
How to Hide OpenVPN Traffic with an SSH Tunnel

Secure Shell tunnels are an effective way to hide OpenVPN traffic, but they’re useless if you’re not sure how they work! Today’s beginner-friendly guide will walk you through everything you need to know in order to configure a highly private and secure VPN connection in just a few minutes.

SSH tunnels, or secure shell tunnels, are designed to send encrypted data across an unsecured network. They’re most often used to safely transfer files or to log into services like remote servers. They can also be repurposed to carry a wider variety of network traffic, which allows them to be used as a basic VPN-style service to keep certain activities hidden online.

Alternatively, you can just pick an affordable VPN with advanced tunneling, such as these:

  1. NordVPN – Most Secure Connections – NordVPN is unparalleled in the utility of its network, which spans the globe to offer users secure access to the free and open Internet.
  2. Surfshark – Relatively modest network, but replete with the most advanced tunneling and encryption protocols. Auto obfuscation hides your VPN traffic.
  3. ExpressVPN – Blazing fast, robust server network with dynamic IP switching, split tunneling, and much more.

One of the more useful applications of SSH tunnels is to pair them with OpenVPN for an incredibly dynamic and configurable virtual private network. This set-up will help bypass filters that block VPNs, allowing you to freely browse the internet in countries that restrict access as well as use sites like Netflix without having to disable your VPN.

Do You Need to Hide VPN Traffic with an SSH Tunnel?

VPN traffic is an encrypted version of normal internet traffic. The contents are unreadable without decryption, but there are telltale signs that the traffic is coming from a VPN. Websites and external firewalls can detect these signs and block requests that originate from a virtual private network, locking you out of the internet unless you disable the VPN. The workaround is to use an SSH tunnel to wrap another layer of encryption around your VPN traffic, disguising its origin so you can access the internet more freely.

The main reason you’d want to use an SSH tunnel alongside your OpenVPN traffic is that your VPN is being aggressively blocked. This could be due to an external network firewall, port blocking, or local ISP throttling. Secure corporate environments and countries that heavily monitor their internet often use similar methods to prevent people from using VPNs. If you live in or are visiting an area known to block VPNs, it’s a good idea to check into SSH tunneling to see if it can keep your connection alive.

SSH Tunnels vs VPNs

If you’ve messed around with your router settings or needed to open ports for online gaming, you’ve probably seen the UDP and TCP labels before. Both of these are protocols used to transfer data across the internet in different ways. Each has its own strengths and weaknesses, which is why certain programs prefer using one over the other.

TCP is a bit like firing an arrow from a bow. You’re in no hurry to aim, and as a result, you hit the target most of the time; it just takes a while. UDP is like loading all of your arrows into a catapult and flinging them towards the target. Some, maybe even most of those arrows will get to where they’re supposed to go, but a great many will miss. Everything arrives quickly, however, which is the chief advantage of UDP. Most traffic we’re familiar with, including browser and FTP transfers, takes place using TCP. Online games and BitTorrents most frequently deploy UDP, since accuracy isn’t as important to them as speed.

One of the biggest differences between a full-on VPN and SSH tunneling is the latter only covers TCP traffic. VPNs encrypt every piece of data that leaves your computer, from IM services to cloud storage, browser data, torrents, P2P transfers, and online gaming. If you just set up an SSH tunnel you only cover your browser and FTP traffic through TCP, leaving things like torrents completely unprotected.

Recommended VPNs with Tunneling Support

1. NordVPN

NordVPN is a fantastic all-around VPN provider. The service stays on top thanks to an incredible double encryption feature that wraps important data in 2048-bit SSL encryption, locking it so tightly that not even a supercomputer can break it. NordVPN also has one of the most thorough anti-logging policies on the market, covering everything from traffic to bandwidth, IP addresses, and even time stamps. Nothing you do is stored on NordVPN’s servers, making it one of the most privacy friendly VPNs around.

NordVPN doesn’t offer SSH tunnel support, but it does offer obfsproxy and SSL tunnels through its main apps. These methods offer VPN traffic obfuscation that’s very similar to SSH tunneling, which should help you defeat website blocks and throttling efforts just as easily.

Some of NordVPN’s other great features:

  • Fast connection speeds, unlimited bandwidth, and no restrictions on P2P or torrent traffic.
  • A massive and ever-growing network with over 5000+ servers in 59 different countries.
  • Custom app support for all major operating systems, smartphones, and tablets.
  • Jurisdiction in the privacy-friendly country of Panama.

Read our full NordVPN review.

  • Unblocks US Netflix, iPlayer, Amazon Prime and other streaming services
  • No bandwidth caps
  • 256-bit AES encryption with perfect forward secrecy
  • Extra-secure Double VPN for data encryption
  • Great support (24/7 chat).
  • Sometimes slow in processing refunds (but always do).
BEST OVERALL VPN: NordVPN is tailor-made to bypass website restrictions and has the raw performance to allow for the fastest servers on the market. Get a huge 70% discount on the 3-year plan ($3.49/mo), backed by a hassle-free 30-day money-back guarantee.

2. Surfshark

Like most VPNs, there’s no specific support for SSH tunneling within Surfshark’s offering. In fact, they are rather explicit about opting for more secure methods, which include OpenVPN TCP/UDP, IKEv2/IPSec, WireGuard and Shadowsocks on Windows devices. In general–but especially in the correct application–these protocols are far more stable, secure, and efficient than SSH, and will serve to get you past even the most heinous Internet restrictions.

Furthermore, an SSH tunnel won’t come with Surfshark’s 256-AES-GCM encryption–the same cipher used by the NSA to guard their own communications. And where are you tunneling to? Surfshark gives you over 800 servers, located in 50 countries around the world to bypass geoblocks and access restricted content.

Rounding out Surfshark’s outstanding package are numerous failsafes, including IP/DNS/WebRTC leak protection, a kill switch, no logging, and even an anti-malware/tracking/adware module which intercepts bad links and popups before they can load.

Surfshark’s advanced features include:

  • Automatic obfuscation available on any server to hide your OpenVPN traffic (works in Egypt)
  • Unlimited simultaneous connections
  • 24/7 live chat support
  • RAM-only server infrastructure
  • Bypass government censorship with NoBorders mode
  • Unlimited server switching
  • Trial in confidence with a 30-day money back guarantee
  • Independently audited privacy practices
  • Get help any time of day via email, phone, or live chat.
  • Overall, not much to complain about
  • Relatively young VPN still has to prove itself trustworthy over the long haul.

Read our full Surfshark review.

BEST BUDGET OPTION: Surfshark is one of the most affordable ways to get premium VPN tunneling. Get 83% off a two-year plan + 3 months FREE for just $2.21 per month.

3. ExpressVPN


ExpressVPN remains one of the fastest VPNs available. The service delivers top connection speeds to most of its network, encompassing 3000 servers in 94 different countries. Several versions of its custom apps also feature a built-in speed test to make it easy for you to connect, evaluate, and reconnect to find the best servers available. To top it all off, ExpressVPN delivers smart privacy features such as no traffic logging, DNS leak protection, and an automatic kill switch.

ExpressVPN doesn’t directly support SSH tunnels. However, it does allow for SSL tunnels on its main apps, which provides a similar sort of VPN traffic obfuscation that will help you defeat blocks and website censorship.

ExpressVPN’s best features include:

  • Unlimited bandwidth and no restrictions on P2P or torrent traffic.
  • Zero traffic logs, 256-bit SSL encryption, and ultra fast servers.
  • Speed test option built into multiple versions of its software.
  • Custom software for a wide variety of operating systems.

Read our full ExpressVPN review.

  • Unblocks US Netflix
  • Superfast servers (minimal speed loss)
  • AES-256 encryption
  • Strict no-logs policy for personal information
  • 24/7 Live Chat.
  • Slightly pricier than competition.
GREAT ALL-ROUNDER: Get 3 months free and save 49% on the annual plan. 30-day money back guarantee included.

Pros and Cons of SSH Tunnels

Setting up an SSH tunnel for your OpenVPN traffic doesn’t come without its drawbacks. You’ll gain some security and you’ll boost your privacy, but you’ll sacrifice convenience and usability in the process. Weigh the pros and cons of the procedure before you get started, otherwise you might not be happy with the results.

Below are some of the advantages and disadvantages of using SSH tunnels.

  • They help bypass countrywide censorship – If you live in a country like China or Turkey that systematically blocks access to portions of the internet, an SSH tunnel could help you break free. There is some evidence China is slowing down SSH traffic, but for now it’s a valid method for wrapping your VPN traffic in a cloak and letting it slip through the toughest of firewalls.
  • They let you access websites that block VPNs – Several websites have begun blocking access to VPNs, including big ones like Netflix. Depending on the methods used to enact these blocks, you can often bypass the walls by using an SSH tunnel.
  • They defeat ISP throttling – Is your ISP, e.g. Verizon, slowing down your VPN traffic? Deploying an SSH tunnel can defeat throttles instantly.
  • Easy on, easy off – SSH tunnels are extremely easy to turn on and off. You don’t have to set them up for the long haul. Instead, just switch it on when you need it, and off when you don’t.
  • Extra encryption slows down your connection – A VPN encrypts your traffic once. An SSH tunnel encrypts it yet again. This double layer of encryption can dramatically increase the data you send across the internet, which results in a much slower connection, even for simple tasks.
  • SSH itself can be blocked – While SSH tunnels can mask VPNs so the traffic can pass through, it’s possible (though less common) that SSH traffic itself can be blocked.
  • SSH tunnels only work with a few VPNs – Unless you set up and manage your own VPN, you won’t have a lot of luck using SSH tunnels with your existing service. A few do support SSL tunnels and similar alternatives, however. See below for more information.
  • Setting up an SSH tunnel can be technical – Are you familiar with PuTTY? How about terminal commands? If neither of those words ring a bell, you’ll have a few technical hurdles to overcome before you can get your SSH tunnel up and running. Our guide below removes some of those barriers with straightforward, step by step instructions.

Setting Up Your Own VPN

Most commercial VPN providers don’t support SSH tunneling. A few such as AirVPN allow you to select tunnels from their custom apps, and a few others allow alternate forms of obfuscation, such as SSL tunnels or obfsproxy. The best way to ensure complete compatibility is to run your own VPN. It can take some time and technical knowledge to get it right, but the monthly costs are about the same, and you can arguably get better security by doing things yourself.

How to set up your own VPN:

  1. Sign up for an account with Digital Ocean.
  2. In the Digital Ocean dashboard, click “Create” to make a droplet.
  3. Choose a hostname for your droplet. Anything will do, such as yournameVPN
  4. Choose a droplet size. The smallest package will serve your needs just fine.
  5. Choose a server location, then select CentOS 7 as your distribution.
  6. Create the droplet.
  7. Follow Digital Ocean’s instructions to configure the OpenVPN server. Take your time, this is the longest and most complicated part of the procedure.

Creating an SSH Tunnel on Windows

SSH tunnels work by taking local data from your computer, wrapping it in a special layer of encryption, then sending it over the internet. In order to activate the tunnel you’ll need to create some settings on your local device so your operating system knows what to do.

How to create an SSH tunnel on Windows:

  1. Download PuTTY and run the program.
  2. In the “Host Name” box, enter the address of your VPN.
  3. In the menu tree to the left, unfold “SSH” and click on “Tunnels”
  4. Enter 8080 as the port. Make sure both “Auto” and “Dynamic” are selected, then click “Add”
  5. Click “Session” on the left menu to go back to the main screen.
  6. Type a name in the top box beneath “Saved Sessions”, then click “Save”
  7. Click “Open” to connect to the server.
  8. A PuTTY security alert window will open. Click “Yes”
  9. Enter your server username and password and press ENTER.

Each time you start your computer you’ll need to run PuTTY and initiate the SSH tunnel. You won’t have to enter the information again, just select the saved session and you’re good to go.

Creating an SSH Tunnel on Mac and Linux

If you’re using a Mac or Linux PC your life just got a lot easier. Both operating systems have SSH commands built into their terminals, meaning you won’t have to install PuTTY to start your tunnel. In fact, you can type a single command to get things going.

Open a terminal in your Mac or Linux environment and run the following command, replacing the last part with your own details:

ssh -ND 8080 user@your.server.com

You’ll need to run this each time you start your computer, or set up a script to do it automatically.
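
One way to script the command above, shown as an added example that is not part of the original article: it binds the SOCKS port to loopback explicitly, refuses unverified host keys, and then checks that the port is not reachable from other machines. It assumes a Linux host with the ss tool; user@your.server.com and port 8080 are the article’s placeholders, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the original article. SSH_TARGET and SOCKS_PORT
# default to the placeholders used in the article's command.
SSH_TARGET="${SSH_TARGET:-user@your.server.com}"
SOCKS_PORT="${SOCKS_PORT:-8080}"

# ExitOnForwardFailure: abort if the SOCKS port cannot be bound.
# ServerAlive*: tear down a dead tunnel instead of hanging silently.
# StrictHostKeyChecking=yes: refuse unknown or changed host keys, so the
#   server key must already be verified and stored in ~/.ssh/known_hosts.
SSH_OPTS="-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
-o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes"

# Print the full command; the listener is bound to 127.0.0.1 explicitly so
# other hosts on the network cannot use the tunnel as an open proxy.
tunnel_cmd() {
    echo "ssh -f $SSH_OPTS -D 127.0.0.1:$SOCKS_PORT $SSH_TARGET"
}

# Read `ss -ltn` style lines on stdin and classify the listener on port $1:
# prints "loopback", "exposed" (any non-loopback bind) or "absent".
listener_exposure() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }
        {
            n = split($4, part, ":")
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]") state = "exposed"
            else if (state == "") state = "loopback"
        }
        END { print (state == "" ? "absent" : state) }'
}

case "${1:-}" in
start)  # Open the tunnel, then confirm where the SOCKS port is listening.
    # ss is Linux (iproute2); other systems need a different listing tool.
    # Unquoted on purpose: the printed command is word-split into arguments.
    $(tunnel_cmd) || exit 1
    result=$(ss -ltn | listener_exposure "$SOCKS_PORT")
    echo "SOCKS port $SOCKS_PORT: $result"
    [ "$result" = "loopback" ] ;;
demo)   # Constructed sample line: a wildcard bind that should be flagged.
    printf 'LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*\n' | listener_exposure 8080 ;;
esac
```

Run it with the argument start to open the tunnel; with no argument it only defines the functions. Clients that speak SOCKS5 can also send hostnames through the tunnel for resolution (curl’s --socks5-hostname does this, while --socks5 resolves names locally).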

Setting Your Browser to Use the SSH Tunnel

With the SSH tunnel in place it’s time to teach your local programs how to send data through the new double secure connection. Most of your web traffic is handled by a browser, so changing proxy settings here can effectively encrypt most of your online activity.

Using the tunnel as a proxy in Firefox:

  1. Follow the instructions above to create and run your SSH tunnel.
  2. In Firefox, go to the Settings menu and select “Manual proxy configuration”
  3. Next to “SOCKS Host” enter “localhost” without the quotes followed by 8080 as the port.
  4. Select SOCKS v5 below.
  5. Save the settings.

Using the tunnel as a proxy in Chrome:

  1. Follow the instructions above to create and run your SSH tunnel.
  2. In Chrome, go to Preferences, then select “Under the Hood”
  3. Beside Network click “Change Proxy Settings”
  4. Select “Manual Proxy Configuration”
  5. Next to “SOCKS Host” enter “localhost” without the quotes followed by 8080 as the port.
  6. Save the settings.

You don’t have to limit your SSH tunnel usage to web browsers. Many other internet-enabled programs have an advanced settings page you can use to enter the same details as above. Just look for a settings tab marked “proxy server”, enter your details, and you’re done.

