SSH Tunnel & OSSH
SSH Tunnel & OSSH
The bypass for networks that block everything but SSH. OrbVPN's SSH Tunnel routes your traffic through an SSH connection — and OSSH scrambles even the SSH handshake into random-looking bytes, so deep packet inspection has nothing to fingerprint.
What the SSH Tunnel Is
The SSH Tunnel is one of OrbVPN's five selectable protocols. It carries your traffic inside an SSH connection and bridges it to a full device tunnel, giving you a working VPN on networks that permit SSH but fingerprint and block conventional VPN signatures.
It is a deliberate last-resort path: SSH is allowed almost everywhere because administrators and developers rely on it, which makes it one of the hardest things for a censor to block outright. When WireGuard, VLESS, and OrbConnect are all being detected, the SSH Tunnel often still gets through.
Works Where Others Are Blocked
Many networks allow SSH for legitimate administration. The SSH Tunnel rides that allowance to give you a VPN path when VPN-shaped traffic is filtered.
OSSH Obfuscation
Obfuscated SSH transforms the SSH handshake into random-looking data, removing the tell-tale SSH banner so DPI cannot recognize it as SSH at all.
Strong, Modern Crypto
OSSH keys the obfuscation layer with Argon2id and encrypts it with ChaCha20, on top of SSH's own end-to-end encryption.
Full Device Tunnel
The SSH Tunnel bridges a SOCKS5 channel into a device-wide tunnel, so all your apps are protected — not just a single browser.
SSH Transport Modes
The SSH Tunnel carries four transport modes. Start with the most direct one and move toward heavier obfuscation only if your network needs it.
Direct SSH
Standard SSH connection. Fastest and simplest. Use it on networks that allow SSH without inspecting it.
Obfuscated SSH (OSSH)
Scrambles the SSH handshake with ChaCha20 keyed by Argon2id, so DPI sees random bytes instead of an SSH banner. Use it where plain SSH is recognized and throttled.
OSSH + WebSocket
Wraps OSSH inside a WebSocket connection so it looks like ordinary web traffic. Use it on networks that only permit HTTP-shaped traffic.
OSSH + CDN
Routes OSSH through the Cloudflare CDN. Maximum stealth — to block it a censor would have to block millions of legitimate websites at once.
How to pick a transport
Try Direct SSH first for speed. If the network fingerprints SSH, switch to OSSH. If non-HTTP traffic is blocked, use OSSH + WebSocket. Under the heaviest censorship, OSSH + CDN hides inside ordinary Cloudflare HTTPS. Or simply connect on Auto (Smart Connect) and let OrbVPN choose the right SSH transport for you.
When to Use the SSH Tunnel
Heavy DPI, SSH Allowed
A firewall fingerprints every VPN protocol but still permits SSH for administration. The SSH Tunnel — especially with OSSH — slips through.
Russia & East Asia
Networks that aggressively detect VPN signatures but tolerate SSH. OSSH variants are a strong fit here.
Everything Else Stalled
When WireGuard, VLESS, and OrbConnect all fail to pass traffic, the SSH Tunnel is your fallback bypass.
Corporate & Campus Networks
Environments that lock down ports but keep SSH open for engineers. The SSH Tunnel quietly rides the same allowance.
How to Connect via SSH
Disconnect Any Active Session
If you are connected on another protocol, disconnect first before switching.
Open the Protocol Selector
Go to the Protocol screen from the connection view, or open Settings and choose your protocol.
Select SSH Tunnel
Choose SSH Tunnel, then pick a transport: Direct SSH, Obfuscated SSH (OSSH), OSSH + WebSocket, or OSSH + CDN.
Choose a Server and Connect
Pick a server location and tap connect. Wait for the handshake and traffic verification to finish.
Confirm Your IP Changed
OrbVPN verifies that real traffic flows and your public IP changed. If the direct mode is fingerprinted, switch to an OSSH variant.
SSH Tunnel Troubleshooting
Direct SSH Refused or Throttled
The network likely recognizes the SSH handshake. Switch to OSSH so the handshake is scrambled into random bytes.
OSSH Still Blocked
Only HTTP-shaped traffic is getting through. Move to OSSH + WebSocket, or OSSH + CDN to ride Cloudflare HTTPS.
Slow on SSH
The SSH Tunnel carries more overhead than WireGuard. If your network allows it, prefer WireGuard or VLESS for speed and keep SSH as the bypass.
Not Sure Which Variant
Connect on Auto (Smart Connect). It tests the SSH transports in the right order for your region and verifies traffic before settling.
Pair with a manual region override
If you are in Russia, China, or Iran and the SSH chain is not leading correctly, set a manual region override so OrbVPN prioritizes the OSSH variants known to survive there. See the Region & Failover guide.
Get Through Where VPNs Are Blocked
When everything else is fingerprinted, the SSH Tunnel with OSSH obfuscation is your way out. Try it free.