Home Network Security outline

This commit is contained in:
anarsec 2024-04-26 23:30:09 +00:00
parent 15b23bb7b9
commit b314041355
No known key found for this signature in database
3 changed files with 126 additions and 64 deletions


@ -304,23 +304,22 @@ When using the Internet from home, it is best to use a [VPN](/glossary/#vpn-virt
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks — especially those targeting messaging apps — more difficult to perform and less effective.
For your VPN provider, we recommend either [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) or [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without [Monero](https://www.privacyguides.org/en/cryptocurrency/#monero).
There are two ways you can run a VPN: from your laptop or from your networking device (either a router or a hardware firewall). When using your laptop from home, we recommend the latter.
There are two ways you can run a VPN: from your laptop or from your router. You don't want to "double up" a VPN so if its running on your router, it shouldn't be running on your laptop, and vice-versa.
You don't want to "double up" a VPN — if its running on your networking device, it shouldn't be running on your laptop, and vice-versa. This means that any laptops running a VPN should disable it before connecting to a "VPN Kill Switch" access point, or alternatively, they can connect to a non-VPN access point.
**Running a VPN from your router**: If you mostly use Qubes OS from home, we recommend [running the VPN from your router](/posts/tails-best/#appendix-setting-up-a-vpn-on-a-router), which requires no configuration of Qubes OS. If this is the approach you choose, you can [skip ahead to the next topic](/posts/qubes/#how-to-use-devices-like-usbs).
**Running a VPN from your laptop**: If you regularly use Qubes OS away from home, we recommend creating a VPN qube that runs the VPN client app. If you configure Qubes OS to force all networking through the VPN qube, the laptop should connect to a VLAN of the router which is **not** running a VPN.
However, it's still valuable to know how to configure Qubes OS to force all network traffic through a VPN, for when you are using the laptop away from home. This involves creating a VPN qube. If you never use Qubes OS away from home, you can [skip ahead to the next topic](/posts/qubes/#how-to-use-devices-like-usbs). Keep in mind that you will have to revert these changes before connecting to your home's "VPN Kill Switch" access point.
## Creating a VPN qube
For your VPN provider, we recommend either [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) or [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without [Monero](https://www.privacyguides.org/en/cryptocurrency/#monero).
To create a VPN qube, follow the guide for [the Mullvad app](https://privsec.dev/posts/qubes/using-mullvad-vpn-on-qubes-os/) or the [the IVPN app](https://forum.qubes-os.org/t/ivpn-app-4-2-setup-guide/23804). We'll assume that you named the new VPN qube `sys-vpn`. It will force all network traffic through the VPN before it reaches `sys-firewall`.
### Configure qubes that were using sys-firewall
### Configure non-Tor qubes that you will use
* Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Switch the default net qube from `sys-firewall` to `sys-vpn`.
* Then, go to debian-12-dvm's **Settings → Basic** tab and change the net qube to `sys-vpn`.
* Do the same for any other disposables or App qubes that were already created which used `sys-firewall` for their net qube.
* For any disposables or App qubes you will be using while away from your home Wi-Fi, go to their **Settings → Basic** tab and change the net qube from `sys-firewall` to `sys-vpn`. For example, make this change for debian-12-dvm.
* To not forget to revert the change, do so before shutting down the laptop.
To understand this configuration, it may help to visualize the qubes involved in networking for debian-12-dvm:
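Review bot: the rewritten "double up" sentence has the typo "its running" (should be "it's running"), and it introduces a "VPN Kill Switch" access point that nothing in this file defines or links to; point it at the router setup appendix already linked from the **Running a VPN from your router** paragraph (/posts/tails-best/#appendix-setting-up-a-vpn-on-a-router) or wherever those access points are named. The new wording is also inconsistent with its neighbours: the opening sentence now says "networking device (either a router or a hardware firewall)" while the bold heading still says "from your router", and the laptop paragraph says to connect to "a VLAN of the router which is **not** running a VPN" where the sentence above calls the same thing "a non-VPN access point". Finally, "To not forget to revert the change, do so before shutting down the laptop" reads awkwardly; "So that you don't forget to revert this change, do it before shutting down the laptop" is clearer.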
@ -331,13 +330,12 @@ To understand this configuration, it may help to visualize the qubes involved in
| `sys-vpn` | The VPN qube you created | sys-firewall |
| debian-12-dvm | Your disposable Debian qube | `sys-vpn` |
### Configure Whonix-Gateway
### If you will use Whonix-Workstation, then configure sys-whonix
We recommend connecting to a VPN *before* connecting to Tor (i.e. [You → VPN → Tor → Internet](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-vpnssh-tor)) when you are using an Internet connection tied to your identity.
We recommend connecting to a VPN *before* connecting to Tor (i.e. [You → VPN → Tor → Internet](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-vpnssh-tor)) when you are using an Internet connection tied to your identity.
* To configure connecting to a VPN before connecting to Tor, go to sys-whonix's **Settings → Basic** tab and change the net qube to `sys-vpn`.
* If you are intentionally using an [Internet connection not tied to your identity](/posts/tails-best/#an-internet-connection-not-tied-to-your-identity), such as Wi-Fi at a random cafe, a VPN ties you to any other computer activity you've used it for (via your subscription). In this scenario, change sys-whonix's net qube back to `sys-firewall` (connect to Tor directly), or change sys-whonix's net qube to another VPN qube (`sys-vpn-2`) that uses a compartmentalized VPN subscription.
* As a last step, we will verify that only `sys-vpn` has its net qube set to `sys-firewall`. Go to **Applications menu → Qubes Tools → Qube Manager** and sort the entries by "Net qube" to make this easier.
* To configure connecting to a VPN before connecting to Tor, go to sys-whonix's **Settings → Basic** tab and change the net qube from `sys-firewall` to `sys-vpn`.
* To not forget to revert the change, do so before shutting down the laptop.
For more information on the rationale of this configuration, see [Privacy Guides](https://privacyguides.org/en/advanced/tor-overview/#safely-connecting-to-tor). Note that you should not connect to a VPN *after* Tor because this [breaks Stream Isolation](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-tor-x).
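Review bot: the two consecutive, identical "We recommend connecting to a VPN *before* connecting to Tor …" lines in this hunk look like either a whitespace-only change or an accidental duplicate; check that the rendered file does not carry the paragraph twice. The consolidated bullet list also drops the explicit verification step ("verify that only `sys-vpn` has its net qube set to `sys-firewall`", using Qube Manager sorted by "Net qube"), which is the one check that catches a qube still bypassing the VPN; consider keeping it. The removed cafe-Wi-Fi bullet offered a second VPN qube (`sys-vpn-2`) with a compartmentalized subscription as an alternative, and that option does not reappear in the paragraph that replaces it further down the file, so confirm the omission is intentional. Same awkward "To not forget to revert the change, do so before shutting down the laptop" sentence as in the previous section.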
@ -351,6 +349,8 @@ To understand this configuration, it may help to visualize the qubes involved in
| sys-whonix | The Whonix-Gateway qube | `sys-vpn` |
| whonix-workstation-17-dvm | A disposable Whonix-Workstation qube | sys-whonix |
Connecting to a VPN ties you to any other computer activity you've used it for (via your subscription). You can think of it as equivalent to connecting to a trustworthy Internet Service Provider. If you are intentionally using an [Internet connection not tied to your identity](/posts/tails-best/#an-internet-connection-not-tied-to-your-identity), such as Wi-Fi at a random cafe, leave sys-whonix's net qube set to `sys-firewall` (connect to Tor directly).
# How to Use Devices (like USBs)
To learn how to attach devices, let's format the empty USB or hard drive that will be used for backups. Attaching the USB to an offline disposable mitigates against [BadUSB attacks](https://en.wikipedia.org/wiki/BadUSB).
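Review bot: "leave sys-whonix's net qube set to `sys-firewall`" in the new paragraph contradicts the step immediately above it, which has the reader change that net qube to `sys-vpn`; for the connection-not-tied-to-your-identity scenario the instruction has to be to switch it *back* to `sys-firewall` (as the removed bullet in the previous hunk said, e.g. "change sys-whonix's net qube back to `sys-firewall`"). Minor: the table writes `sys-vpn` in backticks but not sys-whonix or whonix-workstation-17-dvm; use one style for qube names throughout.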