Hello I am wondering if there is increased network/packet security by connecting to a server over ssh through a VPN hosted by that same server as opposed to without first tunneling by VPN. I imagine with or without tunneling through a VPN there would be latency/speed differences too?

  • Bloody Harry@feddit.de
    link
    fedilink
    arrow-up
    1
    ·
    6 months ago

    afaik accessing your SSH over Wireguard while making SSH only listen on local can help mitigate DOS attacks, as Wireguard, opposed to many other protocols, is silent by default, meaning an attacker won’t see if you have a Server listening for incoming connections or if they are screaming into the void

    • PonzianiOP
      link
      fedilink
      arrow-up
      2
      ·
      6 months ago

      But wouldn’t the port being open alert anyone who looks for that? Network security is not my specialty but I believe I have read that people can ping/scan ip addresses easily and quickly to determine if any ports are open / forwarded, so if Wireguard was used or any VPN software, they could pick up on that as an attack vector?

      • towerful@programming.dev
        link
        fedilink
        arrow-up
        3
        ·
        6 months ago

        Wireguard uses UDP.
        Wireguard also strives to be “silent” for bad traffic/connection attempts. I’ve tried a cursory look to find more information on it, but nothing that explains it simply.

        Either way it doesn’t turn up on port scans.

        • PonzianiOP
          link
          fedilink
          arrow-up
          2
          ·
          6 months ago

          But the router must forward the port to allow the VPN to be utilized , meaning that port being forwarded can be scanned/detected i thought?

          • damium@programming.dev
            link
            fedilink
            English
            arrow-up
            3
            ·
            6 months ago

            It depends on how the router responds to other non-forwarded ports. For UDP an open port with no response is the same as a dropped packet. A scanner will only know if the device sends an ICMP response back to indicate that it is closed.