SSH or VPN?

Friday, September 4, 2009

I used to rely almost exclusively on SSH for remote administration, but I recently added an OpenVPN server to my toolkit. I was interested in the performance of OpenVPN compared to OpenSSH, so I ran several tests using iperf:

  1. local
    2.46 GBytes @ 2.11 Gbps
  2. local/ssh
    172 MBytes @ 144 Mbps
  3. network
    115 MBytes @ 96.5 Mbps
  4. network/ssh
    112 MBytes @ 94.2 Mbps
  5. network/vpn
    38.8 MBytes @ 32.4 Mbps
  6. network/ssh/vpn
    32.2 MBytes @ 26.8 Mbps

I used one SSH control connection for each test to run the iperf server. The first two tests were done entirely locally; that is, both client and server ran on the OpenVPN gateway. The second test tunneled iperf from the gateway to itself through an additional SSH connection. The next four tests were done over a 100 Mbps network. Test 3 is analogous to test 1 in that there is no encryption whatsoever. Test 4 is not surprising, considering the SSH performance in test 2. However, tests 5 and 6 show that the VPN presents a substantial overhead. Does this mean that SSH is better than VPN?
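To make the comparison reproducible, here is an added Python snippet (not part of the original post) that parses iperf 2 report lines, computes the incremental overhead of each tunnel layer against the layer beneath it, and flags whether a result is bound by the raw link or by the tunnel itself. The report lines are constructed in iperf 2 format from the six figures above; the 10% tolerance for "link-bound" is an assumption.

```python
import re

# Constructed iperf 2 client report lines carrying the six results from the post (added example).
SAMPLE_REPORTS = {
    "local":           "[  3]  0.0-10.0 sec  2.46 GBytes  2.11 Gbits/sec",
    "local/ssh":       "[  3]  0.0-10.0 sec   172 MBytes   144 Mbits/sec",
    "network":         "[  3]  0.0-10.0 sec   115 MBytes  96.5 Mbits/sec",
    "network/ssh":     "[  3]  0.0-10.0 sec   112 MBytes  94.2 Mbits/sec",
    "network/vpn":     "[  3]  0.0-10.0 sec  38.8 MBytes  32.4 Mbits/sec",
    "network/ssh/vpn": "[  3]  0.0-10.0 sec  32.2 MBytes  26.8 Mbits/sec",
}

# Each tunneled scenario is measured against the layer beneath it (incremental cost).
UNDERLYING = {
    "local/ssh": "local",
    "network/ssh": "network",
    "network/vpn": "network",
    "network/ssh/vpn": "network/vpn",
}

_SCALE = {"K": 1e3, "M": 1e6, "G": 1e9}
_REPORT = re.compile(r"([\d.]+)\s+([KMG])Bytes\s+([\d.]+)\s+([KMG])bits/sec")

def parse_report(line):
    """Return (bytes_transferred, bits_per_second) from one iperf 2 report line."""
    m = _REPORT.search(line)
    if m is None:
        raise ValueError(f"not an iperf 2 report line: {line!r}")
    size, size_unit, rate, rate_unit = m.groups()
    return float(size) * _SCALE[size_unit], float(rate) * _SCALE[rate_unit]

def overhead(underlying_bps, tunneled_bps):
    """Fraction of the underlying throughput lost to the added layer."""
    return 1.0 - tunneled_bps / underlying_bps

def analyse(reports, tolerance=0.10):
    """Per tunneled scenario: overhead of its outermost layer and what bounds it."""
    rates = {name: parse_report(line)[1] for name, line in reports.items()}
    link_bps = rates["network"]
    result = {}
    for name, base in UNDERLYING.items():
        loss = overhead(rates[base], rates[name])
        # Within `tolerance` of the raw link rate: the link is the bottleneck, not the tunnel.
        limit = "link" if base != "local" and overhead(link_bps, rates[name]) <= tolerance else "tunnel"
        result[name] = {"overhead": round(loss, 3), "limit": limit}
    return result

if __name__ == "__main__":
    for name, row in analyse(SAMPLE_REPORTS).items():
        print(f"{name:16} overhead {row['overhead']:6.1%}  bound by {row['limit']}")
```

On these numbers SSH loses 93% locally but only 2% on the wire, because its 144 Mbps ceiling sits above the 96.5 Mbps link, whereas the VPN's 32 Mbps is well below the link and is therefore the tunnel's own limit.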

While SSH and VPN may seem to serve the same purpose (providing an encrypted channel for communication), they have quite a few differences. Consequently, one may be better than the other in some situations, but not in all:

Advantages of SSH over VPN:

  • OpenSSH is clearly more performant than OpenVPN
  • OpenSSH is much easier to set up than OpenVPN: OpenSSH can tunnel individual connections with almost no configuration
  • SSH provides end-to-end security, whereas VPN relies on the security of the subnets involved, since entire subnets are bridged

Advantages of VPN over SSH:

  • SSH operates on the application layer whereas VPN operates on the IP layer, so VPN is easier for end-users to work with: applications and services work out of the box over a configured VPN
  • VPN bridges entire subnets, allowing machines and applications to communicate remotely and seamlessly over any protocol, whereas SSH is only able to tunnel one port at a time
  • While both SSH and VPN use strong encryption, OpenVPN has the added security of TLS authentication that SSH cannot match

SSH is great for communicating over a single encrypted channel. For purposes of remote administration (yes, even maintenance of the VPN), I work quite happily over SSH. But the VPN really shines when one needs a simple and secure way to extend the network itself. My main purpose for setting up this service is for the end-users to more easily telecommute from various locations. There is no longer a need to consider which specific service one is tunneling over SSH when the entire network is automagically connected. While OpenVPN performs rather poorly over a single connection when compared with SSH, the ultimate bottleneck is still the intervening network.

4 Comments

  1. Pierpaolo says:

    Hi Jiang,

    thanks for sharing your information.
    I'm doing the same tests, but I have a doubt.
    I'm creating a VPN with OpenSSH and a tun/tap device, so the two Linux boxes have a virtual IP to use for connecting.
    I want to create a "star" VPN where a central server permits the other clients to communicate with each other through the server, so every packet between the clients is sent via the server.

    Sorry for my bad explanation, I hope it is sufficiently clear to understand.

    Best regards

    Pierpaolo

  2. Jiang Yio says:

    That is a common use case of VPN — to set up a virtual network for clients to communicate securely from anywhere.
