel” encryption, meaning you can send any sort of traffic to and from the server. A reverse proxy will typically serve only HTTP/S traffic. Some will do more advanced things like raw TCP, UDP, and some can even server traffic like MQTT, but this is more rare and requires advanced configurations to make it secure. If you have many different, non-standard forms of traffic you would like to serve, a VPN is much easier.

Cons

1. Costs

There are many free proxies. There are also some free VPNs, but for remote access, there are surprisingly few unless you want to get very technical with your implementation. For any advanced features you may want, you will probably have to pay.

2. VPN failure means no access

A VPN can fail to establish a connection for various reasons. Perhaps the user just loses their key, or there is something misconfigured on the VPN. Or, maybe the end user’s device does not support the VPN properly. If this is the case, they’re out of luck.

3. Configure user-by-user

The pro of a VPN is it is secure-by-default. The con is that it is secure-by-default. Every user who should have access must be separately configured. Some VPNs have more advanced integration with authentication providers, which can allow you to automate this based on “groups” using Access Controls, but this is still a lot of work (and typically a paid feature), as opposed to just putting a public proxy in place.

Reverse Proxy + VPN

We have discussed how Reverse Proxies helps you expose the services running in your network to the public web through a single gateway, and how VPNs help with securing access to the server through a secure client-server tunnel. 

But let’s say you have a service running in an office or home network, which lacks a public IP, and you want to grant access to that service over the internet. What would be the best way to go about it?

A reverse proxy cannot do it alone very easily, because the device does not have a reachable IP. You could configure some extra routing rules and deploy the proxy in the local environment to make this possible, but a simpler approach would be to put the reverse proxy in the cloud, and create a connection to the remote network using a VPN connection.

The Reverse proxy will give you a public access point, while the VPN tunnel will create a safe and direct connection between the proxy server and the device. Users will access the site publicly, and the reverse proxy will then encrypt this traffic over the VPN tunnel, sending it directly to your device!

Implementing Reverse Proxy + VPN

This 15 minute video explains in detail how to set up a secure and private remote access to your local network by leveraging both a reverse proxy server and VPN connection.

So what should you use?

The answer depends on what you want to achieve. Utilizing a VPN is recommended if you need to be secure by default. Conversely, a reverse proxy is well-suited for providing public access. The combination of the two can also be used in more complex networking scenarios.

We hope this article helps you understand the roles of reverse proxies and VPNs in networking.

Netmaker: An Alternative to Reverse Proxies

Netmaker offers a self-hosted solution, which can be deployed to provide access to local environments via VPN. If you're considering a move away from reverse proxies, you may want to check out Netmaker, to get secure, remote access to your hosted services without exposing them to the public internet.