Thoughts on technology, society, and my life as a computer science Ph.D student.

Stay tuned

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.

jamie@example.com

A Privacy-respecting Networking Setup

A Privacy-respecting Networking Setup
Photo by Bernard Hermant / Unsplash

I recently stumbled across the Linus Tech Tips video series about how to "De-Google your life." These videos resonated with me and, coincidentally, shared my intention behind my The Best Platform is No Platform blog post. I wanted to continue this theme by recommending my current setup for staying private online.

VPN - tl;dr (Mullvad)

When most people think of online privacy, they probably immediately think of VPNs. They are relentlessly advertised on YouTube and across the internet, so it would be surprising to have never heard of the most popular options: NordVPN, SurfShark, PIA, ExpressVPN, etc. I'll start by saying that I don't recommend any of these. While they are decent for avoiding location restrictions on content, they vary on both price and privacy considerations. I'm not above paying for a better service if it ensures better privacy (you should NEVER use a free VPN, since your data is assuredly being used to pay for the service), there is a good alternative that has excellent privacy standards and is reasonably priced: Mullvad VPN.

Mullvad has a no-logs policy and is about as privacy-respecting as a modern company can get. On top of not collecting and storing any logs (this has been audited by 3rd parties), they also don't collect any personal information for your account. You are given a unique token that is the sole method of accessing your account (no name, email, phone number, etc.). The only personal information they collect is what is required to process your payment. That being said, even this is optional as you can mail them cash (in a range of currencies no less) with a sticky note holding your account number and they'll top up your account manually. I don't do this because I'd be mailing cash to Sweden (Mullvad's HQ) regularly and my privacy needs are not nearly that strict, but it's an option. Mullvad's pricing is also very reasonable at 5 euros a month and is always billed monthly. Between their straightforward pricing, transparent privacy standards, and ongoing efforts to add new features to their open-source VPN clients (multi-hop connections, Quantum-resistant encryption, etc.), Mullvad gets my full endorsement.

Now, before you run off to download Mullvad and give them money, wait a second. I'd still recommend you do that, but there is an alternate method to getting Mullvad that I'll discuss below (this allows it to play nicer with other suggestions in this post).

DNS - tl;dr NextDNS

Another key component in online privacy (or a lack of privacy is DNS). If you're not technically inclined, you're probably unfamiliar with DNS (Domain Name System). To very much oversimplify things, DNS is the method by which your computer translates domains (something like https://carsonwoods.io) to its corresponding IP address (where the server can be found on the internet). This makes your life easy because you don't need to keep track of the IP addresses of your favorite websites, but it's also a privacy vulnerability for most people. By default, most users use their internet service provider's default DNS server. This is usually the ISP's server itself. This means that your internet service provider can view any domain that you're connecting to. If you are using a VPN there is a chance that it has its own DNS server that it connects to for additional privacy (Mullvad has an encrypted DNS). This is great, except you're only using their DNS server when connected to the VPN, which you might not want to do constantly for valid reasons. The way to circumvent this is to use a custom DNS provider with better privacy policies and support for encrypted DNS (DoH, DoT). For this, I follow Linus Tech Tip's recommendation of NextDNS. They have a minimal logs policy and customer data is never logged. They also discard any personal information acquired as soon as possible. As a good bonus, they also support optionally blocking ads and trackers. This will become increasingly important as Chrome browsers will start nerfing ad-blockers in the next year or so.

You can set DNS settings in a bunch of places (at the network level, device level, or browser level). If you set it in a specific browser, then the DNS protections are only set for that browser. Setting them at the device level protects that device on any network it goes to, but this can be tedious to set across multiple devices. Setting it at a network level is great because you get it for free on any connected device, but you're suddenly unprotected again if you leave that network (plus, Linus and co. note in their video that certain services on smart devices might be inadvertently blocked by custom DNS settings accidental blocking of necessary IPs).

The best solution I found is a compromise between all of these. Remember how I said to hold off on Mullvad for a bit? Well, its time to talk about how to manage your VPN and DNS settings all in one easy way.

