Mac O’Clock
Published in

Mac O’Clock

Private relay vs VPN

Apple’s iCloud+ Private Relay: does it eliminate the need for VPN?

Apple has presented a lot of new stuff on this year WWDC, and iCloud+ Private Relay is a significant step towards security and privacy in network communication on Apple platforms, iOS and macOS particularly.

The rumors about VPN from Apple were in the air quite for a long period of time. And finally, these appeals are taken into account. But Apple wouldn’t be Apple if they did this in a common way. In fact, Private Relay is not VPN.

So what Private Relay actually does?

When we type some website in the browser, it must resolve its name to the actual IP to establish the connection with the respective server. This process is called DNS resolution. In order to make it, the client sends a DNS request over UDP protocol to the name server, which shares 2 pieces of data: the server name and own IP address.

DNS resolution request artifacts. Source.

The Private Relay technology makes this process a bit more complicated. It introduces the configuration of two proxy servers:

  • Ingress Proxy server run by Apple. It receives the client request with the only IP address. In this way, the last is available only for network providers and Apple.
Ingress Proxy server part. Source.
  • Egress Proxy server run by a content provider. It receives the request for server name resolution but doesn’t know the client IP address, because it is substituted with the Ingress proxy’s IP.
Egress Proxy server part. Source.

The fact, that all connections are made over HTTP/3 protocol and secured with TLS, means that internet providers cannot read the server name from the request. Once DNS resolution is done, the communication with the target server IP usually happens over HTTPS/TLS and is thus secured as well. In the case of HTTP traffic, i.e. TCP port 80, these insecure connections will be proxied to the Ingress server as well via HTTP/3. This protects from attackers on a network between the client and the Ingress proxy. The part of the chain between Egress and the target server will remain unsecured, but it’s very unlikely to be eavesdropped on, especially because the client IP on this part is eliminated.

Private Relay communication scheme. Source.

So how is it different from VPN?

VPN stands for Virtual Private Network. This technology establishes the secured connection with a VPN server called Tunnel. By secured, it means that authentication and encryption of all the traffic going through this tunnel are involved.

VPN scheme. Source.

The combination of authentication and encryption algorithms is called VPN protocol. There are many VPN protocols developed so far, the most popular are IKEv2/IPsec, OpenVPN, and Wireguard.

Originally, VPN was developed to make the secured connection to the private networks remotely over the internet, and have an access to the resources of this private network just as being the local machine. This was originally developed for the big companies in order to secure the data and services accessible from their private network, but at the same time provide access from a remote machine outside the office.

But with time, this technology found different applications. A lot of companies started to sell this technology as the solution for the next pains:

  • To prevent tracking by Internet Service Provider (ISP) of your online activity.
  • To bypass geographical restrictions. For example, create an account on Netflix and watch from the country where this service is not available.

Such companies like Hotspot Shield, NordVPN, or TunnelBear put these promises as the main selling point of their services, and this business is worth billions.

So does Private Relay replaces VPN?

Apple is introducing Private Relay technology as ISP anti-tracking solution. Altogether with the Application Transport Security requirement for all 3rd-party apps, it provides security & privacy cover for network communication on a very high level, resolving one of the main pains of VPN.

Moreover, it makes it in a more efficient and elegant way than a VPN service. The main traffic is secured with HTTPS according to ATS. Unsecured HTTP traffic is a rare case nowadays. A little overhead is introduced for DNS queries, but I doubt this influences user experience much, at least in some stabilization period after release.

VPN in its turn encrypts all the traffic coming from the device. And if for DNS queries and HTTP it makes total sense, HTTPS/TLS traffic appears double-secured on VPN. And this encryption comes with no zero cost. According to the researches, the data usage is increased by 5–10% while the network speed is decreased by 10–20% on average. Additional encryption layer also requires more computational power, which drains the battery and may slow down your device. The last is not usually the case on modern devices and VPN protocols implemented on the system level in macOS and iOS, like IKEv2/IPsec. But the battery usage with always-on VPN raises for sure. Although there is no accurate research, some sites speculate that it is 5–15% of battery loss throughout the day.


Despite the fact, that Private Relay technology doesn’t allow to change browsing location, it resolves ISP anti-tracking issue pretty well.

VPN will unlikely face the same fate as Flash technology the nearest time because it will be utilized in the corporate segment for quite a long time anyway. But B2C segment of VPN usage will be influenced by Apple’s technology for a sure, and I predict a decline of this market once Private Relay is released and adopted.




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store