11

What benefits does a VPN have over just using a regular SSH Tunnel?

I'm considering setting up OpenVPN on a server, but was wondering what benefits that would have over just using that same server as an SSH Tunnel which is very easy to setup and allows connecting via SOCKS5 which is already supported everywhere. Wouldn't both show the same IP address as source anyways in which case you're no longer anonymous?

SSH Tunnel seems to be much easier, just open an SSH tunnel and setup the computer to connect to that port via localhost and a SOCKS5 proxy.

ssh -D 1723 -f -C -q -N user@server.com

VPN on the other hand seems like a bit more work to setup and I'm unable to see what benefits it offers over just a simple SSH Tunnel.

tink
  • 196
  • 9

6 Answers

7

People often speak of SSH tunneling as a poor man's VPN. It is exactly the same from a feature and security point of view: you establish a secure tunnel between the client and a relay host and let the communication go unencrypted past the relay. The way the tunnel is established and secured may vary per VPN system, but all serious ones can use standard, up-to-date protocols, as can SSH (and all can equally be configured, with some work, to use insecure protocols).

The main difference is in usability. SSH's goal is to establish a secure connection between a client and a host, and it does a nice job of it with clean and neat human interfaces. It can transport additional communications inside its tunnel, but as that is not its main goal, the commands are not really straightforward. A VPN's goal, on the other hand, is to provide transparent relaying of various protocols, so it is much easier to use for that purpose.

Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84
4

SSH

SSH is at its heart a secure shell. It was originally designed as an encrypted successor to telnet. It can, however, do so much more! For your uses, you are specifically looking at dynamic port forwarding:

Dynamic port forwarding turns your SSH client into a SOCKS proxy server. SOCKS is a little-known but widely-implemented protocol for programs to request any Internet connection through a proxy server. Each program that uses the proxy server needs to be configured specifically, and reconfigured when you stop using the proxy server.

This is similar to local port forwarding to a server with squid, except SSH now takes care of running the SOCKS proxy for you (because it's a boss).

Once both the SSH connection and your browser are set up correctly, you should be able to google "what is my ip" and have it display the remote server's IP address. This means that all websites you visit will see you as having a browser open on that remote server.

You can (and should) also set your browser to resolve DNS through that proxy, so even your DNS lookups are secure:

  • Type in about:config in the Firefox address bar
  • Find the key called "network.proxy.socks_remote_dns" and set it to true

VPN

A VPN extends a private network across a public network by setting up a virtual network card and configuring it with an IP and gateway of the private network.

This means that you can use this to tunnel all of your software and make it appear as if everything is running from your remote server (even programs that don't have native support for proxying). Again, you should be able to google "what is my ip" and have it display the remote server's IP address.

VPNs also tend to have more support for UDP (torrents / streaming software / gaming)


Security

OpenVPN runs a custom security protocol based on SSL and TLS rather than supporting IKE, IPsec, L2TP or PPTP.

SSH does NOT use TLS/SSL; rather, it employs its own protocol, see RFC 4253.


Take away

Some people say that SSH is a poor man's VPN. I would strongly disagree, and say instead that SSH is a more surgical method of tunneling specific traffic for people who understand what they are doing, whereas VPN is like tunneling with dynamite ... you will get a tunnel, but it is sometimes the wrong tool for the job.

For example, let's say you are working remotely and want to VPN into your work network from home. Now let's say that you want to browse reddit but you still want to keep your VPN connected so you don't miss any important emails. Well, all those cat memes you are browsing are routed through your work's network ... possibly blocked by work's proxy/firewall.

Alternatively, if you have SSH access to your work's network ... you can tunnel just your email and set up a SOCKS proxy. This means that you can still get your email, and use one browser for business stuff (e.g. Chrome) and another browser for viewing cat pictures (e.g. Firefox).

Both tools can be useful, just depends on what you want to do.

CaffeineAddiction
  • 7,517
  • 2
  • 20
  • 40
2

VPNs commonly have a feature where multiple users' traffic will appear to come from a single public IP address. This makes it difficult to track a user using a VPN, since the traffic coming from a single IP could be from any one of a number of customers.

VPNs often offer multiple locations, allowing users to pick where their traffic will appear to originate.

Connecting to an SSH server and running a SOCKS proxy can be easy, but that still requires you to completely lock down the server, maintain its patches, monitor for intrusions, and handle any other failures which require manual intervention.

Then you have to worry about the security of the SSH tunnel. Which SSH versions will you allow? Which ciphers?

If your SSH proxy goes down for maintenance, the proxy is offline, as opposed to a VPN service, which commonly has multiple redundant servers.

EDIT: I see your question was about running your own server (SSH or VPN). If you're going to be running your own server, then what I mentioned above isn't going to be relevant.

The benefit of setting up your own VPN server is that you don't have to provide full login account credentials to users (or yourself). Say your device(s) get compromised, and someone finds your SSH login. They can now access your SSH server as a user. If you were using a VPN, that wouldn't provide credentials to log in as a remote user.

Secondly, SSH keeps logs of who has logged in when, and potentially the commands executed.

Daisetsu
  • 5,110
  • 1
  • 14
  • 24
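A concrete check for the points raised in the answer above (which SSH versions and ciphers you allow, and what someone holding the tunnel account's key can do on the box). This is an added example by the editor, not code from the thread: it parses a constructed sshd_config and audits a hypothetical account named socksonly as "may open a SOCKS tunnel with ssh -D, gets no shell, TTY, agent or X11 forwarding". The keywords, defaults and legacy-cipher names are OpenSSH's; the audit rules and the sample file are the editor's.

```python
"""Added example, not from the thread: audit an sshd_config for a tunnel-only
account.  Keywords and defaults are OpenSSH's; the config text is constructed."""
import re

# Ciphers OpenSSH no longer enables by default (CBC modes, RC4, 3DES).
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
                "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
# sshd(8) defaults applied when a keyword is absent.
DEFAULTS = {"allowtcpforwarding": "yes", "permittty": "yes", "allowagentforwarding": "yes",
            "x11forwarding": "no", "permittunnel": "no", "passwordauthentication": "yes"}
# What a SOCKS-only account needs: TCP forwarding for -D and nothing else.
TUNNEL_ONLY = {"allowtcpforwarding": "yes", "permittty": "no", "allowagentforwarding": "no",
               "x11forwarding": "no", "permittunnel": "no"}

SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's file
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
X11Forwarding no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

Match User socksonly
    AllowTcpForwarding yes
    PermitTTY no
    ForceCommand /bin/false
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).  Keywords are case-insensitive and,
    within a section, the first value seen wins, as in sshd(8).  match_blocks is a
    list of (criteria, settings) in file order."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            tokens = value.split()
            criteria = {tokens[i].lower(): tokens[i + 1].split(",")
                        for i in range(0, len(tokens) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
            continue
        (global_settings if current is None else current).setdefault(key, value)
    return global_settings, blocks


def effective_settings(parsed, user):
    """Settings sshd applies to `user`: matching Match blocks (first value wins,
    in file order) override the global section.  Only `Match User` with literal
    names is handled; sshd also supports globs and other criteria."""
    global_settings, blocks = parsed
    eff = {}
    for criteria, settings in blocks:
        if set(criteria) == {"user"} and user in criteria["user"]:
            for k, v in settings.items():
                eff.setdefault(k, v)
    for k, v in global_settings.items():
        eff.setdefault(k, v)
    return eff


def audit(text, tunnel_user):
    """Findings for a host whose `tunnel_user` may only run `ssh -D` (SOCKS)."""
    g, blocks = parse_sshd_config(text)
    eff = effective_settings((g, blocks), tunnel_user)
    findings = []
    if "1" in g.get("protocol", "2").split(","):
        findings.append("Protocol: SSHv1 is enabled; allow only 2")
    if g.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin: should be explicitly no")
    weak = [c for c in g.get("ciphers", "").split(",") if c.strip() in WEAK_CIPHERS]
    if weak:
        findings.append("Ciphers: legacy algorithms enabled: " + ", ".join(weak))
    if eff.get("passwordauthentication", DEFAULTS["passwordauthentication"]).lower() == "yes":
        findings.append(f"PasswordAuthentication: still yes for {tunnel_user}; require keys")
    for key, want in TUNNEL_ONLY.items():
        got = eff.get(key, DEFAULTS[key]).lower()
        if got != want:
            findings.append(f"{key}: {tunnel_user} has {got}, tunnel-only needs {want}")
    if "forcecommand" not in eff:
        findings.append(f"ForceCommand: unset for {tunnel_user}; a stolen key gets a shell")
    if g.get("allowtcpforwarding", DEFAULTS["allowtcpforwarding"]).lower() != "no":
        findings.append("AllowTcpForwarding: on globally; every account can pivot through the host")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SSHD_CONFIG, "socksonly") or ["no findings"]:
        print(line)
```

The sample passes clean; removing the PermitTTY line, re-enabling password logins, or adding a CBC cipher to the Ciphers list each produces a finding. The global AllowTcpForwarding no plus the per-user override is what keeps every other account on the host from being a pivot point.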
2

I don't think that there's much of a difference in security between a well implemented ssh connection (e.g. key only, strong passphrase, ...) and a VPN. You can make both quite tight, use 2FA, what have you ...

The benefit I see is in usability; the VPN will give you routing magically, and you don't need to stick to software that understands what a socks proxy is.

tink
  • 196
  • 9
1

I really love the power and convenience of running SOCKS5 via ssh to my own server out in the data center (as the poster pointed out). Though I think I use the syntax "ssh -f -Nn -D $LOCAL:$LPORT -p $RPORT $USER@$HOST".

Not only does this securely tunnel my DNS requests and online banking past my ISP's prying eyes (once you direct your browser to use it), but instead of taking over my full machine's IP stack like a VPN, I can tunnel just the apps I want to (e.g. run Chrome for my SOCKS5 banking, and Firefox (direct home network) for printing to my wireless LAN HP LaserJet). Any other apps that don't have SOCKS5 settings (or that I just don't want to mess with) can be "wrapped" to run through my SOCKS5 tunnel by using proxychains as a wrapper. VERY powerful and handy app.

For example..

$ elinks -dump v4.icanhazip.com
   73.99.20.38
$ proxychains elinks -dump v4.icanhazip.com
ProxyChains-3.1 (http://proxychains.sf.net)
|DNS-request| v4.icanhazip.com 
|S-chain|-<>-127.0.0.1:5000-<><>-4.2.2.2:53-<><>-OK
|DNS-response| v4.icanhazip.com is 104.20.17.242
|S-chain|-<>-127.0.0.1:5000-<><>-104.20.17.242:80-<--timeout
|S-chain|-<>-127.0.0.1:5000-<><>-104.20.17.242:80-<><>-OK
   91.121.25.19

Tweeks
  • 11
  • 2
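What the Firefox network.proxy.socks_remote_dns setting in CaffeineAddiction's answer and the |DNS-request| lines in the proxychains output above actually change is which side resolves the name. This is an added example by the editor, not code from the thread: a SOCKS5 client (RFC 1928) builds the CONNECT request either with the hostname itself (ATYP 0x03, resolved at the proxy end, i.e. on the ssh server) or with a locally resolved IPv4 literal (ATYP 0x01, the DNS query left the client in the clear), and an in-process stand-in for the ssh -D proxy parses the handshake and reports who resolved it. The hostnames and ports are constructed; the stand-in proxy does not open any real connection.

```python
"""Added example, not from the thread: the SOCKS5 CONNECT handshake with and
without remote DNS.  The 'proxy' is an in-process stand-in for `ssh -D` that
only parses the handshake and reports what it saw."""
import socket
import struct
import threading

SOCKS_VERSION, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def recv_exact(sock, n):
    """Read exactly n bytes; SOCKS fields are length-prefixed, not line-based."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf


def build_connect_request(host, port, remote_dns):
    """CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT.
    remote_dns=True  sends the name (ATYP 0x03); the proxy resolves it.
    remote_dns=False resolves locally first (ATYP 0x01): that DNS query leaves
    this machine unprotected, the leak socks_remote_dns=true avoids."""
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        dst = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(host))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def parse_connect_request(data):
    """Parse a CONNECT request and report which side resolved the destination."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError(f"unsupported command {data[1]:#x}")
    atyp, body = data[3], data[4:]
    if atyp == ATYP_IPV4 and len(body) == 6:
        host, resolved_by = socket.inet_ntoa(body[:4]), "client"
    elif atyp == ATYP_IPV6 and len(body) == 18:
        host, resolved_by = socket.inet_ntop(socket.AF_INET6, body[:16]), "client"
    elif atyp == ATYP_DOMAIN and body and len(body) == 3 + body[0]:
        host, resolved_by = body[1:1 + body[0]].decode("idna"), "proxy"
    else:
        raise ValueError("bad address type or truncated address")
    return {"host": host, "port": struct.unpack("!H", body[-2:])[0], "resolved_by": resolved_by}


def socks5_connect(sock, host, port, remote_dns=True):
    """Client side: no-auth method negotiation, then CONNECT; returns reply code."""
    sock.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))
    ver, method = recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        raise ConnectionError("proxy refused the no-auth method")
    sock.sendall(build_connect_request(host, port, remote_dns))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    # Drain BND.ADDR/BND.PORT so the socket sits at the start of the tunnelled stream.
    if atyp == ATYP_IPV4:
        recv_exact(sock, 6)
    elif atyp == ATYP_IPV6:
        recv_exact(sock, 18)
    elif atyp == ATYP_DOMAIN:
        recv_exact(sock, recv_exact(sock, 1)[0] + 2)
    if rep != 0x00:
        raise ConnectionError(f"proxy replied {rep:#x}")
    return rep


def fake_proxy(sock):
    """Stand-in for the ssh -D end: negotiate no-auth, parse CONNECT, answer success."""
    ver, nmethods = recv_exact(sock, 2)
    if ver != SOCKS_VERSION or NO_AUTH not in recv_exact(sock, nmethods):
        sock.sendall(bytes([SOCKS_VERSION, 0xFF]))
        raise ConnectionError("no acceptable auth method")
    sock.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
    head = recv_exact(sock, 4)
    if head[3] == ATYP_IPV4:
        rest = recv_exact(sock, 6)
    elif head[3] == ATYP_IPV6:
        rest = recv_exact(sock, 18)
    elif head[3] == ATYP_DOMAIN:
        n = recv_exact(sock, 1)
        rest = n + recv_exact(sock, n[0] + 2)
    else:
        sock.sendall(bytes([SOCKS_VERSION, 0x08, 0x00, ATYP_IPV4]) + bytes(6))
        raise ValueError("address type not supported")
    seen = parse_connect_request(head + rest)
    sock.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + bytes(6))
    return seen


def handshake(host, port, remote_dns):
    """Run client and stand-in proxy over a socketpair; return what the proxy saw."""
    client, proxy = socket.socketpair()
    seen = {}

    def serve():
        try:
            seen.update(fake_proxy(proxy))
        finally:
            proxy.close()

    t = threading.Thread(target=serve)
    t.start()
    try:
        socks5_connect(client, host, port, remote_dns)
    finally:
        client.close()
        t.join()
    return seen


if __name__ == "__main__":
    print(handshake("example.com", 443, remote_dns=True))   # resolved_by: proxy
    print(handshake("203.0.113.10", 80, remote_dns=False))  # resolved_by: client
```

With remote_dns=True the proxy sees the literal name and is the one that asks a resolver, which is why proxychains with proxy_dns and Firefox with socks_remote_dns show the lookup going through 127.0.0.1:port rather than your ISP's resolver; with remote_dns=False the request already carries an IP and the lookup that produced it happened outside the tunnel.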
0

An SSH tunnel only protects traffic to a specific port on a specific server, while a VPN should handle all the traffic across a specific route. Having said that, if you have an SSH connection then you can run PPP or SLIP through it to create a full VPN.

The differences in the security will be down to the implementation.

symcbean
  • 18,278
  • 39
  • 73