Not really. In my view, VPNs (at least the type discussed here) and proxies are complementary:
VPNs are good at encrypting/redirecting all of your device's traffic, since they're per-computer by default. They're accordingly good at preventing metadata leaks (e.g. visited sites or used apps) on untrusted networks.
Proxies are opt-in, but can accordingly be much more fine-grained. For example, Firefox supports per-domain (via various extensions) or per-tab (via the built-in "containers" feature) proxies – VPNs usually can't do that.
I am not 100% sure but Firefox VPN is an actual VPN based on mullvad. On the main product page[1], it says it is built with Wireguard which is a VPN software.
VPNs can, if they can be routed into via SOCKS or Http Connect gateways, for example. Generally, VPNs (L2/L3) can stoop to the level of proxies (L4) but not vice versa (at least not as cleanly).
Sure, you can bridge in either direction (using e.g. this [1] excellent Wireguard-to-SOCKS adapter), but in my view, if you have bytestream semantics, you're often better off using a bytestream-oriented proxying protocol (like SOCKS, SSH or HTTP) and vice versa.
These bridges/adapters do have their applications though – I have a home router that supports Wireguard natively, but not any of the higher-level protocols; this lets me use my per-tab approach with it.
I don't really get the value proposition of wireproxy. Especially since it seems not to be complete yet.
It is trivial to run a socks proxy on one of the peers and have your browser point to that. Both chrome and firefox can do this on demand and for the sites you select.
I have a docker based proxy running on a vm. (I've tried a bunch of them. They all work fine. None of them are hugely better at the bandwidth levels available to me - around 50-70mbps) The proxy is only listening on the wireguard IP. I have my clients connect to that wireguard peer and use the wireguard IP as the proxy. You can't install a proxy on the remote side? It should be possible seeing that you have to install something anyway. I am not sure about not needing root but it should not be a requirement for a proxy server since all it does is make http requests on your behalf.
Yes, "work" VPNs, site-to-site and many other topologies don't change the default route, but "privacy" VPNs like Mullvad usually do – there is no group of hosts to route traffic for other than simply "the entire internet".
That said, I'm aware of at least one that tries to support an "exempt/excluded hosts" feature, but it does this via some hack using its local DNS resolver and modifying the routing table on the fly, which does not work reliably.
Interesting! Is that actually the letter of the specification, or a common/industry-standard interpretation? I hate VPN setups like that; it often makes videoconferencing, browsing of non-corp sites etc. unnecessarily slow.
It's the letter of the specification, unfortunately:
> 3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
> DISCUSSION
> Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling allows unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement is implemented in remote devices (e.g., notebook computers, smart phones, and tablets) through configuration settings to disable split tunneling in those devices, and by preventing configuration settings from being readily configurable by users. This requirement is implemented in the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling.
And yep, it does indeed cause all of the problems you describe.
VPNs are good at encrypting/redirecting all of your device's traffic, since they're per-computer by default. They're accordingly good at preventing metadata leaks (e.g. visited sites or used apps) on untrusted networks.
Proxies are opt-in, but can accordingly be much more fine-grained. For example, Firefox supports per-domain (via various extensions) or per-tab (via the built-in "containers" feature) proxies – VPNs usually can't do that.