I believe Micah Lee (of the Intercept) has provided a complex network model for people who want/need to hide their Qubes OS usage from their Internet provider. It should be noted that everything is relative (including privacy). So prepend (relatively) to “trusted”.
The model is something like this:
Internet
└─Trusted VPS in a Trusted Country
Draconian ISP
└─sys-net (bare minimal with update check disabled)
└─sys-firewall (bare minimal with update check disabled)
└─sys-whonix (with obfuscating bridges)
└─sys-vpn (VPN Tunnel to the Trusted VPS in a Trusted Country)
└─AppVMs (ordinary Internet usage)
└─anon-whonix (Tor browsing usage)
└─ . . . TemplateVMs (Using sys-whonix as their UpdateVM)
└─ . . . dom0 (Using sys-whonix as its UpdateVM)
p.s. The VPS and sys-vpn could be replaced with a trusted VPN provider qube (e.g. Mullvad).
I see a notification with Mullvad VPN App, can use private bridges.
I have no experience in these things, but the other questions I would wonder about:
Which would require cooperation from outside the country, and wherever the server is allows where the private bridge is installed.
Can anyone suggest a portable hardware VPN that one might want to trust? Perhaps a link to a website where folks talk about just use of VPN where one never has to go online with Qubes without it. No first contact for initial updates, or to get VPN functioning without the ISP getting a first look?
Better version of this: if you’re going to use a VPS VPN instead of a VPN provider, then connect to it with I2P. Then instead of VPN->Tor (which people cry about probably for good reason) you have I2P->Tor. I2P is even better at hiding traffic from draconian ISP, and if your VPS IP is compromised somehow then it won’t be connected back to you (because of course you paid with crypto and didn’t leave any KYC).