I want to remotely SSH to my home server, and I was wondering: if I just forward port 22, disable password login and use pubkey authentication, will that be safe enough?

  • @kaipeeB
    37 months ago

    How is a VPN service more secure than an SSH service?

    Both accept login.

    Both can be brute forced if using a password.

    • @Internal-Initial-835B
      17 months ago

      Generally speaking, a VPN is easier to set up securely out of the box for most, especially with limited knowledge. You can choose a random port and then have access to any server on your network. Scanners won’t usually test all ports unless they find something that’s tempting.

      Normally just the normal ports will be poked including 22. SSH can be secured well but not without jumping through a few hoops. It’s easier imho to accidentally allow access through incorrect ssh setup than vpn.

      When you think a VPN has been developed with this exact purpose in mind, it’s fair to assume the protection will be better out of the box. If you have a VPN then a hacker needs to get through the VPN and then also the SSH, so there’s not really any disadvantage to using a VPN and then also hardening SSH if you want to.

      It’s about making things difficult. Nobody is going to spend days or weeks battering a vpn if they don’t think there’s anything useful behind it. A VPN also shows somewhat that you’ve given things consideration and are not an easy target.

      Don’t get me wrong. If somebody is determined enough and has the resources then they will find a way but given the choice between an easy target and one that’s ever so slightly more difficult, they will almost always go for the easiest.

        • @Internal-Initial-835B
          17 months ago

          A “top” audit company pushing their own agenda.

          OpenVPN is simple and easy to deploy on any major operating system. pfSense or similar is easy to set up and run in a VM. That does all the hard work for you and creates a profile. Then you essentially copy or download that profile to the client machine and you’re done. It’s all done via GUI or web interface so is easier for a lot of people. My sister managed it. She wouldn’t have been able to handle command line stuff.

          Like I said before though, why not use a VPN and also harden your SSH? I can’t see a downside to that.

          It’s just my opinion and experience from working with both. You’re welcome to disagree and do your own thing though of course :)

    • @sdR-h0m13B
      17 months ago

      WireGuard uses UDP and will not respond if the attacker doesn’t have the correct key. So the port used by WG will appear as a closed port.
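
For the setup in the original question (port 22 forwarded, password login off, pubkey only), a check of the effective OpenSSH server configuration. This is an added example, not code from anyone in the thread. It parses the output of `sshd -T` and flags settings that still allow a non-key login, such as keyboard-interactive authentication left on, which can still prompt for a password through PAM. The accepted values in `REQUIRED` and the sample dump are assumptions constructed for illustration.

```python
import sys

# Assumed policy for a key-only, internet-facing sshd: keyword -> accepted values.
# Keyboard-interactive is listed under both its current and its legacy name.
REQUIRED = {
    "pubkeyauthentication": {"yes"},
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}


def parse_effective_config(text):
    """Parse `sshd -T` lines ("keyword value ...") into a lowercase dict."""
    config = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            config[parts[0].lower()] = parts[1].strip().lower()
    return config


def audit(text):
    """Return sorted (keyword, value) pairs that violate REQUIRED.

    Keywords absent from the dump are skipped, since older and newer
    OpenSSH releases print different names for the same option.
    """
    config = parse_effective_config(text)
    return sorted((k, config[k]) for k, ok in REQUIRED.items()
                  if k in config and config[k] not in ok)


# Constructed sample: passwords "disabled", but two other doors left open.
SAMPLE = """\
port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
"""

if __name__ == "__main__":
    # Usage: sudo sshd -T | python3 audit_sshd.py  (no pipe: audits SAMPLE)
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for keyword, value in audit(data):
        print(f"FINDING: {keyword} = {value}")
```

Auditing `sshd -T` rather than `sshd_config` itself picks up values set by included drop-in files and compiled-in defaults, which is where a setting the admin believes is off can remain on.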