1

Using an example of someone connecting to a VPS, an SSH tunnel will encrypt any traffic coming from the user to the VPS. Once it reaches the VPS network, the traffic is not encrypted and is easily sniffable by network administrators on that particular network. (am I understanding all that correctly?)

Is there a way to have the traffic encrypted on both ends so that neither side is susceptible to packet sniffing to reveal what kind of data/traffic/protocol is being transmitted?

EDIT: In my situation, I would be connecting from either work or home, so I am interested in making sure the traffic is secured on the VPS's network so that it cannot be monitored. Is there any way to do this with SSH, or would I need a VPN?

Aaron
  • 722
  • 2
  • 10
  • 19
  • Are you talking about traffic coming from an SSH shell? Or a dynamic proxy / tunnel established through SSH? If you are talking about the traffic coming from a secure shell (PuTTY, ssh client on Linux etc.) I don't think you have to concern yourself, as the packets transmitted to and from the server are all encrypted. Otherwise I am not sure about using tunnels to access other networks, but I feel it will be the same thing. – Ben Ashton Mar 21 '12 at 22:06

2 Answers

1

What you are saying is correct. You can SSH / VPN directly between the two points to prevent this issue.

Let's say there is a server in the network you want encrypted traffic from end to end. You would set up an SSH server on the server (or a VPN server such as OpenVPN) and then connect to it from the other end point. The problem here is that you have to have access to the gateway to forward the SSH/VPN traffic to that inside server.

One way around this is using a service such as Hamachi. This will allow encrypted end-to-end traffic without having to forward any ports. There are also ways to reverse connect to SSH to get around firewalls / port forwarding.

evolvd
  • 1,384
  • 6
  • 33
  • 58
  • Can you elaborate on that? What do you mean SSH or VPN between the two points? – Aaron Mar 21 '12 at 21:57
  • I added some more info above :) – evolvd Mar 21 '12 at 22:14
  • Thanks for the additional info. Let's say I was connecting to the VPS from work or home and I wanted both ends to be fully encrypted, not just one end. Is my only option VPN, or can I accomplish this with SSH somehow? – Aaron Mar 22 '12 at 13:10
  • You need to have a VPN or SSH server set up at the point you want the encryption to end at. You can set up an SSH server on the VPS, and at that point all traffic to the VPS is encrypted. – evolvd Mar 22 '12 at 21:34
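The point evolvd makes in the comments (encryption ends wherever the SSH or VPN server sits) is easiest to reason about hop by hop. The following added example, which is not from the original answers, parses an OpenSSH `-L` local-forward spec and reports which leg of the path is still cleartext on the VPS's network. The hostnames, the `vps.example` SSH host and the small set of "inner protocol already encrypted" ports are constructed assumptions for illustration; only IPv4 addresses and hostnames are handled in the spec.

```python
"""Model where an OpenSSH local port forward (-L) leaves the encrypted channel.

Added example, not code from the question or answers. Host names and ports
below are constructed sample values.
"""
from dataclasses import dataclass

# Targets that resolve to the VPS itself: the forwarded bytes never leave
# the VPS's loopback interface, so there is nothing on the wire to sniff.
LOOPBACK = {"localhost", "127.0.0.1"}

# Well-known ports whose protocol carries its own encryption (assumption:
# the service behind the port really speaks that protocol). Used only to
# flag that the inner protocol, not SSH, protects the last hop.
ENCRYPTED_PORTS = {22, 443, 465, 636, 993, 995}


@dataclass
class Hop:
    src: str
    dst: str
    encrypted: bool
    reason: str


def parse_local_forward(spec):
    """Parse an OpenSSH -L spec of the form [bind_address:]port:host:hostport.

    Returns (local_port, target_host, target_port). IPv4 / hostnames only.
    """
    parts = spec.split(":")
    if len(parts) == 3:
        local_port, host, hostport = parts
    elif len(parts) == 4:
        _bind, local_port, host, hostport = parts
    else:
        raise ValueError(f"unsupported -L spec: {spec!r}")
    return int(local_port), host, int(hostport)


def tunnel_path(spec, ssh_host="vps.example"):
    """Return the hops a forwarded connection takes and whether each is encrypted."""
    _local_port, target, target_port = parse_local_forward(spec)
    dst = f"{target}:{target_port}"
    # Hop 1: client -> SSH server. Always inside the SSH session.
    hops = [Hop("client", ssh_host, True, "carried inside the SSH session")]
    # Hop 2: SSH server -> forward target. SSH has ended here.
    if target in LOOPBACK:
        hops.append(Hop(ssh_host, dst, True,
                        "stays on the VPS loopback interface, never on the wire"))
    elif target_port in ENCRYPTED_PORTS:
        hops.append(Hop(ssh_host, dst, True,
                        "SSH has ended, but the inner protocol carries its own encryption"))
    else:
        hops.append(Hop(ssh_host, dst, False,
                        "SSH has ended; cleartext on the VPS's network"))
    return hops


def cleartext_hops(spec, ssh_host="vps.example"):
    """Hops an observer on the VPS's network could read without breaking SSH."""
    return [h for h in tunnel_path(spec, ssh_host) if not h.encrypted]


if __name__ == "__main__":
    # Constructed sample forwards: a service on the VPS itself, a plain HTTP
    # service elsewhere on the VPS's network, and an HTTPS service there.
    for spec in ("8080:localhost:80", "8080:10.0.0.5:80", "8443:10.0.0.5:443"):
        print(f"ssh -L {spec} user@vps.example")
        for hop in tunnel_path(spec):
            state = "encrypted" if hop.encrypted else "CLEARTEXT"
            print(f"  {hop.src} -> {hop.dst}: {state} ({hop.reason})")
```

The model shows why "set up the SSH server at the point you want encryption to end" is the whole answer: forwarding to `localhost` on the VPS produces no cleartext hop, forwarding to another host on the VPS's network does, and only moving the SSH or VPN endpoint (or relying on a protocol that encrypts itself, such as HTTPS) removes that hop.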
1

If you're concerned about this, and your architecture allows this, you can set up your VPS boxes so that they can talk to each other over your own private VPN, e.g., something like an OpenVPN server on the VPS you're SSHing into, and the other VPS boxes as OpenVPN clients. If you're communicating across your boxes strictly on the VPN, your network traffic won't be sniffable. For that matter, your user may be able to connect to the VPN server over the VPN, obviating the need for SSH to the server.

Of course, this won't prevent a bad actor at your hosting provider with administrative access from accessing your VPS boxes directly. After all, they control the underlying box. It depends on your threat model.

cjc
  • 24,916
  • 3
  • 51
  • 70
  • My situation would involve connecting from home or work to the VPS. Is VPN my only option if I wanted to make sure the traffic on the VPS's end is encrypted too and can't be viewed from the network the VPS is on? – Aaron Mar 22 '12 at 13:12
  • 1
    Hmm. There are probably other ways (you can play games with SSH port forwarding, for example), but those solutions feel jury-rigged and fragile. VPNs were designed explicitly to allow secure communications between sites through potentially hostile networks. "Sites" in this case would be your individual VPS boxes. Oh, @evolvd's suggestion about Hamachi is a VPN suggestion, but, as a commercial product, they try to make it easier to set up. OpenVPN, which has a free community edition, will give you more control, but may be more difficult to set up. – cjc Mar 22 '12 at 13:31
  • Thanks very much. I understand now and think I have all the information I need. :) – Aaron Mar 22 '12 at 15:14