@@ -304,23 +304,22 @@ When using the Internet from home, it is best to use a [VPN](/glossary/#vpn-virt
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks — especially those targeting messaging apps — more difficult to perform and less effective.
For your VPN provider, we recommend either [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) or [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without [Monero](https://www.privacyguides.org/en/cryptocurrency/#monero).
There are two ways you can run a VPN: from your laptop or from your router. You don't want to "double up" a VPN so if its running on your router, it shouldn't be running on your laptop, and vice-versa.
There are two ways you can run a VPN: from your laptop or from your networking device (either a router or a hardware firewall). When using your laptop from home, we recommend the latter.
**Running a VPN from your router**: If you mostly use Qubes OS from home, we recommend [running the VPN from your router](/posts/tails-best/#appendix-setting-up-a-vpn-on-a-router), which requires no configuration of Qubes OS. If this is the approach you choose, you can [skip ahead to the next topic](/posts/qubes/#how-to-use-devices-like-usbs).
You don't want to "double up" a VPN — if its running on your networking device, it shouldn't be running on your laptop, and vice-versa. This means that any laptops running a VPN should disable it before connecting to a "VPN Kill Switch" access point, or alternatively, they can connect to a non-VPN access point.
**Running a VPN from your laptop**: If you regularly use Qubes OS away from home, we recommend creating a VPN qube that runs the VPN client app. If you configure Qubes OS to force all networking through the VPN qube, the laptop should connect to a VLAN of the router which is **not** running a VPN.
However, it's still valuable to know how to configure Qubes OS to force all network traffic through a VPN, for when you are using the laptop away from home. This involves creating a VPN qube. If you never use Qubes OS away from home, you can [skip ahead to the next topic](/posts/qubes/#how-to-use-devices-like-usbs). Keep in mind that you will have to revert these changes before connecting to your home's "VPN Kill Switch" access point.
## Creating a VPN qube
For your VPN provider, we recommend either [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) or [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without [Monero](https://www.privacyguides.org/en/cryptocurrency/#monero).
To create a VPN qube, follow the guide for [the Mullvad app](https://privsec.dev/posts/qubes/using-mullvad-vpn-on-qubes-os/) or the [the IVPN app](https://forum.qubes-os.org/t/ivpn-app-4-2-setup-guide/23804). We'll assume that you named the new VPN qube `sys-vpn`. It will force all network traffic through the VPN before it reaches `sys-firewall`.
### Configure qubes that were using sys-firewall
### Configure non-Tor qubes that you will use
* Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Switch the default net qube from `sys-firewall` to `sys-vpn`.
* Then, go to debian-12-dvm's **Settings → Basic** tab and change the net qube to `sys-vpn`.
* Do the same for any other disposables or App qubes that were already created which used `sys-firewall` for their net qube.
* For any disposables or App qubes you will be using while away from your home Wi-Fi, go to their **Settings → Basic** tab and change the net qube from `sys-firewall` to `sys-vpn`. For example, make this change for debian-12-dvm.
* To not forget to revert the change, do so before shutting down the laptop.
To understand this configuration, it may help to visualize the qubes involved in networking for debian-12-dvm:
...
...
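Review bot: The reworded bullet under "Configure non-Tor qubes that you will use" only covers qubes the reader remembers to edit by hand, and the bullet that switched the default net qube in Qubes Global Settings to `sys-vpn` has no counterpart in the new wording. A qube created or started away from home with the default net qube would still route through `sys-firewall` and bypass the VPN. Consider stating that explicitly, or adding a Qube Manager check before going online. Also, "To not forget to revert the change, do so before shutting down the laptop" does not say what state to revert to; naming `sys-firewall` would remove the ambiguity. Wording nits: "if its running" should be "if it's running", and "or the [the IVPN app]" repeats "the".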
@@ -331,13 +330,12 @@ To understand this configuration, it may help to visualize the qubes involved in
| `sys-vpn` | The VPN qube you created | sys-firewall |
| debian-12-dvm | Your disposable Debian qube | `sys-vpn` |
### Configure Whonix-Gateway
### If you will use Whonix-Workstation, then configure sys-whonix
We recommend connecting to a VPN *before* connecting to Tor (i.e. [You → VPN → Tor → Internet](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-vpnssh-tor)) when you are using an Internet connection tied to your identity.
We recommend connecting to a VPN *before* connecting to Tor (i.e. [You → VPN → Tor → Internet](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-vpnssh-tor)) when you are using an Internet connection tied to your identity.
* To configure connecting to a VPN before connecting to Tor, go to sys-whonix's **Settings → Basic** tab and change the net qube to `sys-vpn`.
* If you are intentionally using an [Internet connection not tied to your identity](/posts/tails-best/#an-internet-connection-not-tied-to-your-identity), such as Wi-Fi at a random cafe, a VPN ties you to any other computer activity you've used it for (via your subscription). In this scenario, change sys-whonix's net qube back to `sys-firewall` (connect to Tor directly), or change sys-whonix's net qube to another VPN qube (`sys-vpn-2`) that uses a compartmentalized VPN subscription.
* As a last step, we will verify that only `sys-vpn` has its net qube set to `sys-firewall`. Go to **Applications menu → Qubes Tools → Qube Manager** and sort the entries by "Net qube" to make this easier.
* To configure connecting to a VPN before connecting to Tor, go to sys-whonix's **Settings → Basic** tab and change the net qube from `sys-firewall` to `sys-vpn`.
* To not forget to revert the change, do so before shutting down the laptop.
For more information on the rationale of this configuration, see [Privacy Guides](https://privacyguides.org/en/advanced/tor-overview/#safely-connecting-to-tor). Note that you should not connect to a VPN *after* Tor because this [breaks Stream Isolation](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-tor-x).
...
...
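Review bot: The bullet "As a last step, we will verify that only `sys-vpn` has its net qube set to `sys-firewall`" has no equivalent among the reworded sys-whonix bullets, so the section no longer ends with a check that nothing is bypassing the VPN. Since the configuration is now toggled every time the laptop leaves or returns home, a verification step matters more than before. Suggest keeping the Qube Manager "Net qube" sort as the final bullet, stated for both directions (away from home: only `sys-vpn` uses `sys-firewall`; at home: nothing uses `sys-vpn`).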
@@ -351,6 +349,8 @@ To understand this configuration, it may help to visualize the qubes involved in
| sys-whonix | The Whonix-Gateway qube | `sys-vpn` |
| whonix-workstation-17-dvm | A disposable Whonix-Workstation qube | sys-whonix |
Connecting to a VPN ties you to any other computer activity you've used it for (via your subscription). You can think of it as equivalent to connecting to a trustworthy Internet Service Provider. If you are intentionally using an [Internet connection not tied to your identity](/posts/tails-best/#an-internet-connection-not-tied-to-your-identity), such as Wi-Fi at a random cafe, leave sys-whonix's net qube set to `sys-firewall` (connect to Tor directly).
# How to Use Devices (like USBs)
To learn how to attach devices, let's format the empty USB or hard drive that will be used for backups. Attaching the USB to an offline disposable mitigates against [BadUSB attacks](https://en.wikipedia.org/wiki/BadUSB).
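Review bot: The paragraph beginning "Connecting to a VPN ties you to any other computer activity" is placed after the table, so a reader following the bullets will already have switched sys-whonix to `sys-vpn` before reaching the exception for an Internet connection not tied to their identity. Suggest moving it directly under the "If you will use Whonix-Workstation" bullets. The earlier wording also offered a second VPN qube (`sys-vpn-2`) with a compartmentalized subscription as an alternative to connecting to Tor directly; if dropping that option is intentional, it is worth a sentence in the commit message.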
A "home network" is the network that connects your devices to the Internet and each other. The "networking devices" that create this home network are called a router (specialized in "routing" network traffic from your devices to the Internet) and a hardware firewall (specialized in compartmentalizing your home network), although their functions overlap. For instance, routers usually also have some basic firewall capabilities. Another way of thinking about it is that a home network is the *"intranet"* sealed off by your network devices into a *private* network, in contrast to the *Internet* which is a *public* network accessible to anyone.
We recommend setting up your home network with a hardware firewall that runs the [OPNsense](https://www.privacyguides.org/en/router/#opnsense) operating system, paired with a router that runs the [OpenWrt](https://www.privacyguides.org/en/router/#openwrt) operating system. Although you can get by with just a router, a hardware firewall will enable a more secure set up. In this configuration, the OPNsense firewall does all of the heavy lifting, and the OpenWrt router is limited to the role of a "Wi-Fi Access Point" for your devices to connect to.
The security of your home network matters because a malicious network device can be [used to attack any devices that connect to it](https://hak5.org/products/wifi-pineapple) and [State-sponsored malware campaigns are known to compromise network devices](https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/).
# VPN Kill Switch
Your networking devices should be configured to force all network traffic through a reputable [VPN](/glossary/#vpn-virtual-private-network) — this puts your trust in your VPN instead of an inherently untrustworthy Internet Service Provider. As the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/) notes:
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks — especially those targeting messaging apps — more difficult to perform and less effective.
There are two ways you can run a VPN: from your laptop or phone with a Client app, or from your networking device. When using your laptop or phone from home, we recommend the latter because:
* A "VPN Kill Switch", which blocks non-VPN traffic, is [more effective](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#global-options-of-vpn-client) when the VPN runs from a networking device.
* An adversary that compromises your phone or laptop will need to also compromise the networking device in order to learn your public IP address — your phone or laptop will only know your VPN IP address.
* If all of the network traffic coming from your home runs through the same VPN server, this makes it more challenging for an adversary to perform traffic analysis.
You don't want to "double up" a VPN, so any laptops or phones running a VPN should disable it before connecting to the "VPN Kill Switch" access point. Alternatively, they can connect to a non-VPN access point that we'll optionally configure.
## VPNs and Tor
We recommend connecting to a VPN *before* connecting to Tor (i.e. [You → VPN → Tor → Internet](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-vpnssh-tor)) when you are using Tor from your home Internet connection. For more information on the rationale, see [Privacy Guides](https://privacyguides.org/en/advanced/tor-overview/#safely-connecting-to-tor).
This works perfectly when the VPN runs from your networking device — for instance, when you use Tor Browser on your laptop you will connect to a VPN before connecting to Tor, even though there is no VPN running on your laptop. In fact, this is the only way to connect to a VPN before Tor when using the Tails operating system.
# Configure the Hardware Firewall
This guide will assume that you'll set up a hardware firewall in tandem with a router, but you can skip ahead to the [appendix below](/posts/router/#appendix-configure-a-router-without-a-hardware-firewall) for the less secure option of using only a router.
The OPNsense operating system can be installed on a [variety of hardware](https://docs.opnsense.org/manual/hardware.html). [Protectli](https://protectli.com) sells firewall hardware that is easy to get started with. The '4 Port' models are sufficient for an apartment sized residence.
This guide will assume that you're using Protectli hardware (but it can be adapted to any OPNsense firewall), and that you're using Tails to set it up (but you could also set it up from Qubes OS).
# Configure the Router
The OpenWrt operating system can be installed on a variety of hardware — see their [compatability list](https://openwrt.org/toh/start). [GL-iNet](https://www.gl-inet.com/) sells affordable OpenWrt routers that are easy to get started with. The 'Travel' models are sufficient for an apartment sized residence.
This guide will assume that you're using a GL-iNet router (but it can be adapted to any OpenWrt router), and that you're using Tails to set it up (but you could also set it up from Qubes OS).
# Generate Tor Traffic Continuously
Generating extra Tor traffic continuously from your home Internet connection makes it more challenging for an adversary to perform traffic analysis. For example, if the only active device on your home network is a Tails session, an adversary will see VPN traffic, but its timing will still have some correlation with the Tor traffic of your activity. In contast, if Tor "cover" traffic is being generated that is unrelated to your activity, an adversary can no longer easily distinguish the traffic that matters for a [targeted correlation attack](/posts/tails-best/#non-targeted-and-targeted-correlation-attacks).
There are many ways to generate the Tor cover traffic. We recommend the AnarSec fork of Noisy, a simple Python script which provides randomized and continuous Tor traffic. For usage instructions, [see here](https://0xacab.org/anarsec/noisy).
There are two approaches you can take with Noisy:
1) Simply generate the cover traffic from the same machine you are using for your Tor activity (Qubes OS or Tails).
2) Use a dedicated machine to generate the cover traffic, that can be kept running while you are out of the house.
Which approach you take depends on what type of activity you are doing from your home Internet connection.
An adversary being able to see when you are *not* using the Internet is potentially a valuable metric. For example, let's say that you are the moderator for a website that has activity on a daily basis — in a given year, only 28 days had no activity. If these periods of inactivity happen to correlate with when there was also no activity on your home Internet connection, that's not good. If this type of traffic analysis would be relevant to the projects you do from your home Internet connection, choose the second approach.
## Noisy from a dedicated machine
You can run Noisy from a Raspberry Pi or mini-PC that stays permanently powered on, although it requires some Linux knowledge to set up. We recommend that you limit the traffic to the daytime — if it was 24/7, it could look like you're running an Onion Service.
# Appendix: Configure a Router without a Hardware Firewall
## First time setup
Start a Tails session, then follow the documentation for [first time setup](https://docs.gl-inet.com/router/en/4/faq/first_time_setup/):
* Use the Unsafe Browser to access the web Admin Panel (Tor Browser blocks connections to the local network).
* From Qubes OS, use any web browser other than Tor Browser.
* When prompted to create a new password for the web Admin Panel, use [KeePassXC](/posts/tails/#password-manager-keepassxc) to set a [strong password](/posts/tails-best/#passwords).
* Connect the router to the Internet [via an ethernet cable](https://docs.gl-inet.com/router/en/4/interface_guide/internet_ethernet/) from the WAN port of the GL-iNet router (Wide Area Network, i.e. the Internet) to the modem. You'll need to remove the router that you were previously using.
*[Enable the 5GHz Wi-Fi](https://docs.gl-inet.com/router/en/4/interface_guide/wireless/), change the SSID to something that doesn't leak router information (for our purposes, "Geologic-5G"), and set a strong Wi-Fi password. 5GHz is faster than 2.4GHz and it travels a shorter distance, so it will be harder to monitor from a van parked outside of your house.
*[Enable the 5GHz Guest Wi-Fi](https://docs.gl-inet.com/router/en/4/interface_guide/wireless/), change the SSID to something that doesn't leak router information (for our purposes, "Symphony-5G"), and set a strong Wi-Fi password.
## Obtain VPN configuration files
For your VPN provider, we recommend either [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) or [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without [Monero](https://www.privacyguides.org/en/cryptocurrency/#monero).
* From Tails, connect to the Wi-Fi you just set up, then use the Tor Browser to get the configuration files from [IVPN](https://docs.gl-inet.com/router/en/4/interface_guide/wireguard_client/#ivpn) or [Mullvad](https://docs.gl-inet.com/router/en/4/interface_guide/wireguard_client/#mullvad).
## Set up the VPN on the router
* Use the Unsafe Browser to login to the web Admin Panel of your router. Navigate to the VPN Dashboard.
* Under VPN Client, click **Set Up Now** beside WireGuard, then follow [the guide](https://docs.gl-inet.com/router/en/4/interface_guide/wireguard_client/#setup-wireguard-client).
* In [VPN Client Options](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#vpn-client-options) enable **IP Masquerading**.
* Click "Global Proxy" and change the [proxy mode](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#proxy-mode) to **Policy Mode: Based on the VLAN**. Enable the VPN on "Private", disable the VPN on "Guest". This means that "Geologic-5G" forces all network traffic through the VPN, and "Symphony-5G" doesn't. This way, devices running a VPN can connect to the Guest Wi-Fi to avoid a "doubled up" VPN.
* Click [Global Options](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#global-options-of-vpn-client) and enable **Block Non-VPN Traffic**.
* Test that the VPN is configured properly with the [Mullvad connection check](https://mullvad.net/en/check) or [IVPN status](https://www.ivpn.net/) using the Unsafe Browser.
* If you will be connecting to the router via an ethernet cable to the LAN port (Local Area Network, i.e. your home network), also test that.
* Verify that the router [firmware is set to automatically update](https://docs.gl-inet.com/router/en/4/interface_guide/firmware_upgrade/).
## Using the router
* On Tails, connect to the router via Wi-Fi with "Geologic-5G" or via ethernet to a LAN port (this will also use the "Private" VLAN). The network traffic from your Tails laptop now connects to a VPN *before* connecting to Tor.
* On other devices, connect to "Geologic-5G" if there is no VPN client app running on the device, and "Symphony-5G" if there is.
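Review bot: The new page recommends an OPNsense firewall paired with an OpenWrt router, but "Configure the Hardware Firewall" and "Configure the Router" stop after stating the hardware assumptions, so the only actionable steps are in the appendix for what the page calls "the less secure option". Either add the OPNsense steps (VPN client, kill switch, VLAN for the non-VPN access point) or mark those sections as not yet written. Likewise, "We recommend that you limit the traffic to the daytime" under "Noisy from a dedicated machine" gives no hint how to do that. The "For your VPN provider, we recommend" paragraph is now duplicated verbatim between this page and the Qubes post; linking to one copy would keep them from drifting. Nits: "compatability" should be "compatibility", "In contast" should be "In contrast", and the two `*[Enable the 5GHz` bullets need a space after `*` to render as list items.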
@@ -98,7 +98,7 @@ When using Wi-Fi in a public space, keep the following operational security cons
If you need to regularly use the Internet for projects like moderating a website or hacking, going to a new Wi-Fi location after doing surveillance countermeasures might not be realistic on a daily basis. Additionally, a main police priority will be to seize the computer while it is unencrypted, and this is much easier for them to achieve in a public space, especially if you are alone. In this scenario, the ideal mitigation is to **use a Wi-Fi antenna positioned behind a window in a private space to access from a few hundred metres away** — a physical surveillance effort won't observe you entering a cafe or be able to easily seize your powered-on laptop, and a digital surveillance effort won't observe anything on your home Internet. To protect against [hidden cameras](https://www.notrace.how/earsandeyes), you should still be careful about where you position your screen.
If a Wi-Fi antenna is too technical for you, you may even want to **use your home internet** for some projects that require frequent internet access. This contradicts the previous advice to not use an Internet connection that is tied to your identity. It's a trade-off: using Tor from home avoids creating a physical footprint that is so easy to observe, at the expense of creating a digital footprint which is more technical to observe, and may be harder to draw meaningful conclusions from. There are two main deanonymization risks to consider when using your home internet: that the adversary deanonymizes you through a Tor correlation attack, or that they deanonymize you by hacking your system (such as through [phishing](/posts/tails-best/#phishing-awareness)) which [enables them to bypass Tor](/posts/qubes/#when-to-use-tails-vs-qubes-os). To make both of these attacks more difficult, we recommend connecting to a VPN *before* connecting to Tor when using Tails from home — see the [appendix](/posts/tails-best/#appendix-setting-up-a-vpn-on-a-router).
If a Wi-Fi antenna is too technical for you, you may even want to **use your home internet** for some projects that require frequent internet access. This contradicts the previous advice to not use an Internet connection that is tied to your identity. It's a trade-off: using Tor from home avoids creating a physical footprint that is so easy to observe, at the expense of creating a digital footprint which is more technical to observe, and may be harder to draw meaningful conclusions from. There are two main deanonymization risks to consider when using your home internet: that the adversary deanonymizes you through a Tor correlation attack, or that they deanonymize you by hacking your system (such as through [phishing](/posts/tails-best/#phishing-awareness)) which [enables them to bypass Tor](/posts/qubes/#when-to-use-tails-vs-qubes-os). To make both of these attacks more difficult, we recommend connecting to a VPN *before* connecting to Tor (i.e. [You → VPN → Tor → Internet](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-vpnssh-tor)) when using Tails from home, which requires running the VPN from your networking device (either a router or a hardware firewall). For more information on the rationale, see [Privacy Guides](https://privacyguides.org/en/advanced/tor-overview/#safely-connecting-to-tor).
#### To summarize
...
...
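Review bot: The rewritten sentence says that connecting to a VPN before Tor "requires running the VPN from your networking device (either a router or a hardware firewall)" but no longer links to any setup instructions, whereas the previous wording pointed to the appendix. Suggest linking "networking device" to the new router post (the `/posts/router/` path used elsewhere in this change) so Tails readers can find the steps.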
@@ -374,52 +374,3 @@ Now we know that we have a genuine version of the Tails public key. `gpg` also
Now that we know that we have a genuine version of the Tails .img file, we can proceed to install it on a USB.
# Appendix: Setting up a VPN on a Router
When using the Internet from home, it is best to use a [VPN](/glossary/#vpn-virtual-private-network) for all network traffic — this puts your trust in your VPN instead of an inherently untrustworthy Internet Service Provider. We recommend connecting to a VPN *before* connecting to Tor (i.e. [You → VPN → Tor → Internet](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-vpnssh-tor)) when you are using Tor from your home Internet connection. For more information on the rationale, see [Privacy Guides](https://privacyguides.org/en/advanced/tor-overview/#safely-connecting-to-tor).
For your VPN provider, we recommend either [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) or [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without [Monero](https://www.privacyguides.org/en/cryptocurrency/#monero).
There are two ways you can run a VPN: from your laptop or from your router. You don't want to "double up" a VPN so if its running on your router, it shouldn't be running on your laptop, and vice-versa.
On Tails, it is only possible to connect to a VPN before Tor by configuring a VPN on your router (or for more technical users, on your [hardware firewall](https://www.privacyguides.org/en/router/#opnsense)).
## Configure the router
We recommend using a router that runs the [OpenWrt](https://www.privacyguides.org/en/router/#openwrt) operating system. [GL-iNet](https://www.gl-inet.com/) sells affordable OpenWrt routers that are easy to use — the 'Travel' models are sufficient for an apartment sized residence. This guide will assume that you're using a GL-iNet router, and that you're using Tails to set it up, but you could also set it up with Qubes OS.
### First time setup
Start a Tails session, then follow the documentation for [first time setup](https://docs.gl-inet.com/router/en/4/faq/first_time_setup/):
* Use the Unsafe Browser to access the web Admin Panel (Tor Browser blocks connections to the local network).
* From Qubes OS, use any web browser other than Tor Browser.
* When prompted to create a new password for the web Admin Panel, use [KeePassXC](/posts/tails/#password-manager-keepassxc) to set a [strong password](/posts/tails-best/#passwords).
* Connect the router to the Internet [via an ethernet cable](https://docs.gl-inet.com/router/en/4/interface_guide/internet_ethernet/) from the WAN port of the GL-iNet router to the modem. You'll need to remove the router that you were previously using.
*[Enable the 5GHz Wi-Fi](https://docs.gl-inet.com/router/en/4/interface_guide/wireless/), change the SSID to something that doesn't leak router information (for our purposes, "Geologic-5G"), and set a strong Wi-Fi password. 5G is faster than 2.4G and it travels a shorter distance, so it will be harder to monitor from a van parked outside of your house.
*[Enable the 5GHz Guest Wi-Fi](https://docs.gl-inet.com/router/en/4/interface_guide/wireless/), change the SSID to something that doesn't leak router information (for our purposes, "Geologic-5G-GUEST"), and set a strong Wi-Fi password.
### Obtain VPN configuration files
* From Tails, connect to the Wi-Fi you just set up, then use the Tor Browser to get the configuration files from [IVPN](https://docs.gl-inet.com/router/en/4/interface_guide/wireguard_client/#ivpn) or [Mullvad](https://docs.gl-inet.com/router/en/4/interface_guide/wireguard_client/#mullvad).
### Set up the VPN on the router
* Use the Unsafe Browser to login to the web Admin Panel of your router. Navigate to the VPN Dashboard.
* Under VPN Client, click **Set Up Now** beside WireGuard, then follow [the guide](https://docs.gl-inet.com/router/en/4/interface_guide/wireguard_client/#setup-wireguard-client).
* In [VPN Client Options](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#vpn-client-options) enable **IP Masquerading**.
* Click "Global Proxy" and change the [proxy mode](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#proxy-mode) to **Policy Mode: Based on the VLAN**. Enable the VPN on "Private", disable the VPN on "Guest". This means that "Geologic-5G" forces all network traffic through the VPN, and "Geologic-5G-GUEST" doesn't. This way, devices running a VPN can connect to the Guest Wi-Fi to avoid a "doubled up" VPN.
* Click [Global Options](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#global-options-of-vpn-client) and enable **Block Non-VPN Traffic**. This feature is also known as a VPN Kill Switch, and it is especially effective when the VPN runs on a router.
* Test that the VPN is configured properly with the [Mullvad connection check](https://mullvad.net/en/check) or [IVPN status](https://www.ivpn.net/) using the Unsafe Browser.
* Verify that the router [firmware is set to automatically update](https://docs.gl-inet.com/router/en/4/interface_guide/firmware_upgrade/).
### Using the router
* On Tails, connect to "Geologic-5G". The network traffic from your Tails laptop now connects to a VPN *before* connecting to Tor.
* On other devices, connect to "Geologic-5G" if there is no VPN client app running on the device, and "Geologic-5G-GUEST" if there is.
## Generating traffic when you're not home
At this point, an adversary looking at the network traffic leaving your house will only see VPN traffic. However, they will still be able to see when you are *not* using the Internet, which could be a valuable metric. For example, let's say that you are the moderator for a website that has activity on a daily basis — in a given year, only 28 days had no activity. If these periods of inactivity happen to correlate with when there was also no activity on your home Internet connection, that's not good.
If this type of traffic analysis would be relevant to the projects you do from home, you can generate Tor traffic when you're out of the house. We recommend running [Noisy](https://0xacab.org/anarsec/noisy) from a Raspberry Pi or mini-PC that stays permanently powered on, although it requires some Linux knowledge to set up.
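Review bot: Removing "# Appendix: Setting up a VPN on a Router" also removes the `#appendix-setting-up-a-vpn-on-a-router` anchor, which this same change had to update in two places, so check for remaining inbound links in other posts and translations. A short stub heading that points to the router post would keep external links working. Note that the guest SSID changes from "Geologic-5G-GUEST" to "Symphony-5G" in the moved text; readers who followed the old appendix will not find their SSID in the new instructions, which may deserve a line in the changelog.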