Hey man. I had the same issue in high school. A good VPN will obscure your network traffic and negate any websites your school's firewall prohibits (I do not endorse abusing this feature). I don't know anything about Mullvad, so I can't comment on it, but I still recommend using a good paid VPN (I use iVPN, $8/month.) If for some reason the VPN is not an option, read about TOR browser. It's a free browser that obscures your network traffic using essentially the same methods as a VPN. However, depending on your school's internet service provider, TOR might not work without a proxy. Good luck!
Edit: typo
Why not keep the 6 other passwords in your password manager on your phone?
If that's not an option, length is more important than complexity. It can be something easy to type (think sentence, multiple dictionary words, etc).
Anything outside my password manager gets a sentence with some capitals, numbers, and punctuation. Something like "MyRedditUsernameIsColtman151." scores as taking centuries to crack by Bitwarden and is very easy to remember and type both. If you make it something personal, it'll be even more impossible to guess.
https://bitwarden.com/password-strength/ if you want to play around with it.
Mullvad would probably be my top recommendation for you.
Very good security. You can pay in cash or via a number of cryptocoins. Throughput is good in my experience, and they're not so popular that their IP ranges are likely to be banned. Their accounts are also essentially throwaways, and have zero information that could tie you to your real identity.
Downsides are usability and price. But, it's definitely worth looking into given your criteria.
Pretty much this.
OP, read up on hosting an onion site here: https://riseup.net/en/security/network-security/tor/onionservices-best-practices
You don’t want to host a server at home because it’s directly linked to you. Your IP address (if leaked) can geolocate you or your ISP can see a large amount of tor traffic from your connection.
What IT/CS people are telling you Linux is more secure than windows? They’re misinformed. Open source software is audited for security vulnerabilities by many contributors, where Windows is audited by...Microsoft? We don’t know if windows is secure or not, because we haven’t seen the source code.
Apparmor VS SElinux isn’t really relevant here. SEllinux is a kernel module for managing access control policies, not really managing user privacy.
Check out Tails, a privacy focused distro based on Debian. Check out a secure mail provider like tutanota or ProtonMail. Check out a vpn provider like Mullvad or ProtonVPN.
NordVPN provides unique IPs for rent. They are not that expensive and you can select the country.
That's the only way to pass these captchas.
But I made the experience, that I pass the Captcha, even if I use a normal VPN, by using Chrome (without any privacy extensions).
Stop using Windows. Get Linux. Go with Ubuntu if you never used Linux before but try to learn Arch. I tried all distros, nothing beats Antergos
Stop using CyberGhost. Get NordVPN or AirVPN. Head on over to /r/vpn and chose on based on jurisdiction and logs policy. These are the two that I narrowed it down to last time I checked and I currently use one of the two.
Use a browser such as Firefox or Chromium(preferably Firefox). Buff it up with uBlock Origin, https everywhere and disconnect(these are extensions) at the very least.
Head on over to and check to see if you're not leaking DNS or Geo data.
Once you realize you are, set your DNS to static and use and install WebRTC Network Limiter extension.
This should cover all your bases as a start.
Whonix doesn't require any incoming connections however it does require all outgoing connections. So what I would do is install uncomplicated firewall (ufw) on your host linux machine and set it to block all incoming traffic but allow all outgoing, whonix has documentation on this: https://www.whonix.org/wiki/Host_Firewall_Basics#How-to:_Install_and_Configure_a_Firewall
You're not wrong... you just need to give more details.
https://signal.org/blog/cellebrite-vulnerabilities/
TL;DR - Signal (which is an encrypted end-to-end chat client) added some extra "useless files" which when scanned by a Cellebrite station, exploits a vulnerability in the software rending all results and even prior results useless.
Article is still a great read.
>You can see on the NordVPN website that this can be an issue:
It happened on my laptop at the same time as my PC and the error did not come from NordVPN.
>Having this issue does not mean it is the government, as there are other, more plausible causes than a targeted MITM attack from government authorities.
