Is VPN a more secure solution than SSH tunneling?

5

If I can send all of my traffic over SSH, is there a benefit to using VPN?

In other words, is VPN more secure than SSH?

Misha Manulis

Posted 2011-06-13T19:37:05.507

Reputation: 153

Answers

9

VPNs, being designed to tunnel traffic, are in general better at doing so (read: faster). This is by no means a hard-and-fast rule, and I have seen SSH tunnels do just as well or even better than some VPNs.

That said, SSH tunnels are generally easier to set up than VPNs (again, in general -- YMMV), although they are oftentimes harder to use (and again, YMMV).

Bottom line: If you're already using an SSH tunnel, you probably will not see a benefit to switching over to a VPN. As always, though, YMMV, and the only way to know for sure if you will get a benefit is to try it out.

As for security, no, a VPN is no more secure (provided that all of your traffic, including DNS queries and other potential "leaks", are indeed going through the SSH tunnel), but neither is it any less secure (unless it's a really bad product, but the same could be said for SSH clients and servers as well).

Kromey

Posted 2011-06-13T19:37:05.507

Reputation: 4 377

2

Oh, I should add, VPNs are a lot better at handling tunneling your traffic into a private network, or tunneling traffic between two private networks. It can certainly be done with SSH tunnels, but it's a lot harder to do. – Kromey – 2011-06-13T20:19:56.837

As a user of both, I'll agree that a VPN is much easier for making sure all traffic gets tunneled, or seamlessly bridging into private networks where multiple computers have to be accessed. Throw in automatic reconnect and VPN definitely has spots that it's much nicer. – Darth Android – 2011-06-13T20:25:13.720

1

Have you seen/used https://github.com/apenwarr/sshuttle? – Misha Manulis – 2011-06-13T21:38:29.787

@Misha Nope, I've never heard of it. If it works as advertised, then this would seem to negate most of the difficulties of using SSH tunnels, perhaps making it even on par in almost all terms with the various VPNs out there. Further reinforcing my assertion that there's no real benefit to using a VPN over SSH tunnels. – Kromey – 2011-06-13T22:11:48.863

That's what I thought about it. I'm experimenting with it now, just wanted to see if there are any "real" benefits of a VPN solution. Thanks for the info. – Misha Manulis – 2011-06-13T23:48:35.593

1

SSH does port forwarding only. Traffic going out on one port from an interface in your system travels over the SSH tunnel and vice versa.

VPNs that install a virtual networking adapter are more versatile in configuration. For example, through judicious routing rules, you can make traffic to certain IPs only go through the VPN whereas all other traffic won't do that - without modifying the application's configuration.

SSL VPNs make your traffic look like HTTPS traffic from an interceptor's point of view. SSH traffic looks like SSH traffic from an interceptor's point of view. Application-level filters/firewalls might pick up on this difference.

LawrenceC

Posted 2011-06-13T19:37:05.507

Reputation: 63 487

SSH does port forwarding? Ain't port forwarding a completely different thing? From my experience, port forwarding is used to forward connections on a specific port of a device to a specific port on another device (mostly on a private LAN, combined with NAT). – kravemir – 2015-03-18T08:43:37.460

The usual way to use port forwarding on SSH is to tell your SSH client to listen on something like 127.0.0.1:80 and forward that to a destination IP on the server side. You then have to connect with your browser, RDP client, etc. to 127.0.0.1:80 instead of your normal IP. – LawrenceC – 2015-03-18T12:05:55.973

This question could be improved by more clearly addressing the question of security that is the core of the original question. – kojiro – 2012-10-26T14:14:56.823