mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-09 23:32:56 -04:00
graphene separate VPN section
This commit is contained in:
parent
b314041355
commit
78515a8c5a
3 changed files with 20 additions and 14 deletions
|
@ -122,7 +122,7 @@ To install additional software, [Sandboxed](/glossary/#sandboxing) Google Play c
|
|||
|
||||
Avoid F-Droid due to its numerous [security issues](https://www.privacyguides.org/en/android/#f-droid). The [Aurora Store](https://www.privacyguides.org/en/android/#aurora-store) has [some of the same security issues as F-Droid](https://privsec.dev/posts/android/f-droid-security-issues/#conclusion-what-should-you-do).
|
||||
|
||||
The approach we will take is that all applications needed in the Default user profile will be installed in the Owner user profile, using Sandboxed Google Play. In the Owner user profile, all installed applications (except the VPN) will be "disabled", because we only use these applications from the Default user profile. Then we'll use the **Install available apps** feature to delegate apps to the Default user profile.
|
||||
The approach we will take is that all applications needed in the Default user profile will be installed in the Owner user profile, using Sandboxed Google Play. In the Owner user profile, all installed applications will be "disabled", because we only use these applications from the Default user profile (except, [if you ever use the phone away from home](/posts/grapheneos/#force-all-network-traffic-through-a-vpn), a VPN app that needs to run in all profiles). Then we'll use the **Install available apps** feature to delegate apps to the Default user profile.
|
||||
|
||||
## Software from Sandboxed Google Play
|
||||
|
||||
|
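Review bot: the new parenthetical in the Owner-profile paragraph scopes the VPN exception correctly (only readers who use the phone away from home need it in every profile), but it is now a long aside in the middle of the sentence and the reader has to recover the main clause afterwards; consider splitting it out, e.g. "The one exception is a VPN app: if you ever use the phone away from home, it needs to run in every profile (see [Force all network traffic through a VPN](/posts/grapheneos/#force-all-network-traffic-through-a-vpn))." The anchor matches the `# Force All Network Traffic Through a VPN` heading added later in this commit, so the link resolves.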
@ -134,22 +134,14 @@ To install and configure Sandboxed Google Play:
|
|||
* Automatic updates are enabled by default on the Google Play Store: **Google Play Store Settings → Network Preferences → Auto-update apps**.
|
||||
* Notifications for Google Play Store and Google Play Services must be enabled for auto-updates to work: **Settings → Apps → Google Play Store / Google Play Services → Notifications**. If you get notifications from the Play Store that it wants to update itself, [accept them](https://discuss.grapheneos.org/d/4191-what-were-your-less-than-ideal-experiences-with-grapheneos/18).
|
||||
|
||||
### Installing a VPN
|
||||
|
||||
You are now ready to install applications from the Google Play Store. The first application we are going to install is a [VPN](/glossary/#vpn-virtual-private-network). If you can afford to pay for a VPN, we recommend both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). Otherwise, you can use RiseupVPN, although it has far fewer users to blend in with, and it doesn't meet several important [security criteria for VPN providers](https://www.privacyguides.org/en/vpn/#criteria), such as published security audits of its code and infrastructure. A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without [Monero](https://www.privacyguides.org/en/cryptocurrency/#monero). If you already use a VPN with [Tails](/posts/tails-best/#appendix-setting-up-a-vpn-on-a-router) or [Qubes OS](/posts/qubes/#create-a-vpn-qube), you can use the same subscription.
|
||||
|
||||
VPNs must be installed in each user profile separately. All standard GrapheneOS connections will be forced through the VPN (except for [connectivity checks](https://grapheneos.org/faq#default-connections), which can be optionally [disabled](https://privsec.dev/posts/android/android-tips/#connectivity-check)). We recommended using a VPN in every profile, for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
|
||||
|
||||
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks — especially those targeting messaging apps — more difficult to perform and less effective.
|
||||
|
||||
Using the example of RiseupVPN, once installed, accept the 'Connection request' prompt. A green display means that the VPN has been successfully connected. Note that **Always-on VPN** and **Block connections without VPN** are enabled by default on GrapheneOS. From now on, the VPN will connect automatically when you turn on your phone. Continue installing other apps — see [Encrypted Messaging for Anarchists](/posts/e2ee/) for ideas.
|
||||
You are now ready to install applications from the Google Play Store. See [Encrypted Messaging for Anarchists](/posts/e2ee/) for ideas.
|
||||
|
||||
### Delegating apps
|
||||
|
||||
Now we will delegate apps to the profiles they are needed in:
|
||||
|
||||
* In the Owner profile, disable all applications downloaded from the Play Store except for the VPN: **Settings → Apps → [Example] → Disable**.
|
||||
* To install Riseup VPN (or any other app) in the Default user profile: **Settings → System → Multiple users → Default → Install available apps**, then select Riseup VPN.
|
||||
* In the Owner profile, disable all applications downloaded from the Play Store (except for the VPN): **Settings → Apps → [Example] → Disable**.
|
||||
* To install any app in the Default user profile: **Settings → System → Multiple users → Default → Install available apps**, then select it.
|
||||
|
||||
## Software That Isn't On the Play Store
|
||||
|
||||
|
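Review bot: the rewritten delegation step still says "(except for the VPN)" unconditionally, while the Owner-profile paragraph earlier in this commit now treats the VPN as optional, for readers who use the phone away from home; a reader who stays at home and never installed a VPN will look for one to keep enabled. Suggest "(except for a VPN app, if you installed one)" so the two passages agree. The second bullet's "then select it" reads fine now that the RiseupVPN example is gone.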
@ -171,6 +163,20 @@ A Wi-Fi only smartphone doesn't require a service plan. As explained in [Kill th
|
|||
|
||||
Some of the VoIP applications [that work on computers](/posts/nophones#bureaucracy) also work on smartphones. The [jmp.chat](https://www.kicksecure.com/wiki/Mobile_Phone_Security#Phone_Number_Registration_Unlinked_to_SIM_Card) VoIP service can be paid for in Bitcoin, and it can be used with their [Cheogram app](https://cheogram.com/). There are also mobile-only paid options such as MySudo (although it only works in a [handful of countries](https://support.mysudo.com/hc/en-us/articles/360019983274-Which-countries-are-supported-for-Sudo-phone-numbers)). A MySudo subscription can be purchased anonymously with [Google Play gift cards](https://support.google.com/googleplay/answer/3422734), but this is probably unnecessary if the point is to give the number to bureaucracies. MySudo requires Google Play Services.
|
||||
|
||||
# Force All Network Traffic Through a VPN
|
||||
|
||||
It is best to force all of GrapheneOS's network traffic through a [VPN](/glossary/#vpn-virtual-private-network) — this puts your trust in your VPN instead of an inherently untrustworthy Internet Service Provider. As the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/) notes:
|
||||
|
||||
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks — especially those targeting messaging apps — more difficult to perform and less effective.
|
||||
|
||||
There are two ways you can run a VPN: from your phone or from your networking device (either a router or a hardware firewall). When using your phone from home, we recommend the latter.
|
||||
|
||||
You don't want to "double up" a VPN — if its running on your networking device, it shouldn't be running on your phone, and vice-versa. This means that a phone running a VPN should disable it before connecting to Wi-Fi configured with a "VPN Kill Switch", or alternatively, connect to a non-VPN Wi-Fi.
|
||||
|
||||
If you ever use the phone away from home, you should configure GrapheneOS to force all network traffic through a VPN — install the VPN app in every user profile. All standard GrapheneOS connections will be forced through the VPN (except for [connectivity checks](https://grapheneos.org/faq#default-connections), which can be optionally [disabled](https://privsec.dev/posts/android/android-tips/#connectivity-check)). Note that **Always-on VPN** and **Block connections without VPN** are enabled by default on GrapheneOS. Keep in mind that you will have to disable the VPN app before connecting to your home's "VPN Kill Switch" Wi-Fi.
|
||||
|
||||
If you can afford to pay for a VPN, we recommend both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). Otherwise, you can use RiseupVPN, although it has far fewer users to blend in with, and it doesn't meet several important [security criteria for VPN providers](https://www.privacyguides.org/en/vpn/#criteria), such as published security audits of its code and infrastructure. A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without [Monero](https://www.privacyguides.org/en/cryptocurrency/#monero).
|
||||
|
||||
# Tor
|
||||
|
||||
You may want to use [Tor](/glossary/#tor-network) from a smartphone. However, if you need the anonymity of Tor rather than the privacy of Riseup VPN, you should use [either Qubes OS or Tails](/posts/qubes/#when-to-use-tails-vs-qubes-os) on a computer. The [Graphene docs](https://grapheneos.org/usage#web-browsing) recommend avoiding Gecko-based browsers like Tor Browser, as these browsers "do not have internal sandboxing on Android." Orbot is an app that can route traffic from any other app on your device through the Tor network, but simply using the Vanadium browser through Orbot is [not recommended by the Tor Project](https://support.torproject.org/tbb/tbb-9/).
|
||||
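Review bot: the instruction to "disable the VPN app before connecting to your home's 'VPN Kill Switch' Wi-Fi" sits two lines after the note that **Always-on VPN** and **Block connections without VPN** are enabled by default; with those settings on, disconnecting inside the VPN app leaves the phone with no network at all until the always-on setting is switched off, so say which setting to turn off rather than "disable the VPN app". Two smaller points: "if its running" should be "if it's running" (the sentence was copied from the Qubes post, which has the same typo), and the subscription paragraph drops the sentence from the removed "Installing a VPN" subsection that an existing Tails or Qubes OS VPN subscription can be reused, which still applies here and is worth carrying over.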
@ -306,7 +306,7 @@ When using the Internet from home, it is best to use a [VPN](/glossary/#vpn-virt
|
|||
|
||||
There are two ways you can run a VPN: from your laptop or from your networking device (either a router or a hardware firewall). When using your laptop from home, we recommend the latter.
|
||||
|
||||
You don't want to "double up" a VPN — if its running on your networking device, it shouldn't be running on your laptop, and vice-versa. This means that any laptops running a VPN should disable it before connecting to a "VPN Kill Switch" access point, or alternatively, they can connect to a non-VPN access point.
|
||||
You don't want to "double up" a VPN — if its running on your networking device, it shouldn't be running on your laptop, and vice-versa. This means that a laptop running a VPN should disable it before connecting to an access point (whether Wi-Fi or ethernet) configured with a "VPN Kill Switch", or alternatively, connect to a non-VPN access point.
|
||||
|
||||
However, it's still valuable to know how to configure Qubes OS to force all network traffic through a VPN, for when you are using the laptop away from home. This involves creating a VPN qube. If you never use Qubes OS away from home, you can [skip ahead to the next topic](/posts/qubes/#how-to-use-devices-like-usbs). Keep in mind that you will have to revert these changes before connecting to your home's "VPN Kill Switch" access point.
|
||||
|
||||
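Review bot: since this sentence is being rewritten anyway, fix the pre-existing typo "if its running" to "if it's running"; the same sentence is duplicated into the GrapheneOS post in this commit, so fix both copies or they will drift. The added "(whether Wi-Fi or ethernet)" clarification is useful; "Ethernet" is normally capitalised.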
@ -15,7 +15,7 @@ a4="router-a4.pdf"
|
|||
letter="router-letter.pdf"
|
||||
+++
|
||||
|
||||
A "home network" is the network that connects your devices to the Internet and each other. The "networking devices" that create this home network are called a router (specialized in "routing" network traffic from your devices to the Internet) and a hardware firewall (specialized in compartmentalizing your home network), although their functions overlap. For instance, routers usually also have some basic firewall capabilities. Another way of thinking about it is that a home network is the *"intranet"* sealed off by your network devices into a *private* network, in contrast to the *Internet* which is a *public* network accessible to anyone.
|
||||
A "home network" is the network that connects your devices to the Internet and each other. The "networking devices" that create this home network are called a router (specialized in receiving network traffic from your devices via an "Access Point" and "routing" it onwards to the Internet) and a hardware firewall (specialized in enforcing "firewall rules" and compartmentalizing your home network), although their functions overlap. For instance, routers usually also have some basic firewall capabilities. Another way of thinking about it is that a home network is the *"intranet"* sealed off by your network devices into a *private* network, in contrast to the *Internet* which is a *public* network accessible to anyone.
|
||||
|
||||
We recommend setting up your home network with a hardware firewall that runs the [OPNsense](https://www.privacyguides.org/en/router/#opnsense) operating system, paired with a router that runs the [OpenWrt](https://www.privacyguides.org/en/router/#openwrt) operating system. Although you can get by with just a router, a hardware firewall will enable a more secure set up. In this configuration, the OPNsense firewall does all of the heavy lifting, and the OpenWrt router is limited to the role of a "Wi-Fi Access Point" for your devices to connect to.
|
||||
|
||||
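Review bot: the new router definition folds the access point into the router ("receiving network traffic from your devices via an 'Access Point'"), but the unchanged paragraph below then limits the OpenWrt router to the role of a "Wi-Fi Access Point" while the OPNsense firewall does the heavy lifting, so the definition and the recommended setup no longer line up; consider stating that the access-point role can be separated from routing, and that in the recommended setup the firewall does the routing. Also, this hunk changes the router post while the commit message only mentions the GrapheneOS VPN section; a short mention in the message would help anyone reading the log later.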