Need advice for buying a mobile

id570

Hey GrapheneOS,

I use a Pixel 8 with GrapheneOS every day.

I need a new phone just for a Wi-Fi hotspot with a VPN—nothing else, (ClayxOS or LineageOS have this feature.)

Can you suggest a good phone with no heating issues and a strong battery for full-time hotspot use?

I don't want to spend on a latest model like Pixel 8 just for a hotspot.

Must-have features: VPN kill switch and Wi-Fi hotspot with VPN. 5G support preferred.

Threat model: i want to post against govt. On social media platform. I'm in a country where it's not safe to post against the government. Any recommendations?

other8026

id570 just an FYI, if you are connecting via the hotspot, that traffic will not be routed through the VPN. You'd have to connect to a VPN from the other device.

I'm not sure about your main question though. Maybe a 7a would fit your needs.

[deleted]

id570 As already stated, your plan will not work. You will have to put a VPN on the device you are interacting with the internet from in order to receive the benefits from it.

A word on VPN's, they do not make you anonymous, they offer privacy and security. For a VPN to be anonymous you would need the following: a VPN account that is set up anonymously (it was given an alias name (if required), an alias email (that was created anonymously), and the VPN must be funded anonymously. EVEN IF you do these things, you must understand that the VPN provider can still see your public IP address from wherever you are connecting from, so to make it truly anonymous, you would need to use an internet source that is anonymous (anonymously setup home network, mobile hotspot, or public wifi). With VPN's you are trading trust from your ISP to the VPN provider. I think they are great tools and are definitely better than nothing, but people need to understand the limitations of the technology and choose their VPN provider very carefully.

For your threat model, I recommend you use Tor (torproject.org). Your exact user case is one of the main reasons the Tor Project endorses their network. It is decentralized, encrypyted internet. It is the best privacy tool that is available to civilians. There are still limitations and ways to be de-anonymized while using Tor, so please do your research on the literature. Also know, that if you are the only one using Tor on the sites you are connecting to that it does make you stand out. Additionally, the ISP will see that you are using Tor, Tor has thought of this and has implemented bridges and pluggable transports to help obscure the fact that you are using Tor. Please go on their site and read their literature: https://tb-manual.torproject.org/about/ and https://support.torproject.org/

Your threat model my also warrant you using Tails (tails.net). Tails ships with Tor Browser and is (arguably) the easiest way to use Tor since it is already setup and installed; you also gain all of the added benefits of Tails. Please research their literature as well.

Know to that anytime you use a hotspot or cell phone (with a SIM), you are connecting to cell towers. Even if your setup is perfectly anonymous in everyway, you are still being tracked by the mobile network. Understand that means it's pinging your location as you mnove around from day to day AND WHERE YOU SLEEP. Take this into consideration and know when you should cut cell tower connection to avoid burning your location in sensitive locations.

There are tons of other considerations, please make sure you take the time to research, understand the limitations of the technology you are using, and create a plan on how you are going to manage your OPSEC. I don't know where you live, but in certain places in this world under certain governments your OPSEC is nothing to take lightly. Know too, that even with good OPSEC, if you are being targeted by a government and it's unending resources, there is always a risk.

Understand that intelligence gathering and tracking comes in many different ways, not just related to your online presence. Physical surveillance, Financial surveillace, Vehicle movement with ALPRs, CCTV, Self registration of services (when you sign up for things), Talking too much, Tip offs, Cross platform tracking via multiple online accounts, all the way down to the analysis of language (linking multiple accounts by your style of writing), etc and so on.

