Martian's Stack
Mobile Device Privacy and Security
Devices and Roles
Device #1 with profile switching and data sandbox separation
Private Profile:
Tutanota (Secure Email & Calendar)
Bitwarden or other password manager
Travel Profile:
All run via isolated, sandboxed Google Mobile Services
Device #2 for Banking
SIM/eSIM → Only for banks and SMS 2FA
No social media or travel apps
Maps
OsmAnd for daily, privacy-first navigation
Waze only on travel, isolated in a separate profile
Multiple SIMs
#1 → Banks via eSIM
#2 → Services
#3 → Calls (personal/general)
Core Principles
Compartmentalization: Strict separation by profile and device
Minimal Apps: Only install essentials on each device
Encryption
VPN
2FA & YubiKey
LibreOffice
OS Hygiene
Use an operating system that supports SELinux and enable SELinux in enforcing mode for robust process isolation and mandatory access controls.
Choose hardened Linux distros or privacy-centric operating systems such as Qubes OS, adding SELinux plus strong host firewalls.
Use a VPN killswitch: configure via your VPN client, or manually set firewall rules (e.g., iptables or UFW) to block all traffic unless the VPN is connected. This prevents IP/DNS leaks if the VPN drops.
Always use multi-hop VPNs, configured so each hop is independent and ideally in separate VMs.
Ensure you connect to multi-hop VPNs before Tor; this prevents your ISP or local network from identifying Tor traffic as originating from the home connection, breaking correlation attempts.
Tor
Set up a virtual machine (VM) or secondary device for layered routing.
Launch the Tor Browser or configure your system or VM to route all network traffic through Tor.
For advanced control, consider Transparent Tor Proxy setups or bridges, using firewall/iptables rules to redirect all traffic through Tor.
Optionally, use "obfs4" Tor bridges to help bypass censorship.
Lokinet (with Lockdown Mode)
On your VM or secondary device, install Lokinet and configure DNS to 127.3.2.1 so all supported traffic is routed through Lokinet. Use the Lokinet client's interface to add exit node details to access the clearnet through Lokinet if desired.
Enable lockdown or kill switch mode in your operating system or setup firewall rules to block all non-Lokinet connections. This ensures that if Lokinet disconnects, no unprotected traffic leaks, maintaining privacy.
Use anonymous payments, keep software up to date, and regularly verify lockdown enforcement to prevent data leaks.
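The VPN kill switch in OS Hygiene and the Lokinet lockdown mode above are the same fail-closed firewall. The following script builds such a chain with iptables and then verifies it is actually enforced; it is an added example, not from the original page, and the interface wg0, endpoint 203.0.113.10 and port 51820 are placeholder assumptions (substitute the Lokinet interface and its router for a Lokinet lockdown).

```shell
#!/bin/sh
# Fail-closed "kill switch" for a tunnel (VPN or Lokinet): only loopback,
# traffic inside the tunnel interface, and the handshake to the tunnel
# endpoint may leave the host; everything else hits the DROP policy.
# Added example. Placeholder assumptions: interface wg0, endpoint
# 203.0.113.10 UDP/51820. Apply as root: ks_apply wg0 203.0.113.10 51820 udp
IPT="${IPT:-iptables}"   # set IPT=echo to preview the commands instead

# Emit the OUTPUT chain, one rule per line (iptables argument form).
ks_rules() {
  tun="$1" ep="$2" port="$3" proto="${4:-udp}"
  printf '%s\n' \
    "-P OUTPUT DROP" \
    "-A OUTPUT -o lo -j ACCEPT" \
    "-A OUTPUT -o $tun -j ACCEPT" \
    "-A OUTPUT -p $proto -d $ep --dport $port -j ACCEPT"
}

# Flush and install the chain. Word splitting of $rule is intentional.
ks_apply() {
  $IPT -F OUTPUT
  ks_rules "$@" | while read -r rule; do $IPT $rule; done
}

# Verify enforcement ("regularly verify lockdown enforcement"): feed the
# live chain, e.g.  iptables -S OUTPUT | ks_verify wg0 203.0.113.10
# Succeeds only if the policy is DROP and every ACCEPT is confined to
# loopback, the tunnel interface, or the endpoint address.
ks_verify() {
  tun="$1" ep="$2" policy_ok=0 leak=0
  while read -r line; do
    case "$line" in
      "-P OUTPUT DROP") policy_ok=1 ;;
      *"-j ACCEPT"*)
        case "$line" in
          *"-o lo "*|*"-o $tun "*|*"-d $ep "*|*"-d $ep/32 "*) ;;  # allowed
          *) leak=1 ;;                                            # leak path
        esac ;;
    esac
  done
  [ "$policy_ok" -eq 1 ] && [ "$leak" -eq 0 ]
}
```

Run ks_verify from cron or after every reconnect; a non-zero exit means a rule was added or the policy was reset and the tunnel is no longer fail-closed.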
Potential Benefits of Using VPNs with Tor or Lokinet
VPNs can conceal the use of Tor or Lokinet from your internet provider by encrypting traffic before it leaves your device, enhancing privacy.
They add an additional layer of IP address masking, reducing the risk of linking your real location with your Tor or Lokinet activity.
VPNs can help bypass network restrictions or censorship that might block direct connections to Tor or Lokinet networks.
When used after Tor or Lokinet (though less common), VPNs can help protect against untrusted exit nodes by encrypting traffic leaving the privacy network.
Combining VPNs with Tor or Lokinet can increase security and anonymity over these networks, though at the cost of the VPN provider seeing the traffic as well as added complexity and some performance trade-offs.
Implication for Multi-Hop VPN + Tor vs. Multi-Hop VPN + Lokinet
With Tor, the typical setup involves layering VPNs first, then manually directing application traffic (like the Tor Browser) through Tor. This does not create a full device-level tunnel like a VPN. It requires special configuration and iptables rules for transparent proxying if a device-wide Tor network tunnel is desired, and even then, only TCP traffic is routed.
With Lokinet, since it operates at the network layer, connecting a device or VM to Lokinet acts much like connecting through a VPN. All traffic (TCP, UDP, ICMP) can be onion-routed automatically. Multi-hop VPN + Lokinet setups allow seamless layered routing at the network level, unlike Tor.
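The transparent proxying the Tor paragraph above refers to, as an added example that is not from the original page: Tor's TransPort and DNSPort receive redirected TCP connections and DNS queries, and the filter chain makes the "only TCP is routed" limitation explicit by dropping everything else. The tor daemon's uid is passed in (for example "$(id -u debian-tor)" on Debian), and the port numbers are placeholders.

```shell
#!/bin/sh
# Transparent Tor proxy for a whole VM: every new TCP connection and every
# DNS query is redirected into Tor's TransPort/DNSPort; UDP other than DNS
# and ICMP have no path out and are dropped. Added example, not from the
# page. Assumes the tor daemon's uid is passed in; ports are placeholders.
# Append TORRC_FRAGMENT to torrc and restart tor before tor_apply (as root).
IPT="${IPT:-iptables}"   # set IPT=echo to preview the commands instead

TORRC_FRAGMENT='TransPort 127.0.0.1:9040
DNSPort 127.0.0.1:5353
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1'

# nat OUTPUT: Tor's own packets and loopback must bypass the redirect or
# they would loop back into Tor; DNS goes to DNSPort, TCP SYNs to TransPort.
tor_nat_rules() {
  tor_uid="$1" trans="${2:-9040}" dns="${3:-5353}"
  printf '%s\n' \
    "-t nat -A OUTPUT -m owner --uid-owner $tor_uid -j RETURN" \
    "-t nat -A OUTPUT -o lo -j RETURN" \
    "-t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $dns" \
    "-t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $trans"
}

# filter OUTPUT: after the redirect, proxied packets leave on lo; only the
# tor daemon itself may reach the network directly, everything else drops.
tor_filter_rules() {
  printf '%s\n' \
    "-A OUTPUT -m owner --uid-owner $1 -j ACCEPT" \
    "-A OUTPUT -o lo -j ACCEPT" \
    "-A OUTPUT -j DROP"
}

tor_apply() {   # tor_apply <tor_uid>
  $IPT -t nat -F OUTPUT; $IPT -F OUTPUT
  { tor_nat_rules "$1"; tor_filter_rules "$1"; } | while read -r r; do $IPT $r; done
}

# Fate of a locally generated packet under these rules: this is the
# "only TCP traffic is routed" limitation of a Tor tunnel in one place.
tor_route() {   # tor_route <proto> <dport> -> tor | dns | drop
  case "$1:$2" in
    tcp:*)  echo tor ;;
    udp:53) echo dns ;;
    *)      echo drop ;;
  esac
}
```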
Summary Table

Aspect            Tor                                                    Lokinet
OSI Layer         Application Layer (Layer 7)                            Network Layer (Layer 3)
Traffic Types     TCP only                                               TCP, UDP, ICMP, all IP traffic
Network Tunnel    Application-specific (e.g., Tor Browser)               Full device/VM network tunnel
VPN Replacement   No, complements VPNs                                   Yes, can replace VPN-like routing
Transparency      Needs explicit app configs or complex iptables setups  Transparent to all apps and traffic
Thus, Tor does not natively work "over" VPN like Lokinet can; instead, Tor runs atop VPNs for layered privacy while Lokinet can function directly as a network-layer privacy tool replacing or complementing VPNs.
This fundamental architectural difference explains why setups involving multi-hop VPN + Tor require application-level routing and firewall rules, while multi-hop VPN + Lokinet can use simpler, full-network layered tunneling.
Anonymous Payments for No-Log VPNs
Select a VPN that explicitly states a no-logs policy and accepts anonymous payments (Monero, CoinJoin BTC, gift/prepaid cards).
Open a new anonymous email (ProtonMail, Tutanota, etc.) using Tor for registration.
Register for the VPN service using only your anonymous details.
Pay with cryptocurrency sent from a wallet with no connection to your identity (consider tumbling or privacy wallets).
Never reuse credentials or email addresses across compartments.
Hardware & ID Obfuscation
Before connecting to any network, spoof your MAC address (macchanger -r eth0 on Linux) for every new session. Use removable, unlinked network adapters, preferably new or secondhand with no purchase records.
Avoid initializing persistent hardware/user IDs: wipe system fingerprints or use privacy-focused OS features to prevent hardware-based tracking.
Location Deception
Use GPS spoofing apps/tools on any device with location features.
When possible, operate exclusively via public and random WiFi (libraries, cafes), never returning to the same network.
Do not log in or access any accounts connected to your real identity while on these networks.
Change operational base regularly; never stay at the same public WiFi location or city for repeat sessions.
Virtual Compartmentalization
Install Qubes OS on your main device, or use a secure Linux host with VirtualBox/Virt-Manager.
Create separate Whonix VMs for each operational activity (web, email, comms, research).
Enable full-disk encryption (LUKS, VeraCrypt, or similar) with plausible deniability features.
Regularly back up data to encrypted external drives.
For highly sensitive operations, use self-destructing VM environments or disposable VMs for one-time use.