Hello, I am wondering if there is increased network/packet security by connecting to a server over SSH through a VPN hosted by that same server, as opposed to connecting without first tunneling through the VPN. I imagine there would be latency/speed differences with or without tunneling through a VPN too?
Yes.
Using a VPN for all your traffic obscures your usage and hinders surveillance by your internet provider. If you ssh directly to your server, that’s one extra bit of information (that you’re ssh’ing into the server) your internet provider has about you. Whether this is significant or useful to the provider is questionable, but the short answer is “yes, it provides more security.” That said, AI is probably already being used to do pattern analysis on traffic, and they might still be able to tell you’re making an ssh connection, unless you’re also constantly streaming through the VPN, too.
I’m going to get heat for this, but running a bitcoin wallet on your home computer - whether or not you actually have any coins or are mining - is a great way to generate a variable amount of constant traffic to an endpoint. Hosting a public IPFS, web site, torrent seeds, or Freenet node are also good ways, although some of those require opening ports to inbound connections and could invite attacks.
Thank you for this excellent answer
and hinders surveillance by your internet provider
Yes, but it also shifts all that surveillance capability directly to your VPN provider, of whom many are thought/known to be compromised or otherwise mishandle your data. I would argue VPN providers may even be more appropriately situated/equipped to analyze/hand over your data more easily than your local ISP.
Also, SSH does have some obscure design “issues” that might be applicable depending on your threat model, for example one can check if a user has a certain key on the remote end, if you care about that. There’s probably more.
It’s true there’s a trust shift; you have to trust someone, even if you’re self-hosting your endpoint (unless you also own the hardware the endpoint is running on). The difference is that I can vet my VPN provider, look at third party reviews, and some even get audits… whereas it’s been proven that Comcast and Verizon are inserting trackers into your packet data and selling the results.
Can you elaborate a little on why you think a VPN provider is better equipped to analyze or hand over data? On what basis?
VPN latency depends on the tech used. OpenVPN is kinda slow and WireGuard quite fast in my experience. That said, both work fine and I can’t tell the speed difference unless I actually use a ton of data (streaming 4k HD videos, or transferring gigs of files or something). Regular SSH, I can’t tell a difference.
Thank you
It’s likely more secure, but VPN increases attack vectors if one of your systems is compromised.
Both require opening a port but theoretically ssh going through the vpn would mean port 22 does not need to be open/forwarded right, as opposed to both port 22 and whichever for the VPN open?
The SSH port can be set to just accept connections from within the VPN.
However, what I meant is: VPN does allow for more than SSH. Let’s assume something like you allowed your girlfriend’s phone to use your wifi, but she uses an app with a Chinese backdoor. The Chinese hacked your network printer, which is available to all using the wifi. Your Linux CUPS printing service talks to the printer and gets infected with a worm, but being Linux it’s confined within the things the cups user can access.
At that point the attacker/worm has no access to your personal files yet, except for what you print. Nor does the attacker/worm know about your server.
Now when you use just SSH it will likely stay that way.
If you use VPN though, it will allow the worm/attacker to find out about the existence of the server and send network traffic to your server. Hopefully, that doesn’t get them far, but it’s an additional attack vector they get.
This is the first that I have heard about setting the SSH port to only accept connections from the VPN. Is there a term or something I can search for online? Or is this basically just allowing port 22 open on a device and not forwarding the port on the router, as when a different device tunnels into the same network through the VPN it can already talk to the first device?
You would either configure the Linux firewall of the router or server to drop everything on the SSH port not from the VPN IP/interface, or change the ListenAddress in /etc/ssh/sshd, but be careful: Don’t lock yourself out!
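Both variants from the post, as an added example that is not code from the thread: an sshd setting (the file is /etc/ssh/sshd_config, or a drop-in under /etc/ssh/sshd_config.d/ where the Include directive is in use) that binds sshd only to the tunnel address, the default-style setting it replaces, an nftables ruleset that accepts tcp/22 only when it arrives on the tunnel interface, and a small guard against locking yourself out. The interface name wg0, the tunnel address 10.8.0.1 and the drop-in file name are constructed assumptions; 51820 is WireGuard's default UDP port.

```shell
#!/bin/sh
# Added example, not from the thread: emit an sshd setting and an nftables
# ruleset that restrict SSH to the VPN, plus a lock-out guard.
# Constructed assumptions: tunnel interface wg0, server address 10.8.0.1
# inside the tunnel, WireGuard on its default 51820/udp.

# Default-style setting: sshd binds on every address, so a forwarded port 22
# is reachable from the internet.
sshd_listen_everywhere() {
    printf 'ListenAddress 0.0.0.0\n'
}

# Corrected setting: sshd binds only to the tunnel address, so it is not
# even listening on the public interface, whatever the firewall does.
sshd_listen_vpn_only() {
    vpn_ip="$1"
    printf 'ListenAddress %s\n' "$vpn_ip"
}

# nftables ruleset: default-drop input, WireGuard reachable from anywhere,
# SSH accepted only when the packet came in through the tunnel interface.
nft_ruleset_vpn_only_ssh() {
    vpn_if="$1"; wg_port="$2"
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        udp dport ${wg_port} accept
        iifname "${vpn_if}" tcp dport 22 accept
    }
}
EOF
}

# Lock-out guard: only apply the VPN-only configuration if the tunnel
# interface actually exists on this host (checked via /sys/class/net).
has_iface() {
    [ -d "/sys/class/net/$1" ]
}

# Sanity check on a generated ruleset: every rule that accepts tcp/22 must
# carry an iifname match. Returns 1 if an unqualified accept is present.
ruleset_restricts_ssh() {
    ! printf '%s\n' "$1" | grep -E 'tcp dport 22 accept' | grep -vq 'iifname'
}

# How the pieces fit on a real host (needs root; not run here). Keep a
# second SSH session open until the new rules are confirmed to work.
#   has_iface wg0 || { echo "wg0 missing, not applying"; exit 1; }
#   nft_ruleset_vpn_only_ssh wg0 51820 > /etc/nftables.conf
#   nft -f /etc/nftables.conf
#   sshd_listen_vpn_only 10.8.0.1 > /etc/ssh/sshd_config.d/vpn-only.conf
#   sshd -t && systemctl reload sshd   # unit is named "ssh" on Debian/Ubuntu
```

The firewall rule and the ListenAddress setting are independent layers: the firewall still protects you if someone later adds a second ListenAddress, and the ListenAddress keeps sshd off the WAN if the firewall is flushed during maintenance. Applying the ruleset before confirming the tunnel interface is up is exactly how people lock themselves out, which is what the guard is for.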
Whenever we have a discussion about security, it’s generally useful for us to talk about the types of attacks that we are trying to mitigate. What are some examples that you would be concerned about?
If your VPN is reasonably responsive, you probably won’t notice a change in the latency. VPNs tend to have maximum top speeds, and if you were doing SFTP, there’s a reasonable chance you would find that limit very quickly.
I am aware that opening / forwarding ports are attack vectors and they become unavoidable if I need the VPN and SSH capability; however, in theory the SSH port could be closed/not forwarded if the traffic/connection was tunneled through the VPN. Those are my thoughts.
AFAIK, accessing your SSH over WireGuard while making SSH only listen on local can help mitigate DoS attacks, as WireGuard, as opposed to many other protocols, is silent by default, meaning an attacker won’t see if you have a server listening for incoming connections or if they are screaming into the void.
But wouldn’t the port being open alert anyone who looks for that? Network security is not my specialty, but I believe I have read that people can ping/scan IP addresses easily and quickly to determine if any ports are open / forwarded, so if WireGuard or any VPN software was used, they could pick up on that as an attack vector?
WireGuard uses UDP.
WireGuard also strives to be “silent” for bad traffic/connection attempts. I’ve tried a cursory look to find more information on it, but nothing that explains it simply. Either way, it doesn’t turn up on port scans.
But the router must forward the port to allow the VPN to be utilized, meaning that port being forwarded can be scanned/detected, I thought?
It depends on how the router responds to other non-forwarded ports. For UDP an open port with no response is the same as a dropped packet. A scanner will only know if the device sends an ICMP response back to indicate that it is closed.
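The point of the last three posts (a silent UDP listener is indistinguishable from a dropped packet, and only an ICMP port-unreachable gives a closed port away), as an added example that is not from the thread. It runs entirely on loopback with constructed local targets: a socket that answers, a socket that never reads or replies (standing in for WireGuard's behaviour toward packets that fail authentication; it is not WireGuard itself), and a port nothing is bound to. The three verdict strings follow nmap's UDP terminology, where open|filtered means the scanner got nothing back and cannot tell the two cases apart.

```python
"""Added example (not from the thread): classify UDP ports on 127.0.0.1 from
what a probe gets back.  A listener that never replies looks exactly like a
dropped packet; only a closed port gives itself away, via the ICMP
port-unreachable that the kernel surfaces as ECONNREFUSED on a connected UDP
socket.  Standard library only; all targets are constructed locally."""
import socket
import threading

PROBE_TIMEOUT = 0.5  # seconds a probe waits before giving up


def probe_udp(port: int, timeout: float = PROBE_TIMEOUT) -> str:
    """Return 'open', 'closed' or 'open|filtered' (nmap's term) for a local UDP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A *connected* UDP socket is what makes ICMP errors visible as exceptions.
        s.connect(("127.0.0.1", port))
        try:
            s.send(b"probe")
            s.recv(1024)
            return "open"            # something answered: a chatty service
        except ConnectionRefusedError:
            return "closed"          # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered"   # silence: a quiet listener, or nothing at all


def silent_listener() -> socket.socket:
    """Bind a UDP port and never read or answer (WireGuard-style silence, simulated)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s


def chatty_listener(stop: threading.Event):
    """Bind a UDP port and answer every datagram, like a typical UDP service."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.settimeout(0.1)  # lets the serving loop notice the stop flag

    def serve():
        while not stop.is_set():
            try:
                data, peer = s.recvfrom(1024)
            except socket.timeout:
                continue
            s.sendto(b"hello " + data, peer)

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return s, t


def unused_port() -> int:
    """Pick a UDP port nothing listens on (bind to 0, read the number, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Probe the three kinds of target and report what a scanner would see."""
    stop = threading.Event()
    chatty, server_thread = chatty_listener(stop)
    silent = silent_listener()
    try:
        return {
            "chatty": probe_udp(chatty.getsockname()[1]),
            "silent": probe_udp(silent.getsockname()[1]),
            "closed": probe_udp(unused_port()),
        }
    finally:
        stop.set()
        server_thread.join()
        chatty.close()
        silent.close()


if __name__ == "__main__":
    for kind, verdict in demo().items():
        print(f"{kind:7s} -> {verdict}")
```

The "silent" result is the whole argument: from outside, a WireGuard endpoint that discards unauthenticated packets and a router that drops traffic to an unforwarded port both produce nothing, so the forwarded port adds no signal. The "closed" result is the other half of the last post: a router or host that answers unforwarded UDP ports with ICMP unreachable makes those ports distinguishable, which is why the router's behaviour toward the other ports matters.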