
Basically I want to route all my internet traffic (http, https) out to another network (hosted network) and make it encrypted to the end node (hosted network). I can do this right now via SSH port forwarding and SOCKS on Firefox/other applications.

But let's say I want to do it LAN-wide. I would either need to route all TCP/UDP traffic to the SSH server, which will forward the traffic through the SOCKS proxy, right?

Or I could use a VPN, right? However, here's the kicker and the reason I do not want to use a VPN: some of the traffic I don't need encrypted. For example, I don't need RDP or SFTP traffic encrypted. That's why I am only trying to encrypt "internet" (http/https protocol) traffic. Could I limit what type of traffic is routed via the VPN? I guess as long as my router comes before my VPN client, I can tell the client which traffic to listen to?

1 Answer

In principle you can do whatever you like. For instance, if your router is a Linux PC, or runs DD-WRT, OpenWRT, or Tomato as its OS, you can build an OpenVPN connection which connects to the remote network, but only forwards HTTP/HTTPS traffic (or whichever port you are using). The advantage is the centralized control: one single installation covering all of your machines, even those, like an Xbox, over which you have no control.

But, on the other hand, using a similar trick (see later), you can do the very same with SSH+SOCKS. So, it is really up to you.

The trick is to have two routing tables, using what is called policy/source routing. You can have a routing table for the OpenVPN connection, and another routing table which is your usual table without the VPN. You find a concise but sufficient intro to the topic here.

The whole trick is choosing, as the rule for which routing table to apply, the destination port: if the destination port is 80 or 443, then choose the routing table through the VPN; otherwise choose the traditional routing table.

It's fun and easy; it is just a bit of work.

  • Awesome. Just what I am looking for! Commented Nov 24, 2015 at 21:43
  • P.S. I do have a DD-WRT router and connect from the built-in OpenVPN client to an OpenVPN server. iptables should do the trick, if I can figure them out. Thanks! Commented Nov 24, 2015 at 21:49
  • Forgot to add, what you mention is just what I am looking for. Commented Nov 24, 2015 at 21:50
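The port-based policy routing the answer describes, written out as an added example (this is not code from the answer or from any of the named firmware projects). It assumes a Linux router where the LAN bridge is `br0`, the OpenVPN client interface is `tun0`, a spare routing table number `100`, and firewall mark `0x1`; all of those are assumptions and can be overridden through environment variables. The script defaults to a dry run that only prints the commands, so it can be reviewed before being applied with `DRY_RUN=0` as root.

```shell
#!/bin/sh
# Added example: route only LAN traffic to TCP 80/443 through the VPN table,
# leave everything else (RDP, SFTP, ...) on the normal default route.
# Assumed names (not from the original post): br0, tun0, table 100, mark 0x1.

LAN_IF="${LAN_IF:-br0}"          # assumed LAN-side interface
VPN_IF="${VPN_IF:-tun0}"         # assumed OpenVPN client interface
VPN_TABLE="${VPN_TABLE:-100}"    # assumed spare routing table id
FWMARK="${FWMARK:-0x1}"          # assumed firewall mark for "send via VPN"
DRY_RUN="${DRY_RUN:-1}"          # 1 = print commands only, 0 = execute

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the mark rules, the policy rule and the VPN-only routing table.
# $1 is a space-separated list of destination TCP ports to send via the VPN.
setup_policy_routing() {
    ports="$1"
    for p in $ports; do
        # Mark forwarded LAN packets by destination port as they enter the router.
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$p" \
            -j MARK --set-mark "$FWMARK"
    done
    # Marked packets consult the VPN table before the main table.
    run ip rule add fwmark "$FWMARK" table "$VPN_TABLE" priority 100
    # The VPN table has a single default route: out of the tunnel.
    run ip route add default dev "$VPN_IF" table "$VPN_TABLE"
    run ip route flush cache
    # Source-NAT what leaves the tunnel so replies come back through tun0.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # Loose reverse-path filtering on tun0; strict mode would drop the
    # asymmetric replies this setup creates.
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
}

# Helper for checking the generated command set: number of MARK rules emitted.
count_mark_rules() {
    setup_policy_routing "$1" | grep -c -- '--set-mark'
}

# Usage: review the commands for HTTP and HTTPS (dry run by default).
setup_policy_routing "80 443"
```

Two points that decide whether this works on a real router: the OpenVPN client must not replace the main default route (no pushed `redirect-gateway`, or start the client with `route-nopull`), otherwise the "traditional" table the answer relies on is gone; and the rules should be installed after `tun0` is up, e.g. from the client's `up` script or the firmware's firewall hook, since the table's default route references that interface.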
