Tor (and VPN) on GrapheneOs

Ddhhdjbd · 2025-03-22T13:03:55+00:00

While my personal threat model is not high, i am more like paranoid as a hobby, i am not sure what i would recommend someone who has a high threat model.

I mean a VPN should not really be seen as anoym (https://discuss.grapheneos.org/d/770-tor-over-vpn/6)

Still i think it is more trustworthy than an ISP, since you can atleast choose who can see this data.
Furthermore since for example mullvad offers DAITA, this might be able to help further obfuscate that someone uses tor (from a spying isp by analysing the vpn data)

tor itself has the well know problem, that attackers owning the used nodes, could identifiy users.
which further makes me believe that it would be more reasonable to use a vpn + tor

But i do not see that this is really archivable currenty since the options to use tor are mostly Orbot and the tor browser.

Orbot is just a tor, without a vpn.
And tor browser does not seem that secure (https://discuss.grapheneos.org/d/14146-is-tor-browser-more-save-on-graphene-than-on-stock-android/2)

And this doesnt even include potentional fingerprinting concerns.

So i am wondering if users who need that level of anonymity should better use something else than grapheneOs. But at the same time as far as i know there is nothing more secure.

Or does someone know of solution for this, since i could not find a well implemented solution for it.
And does someone know if there are long term plans exist to solve this, like i heard vanadium should offer tor support at some point? Or other projects.
Is this something that the virtualisation features will help with?

What would you recommend for someone with a need for anonimity like this?

( since i feel like since https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/ even italy is spying on activists, who help with refugees. And further considering what is going on in the us, i feel like the caution is warrented for activists)

Ddhhdjbd · 2025-03-22T13:07:20+00:00

I am especially wondering about how to post anonym to social media networks.

(Since masseges should be secure by using signal or molly, not even a vpn is needed here, noone should be able to spy on this)

00xsigsev · 2025-03-22T13:28:58+00:00

dhhdjbd am not sure what i would recommend someone who has a high threat model

You should not try to advise them anything but reaching out to a professional. I understand that 'being a target' may seem 'cool' with everything that's happening in media right now, but vast majority of people who claim have a 'high treat model's or 'were hacked' etc have really no idea what they're talking about, and correlate things which simply are not there in the first place..

Just use the phone as you'd normally do, and don't overcomplicate your everyday usage.. Security needs to be balanced with usability otherwise you'll quickly drop it because you won't be even able to do a simple things with your phone.

Ddhhdjbd · 2025-03-22T13:40:12+00:00

0xsigsev
So you mean my understanding of who has a high threat modell is basically just wrong?

like that people who should be concerned about this have like a relevant position in an NGO, a great following or might even run some kind of collaborating network or whatever...

and that people who just post "radical" opinions online should not be concerned with that level of anonymity?

geniuly curiouse

redwheelbarrow · 2025-03-22T13:44:59+00:00

0xsigsev I would agree with the initial reply also. If it's a passion project for you, then learn the internals of certain privacy projects, tinker, implement, iterate.

Throwing vague mentions of Tor being insecure and TCAs (Traffic Correlation Attacks) being trivial with current onion protocols is just false. Nothing is 100% secure and everything has a weak spot - known or unknown - but simply suggesting these in the context of adding another who's life may be in danger is reckless.

Aargante · 2025-03-22T13:55:34+00:00

dhhdjbd tor itself has the well know problem, that attackers owning the used nodes, could identifiy users.
which further makes me believe that it would be more reasonable to use a vpn + tor
(...)
Orbot is just a tor, without a vpn.

This is not true. Tor has the ability to use bridges, which play a role similar to vpn+tor. So there is no need to use vpn+tor.

However, it makes some sense to use tor+socks5 proxy (socks5 placed after the tor exit). This allows you to hide from the target server that you are using tor.

Ddhhdjbd · 2025-03-22T14:01:50+00:00

redwheelbarrow sorry so you mean that the "problems" i keep hearing about Tor (like in the second link i posted) basically always describe very sophosticated attacks?

I think i am a bit confused about the security concerns regarding tor, and who should be concerned about this, would someone mind to explain please or knows a good resource

(And i just want to add i did not actually plan to advise someone who would be in danger like this)

Ddhhdjbd · 2025-03-22T14:07:03+00:00

argante This is not true. Tor has the ability to use bridges, which play a role similar to vpn+tor. So there is no need to use vpn+tor

So these concerns (https://discuss.grapheneos.org/d/10323-vpn-to-tor-with-everything-routed-through-tor/4)
Are unfounded and setting up a bridge is basically the solution for this?

redwheelbarrow · 2025-03-22T14:09:23+00:00

dhhdjbd Thank you for clarifying.

What I'm "saying" is that the biggest concern for the average person's privacy and security is their Opsec. By all means, delve into the nitty gritty of some of the novel attack vectors, proof-of-concepts, and fascinating security research - some of the things I've read have been mind-boggling!

Do not however think that these edge cases need to be a primary concern for yourself or others. Focus on the basics and layer your defense over time as you learn, grow, and your needs change. Try and keep your questions more specific so as not to leave them so open-ended as to start an opinion war - which hurts everyone on the platform.

Lastly, privacy and security is a sliding scale; nothing is 100% secure or private. Ever. Period. You just are always striving to be the best you can be, based on your knowledge, experience, and needs.

All the best,

redwheelbarrow · 2025-03-22T14:11:09+00:00

dhhdjbd To be frank, I'm busy with my daughter at the moment and cannot make the time commitment to follow through with the articles and a response here. Apologies!

Ddhhdjbd · 2025-03-22T14:14:56+00:00

redwheelbarrow

Thank you for your advice, no worrys.
I think i understand what you mean and will try to approach it all more like this :D

redwheelbarrow · 2025-03-22T14:18:42+00:00

dhhdjbd With that attitude, you are already ahead of most newcomers to this space. Welcome, friend.

Stay humble, and stay safe!