Ninja's guide to the Internet

Introduction

There are probably hundreds of guides to Internet privacy out there now, and most of them are terrible. They recommend browsers from evil companies, like Mozilla's Firefox; E-mail providers that collect LOTS of your data, such as Mailfence or Runbox; useless or malicious addons like Privacy Badger or NoScript; communication software that asks for your phone number, like Signal or Telegram; suspicious VPNs like Proton. They care too much about where a service is hosted instead of its policies or functionality; fall for false advertising; carry "sponsored" recommendations; ignore very good providers; and fail to mention essential things that you SHOULD do. My aim here is to create the ultimate guide, which will hopefully not suffer from any of these issues. And the best thing is, you can do everything here for free! Why the Ninja's guide? Well, they hide in the shadows (archive). And it sounds fucking cool, doesn't it?

Operating systems

Can't avoid talking about them, since that's what all your software runs on in the first place. Obviously, do not use Windows - it spies on almost everything you do (archive) and has auto-updates that cannot be turned off in the Home edition. Apparently some newer updates have made it possible to disable a bit more of the spying, but that still doesn't salvage this system. Even if you disable all of the telemetry, Windows still sends 11 unsolicited requests per minute (archive). Of course Linux has its own problems too - Ubuntu has had spyware issues (archive) in the past, and systemd is pretty much an attempt at a takeover of Linux (archive) by big corporations. The best thing to do here is to use a Linux distribution without systemd, like Salix.

Web Browsers

Briefly, most browsers don't care about your privacy or are even actively malicious; many of those that aren't suffer from usability issues, like no extension support. Ungoogled-Chromium and IceCat send no unsolicited requests and support add-ons. However, they depend on the evil giants Google and Mozilla respectively, so I suggest using a de-spyware'd and addon-hardened Pale Moon, which is independent from both. For more information read this article.

Browser extensions

The most important one, offering almost complete control over what your browser loads and connects to, is uMatrix. Decentraleyes is another essential one that works in the background, serving local copies of common libraries instead of fetching them from Content Delivery Networks (which could track you all over the Internet, since they are embedded on so many sites). WebRTC Control is essential on Chrome-based browsers so that your real IP does not leak through a VPN / Tor. More information here.

Search engines

Most so-called "private" search engines rely on Google, Bing or Yahoo for their results and can be considered compromised by default. Even worse, many of them do their own tracking or have other flaws. The only ones with their own indexes are Mojeek and Wiby, but both have very weak results. If you don't mind relying on the violators indirectly, a good SearX instance is your best bet. More information here.

E-mail providers

RiseUp is the best, and it's free, but you need an invite code. It does not require personal information to sign up, has onion domains, supports mail clients and unlimited aliases (letting you sign up in many places under different identities), and has a great privacy policy. Disroot does not need an invite code, but has no onion domains and a terrible spam filter which blocks legitimate providers; its aliases are a paid feature, too. Of the commercial ones, Posteo is your best bet. Click here for a report which reviews the main players in depth.

Virtual Private Networks

Don't venture out without one! But be sure to get a trustworthy one. The only free provider worth its salt is RiseUp. Of course, you can always pay for a good one such as Mullvad, which will give you more servers all over the world, allowing you to bypass various blocks and bans. The VPN industry is dirty as fuck, though, so watch out when choosing one. Avoid custom "apps" that rob you of control - stick to WireGuard or OpenVPN. Here's how to configure the latter, together with firewall rules so that nothing leaves your machine except through the tunnel:

  1. First of all, get an OpenVPN config file from your chosen VPN provider and put it in /etc/openvpn.
  2. Now we need to set up firewall rules which prevent your real IP address from leaking. Install the ufw package if you don't have it yet.
  3. In the config file, find the line that starts with remote. Take note of the IP and port, and of the proto line (udp or tcp; OpenVPN defaults to udp when it is absent). Now type this into the terminal: sudo ufw allow out to [IP] port [PORT] proto [udp|tcp]. Of course replace IP and PORT with the relevant values. This lets the system reach the VPN server through the firewall. If the remote line gives a hostname instead of an IP, look the address up now and put the IP into the config: once the rules below are in place your ISP's resolver is blocked, so the hostname could not be resolved before the tunnel is up.
  4. Now find the line starting with dev tun. Change tun to something recognizable, like tun_myvpn, so that the rules below match only this tunnel interface.
  5. Type these two rules into the terminal: sudo ufw allow in on tun_myvpn and sudo ufw allow out on tun_myvpn. This allows both incoming and outgoing connections through the VPN.
  6. Now type sudo ifconfig (or ip addr). Take note of the IP that appears after inet on your network interface. This is your machine's address on the local network; your router sits on the same subnet.
  7. Allow the local network through the firewall: sudo ufw allow out to [LOCAL_IP], or better the whole subnet, e.g. sudo ufw allow out to 192.168.1.0/24, which also covers the router and DHCP renewals. This keeps local-network traffic working once everything else is blocked.
  8. To make your system use the VPN's DNS servers instead of your ISP's, type sudo resolvconf -l with the VPN connected. Copy the nameservers it shows into /etc/resolv.conf (nameserver 172.27.0.1 for RiseUp, for example). Without this step, your ISP will still know every site you visit.
  9. Now make /etc/resolv.conf unmodifiable, either with chattr +i /etc/resolv.conf or by putting nohook resolv.conf wpa_supplicant into /etc/dhcpcd.conf (my preferred option). This prevents the system from overwriting your VPN's DNS servers with the ISP's.
  10. Finally, allow the VPN's DNS servers through the firewall, as before: sudo ufw allow out to [DNS_IP] port 53 (you've just typed the addresses into resolv.conf, so allow all of those). Without this step, you would not be able to connect to any domain unless you knew its actual IP address (since we've blocked the ISP's resolver).
  11. All that remains is to block everything except what we've just specified: sudo ufw default deny incoming and sudo ufw default deny outgoing. This is the part that actually keeps your shit secure. Check the result with sudo ufw status verbose before you rely on it.
  12. To enable the firewall on your system's startup, add this code to /etc/rc.d/rc.local:

        if [ -x /lib/ufw/ufw-init ]; then
            /lib/ufw/ufw-init start
        fi

    This is for Slackware-based distros and might not necessarily work on others. Search around for equivalents.
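The steps above are easy to get subtly wrong (a hostname in the remote line, a plain dev tun, a forgotten proto), so here is a small script that derives the firewall rules of steps 3, 5, 7, 10 and 11 from an OpenVPN config and prints them before applying anything. This is an added example, not code from the guide or from the ufw or OpenVPN projects. It assumes the config contains a remote host port line, an optional proto line (udp when absent, which is OpenVPN's default) and a dev line; the local subnet and the DNS server addresses are passed as arguments, since the config does not contain them, and the script allows the whole local subnet rather than a single address. The config file, subnet and DNS address in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the guide): turn an OpenVPN client config into the
# ufw "kill switch" rules of steps 3-11.  Assumptions: the config has a
# "remote <host> <port>" line, an optional "proto" line (udp if absent, as in
# OpenVPN) and a "dev <name>" line; the LAN subnet and DNS addresses are
# passed in, because the config does not contain them.

# Print column $3 of the first config line whose first word is $2.
ovpn_field() {
    awk -v k="$2" -v c="$3" '$1 == k { print $c; exit }' "$1"
}

# Print the ufw commands, one per line, without running anything.
# usage: vpn_rules <config.ovpn> <lan_cidr> <dns_ip> [<dns_ip>...]
vpn_rules() {
    cfg=$1; lan=$2; shift 2
    host=$(ovpn_field "$cfg" remote 2)
    port=$(ovpn_field "$cfg" remote 3)
    proto=$(ovpn_field "$cfg" remote 4)            # "remote host port proto" form
    [ -n "$proto" ] || proto=$(ovpn_field "$cfg" proto 2)
    [ -n "$proto" ] || proto=udp                   # OpenVPN's default
    dev=$(ovpn_field "$cfg" dev 2)
    [ -n "$dev" ] || dev=tun

    if [ -z "$host" ] || [ -z "$port" ]; then
        echo "error: no 'remote <host> <port>' line in $cfg" >&2
        return 1
    fi
    # Step 3 needs an IP: with the ISP resolver blocked, a hostname cannot be
    # resolved until the tunnel (which needs this very rule) is up.
    case $host in
        *[!0-9.]*) echo "warning: remote '$host' is a hostname; put its IP in the config" >&2 ;;
    esac
    # Step 4: a plain "dev tun" lets the kernel pick tun0, tun1, ... so the
    # interface rules may end up matching the wrong tunnel.
    case $dev in
        tun|tap) echo "warning: rename 'dev $dev' to something unique, e.g. tun_myvpn" >&2 ;;
    esac
    # ufw only knows tcp/udp; map OpenVPN's udp4, tcp-client, ... onto those.
    case $proto in tcp*) proto=tcp ;; *) proto=udp ;; esac

    printf 'ufw allow out to %s port %s proto %s\n' "$host" "$port" "$proto"   # step 3
    printf 'ufw allow in on %s\nufw allow out on %s\n' "$dev" "$dev"           # step 5
    printf 'ufw allow out to %s\n' "$lan"                                      # step 7
    for dns in "$@"; do                                                        # step 10
        printf 'ufw allow out to %s port 53\n' "$dns"
    done
    printf 'ufw default deny incoming\nufw default deny outgoing\n'            # step 11
}

# Apply for real only when APPLY=1 is set, e.g.
#   APPLY=1 sh vpn-killswitch.sh /etc/openvpn/myvpn.conf 192.168.1.0/24 172.27.0.1
# Without APPLY=1, just print the rules and read them before trusting them.
if [ $# -ge 3 ]; then
    if [ "${APPLY:-0}" = 1 ]; then
        vpn_rules "$@" | while IFS= read -r rule; do sudo $rule; done
        sudo ufw --force enable
    else
        vpn_rules "$@"
    fi
fi
```

Run it once without APPLY=1 and compare the printed rules with what sudo ufw status verbose shows afterwards; the warnings on stderr are the two mistakes (hostname in remote, generic dev tun) that leave you with a tunnel that never comes up or rules that never match.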

That's it for OpenVPN! However, web browsers can also leak your real IP address through WebRTC, so you're going to have to disable that as well. Firefox uses the media.peerconnection.enabled about:config entry (set it to false), while Chrome-based browsers need an extension such as WebRTC Control (Pale Moon users do not need to do anything). An earlier version of this guide suggested turning off IPv6 system-wide, but it doesn't seem to be necessary if you do everything else right. However, some VPNs apparently do leak if you don't do that, so if yours is one of those, do all these steps just to be safe (the earlier version had only step 1, but it seems that's not always sufficient):

Back to the front page