Bringing It All Together - tl;dr Tailscale

The secret sauce for making this all work is Tailscale. Tailscale is awesome. Excluding all the cool privacy stuff I'll be recommending, Tailscale is just a great service. Normally, if you want to run a server (or just a computer with remote access), it must be exposed to the internet to allow you to connect to it from anywhere. This must be done carefully to avoid introducing a vulnerability that enables a nefarious hacker onto your network. Tailscale fixes that by creating a software-defined network. Simplifying a lot, it makes all your devices think they're on the same network, so devices never need to be exposed to the wider internet, but still allowing for remote access. Tailscale has a TON of awesome features and a very generous free plan, so I won't describe everything it can do. Instead, you should just go play with it!

Ok, so what does this have to do with privacy? The way Tailscale works on most devices is by being a VPN. Tailscale ensures that all connections between devices on your TS network are end-to-end encrypted, just like Mullvad, so your privacy is preserved. That's great, but this is only for traffic between devices. It doesn't protect any traffic between, say, your laptop and Google.com (or any external server/site). This is where another one of Tailscale's coolest features comes into play: exit nodes. Exit nodes are nodes on your Tailscale network that your other devices can route traffic through. This means, that you can specify a computer on your network that traffic goes through to reach the wider internet.

An overview of a network where a laptop connects directly to Google.com
No Exit Node Diagram. Courtesy of Tailscale.com
An overview of a network where a laptop connects to Google.com through a desktop exit node.
Exit Node Diagram. Courtesy of Tailscale.com

Ok, this is cool, but that still means you're using your device to connect to a network. One of your IPs is still being shared with your destination server. Plus, if Tailscale is being a VPN, then you can't even use Mullvad, right? This is where things get really cool. Tailscale recently added beta support for using Mullvad nodes as exit nodes for your TS network. This means you can be using TS all the time, and enable a Mullvad exit node on-demand whenever you need the extra privacy. The way this works under the hood is, depending on the number of devices you have on your network, Tailscale will bill you for their costs to Mullvad based on your usage (aka, in increments of 5 euros per month per 5 devices).

There are some caveats to this approach that might be worth considering. Tailscale is not log-free like Mullvad, and they have a disclaimer that there will inevitably be some privacy concession from letting Tailscale manage your Mullvad account. For a full description of the privacy concessions, read their documents here. That being said, traffic to and from any device on the network (including the Mullvad nodes) is encrypted and can't be viewed by Tailscale. I think that, for most users, this compromise is likely minimal. If you need such privacy that your safety is at risk without it, you can and should probably use Mullvad directly and avoid Tailscale altogether. Additionally, Mullvad's client app supports other features like multi-hop routing and quantum-resistent encryption. Based on their documentation, it is unclear if Tailscale supports these added features in their client. Again, these are probably not dealbreakers for most people, but it's worth considering.

The last thing we'll cover is DNS and Tailscale. As with Mullvad, Tailscale supports setting custom DNS settings for devices on your Tailscale network. This is awesome because it means you can ensure all new devices you get are private on any network by simply installing Tailscale as you might want to do anyways. This also means that smart-home devices and other, less-important devices are not obstructed in some way. Tailscale allows for NextDNS (along with a few different options) to be set up with effectively one click (you don't even need a NextDNS account if you don't want one). If you wish to use a NextDNS account (this can be used for custom content filters and filter exceptions), you can also add your account details in Tailscale's settings. Their documentation for this process can be found here.

Conclusions

This guide isn't intended to keep you 100% anonymous online. There are better tools and guides for that out there, and I'm no expert in perfect anonymity. This is just intended to document my approach since I found it useful, straightforward, and cost-effective, while also allowing me to be more privacy-conscious.

Some unmentioned privacy protections that I can think of might be:

  • Browser - Chrome is run by Google (an ad company) and Firefox has become less privacy-respecting recently. Some alternatives include Brave and Arc (though maybe disable their AI features).
    • I'm sad that Firefox/Mozilla has started doing things that are less privacy-centric. We need less Chromium-based browsers out there, but that's a whole topic of its own.
  • Browser Extensions - extensions like Honey, Rakuten, etc. sound great, but they can read any page you view, so having network protections is instantly defeated by these extensions being installed.
  • AI tools - Free AI tools feel much like free VPNs. A service that we've been told is amazing and totally free, trust me bro. I hope no one is fooled, sharing information with these tools means sharing it with their creators. They can be useful, but be careful and, when possible, run the models locally.
Latest issue