Using SSH and VPN to Access Your Home Network
There are two common ways of accessing your home network remotely and securely: an SSH server or a VPN server. Both options have pros and cons, as is usually the case when comparing two different things. Both technologies provide an encrypted connection, which is important for the security of your network when you want to reach it remotely.
I have limited the discussion of this topic to accessing your home network via SSH or VPN, but you may also connect your devices, or even your router such as OPNsense, to an external third-party VPN provider. Reasons for doing so include increased security and privacy, and access to content which is restricted to certain geographic regions. For more information about several popular VPN providers, please visit VPN Check to help you find a VPN provider which meets your needs.
Encryption alone is not enough to guarantee security. You could very well be communicating with a malicious hacker via an encrypted connection without even knowing that it is occurring. In fact, this is becoming more common. Therefore, establishing the identity of the other side when the encrypted connection is created helps improve security.
SSH and VPN servers provide mechanisms for exchanging keys or digital certificates to help establish the proper identity of the connecting devices. The exchange of keys/certificates provides a greater level of trust in the identities of the devices than passwords alone, since an attacker would need to have both the password and the private key in order to authenticate and establish the secure connection.
SSH vs. VPN
SSH servers allow access to a particular device on your network. Once you are connected to that device, it is as though you are logged into the local machine. You can execute commands on the device using an SSH client application. SSH is useful for remote administration of your servers or other network devices (routers, switches, wireless access points, etc.). Files may also be securely transferred via an SSH connection. You may even connect to a second device on your network via SSH through the SSH session of the first device.
One common use of SSH is to create an SSH tunnel to an SSH server, providing an encrypted connection for applications that do not natively support encryption, such as certain VNC clients. This is a great way to secure the communication of software which does not provide encryption of its own.
SSH servers are pretty simple to configure, especially on Linux, since they can be installed with a few commands from the built-in software repositories. Out of the box, the SSH server accepts password authentication, but the settings may be tweaked to allow only key-based authentication to improve security.
VPN servers also allow remote access like SSH does, but instead of connecting to a single device, a VPN lets your device(s) become part of your network as though they were physically located on it. VPNs may be set up to isolate VPN users from each other and/or from the rest of your home network based on your specific needs. Alternatively, VPNs can be configured to allow users to access specific resources on the network, which lets users participate in the network remotely. This is useful for working remotely while on the road.
Not only is a VPN connection useful for accessing your home network while away from home, but you may also use it when you wish to use public WiFi. Public WiFi can potentially be very dangerous, so if you log into your home network VPN server, you are better protected from eavesdroppers and/or hackers lingering on public WiFi networks. An added bonus is that any security protections you put in place on your home network also protect your VPN users. You can securely browse the Internet through your home network from the public WiFi of your favorite coffee shop!
One nice aspect of using a VPN server is that once you establish a connection to the network, you have access to any devices on your network that you allow via firewall rules. Depending on your configuration, you do not necessarily have to log into each device separately. If you have internal-facing web administration control panels, media servers, printers, etc. that you want to access, it can all be allowed via firewall rules.
If you want to read more about the brief history and the potential future of VPNs, you may visit this PrivacyAustralia article.
Using a VPN and SSH Together
You can combine the usage of a VPN and SSH to have greater security in your network. The VPN server can be used to connect to your network remotely and would be the only port you need to expose to the world (unless you are running other public-facing services on your network). That protects the remote/external connections to your network. Then, for each of your servers and other devices you wish to administer, you could enable SSH servers using keys (keys that can additionally be protected by passwords). This protects your connections internally in your network. For an example of how I use a VPN and SSH, I connect to my network via VPN and then use VNC over SSH to log into my devices. The VNC server on my devices is only enabled on localhost, so I can only connect to the VNC server through the SSH connection.
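The two settings this layout depends on are that sshd accepts keys only (as suggested above) and that the VNC server listens on localhost only, so it is reachable solely through an SSH tunnel. The audit script below is an added example, not part of the original article; the config and listener-table contents are constructed sample data, and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for
# key-only authentication and an `ss -ltn`-style listener table for a VNC
# port bound to loopback only. A loopback-only VNC server is reached with a
# tunnel such as: ssh -L 5901:localhost:5901 user@host
# All inputs below are constructed sample data, not from a real system.

# Effective value of an sshd_config keyword. sshd honours the first match,
# so stop at the first line; $3 is the OpenSSH default used when absent.
sshd_option() {
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Succeed only when password logins are off, key logins are on,
# and root cannot log in with a password.
check_key_only_auth() {
    [ "$(sshd_option "$1" PasswordAuthentication yes)" = "no" ] &&
    [ "$(sshd_option "$1" PubkeyAuthentication yes)" = "yes" ] &&
    [ "$(sshd_option "$1" PermitRootLogin prohibit-password)" != "yes" ]
}

# Succeed only when every listener on port $2 in the table $1 is bound
# to a loopback address (127.0.0.1 or [::1]); the header line is skipped.
check_loopback_only() {
    ! awk -v port="$2" '
        NR > 1 {
            addr = $4; n = split(addr, p, ":"); if (p[n] != port) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host != "127.0.0.1" && host != "[::1]") found = 1
        }
        END { exit !found }' "$1"
}

tmp=$(mktemp -d)
DEFAULT_CFG="$tmp/sshd_default"; HARDENED_CFG="$tmp/sshd_hardened"
LISTEN_OK="$tmp/ss_ok"; LISTEN_BAD="$tmp/ss_bad"
# Out-of-the-box style config: nothing set, so passwords are still accepted.
printf '# constructed sample\nPort 22\n' > "$DEFAULT_CFG"
# Hardened config: keys only, no root password login.
printf 'Port 22\nPasswordAuthentication no\nPubkeyAuthentication yes\nPermitRootLogin no\n' > "$HARDENED_CFG"
# VNC bound to loopback only (good) versus exposed on all interfaces (bad).
printf 'State Recv-Q Send-Q Local Address:Port Peer Address:Port\nLISTEN 0 128 0.0.0.0:22 0.0.0.0:*\nLISTEN 0 5 127.0.0.1:5901 0.0.0.0:*\n' > "$LISTEN_OK"
printf 'State Recv-Q Send-Q Local Address:Port Peer Address:Port\nLISTEN 0 5 0.0.0.0:5901 0.0.0.0:*\n' > "$LISTEN_BAD"

check_key_only_auth "$HARDENED_CFG" && echo "sshd: key-only authentication enforced"
check_loopback_only "$LISTEN_OK" 5901 && echo "vnc: port 5901 bound to loopback only"
```

On a real host, point the first check at /etc/ssh/sshd_config and feed the second the output of `ss -ltn` to confirm that VNC is only reachable through the tunnel.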
I personally use and recommend this VPN/SSH approach because you are protecting both external and internal network connections. If you combine this approach with VLANs to segment your network along with the appropriate firewall rules, you will have a network that is reasonably locked down, especially for a home network. It is essentially a zero trust approach. If someone gets into your network by exploiting a vulnerability in your VPN server, they will still need to locate and break through your other defenses, such as the various SSH servers located on your network. In theory, you can isolate and minimize the damage of an intruder. Of course, if an intruder is inside your network, you may still have big problems. Perhaps if you are “fortunate” they will just mine cryptocurrency instead of encrypting and ransoming all your files.
One of the goals of this site is to help guide and encourage us to be more proactive about the security of our home networks. Our digital assets are extremely valuable and need to be protected especially as our lives become increasingly digital every day!