7

What are the major differences between using OpenVPN and using VPN over OpenSSH?

Does adding a virtual tunnel interface to an SSH connection offer the same benefits as OpenVPN? Can PuTTY be used on Windows to use the "layer-3 IP-in-SSH tunnelling" protocol described in the article? The article states there are no Windows clients that use this protocol.

I'm looking into remotely connecting to a home server and attempting to learn about the necessary security measures. Within the LAN, I'm used to logging into the server from my laptop via SSH. Outside the LAN, however, I would like to connect to my server and have my traffic be encrypted.

schroeder
  • 123,438
  • 55
  • 284
  • 319
cptncrnch
  • 305
  • 3
  • 8
  • 2
    OpenVPN should already encrypt the traffic, so using that inside another SSH tunnel just looks like a performance bottleneck since you'll be encrypting the traffic two times (re-encrypting the already encrypted VPN traffic). –  Sep 26 '14 at 17:28
  • 3
    Creating a tunnel over SSH (TCP) has some negative performance implications because of how TCP works. See: http://sites.inka.de/~W1011/devel/tcp-tcp.html – Zoredache Nov 04 '14 at 19:21
  • @user42178, actually, the point discussed here is not using OpenVPN on top of SSH but using the OpenSSH-specific VPN support. – ysdx Dec 22 '21 at 09:51

3 Answers

9

I don't see any security issue there. SSH is supposed to be secure and all the data is passed through the SSH tunnel. So, yes, I believe it is secure enough. The only issue I see is efficiency. SSH is a TCP protocol. TCP traffic is passed through another TCP protocol. The packets are double "acknowledged" by the two layers of TCP. Better protocols are built on UDP or even IP.

I've never used an SSH tunnel like this. I only have experience with the SOCKS5 protocol (ssh -D), and I haven't noticed any significant network speed degradation.

schroeder
  • 123,438
  • 55
  • 284
  • 319
smrt28
  • 875
  • 6
  • 12
1

It really depends on how you configure your OpenVPN/OpenSSH access (which authentication methods are enabled, which type of keys you are using, whether you configured the server properly).

If you enable SSH on your system anyway, using the OpenSSH-based VPN avoids increasing the attack surface (but the performance won't be as great as a datagram-based VPN such as OpenVPN with UDP or WireGuard): you'll have more servers to monitor, maintain and upgrade if/when vulnerabilities are found.

On the other hand, if you enable an OpenSSH server only to provide a VPN but fail to disable command execution, an attacker who manages to log in will be able to execute commands on your system.

FWIW, I tend to think that configuring and hardening an OpenSSH server is significantly easier than configuring an OpenVPN server. There are quite a few pitfalls in OpenVPN configuration that are easy to make (e.g. it is quite easy to configure the clients to accept other clients as valid server certificates).

When using OpenVPN with TLS 1.2 and below using certificate-based authentication, the client certificate, which often includes the client identity, is sent in clear text. This might be a privacy issue. In contrast, in OpenSSH the SSH user authentication protocol runs on top of the SSH transport protocol: AFAIU, the username is sent encrypted. See the traffic analysis section.

ysdx
  • 851
  • 6
  • 14
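As an added example (not code from the question or from any of the answers), here is a small POSIX shell audit of the two server-side settings ysdx's answer touches on: whether sshd permits layer-3 tunnels at all, and whether the VPN client's key is restricted so that a login cannot execute commands. The sshd_config fragments, the authorized_keys lines and the key material are constructed samples; the option set used for the hardened key is my choice from the options documented in sshd(8), and the checks only inspect text, they do not talk to a running sshd.

```shell
#!/bin/sh
# Added example, not code from the question or any of the answers: a text-only
# audit of the server-side settings for an OpenSSH layer-3 VPN. The
# sshd_config fragments and authorized_keys lines are constructed samples so
# the script runs offline, and the key material is a placeholder.
#
# The client end of such a tunnel is one OpenSSH command, for example
#   ssh -N -w 0:0 vpn@server.example
# where -w 0:0 requests tun0 on both ends and -N asks for no remote command;
# addresses are then assigned to tun0 on each side (creating tun devices
# normally needs root on both ends).

# Constructed sshd_config: tunnels enabled, nothing else tightened.
SSHD_CONFIG_WEAK='PermitRootLogin yes
PasswordAuthentication yes
PermitTunnel yes'

# Constructed sshd_config: tun (layer-3) devices only, keys only, no root.
SSHD_CONFIG_HARDENED='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitTunnel point-to-point'

# Constructed authorized_keys entries for the VPN client's key. The option
# set on the hardened line is an assumption chosen from sshd(8): pin the tun
# device, force a command that exits immediately, and deny pty, agent, X11
# and ~/.ssh/rc, so the key is usable for the tunnel but not for a shell.
KEY_WEAK='ssh-ed25519 AAAAC3PLACEHOLDER-NOT-A-REAL-KEY vpn-client'
KEY_HARDENED='tunnel="0",command="/bin/false",no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc ssh-ed25519 AAAAC3PLACEHOLDER-NOT-A-REAL-KEY vpn-client'

# Effective value of an sshd_config keyword: keywords are case-insensitive
# and sshd uses the first occurrence of each.
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == tolower(key) && val == "" { val = $2 }
        END { print val }'
}

# Succeeds when the config permits tun devices but neither passwords nor
# root logins.
check_sshd_config() {
    case "$(sshd_option "$1" PermitTunnel)" in
        point-to-point|yes) ;;
        *) echo "  PermitTunnel does not allow tun devices"; return 1 ;;
    esac
    if [ "$(sshd_option "$1" PasswordAuthentication)" != no ]; then
        echo "  PasswordAuthentication is not 'no'"; return 1
    fi
    if [ "$(sshd_option "$1" PermitRootLogin)" != no ]; then
        echo "  PermitRootLogin is not 'no'"; return 1
    fi
    return 0
}

# The option list in front of the key, or empty when the line has none.
key_options() {
    case "$1" in
        ssh-*|ecdsa-*|sk-*) printf '' ;;
        *) printf '%s\n' "$1" | sed -E 's/ (ssh|ecdsa|sk)-.*$//' ;;
    esac
}

# Succeeds when the key cannot be turned into a shell: it must force a
# command, deny a pty (no-pty or restrict) and pin its tun device.
check_authorized_key() {
    opts=$(key_options "$1")
    if [ -z "$opts" ]; then
        echo "  no key options: a login gets a full shell"; return 1
    fi
    for required in 'command=' 'tunnel='; do
        case ",$opts," in
            *,"$required"*) ;;
            *) echo "  missing option: $required"; return 1 ;;
        esac
    done
    case ",$opts," in
        *,no-pty,*|*,restrict,*) ;;
        *) echo "  neither no-pty nor restrict: a pty could be allocated"; return 1 ;;
    esac
    return 0
}

report() {
    if "$2" "$3"; then echo "$1: OK"; else echo "$1: FAIL"; fi
}
report "sshd_config (weak)"         check_sshd_config    "$SSHD_CONFIG_WEAK"
report "sshd_config (hardened)"     check_sshd_config    "$SSHD_CONFIG_HARDENED"
report "authorized_keys (weak)"     check_authorized_key "$KEY_WEAK"
report "authorized_keys (hardened)" check_authorized_key "$KEY_HARDENED"
```

The two checks map directly onto the answer's point: PermitTunnel decides whether the tun-over-SSH VPN is possible at all, and the forced command plus no-pty on the client's key is what turns "an SSH login" into "a tunnel endpoint only". Run the script as-is to see the weak samples fail and the hardened ones pass, or point the functions at the contents of a real sshd_config and authorized_keys file.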
1

If on your home LAN you connect to the server via SSH, then why do you need a VPN? You can use SSH directly without a VPN. SSH is encrypted. Maybe you need a VPN for other reasons, but if not, SSH is good enough.

schroeder
  • 123,438
  • 55
  • 284
  • 319
SPRBRN
  • 7,379
  • 6
  • 33
  • 37