DEV Community

Cover image for SSH as VPN Alternative
Alexey Yuzhakov
Alexey Yuzhakov

Posted on

SSH as VPN Alternative

Internet Openness

During the last decades, the Internet openness principle has become something often ignored and violated. Suppose you travel a lot and want to access the resources located in one region while you are physically in another one. In that case, it is not a surprise anymore to find the resource is inaccessible. The reasons can be different. But one of the popular is that "we suffered from attacks from region X, so we decided to block the access for all the people/IPs from the region X," or even worse, "we decided to allow access only for people of our region based on IP."

VPN

I think VPN services became quite popular not only due to security reasons but also as a way to solve the described problem: provide access to a resource regardless of client IP-based limitations. There are a lot of VPN service providers across the globe. Surprisingly, the usage of VPN services can be less secure than it seems at first glance. Okay, you can buy a droplet in DigitalOcean and probably install OpenVPN or WireGuard. But at least it takes time for the initial configuration. If the need for such access is quite infrequent, all these efforts are not worth the time investment.

SSH Tunnel

There is some chance that you, like me, already have a virtual or physical server with SSH in the region to which you want access. For example, sitting in Sofia, Bulgaria, I want to check some websites hosted in Germany. Meanwhile, I have a DigitalOcean droplet located in Frankfurt, Germany, with SSH access. The SSH client is already in place on my machine. So, the only thing I need to do is establish the SSH tunnel and use a properly configured web browser for accessing these German websites.

The following command helps to establish the tunnel on 12345 port:



ssh -D 12345 my-droplet-in-frankfurt.com


Enter fullscreen mode Exit fullscreen mode

The only difference between typical SSH command is the β€œ-D” flag that instructs the SSH client to listen to the local 12345 port and forwards the traffic from our local machine to the remote server. So, we will access the desired websites "on behalf" of the remote machine.

SSH Tunnel Scheme

My primary browser is Google Chrome. For alternative web browsing through SSH tunnel, I'm using Mozilla Firefox. To setup a proxy, one should go to Settings -> Network Settings and fill in the appropriate fields highlighted in the screenshot below:

Firefox proxy settings

SSH tunnel looks like a typical SSH session. So you can quit it as soon as you finish your web browsing of restricted websites. You also don't need to change your Firefox configuration every time you need to access different websites. Just establish the SSH tunnel to the new location, open Firefox, and start browsing.

Conclusion

SSH tunnel is an often overlooked alternative to the full-featured VPN services. But for a single person, occasional usage, the SSH tunnel can be a simpler and more convenient way of accessing restricted websites.

Top comments (10)

Collapse
 
bhagatharsh profile image
BhagatHarsh

I have used wire guard and it is really taxing to configure for minimal use cases.

would Love to try this new method out!

Collapse
 
paulsdev profile image
Paul

Why do you think wire guard is taxing to configure? The times I used it, it was quite easy. Do you have really special configs?

Collapse
 
sibprogrammer profile image
Alexey Yuzhakov

Isn't it? ) WireGuard is a good tool. But if I want to check the behavior of particular website from the specific location (where I already have a VPS with SSH access) an SSH tunnel is much faster option.

Collapse
 
fyodorio profile image
Fyodor

Never thought about using ssh as vpn but it sounds really cool, thanks a lot, will try πŸ‘

Collapse
 
dyfet profile image
David Sugar

There is a tool called sshuttle, which wrapped all the logic for vpn transport into a python front end. Network Manager also at one time had an option for ssh vpn, maybe it still does.

Collapse
 
danjessen profile image
Dan Jessen πŸ‰

We use sshuttle extensively. It's a great little tool

Collapse
 
wmantly profile image
William Mantly

This isn't a VPN, it's a simple proxy. This set up will leak DNS requests. It's a nice shortcut, not in way a VPN. It's also not a SSH tunnel, thats the -L argument. Consider looking into the TCP over TCP issue to see why a proper VPN tool should be used.

Collapse
 
user_e54c6ba3dd profile image
user_e54c6ba3dd

The message is well received

Collapse
 
danjessen profile image
Dan Jessen πŸ‰

You're basically talking about what is referred to as a jumpserver / jumpbox. It's widely used

Collapse
 
sibprogrammer profile image
Alexey Yuzhakov

Not really. The jump host main purpose usually is to establish an SSH session "on behalf" of "jumper". It's a "-J" option (or I just usually put "ProxyJump" directives in the config file). The purpose of the "-D" is to establish the "listener" to be ready to proxy the traffic by some other application.