VPN vs SSH Tunnel - in my particular case...

pcm81

Senior member
Mar 11, 2011
584
9
81
Hello all.
I would like to learn something new and useful today and the topic of the day is VPN vs SSH tunnel. I know the basic difference, but I am curious if there are some advantages in my particular case of one vs. the other.

I have a Cisco RV325 running behind a Netgear router. This dual-router setup provides wireless isolation, allowing wired devices on the Cisco to access wireless devices like printers but not the other way around.
Anyhow, I have a couple of servers running on the Cisco and I can SSH tunnel to those servers. My RV325 also supports VPN and I am wondering if there is any advantage to setting it up.

I guess I am trying to figure out advantages of VPNing into my home network rather than SSH tunneling into it.

Any insight would be appreciated.
I understand the benefits of VPN for corporate environments like connecting multiple sites via one virtual network, as well as allowing multiple users to remote into corporate network, but for a home user like me, are there any advantages of VPN over SSH tunnel?

Thanks ahead
 

frowertr

Golden Member
Apr 17, 2010
1,371
41
91
Depends on what your intention is and your desired security level. I don't have the standard SSH port (or any nonstandard port for SSH) open on my firewall. I VPN in first, and then once on my network, I have full access to all resources I have available. I can then SSH into my servers while on the VPN.

This way I only need a couple of ports open just for the OpenVPN service on my firewall. Everything else remains closed. My environment is virtualized, so I need access to both my direct ESXi host and vCenter from off network. A VPN is perfect here as you wouldn't want your host to have a forward-facing IP address.
 
Last edited:

mv2devnull

Golden Member
Apr 13, 2010
1,503
145
106
The term "SSH tunnel" -- for me -- means a tunnel that an SSH connection provides in addition to the remote session.
The most common one is X11 traffic. X client applications on the remote host can connect to the X server on the local host via a tunnel that SSH creates alongside the shell session.
SSH can create L3 and L2 tunnels too, not just forward single ports, so SSH can implement a VPN connection.

Again, IMO, a VPN connection does not "connect" anyone anywhere, it merely creates a route between some machines.

However, as pointed out by frowertr, all connections (HTTP, SSH, VPN, etc.) require an accessible port on an accessible address.
The route provided by the VPN implementation gives you access to addresses that others cannot see via a single address:port (of the VPN on the router).

Less points of entry means less points where one could break into. That is good.

SSH encrypts packets of its connection. VPN encrypts packets of its connection. Encryption requires computing. A good VPN endpoint has hardware support for the computations. That way the encryption won't slow the traffic too much. It is a marketing point of firewall+VPN devices, how many simultaneous connections they support.


There are clear advantages on having VPN.


What I personally do not like is that when I have a VPN connection and I make a SSH connection to a server via it, the actual data packets of my shell session are encrypted twice: first by SSH and again by VPN. If I shuffle a deck of cards properly and then do it again, are they more shuffled?
 

Red Squirrel

No Lifer
May 24, 2003
67,933
12,383
126
www.anyf.ca
VPN: More versatile, as it's like being connected directly to your network, or if you desire you can have a VPN VLAN and restrict stuff as you wish. I believe it's even possible to set up per-user restrictions. Downside is that it's more complex to set up and manage; I'm also not aware of any way to protect against brute force attacks or other similar attacks on the open port. Being a more complex protocol it is more likely to have exploits. Ex: Heartbleed.

SSH Tunnel: More limited, but if you only need access to a few remote ports, it is an easier alternative to VPN as all you really need is an SSH client that also supports tunneling. It also means you can have something like PuTTY on a USB stick and use it on any public computer without having to install a VPN client, set up certificates, etc., which you would probably need admin access to do. It's also a simpler protocol, and you can use something like fail2ban to stop brute force attacks. Also use a non-standard port, of course. Even for VPN you should.

Basically if you have a laptop that you carry around, I'd go the VPN route, just need to figure out a way to secure the port, maybe some kind of port triggering or separate web based logon that opens it temporarily for your IP or something.

But if you want to be able to get on any computer and access something, then an SSH tunnel is the way to go. But really you don't even need to set up much for an SSH tunnel, just a basic SSH server. You can also do X11 forwarding through SSH, which is interesting as it will show you an application off the server, kind of like Citrix. This is super easy to do: in most clients you only need to enable it, and within SSH if you type a command that opens a graphical interface, it will display it on your PC. Of course it's not really ideal over a slow or high-latency network connection.
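The fail2ban behaviour mentioned in the post above (ban an address after repeated failures inside a time window, lift the ban when the ban time runs out), as an added example that is not part of the thread and is not fail2ban's own code. It is a small Python model of the sshd jail: the log lines, host names and addresses are constructed, and maxretry, findtime and bantime reuse fail2ban's option names but the values are chosen here, not taken from any real jail.conf.

```python
"""Minimal fail2ban-style detector for sshd authentication failures.

Added example, not code from the thread or from the fail2ban project.
SAMPLE_LOG is constructed to look like OpenSSH auth.log output; the
host 'gw' and the addresses in it are made up (documentation ranges).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Two of the OpenSSH failure messages. Real fail2ban ships a much longer
# list of patterns for its sshd filter; this is only the shape of the idea.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_ts(stamp: str, year: int = 2016) -> datetime:
    """syslog timestamps carry no year; the year is an assumption here."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


class Jail:
    """Sliding-window counter per source address with expiring bans."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry = maxretry                    # failures that trigger a ban
        self.findtime = timedelta(seconds=findtime) # window the failures must fall in
        self.bantime = timedelta(seconds=bantime)   # how long the ban lasts
        self.failures = defaultdict(deque)          # ip -> timestamps of recent failures
        self.banned = {}                            # ip -> time the ban expires
        self.events = []                            # (verdict, ip) per matching line

    def is_banned(self, ip: str, now: datetime) -> bool:
        expiry = self.banned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:            # bantime elapsed: unban, like fail2ban does
            del self.banned[ip]
            return False
        return True

    def feed(self, line: str):
        """Process one log line; returns None for lines that are not failures."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        if self.is_banned(ip, now):
            verdict = ("already-banned", ip)
        else:
            window = self.failures[ip]
            window.append(now)
            while window and now - window[0] > self.findtime:
                window.popleft()     # drop failures older than findtime
            if len(window) >= self.maxretry:
                self.banned[ip] = now + self.bantime
                window.clear()
                verdict = ("ban", ip)
            else:
                verdict = ("fail", ip)
        self.events.append(verdict)
        return verdict


# Constructed sample: one scanner trips the jail, one slow, spread-out
# set of failures from a legitimate-looking host stays under findtime.
SAMPLE_LOG = """\
Jun 12 22:01:03 gw sshd[2110]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 12 22:01:05 gw sshd[2110]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 12 22:01:09 gw sshd[2113]: Accepted publickey for pcm81 from 198.51.100.7 port 40022 ssh2
Jun 12 22:01:20 gw sshd[2115]: Invalid user oracle from 203.0.113.5
Jun 12 22:02:00 gw sshd[2115]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Jun 12 22:30:00 gw sshd[2120]: Failed password for pcm81 from 198.51.100.7 port 40030 ssh2
Jun 12 22:45:00 gw sshd[2125]: Failed password for pcm81 from 198.51.100.7 port 40031 ssh2
Jun 12 22:59:00 gw sshd[2130]: Failed password for pcm81 from 198.51.100.7 port 40032 ssh2
"""


def run(lines, **jail_options) -> Jail:
    """Feed every line through a fresh Jail and return it for inspection."""
    jail = Jail(**jail_options)
    for line in lines:
        jail.feed(line)
    return jail


if __name__ == "__main__":
    j = run(SAMPLE_LOG.splitlines())
    for verdict, ip in j.events:
        print(f"{verdict:15} {ip}")
    print("currently banned:", sorted(j.banned))
```

Three failures from 203.0.113.5 inside a minute produce a ban and the fourth attempt is reported as already banned; the three failures from 198.51.100.7 are fifteen minutes apart, so the window never holds more than one and no ban is issued. That is the findtime knob in action, and it is also why setting findtime too short lets a patient attacker walk under the threshold; fail2ban's real filter is a much larger set of regexes and also reads the log incrementally rather than in one pass.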
 

frowertr

Golden Member
Apr 17, 2010
1,371
41
91
What I personally do not like is that when I have a VPN connection and I make a SSH connection to a server via it, the actual data packets of my shell session are encrypted twice: first by SSH and again by VPN. If I shuffle a deck of cards properly and then do it again, are they more shuffled?

Well, I guess you could use telnet once connected via VPN if this really bothered you. But on modern-day processors the overhead of twin encryption here I bet can't even be measured.
 

pcm81

Senior member
Mar 11, 2011
584
9
81
VPN: More versatile, as it's like being connected directly to your network, or if you desire you can have a VPN VLAN and restrict stuff as you wish. I believe it's even possible to set up per-user restrictions. Downside is that it's more complex to set up and manage; I'm also not aware of any way to protect against brute force attacks or other similar attacks on the open port. Being a more complex protocol it is more likely to have exploits. Ex: Heartbleed.

SSH Tunnel: More limited, but if you only need access to a few remote ports, it is an easier alternative to VPN as all you really need is an SSH client that also supports tunneling. It also means you can have something like PuTTY on a USB stick and use it on any public computer without having to install a VPN client, set up certificates, etc., which you would probably need admin access to do. It's also a simpler protocol, and you can use something like fail2ban to stop brute force attacks. Also use a non-standard port, of course. Even for VPN you should.

Basically if you have a laptop that you carry around, I'd go the VPN route, just need to figure out a way to secure the port, maybe some kind of port triggering or separate web based logon that opens it temporarily for your IP or something.

But if you want to be able to get on any computer and access something, then an SSH tunnel is the way to go. But really you don't even need to set up much for an SSH tunnel, just a basic SSH server. You can also do X11 forwarding through SSH, which is interesting as it will show you an application off the server, kind of like Citrix. This is super easy to do: in most clients you only need to enable it, and within SSH if you type a command that opens a graphical interface, it will display it on your PC. Of course it's not really ideal over a slow or high-latency network connection.


Thanks all for the replies. I might set-up the VPN just as a learning exercise, but so far I really do not see any advantages of it over SSH for my particular application of connecting to my home network.

Here is an overkill idea for security junkies:

Modem --- Router1 --- Router2 (with VPN support)
             |
         SSH Server

Set up the SSH server with a 2048-bit or bigger RSA key. Use fail2ban, no password authentication, etc. Open the SSH port on Router1 (don't use the default port number). Then you can SSH tunnel from a remote machine through the SSH server to the VPN port on Router2 and connect to your network via VPN, yet never have the VPN port open to the public. I might actually try this set-up when I get back home; at the moment all of my SSH servers are behind Router 2...
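The hardened SSH front door described in the post above, as an added example that is not pcm81's own configuration and not from any project: a small Python checker for sshd_config that flags the settings the thread asks for (key-only login, no password authentication, non-default port) plus one the thread does not mention but the pivot depends on. The hop from the SSH server to Router2's VPN port is an `ssh -L` forward, which needs AllowTcpForwarding on the SSH server; PermitOpen should then be pinned to that single destination so a compromised SSH account cannot be turned into a forward to anything else on the LAN. The address 192.168.2.1, port 1194, the host name home.example.net and the helper names are assumptions. Two caveats a practitioner would want: sshd applies the first value it reads for a keyword, so a hardening line added below an existing `PasswordAuthentication yes` is silently ignored (the checker mirrors that rule); and `ssh -L` carries TCP only, so the VPN on Router2 has to be run over TCP for this chain, or the L3 `ssh -w` tunnel mentioned earlier in the thread used instead.

```python
"""Audit sshd_config for the 'SSH server in front of the VPN port' layout.

Added example, not the thread's or any project's code. 192.168.2.1:1194
is an assumed LAN address and VPN port for Router2; home.example.net is
an assumed public name for the SSH server. Defaults follow sshd_config(5)
for a recent OpenSSH; older releases default PermitRootLogin to yes.
"""

VPN_ENDPOINT = "192.168.2.1:1194"   # assumption: Router2 LAN IP and VPN port


def parse_sshd_config(text: str) -> dict:
    """Return {keyword(lower): value} using sshd's first-value-wins rule.

    Parsing stops at the first 'Match' line: directives after it are
    conditional and would need per-user/per-address evaluation.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            opts.setdefault("_match_seen", "yes")
            break
        if len(parts) == 2:
            opts.setdefault(key, parts[1].strip())   # keep the FIRST occurrence
    return opts


def audit(text: str) -> list:
    """Return findings (strings); an empty list means the config passes."""
    o = parse_sshd_config(text)

    def get(keyword, default):               # default = sshd's own default
        return o.get(keyword.lower(), default)

    findings = []
    if get("PasswordAuthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is on: accept keys only")
    if get("ChallengeResponseAuthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is on: PAM keyboard-interactive "
                        "can still prompt for a password")
    if get("PubkeyAuthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is off")
    if get("PermitRootLogin", "prohibit-password").lower() not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin permits password login as root")
    if get("Port", "22") == "22":
        findings.append("Port 22: a non-default port only cuts scanner noise, "
                        "it is not an access control")
    if int(get("MaxAuthTries", "6")) > 3:
        findings.append("MaxAuthTries above 3")
    if get("AllowTcpForwarding", "yes").lower() != "yes":
        findings.append("AllowTcpForwarding is off: the -L hop to the VPN port cannot work")
    permit_open = get("PermitOpen", "any")
    if permit_open.lower() == "any":
        findings.append(f"PermitOpen any: pin forwards to {VPN_ENDPOINT} only")
    elif VPN_ENDPOINT not in permit_open.split():
        findings.append(f"PermitOpen does not include {VPN_ENDPOINT}")
    if "_match_seen" in o:
        findings.append("Match block present: directives after it were not evaluated")
    return findings


def tunnel_command(ssh_host: str, ssh_port: int = 2222, local_port: int = 1194,
                   vpn_endpoint: str = VPN_ENDPOINT) -> list:
    """argv for the chain laptop -> SSH server (forwarded by Router1) -> Router2 VPN port.

    -N opens no shell, just the forward; -L is TCP only, so the VPN on
    Router2 must be listening on TCP for this to carry it.
    """
    return ["ssh", "-p", str(ssh_port), "-N",
            "-L", f"{local_port}:{vpn_endpoint}", ssh_host]


# Constructed 'before' config: note the contradicting second
# PasswordAuthentication line, which sshd ignores.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
MaxAuthTries 6
"""

# Constructed 'after' config for the same server.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
AllowTcpForwarding yes
# the pivot may reach Router2's VPN port and nothing else on the LAN
PermitOpen 192.168.2.1:1194
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
    print(" ".join(tunnel_command("home.example.net")))
```

With the forward up, the VPN client on the laptop is pointed at 127.0.0.1:1194 over TCP and the only thing exposed to the Internet is the non-default SSH port on Router1. The checker reads /etc/ssh/sshd_config as plain text; `sshd -T` prints the effective values (including Match evaluation) if you want to audit what the daemon actually runs with rather than the file.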
 

imort

Junior Member
Jun 10, 2016
9
0
0
I understand the benefits of VPN for corporate environments like connecting multiple sites via one virtual network, as well as allowing multiple users to remote into corporate network, but for a home user like me, are there any advantages of VPN over SSH tunnel?
Thanks ahead

I believe there are hardly any for a regular home user.

You can increase your router's security a bit by disabling SSH entirely and connecting with VPN only. If you have a router with an IPsec VPN feature available at home you can configure a site-to-site VPN and have a permanent, transparent connection to your office computers without needing to create multiple SSH tunnels at all.

SSH can be less secure, especially if you are still using password login and don't use fail2ban or other similar tools.

But more or less it's about the same.
 