[riskable]

Why on Earth would you run OpenVPN through ssh? That makes zero sense. It's like running ssh through ssh.

OpenVPN is pretty much the ultimate VPN that can do anything and handle any situation. It is indistinguishable from regular web SSL traffic and can run on any port via TCP or UDP. It can even run in routed (TUN) or promiscuous (TAP) mode!

Once you've got OpenVPN setup there's no need to tunnel with ssh since OpenVPN is your tunnel.

I used to run an OpenVPN ISP named VPNOut many years ago. I had CTOs from large organizations begging me to tell them all the IPs I used so they could block it because apparently employees were using my service to access things that were normally blocked inside their corporate networks. Even to this day that problem exists: If you configure iptables to forward all ports to an OpenVPN daemon on both TCP and UDP you can get around basically any form of blocking that isn't IP-based. You can even do some tricks to make it look like regular web traffic for the initial SSL preamble to get around "intelligent" firewalls!

OpenVPN is the best!

[contingencies]

I like OpenVPN too. However, there are times when one size doesn't fit all. For example, opening another service to the public is not always a good idea. GFW is programmed to profile and periodically kill OpenVPN traffic flows. OpenVPN under many configurations is MITMable, SSH much less so. The list goes on.

[subway]

OpenSSH and OpenVPN have nearly identical attack vectors with regard to MITM. In a default configuration, both require an upfront exchange of public keys (SSH at time of first-connection; OpenVPN at time of first-configuration).

In fact, because OpenVPN requires the client to obtain the server's certificate ahead of time out of band, and SSH instead relies on the end user typing "yes" after manually comparing a fingerprint, it could be argued OpenVPN is less susceptible to a MITM attack.

edit: Additionally, from past experiences linking up cn-north-1 with us-east-1, individual SSH tunnels fail constantly. individual VPN sessions fail constantly. The only way we were able to make life livable between the two was by way of BGP across a combination of ipsec and openvpn tunnels. (different tunnels, mind you; not layered)

[peterwwillis]

They are not identical in attack vectors, and OpenVPN has many more capabilities to resist MITM and other attacks, and it resists network failure much more.

OpenSSH uses the SSH protocol and username/password and public keys for auth.

OpenVPN auth uses TLS key exchange, pre-shared keys, and username/password, and uses IPSec's ESP protocol for transport, with custom work to handle multiplexing connections. It can verify HMAC on all packets. It tunnels layer 2 or 3. It won't swap sensitive memory and can utilize SELinux. Since OpenVPN can use static keys and a UDP transport, it can resist network partition much better than OpenSSH.

Of course IPSec is much better than either of them. If you have to do all your tunneling in userland, OpenVPN is a more secure method, but if you don't have tun/tap device access, OpenSSH will get you by with port forwarding (which is what its SOCKS tunnel is, if you don't use its tun/tap device or pppd).

[contingencies]

OpenSSH and OpenVPN have nearly identical attack vectors with regard to MITM.

Perhaps in theory, but in practice I would argue otherwise. Why?

Most SSH configurations require key verification and are rarely modified otherwise.

By contrast many OpenVPN configurations, statistically, have MITMable keys, and as they tend to be written from scratch the likelihood of these configurations in the wild is much higher.

With regards to SSH tunnel longevity, try specifying the ServerAliveInterval and ServerAliveCountMax options.

[rufugee]

What is "GFW" in this context?

[crishoj]

GFW here is short for the "great firewall of China" [0]. It's truly a PITA.

[0] https://en.wikipedia.org/wiki/Great_Firewall