When you work for an outsourcing company and a client has a database as a data source, you will most likely connect to it through a VPN or an SSH tunnel. Have you ever wondered why all these shenanigans are needed? Why not just give me an IP or a URL so I can access it? I’m going to explain why a VPN or SSH tunnel is necessary when accessing a company’s resources. This article is my take on explaining the most basic concepts in networking.

After reading this, you should understand why companies use VPNs and SSH tunnels, and what the differences between a VPN and an SSH tunnel are.

1. Why companies use VPN and SSH tunnel

Short explanation: companies set up a VPN or an SSH tunnel so that people somewhere else can access their private network.

Long explanation:

To understand this, you must first know what a private network is.

Imagine you have a tech company that develops software. To develop software, you need to build a local network in which the computers within your company are interconnected. Within the same network, you install databases on your servers to store data. This whole network you just built is a private network. It is private because devices outside this network cannot connect or send requests to devices inside it, which is what keeps it secure.

Now you need to grant your developers access to the Internet, so they can Google and copy code from StackOverflow. You have just allowed devices within your private network to send requests to the Internet. Administrators usually allow devices in a private network to send requests out to the Internet, but not the other way around: devices on the Internet cannot send requests to or connect to devices inside a private network. This is enforced through firewall rules.

[Diagram: Typical private network setup]

Now imagine you need the help of a consulting company on how to best use the data stored in your database. You need to grant them access to the database inside your private network. How do you do that?

The easiest way is to modify the firewall rules to allow devices from the Internet to send requests to your database. This way, you only need to provide your consultant with the database IP and a username/password, and they can send login requests to your database and access it. However, other people (like hackers) can also send requests to your database. Although they don’t know the username/password, they can use a bot to send login requests with different username/password combinations until one is correct. This means a lot of requests will be sent to your database, overloading it, slowing it down and possibly even crashing it.

[Diagram: Allow public access to the database]

One way to prevent that is IP whitelisting. With this option, the firewall only allows devices with certain IPs to send requests to your database; devices with other IPs cannot. Company networks often have a fixed IP range, so we can whitelist the consultant’s range. This helps lower the risk of attacks.

[Diagram: Whitelist IP from consultant only]

However, what if people at the consultant company work from home or from a cafe? They will then have a different IP and cannot access your database from that place. This is where VPN and SSH tunnel come in. Using a VPN or an SSH tunnel, we can give database access to anyone we want, regardless of their IP.

So to sum up, companies have private networks for security. VPN and SSH tunnel are ways to securely access those private networks from anywhere.
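To make the three firewall choices from this section concrete (open the database to the Internet, whitelist the consultant’s office range, or keep the port closed and rely on a VPN/SSH tunnel), here is an added example that is not part of the original article. It models the firewall decision with Python’s ipaddress module and runs it over a constructed batch of connection attempts; every IP address, range, port and label in it is made up for the example, and the "login_ok" flags are assumptions about which attempts would have had the right password.

```python
"""Added illustration (not from the original article): compare the three
firewall choices described above against a constructed batch of connection
attempts to the database port.  All addresses, ranges and flags are made up."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

DB_PORT = 5432  # assumption: a PostgreSQL-style database port


@dataclass
class FirewallPolicy:
    """mode 'public'    -> anyone on the Internet may reach DB_PORT
       mode 'whitelist' -> only sources inside allowed_ranges may reach DB_PORT
       mode 'closed'    -> DB_PORT unreachable from the Internet (VPN/SSH tunnel only)"""
    mode: str
    allowed_ranges: list = field(default_factory=list)

    def allows(self, src_ip: str, dst_port: int) -> bool:
        if dst_port != DB_PORT:
            return False  # this toy policy only reasons about the database port
        if self.mode == "public":
            return True
        if self.mode == "whitelist":
            src = ipaddress.ip_address(src_ip)
            return any(src in ipaddress.ip_network(r) for r in self.allowed_ranges)
        return False  # 'closed'


def evaluate(policy: FirewallPolicy, attempts):
    """Split a batch of (src_ip, dst_port, label, login_ok) attempts into the
    labels the firewall lets through and the labels it drops."""
    allowed, denied = [], []
    for src_ip, dst_port, label, _login_ok in attempts:
        (allowed if policy.allows(src_ip, dst_port) else denied).append(label)
    return allowed, denied


def login_failures_per_source(policy: FirewallPolicy, attempts) -> Counter:
    """Defender-side view: failed logins per source IP, counting only attempts
    the firewall actually let reach the database.  A password-guessing bot
    shows up as one source with many failures."""
    counts = Counter()
    for src_ip, dst_port, label, login_ok in attempts:
        if policy.allows(src_ip, dst_port) and not login_ok:
            counts[src_ip] += 1
    return counts


# Constructed sample traffic (documentation ranges from RFC 5737):
# the consultant at the office, the same consultant from a cafe, and a bot
# guessing passwords 50 times from one address.
CONSULTANT_OFFICE_RANGE = "203.0.113.0/24"
SAMPLE_ATTEMPTS = [
    ("203.0.113.17", DB_PORT, "consultant@office", True),
    ("198.51.100.42", DB_PORT, "consultant@cafe", True),
] + [("192.0.2.99", DB_PORT, "bot", False) for _ in range(50)]

if __name__ == "__main__":
    for policy in (FirewallPolicy("public"),
                   FirewallPolicy("whitelist", [CONSULTANT_OFFICE_RANGE]),
                   FirewallPolicy("closed")):
        allowed, denied = evaluate(policy, SAMPLE_ATTEMPTS)
        print(f"{policy.mode:9s} allowed={Counter(allowed)} denied={Counter(denied)}")
        print(f"{'':9s} failed logins reaching the DB: "
              f"{dict(login_failures_per_source(policy, SAMPLE_ATTEMPTS))}")
```

Running it shows the trade-off the article describes: with "public" the bot’s 50 failed logins all reach the database, with "whitelist" the bot is dropped at the firewall but so is the consultant working from the cafe, and with "closed" nobody gets in directly, which is the point at which a VPN or SSH tunnel becomes the way in.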

2. VPN and SSH tunnel

2.1. VPN

The idea of a VPN is: you connect remotely to a machine on the private network called the VPN server (let’s name this machine A). After that, all requests from your local machine are sent from machine A. See the diagram below for more details.

[Diagram: Re-routing requests after connecting to VPN server]

Because the request to your database is made from a machine within the private network, it can definitely get through.

One main thing to remember about a VPN is: after establishing the VPN connection, ALL requests from your local machine are sent from the VPN server. So when you go to Google or StackOverflow, you are sending requests to these websites from the VPN server. This means that if the administrator allows the VPN server to send requests to the Internet, you can still access these websites. If not, you cannot access anything on the Internet. That’s why sometimes, after connecting to a VPN, you have no Internet access.

2.2. SSH tunnel

The idea of an SSH tunnel is: you connect remotely to a machine on the private network called the SSH tunnel server (let’s name this machine B), and then specify the IP of the database you want to access. After that, all requests from your machine to the database are sent from machine B. See the diagram below for more details.

[Diagram: Re-routing requests after connecting to SSH tunnel]

As with a VPN, because the request to your database is made from a machine within the private network, it can definitely get through.

One main thing to remember about an SSH tunnel is: after establishing the SSH tunnel connection, ONLY requests to the database are sent from the SSH tunnel server. Everything else is sent from your local machine, as usual. So when you go to Google or StackOverflow, you are sending the requests to these websites from your own local machine, not from the SSH tunnel server. This means that whether or not the administrator allows the SSH tunnel server to send requests to the Internet, you can still access the Internet.

2.3. VPN vs SSH tunnel and when to use which

From the definitions above, we can see the similarities and differences between a VPN and an SSH tunnel:

Similarities:

  • Both are used to allow people outside the private network, from any location, to access resources within the private network
  • The basic idea of both is to remotely connect to a server and send requests from that server

Differences:

  • VPN
    • After remote connection, all requests are sent from the server
    • Use this when your work requires connecting to multiple resources in the private network.
  • SSH tunnel
    • After remote connection, only requests to the specified resource are sent from the server. Requests to other destinations are sent from your local machine.
    • Use this when your work requires connecting to a few certain resources in the private network.

——–

Example: you are a consultant who must connect to a customer’s private network, which offers both a VPN and an SSH tunnel. Neither the VPN server nor the SSH tunnel server has access to the Internet.

Use case 1: you need to connect to 4 separate databases, and possibly some more resources in the private network.

  • Using VPN: after connecting to the VPN, you can send requests to all 4 databases and any other resources in the private network successfully. However, when you need to visit Google, you need to disconnect the VPN.
  • Using SSH tunnel: you need to remotely connect to the SSH server and port forward to the addresses of the 4 databases. When you need to visit other resources on the private network, you need to re-establish the SSH connection and port forward to the new address. However, when you need to visit Google, you don’t need to disconnect the SSH tunnel.

Using an SSH tunnel in this situation is clunkier, so it’s better to use the VPN instead.

Use case 2: you only need to connect to 1 database in the private network.

  • Using VPN: after connecting to the VPN, you can send requests to the database successfully. However, when you need to visit Google, you need to disconnect the VPN.
  • Using SSH tunnel: you need to remotely connect to the SSH server and port forward to the address of the database. When you need to visit Google, you don’t need to disconnect the SSH tunnel.

Using an SSH tunnel in this situation is very convenient, unlike the VPN, so it’s better to use the SSH tunnel.
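The "port forward" step in section 2.2 and in both use cases above is OpenSSH local forwarding (ssh -L). The following added example, which is not code from the original article, builds the exact ssh command line for use case 1 and use case 2 and checks that a forwarded port is listening. It goes slightly beyond the text in one respect: OpenSSH accepts several -L options in one command, so the four database forwards of use case 1 can be opened in a single session; forwarding to an address that was not listed still needs a new session, as the article says. The server name bastion.example.com, the user name consultant, and the 10.0.0.x database addresses and ports are constructed for the example.

```python
"""Added example (not from the original article): assemble the OpenSSH
command for local port forwards so that the forwarded ports bind only to
loopback and the client fails fast if a forward cannot be set up.
Host names, addresses, ports and user names are constructed."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    local_port: int    # port on your own machine that the DB client connects to
    remote_host: str   # database address as seen from the SSH tunnel server
    remote_port: int   # database port inside the private network

    def as_option(self) -> str:
        """Argument for -L: bind_address:local_port:remote_host:remote_port.
        Binding to 127.0.0.1 explicitly keeps the forwarded port off the
        LAN/Wi-Fi you happen to be on (cafe, shared office)."""
        for p in (self.local_port, self.remote_port):
            if not 1 <= p <= 65535:
                raise ValueError(f"port out of range: {p}")
        return f"127.0.0.1:{self.local_port}:{self.remote_host}:{self.remote_port}"


def ssh_tunnel_argv(ssh_server: str, user: str, forwards) -> list:
    """argv for an SSH session that carries only the listed forwards.
    -N                           no remote shell, just the tunnel
    -o ExitOnForwardFailure=yes  abort instead of silently running without a forward
    -o ServerAliveInterval=30    notice a dead link instead of hanging forever"""
    if not forwards:
        raise ValueError("an SSH tunnel needs at least one forward")
    argv = ["ssh", "-N",
            "-o", "ExitOnForwardFailure=yes",
            "-o", "ServerAliveInterval=30"]
    for fwd in forwards:
        argv += ["-L", fwd.as_option()]
    argv.append(f"{user}@{ssh_server}")
    return argv


def forwarded_ports(argv: list) -> list:
    """Return the -L option values from an argv built above (handy for checks)."""
    return [argv[i + 1] for i, a in enumerate(argv) if a == "-L"]


def tunnel_is_up(local_port: int, timeout: float = 1.0) -> bool:
    """True if something is listening on the forwarded loopback port, i.e. the
    ssh client has bound it.  Only traffic to this port goes through the
    tunnel; everything else leaves your machine as usual."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex(("127.0.0.1", local_port)) == 0


# Use case 1: four databases, one -L each, in a single SSH session.
USE_CASE_1 = [Forward(15432 + i, f"10.0.0.{10 + i}", 5432) for i in range(4)]
# Use case 2: a single database.
USE_CASE_2 = [Forward(15432, "10.0.0.10", 5432)]

if __name__ == "__main__":
    for name, fwds in (("use case 1", USE_CASE_1), ("use case 2", USE_CASE_2)):
        print(name + ":", " ".join(ssh_tunnel_argv("bastion.example.com", "consultant", fwds)))
    # After starting that command, point the database client at 127.0.0.1:15432.
    print("port 15432 listening:", tunnel_is_up(15432))
```

Once the printed command is running, the database client is pointed at 127.0.0.1:15432 (or 15433 to 15435 for the other three databases) rather than at the private address; the SSH client accepts the connection locally and the SSH tunnel server makes the actual connection to 10.0.0.10:5432 on your behalf, which is the re-routing the diagram in section 2.2 describes.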

——–

Thank you for reading this. Hopefully it helps you understand VPN and SSH tunnel a little better.