SSH or VPN?

Status
Not open for further replies.

gjonm

Dabbler
Joined
Jun 2, 2015
Messages
30
Hi all

I'm wanting to access a share from a WAN and can't work out the most secure way to achieve this. Is SSH secure enough or is a VPN the way to go?

Thanks
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
VPN is more secure.
 
Joined
Oct 2, 2014
Messages
925
VPN is the way you want to go. There are some good free VPN solutions; I like OpenVPN, and I run the appliance with ESXi.
 

j_r0dd

Contributor
Joined
Jan 26, 2015
Messages
134
IMHO SSH is not less secure if you know how to set it up properly. Use public key authentication with a passphrase on your private key and disable password authentication. That way not only would someone need to steal your private key, but they would also need your passphrase as well. You can even use a service like Authy and add 3-factor auth. I use 4096-bit RSA keys and I don't use the same key for everything. Whether you open a port for VPN or open for SSH you are still opening up your network. Change the default port from 22 to something else to add some obscurity. I even have a firewall rule to drop all packets coming in on port 22. You would be amazed at all the brute-force SSH attempts that occur on a frequent basis. On our 500 or so Linux servers we only use SSH and have yet to have a system compromised. I'm comfortable in CLI so I prefer SSH. Find what you are comfortable with and set it up properly and either one can be just as secure as the other.
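
An added example, not part of the post above or of any project's code: a small Python audit of sshd_config text for the three settings the post names (password authentication off, public key authentication on, a non-default port). The function names and sample configs are constructed for illustration; the parsing assumes the sshd_config(5) rules that the first value for a keyword wins and that Port may be repeated.

```python
import re

# OpenSSH defaults that apply when a keyword is absent or commented out.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_global(text):
    """Return (settings, ports) for the global section of an sshd_config.

    Keywords are case-insensitive, the first value seen for a keyword is
    the one sshd uses, and Port may repeat. Parsing stops at the first
    Match block because those settings only apply conditionally.
    """
    settings, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.+)", line)
        if not m or line.startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            break
        if key == "port":
            ports.append(int(value))
        else:
            settings.setdefault(key, value.lower())  # first value wins
    return settings, ports or [22]

def audit(text):
    """Return a list of findings; an empty list means all checks pass."""
    settings, ports = parse_global(text)
    eff = {**DEFAULTS, **settings}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("password authentication is enabled")
    if eff["pubkeyauthentication"] == "no":
        findings.append("public key authentication is disabled")
    if 22 in ports:
        findings.append("sshd listens on default port 22")
    return findings

# Constructed sample configs (not taken from any real host).
STOCK = "#PasswordAuthentication yes\nPubkeyAuthentication yes\n"
HARDENED = "Port 2222\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
# A later "no" does not override an earlier "yes".
SHADOWED = "Port=2222\npasswordauthentication yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in [("stock", STOCK), ("hardened", HARDENED), ("shadowed", SHADOWED)]:
        print(name, audit(cfg) or "OK")
```

The shadowed case is the one to watch for when editing a distribution's stock file: appending `PasswordAuthentication no` at the bottom has no effect if an earlier line already sets it to `yes`.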
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I agree with @j_r0dd but there are some catches.

You will likely get *lots* of attempts if you don't change the port, and you may get lots of attempts even if you do change the port. This makes for messy logs.

The great thing about VPN is you have total access to everything on your network. So that means you have IPMI access if you want to power off or power on the server, access to your shares, etc as if you were a local machine. This is very handy.

So in terms of security, they're about the same. But in terms of usability for all of the available purposes, the VPN has you beat by a long shot.

For these reasons I recommend VPN to everyone. Once you have it you won't be able to go without it ever again.
 

j_r0dd

Contributor
Joined
Jan 26, 2015
Messages
134
> The great thing about VPN is you have total access to everything on your network. So that means you have IPMI access if you want to power off or power on the server, access to your shares, etc as if you were a local machine. This is very handy.

You can SSH in with the -D<port> and create a proxy that you can use to access IPMI. :) Enough SSH-fanboying from me.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Sure, you can use SSH tunneling. The limitation of that is that you have to map out which specific ports you want to go where, at the time of your connection. The advantage is that there's nothing else to configure on the server/router end--once SSH is set up (and tunneling is allowed, which it is by default), you're good to go. A VPN solution (like OpenVPN) does require some setup and configuration on the server end, but once that's done, can give you access to everything on your LAN. SSH can definitely do the job, but it seems like it's more what a VPN is designed for.
 