How to Hide OpenVPN Traffic with an SSH Tunnel

SSH tunnels, or secure shell tunnels, carry encrypted data across an untrusted network. They’re most often used to transfer files safely or to log into services such as remote servers, but they can also be repurposed to carry a wider variety of network traffic, which lets them serve as a basic VPN-style service for keeping certain activities hidden online.

One of the more useful applications of SSH tunnels is to pair them with OpenVPN for an incredibly dynamic and configurable virtual private network. This set-up helps bypass filters that block VPNs, letting you browse freely in countries that restrict access and use sites like Netflix without having to disable your VPN.

Do You Need to Hide VPN Traffic with an SSH Tunnel?

VPN traffic is an encrypted version of normal internet traffic. The contents are unreadable without decryption, but there are telltale signs that the traffic is coming from a VPN. Websites and external firewalls can detect these signs and block requests that originate from a virtual private network, locking you out of the internet unless you disable the VPN. The workaround is to use an SSH tunnel to wrap another layer of encryption around your VPN traffic, disguising its origin so you can access the internet more freely.

The main reason you’d want to use an SSH tunnel alongside your OpenVPN traffic is that your VPN is being aggressively blocked. This could be due to an external network firewall, port blocking, or local ISP throttling. Secure corporate environments and countries that heavily monitor their internet often use similar methods to prevent people from using VPNs. If you live in or are visiting an area known to block VPNs, it’s a good idea to look into SSH tunneling to see if it can keep your connection alive.

SSH Tunnels vs VPNs

If you’ve messed around with your router settings or needed to open ports for online gaming, you’ve probably seen the UDP and TCP labels before. Both of these are protocols used to transfer data across the internet in different ways. Each has its own strengths and weaknesses, which is why certain programs prefer using one over the other.

TCP is a bit like firing an arrow from a bow. You take your time to aim, so you hit the target almost every time; it just takes a while. UDP is like loading all of your arrows into a catapult and flinging them towards the target. Some, maybe even most of those arrows will get where they’re supposed to go, but a great many will miss. Everything arrives quickly, however, which is the chief advantage of UDP. Most traffic we’re familiar with, including browser and FTP transfers, uses TCP. Online games and BitTorrent clients most often use UDP, since speed matters more to them than accuracy.

One of the biggest differences between a full VPN and SSH tunneling is that the latter only covers TCP traffic. VPNs encrypt every piece of data that leaves your computer, from IM services to cloud storage, browser data, torrents, P2P transfers, and online gaming. If you just set up an SSH tunnel, it covers only the TCP traffic of the programs you configure to use it, such as your browser and FTP client, leaving things like torrents completely unprotected.

Recommended VPNs with Tunneling Support

NordVPN

NordVPN is a fantastic all-around VPN provider. The service stays on top thanks to an incredible double encryption feature that wraps important data in 2048-bit SSL encryption, locking it so tightly that not even a supercomputer can break it. NordVPN also has one of the most thorough anti-logging policies on the market, covering everything from traffic to bandwidth, IP addresses, and even time stamps. Nothing you do is stored on NordVPN’s servers, making it one of the most privacy friendly VPNs around.

NordVPN doesn’t offer SSH tunnel support, but it does offer obfsproxy and SSL tunnels through its main apps. These methods offer VPN traffic obfuscation that’s very similar to SSH tunneling, which should help you defeat website blocks and throttling efforts just as easily.

Some of NordVPN’s other great features:

  • Fast connection speeds, unlimited bandwidth, and no restrictions on P2P or torrent traffic.
  • A massive and ever-growing network with over 1,030 servers in 59 different countries.
  • Custom app support for all major operating systems, smartphones, and tablets.
  • Jurisdiction in the privacy-friendly country of Panama.

LAST MINUTE: NordVPN has a great 72% discount on the 2 year plan, costing you just $3.29/month. It also backs all of its plans with a 30 day money back guarantee.

ExpressVPN

ExpressVPN remains one of the fastest VPNs available. The service delivers top connection speeds to most of its network, encompassing 145 servers in 94 different countries. Several versions of its custom apps also feature a built-in speed test to make it easy for you to connect, evaluate, and reconnect to find the best servers available. To top it all off, ExpressVPN delivers smart privacy features such as no traffic logging, DNS leak protection, and an automatic kill switch.

ExpressVPN doesn’t directly support SSH tunnels. However, it does allow for SSL tunnels on its main apps, which provides a similar sort of VPN traffic obfuscation that will help you defeat blocks and website censorship.

ExpressVPN’s best features include:

  • Unlimited bandwidth and no restrictions on P2P or torrent traffic.
  • Zero traffic logs, 256-bit SSL encryption, and ultra fast servers.
  • Speed test option built into multiple versions of its software.
  • Custom software for a wide variety of operating systems.

GET 3 MONTHS FOR FREE: AddictiveTips readers can get 3 months free here if they sign up for the ExpressVPN annual plan, at only $6.67 per month. All are backed by a 30-day money back guarantee.

Pros and Cons of SSH Tunnels

Setting up an SSH tunnel for your OpenVPN traffic doesn’t come without its drawbacks. You’ll gain some security and you’ll boost your privacy, but you’ll sacrifice convenience and usability in the process. Weigh the pros and cons of the procedure before you get started, otherwise you might not be happy with the results.

Below are some of the advantages and disadvantages of using SSH tunnels.

  • They help bypass countrywide censorship – If you live in a country like China or Turkey that systematically blocks access to portions of the internet, an SSH tunnel could help you break free. There is some evidence China is slowing down SSH traffic, but for now it’s a valid method for wrapping your VPN traffic in a cloak and letting it slip through the toughest of firewalls.
  • They let you access websites that block VPNs – Several websites have begun blocking access to VPNs, including big ones like Netflix. Depending on the methods used to enact these blocks, you can often bypass the walls by using an SSH tunnel.
  • They defeat ISP throttling – Is your ISP slowing down your VPN traffic? Deploying an SSH tunnel can defeat throttles instantly.
  • Easy on, easy off – SSH tunnels are extremely easy to turn on and off. You don’t have to set them up for the long haul. Instead, just switch it on when you need it, and off when you don’t.
  • Extra encryption slows down your connection – A VPN encrypts your traffic once. An SSH tunnel encrypts it yet again. This double layer of encryption can dramatically increase the data you send across the internet, which results in a much slower connection, even for simple tasks.
  • SSH itself can be blocked – While SSH tunnels can mask VPNs so the traffic can pass through, it’s possible (though less common) that SSH traffic itself can be blocked.
  • SSH tunnels only work with a few VPNs – Unless you set up and manage your own VPN, you won’t have a lot of luck using SSH tunnels with your existing service. A few do support SSL tunnels and similar alternatives, however. See below for more information.
  • Setting up an SSH tunnel can be technical – Are you familiar with PuTTY? How about terminal commands? If neither of those rings a bell, you’ll have a few technical hurdles to overcome before you can get your SSH tunnel up and running. Our guide below removes some of those barriers with straightforward, step by step instructions.

Setting Up Your Own VPN

Most commercial VPN providers don’t support SSH tunneling. A few such as AirVPN allow you to select tunnels from their custom apps, and a few others allow alternate forms of obfuscation, such as SSL tunnels or obfsproxy. The best way to ensure complete compatibility is to run your own VPN. It can take some time and technical knowledge to get it right, but the monthly costs are about the same, and you can arguably get better security by doing things yourself.

How to set up your own VPN:

  1. Sign up for an account with Digital Ocean.
  2. In the Digital Ocean dashboard, click “Create” to make a droplet.
  3. Choose a hostname for your droplet. Anything will do, such as yournameVPN.
  4. Choose a droplet size. The smallest package will serve your needs just fine.
  5. Choose a server location, then select CentOS 7 as your distribution.
  6. Create the droplet.
  7. Follow Digital Ocean’s instructions to configure the OpenVPN server. Take your time, this is the longest and most complicated part of the procedure.

Creating an SSH Tunnel on Windows

SSH tunnels work by taking connections from programs on your computer, encrypting them, and sending them to your SSH server, which then forwards them on to their real destination. In order to activate the tunnel you’ll need to create some settings on your local device so your operating system knows what to do.

How to create an SSH tunnel on Windows:

  1. Download PuTTY and run the program.
  2. In the “Host Name” box, enter the address of your VPN server (the droplet you created above).
  3. In the menu tree to the left, unfold “SSH” and click on “Tunnels”.
  4. Enter 8080 as the port. Make sure both “Auto” and “Dynamic” are selected, then click “Add”.
  5. Click “Session” in the left menu to go back to the main screen.
  6. Type a name in the top box beneath “Saved Sessions”, then click “Save”.
  7. Click “Open” to connect to the server.
  8. A PuTTY security alert window will open. Click “Yes”.
  9. Enter your server username and password and press ENTER.

Each time you start your computer you’ll need to run PuTTY and initiate the SSH tunnel. You won’t have to enter the information again, just select the saved session and you’re good to go.

Creating an SSH Tunnel on Mac and Linux

If you’re using a Mac or Linux machine your life just got a lot easier. Both operating systems have an SSH client built into their terminals, meaning you won’t have to install PuTTY to start your tunnel. In fact, you can type a single command to get things going.

Open a terminal in your Mac or Linux environment and run the following command, replacing the last part with your own details (-N opens no remote shell, and -D 8080 starts a SOCKS proxy on local port 8080 that forwards through the server):

ssh -ND 8080 user@your.server.com

You’ll need to run this each time you start your computer, or set up a script to do it automatically.
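As an added example that is not part of the original article, the following Python script starts the same tunnel as the ssh -ND command above, with a few extra ssh options that make a failed or dropped tunnel visible, and then confirms that the local port really answers as a SOCKS5 proxy before you point a browser at it. The user name and host are the article’s placeholders; the small responder at the bottom is a constructed stand-in for the ssh listener so the check can be tried offline.

```python
"""Start the SSH SOCKS tunnel and check that it is really answering
before a browser is pointed at it. Added example, not the article's code;
'user' and 'your.server.com' are placeholders."""
import socket
import subprocess
import sys
import threading
import time

SOCKS_PORT = 8080  # the local port the PuTTY and ssh -ND steps above use


def build_ssh_tunnel_command(user, host, port=SOCKS_PORT, ssh_port=22):
    """argv equivalent to `ssh -ND 8080 user@host`, plus options that make a
    failed or dropped tunnel visible instead of silently leaving traffic unproxied."""
    return [
        "ssh",
        "-N",                              # forwarding only, no remote shell
        "-D", f"127.0.0.1:{port}",         # SOCKS listener on loopback only
        "-p", str(ssh_port),
        "-o", "ExitOnForwardFailure=yes",  # exit if the local port is already taken
        "-o", "ServerAliveInterval=30",    # notice a dead link within ~90 s ...
        "-o", "ServerAliveCountMax=3",     # ... and exit rather than hang
        f"{user}@{host}",
    ]


def socks5_port_ready(host="127.0.0.1", port=SOCKS_PORT, timeout=2.0):
    """Send the SOCKS5 greeting a browser would send (version 5, one method:
    no authentication) and return True only if the port answers like a proxy.
    A refused or timed-out connection means the tunnel is down or SSH is blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")
            reply = s.recv(2)
    except OSError:
        return False
    return reply == b"\x05\x00"


def wait_for_tunnel(port=SOCKS_PORT, attempts=20, delay=0.5):
    """Poll until the listener answers; ssh needs a moment to authenticate."""
    for _ in range(attempts):
        if socks5_port_ready(port=port):
            return True
        time.sleep(delay)
    return False


def demo_socks5_responder():
    """Constructed stand-in for the ssh listener so the check can be tried
    offline. It answers the greeting exactly as ssh -D does and nothing more."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if conn.recv(3).startswith(b"\x05"):
                    conn.sendall(b"\x05\x00")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python tunnel_check.py user your.server.com
        proc = subprocess.Popen(build_ssh_tunnel_command(sys.argv[1], sys.argv[2]))
        if wait_for_tunnel():
            print(f"SOCKS5 tunnel ready on 127.0.0.1:{SOCKS_PORT}")
            proc.wait()  # keep it up until ssh exits or Ctrl-C
        else:
            print("tunnel never answered; stopping ssh")
            proc.terminate()
    else:
        port = demo_socks5_responder()
        print(f"offline demo listener on {port}: ready={socks5_port_ready(port=port)}")
```

Run it with your user name and server address to bring the tunnel up, or with no arguments to exercise the check against the constructed responder. The ServerAlive options matter in practice: without them a tunnel that has quietly died keeps the browser pointed at a dead port, and the failure shows up only as pages that never load.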

Setting Your Browser to Use the SSH Tunnel

With the SSH tunnel in place it’s time to teach your local programs to send data through the new, doubly encrypted connection. Most of your web traffic is handled by a browser, so changing the proxy settings there effectively protects most of your online activity.

Pointing Firefox at the proxy:

  1. Follow the instructions above to create and run your SSH tunnel.
  2. In Firefox, go to the Settings menu and select “Manual proxy configuration”.
  3. Next to “SOCKS Host” enter localhost (without quotes) and 8080 as the port.
  4. Select SOCKS v5 below.
  5. Save the settings.

Pointing Chrome at the proxy:

  1. Follow the instructions above to create and run your SSH tunnel.
  2. In Chrome, go to Preferences, then select “Under the Hood”.
  3. Beside Network, click “Change Proxy Settings”.
  4. Select “Manual Proxy Configuration”.
  5. Next to “SOCKS Host” enter localhost (without quotes) and 8080 as the port.
  6. Save the settings.

You don’t have to limit your SSH tunnel usage to web browsers. Many other internet enabled programs have an advanced settings page you can use to enter the same details as above. Just look for a settings tab marked “proxy server”, enter your details, and you’re done.
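To make the “SOCKS v5” choice concrete, here is an added example (not from the article) of the exchange that a browser, or any other program given the proxy settings above, has with the tunnel’s listener on localhost:8080. It builds the SOCKS5 greeting and CONNECT request from RFC 1928 and parses the reply. The detail worth seeing is that SOCKS version 5 lets the client send the hostname itself to the SSH server to resolve, so DNS lookups do not leave your machine in the clear (this is what Firefox’s “Proxy DNS when using SOCKS v5” setting turns on); the host names and the sample reply bytes are constructed.

```python
"""What a SOCKS5 client (a browser, or this script) says to the ssh -D
listener, per RFC 1928. Added example; not the article's own code."""
import socket
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def greeting():
    """Version 5, one auth method offered: 0x00 (none). ssh -D needs no auth."""
    return b"\x05\x01\x00"


def connect_request(host, port, remote_dns=True):
    """CONNECT request for host:port.

    An IPv4 literal is sent as-is (ATYP 0x01). A hostname is normally sent
    verbatim (ATYP 0x03) so the SSH *server* resolves it; that is why SOCKS v5
    matters. remote_dns=False resolves locally first, which leaks the name
    to whoever can see your DNS traffic.
    """
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        if remote_dns:
            name = host.encode("idna")
            if len(name) > 255:
                raise ValueError("hostname too long for SOCKS5 ATYP 0x03")
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
        else:  # local lookup: the DNS query goes out unprotected
            addr = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(host))
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def parse_reply(data):
    """Return (ok, reason, bound_addr, bound_port) from the server's reply."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    (bound_port,) = struct.unpack("!H", rest[:2])
    return rep == 0, REPLY_TEXT.get(rep, f"unknown reply {rep}"), addr, bound_port


def fetch_status_line(host, port=80, proxy=("127.0.0.1", 8080)):
    """Full exchange against the live tunnel: greeting, CONNECT, then one
    plain HTTP request. Returns the HTTP status line (needs a running tunnel)."""
    with socket.create_connection(proxy, timeout=10) as s:
        s.sendall(greeting())
        if s.recv(2) != b"\x05\x00":
            raise RuntimeError("listener did not accept the no-auth method")
        s.sendall(connect_request(host, port))
        ok, reason, _, _ = parse_reply(s.recv(262))
        if not ok:
            raise RuntimeError(f"CONNECT failed: {reason}")
        s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        return s.recv(1024).split(b"\r\n", 1)[0].decode(errors="replace")


# Constructed sample: a success reply carrying bound address 0.0.0.0:0.
SAMPLE_OK_REPLY = b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    print(connect_request("example.com", 443).hex(" "))
    print(parse_reply(SAMPLE_OK_REPLY))
    # Uncomment once `ssh -ND 8080 user@your.server.com` is running:
    # print(fetch_status_line("example.com"))
```

A program that instead picks SOCKS v4, or resolves names itself before asking the proxy, still sends its TCP data through the tunnel but announces every site it visits through ordinary DNS; checking for that is the same DNS leak test you would run against any VPN.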