So it's just a coincidence that I ran Qubes OS and then my network went down until I shut down the Qubes OS PC INSTANTLY? Literally, the network went up instantly. After that, I received a new TLS certificate notification from NordVPN.
I had been noticing that after I started researching how to increase my OPSEC and use OPNSense that when I use Linux Kodachi & Qubes OS, my network started behaving differently. My internet began to slow down and sometimes not work. I decided to shut down Qubes OS once I finally got the subtle message.
>You mention in other places you live with family…is it possible that they have monitoring software or the local firewall is the cause of the issue?
They know nothing about PC's and need my assistance for anything. I hold all of the networking hardware in my room like the router as well.
I expect something. That's all.
You mention in other places you live with family…is it possible that they have monitoring software or the local firewall is the cause of the issue?
You can see on the NordVPN website that this can be an issue:
Here is another example that sounds similar: ;utm_medium=mweb3x
Having this issue does not mean it is the government, as there are other, more plausible causes than a targeted MITM attack from government authorities.
It indeed comes down to who you trust the most out of the ISP or VPN provider. My thoughts on this has previously been that my ISP has a lot of information about me, is closely connected to other markets (phone, TV) and doesn’t provide any clear statement that it doesn’t collect my usage of data (more so that it points to the opposite when reading their privacy policy). While using Mullvad with cash (best case scenario), they won’t even know my email address, as they only use provided numbers for usernames. They “guarantee” a no log policy, which is a far better attempt at privacy than what my ISP provides. This in combination with a lack of other information about me, makes it the better one to trust in my eyes at least (if there is anything proving otherwise please let me know). It’s not that I distrust my ISP in particular, but when comparing all major ISPs in my country, the fact that non of them are any privacy oriented whatsoever is a bit alarming, and makes me assume (in the worst case). That all of them would store my usage, making it more or less impossible to find any alternative that doesn’t. To be fair though, I am currently using almost the exact setup as you described, even less as I don’t have a “regular” VPN, but I have been considering a change as of late
Your "specific concern" is one of the top reasons to get a VPN in the first place, at least on mobile. Sure there are those who want to hide P2P from their ISP and some want to watch Netflix abroad, but securing connection on public wifi is definitely a normal selling point for any VPN.
Normally I would recommend Algo, but since you've already tried that, maybe ProtonVPN might be something to look into. They at leats take security seriously and we can know for sure they're not owned by some Chinese company that's registered in Panamas.
Check out https://privacytools.io, they should have nearly all the recommendations you need such as Browsers, firefox on desktop & bromite on Android.
I wouldn't recommend Apple product for privacy. The best we have for phones is a custom ROM/OS for your android phone, you can most likely install LineageOS on your current phone. But if you plan to buy a new one I would check out the Google Pixel phones as the most secure android operating system GrapheneOS works for those phones. https://grapheneos.org/
I'm fairly new to OpSec but I also don't have a large threat model. So, if I were you I would keep the mac as your public life ( physics works / schooling / any google based bullshit ) things that if were ever attacked you could walk away clean. I would ditch and never use windows again. I would then go buy as someone else mentioned an old thinkpad play around, distro hop, ( I think we are all guilty of that when we switched to linux, I was ) and settle on the distro that fits your needs and then learn through trial and error to set it up as private as you need it for your lifestyle. Use that for your basic clearnet privacy purposes. If you're doing the TOR thing, if you're using TOR for things that others might frown upon. Then I'd go on shopgoodwill and pick up cheap throw away if needed thinkpad and use that.
If that's to much and your like, I don't want 2-3 laptops !!! Go straight for the learning curve and learn Qubes go to their list of compatible hardware and go that route.
Either avenue you chose to go down to solve your concerns. Know that, you my friend will be a linux user. Welcome !! I used to be a Mac user, 2012 Airbook. It sits in a draw. I rather lug around a old oversized heavy thinkpad then use that Mac. I feel more confident and safe using this than that Mac.
Sorry I sort of went off topic, I hope that helped. The thinkpad route, is the cheapest and it gives you a machine to tinker, play, and learn with, without messing with the machine that you might need to do important work on.
