VPN vs SSH - The difference between SSH and VPNs

SSH is often referred to as 'the poor man's VPN' or 'the VPN that no-one remembers', but both are still widely used today and have their advantages and similarities. In this article I will try to explain in layman's terms how they work, explore the pros and cons of both connection types, and point out their best uses.

A simple analogy of VPN (Virtual Private Network) vs SSH (Secure Shell) would be as follows: you are having a telephone conversation from home with your colleagues in a board room elsewhere. With a VPN everybody in the board room is able to hear you and you can hear them, but with SSH only a single person can hear you and they have to forward the message to everybody else. In other words, a VPN connects you to a network and SSH to a single computer.

As their names would suggest, VPN and SSH are both used to 'tunnel' network traffic over an encrypted connection, thereby providing you with extra security. For this reason people often ask "Which is the more secure?". As you can probably guess from the name of our company we are partial to VPNs, but from reading the article you will also realise that SSH is a great tool.

There are two different cases of using VPNs and SSH - internal and external - and both of these will be explored. What we mean by internal is running your own VPN/SSH server and by external is when you connect to a remote service as provided by your company for home working or by a VPN provider for security.

VPN

The main difference between SSH and VPN is that VPN works on the transport level while SSH works on an application level. This means that when you install a VPN it automatically routes all your network traffic through a secure tunnel, and this is why installing VPN software also installs a virtual network adapter.

On a security level both can be used to provide exactly the same amount of encryption, and from this point of view there is no difference as long as you use the same encryption (see our encryption guide). The upside of using VPNs is that the traffic can be disguised as HTTPS traffic from an interceptor's view.

Though a VPN is generally easier to set up, the problem is that there is no one unified standard for it. This means that the level of support can vary and you might have problems setting it up. Modern VPN providers supply very good software and support, so this is only an issue if you plan on running your own VPN server or need to connect to your company's network.

Pros: Can use UDP or TCP, can disguise traffic

Cons: no unified standard

Uses: Remote access to company resources, providing security

SSH

As mentioned above, SSH works on an application level. This means that it needs to be configured manually in order to protect all your traffic. Therefore, if you wish to set up encryption for all your software, each program needs to be manually configured to use your SSH client - usually PuTTY.

In some ways it is good that SSH doesn't encrypt all your traffic, since this can slow down your connection and not all your programs might need it. On the other hand, it is much harder to disguise SSH traffic, and some Flash/Java/JS/ActiveX plugins can bypass the connection settings.

As mentioned above, SSH is easy to install but it can be hard to set up. This is because you need to configure all connections individually and need to set your browsers to use a SOCKS proxy. SSH is a unified system and therefore there is a large amount of support out there.

Pros: doesn't encrypt all your traffic, cheaper to run, single standardized & unified protocol

Cons: Harder to set up, can only use TCP, doesn't encrypt all your traffic, hard to disguise traffic, DNS leaks

Uses: remote access to a single computer, providing security
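The SOCKS proxy setup and the "DNS leaks" con above come down to one field in the client's request: a SOCKS5 client (one of the SOCKS versions an OpenSSH `ssh -D` tunnel accepts) either sends the hostname for the far end to resolve, or resolves it locally and sends an IP. The sketch below is an added example, not code from the original article; it builds and parses RFC 1928 CONNECT requests and flags the leaking kind. The function names and sample destinations are constructed for illustration.

```python
import ipaddress
import struct

VER, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def build_connect(dest, port):
    """Build a SOCKS5 CONNECT request (RFC 1928, section 4).

    An IP literal means the client already resolved the name itself;
    a hostname is passed through for the proxy end to resolve.
    """
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        name = dest.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1-255 bytes") from None
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([VER, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def parse_connect(data):
    """Return (atyp, address, port) from a SOCKS5 CONNECT request."""
    if len(data) < 5 or data[0] != VER or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, rest = data[3], data[4:]
    if atyp == ATYP_DOMAIN:
        size, rest = rest[0], rest[1:]
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        size = 4 if atyp == ATYP_IPV4 else 16
    else:
        raise ValueError("unknown address type")
    if len(rest) != size + 2:
        raise ValueError("truncated request or trailing bytes")
    raw, (port,) = rest[:size], struct.unpack("!H", rest[size:])
    addr = raw.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    return atyp, addr, port


def resolved_outside_tunnel(data):
    """True if the request carries an IP: any DNS lookup ran on the client."""
    return parse_connect(data)[0] != ATYP_DOMAIN


# Constructed sample requests (documentation address and domain).
LEAKY = build_connect("203.0.113.10", 443)     # client resolved first
TUNNELLED = build_connect("example.com", 443)  # name travels in the tunnel
```

A request carrying address type 0x01 or 0x04 means the application looked the name up itself before talking to the proxy, so the DNS query never entered the SSH tunnel even though the connection that follows does.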

Conclusion

Both VPN and SSH can provide you with the same level of security if properly configured. However, SSH is a lot harder to configure and there are few providers to choose from, while there are plenty of VPN providers; since a VPN automatically encrypts all your traffic and can be disguised, it is, in our opinion at least, a far better system. Of course, if you don't mind not having all your traffic encrypted (e.g. you only need secure browsing and emails) and learning some technical know-how, then SSH is worth considering. If you really wish to, it is also possible to use the two side by side, but this can really sacrifice speed for a level of protection that you probably don't need.

Update:

We recently reviewed - a company that provides both SSH and VPN connections.

Written by: Peter Selmeczy

Peter is a full-time tech enthusiast and gadget geek. When not working, you'll find him playing with Lego or tinkering away on an RPi.

5 Comments

  1. Kevin Francis Burke

    on August 8, 2019

    "On a security level both can be used to provide exactly the same amount of encryption and from this point of there is no difference as long as you use the same encryption (see our encryption guide). The upside of using VPNs is that the traffic can be disguised as HTTPs traffic from an interceptors view." Sorry, this is not correct as the NSA can crack VPN encryption while if you set up SSH right, I know how, it is unlikely the NSA can crack it. This knowledge comes from my computer expertise and from Edward Snowden's revelations. Also, PuTTY on Windows? If you are using something like a VPN then why would one use something corporate like Windows or Ubuntu? It would be safer to use OpenBSD, Arch Linux or Slackware etc.

    1. Douglas Crawford replied to Kevin Francis Burke

      on August 12, 2019

      Hi Kevin. 1. The Edward Snowden papers showed that the NSA can easily crack PPTP, and less easily crack L2TP/IPsec VPN protocols. In a case of admission by omission, it was fairly clear that the NSA stumbled when it came to OpenVPN. This is mainly because of its (optional) use of Perfect Forward Secrecy (PFS) which means the NSA would have to re-crack a VPN connection (a non-trivial task at best) every time a new session is started. Most vendors use stronger OpenVPN settings, including PFS, these days, so it is reasonable to assume OpenVPN remains secure. IKEv2(/IPsec) has become popular in the years since Mr. Snowden's revelations gave us a snapshot of the NSA's capabilities and so has never been "battle-tested." But on paper it is highly cryptographically secure. 2. VPN services do not use SSH for a variety of reasons (scalability being the main one), so SSH tunnels might hide what you get up to, but they don't hide _who_ is getting up to it... 3. It all comes down to threat models. Most people want a VPN to help hide their identity from websites, evade blanket untargeted government surveillance, unblock blocked websites, and watch US Netflix. If they are paranoid enough to use something like OpenBSD, Arch Linux or Slackware for privacy reasons, then they should be using Tor instead of a VPN, anyway.

  2. steveob

    on November 12, 2017

    In a secure server environment, it is often faster and safer to connect only the ports that you need when there are a limited number of other servers to connect to, and you know what you are buying into in that case. There is no way to know how secure a third party VPN product is, without so much analysis and research that it is impractical, compared to opening a handful of ports on a handful of machines. If you are trying to connect to your "work" machine, what I do is set up a VNC server on my desktop, that I can only get into with a single SSH tunnel, and Bob's your uncle, and any/all synchronization issues disappear. The rest of the time it is locked behind the desktop machine's carefully considered firewall (which is behind the main firewall). I don't really understand the use case for VPN I guess, as I have access to my desktop as if I'm sitting right there with VNC (or whatever), and in the server environment there are no loose ends, it really couldn't be simpler.

    1. Douglas Crawford replied to steveob

      on November 13, 2017

      Hi steveob, What you are talking about is connecting to a remote server in order to access its resources. Enterprise VPN networks are designed to do something similar, and are primarily about scaling such remote access. Commercial VPN services, however, are doing something very different. Please check out my VPNs for Beginners guide for a detailed discussion on what commercial VPN services do.

  3. Dimitri

    on November 30, 2014

    As far as I remember, Tunvpn provide only one SSH server (in NL). So, you could have indicated Perfect Privacy in your list. Perfect-Privacy has many VPN servers around the world, with SSH on _each_ server (plus many other things: http/squid & socks5 proxies on each server, double & triple VPN, and very good non-logging policy). Another VPN provider offering SSH connection you have not spoken about: ovpn.to.
