Hello I am wondering if there is increased network/packet security by connecting to a server over ssh through a VPN hosted by that same server as opposed to without first tunneling by VPN. I imagine with or without tunneling through a VPN there would be latency/speed differences too?

  • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍
    link
    fedilink
    arrow-up
    8
    ·
    7 months ago

    Yes.

    Using a VPN for all your traffic obscures your usage and hinders surveillance by your internet provider. If you ssh directly to your server, that’s one extra bit of information (that you’re ssh’ing into the server) your internet provider has about you. Whether this is significant or useful to the provider is questionable, but the short answer is “yes, it provides more security.” That said, AI is probably being already used to do pattern analysis on traffic, and they might still be able to tell you’re making an ssh connection, unless you’re also constantly streaming through the VPN, too.

    I’m going to get heat for this, but running a bitcoin wallet on your home computer - whether or not you actually have any coins or are mining - is a great way to generate a variable amount of constant traffic to an endpoint. Hosting a public IPFS, web site, torrent seeds, or Freenet node are also good ways, although some of those require opening ports to inbound connections and could invite attacks.

    • refalo@programming.dev
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      7 months ago

      and hinders surveillance by your internet provider

      Yes, but it also shifts all that surveillance capability directly to your vpn provider, of whom many are thought/known to be compromised or otherwise mishandle your data. I would argue VPN providers may even be more appropriately situated/equipped to analyze/hand over your data more easily than your local ISP.

      Also, SSH does have some obscure design “issues” that might be applicable depending on your threat model, for example one can check if a user has a certain key on the remote end, if you care about that. There’s probably more.

      • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        It’s true there’s a trust shift; you have to trust someone, even if you’re self- hosting your endpoint (unless you also own the hardware the endpoint is running on). The difference is that I can vet my VPN provider, look at third party reviews, and some even get audits… whereas it’s been proven that Comcast and Verizon are inserting trackers into your packet data and selling the results.

        Can you elaborate a little on why you think a VPN provider is better equipped to analyze or hand over data? On what basis?