That is a truly amazing answer, thank you very kindly for that. I now have a deeper understanding of the topic. Can you recommend a no-log VPN? I have recently looked into Mullvad and NordVPN.
And if I understand it correctly, I can use a VPN, then access the VM and use another VPN "within" the VM for extra security?
You should weigh it with your odds of being put under physical surveillance. If your adversary has the means to access surveillance cameras in the areas that you frequent, gas stations, supermarkets, coffee shops etc, they could potentially use your finger movements to narrow down the effort needed to decrypt the device. Considering that type of stuff is mostly restricted to state actors you probably don't need to worry about it.
If you plan to continue using biometric authentication remember that both Android and iOS require you supply the device password after they are shut down and iOS has a "panic mode" that will allow you to quickly shut down the device by clicking the power button 5 times.
If you ditch biometric, investing a privacy screen would lower the risk of a physical surveillance threat. If you're on iOS you can enable a feature that wipes your device after 10 failed login attempts and both iOS and android have remote wiping capabilities.
> Find a motion-capture app that can record even if the screen is locked. It will monitor housekeeping and others that may reasonably enter—that may reveal new surveillance or other undesirable behavior. Set it somewhere where it can cover most of the room and still look innocuous.
https://play.google.com/store/apps/details?id=org.havenapp.main&hl=en&gl=US
For your use case, I see nothing wrong with running your own, other than that the maintenance overhead can be annoying (ran my own for ages, stopped for exactly that reason).
I've currently got accounts on PIA (through work), PrivateVPN (through another project I work on), and Mullvad (personal). Of all of them, I prefer Mullvad. The other two are fine as well, I don't have any specific issues with them. I don't really trust PIA wholly myself, they seem to have too much going for me to be comfortable. PrivateVPN seems good enough, I just prefer the Mullvad feature set.
Edit: With regards to your last question about it being compromised, as long as you keep an eye on HTTPS validity and are careful not to click through warnings about dodgy certificates, yeah, your HTTPS traffic will still be protected, same as wifi. It may expose your location, though, through your connected IP address, but the same is true of any VPN provider arguably.
I asked this too and every answer was just to use a Bridge.
Right now if you insist you should use NordVPN but as an exit from Tor, since the exit nodes are frequently banned, this requires editing the tor config file.
While at it make sure the payments towards NordVPN are anonymous too,otherwise it's pointless.
Alternatively you can use Windows 10 Enterprise LTSB. Basically no telemetry, no Windows store, no feature updates (security updates only), no edge. Basically my perfect install of Windows, no screwing around required. I use it for my gaming install and haven't had any major issues so far.
+1 for manjaro. If you're looking to use Linux on the daily you should be able to load up a distro onto the Chromebook. I'd also look into loading up a USB with Tails on it for more security/privacy.
Also +1 for VPN. Probably my top pick for security and privacy would be Mullvad. Not sure how you'll go with speed though, but definitely don't go expecting your full internet throughput.
Enable full disk encryption (fde). Use cryptfs app to allow the use of separate passwords for fde and lockscreen. Set a strong fde password. When your phone is powered off, it should be pretty secure.
I don't think an antenna can't really be more or less secure, it's just a passive thing.
Look around for a 2.4ghz patch antenna, they're fairly compact and flat, so are easy to transport. You'll need to make sure your WiFi card has an external antenna connector available to use.
Example: https://www.amazon.com/Zer-one-Antenna-Directional-Extender/dp/B07W6W9WT5/
https://www.amazon.com/Tupavco-TP511-Antenna-Wireless-Directional/dp/B008FH5UTG/
I second Mullvad, and would highly recomend doing some research into how to pay with crypto especially monero, as well as looking into using tor, not only to access mullvad but also to avoid censorship. double check any socials you have dont have any info linking back to you, email, cell, etc
Yeah. You can read more on that from the Tails site here.
I don't know what your threat model is or from whom you want to protect yourself but chances are you'll be fine.
The main issue might be with service providers. It's challenging to find VoIP numbers easy to register on Tor and Tails.
