1. 9
  1.  

  2. 8

    This really is an apples to oranges comparison - and it didn’t have to be. Yes, you can tunnel ports with ssh (oranges).. but you can also do full on (layer 1, layer2) Virtual Private Networking (apples)!

    From the ssh(1) man page:

    SSH-BASED VIRTUAL PRIVATE NETWORKS
         ssh contains support for Virtual Private Network (VPN) tunnelling using
         the tun(4) network pseudo-device, allowing two networks to be joined
         securely.  The sshd_config(5) configuration option PermitTunnel controls
         whether the server supports this, and at what level (layer 2 or 3
         traffic).
    
         The following example would connect client network 10.0.50.0/24 with
         remote network 10.0.99.0/24 using a point-to-point connection from
         10.1.1.1 to 10.1.1.2, provided that the SSH server running on the gateway
         to the remote network, at 192.168.1.15, allows it.
    
         On the client:
    
               # ssh -f -w 0:1 192.168.1.15 true
               # ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
               # route add 10.0.99.0/24 10.1.1.2
    
         On the server:
    
               # ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
               # route add 10.0.50.0/24 10.1.1.1
    
         Client access may be more finely tuned via the /root/.ssh/authorized_keys
         file (see below) and the PermitRootLogin server option.  The following
         entry would permit connections on tun(4) device 1 from user “jane” and on
         tun device 2 from user “john”, if PermitRootLogin is set to
         “forced-commands-only”:
    
           tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
           tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
    
         Since an SSH-based setup entails a fair amount of overhead, it may be
         more suited to temporary setups, such as for wireless VPNs.  More
         permanent VPNs are better provided by tools such as ipsecctl(8) and
         isakmpd(8).
    
    1. 1

      Isn’t simple tunneling over SSH prone to TCP-over-TCP issues? Something like sshuttle would avoid these, as should OpenVPN over UDP.