[Edited 2024-03-21] "Security, Privacy and Anonymity in Linux Mint" Guide.


Re: [Edited 2023-09-18] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by Shorten3353 »

Thank you very much.
Very useful:)

Re: [Edited 2023-10-24] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by MikeNovember »

Hi,

Updated on 2023-10-24, see viewtopic.php?p=2334665#p2334665.

Regards,

MN
_____________________________
Linux Mint 21.3 Mate host with Ubuntu Pro enabled, VMware Workstation Player with Windows 10 Pro guest, ASUS G74SX (i7-2670QM, 16 GB RAM, GTX560M with 3GB RAM, 1TB SSD).

Re: [Edited 2023-11-06] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by MikeNovember »

Hi,

Updated on 2023-11-06, see viewtopic.php?p=2334665#p2334665.

Regards,

MN

Re: [Edited 2023-11-06] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by ReyMysterio »

Thank you for this. But it's missing the one thing I'm looking for.

Can you please add a guide on how to set up a VPN killswitch in general, neutral of the VPN provider. People in the privacy community usually recommend the use of iptables or ufw, and recommend against relying on the killswitch provided by VPN clients, as you suggest doing in the guide.

Could you include whether the use of iptables/ufw in conjunction with the VPN client killswitch would add extra security, or may it cause complications?

And also, could you include how to enable split-tunneling so select applications/browsers can bypass the VPN. Most users will need to disable VPN for some activities, and I believe the foolproof way of doing this is to have a separate browser which bypasses the VPN, and is used only for these specific activities.

I think this would be a great addition to the guide. For those in heavily surveilled countries, it is essential to have a robust kill-switch.

Re: [Edited 2023-11-06] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by MikeNovember »

ReyMysterio wrote: Wed Nov 29, 2023 12:50 am
> Thank you for this. But it's missing the one thing I'm looking for.
>
> Can you please add a guide on how to set up a VPN killswitch in general, neutral of the VPN provider. People in the privacy community usually recommend the use of iptables or ufw, and recommend against relying on the killswitch provided by VPN clients, as you suggest doing in the guide.
>
> Could you include whether the use of iptables/ufw in conjunction with the VPN client killswitch would add extra security, or may it cause complications?
>
> And also, could you include how to enable split-tunneling so select applications/browsers can bypass the VPN. Most users will need to disable VPN for some activities, and I believe the foolproof way of doing this is to have a separate browser which bypasses the VPN, and is used only for these specific activities.
>
> I think this would be a great addition to the guide. For those in heavily surveilled countries, it is essential to have a robust kill-switch.

Hi,

A firewall will work in any case, whatever you use (normal connection, Tor network, VPN...). So, if you block incoming connections with UFW they will be blocked for all your connection kinds.

I have not spoken of VPNs in general but only of Proton VPN.
(Because of its no log policy, the possibility to use it freely, and to pay with bitcoins)
I addressed most of your points in the appendix related to Proton VPN:

- I don't recommend the use of kill switch because it can cause problems (though I explain how to cope with them). In my opinion, it doesn't offer any sizeable security: it would block internet connection if VPN connection fails. This may occur very seldom, so you can use kill switch when you think your privacy is at high risk. Enabling or disabling kill switch is in Proton VPN GUI. For more privacy, use Tor in Proton VPN (you connect with Proton VPN, then use Tor Browser or Mullvad Browser on Tor Network, you have a double anonymity layer).

- Split tunneling is not in Linux Proton VPN GUI because it is included in... Linux! I have mentioned a way to print to a printer on Wi-Fi LAN. With Proton VPN running you have access to your local network. [this should be the same with other VPNs, though I have not tested it].

- Proton VPN can be disabled with the icon in the taskbar. If you need to disable / enable Proton VPN very often, you can use the paid version, with a browser extension.

Regards,

MN

Re: [Edited 2023-11-06] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by ReyMysterio »

I see. I am using Mullvad as it ticks all the boxes you mention, except for the free option. The GUI allows for split tunneling.

I would like to know why the VPN client killswitch is as reliable in preventing IP address leakage as the iptables or ufw. Otherwise it is kind of just one person's word against the next.

Many sites are blocked on Tor, including this.

Also, specifically to Mint - there is the option in the Network Connections GUI, MyWifi, General - to "automatically connect to VPN". I wonder if this would amount to an OS level killswitch, as in could I rely on that box being ticked to ensure I don't leak my IP address. I notice however, the drop down box to the right is blank in spite of me having Mullvad installed.

(also, in my prior post I may have misused the word security. I meant reliability in ensuring IP address is not leaked)

Re: [Edited 2023-11-06] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by MikeNovember »

ReyMysterio wrote: Wed Nov 29, 2023 2:53 pm
> I see. I am using Mullvad as it ticks all the boxes you mention, except for the free option. The GUI allows for split tunneling.

Hi,
As I said, split tunneling is enabled in Linux and does not need to be in a GUI. With Proton VPN, and others, you can access your local network, this is called split tunneling.

> I would like to know why the VPN client killswitch is as reliable in preventing IP address leakage as the iptables or ufw. Otherwise it is kind of just one person's word against the next.

Firewalls and kill switch are two different beasts: firewalls allow controlling your incoming or outgoing connections, while kill switch stops any internet connection when the VPN connection falls down, and prevents your true IP address from being shown.

> Many sites are blocked on Tor, including this.

That's right, there are some 2000 computers in Tor network acting as internet relays; they are identified, and easy to block. Linux Mint is protected by Sucuri, and Sucuri blocks Tor. Main use of Tor is to browse the Darknet, not the Clearnet...

> Also, specifically to Mint - there is the option in the Network Connections GUI, MyWifi, General - to "automatically connect to VPN". I wonder if this would amount to an OS level killswitch, as in could I rely on that box being ticked to ensure I don't leak my IP address. I notice however, the drop down box to the right is blank in spite of me having Mullvad installed.

I don't know how this works, I don't use it and can't comment.

> (also, in my prior post I may have misused the word security. I meant reliability in ensuring IP address is not leaked)

So, you meant privacy...

Regards,

MN

Re: [Edited 2024-01-21] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by MikeNovember »

Hi,

Today I have updated the Guide to revision 25.

See: viewtopic.php?p=2334665#p2334665

Regards,

MN

Re: [Edited 2024-01-21] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by mmm »

How secure is Anydesk when using MINT to help a remote friend?

Re: [Edited 2023-11-06] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by sylvain1_ »

MikeNovember wrote: Thu Nov 30, 2023 1:19 pm
> ReyMysterio wrote: Wed Nov 29, 2023 2:53 pm
> > I see. I am using Mullvad as it ticks all the boxes you mention, except for the free option. The GUI allows for split tunneling.
>
> Hi,
> As I said, split tunneling is enabled in Linux and does not need to be in a GUI. With Proton VPN, and others, you can access your local network, this is called split tunneling.
>
> > I would like to know why the VPN client killswitch is as reliable in preventing IP address leakage as the iptables or ufw. Otherwise it is kind of just one person's word against the next.
>
> Firewalls and kill switch are two different beasts: firewalls allow controlling your incoming or outgoing connections, while kill switch stops any internet connection when the VPN connection falls down, and prevents your true IP address from being shown.
>
> > Many sites are blocked on Tor, including this.
>
> That's right, there are some 2000 computers in Tor network acting as internet relays; they are identified, and easy to block. Linux Mint is protected by Sucuri, and Sucuri blocks Tor. Main use of Tor is to browse the Darknet, not the Clearnet...
>
> > Also, specifically to Mint - there is the option in the Network Connections GUI, MyWifi, General - to "automatically connect to VPN". I wonder if this would amount to an OS level killswitch, as in could I rely on that box being ticked to ensure I don't leak my IP address. I notice however, the drop down box to the right is blank in spite of me having Mullvad installed.
>
> I don't know how this works, I don't use it and can't comment.
>
> > (also, in my prior post I may have misused the word security. I meant reliability in ensuring IP address is not leaked)
>
> So, you meant privacy...
>
> Regards,
>
> MN

Using Tor when on the clearnet is absolutely essential in 2024. This is explained in viewtopic.php?p=2423130#p2423130. It is also what Edward Snowden does. Read Permanent Record for more information.

How similar is your guide to https://anonymousplanet.org/guide.html?

Do you recommend the use of Dangerzone to clean potentially dangerous pdfs? https://dangerzone.rocks/

Have you considered throwing your guide into a torrent, so that other people can help you host it?

Re: [Edited 2023-11-06] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by MikeNovember »

sylvain1_ wrote: Mon Jan 29, 2024 10:37 pm
> Using Tor when on the clearnet is absolutely essential in 2024. This is explained in viewtopic.php?p=2423130#p2423130. It is also what Edward Snowden does. Read Permanent Record for more information.
>
> How similar is your guide to https://anonymousplanet.org/guide.html?
>
> Do you recommend the use of Dangerzone to clean potentially dangerous pdfs? https://dangerzone.rocks/
>
> Have you considered throwing your guide into a torrent, so that other people can help you host it?

Hi,

Tor in the clearnet has two disadvantages:
- There are a lot of Tor users, few Tor internal relays, and very few (some two thousand) Tor internet relays; so, Tor is slow, and Tor browsing internet Clearnet is still slower.
- The Tor internet relays are well known and identified, and it is easy for a website manager to block them. This forum is protected by Sucuri, and Sucuri blocks (most of? all?) Tor internet relays, since they are very often misused.

The use of HTTPS connections whenever it is possible, and the use of encrypted DNS requests to public DNS servers (not to your ISP's ones) are already a strong improvement.

The use of a non-logging VPN such as Proton VPN is a faster alternative to Tor, without the risk of being blocked.
Proton VPN is based in Switzerland (not in USA), and won a trial several years ago: it is not considered as an ISP, has no logging obligation, and doesn't log the use of the VPN. So, even with a request from Swiss justice, Proton VPN could not reveal anything about its use or its users. You can use the free option, or the paid one and pay with bitcoins.

And, browsing the Darknet, I use Tor and Proton VPN. This adds an extra layer of tunneling above Tor's.

Tor, like Proton VPN or any other VPN, may have security breaches. In the past some Tor breaches have been exploited. Users should always use the latest versions of Tor or of the VPN they use.

I don't know the guide you mention, I wrote mine from a blank page, as a security analysis (threats / prevention / detection / pre-established arrangements). I will take a look at the guide you mention.

Furthermore, I don't know Dangerzone. What I recommend for PDFs is:
- Use Virus Total.
- Don't open them by double-clicking but by launching your PDF reader and opening the PDF file (general recommendation for all attachments or downloads).

My guide is now on archive.org, it will survive me!

Regards,

MN

Re: [Edited 2024-01-21] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by HappyWarrior »

Wow! Thank you!

Re: [Edited 2024-03-21] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by MikeNovember »

Hi,

I have updated the Guide to revision 26, see the 1st message of this thread.

Regards,

MN

Re: [Edited 2024-03-21] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by christophe14 »

Hi @MikeNovember,

First of all, thanks for making this guide and for sharing it with the community.

Considering Rev 26, I am not sure I completely understand the NB added after DNS over TLS in 4.11.

It is mentioned:
"NB: systemd-resolved works differently with Linux Mint 20.x / Ubuntu Focal and Linux Mint 21.x / Ubuntu Jammy. In the second case, if DNS servers are mentioned in resolved.conf, the DNS servers mentioned in your network settings will not be taken into account; and, if no DNS server is mentioned in resolved.conf, the DNS mentioned in your network settings will be used, and DNS over TLS will work if those servers accept it."

So, in case of Linux Mint 21.x/Ubuntu Jammy, it means if the DNS servers are both mentioned in resolved.conf and network settings, the DNS used will be taken from resolved.conf.
And if DNSOverTLS is set to opportunistic in resolved.conf, DNS over TLS will be used. Is this right?

Now, "and, if no DNS server is mentioned in resolved.conf, the DNS mentioned in your network settings will be used, and DNS over TLS will work if those servers accept it."
"DNS over TLS will work if those servers accept it" is only true if DNSOverTLS is set to opportunistic in resolved.conf. Is this right?

But then what is different in Linux Mint 20.x / Ubuntu Focal?

Thanks.

Re: [Edited 2024-03-21] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by MikeNovember »

Hi,

I probably need to reformulate it:
- With Linux Mint 20.x, if you have set different DNS servers in your network settings and in resolved.conf, and if you have set resolved.conf to use DNS over TLS, the servers mentioned in network settings and in resolved.conf will be used.
- In the same case, with Linux Mint 21.x, the only servers used will be the ones mentioned in resolved.conf, the ones in your network settings will be ignored.

With both versions, if servers are mentioned only in resolved.conf, they will be used.

With Linux Mint 21.x, if servers are mentioned in your network settings only, and resolved.conf set to use DNS over TLS, it will work. It is probably the same with Linux Mint 20.x, but I cannot test it any longer.

--> systemd-resolve doesn't work exactly the same way in Linux Mint 20.x and 21.x

In a future revision, I will add sovereign and GDPR compliant DNS servers for EU citizens, and reformulate all this.

Regards,

MN

Re: [Edited 2024-03-21] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by christophe14 »

MikeNovember wrote: Tue Apr 09, 2024 1:29 pm
> Hi,
>
> I probably need to reformulate it:
> - With Linux Mint 20.x, if you have set different DNS servers in your network settings and in resolved.conf, and if you have set resolved.conf to use DNS over TLS, the servers mentioned in network settings and in resolved.conf will be used.
> - In the same case, with Linux Mint 21.x, the only servers used will be the ones mentioned in resolved.conf, the ones in your network settings will be ignored.
>
> With both versions, if servers are mentioned only in resolved.conf, they will be used.
>
> With Linux Mint 21.x, if servers are mentioned in your network settings only, and resolved.conf set to use DNS over TLS, it will work. It is probably the same with Linux Mint 20.x, but I cannot test it any longer.
>
> --> systemd-resolve doesn't work exactly the same way in Linux Mint 20.x and 21.x
>
> In a future revision, I will add sovereign and GDPR compliant DNS servers for EU citizens, and reformulate all this.
>
> Regards,
>
> MN

Thanks for this clarification.

I have done some research and here is what I have found:
"The DNSSEC option should not be enabled in systemd-resolved. It is extremely buggy, and it would only duplicate the DNSSEC validation process which Quad9 already performs, significantly reducing performance."
Source: https://docs.quad9.net/Setup_Guides/Lin ... rypted%29/

And as the goal is to use DNS over TLS, I would suggest replacing DNSOverTLS=opportunistic with DNSOverTLS=yes.
Simply because the DNS server selected is supposed to support DNS Over TLS. So the DNS requests shall not fail.

Regards
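
The settings debated in the posts above (DNS servers listed in resolved.conf, DNSOverTLS=opportunistic versus yes, DNSSEC) can be checked mechanically. The script below is an added example, not part of any post in this thread or of the Guide; the function names and the sample file are constructed for illustration, and it reads a single file without merging drop-ins from resolved.conf.d/.

```shell
#!/usr/bin/env bash
# Added example: audits ONE resolved.conf-style file. Assumption: drop-ins in
# resolved.conf.d/ and per-link settings are not merged into the result.

# Effective value of KEY in [Resolve]. DNS= accumulates across lines (an empty
# assignment resets it); every other key is last-one-wins.
resolve_get() {  # usage: resolve_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                                   # comment
        /^[ \t]*\[/   { sec = ($0 ~ /^[ \t]*\[Resolve\][ \t]*$/); next }
        sec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            val = (v == "" || key != "DNS" || val == "") ? v : val " " v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Print one finding per line; return 0 only when DNS over TLS is strict.
audit_resolved_conf() {  # usage: audit_resolved_conf FILE
    local file=$1 dot dnssec servers s rc=1
    dot=$(resolve_get "$file" DNSOverTLS | tr '[:upper:]' '[:lower:]')
    dnssec=$(resolve_get "$file" DNSSEC | tr '[:upper:]' '[:lower:]')
    servers=$(resolve_get "$file" DNS)
    case "$dot" in
        yes|true|on|1) rc=0; echo "OK   DNSOverTLS=$dot: strict, lookups fail rather than fall back to plaintext" ;;
        opportunistic) echo "WARN DNSOverTLS=opportunistic: falls back to plaintext if TLS is unavailable, server not authenticated" ;;
        "")            echo "WARN DNSOverTLS not set in this file: the built-in default applies" ;;
        *)             echo "FAIL DNSOverTLS=$dot: not an encrypting mode" ;;
    esac
    if [ -z "$servers" ]; then
        echo "INFO DNS= is empty here: servers come from the network settings"
        if [ "$rc" -eq 0 ]; then echo "WARN strict mode with network-provided servers: lookups fail if they lack DNS over TLS"; fi
    fi
    for s in $servers; do
        case "$s" in
            *"#"*) echo "OK   $s: '#' name is used for certificate validation in strict mode" ;;
            *)     echo "INFO $s: no '#hostname', strict mode checks the certificate against the IP" ;;
        esac
    done
    case "$dnssec" in
        yes|true|on|1|allow-downgrade)
            echo "NOTE DNSSEC=$dnssec: the Quad9 guide quoted in this thread advises leaving it off" ;;
    esac
    return "$rc"
}

# Constructed sample (not a file from the Guide): Quad9, opportunistic, DNSSEC on.
sample_conf() {
    printf '%s\n' '# constructed sample' '[Resolve]' \
        'DNS=9.9.9.9#dns.quad9.net' 'DNS=149.112.112.112' \
        'DNSOverTLS=opportunistic' 'DNSSEC=yes'
}

# Stand-alone demonstration on the constructed sample.
tmp=$(mktemp) && sample_conf > "$tmp" && { audit_resolved_conf "$tmp" || true; }
rm -f "$tmp"
```

On a real system, run `audit_resolved_conf /etc/systemd/resolved.conf`; `resolvectl status` shows what systemd-resolved is actually using at runtime.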

Re: [Edited 2024-03-21] "Security, Privacy and Anonymity in Linux Mint" Guide.

Post by MikeNovember »

Hi,

Have a look at this post for LM 21 settings:
viewtopic.php?t=417285

Regards,

MN