Do you use a stock keyboard on your phone? The keyboard software logs everything you type - whether or not its a message you send. That data is sold off to advertisers.
Do you use gmail or any other mainstream email service? The provider scans your incoming, outgoing, and draft messages to learn more about you, then sells that data.
There are dozens of similar access points that most people have no idea exist. See, for example, https://signal.org/blog/the-instagram-ads-you-will-never-see/.
Search yourself using OSINT tools. Read Extreme Privacy by Michael Bazzell. Don't count out a therapist.
Best of luck.
If your OPSEC model requires not having cameras with the ability to spy on you, the only question need asking is "is it open source?". Since the answer is most likely "no", that should also be the answer to "should I give it unlimited trust in my presence?".
Personally, I physically remove any camera on any device I own, or, if it would render the device inapproprable to do so, simply electrical tape it blind and make sure the software cannot access it without relying on zero days.
As a matter of fact, taping cameras shut was the inspiration for this logo I made https://dribbble.com/shots/2868883-Zero-Knowledge-Concept-Logo
However overall you have to assess your threat model first - what are you trying to hide/protect, why you want/need to be anonymous etc.
I realize it may be impossible to be completely private, but I do this on my Samsung phone without root.
I essentially use three profiles that serve different functions with a VPN/Tracker blocker on each.
1) Regular profile - AdGuard
2) Shelter App - Blokada
3) Secure Folder - ProtonVPN (Always-On, Secure Core) (You can enable Kill Switch as well)
I uninstall and disable everything I can from Google and Samsung on each profile, e.g., Google Play services and the Play Store. On the regular profile in addition to disabling those apps, I block internet access at an App level via Adguard. I use the Shelter App profile to install required apps that may have a few trackers since Blokada has better visibility/logging into what trackers are being blocked. You can utilize the Secure Folder protected by ProtonVPN (Secure Core) to do most web browsing on a privacy-focused browser.
A few other things:
- I use Aurora Droid, Aurora Store, and sideloading for installing apps.
- I use the apps Warden, Tracker Control, and App Manager to understand what trackers (if any) apps have.
- I use Hermit to create shortcuts to websites instead of installing native applications, e.g., banks, social media sites, etc. You can enforce some privacy stuff using Hermit.
- I install Tor in the Secure Folder profile.
Not sure whether that would hold up in court but theoretically it seems plausible. Have a look at the wiki for some details around this.
> What is the difference between using Tor browser in Whonix, and Firefox in Whonix then?
Tor browser: Mitigations against more advanced fingerprinting techniques. Firefox: Distinct fingerprint. You won't be nearly as anonymous.
The best you can do is copy your whonix-ws DVM, modify if and use these dispVMs only for the sites you need your addons.
Yes, I am sure it can. You should be able to export your chrome passwords into a .CSV file and then you would just be able to import that .CSV file into your KeePassXC database.
​
https://winaero.com/blog/export-saved-passwords-google-chrome/
Sounds like you'd be interested in Qubes OS, as it's project goals is entirely what you're trying to achieve. It does security by compartmentalization, and each window is a separate VM. https://www.qubes-os.org/
>FB wrote the Messenger app. We’re running their code. They can see the message before it is encrypted.
But check it out. Just found this, FB uses Signal's code and it's open-source.
SSN these days is basically public information, although certain financial data might be a bigger worry. As others have said, they are not likely selling your information. The main worry would be poor security practices leading to leaks.
Using something paid like Adobe Acrobat Pro (I try to avoid because I don't like Adobe's practices, but the software itself works well). LibreOffice Draw can also edit PDFs but is not really suited for form filling. Some browsers also support form filling to a degree, as well as the default document viewer in GNOME.
If all else fails, you can always print out the form and fill by hand.
Whonix, the operating system used to connect to Tor on Qubes.
Note that you don't have to run Qubes in order to run Whonix--all you need is VirtualBox.
The purpose of Tails is to connect to darknets without leaving a forensic trace (this a name based on the descriptor "amnesic").
Whonix, on the other hand, is an OS dedicated to providing a secure connection to Tor given a persistent workstation.
