VPN router hides Qubes OS usage?

Since using Tor for updates doesn’t hide Qubes OS usage, how do high threat model users hide the fact that they are using Qubes?

Is a VPN on a router sufficient to hide the usage of Qubes OS? Or can traffic analysis still identify a Qubes OS user?

I believe Micah Lee (of the Intercept) has provided a complex network model for people who want/need to hide their Qubes OS usage from their Internet provider. It should be noted that everything is relative (including privacy). So prepend (relatively) to “trusted”.

The model is something like this:

Internet
└─Trusted VPS in a Trusted Country

Draconian ISP
└─sys-net (bare minimal with update check disabled)
    └─sys-firewall (bare minimal with update check disabled)
        └─sys-whonix (with obfuscating bridges)
            └─sys-vpn (VPN Tunnel to the Trusted VPS in a Trusted Country)
                └─AppVMs (ordinary Internet usage)
            └─anon-whonix (Tor browsing usage)
            └─ . . . TemplateVMs (Using sys-whonix as their UpdateVM)
            └─ . . . dom0 (Using sys-whonix as its UpdateVM)

p.s. The VPS and sys-vpn could be replaced with a trusted VPN provider qube (e.g. Mullvad).
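
A dom0 audit of the chain in the model above, added here as an example and not part of the original post: it walks each qube's `netvm` property and lists any networked qube that never passes through sys-whonix. The qube names `work` and `leaky` and the sample topology are constructed, and `qvm-prefs` is assumed to print nothing or `None` for a qube without a netvm.

```bash
#!/bin/bash
# Constructed sample topology mirroring the tree above, as "qube netvm" pairs
# ("-" = no netvm). Used only when qvm-prefs is unavailable (outside dom0).
# "work" and "leaky" are hypothetical AppVM names.
SAMPLE_TOPOLOGY='sys-net -
sys-firewall sys-net
sys-whonix sys-firewall
sys-vpn sys-whonix
work sys-vpn
anon-whonix sys-whonix
leaky sys-firewall'

# Print the netvm of qube $1, or "-" if it has none.
get_netvm() {
    if command -v qvm-prefs >/dev/null 2>&1; then
        nv=$(qvm-prefs "$1" netvm 2>/dev/null)
        # Assumption: an unset netvm is printed as empty or "None".
        case "$nv" in ""|None) echo "-" ;; *) echo "$nv" ;; esac
    else
        echo "$SAMPLE_TOPOLOGY" |
            awk -v q="$1" '$1 == q { print $2; found = 1 }
                           END { if (!found) print "-" }'
    fi
}

# Succeed only if gateway $2 appears in the netvm chain of qube $1.
# The hop limit guards against a misconfigured loop.
routes_through() {
    cur=$1; hops=0
    while [ "$hops" -lt 16 ]; do
        cur=$(get_netvm "$cur")
        [ "$cur" = "-" ] && return 1
        [ "$cur" = "$2" ] && return 0
        hops=$((hops + 1))
    done
    return 1
}

# Usage: audit GATEWAY QUBE...  Prints each networked qube that bypasses GATEWAY.
audit() {
    gw=$1; shift
    for q in "$@"; do
        [ "$(get_netvm "$q")" = "-" ] && continue   # offline qube: nothing to leak
        routes_through "$q" "$gw" || echo "$q"
    done
}

# Sample run; in dom0, pass the real list instead: audit sys-whonix $(qvm-ls --raw-list)
audit sys-whonix sys-vpn work anon-whonix leaky
```

When run against the full qube list, sys-net and sys-firewall will be reported because they sit upstream of sys-whonix; that is expected, and it is why the model keeps them minimal with update checks disabled.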

VPN traffic is sensitive to Deep Packet Inspection (DPI) and Website Traffic Fingerprinting, [7] so it is ineffective in hiding use of Whonix and Tor from the ISP or skilled adversaries.

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Tunnels/Introduction#VPN_Tunnel_Risks
Clearnet link:
Combining Tunnels with Tor

Yes. It is indeed the Tor + VPN scenario here. And I quote from the website:

…places sole trust in the VPN provider where the traffic exits.

I see a notification with Mullvad VPN App, can use private bridges.

I have no experience in these things, but the other questions I would wonder about:

Which would require cooperation from outside the country, and wherever the server is allows where the private bridge is installed.

Can anyone suggest a portable hardware VPN that one might want to trust? Perhaps a link to a website where folks talk about just use of VPN where one never has to go online with Qubes without it. No first contact for initial updates, or to get VPN functioning without the ISP getting a first look?

This one is convenient for travel because of its 4G capabilities. There are many others without 4G too.

It runs OpenWrt with OpenVPN or WireGuard. It can connect to WireGuard servers, and has Tor built in.

Downsides:

  • Couldn't automate MAC address spoofing - seems to be a hardware limitation. Requires you to manually randomize via the admin panel.
  • Can't install Syncthing (to add NAS functionality)
  • Can't do ISP > router > laptop all over Ethernet. One of the connections must be WiFi (can be vulnerable to WiFi scanning)

Better version of this: if you’re going to use a VPS VPN instead of a VPN provider, then connect to it with I2P. Then instead of VPN->Tor (which people cry about probably for good reason) you have I2P->Tor. I2P is even better at hiding traffic from draconian ISP, and if your VPS IP is compromised somehow then it won’t be connected back to you (because of course you paid with crypto and didn’t leave any KYC). :fu: :policewoman: