
I use sshuttle to tunnel my traffic through one of my remote boxes whenever I'm in a cafe or connected to an insecure network.

Does a VPN provide any additional security benefit over this kind of setup? What are the pros and cons of a VPN versus an SSH tunnel?

chishaku

  • We all keep using the term _SSL_, but actually SSL is deprecated. It has been replaced by TLS. In fact, TLS 1.0 and 1.1 are both considered broken and all new solutions should support TLS 1.2 only. I wrote an answer to a related question a few hours ago and later realized I had used the term SSL rather than TLS. Makes you wish the standards people had kept the old name, but I believe a different team developed TLS in parallel with the development of SSL 3.0, so they needed to make a distinction. – JaimeCastells Oct 18 '15 at 18:30

1 Answer


No. It is just a different VPN protocol. If the NSA can't decrypt SSH, you are fine with sshuttle; if you use a strong VPN, there should be nothing different.

If you set up weak primes for the Diffie-Hellman key exchange for SSH connections, you are vulnerable, but the same can happen for any choice of weak VPN protocols.

Clarifying more details of your specific application(s) would help to evaluate further, but generally there is no difference in security if used correctly.

rhymsy
Jakuje
    What does it mean to 'set up week [sic] primes'? How do I confirm I haven't exposed myself to such a vulnerability? Also, did you mean to say NSA can't *decrypt* as opposed to *encrypt* SSH? – chishaku Oct 18 '15 at 23:10
  • Sorry. I meant weak primes for the Diffie-Hellman key exchange on the server side. 1024 should be for today. The other was also a typo. – Jakuje Oct 19 '15 at 05:33
  • @chishaku Setting up "weak primes" means to use either too short prime numbers (i.e. 512 bit can be broken in reasonable time) or known to be vulnerable to some attack. – GxTruth Nov 20 '18 at 11:15
  • You should probably mention that SSH uses TCP whereas OpenVPN can make use of UDP, which means the former is less efficient due to the TCP-over-TCP problem. Security-wise they're both fine though. – forest Nov 21 '18 at 03:55
  • @forest, The OP was specifically talking about sshuttle which does not use TCP-over-TCP [[1](https://sshuttle.readthedocs.io/en/stable/how-it-works.html)]: "sshuttle assembles the TCP stream locally, multiplexes it statefully over an ssh session, and disassembles it back into packets at the other end. So it never ends up doing TCP-over-TCP. It’s just data-over-TCP, which is safe." – Jon Aug 14 '21 at 12:49
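The answer and the comments above turn on "weak primes" for the SSH Diffie-Hellman group exchange and on how to confirm a server is not offering them. The script below is an added example, not code from the original question, answer or the sshuttle project. It audits an OpenSSH `moduli` file (on a real server, `/etc/ssh/moduli`; here a constructed sample with placeholder modulus values) and flags the SHA-1 and 1024-bit fixed-group KEX names in a `KexAlgorithms` value. It assumes the OpenSSH moduli layout, where field 5 is the prime size as written by `ssh-keygen` (2047 for a 2048-bit prime), and the commonly used `awk '$5 >= 3071'` filtering recipe.

```shell
#!/bin/sh
# Added example (not from the original post): audit OpenSSH Diffie-Hellman
# group-exchange moduli and KexAlgorithms settings for weak choices.
#
# Moduli file layout (one group per line, comments start with '#'):
#   Time Type Tests Tries Size Generator Modulus
# Field 5 is the prime size as ssh-keygen writes it: bits minus one,
# so 2047 means a 2048-bit prime.

# Write a constructed sample moduli file to the path given as $1.
# The modulus column holds dummy hex placeholders, not real primes;
# only the size field matters for this audit.
make_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20151018000000 2 6 100 1023 2 deadbeef
20151018000000 2 6 100 1535 2 deadbeef
20151018000000 2 6 100 2047 2 deadbeef
20151018000000 2 6 100 3071 5 deadbeef
20151018000000 2 6 100 4095 2 deadbeef
EOF
}

# Print every moduli line whose prime is smaller than $2 bits.
weak_moduli() {
    awk -v min="$2" '/^#/ {next} NF >= 7 && ($5 + 1) < min' "$1"
}

# Number of weak entries; a hardening script checks this is 0 before
# restarting sshd.
weak_moduli_count() {
    weak_moduli "$1" "$2" | wc -l | tr -d ' '
}

# Copy $1 to $2 keeping comments and only primes of at least $3 bits,
# the same effect as the usual
#   awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
filter_moduli() {
    awk -v min="$3" '/^#/ {print; next} NF >= 7 && ($5 + 1) >= min' "$1" > "$2"
}

# Given a comma-separated KexAlgorithms value (as in sshd_config or
# ssh_config), print the names that still use the 1024-bit fixed group
# or SHA-1 group exchange. Prints nothing when the list is clean.
weak_kex_names() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | grep -E '^diffie-hellman-(group1-sha1|group-exchange-sha1)$' || true
}

# Stand-alone usage: audit the constructed sample, then a KEX list.
if [ "${SSH_AUDIT_DEMO:-1}" = "1" ]; then
    sample=$(mktemp)
    make_sample_moduli "$sample"
    echo "groups below 2048 bits: $(weak_moduli_count "$sample" 2048)"
    echo "groups below 3072 bits: $(weak_moduli_count "$sample" 3072)"
    safe=$(mktemp)
    filter_moduli "$sample" "$safe" 3072
    echo "groups kept at >= 3072 bits: $(grep -vc '^#' "$safe")"
    echo "weak KEX names:"
    weak_kex_names 'curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1'
    rm -f "$sample" "$safe"
fi
```

Running this against a real `/etc/ssh/moduli` tells you whether the server can still negotiate small group-exchange primes; pairing it with an explicit `KexAlgorithms` line that prefers `curve25519-sha256` sidesteps the moduli question entirely, since the ECDH exchange does not use that file.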