by trueluk 5679 days ago
I normally just do my tunneling with ssh -D. Is there an advantage of using SSH VPN instead of SSH as a SOCKS proxy?
3 comments

I was wondering the same thing. The post went through all the steps to set up SSH VPN while SSH tunneling works pretty well and requires almost-zero config on the server…

OTOH I saw the value of using PPTP or L2TP-based VPN. It is supported on most systems by default. I set up one for iPhone because you cannot do SSH tunneling on it. On non-*nix systems there is usually no SSH installed by default. I opened my PPTP/L2TP VPN for friends running Windows.

It's also slightly easier to connect to PPTP/L2TP VPN with a single click on the menubar of OS X without installing any additional software.

Otherwise I stick with SSH tunneling with SOCKS proxy.

Could someone explain the benefits of SSH VPN please?

SideStep basically automates ssh -D for you and sets up a local SOCKS proxy. However SOCKS proxies (and thus the current version of Sidestep) can only protect TCP traffic that supports SOCKS proxies. For example, you can't tunnel your DNS requests over a proxy (without tinkering with Firefox's about:config).

Also, since ssh -D is not a true VPN tunnel, your machine is exposed to the hostile network (if you don't have a firewall).

If you want complete privacy where ALL of your IP traffic is tunneled out, OpenVPN (or other tunneling layer 3 solution) is the way to go.
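The DNS point above depends on how the application addresses the SOCKS proxy. SOCKS5 (RFC 1928) lets a client send either a pre-resolved IPv4 address or the hostname itself; only the latter leaves name resolution to the far end of `ssh -D` (this is what Firefox's `network.proxy.socks_remote_dns` about:config setting switches on). The following is an added example, not code from SideStep or from anyone in this thread; it builds and parses both forms of the CONNECT request so the leaking variant can be recognised.

```python
import socket
import struct

# SOCKS5 address types (RFC 1928, section 4)
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03


def build_connect(host: str, port: int, remote_dns: bool) -> bytes:
    """Build a SOCKS5 CONNECT request for host:port.

    remote_dns=True sends the hostname (ATYP 0x03), so the proxy at the far
    end of `ssh -D` resolves it inside the tunnel.  remote_dns=False mimics a
    client that resolved the name locally first and sends only the IPv4
    address; that local lookup is the DNS query that escapes the tunnel.
    """
    hdr = bytes([0x05, 0x01, 0x00])  # VER=5, CMD=CONNECT, RSV=0
    if remote_dns:
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)  # host is dotted quad
    return hdr + addr + struct.pack("!H", port)


def parse_connect(req: bytes):
    """Return (kind, target, port) from a SOCKS5 CONNECT request."""
    if len(req) < 4 or req[0] != 0x05 or req[1] != 0x01:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        n = req[4]
        target, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
        kind = "domain"
    elif atyp == ATYP_IPV4:
        target, rest = socket.inet_ntoa(req[4:8]), req[8:]
        kind = "ipv4"
    else:
        raise ValueError("unsupported ATYP %#x" % atyp)
    (port,) = struct.unpack("!H", rest[:2])
    return kind, target, port


def leaks_dns(req: bytes) -> bool:
    """True when the request carries a pre-resolved IP, i.e. the client
    already performed its own DNS lookup outside the SOCKS tunnel."""
    return parse_connect(req)[0] == "ipv4"
```

Sample addresses used in the checks (example.com, 192.0.2.10) are constructed documentation values, not hosts from the thread.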

Thanks for the explanation! There are a few things I don't understand fully, could you please talk a bit more?

“since ssh -D is not a true VPN tunnel, your machine is exposed to the hostile network (if you don't have a firewall).”

I believe on OS X the SOCKS proxy is applied globally, unlike Windows where you have to do per-application settings. So aside from DNS queries, I guess other TCP connections should go through SOCKS? That should cover the major problem of FireSheep.

Also, since on Windows/OS X/iOS there are no default OpenVPN clients, I use PPTP/L2TP/IPSec-based VPN instead because they are available by default. Is there any advantage of OpenVPN over them?

For the purpose of defeating FireSheep, ssh -D works just fine.

OpenVPN in the configuration of the blog post utilizes 443/tcp, which is open at most places, while the ports required for PPTP/L2TP/IPSec could be closed.

Worse than just "ports" AFAIK: last I checked PPTP required use of either GRE or its own protocol (I can't remember which)--so not TCP nor UDP, and thus more likely to be blocked or simply NATed incorrectly. I don't recall how L2TP works, but I bet it uses a different IP protocol as well. I'm not sure if it's common to use L2TP unless it's tunneled in IPsec these days. IPsec can run over UDP if configured correctly. (I always encountered the UDP transport in the context of NAT-T which has/had its own set of problems. For example, it used to be the case that many IPsec "servers" had a problem with more than a single NAT-T client behind the same NAT. Not sure if that's still the case as this stuff is no longer my job, thankfully.)

> If you want complete privacy where ALL of your IP traffic is tunneled out, OpenVPN (or other tunneling layer 3 solution) is the way to go.

If you don't have a static IP at home, OpenVPN with this configuration will mean loss of privacy to everyone on the internet.

I've never used OpenVPN (and am not a network expert), but my guess is that it shims into your network stack somehow, so it's transparent to any application? Maybe, it's just a guess. Otherwise, it doesn't seem to make much sense.

I'm running a low-tech setup like this with sshd on my home router and PuTTY on my laptop, acting as a SOCKS proxy, and there are several applications that don't know how to talk to a SOCKS proxy. Luckily FF knows how to.

> it shims into your network stack somehow

It doesn't. It merely installs a virtual network adapter and then you get creative with the routing table to pass the traffic you want through that adapter.

ssh -D: socks proxy. only works with some apps. tunnels at the "data stream" level.

ssh vpn: tunnels all packets at the "network" level. bad because running TCP over TCP can have erratic performance. good because it covers all traffic.

openvpn: tunnels using UDP, so you don't have the TCP on TCP problems. it's just more work to set up than ssh vpn, but still probably easier than full blown ipsec.

My sshuttle project is the best of both worlds between ssh -D and an ssh vpn. http://github.com/apenwarr/sshuttle/