Trying to encrypt data

2

I have an application which transmits plaintext data over the network on a given port, say port 4000. This data is for another application which is running on my VPS. How could I encrypt this data between my home server and the VPS? I have thought of an SSH tunnel but can't figure out how to accomplish this, as the data is to go straight into another app on the VPS, so it wouldn't be like a simple "ssh -D 9000 user@ip".

user346305

Posted 2014-07-14T20:08:42.620

Reputation: 23

Rewrite the apps to encrypt and decrypt the data on send/receive. – Ƭᴇcʜιᴇ007 – 2014-07-14T20:11:05.000

If you are connected to a VPS over a secure connection it's already being transmitted in a secure fashion on your end. You would have to modify the program to use https if you wanted both ends to be secure. – Ramhound – 2014-07-14T21:58:42.830

Answers

1

I am assuming your connection is clear, from localhost to $VPS:4000.

To make an SSH tunnel, you will open a port in localhost that will tunnel the traffic to the port 4000 on the server $VPS.

The following command-line does that:

ssh -L9000:localhost:4000 user@$VPS

where 9000 is the local port I chose.

Then, you have to change your application to no longer connect to $VPS:4000 but to connect instead to localhost:9000.

This works by connecting to user@$VPS, and then creating a secure connection between localhost:9000 on the local host and localhost:4000 on the remote host.

This way, the encryption is transparent to you, and you don't have to fall on the caveat of trying to implement any encryption algorithm. Or worse - make your own.

You do have to make sure the SSH connection is always available when you need it. It might be useful to use public key authentication, in case you aren't familiar with it :)

Valmiky Arquissandas

Posted 2014-07-14T20:08:42.620

Reputation: 1 770

This seems like the best option for me. I will give it a try and let you know how I get on with it. But I may also try Marius Matutiae's solution. Thanks for all the answers. – user346305 – 2014-07-15T09:22:31.327
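A worked version of the tunnel from the answer above, added here as an example and not part of the original answer. It builds the ssh arguments for the localhost:9000 to $VPS:4000 forward with the options a practitioner would add: bind the local end to 127.0.0.1 only, run no remote shell, fail if the forward cannot be set up, and send keepalives so a dead tunnel is noticed. The login user@vps.example and the port numbers are placeholders.

```shell
#!/bin/sh
# Added example: local-only SSH port forward, localhost:9000 -> $VPS:4000.
# Assumption: user@vps.example is a placeholder for the real VPS login and
# public-key auth is set up (BatchMode=yes refuses password prompts).

# Return 0 if $1 is a valid TCP port number (1-65535), else 1.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh arguments for the tunnel: local port, remote port, target.
#  -L 127.0.0.1:...  bind only on loopback so LAN hosts cannot ride the tunnel
#  -N                no remote shell, the connection exists only to forward
#  ExitOnForwardFailure=yes  exit instead of silently running without a forward
#  ServerAliveInterval/CountMax  drop a dead connection after ~90 s of silence
tunnel_args() {
    lport=$1; rport=$2; target=$3
    is_port "$lport" && is_port "$rport" || return 1
    printf '%s' "-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes -L 127.0.0.1:${lport}:localhost:${rport} ${target}"
}

# Start the tunnel in the background (-f) using the arguments above.
start_tunnel() {
    args=$(tunnel_args "$1" "$2" "$3") || { echo "invalid port" >&2; return 1; }
    # shellcheck disable=SC2086  # word-splitting of $args is intended here
    ssh -f $args
}

# Return 0 if something is listening on 127.0.0.1:$1 (the local tunnel end).
tunnel_listening() {
    ss -ltn 2>/dev/null | grep -q "127\\.0\\.0\\.1:$1[[:space:]]"
}
```

Run `start_tunnel 9000 4000 user@vps.example` and then `tunnel_listening 9000` before pointing the application at localhost:9000; if the check fails the forward was not established and the application would be talking to nothing rather than to an unencrypted fallback.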

1

Here's a command that may be helpful:

ssh -C -L80:127.0.0.1:80 -L443:127.0.0.1:443 $USER@$VPS

-L$LOCALPORT:$JUMPIP:$REMOTEPORT

The $JUMPIP doesn't have to be the same address as the VPS.

This isn't necessary if you have a full VPN to your VPS.

If your application is using an ephemeral port, you may have some trouble; you wouldn't know beforehand which port will be used.

dhiltonp

Posted 2014-07-14T20:08:42.620

Reputation: 121

0

Since you have given us few details, the answer to this question is going to be a bit complex.

  1. If you have a VPN connection to your server, by and large the best solution is to use it to route your application to its remote counterpart, because all of the work (routing and enciphering/deciphering) has already been set up.

  2. There are instances when this cannot be done. For instance, you have a routed VPN, and your application wishes to use unusual network protocols (NetTalk, IPX, IPv6...), or you need to be in the same broadcast domain as your remote server. Or your application needs to use UDP, while your VPN uses TCP. This simply cannot be done, and this same comment applies to the other answers which suggested using ssh.

The alternative solution to this is to use a bridged, UDP-based VPN. The first specification allows you to belong to the same broadcast domain, and to use whichever routing protocol you desire, the second specification (UDP-based) allows you to use UDP ports.

By and large, the simplest solution is to use OpenVPN, but it is not the only solution. On a sister site, ServerFault, you can find this answer explaining how to set up IPSec for a GRE tunnel. IPSec provides the encryption, the GRE tunnel the point-to-point connection. Once again, you are advised to run IPSec over UDP, not TCP.

Please be advised that discussions about VPNs over UDP being flaky are moot: once a TCP packet is sent over a UDP (or TCP, for this matter) VPN, if it gets lost it will be re-transmitted (courtesy of the listening application), regardless of whether the VPN is over UDP or TCP. In other words, content integrity is provided by the encapsulated protocol, not by the carrier protocol. What you gain is that, this way, you can also forward over the VPN communications using the UDP protocol.

MariusMatutiae

Posted 2014-07-14T20:08:42.620

Reputation: 41 321