Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

SSH Tunneling is really that slow?
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

SSH Tunneling is really that slow?

TiagoTiago Member
edited October 2011 in General

I've been doing a quite few tests over the last months and noticed that SSH Tunneling is around 5 to 10 times slower than a HTTP Proxy. In a busy wireless network (at my university), I could get around 100 KB/s (1 Mbps) using a tunneled connection. But if at the same time I switch to the Squid proxy running on the same VPS, I could get more than 500 KB/s (5 Mbps). I mean, the problem isn't the university network or wireless hotspot.

I thought this could be happening because of higher CPU usage on the VPS when using SSH (compression/encryption/etc), but it is not. Is there anything I could do about that? Or tunneled connections is really much slower than a HTTP proxy?


  • No Its Not Slow !

    You're on busy wireless netwokr.. maybe SSL traffic is throttled.. HTTP traffic is proxied and cached..

  • Well, I'm not sure, but my experience says if you use multiple connections (HTTP proxy) you will gain speed versus one connection (Socks). Maybe is like that?

    Also, consider the extra latency to the VPS

  • fanfan Veteran

    Well, encrypted SSH tunneling is slow and without multithreading, then connections may hang there with no response, in an extreme case, this can make firefox's cpu usage to 100%. Adding a http proxy will help some, but the ultimate solution is openvpn.

    Thanked by 2Tiago LowEndAdmin
  • Generally, ssh tunnel is slow due to it being tcp over tcp when you use it to tunnel tcp traffic like http/https etc.

  • I made quite some experiment, and YES, simple ssh tunneling is much slower than http proxying. Busy or not, throttled or not, it's not the question.

    yomero said: Well, I'm not sure, but my experience says if you use multiple connections (HTTP proxy) you will gain speed versus one connection (Socks). Maybe is like that?

    I always thought - without looking further - it was the reason.

  • fanfan Veteran

    Of course, multithreading and pipelining is now a common feature in modern browsers.

    twochair said: Generally, ssh tunnel is slow due to it being tcp over tcp when you use it to tunnel tcp traffic like http/https etc.

  • Thank you, guys! I've not realized that a tunnel can only handle one connection at a time. I'll be doing some tests with OpenVPN.

  • yomeroyomero Member
    edited October 2011

    No, the tunnel can handle multiple connections (download two files at the same time), but you are using really just one connection, the SSH itself.

  • mrm2005mrm2005 Member
    edited October 2011

    You can try this : use a proxy software like Polipo with your ssh tunnel.

    1) make your ssh tunnel >> usually : 1080 is your socks proxy.

    2) Edit Polipo Configuration File and add your local socks proxy as the server.

    3) Run Polipo in Command Line with -c switch and your configuration filename.

    4) use Polipo as normal http proxy in your browser : usually

    With this configuration i usually have a very good speed.

  • Hmmm, IMHO that is adding more overhead

  • Hello, id really appreciate some help configuring and allowing UPD thru my ssh proxy...

    I googled it, cant find anything that works, thank You in advance

  • kristalkristal Banned
    edited October 2011

    yeah, working on it, so far im stuck on a problem:

    cant grab with bind

  • I have had 80 Mbps+ before through a standard SSH tunnel set up in PUTTY on the LAN. CPU utilisation on one core was the limiting factor.

  • Did somebody tell him yet that 5megabit != 500kb/s ?

  • fanfan Veteran

    yomero said: Hmmm, IMHO that is adding more overhead

    That's obviously faster, really.

  • @ztec Did you saw the words "around" and "more than", Master of the Obvious?

  • GaryGary Member
    edited October 2011

    yeah, but 5mbit is nowhere near 500kb/s. If he'd said 500kB/s then perhaps.

    edit: just noticed that it's ztec who's mixing bits and bytes, not the op.

  • dmmcintyre3dmmcintyre3 Member
    edited October 2011


    I have no speed issues with SSH tunneling on my Mac. Command used to connect:

    ssh -D 8080 {host} -N 
  • guys please need help, googled and there are no results (!?)

    cant grab with bind

  • kristal , wrong thread? And you can't bind to that IP, as i'm sure that doesnt exist.

  • it means my all my local ips, nevermind

  • @rajprakash: When binding a socket, is a wildcard and means the daemon wants to listen on all of the host's available addresses (though whether it includes IPv6 addresses differs from OS to OS).

    If you specify a real address instead, it means that the daemon will only listen on that one address, and that same port number is then unused on all of the host's other IPs. That can be useful if you want multiple copies of a daemon running on different IP addresses, or it can be used to "protect" a daemon and only make it accessible via a single address or interface. Like binding an admin interface to to allow connections from localhost only, or a host which only runs a web server on a VPN address.

  • good one, now please explain why:

    cant grab with bind

    when following

    thank u :-)

  • @fanovpn: Ahh, OK. Im with ya now. Bah, application specific oddities. :)

  • @kristal: What program is showing that error (ssh? netcat? socat?), and is that when running it on your local machine or your server? Maybe something is already using port 6667, have you checked (on whichever machine has the error) with "netstat -antp" (or "ss -antp" which is the Linux version of netstat) to see if anything is listed with port 6667 already under "Local Address"? Personally, I'd just setup OpenVPN instead if I were you.

    @rajprakash: It's actually a useful thing to know about in general because it's not really application-specific, it's part of how TCP/IP works on most every OS ("Berkeley sockets"). The term "bind" isn't referring to the ISC's DNS server, it's the general function call used by all software to tell an OS that the software wants to use a specific address and port. So almost ever network daemon makes it configurable which address it will bind to, with usually being the default.

Sign In or Register to comment.