How does it do this? (see the relevant wiki page for more details)
What this means is that no matter what, the Tor browser (and the OS running it) cannot ping a server over the clearnet to expose the user's true identity. This mitigates attacks such as using weird Flash exploits to ping over clearnet, along with the other vulnerabilities associated with Tor using an outdated version of Firefox.
Never upload any sensitive data to the cloud no matter whether its encrypted or not. I'd recommend to store all of your encrypted data in a external HD or a USB stick. As it is illegal to force you to decrypt any data in most of the countries. If you want you can even use Luks nuke option https://www.kali.org/tutorials/emergency-self-destruction-luks-kali/ but remember if you do this in front of LE it will be considered as the obstruction of justice and destruction of evidence so be careful. Another thing you might be able to do is to put that HD in a locker somewhere else if possible, in someone else's name as it would be hard for LE to get a warrent for that place. Another advice is don't keep anything incriminating anywhere. If you still want to use cloud storage I'd recommend Nextcloud self hosted or in a privacy respecting country.
https://www.kali.org/tutorials/emergency-self-destruction-luks-kali/
You can use this patched version of LUKS on any Linux system. Use one password to decrypt the drive, and another to nuke the headers. If the headers are nuked doesn’t matter if they have your pass phrase or not, the data is not recoverable.
Thanks for the detailed reply and this is on desktop its an app from Github similar to DNSCrypt and Pihole called Portmaster.
https://github.com/Safing/portmaster
>Yes I already use those in your end statement. Never tried Qubes yet though<
As the sidebar says, it all depends on who you're protecting yourself from. A VPN conceals the origin address, but it may not provide two-way encryption for example. You can also secure your signal five ways to Sunday and still be vulnerable by using a service or protocol which identifies you in other ways - e.g., if John.Doe and Jane.Doe communicate using accounts that are linked to their real identities then a VPN is only providing superficial anonymity.
Edit: As a suggestion, since using Google services are sort of the weak link to this operation in the sense of protecting privacy, consider exploring open source alternatives that have proven end to end security. For example, PRISMBreak. You could just as easily do something like route Tox protocol through Tor and double up with a VPN to make totally anonymous calls without needing a phone number and which require no central authority that could divulge your activity even if both layers of encryption weren't enough.
Read this. Seriously, it's an incredible privacy guide. Tor browser bundle is worth checking out, but basically Tor and i2P are the only two browsers I know of that grant anonymity. You should tunnel your connection through a VPN before connecting to Tor since, as I understand it, your ISP won't be able to view any traffic within that tunnel because it's encrypted.
VPN for privacy, Tor for anonymity.
No, SHA256 is a hashing method. Hashing is not the same as encryption, it's a form of encryption that's one-way only. You can decrypt something that's encrypted, but you can't dehash something that's hashed.
Uploading sensitive data to the cloud as long as it is end-to-end encrypted should be okay. You might use Cryptomator or Rclone or any other similar software for this. However the problem is if it is a cloud account that is linked to your legal identity, LE might be able acquire a copy of the encrypted data on the cloud and they might force you to give up your password by using key disclosure laws (depending on your jurisdiction). Encryption against LE is not an effective protection, you will probably have to get into a legal fight to get away with it and it also makes you look bad in the eyes of a judge or a jury because you are hiding something. So LE shouldn't be aware of any encrypted data in the first place.
Instead you should compartmentalize the sensitive data. You can do it either offline or online. For the former ideally you should keep the encrypted data off-site in somewhere hidden (for legal reasons but again depends on your jurisdiction), for the latter you need to create a separate compartmentalized cloud storage account and you need to connect it to only through Tor/I2P etc. by using Tails for example. In theory, as long as LE is unable to link the cloud account with your legal identity your cloud provider shouldn't have to give up the data.
