Identity management for WireGuard

Posted Oct 19, 2022 4:55 UTC (Wed) by intelfx (subscriber, #130118)
In reply to: Identity management for WireGuard by donald.buczek
Parent article: Identity management for WireGuard

> But we very much prefer to teach people to use ssh with a socks tunnel and configure their browsers to use it instead. People just keep asking vor VPN because they think they need it and we talk them into ssh.

Well, I would very much prefer *not* to use ssh -D, exactly for the reasons discussed above which are inherent to any TCP-over-TCP tunneling solution.

It does work okay-ish for one-off management & rescue tasks, but for anything remotely serious? I'd like my OpenVPN, complete with all the routing automation and split DNS forwarding, thank you very much, and please leave the security theater at the door.

Identity management for WireGuard

Posted Oct 19, 2022 14:30 UTC (Wed) by patrakov (subscriber, #97174) [Link]

SSH SOCKS tunneling is not a TCP-over-TCP tunneling solution. It works on byte streams, not TCP packets. TCP connections are terminated by the SSH server.

Identity management for WireGuard

Posted Oct 20, 2022 5:34 UTC (Thu) by donald.buczek (subscriber, #112892) [Link]

> Well, I would very much prefer *not* to use ssh -D, exactly for the reasons discussed above which are inherent to any TCP-over-TCP tunneling solution.

I can just say, that I work like that all day (even with an additional ProxyJump) when in home office and I don't notice any difference in my browser when I go to public sites whether socks proxy is on or not.