VPN or SSH tunneling?

Discussion in 'privacy technology' started by italia2006, Jul 9, 2006.

Thread Status:
Not open for further replies.
  1. italia2006

    italia2006 Registered Member

    Joined:
    Jul 9, 2006
    Posts:
    14
    Location:
    Belgium
    With my third post I would like to hear some advice on the differences between a VPN connection and SSH tunneling.
    As I try to protect the data on my laptop, I also want my online traffic to be encrypted and safe.
    Using a simple MS VPN connection will encrypt the traffic and also SSH tunneling would do the same.

    At the moment though I have just a linux server that I can use but nothing is pre-installed.
    I want to set up a safe environment to browse the internet.

    Could someone convince me to use TOR, as this would be the best attempt to also protect my IP, or would encryption of traffic be enough so that my ISP cannot sniff it (though it is easy to sniff the VPN server, of course)?

    Need some advice on this subject as well ! Thanks a lot...:thumb:
     
  2. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    This is what I do for when I access unencrypted wireless networks.

    I set up OpenSSH and Squid proxy on my linux box (main distro is ubuntu at the moment).

    I then forwarded ONLY port 22 to my linux box from my router.

    I then SSH to my linux box remotely whenever I want, and then set up a TCP tunnel through the ssh connection. So I type
    which will ssh to my linux box using the blowfish encryption and make all traffic that is addressed to port 3128 on loopback on my computer go to port 3128 (the one squid listens on) on the linux box.

    Then all I have to do is tell my browsers to use a proxy on 127.0.0.1 port 3128 and the traffic is sent to my squid proxy and out my own internet connection.

    Nifty, huh?

    Alphalutra1
     
    Last edited: Jul 9, 2006
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,
    I understand you want to encrypt your data, but you should be aware:
    Tor uses proxy servers - do you trust these servers?
    SSH - similarly, you will use a connection you trust to forward your information, plus you require an active connection on both ends.
    VPN - there are lots of protocols for secure browsing, I'm not really familiar with them. Can't help you there. Sorry.
    The simplest, quickest safe browsing is to use Browser Appliance virtual machine, if possible. You might also try CosmoPOD, which works on the principle of SSH tunneling.
    Eventually, it all comes down to - who do you trust.
    Mrk
     
  4. italia2006

    italia2006 Registered Member

    Joined:
    Jul 9, 2006
    Posts:
    14
    Location:
    Belgium
    Mrk,

    "Tor uses proxy servers - do you trust these servers?" - Answer: No.
    "SSH .. use a connection you trust .. active connection on both ends .."

    You can never trust the server 100% if you are not the one who physically installed the machine. The risk you are facing with TOR is of course that the servers you are using will keep logs. Using many different SOCKS proxies in a chain will decrease the risk level somewhat, but still you cannot feel secure using these methods.

    Using SSH or VPN would at least encrypt my traffic. This way the logs of my ISP will not contain my activity.
    So by using these protocols, I just prevent "easy" sniffing. Still it is possible to get access to the SSH/VPN server as at some point the traffic must be unencrypted.

    I know this has been a hot topic on all security forums I guess, but still I would like to hear your expertise...

    Thanks! :thumbs:
     
  5. italia2006

    italia2006 Registered Member

    Joined:
    Jul 9, 2006
    Posts:
    14
    Location:
    Belgium
    Alphalutra1,

    Nice setup. I heard about this before. If my OS were win32, I could still use Putty to set up the SSH tunnel and route my traffic through the linux server.

    Can this also be done if I do not have a local network, but have my linux box somewhere "rented" on the internet?

    Of course, the big question is then again (as always): can I trust the other server provider?
    Also, quite similar with your setup, you get your traffic encrypted, but you are still leaving from one access point at which the data will be unencrypted.

    Can you give me some more insight into why you think your setup would secure the system well enough?

    Thanks! :thumb:
     
  6. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Well, I mainly use my setup to protect against people sniffing out my data on insecure wireless connections or the person owning the access point spying on my data. I also trust my ISP more than some unknown ISP of the wireless hotspot.

    I would not completely trust the remote linux box if it is not your own, but OpenSSH can be installed in cygwin (so it will run in windows); for instructions, see here. Then you can replace the linux box with your own windows box. You can then use putty to access it remotely.

    However, there is still one thought. Someone will always be able to read your internet traffic. Through an anonymizing proxy such as tor, they will trace the traffic to the tor server, which may or may not be logging your ip and what you did on the internet. I trust my ISP over a remote tor server and almost any internet service provider.

    In my opinion, the ultimate way of anonymity and knowing that no one is snooping on my internet connection is to have a friend in a remote country that has no monitoring of internet connections. I could then SSH into their network, and use it so that no one can snoop in the USA on my internet connections. But this is pretty complicated, and I don't really know anyone abroad in a country with no monitoring at all.

    Just some things to think about...

    Alphalutra1
     
  7. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I trust my ISP over a remote tor server and almost any internet service provider.

    Why? You run TOR from an open wireless connection, from the parking lot in the back of a restaurant and do whatever you want. You trust your ISP over that scenario? I'm sorry, I usually like your posts, but that one makes no sense.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,
    At least you know who your ISP guys are. You have no idea who TOR guys are.
    Mrk
     
  9. securityx

    securityx Registered Member

    Joined:
    Dec 1, 2005
    Posts:
    149
    Are you sure you understand TOR? With the onion (layered) system, traffic is encrypted in a forward manner. The exit node has no idea where the original packet began, or where it's been. What is there to trust? You said, "At least you know who your ISP guys are." This is true. And you think this gives you greater security? Are you forgetting that if you know who they are, they also know who you are?

    ----securityx----
     
  10. dog

    dog Guest

    Let's please stay on topic and refrain from any further quips :)

    I've removed a few posts.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,
    I guess I need to rephrase my answer then (sorry dog).
    As to the transparency of Internet traffic - someone will always see what you do. Personally, I think you should know who that someone is. I prefer that my ISP knows what I do than some nameless admin on some nameless server. Although tracing back things might not be easy, I still prefer it that way.
    I think there is no need to use encryption.
    Do you encrypt your phone?
    If you have digital cables, you know they know every movie you watch.
    Every swipe of your credit card or any magnetic card you own is registered.
    Being invisible on the net is a sweet illusion. It does not contribute to your privacy, unless you need encryption to hide your identity, in which case the very use of encryption makes you interesting.
    Mrk
     
  12. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
  13. ms64o

    ms64o Registered Member

    Joined:
    Jul 26, 2006
    Posts:
    7
  14. Tunneller

    Tunneller Registered Member

    Joined:
    Aug 10, 2006
    Posts:
    3
    Steganos

    I was just about to trust them completely, but then when I went to install, VirusScan said that the installation package had a virus.

    This may be in the FAQ somewhere (although I haven't found it yet). Is there a known problem installing Steganos VPN while VirusScan is running?

    Thanks, T.
     
  15. ms64o

    ms64o Registered Member

    Joined:
    Jul 26, 2006
    Posts:
    7
    Re: Steganos

    Some virus scanners detect parts of the NSIS installer as malicious, because some spyware uses this installer too. Usually they change the signatures after a couple of days. Try to update them.

    ms64o
     
  16. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    If you want to do this with a Linux box on the internet, what you could do is run putty on your windows box, and then set up appropriate port forwards for the services you use - let's say HTTP, HTTP(S), POP3, IMAP.

    All this will provide is a secure channel for the selected services between your windows box and the linux box running SSH.

    Data coming out of the linux box will still be in the clear unless encrypted - so all you have achieved here is to provide a secure tunnel from "A" to "B".

    Simplistically - Your ISP will detect only an SSH connection to the server and DNS requests (unless you forward that too). You've moved the problem forward and now you have to maintain a Linux server as well.

    If you were using wireless hotspots (or plug your pc into other people's networks a lot) this would be a good thing to do (assuming you can keep the Linux box secured, of course) - but it's going to only stop snooping on those transitory networks between your windows box and the linux box.

    SO, if you visited http://www.example.org - the data would go from your laptop (encrypted) over the SSH tunnel to your linux box. The request would "pop out" of the linux box and then go over the net unencrypted, come back to the linux box - and then be encrypted down the SSH tunnel.

    As you can see - it's useful if you don't trust the local network where your laptop is, but doesn't bring much help if you don't trust any of the internet :)
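    The following POSIX shell script is an added example, not a command from Alphalutra1 or MikeNash (the thread never shows the actual ssh line). It builds the SSH local forward to a Squid proxy that Alphalutra1 describes and adds the checks that follow from MikeNash's caveats: both the Squid listener and the local forward are bound to loopback only, so the Linux box cannot be used as an open proxy by anyone else and nobody else on the hotspot can ride the tunnel. The user name `alice`, the host `linuxbox.example.org`, and the listener-table lines in the comments are placeholders; the function and option names are the author's own choices, but every ssh and Squid option used exists as written.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the SSH-to-Squid tunnel
# Alphalutra1 describes and checks the exposure points MikeNash raises.
# Placeholders: user "alice", host "linuxbox.example.org", port 3128.

# Print the ssh invocation that creates the tunnel.
#   -N                           no remote shell, forwarding only
#   -o ExitOnForwardFailure=yes  exit if the forward cannot be set up, instead
#                                of leaving a session that silently has no tunnel
#   -L 127.0.0.1:P:127.0.0.1:P   bind P on the laptop's loopback only and relay
#                                it to P on the server's loopback, so Squid
#                                only ever sees connections from localhost
tunnel_cmd() {
    user="$1"
    host="$2"
    port="${3:-3128}"
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$port" "$port" "$user" "$host"
}

# Minimal server-side squid.conf: listen on loopback only and allow only
# loopback clients, so the box is not an open proxy for the rest of the
# internet even if port 3128 were ever reachable from outside.
squid_localhost_conf() {
    port="${1:-3128}"
    cat <<EOF
http_port 127.0.0.1:${port}
acl tunnel_client src 127.0.0.1/32
http_access allow tunnel_client
http_access deny all
EOF
}

# Check a listener table (the output of `ss -ltn` or `netstat -ltn`, passed
# in as a string) for the forwarded port: returns 0 when the port is bound
# to 127.0.0.1 only, 1 when it is missing or bound to 0.0.0.0 (which would
# let anyone on the hotspot use the tunnel as their own proxy).
loopback_only() {
    table="$1"
    port="${2:-3128}"
    printf '%s\n' "$table" | grep -q "127\.0\.0\.1:${port}[[:space:]]" || return 1
    if printf '%s\n' "$table" | grep -q "0\.0\.0\.0:${port}[[:space:]]"; then
        return 1
    fi
    return 0
}

# Typical use on the laptop: run the printed command in one terminal, then
# from another check the bind address and try the proxy.
#   eval "$(tunnel_cmd alice linuxbox.example.org)"
#   loopback_only "$(ss -ltn)" 3128 && echo "forward is loopback-only"
#   curl -x http://127.0.0.1:3128 http://www.example.org/
```

    With a plain `-L` forward the browser still resolves host names through the laptop's own resolver, which is exactly the DNS traffic MikeNash says the ISP (or the hotspot) will still see; an `ssh -D` SOCKS forward with the browser configured to resolve names through the proxy moves those lookups to the Linux box as well. What leaves the Linux box toward the web remains unchanged by either variant.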
     
  17. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
  18. Taz

    Taz Registered Member

    Joined:
    Feb 11, 2005
    Posts:
    16
    How do you know this to be true?

    Understand, I'm not doubting your sincerity, but a lot of outfits claim they don't do any logging, but I don't see how anyone can ever know for sure. If you've got the inside track with these folks...please do tell.
     