clarify VPN phrasing

anarsec 2024-04-25 18:46:36 +00:00
parent d6c72fd6b9
commit f95c4b0a6a
No known key found for this signature in database
4 changed files with 14 additions and 11 deletions

@ -325,10 +325,10 @@ To understand this configuration, it may help to visualize the qubes involved in
## Configure connecting to the VPN before Tor
Unless you are intentionally using [Internet not tied to your identity](/posts/tails-best#internet-not-tied-to-your-identity), we recommend connecting to a VPN *before* connecting to Tor (i.e. [You → VPN → Tor → Internet](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-vpnssh-tor)).
We recommend connecting to a VPN *before* connecting to Tor (i.e. [You → VPN → Tor → Internet](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-vpnssh-tor)) when you are using an Internet connection tied to your identity.
* To configure connecting to a VPN *before* connecting to Tor, go to sys-whonix's **Settings → Basic** tab and change the net qube to `sys-vpn`.
* When using Internet from home, its best to use a VPN for all network traffic. But if you are intentionally using Internet not tied to your identity, such as Wi-Fi at a random cafe, the VPN ties you to any other computer activity you've used it for (via your subscription). In this scenario, you can change sys-whonix's net qube back to `sys-firewall` (connect to Tor directly), or change sys-whonix's net qube to another VPN qube (`sys-vpn-2`) that uses a compartmentalized VPN subscription.
* When using the Internet from home, it is best to use a VPN for all network traffic — this puts your trust in your VPN instead of an inherently untrustworthy Internet Service Provider. But if you are intentionally using an [Internet connection not tied to your identity](/posts/tails-best/#an-internet-connection-not-tied-to-your-identity), such as Wi-Fi at a random cafe, the VPN ties you to any other computer activity you've used it for (via your subscription). In this scenario, you can change sys-whonix's net qube back to `sys-firewall` (connect to Tor directly), or change sys-whonix's net qube to another VPN qube (`sys-vpn-2`) that uses a compartmentalized VPN subscription.
* As a last step, we will verify that only `sys-vpn` has its net qube set to `sys-firewall`. Go to **Applications menu → Qubes Tools → Qube Manager** and sort the entries by "Net qube" to make this easier.
For more information on the rationale of this configuration, see [Privacy Guides](https://privacyguides.org/en/advanced/tor-overview/#safely-connecting-to-tor). Note that you should not connect to a VPN *after* Tor because this [breaks Stream Isolation](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-tor-x).
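Review bot: The link fragment in the rewritten "When using the Internet from home" bullet changes from `#internet-not-tied-to-your-identity` to `/#an-internet-connection-not-tied-to-your-identity`, which only resolves if the matching heading in tails-best is renamed in this same commit; only this file's hunks are visible here, so please confirm the target exists. The rewritten intro sentence also drops its link to that definition and now states its condition ("when you are using an Internet connection tied to your identity") after a long parenthetical link, where it is easy to miss; consider leading with the condition. Separately, the unchanged last step says to verify that only `sys-vpn` has its net qube set to `sys-firewall`, but the bullet above it offers setting sys-whonix back to `sys-firewall` or adding `sys-vpn-2`, so a reader who took either option will see a mismatch during that check. A short qualifier on the verification step would resolve that.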
@ -447,7 +447,7 @@ To create a Kicksecure disposable, go to **Applications menu → Qubes Tools →
* **Networking**: default (sys-firewall)
* In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the disposable in the Apps tab of the Applications Menu. Make sure you are not working in the disposable Template (the same name in the Templates tab of the Applications menu).
Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If you set all sys qubes to use the Debian Template during the Qubes OS installation, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-12-dvm`. If you want to use disposable Kicksecure for sys qubes, set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-17-dvm` Template.
Kicksecure is [not officially supported](https://forums.kicksecure.com/t/kicksecure-for-sys-qubes-and-sys-vpn/442/2) for sys qubes. If you set all sys qubes to use the Debian Template during the Qubes OS installation, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-12-dvm`. If you want to use disposable Kicksecure for sys qubes, set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-17-dvm` Template.
# Appendix: Hardware Security
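Review bot: The support-status claim in the rewritten "Kicksecure is ..." paragraph is now sourced from a forum reply instead of the Kicksecure wiki page, and the wording moves from "considered untested" to "not officially supported", which is a different statement; consider keeping the wiki link alongside the forum link so the reader can see both. The paragraph then goes straight on to explain how to switch `sys-net`, `sys-firewall`, and `sys-usb` to `kicksecure-17-dvm` without saying what "not officially supported" means for someone who does so. One sentence on the trade-off, noting that `debian-12-dvm` remains the fallback, would make the recommendation easier to act on.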