A VPN may be used as part of a penetration test, but it does depend on what the customer wants. If they have a VPN server that’s part of the test, you’ll use one. If they don’t, then a VPN isn’t going to be much use. Tor, no, not at all.
The customer would normally describe what they want tested and what the limits are. That influences the tools that get used. You may try SQL injection, cross site scripting, run ‘nmap’ against the server(s) to get an idea what’s open, setup web pages on a controlled site with specific malware included.
Pen testing is part of an overall security assessment, and it may include a lot more than just trying to break in from the outside. Often the source code for specific systems will be examined as well, and that’s a different skill set.
It’s na interesting area to get into, and understanding hacking tools used by the bad guys isn’t a bad place to start. After all, ‘know your enemy well’.
Both VPN and TOR are proxies with added security. A “normal” proxy may or may not have security built in (even though it should). Security meaning here: encrypting the traffic. Not keeping logs can also be part of security of a proxy server however for pentesting I assume that you are using a proxy server that you own, using a public proxy server would be a massive security risk.
A VPN is a proxy server that reimplements part of the network stack. The network packets contain network packets that contain the actual data so to say. A VPN is most often just one server that is between you and the target.
Tor on the other hand stands for The Onion router. The “Onion” part is the difference to a vpn: instead of having one single server between you and your target there are several, none of those servers know your final target and compromising one of them should not compromise the security of your connection.
If and what proxy technology you chose in the end depends probably a lot on what the client pays you to test.
for more info:https://vpntesting.com/