How-To Geek

VPN vs. SSH Tunnel: Which Is More Secure?

VPNs and SSH tunnels can both securely “tunnel” network traffic over an encrypted connection. They’re similar in some ways, but different in others – if you’re trying to decide which to use, it helps to understand how each works.

An SSH tunnel is often referred to as a “poor man’s VPN” because it can provide some of the same features as a VPN without the more complicated server setup process – however, it has some limitations.

How a VPN Works

VPN stands for “virtual private network” – as its name indicates, it’s used for connecting to private networks over public networks, such as the Internet. In a common VPN use case, a business may have a private network with file shares, networked printers, and other important things on it. Some of the business’s employees may travel and frequently need to access these resources from the road. However, the business doesn’t want to expose these important resources to the public Internet. Instead, the business can set up a VPN server, and employees on the road can connect to the company’s VPN. Once an employee is connected, their computer appears to be part of the business’s private network – they can access file shares and other network resources as if they were actually on the physical network.

The VPN client communicates over the public Internet and sends the computer’s network traffic through the encrypted connection to the VPN server. The encryption provides a secure connection, which means the business’s competitors can’t snoop on the connection and see sensitive business information. Depending on the VPN, all the computer’s network traffic may be sent over the VPN – or only some of it may (generally, however, all network traffic goes through the VPN). If all web browsing traffic is sent over the VPN, people between the VPN client and server can’t snoop on the web browsing traffic. This provides protection when using public Wi-Fi networks and allows users to access geographically-restricted services – for example, the employee could bypass Internet censorship if they’re working from a country that censors the web. To the websites the employee accesses through the VPN, the web browsing traffic would appear to be coming from the VPN server.

Crucially, a VPN works more at the operating system level than the application level. In other words, when you’ve set up a VPN connection, your operating system can route all network traffic through it from all applications (although this can vary from VPN to VPN, depending on how the VPN is configured). You don’t have to configure each individual application.

To get started with your own VPN, see our guides to using OpenVPN on a Tomato router, installing OpenVPN on a DD-WRT router, or setting up a VPN on Debian Linux.

How an SSH Tunnel Works

SSH, which stands for “secure shell,” isn’t designed solely for forwarding network traffic. Generally, SSH is used to securely acquire and use a remote terminal session – but SSH has other uses. SSH also uses strong encryption, and you can set your SSH client to act as a SOCKS proxy. Once you have, you can configure applications on your computer – such as your web browser – to use the SOCKS proxy. The traffic enters the SOCKS proxy running on your local system and the SSH client forwards it through the SSH connection – this is known as SSH tunneling. This works similarly to browsing the web over a VPN – from the web server’s perspective, your traffic appears to be coming from the SSH server. The traffic between your computer and the SSH server is encrypted, so you can browse over an encrypted connection as you could with a VPN.
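As an added illustration that is not part of the original article, here is the SOCKS5 exchange that takes place between an application and the local listener that `ssh -D` opens, with a constructed stand-in proxy that only records what it is asked to connect to. The address-type byte is the security-relevant detail: an application that hands over a hostname (ATYP 3) lets the SSH server do the DNS lookup, while one that resolves the name itself (ATYP 1) sends that DNS query outside the tunnel.

```python
import socket, struct, threading

def recv_exact(conn, n):
    buf = b""
    while len(buf) < n:                             # recv may return short reads
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += chunk
    return buf

def socks5_accept(conn):
    """Proxy side, standing in for the `ssh -D` listener (constructed, not OpenSSH code)."""
    ver, nmethods = recv_exact(conn, 2)
    if ver != 5 or 0 not in recv_exact(conn, nmethods):
        raise ValueError("client did not offer SOCKS5 with no authentication")
    conn.sendall(b"\x05\x00")                       # select method 0: no authentication
    ver, cmd, _rsv, atyp = recv_exact(conn, 4)
    if atyp == 1:                                   # IPv4 literal: the app resolved DNS locally
        dst = socket.inet_ntoa(recv_exact(conn, 4))
    elif atyp == 3:                                 # domain name: the SSH server resolves it
        dst = recv_exact(conn, recv_exact(conn, 1)[0]).decode()
    else:
        raise ValueError("unsupported address type")
    port = struct.unpack("!H", recv_exact(conn, 2))[0]
    conn.sendall(b"\x05\x00\x00\x01" + bytes(6))    # REP 0 = succeeded, bound addr 0.0.0.0:0
    return cmd, atyp, dst, port

def socks5_connect(conn, host, port):
    """App side: CONNECT to host:port; hostnames go unresolved (ATYP 3), IPv4 literals as ATYP 1."""
    conn.sendall(b"\x05\x01\x00")                   # version 5, one method offered: no-auth
    if recv_exact(conn, 2) != b"\x05\x00":
        raise ConnectionError("proxy refused the no-auth method")
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        addr = b"\x03" + bytes([len(host)]) + host.encode()
    conn.sendall(b"\x05\x01\x00" + addr + struct.pack("!H", port))
    return recv_exact(conn, 10)[1] == 0             # reply byte 1 is the result code

def demo(host="intranet.example", port=443):
    app, proxy = socket.socketpair()                # app <-> proxy, in-process; returns (ok, seen)
    seen = {}
    t = threading.Thread(target=lambda: seen.update(req=socks5_accept(proxy)))
    t.start()
    ok = socks5_connect(app, host, port)
    t.join()
    app.close(); proxy.close()
    return ok, seen["req"]
```

Only applications told to use the proxy go through it at all; for those that do, make sure they send hostnames rather than resolving locally (curl’s `--socks5-hostname`, or Firefox’s “Proxy DNS when using SOCKS v5” option) so that name lookups don’t leave the tunnel.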

However, an SSH tunnel doesn’t offer all the benefits of a VPN. Unlike with a VPN, you must configure each application to use the SSH tunnel’s proxy. With a VPN, you’re assured that all traffic will be sent through the VPN – but you don’t have this assurance with an SSH tunnel. With a VPN, your operating system will behave as though you’re on the remote network – which means connecting to Windows networked file shares would be easy. It’s considerably more difficult with an SSH tunnel.

For more information about SSH tunnels, see this guide to creating an SSH tunnel on Windows with PuTTY. To create an SSH tunnel on Linux, see our list of cool things you can do with an SSH server.

Which Is More Secure?

If you’re worried about which is more secure for business use, the answer is clearly a VPN — you can force all network traffic on the system through it. However, if you just want an encrypted connection for browsing the web from public Wi-Fi networks in coffee shops and airports, a VPN and an SSH server both have strong encryption that will serve you well.

There are other considerations, too. Novice users can easily connect to a VPN, but setting up a VPN server is a more complex process. SSH tunnels are more daunting to novice users, but setting up an SSH server is simpler – in fact, many people will already have an SSH server that they access remotely. If you already have access to an SSH server, it’s much easier to use it as an SSH tunnel than it is to set up a VPN server. For this reason, SSH tunnels have been dubbed a “poor man’s VPN.”

Businesses looking for more robust networking will want to invest in a VPN. On the other hand, if you’re a geek with access to an SSH server, an SSH tunnel is an easy way to encrypt and tunnel network traffic – and the encryption is just as good as a VPN’s encryption.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 07/5/12

Comments (13)

  1. Omid

    Thank You, I have a question:

    I’m using “proxifier” to make all applications use the SSH tunnel, and it works, but how do I know that the SSH tunnel is really secure? I mean, how do I figure out that the proxy I’m using is related to an SSH tunnel and not a non-secure tunnel? (Can someone sell a non-secure proxy tunnel and state that the proxy is SSH secure?)

    Sorry for my English, hope you get it :)

  2. StarsLikeDust

    If you have access to an always-on Windows or OS X machine, the free version of Hamachi is a pretty easy way to set up a small VPN. If I remember right, it’s limited by the number of machines that can connect, but the upside is that setup doesn’t take much more than just running the installer on all the machines you want to connect.

  3. Rogue

    I haven’t used SSH tunnels but have used VPNs. While trying different companies, I like Witopia. They have several servers and excellent customer care, and are competitively priced.

  4. Cerdant

    Excellent read!

  5. r

    VPN always works for me

  6. Binaryphile

    I went through the process of setting up both in the not-too-distant past. One of the things to know about SSH tunneling is that data-intensive applications on top of SSH (such as downloading large files) don’t work very well. Unfortunately, TCP over SSH (which is also TCP) has known pathological behaviors. The general consensus in my research was “don’t do it.”

    That said, if you’re on Windows, SSH is a breeze to set up as long as you have a Unix machine to act as server and PuTTY for Windows. The major downside is that it won’t scale to any kind of serious deployment without Active Directory integration, at which point you’re better off looking at regular VPN solutions because of the TCP issue.

    If you’re looking at VPN solutions, I only looked at the ones that had built-in Windows support (SSTP, L2TP, PPTP). Of the three, L2TP is the one that’s widely supported (I’m looking at you, SSTP) and doesn’t have major security issues (PPTP), although I saw some unsubstantiated claims that L2TP has security issues. I don’t see what they are, if so. I went with L2TP.

    Last, I’ll say that I don’t like any kind of VPN/tunneling solution to take over my entire Internet connection while it’s running. Unfortunately, both SSH and Windows VPN are terrible at split-routing, that is, sending my Internet traffic outside the tunnel and just the remote traffic inside the tunnel. Over SSH, as soon as you configure the SOCKS proxy for your browser, there’s no way to tell it not to use the proxy for some traffic and no way to run another browser window without the proxy. That is, until I found that you could run isolated instances of Chrome with their own settings via Sandboxie. So that worked for SSH.

    For Windows VPN though, I had to uncheck the option in the Advanced settings to tell it to use the VPN for all traffic by default. Unfortunately, you can’t add a permanent entry for the remote network in your routing table, since it gets nuked automatically whenever the VPN connection goes down. So I’m stuck adding the route manually (through a script) every time I bring up the VPN connection. Still, I’d rather do that than double-bounce all of my Internet traffic through my remote workplace.

    Ultimately I find the convenience of the VPN superior to SSH.

  7. Binaryphile

    Edit: *not* to use the VPN for all traffic by default

  8. Penny

    I use an SSH tunnel daily back to my home network and use Bitvise Tunneler portable to tunnel my traffic back through SSH, and it works great. Good article here, and both are great solutions.

  9. ti

    ^Agree with Penny. I use SSH tunnels constantly, and I also use Bitvise for my Windows box.

  10. Richard Steven Hack

    The reason one forces all traffic through the VPN is that a “split VPN” allows a hacker who has compromised your machine via the non-VPN side to access the VPN. This is why corporations usually require ALL their home worker Internet traffic to go through the corporate VPN. Of course, if your machine is compromised in some other way, this doesn’t solve the problem.

    As for Hamachi, the problem is that the free version doesn’t allow file transfer or commercial use. The best way to get around the file transfer issue is to use Hamachi as the VPN and run a version of VNC over it such as TightVNC, UltraVNC (Windows only – which has its own encryption capabilities on top of Hamachi’s encryption) or for Linux SSVNC (which supports UltraVNC’s encryption.) Never use VNC without tunneling it over an encrypted SSH or VPN because the VNC protocol by default is unencrypted (except for UltraVNC and SSVNC.)

  11. Arman

    @Omid

    Never, never buy SSH. Do you know what? If I’m a “bad guy” like SEPAH, I would sell my own SSHs to you to have better monitoring of my victims.
    So, if you don’t want to be a “victim”, please, please always use a VPN.
    Your program is nice, but if you want to have an awesome one, I highly recommend using TOR.

  12. Louie

    This was a good read. I’m glad I looked into a VPN; I found a site called torguard.net. I’m pretty much a novice with computers, and when I hit a snag they had live chat support; besides, they have an auto installer that works great now.

  13. Jon

    http://ninjatunnel.net is a cheap SSH tunnel run by a trustworthy guy. I’ve used it for a while and don’t see any reason to switch.