You could hire someone on fivver to read the script. Fivver accepts bitcoin. For example, this woman paid $15 to have an indian newscaster read a press release for her book:
Did you create a persistent volume? Open the "Configure persistent volumes" app and enable dotfiles
Go to https://wire.com/en/download/ and get the appimage for Linux
Go to your persistent folder, and make a folder called Wire and then another folder in that folder called Wire.AppImage to put the image in
Create two empty folders next to it, and name them Wire.AppImage.config
and Wire.AppImage.home. This ensures that your conversations are saved in your Persistent folder, and you don't have to login each time again.
Create a file called Wire.desktop with the following :
[Desktop Entry] Encoding=UTF-8 Name=Wire Exec='/home/amnesia/Persistent/Wire/Wire.AppImage' --proxy-server="socks5://localhost:9050" Type=Application Categories=Network
Finally open the "Terminal" app and run the following:
mkdir -p "/live/persistence/TailsData_unlocked/dotfiles/.local/share/applications" cp "/home/amnesia/Persistent/Wire/Wire.desktop" "/live/persistence/TailsData_unlocked/dotfiles/.local/share/applications"
One of Discord's goals is hiding your IP Address from other users, to mitigate DDOS attacks popular among the gaming community. I'm not sure about Telegram's policies on IP Addresses.
Your IP Address is nothing special, though, when it comes to Doxxing, any piece of identifying information (name, phone number, email, etc), can link you to the content of some "deep net" database providing even more information about you to your attackers. So be aware of what you are telling other users through these instant messaging services.
Take into consideration how far an adversary would go to passively seek this information. Social engineering? Stealing? Physical robbery? Or maybe they'd never go beyond a simple Google search.
You mentioned using said services as an application versus in the browser. In this case, you are worried about an active attack against you, one involving an exploit. Consider whether your adversary would be willing to reveal the existence of such a (supposedly valuable) vulnerability in order to attack you. Or maybe you'd be part of a sweeping attack against all Discord/Telegram users.
One last consideration is how much you trust Telegram/Discord. You might tell something personal to your wife through Telegram, but what if they are hacked, dumping all the chats you ever sent? Or what if law enforcement gets involved?
If the above is a worry, consider using messengers with end-to-end encryption, such as WhatsApp, or even better Signal.
Consider whether these threats are worth your time. Focus your efforts on what is worth your time.
I recommend using Mullvad for dns over https rather than cloudflare. They’re also a phenomenal vpn provider which may be better than your self-hosted setup depending on where you are hosting your vps and how much you trust the provider.
Let me list something:
>Whonix and QubeOS would be an overkill
Nothing is overkill if you cared for anonymously. Hell, some Linux Distro can do the trick. Tail OS can help out for being Anonymous but it uses Tor as the main Browser and it not suppose to be a permanent OS at all if you want to use it on a daily basis. 100% Anonymous is impossible if you plan to achieve that.
> I can't surf through Tor without getting spammed with captcha
Tor is too obvious of course and getting captcha 10 times is annoying as well but that the nature of using Tor, consider it is a popular tool for privacy which some people tend to use to abuse ToS on clearnet. There are alternatives but I advise double-checking and do some research before using it so. (link: )
>VPN logs every single information and it's not very reliable too.
That depends on what VPN you use. I won't trust those that been promoted hella lot on Youtube (ExpressVPN, SurfShark) but some like ProtonVPN are good ones. Try to do some research on what VPN is good and bad.
On to the point, trying to be anonymous on clearnet is a pain in an ass without having a major network using build-in Tracker and intense use of Javascript, cookies, and advertisement. You can use a different front-end (For example, you can use Invidious as front-end for Youtube, Teddit for Reddit, etc). Another way is to, well don't sign up for anything. Don't uses any email (or least use an burner email), don't share any info, etc. if you serious care for anonymous.
Tor, tails, whonix. All of these use the TOR network
Tor IPs are blocked a lot of the time. But there are work arounds.
I have never used these before so, take this advice with a grain of salt.
VPN options: mullvad, calyx, etc. There are many to choose from. Just pick a good one.
If the site is blocking you it is because they have that IP address blocked. Ie they are blocking a IP address they know is associated to something like tor or a VPN or something else.
