Internet Openness
During the last decades, the Internet openness principle has become something often ignored and violated. Suppose you travel a lot and want to access the resources located in one region while you are physically in another one. In that case, it is not a surprise anymore to find the resource is inaccessible. The reasons can be different. But one of the popular is that "we suffered from attacks from region X, so we decided to block the access for all the people/IPs from the region X," or even worse, "we decided to allow access only for people of our region based on IP."
VPN
I think VPN services became quite popular not only due to security reasons but also as a way to solve the described problem: provide access to a resource regardless of client IP-based limitations. There are a lot of VPN service providers across the globe. Surprisingly, the usage of VPN services can be less secure than it seems at first glance. Okay, you can buy a droplet in DigitalOcean and probably install OpenVPN or WireGuard. But at least it takes time for the initial configuration. If the need for such access is quite infrequent, all these efforts are not worth the time investment.
SSH Tunnel
There is some chance that you, like me, already have a virtual or physical server with SSH in the region to which you want access. For example, sitting in Sofia, Bulgaria, I want to check some websites hosted in Germany. Meanwhile, I have a DigitalOcean droplet located in Frankfurt, Germany, with SSH access. The SSH client is already in place on my machine. So, the only thing I need to do is establish the SSH tunnel and use a properly configured web browser for accessing these German websites.
The following command helps to establish the tunnel on 12345 port:
ssh -D 12345 my-droplet-in-frankfurt.com
The only difference between typical SSH command is the ā-Dā flag that instructs the SSH client to listen to the local 12345 port and forwards the traffic from our local machine to the remote server. So, we will access the desired websites "on behalf" of the remote machine.
My primary browser is Google Chrome. For alternative web browsing through SSH tunnel, I'm using Mozilla Firefox. To setup a proxy, one should go to Settings -> Network Settings and fill in the appropriate fields highlighted in the screenshot below:
SSH tunnel looks like a typical SSH session. So you can quit it as soon as you finish your web browsing of restricted websites. You also don't need to change your Firefox configuration every time you need to access different websites. Just establish the SSH tunnel to the new location, open Firefox, and start browsing.
Conclusion
SSH tunnel is an often overlooked alternative to the full-featured VPN services. But for a single person, occasional usage, the SSH tunnel can be a simpler and more convenient way of accessing restricted websites.
Top comments (10)
I have used wire guard and it is really taxing to configure for minimal use cases.
would Love to try this new method out!
Why do you think wire guard is taxing to configure? The times I used it, it was quite easy. Do you have really special configs?
Isn't it? ) WireGuard is a good tool. But if I want to check the behavior of particular website from the specific location (where I already have a VPS with SSH access) an SSH tunnel is much faster option.
Never thought about using ssh as vpn but it sounds really cool, thanks a lot, will try š
There is a tool called sshuttle, which wrapped all the logic for vpn transport into a python front end. Network Manager also at one time had an option for ssh vpn, maybe it still does.
We use sshuttle extensively. It's a great little tool
This isn't a VPN, it's a simple proxy. This set up will leak DNS requests. It's a nice shortcut, not in way a VPN. It's also not a SSH tunnel, thats the
-L
argument. Consider looking into the TCP over TCP issue to see why a proper VPN tool should be used.The message is well received
You're basically talking about what is referred to as a jumpserver / jumpbox. It's widely used
Not really. The jump host main purpose usually is to establish an SSH session "on behalf" of "jumper". It's a "-J" option (or I just usually put "ProxyJump" directives in the config file). The purpose of the "-D" is to establish the "listener" to be ready to proxy the traffic by some other application.