this post was submitted on 18 May 2024
19 points (100.0% liked)

linux4noobs

1356 readers
1 users here now

linux4noobs


Noob Friendly, Expert Enabling

Whether you're a seasoned pro or the noobiest of noobs, you've found the right place for Linux support and information. With a dedication to supporting free and open source software, this community aims to ensure Linux fits your needs and works for you. From troubleshooting to tutorials, practical tips, news and more, all aspects of Linux are warmly welcomed. Join a community of like-minded enthusiasts and professionals driving Linux's ongoing evolution.


Seeking Support?

Community Rules

founded 1 year ago
MODERATORS
 

Hello I am wondering if there is increased network/packet security by connecting to a server over ssh through a VPN hosted by that same server as opposed to without first tunneling by VPN. I imagine with or without tunneling through a VPN there would be latency/speed differences too?

you are viewing a single comment's thread
view the rest of the comments
[–] lurch@sh.itjust.works 1 points 6 months ago (1 children)

It's likely more secure, but VPN increases attack vectors if one of your systems is compromised.

[–] Ponziani@sh.itjust.works 4 points 6 months ago (1 children)

Both require opening a port but theoretically ssh going through the vpn would mean port 22 does not need to be open/forwarded right, as opposed to both port 22 and whichever for the VPN open?

[–] lurch@sh.itjust.works 3 points 6 months ago (1 children)

The SSH port can be set to just accept connections from within the VPN.

However, what I meant is: VPN does allow for more than SSH. Let's assume something like you allowed your girlfriends phone to use your wifi, but she uses an app with a Chinese backdoor. The Chinese hacked your network printer which is available to all using the wifi. Your linux CUPS printing service talks to the printer and gets infected with a worm, but being linux it's confined within the things the cups user can access.

At that point the attacker/worm has no access to your personal files yet, except for what you print. Nor does the attacker/worm know about your server.

Now when you use just SSH it will likely stay that way.

If you use VPN though, it will allow the worm/attacker to find out about the existence of the server and send network traffic to your server. Hopefully, that doesn't get them far, but it's an additional attack vector they get.

[–] Ponziani@sh.itjust.works 2 points 6 months ago (1 children)

This is the first that I have heard about setting the SSH port to only accept connections from the VPN, is there a term or something I can search about this online? Or is this basically just allowing port 22 open on a device and not forwarding the port on the router as when a different device tunnels into the same network through the VPN it can already talk to the first device?

[–] lurch@sh.itjust.works 1 points 6 months ago* (last edited 6 months ago) (1 children)

You would either configure the Linux firewall of the router or server to drop everything on the SSH port not from the VPN IP/interface or change the ListenAdress in /etc/ssh/sshd , but be careful: Don't lock yourself out!

[–] Ponziani@sh.itjust.works 1 points 6 months ago

Thank you for the info! This is very helpful to me.