Maybe try using a different VPN. The free ones get blocked alot. Mullvad is dope and has many IPs to choose from so if they block one you can switch it and try again.
Good luck.
Yes, if you use Tails it will still route the Firefox traffic through Tor. You should use a VPN. From my experience sites tend to not block ExpressVPN IP addresses, they claim they do not keep logs and I believe they accept crypto as payment. It's more expensive than most VPN services though.
Exactly, which is why I suggested VPN Gate. Constantly switching the VPN you're using, and only using ones with no logging is a FAIRLY safe bet.
But yes, you're right too. EFF does state exactly that.
To answer your question bluntly, I don't think taking the steps you've laid out would keep you uncorrelated from your old data.
​
You'll never completely disconnect from your older data. Any sufficiently determined person will end up finding a bread crumb or pay for people search data aggregators and they'll run your phone number/email/etcc and get reasonably close so that they can figure out the rest. Social media network analysis will also likely link your new accounts to your older accounts as I'm guessing you'll still be operating in the same social media space. TOR is generally not an optimal choice due to its popularity. This is a good article discussing the known issues. I'd advise reviewing some TOR alternatives like I2P and Freenet if you're hellbent on it. You may also want to use an encrypted messaging app like Signal or Whatsapp. There is a lot to learn about OPSEC and how to better guard your privacy and it can be frustrating at times but it's worth it in the end if increased privacy is your goal. Michaell bazzell has a good book on the topic. You may want to read/reference. His books are very informative.
Three virtual machines that I'm accessing to sign in to an account. The amount that would be active would be more. Right now I'm writing this in Tor Browser in a Whonix WS DisposableVM. In my setup, for this connection, there are a total of 6 VMs related to networking + 2 for my two KeePassXC databases that I've got open. The chain goes like this:
sys-net -> sys-firewall-nl > sys-mullvad-wg-nl -> sys-corridor -> sys-whonix -> disp****
Let me break those down. sys-net is the VM that has hardware passthrough to the network devices (ethernet and wireless card). It provides network to sys-firewall, a dedicated firewall VM that I've got setup to whitelist traffic to only the Mullvad VPN server in the Netherlands. sys-mullvad-wg-nl is the aforementioned VPN VM that in term provides network to sys-corridor is a Tor traffic whitelisting gateway (). That in term provides network to sys-whonix, a Whonix GW AppVM that transparently torifies all traffic coming from VMs that use it for their networking. That in term provides network to disp**** (where **** is a random sequence of numbers), a Whonix WS Disposable VM. That VM is where I've got Tor Browser opened. When I close this window, the VM will be deleted, so if malware installed in this dispVM, it doesn't affect the rest of my machine (unless it just so happened exploit a zero-day in the Xen Hypervisor to get RCE in Dom0, but if that was the case, then I've got bigger issues).
The two other KeePassXC VMs don't have a network device attached to them.
lots of very good advice the book that was posted below is:
https://www.amazon.com/gp/product/B0898YGR58/
that book, has tons of really great info and get his podcast and listen to as much as you can.
but i would do a full opsec review, search yourself, try to find as much info on yourself as possible and try to correct it, it takes some time to stuff to drop off. make a list of every site
you have an account on and fix it. make sure profile URL, and all privacy info is locked down, get a password manager and make sure all sites have diffent password, and each has an an alais.
make sure, to put your house and cars in a trust etc. try to remove everything you can from public records. basically hack yourself, and fix anything you find.
every site, lock it down as much as you can...
Most commercial VPN services have a plethora of apps/extensions that handle everything for you. With Mullvad you have to manage the OpenVPN configurations manually. I think they have desktop applications for Windows/Mac/Linux now, but still no iOS/Android apps or browser extensions.
What VPN service? There are some that have residential dedicated IP address from time warner and comcast as well as cogent are new fresh ones that can't be used for torrenting or anything like that but they are about 8 bucks a month for one on top of the vpn. I've found this stops all the captchas and anything else they have an issue with. Just don't abuse it or they'll take it away LOL. I know Nordvpn has this as well as Torguard. Hope this helps some.