VPNs and SSH tunnels can both securely âtunnelâ network traffic over an encrypted connection. Theyâre similar in some ways, but different in others â if youâre trying to decide which to use, it helps to understand how each works.
An SSH tunnel is often referred to as a âpoor manâs VPNâ because it can provide some of the same features as a VPN without the more complicated server setup process â however, it has some limitations.
How a VPN Works
VPN stands for âvirtual private network,â â as its name indicates, itâs used for connecting to private networks over public networks, such as the Internet. In a common VPN use case, a business may have a private network with file shares, networked printers, and other important things on it. Some of the businessâs employees may travel and frequently need to access these resources from the road. However, the business doesnât want to expose their important resources to the public Internet. Instead, the business can set up a VPN server and employees on the road can connect to the companyâs VPN. Once an employee is connected, their computer appears to be part of the businessâs private network â they can access file shares and other network resources as if they were actually on the physical network.
The VPN client communicates over the public Internet and sends the computerâs network traffic through the encrypted connection to the VPN server. The encryption provides a secure connection, which means the businessâs competitors canât snoop on the connection and see sensitive business information. Depending on the VPN, all the computerâs network traffic may be sent over the VPN â or only some of it may (generally, however, all network traffic goes through the VPN). If all web browsing traffic is sent over the VPN, people between the VPN client and server canât snoop on the web browsing traffic. This provides protection when using public Wi-Fi networks and allows users to access geographically-restricted services â for example, the employee could bypass Internet censorship if theyâre working from a country that censors the web. To the websites the employee accesses through the VPN, the web browsing traffic would appear to be coming from the VPN server.
Crucially, a VPN works more at the operating system level than the application level. In other words, when youâve set up a VPN connection, your operating system can route all network traffic through it from all applications (although this can vary from VPN to VPN, depending on how the VPN is configured). You donât have to configure each individual application.
How an SSH Tunnel Works
SSH, which stands for âsecure shell,â isnât designed solely for forwarding network traffic. Generally, SSH is used to securely acquire and use a remote terminal session â but SSH has other uses. SSH also uses strong encryption, and you can set your SSH client to act as a SOCKS proxy. Once you have, you can configure applications on your computer â such as your web browser â to use the SOCKS proxy. The traffic enters the SOCKS proxy running on your local system and the SSH client forwards it through the SSH connection â this is known as SSH tunneling. This works similarly to browsing the web over a VPN â from the web serverâs perspective, your traffic appears to be coming from the SSH server. The traffic between your computer and the SSH server is encrypted, so you can browse over an encrypted connection as you could with a VPN.
However, an SSH tunnel doesnât offer all the benefits of a VPN. Unlike with a VPN, you must configure each application to use the SSH tunnelâs proxy. With a VPN, youâre assured that all traffic will be sent through the VPN â but you donât have this assurance with an SSH tunnel. With a VPN, your operating system will behave as though youâre on the remote network â which means connecting to Windows networked file shares would be easy. Itâs considerably more difficult with an SSH tunnel.
For more information about SSH tunnels, see this guide to creating an SSH tunnel on Windows with PuTTY. To create an SSH tunnel on Linux, see our list of cool things you can do with an SSH server.
Which Is More Secure?
If youâre worried about which is more secure for business use, the answer is clearly a VPN â you can force all network traffic on the system through it. However, if you just want an encrypted connection to browse the web with from public Wi-Fi networks in coffee shops and airports, a VPN and SSH server both have strong encryption that will serve you well.
There are other considerations, too. Novice users can easily connect to a VPN, but setting up a VPN server is a more complex process. SSH tunnels are more daunting to novice users, but setting up an SSH server is simpler â in fact, many people will already have an SSH server that they access remotely. If you already have access to an SSH server, itâs much easier to use it as an SSH tunnel than it is to set up a VPN server. For this reason, SSH tunnels have been dubbed a âpoor manâs VPN.â
Businesses looking for more robust networking will want to invest in a VPN. On the other hand, if youâre a geek with access to an SSH server, an SSH tunnel is an easy way to encrypt and tunnel network traffic â and the encryption is just as good as a VPNâs encryption.