Some tools I recommend you research and possibly implement:

Secure e2ee messaging app: https://www.signal.org/
Privacy focused OS for sensitive tasks: tails.net
Mobile service that does not require ID verification: Mint Mobile
VPN: ProtonVPN
Password Manager: keepassxc.org
VOIP numbers: mysudo (may not be available in your country), look for other VOIP providers that are.
Protonmail (UNDERSTAND THE LIMITATIONS OF EMAIL, AND HOW TO USE IT), Proton can be forced under law to release email information, but it is still light years better than gmail or some spyware equivalent
Daily driver computer OS (linux): Pop!_Os https://pop.system76.com/ (ships with full disk encryption)
Alias email forwarding: simplelogin.io
GrapheneOS (obviously)
Kleopatra (pgp encryption for files and communication): Ships with Tails OS listed above
Yubico yubikey (2FA): https://www.yubico.com/

"surveillance self defense" (electronic frontier foundation): Read their guides.
https://ssd.eff.org/

"digital security guides" (Tor Project):
https://community.torproject.org/training/digital-security-guides/

"digital safety kit" (committee to protect journalists):
https://cpj.org/2019/07/digital-safety-kit-journalists/

Encrypt everthing and do not use biometrics to unlock devices. I've only scratched the surface.

If you have any questions,

cheers.

papyrus9914

id570 IVPN has some great privacy guides that aren't specific to their service, though I'd recommend them. Make sure you test your VPN for leaking once you think it's set up correctly, they have a guide for that.

https://www.ivpn.net/privacy-guides/

raccoondad

id570 about your threat model: "I'm in a country where it's not safe to post against the government"

Something I want to mention, most privacy/anonymity software leaves 'stink' local governments can pick up on. While the traffic (including destination) is concealed, if your local government gets an idea that you are 'ideologically problematic' they might pick up on the 'stink' (you connecting to Tor nodes/known VPN IPs) and take action.

I would suggest making sure your IRL identity is non-suspect. Stink is common, but could make you look more guilty.

I'd suggest running a hidden service rather than social media as well, most social media platforms will treat you poorly for using a VPN when signing up. You could then link your hidden service on social media without fear of take downs.

You could also purchase a cheap VPS and domain with crypto (assuming its legal in your country to own) and use that as a public site. Otherwise plenty of services would be happy to have you for free since its activist work (possibly riseup?)

Regardless, keep safe and good luck :) Any questions feel free to ask. I know from experience activism is a scary ass thing, even online.

id570

other8026

CalyxOS have feature to use WIFI hotspot with vpn, so If I enable VPN in mobile I can share it with hotspot, I will use a separate mobile which have always on vpn with WIFI hotspot enable, that hotspot I am planning to use with my current mobile and laptop.

looking for a good mobile that will not heat much when use wifi hotspot.

let me know if any confusion, I will clear it

protonuser2

other8026 I was just about to comment this. I tried this myself- I had a Pixel 8 Running on proton VPN, I turned hotspot on, connected from my other phone, and check its IP, and it was showing up as my current location IP!

Anyone with more experience have any insight as to why this is the case?

It is logical to think that anyone connected to a hotspot with a VPN turned on would route all connections through the VPN.

In fact, I also know that I had VPN killswitch enabled on my phone running the vpn and hotspot. How is it possible that this wasnt working to route all traffic through vpn, or at least block it?

[deleted]

protonuser2 before you connect to hotspot that runs under VPN make sure that the device that is connecting has also installed and active always on, block connections without VPN. Then check your IP and both devices will show IP of your VPN provider.

Carlos-Anso

protonuser2 This is the expected behavior on GrapheneOS and the way it works in AOSP. Devices connected via hotspot are not routed via any VPN running on the device providing the hotspot.

In this case if you want other devices connected to be routed via a VPN you need to set up the VPN on them.

de0u

protonuser2 It is logical to think that anyone connected to a hotspot with a VPN turned on would route all connections through the VPN.

In fact, I also know that I had VPN killswitch enabled on my phone running the vpn and hotspot. How is it possible that this wasnt working to route all traffic through vpn, or at least block it?

Each user profile can use a different VPN, which may or may not be running, or none, but the hotspot is not tied to a user profile, so its packets are not run through any user profile's VPN. See: https://github.com/GrapheneOS/os-issue-tracker/issues/30