Is It Dangerous to SSH Over a VPN?

Hey.

It’s dangerous to connect to a remote machine through ssh while in a vpn (ex nordvpn)?

You would be over VPN so that would be encrypted. Perhaps you could elaborate more or more specific on what your concerns would be?

he’s probably concerned about his VPN provider being able to look at his data stream and sniff his credentials or whatever.

comes down to encryption and trust. Crypto AG anyone? :joy:

1 Like

LOL Yes, trust has to be established at some point. I think the OS and sites he’s visiting should be more concerning. Big brother is ALWAYS watching! insert evil witch cackle

Not concerned, maybe you can explain instead of make fun, or just keep the mouth sh : )

what? I only assumed what your question was aiming at and you want me to explain?

3 Likes

Do you need to trust your ISP while connecting via SSH? What’s the point?

@Falzo wasn’t making fun of you at all, please remember to be civil.

What are you trying to achieve here? If you’re using a reputable VPN (or better yet, your own) then there should be no concerns when using SSH.

6 Likes

The relevant point is not the VPN but SSH.

Explanation: SSH is explicitly designed to allow secure communication over potentially hostile networks.

So, if you trust SSH and have a reasonable SSH config the only relevant difference with vs without VPN is the fact that you do double encryption which decreases performance somewhat. Theoretically.
Practically AES performance on todays processors is easily reaching (more than) wirespeed on the involved connections (which is < 1 Gb/s and realistically usually not even 200 Mb/s for 99.9+% of connections to a VPS/dedi).

3 Likes

If it’s atrusted VPN provider there should be no issue.

  • a) there is no such thing as a trusted VPN provider (unless you run your own)
  • b) The VPN provider is irrelevant anyway
  • c) if there is a weak point in this constellation then it’s the fact that OP’s question indicates that his SSH config might not be, uhm, of high quality.

@sirluis

Hey, we try to help you or at least to understand your question. No need to be overly sensitive!

3 Likes

Ah, gotcha. Fair enough.

Agree though. No need to be hostile towards ppl trying to help you, OP.

1 Like

Yes, and to clarify my comment…
If you are SSH to the server, you need to trust the provider of that server is not “sniffing” your packets.
If you are using a VPN you need to trust the provider is not “sniffing” your packets.
If the ISP you are using at home/work is not “sniffing” your packets.
If the OS you’re using isn’t reporting and monitoring your activity and not “sniffing” your packets.
If the website you are visiting is not gathering your info and not “sniffing” your packets.
Just off the top of my head, those are at least 5 instances that would require your “trust” to proceed with whatever activity you’re concerned about. “…trust has to be established at some point…”

1 Like

No. You need to trust your provider - but not wrt sniffing but rather wrt not hacking your instance.

All the rest -> No. VPN, providers, carriers can sniff my packets all day long and I do not care. All they get to see is quasi random looking bytes.

Unless OpenSSL has another major hiccup (quite likely) or some crypto algo like AES turns out to be broken (extremely unlikely). But then our problem is still not that our packets go over a VPN (if they happen to do so).

1 Like

Personally I would feel safer connecting to SSH through a VPN with a Dedicated IP. This way you can allow connections using Only that IP. Yes, trust is involved and it would be better Security on your part. If you trust your VPN Provider and ISP, then it is the best way to connect using a Key (of Course). This would be ample if your IP changes with your ISP. Regardless of trust, most all VPN Providers (and ISP’s) will hand over their logs to Government Officials to avoid legal issues, as they Will protect themselves. That being said, your question and concerns seem shady, no Offense, but if you are on the up and up then you should be fine accessing SSH to your own machine. If not, then you are entering a whole ’nother ballgame. I wish you luck in finding and gaining a Trusted Provider and ISP.

1 Like

You can’t even trust you own CPU these days… Besides,

if you’re concerned that hackers stealing their encryption keys could mount decryption attacks on segments of theirs customer base, then the question is if the encrypted tunnel within the encrypted tunnel can be decrypted with those keys: and the answer should be “no”

OTOH, and besides the leak of customer account’s data of the VPN provider, you may or may not give some amount of metadata on a silver plate (ex: “User JohnDoe123 is actually Jonathan Doe, living in Amsterdam and he’s paying with Amex; he connected with his box in Frankfurt with IP 1.2.3.4 from the residential IP 2.3.4.5; he connected from 12:34 to 13:12 of the 10th of February; he offered these private keys” and so on and so forth)
The likelihood that such [cr]acker could care about your metadata (if you haven’t a state-level adversary targeting you, and I assume this is your case) are next to none… at least until they manage to put their hands on a gazillion of user metadata from a leak.
Still, is it inherently dangerous for your OpenSSH connections? I can’t see why it should be, per se, dangerous. As with anything, picking a PFS (Perfect Forward Secrecy) algo for your OpenSSH connection may be preferable. If you’re having fun hardening your SSH setup, give ssh-audit a go

This is one of the possible ways to harden OpenSSH: “don’t accept connections from strangers”
Then you’ll have to make sure that your VPN box doesn’t accept such connections :stuck_out_tongue:

1 Like

:wink:

Soon, in 5.6 kernel :wink:

SSH == Encrypted. Just verify host keys and you are safe.
Why would you use a VPN you distrust so much that SSH would be dangerous? oO; I would change VPN at that point.

1 Like

As long as you verify host keys out-of-band, or if it’s already saved in your known_hosts file. Otherwise, you’re vulnerable to a man-in-the-middle attack, as there’s no guarantee that the host you’re connecting to is the real one.

3 Likes