
Ninja's guide to the Internet

- Introduction -
- Operating systems -
- Web browsers -
- Browser extensions -
- Search engines -
- E-mail providers -
- Virtual Private Networks -
- The Onion Router -
- Darknet only setup -
- Instant messengers -
- Cloud storage -
- Text upload / sharing -
- Image upload / sharing -
- Video upload / sharing -
- Translation -
- Other services worth noting -
- Website hosting -
- The Clearnet is doomed! -
- OPSEC -

Introduction

There are probably hundreds of guides to Internet privacy out there now, and most of them are terrible. They recommend browsers from evil companies, like Mozilla's Firefox; E-mail providers that collect LOTS of your data, such as Mailfence or Runbox; useless or malicious addons like Privacy Badger or NoScript; communication software that asks for your phone number, like Signal or Telegram; suspicious VPNs like Proton; care too much about where a service is hosted instead of its policies or functionality; fall for false advertising; have "sponsored" recommendations; ignore very good providers; and fail to mention essential things that you SHOULD do. My aim here is to create an ultimate guide which will hopefully not suffer from any of these issues. And the best thing is, you can do everything here for free! Why the Ninja's guide? Well, they hide in the shadows (archive). And it sounds fucking cool, doesn't it?

Operating systems

Can't avoid talking about them since that's what all your software runs on in the first place. Obviously, do not use Windows - it spies on almost everything you do (archive) and has auto-updates that cannot be turned off in the Home edition. Apparently some newer updates have made it possible to disable some more of the spying, but that still doesn't salvage this system. Even if you disable all of the telemetry, Windows still sends 11 unsolicited requests per minute (archive). Of course Linux has its own problems too - Ubuntu has had spyware issues (archive) in the past, and systemd is pretty much an attempt at a takeover of Linux (archive) by big corporations. The best thing to do here is to use a Linux distribution without systemd, like Salix.

Web Browsers

Briefly, most browsers don't care about your privacy or are even actively malicious; many of those that aren't suffer from usability issues like no extension support. Ungoogled-Chromium or IceCat send no unsolicited requests and support add-ons. However, they depend on the evil giants Google and Mozilla respectively, so I suggest using a de-spyware'd and addon-hardened Pale Moon, which is independent of both. For more information read this article.

Browser extensions

The most important one, offering almost complete control of your browsing, is uMatrix. Decentraleyes is another essential one that works in the background, preventing connections to Content Delivery Networks (that could track you all over the Internet, due to being embedded on so many sites). WebRTC Control is essential for Chrome-based browsers to not leak your real IP through VPN / TOR. More information here.

Search engines

Most so-called "private" search engines rely on either Google, Bing or Yahoo for results and can be considered compromised by default. Even worse is that many of them are doing their own tracking or have other flaws. The only ones which have their own indexes are Mojeek and Wiby - but both have very weak results. If you don't mind relying on the violators - a good SearX instance is your best bet. More information here.

E-mail providers

RiseUp is the best, and it's free - but you need an invite code. It does not require personal information to sign up, has onion domains, supports mail clients and unlimited aliases (allowing you to sign up in many places with different identities), as well as having a great privacy policy. Disroot does not need an invite code, but has no onion domains and a terrible spam filter which blocks legitimate providers; its alias feature is also paid for. From the commercial ones, Posteo is your best bet. Click here for a report which reviews the main players in depth.

Virtual Private Networks

Don't venture out without this! But be sure to get a trustworthy one. The only free provider worth its salt is RiseUp (UPDATE March 2022: it ceased supporting OpenVPN). Of course, you can always pay for a good one such as Mullvad - which will provide you with more servers all over the world, allowing you to bypass various blocks and bans. The VPN industry is dirty as fuck, though - so watch out when choosing one. Avoid custom "apps" that rob you of control - stick to WireGuard or OpenVPN (all free VPNs now require Bitmask, unfortunately). It is sad that - since RiseUp's deprecation of OpenVPN - my guide cannot anymore boast about being fully free (as in price) and still give the recommendations that I think are the best. So, in the end, you can either deal with Bitmask or get a paid VPN supporting OpenVPN. Here's how to configure the latter:

  1. First of all, get an OpenVPN config file from your chosen VPN provider and put it in /etc/openvpn.
  2. Now we will need to set up some firewall rules which prevent your real IP address from leaking. Install the ufw package if you don't have it yet.
  3. In the config file, find a line that starts with "remote". Take note of the IP and port. Now type this into the terminal: sudo ufw allow out to [IP] port [PORT]. Of course, replace IP and PORT with the relevant values. This will let the system connect to the VPN through the firewall.
  4. Now find the line starting with dev tun. Change the tun to something recognizable, like tun_myvpn.
  5. Type these two rules into the terminal: sudo ufw allow in on tun_myvpn and sudo ufw allow out on tun_myvpn. This will allow both incoming and outgoing connections through the VPN.
  6. Now type sudo ifconfig. Take note of the IP that appears after inet. This is your local (router) IP.
  7. Allow it through the firewall like this: sudo ufw allow out to [LOCAL_IP]. This will enable actually establishing the VPN connection.
  8. To set up your system to use the VPN's DNS servers instead of your ISP's, type sudo resolvconf -l. Now copy the nameservers and put them into /etc/resolv.conf (nameserver 172.27.0.1 for RiseUp, for example). Without this step, your ISP will still know every site you visit.
  9. Now make /etc/resolv.conf unmodifiable, either by chattr +i or by putting nohook resolv.conf wpa_supplicant into /etc/dhcpcd.conf (my preferred option). This will prevent the system from overwriting your VPN's DNS servers with the ISP's.
  10. Finally, allow the VPN's DNS servers through the firewall; as before - sudo ufw allow out to [DNS_IP] (you've just typed the addresses into resolv.conf, so just allow all of those). Without this step, you would not be able to connect to any domain unless you knew its actual IP address (since we've blocked the ISP's resolver).
  11. All that remains is to block everything except what we've just specified: sudo ufw default deny incoming and sudo ufw default deny outgoing. This is the part that actually keeps your shit secure.
  12. To enable the firewall on your system's startup, add this code to /etc/rc.d/rc.local:

    if [ -x /lib/ufw/ufw-init ]; then
        /lib/ufw/ufw-init start
    fi

    This is for Slackware-based distros and might not necessarily work on others. Search around for equivalents.
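The firewall steps above, as an added example that is not part of the original guide: a small POSIX sh script that reads the "remote" and "dev" lines out of an OpenVPN config and prints the exact ufw commands from steps 3, 5, 7, 10 and 11, so you can review them before running them (it only prints, it never calls ufw). The config contents, the local IP 192.168.1.1 and the DNS server are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the guide): turn an OpenVPN config into the ufw
# rules of steps 3, 5, 7, 10 and 11. It only prints the commands; review them,
# then paste them into a root shell. Assumes you already renamed the tun
# device in the config (step 4) so the "on tun_myvpn" rules match only the VPN.

# ufw_rules_from_ovpn CONFIG LOCAL_IP [DNS_IP ...]
#   CONFIG   - the provider's .conf/.ovpn file (step 1)
#   LOCAL_IP - the address noted in step 6
#   DNS_IP   - the VPN's nameservers you put into /etc/resolv.conf (step 8)
ufw_rules_from_ovpn() {
    conf=$1
    local_ip=$2
    shift 2
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    grep -q '^remote[[:space:]]' "$conf" || { echo "no remote line in $conf" >&2; return 1; }

    # Step 3: one rule per "remote HOST PORT" line. ufw wants an address, not
    # a hostname, so a name is flagged instead of turned into a broken rule.
    awk '$1 == "remote" && NF >= 3 {
        if ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
            print "sudo ufw allow out to " $2 " port " $3
        else
            print "# remote " $2 " is a hostname: resolve it and use the IP here"
    }' "$conf"

    # Step 5: traffic on the tunnel interface itself.
    dev=$(awk '$1 == "dev" { print $2; exit }' "$conf")
    [ -n "$dev" ] || { echo "no dev line in $conf" >&2; return 1; }
    echo "sudo ufw allow in on $dev"
    echo "sudo ufw allow out on $dev"

    # Step 7: the local address; step 10: each VPN DNS server.
    echo "sudo ufw allow out to $local_ip"
    for dns in "$@"; do
        echo "sudo ufw allow out to $dns"
    done

    # Step 11 comes last: deny everything not explicitly allowed above.
    echo "sudo ufw default deny incoming"
    echo "sudo ufw default deny outgoing"
}

# Demo on a constructed config (sample values, not a real provider's file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
client
dev tun_myvpn
proto udp
remote 198.51.100.7 1194
remote vpn.example.invalid 443
EOF
ufw_rules_from_ovpn "$demo" 192.168.1.1 172.27.0.1
rm -f "$demo"
```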

That's it for OpenVPN! However, web browsers can also leak your real IP address through WebRTC, so you're going to have to disable that as well. Firefox uses the media.peerconnection.enabled about:config entry, while Chrome-based browsers need an extension such as WebRTC Control (Pale Moon users do not need to do anything). An earlier version of this guide suggested turning off IPv6 system-wide, but it doesn't seem to be necessary if you do everything else right. However, some VPNs apparently do leak if you don't do that, so if yours is one of those, do all these steps just to be safe (the earlier version had only the first line, but it seems it's not always sufficient):

net.ipv6.conf.wlan0.disable_ipv6 = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Now run your VPN with a command such as cd /etc/openvpn; sudo openvpn [vpn_config_file.conf]. Then visit https://ipleak.net to check for leaks. A leakless result for RiseUp VPN, for example, would look like this.

Keep in mind you're still relying on trust for any VPN you use - theoretically they could choose to spy on you if they wanted to - but eventually, you'd think that information would come out (and has for some VPNs). Still, they are way superior to barebacking your ISP - who has your real name and address, stores all your logs, and will almost certainly work with the police. In case you don't think VPNs are enough - there fortunately are ways to improve your privacy even further:

The Onion Router

A network that allows (relatively) anonymous web browsing - read the first section of my article if you want to know more (but don't get discouraged - it is still useful). First, find the TOR package in Gslapt and install it. The default configuration requires a separate user for running it - so let's create it. If using Salix XFCE, click the Salix button at the lower left corner and go to System > Users and Groups (other distros should have similar tools). Click the Manage groups button, then Add, and type tor in Group name. Now that you've added the tor group - time to create the tor user and add him to that group. Close the Groups menu and click Add. Type tor in the Username field and anything you want as his Real Name. Now switch to the Groups tab and choose tor as his main group. Click OK and you're done here. Now type these commands into the terminal: sudo chown -R tor /var/log/tor, then sudo chown tor /var/lib/tor. This will make the newly created user the owner of some directories TOR requires, so that he has the permissions to use them.

Now the fun part - setting up your web browser to use the network. In Pale Moon, go to Tools -> Preferences -> Advanced -> Network -> Settings. Choose Manual proxy configuration and - in the SOCKS Host field - type 127.0.0.1 as the server and 9050 for the port. There is no need for the Use proxy to perform DNS queries option, since we'll be setting up TORDNS system-wide anyway; but do mark SOCKS5 instead of 4. Now you will automatically visit all clearnet sites through the TOR network. You can also add the Proxy Privacy Ruler extension on top of this config so that TOR is enabled only for Private Windows or certain domains. Either way - since TOR resolves onions through its own DNS - you need to enable that functionality to connect to those. First, add these two lines at the end of your /etc/tor/torrc file:

DNSport 53
AutomapHostsOnResolve 1

Then, put this line: nameserver 127.0.0.1 into your /etc/resolv.conf to use TOR as the DNS resolver. Without this, .onion domains would simply fail to resolve, since a regular DNS server does not "understand" them. Now, the TOR network is not limited to web browsing - any application that has proxy settings (for example, instant messengers or feed readers) can be configured to use it. Even if they don't, a tool called proxychains-ng can get around that. Just install it from your repository (most distros should have it) and run it from the terminal like this: proxychains4 filezilla (replace filezilla with the program you want to launch). For extra protection, pair your TOR network with the VPN you've configured earlier. Compared to TOR alone, this setup has the advantage of still keeping your real IP hidden in case of a TOR leak or just an application that doesn't support it (anything that uses UDP). Also, read my Avoiding "The Botnet" - impossible? article before getting too confident about either VPNs or TOR (in fact anything you do electronically or even IRL).

Darknet only setup

This method lets through only TOR traffic. You will have to install nftables, and likely the newest glibc and openssl, and obviously tor. You will probably need to burn your old iptables rulesets with iptables -F and iptables -X. Then create a config file such as /etc/nftables/toreverything.conf and fill it with:

flush ruleset
table inet restricted {
    chain inbound {
        type filter hook input priority filter; policy accept;
        ct state { established, related } accept
        iifname "lo" accept
        iifname "eth0" tcp dport 22 accept
        ip protocol icmp icmp type echo-request accept
        reject with icmp port-unreachable
    }

    chain outbound {
        type filter hook output priority filter; policy accept;
        oifname "lo" accept
        oifname "eth0" meta skuid 414 accept
        oifname "eth0" tcp sport 22 accept
        reject
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}

Every instance of eth0 has to be changed if you use another interface, such as wlan0. The 414 is the ID of your tor user and also has to be modified if it's different on your OS. What this firewall actually does is block any connections that don't come from the user tor. And because the tor user only runs the tor process, it effectively blocks anything non-TOR. Anyway, after writing down the config, load it with the command sudo nft -f /etc/nftables/toreverything.conf. Put that command into one of your startup scripts like /etc/rc.d/rc.local.

This setup obviously provides a significant increase in anonymity compared to the VPN one (and is free), but comes with a price. It is a lot slower, for one. And you will have to explicitly configure all your software to use TOR. If a program does not include that functionality, it will need to be run through proxychains...prepare to be using that a lot. UPDATE: even if a program is able to set a proxy, it is often leaky and some (or all) functionality will fail to work with a darknet only firewall. I have found I need to run almost everything through proxychains to prevent that. All UDP packets are blocked so forget about torrenting, you dirty little consoomer, you. Oh, and Cloudflare will bully you mercilessly. Even WHOIS blocks TOR (so if it works for you, you have a leak). I am warning you, this setup is only for true darknet enthusiasts. However, it's not so bad - you get used to it quickly, like uMatrix. And the rewards are worth it.

This is not as battle tested as the VPN setup. As usual, test everything for leaks. To give you a hint, nothing should be able to connect to the internet without being configured to use TOR or run through proxychains. If that happens, it's a leak (send me a note). If you are convinced you won't use the VPN setup anymore, you can now uninstall ufw. Proxy Privacy Ruler can also be disabled. With this darknet setup, the guide is now fully free again, as it was meant to be since its inception.
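The leak test the paragraph asks for, as an added example (mine, not the guide's): a POSIX sh/awk filter over `ss -tunp` output that reports every connection to a non-loopback peer that is not owned by the tor process, with incoming SSH on port 22 excepted to match the ruleset above. The socket lines embedded in the block are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the guide): a leak check for the darknet-only
# firewall. Feed it `ss -tunp` output (run ss as root so every socket shows
# its process) and it prints every connection to a non-loopback peer that is
# not owned by the tor process. Incoming SSH on port 22 is let through, like
# in the nftables ruleset. Exit status 1 means at least one leak was listed.

# find_tor_leaks < ss-output
find_tor_leaks() {
    awk '
        # ss -tunp columns: Netid State Recv-Q Send-Q Local Peer Process
        $6 ~ /^127\./ || $6 ~ /^\[::1\]/ { next }  # loopback peer: SOCKS/DNS to tor itself
        $6 ~ /\*$/                       { next }  # unconnected socket, no flow to judge
        $5 ~ /:22$/                      { next }  # inbound SSH, allowed by the ruleset
        {
            name = "unknown"   # no process column: cannot vouch for it, so report it
            if (NF >= 7 && match($7, /"[^"]+"/))
                name = substr($7, RSTART + 1, RLENGTH - 2)
            if (name != "tor") { print; leaks++ }
        }
        END { if (leaks > 0) exit 1; exit 0 }
    '
}

# Constructed sample lines (not captured from a real machine): the firefox
# connection bypasses tor and should be the only line reported.
SAMPLE_SS='tcp ESTAB 0 0 127.0.0.1:9050 127.0.0.1:51234 users:(("tor",pid=812,fd=9))
tcp ESTAB 0 0 192.168.1.5:44312 203.0.113.10:443 users:(("tor",pid=812,fd=12))
tcp ESTAB 0 0 192.168.1.5:44318 198.51.100.23:443 users:(("firefox",pid=2201,fd=88))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhcpcd",pid=501,fd=6))
tcp ESTAB 0 0 192.168.1.5:22 192.168.1.20:50211 users:(("sshd",pid=600,fd=4))'

# Real use: ss -tunp | find_tor_leaks
if printf '%s\n' "$SAMPLE_SS" | find_tor_leaks; then
    echo "no leaks found"
else
    echo "leak(s) listed above"
fi
```

A line without a process column is reported too, because a socket you cannot attribute to tor is exactly the kind the guide tells you to treat as a leak.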

Instant messengers

XMPP + OMEMO encryption is the gold standard. Gajim and Psi are the best clients for privacy and feature support, but they both require mitigation. I have a full XMPP guide now. Don't use Signal or Telegram (despite their sustained shilling) - they ask for your freaking phone number! Discord is even worse. WhatsApp is owned by Facebook - enough said. Skype works directly with the Prism program and used to redirect Chinese people to a modified version, which allowed the Chinese government to implement censorship and surveillance. XMPP is decentralized - anyone can run a server, so you should choose one with good privacy such as...well, just read the policies for yourself. Remember that XMPP stores your roster server-side regardless. Don't skip out on the encryption even if you're using secure software and server! That's the main takeaway here.

Cloud storage

Get into the habit of storing everything locally! And make fucking backups, holy shit - don't be the clown who loses everything because of malware, hardware failure, theft, or whatever. All you need is a spare USB drive or SD card. Anyway, I've researched most of the available free cloud storage providers and they either require your private data like name or phone number, don't support the English language, pretend to be free but are actually paid, or have other issues. Disroot is the only one with a passable grade - but Nextcloud is bloated and they will also delete your whole account if you upload something they think is against their ToS (unless you remove the offending file in 24 hours). If you do decide to use such services anyway, remember that you can password protect your files (for example, with the command gpg -c terrorism_manual.pdf) from the admins or other snoops, and still share them with the people you want to.

Text upload / sharing

AKA the famous pastebin. Deep Paste (onion only) is the best - simple, with no JS requirement; supports public, private and self-destructing pastes - and doesn't delete anything. A similar one, except on the clearnet and without private paste functionality, is https://pst.moe. Snopyta's service (onion), or some other PrivateBin, is another option but requires JS (though you do get more features, including password protection and encryption - but anyone who knows the link can decrypt). Don't use Ghostbin (uses cloudflare, no privacy policy), 0bin (admits they don't care about protecting your uploads), or pastebin (the worst - stores your IP and other data, is not encrypted, admits to censorship [archive], uses Google Analytics and has targeted advertisements).

Image upload / sharing

Coinsh used to be here, but it died. Use lainsafe until someone makes another coinsh instance. Another option is ttm.sh (no IPFS integration, files remain for 30 to 365 days depending on their size). Keep in mind those hosts can store files for a long time. If you need fast file deletion, cockfile is your best bet.

Video upload / sharing

Unfortunately, nothing tops YouTube in terms of the amount of users and content. Regardless of its Google integration, absolutely terrible privacy policy, cluttered UI, shitty "features" like autoplay / auto-load next video as well as advertisements and massive censorship issues (archive) - we have to deal with it if we want the videos. There are two good ways of doing this - one is Invidious which debloats the UI and now does not require google connections to watch the videos (if you choose the dash quality as preferred in the settings). The other is youtube-dl, which, by downloading the video instead of using someone's server, completely avoids their issues like throttling etc. The video is now just a file on your drive - you do whatever you want with it. Of course, if you want "features" like comments, you have to succumb to the botnet and sign in with your google account (which I don't recommend, of course). What about the so-called youtube alternatives? Briefly - they all suck. Vimeo and Dailymotion have much less content and their privacy policies aren't good anyway. Bitchute requires a cloudflare browser check before you can even access it. Brighteon is anti-censorship but requires an invitation (really like the content there though). UPDATE: Rumble is probably the best if you really need an alternative video site. You can try some peertube instances but those could die at any time (obviously, since they are not supported by a big corpo) and there are so many of them that you can forget about gaining popularity as a content creator (since there is no big, centralized database for people to find your videos - a problem common to mostly any decentralized service). Unfortunately I do not foresee this solved until Google fucks with content creators so hard they all decide to pack up, leave and create their own YouTube alternative - which they aren't going to do as long as they earn the ad money - so capitalism has to die first.

Translation

Swisscows translator used to be recommended here, but it died. There are some local ways to do it, though I know nothing about them. UPDATE: one of our chat members has managed to install Apertium and said it works okay. UPDATE 2: a lean proxy for Botnet Translate now exists.

Other services worth noting

Cockfile allows you to store a file for 24 hours and alleges to keep no logs. The size limit is 5GB and there are some filetype restrictions. Disroot's Lufi is a similar kind of service with an up to 60 day timespan and 1GB size limit. It also encrypts your files so even the admins can't see the contents. Snopyta, in addition to what I've mentioned before, provides various other services such as Git, a YaCy instance (weak search results though, but completely decentralized), a Mumble (voice chat) server, collaborative editing and others - many of which have hidden services.

Website hosting

Neocities stands head and shoulders above other clearnet hosts - it has free 1GB storage, IPFS integration, in-built bitcoin donation as well as some quasi-social media features that allow you to find other interesting sites, post comments, etc. However, in terms of privacy or censorship, it is a black box (though I have not heard of any real case of the latter). Edit: I don't think it's so great now. It still requires recaptcha (another edit: now hcaptcha, same issue with performing tricks) for registration and the privacy policy is really suspicious, I think they store everything (since they don't tell you what they store). FC2 is an alternative someone mentioned to me, also with 1GB storage but banning almost everything in their ToS and probably putting ads on your site. There's also tilde.club, which I don't know much about. Everyone else suffers from crippling flaws such as being paid for, requiring personal data, slow speed, enforced downtimes or ads (especially if free), and most importantly - shitty censorship policies (archive). Your best bet is to store your site on Freenet or find a host on the TOR network. And with that, we move on to the most important section...

The Clearnet is doomed!

In the end, whenever we use a clearnet service, we're relying on some server controlled by a stranger or big corpo that can install any policies it wants to and change them at any time. It can also die of course, and take your data with it (big corpos kind of resist that but still...). The Internet is being consolidated in the hands of a few players like Cloudflare, Amazon, Google, Twitter and Facebook. Did you know that, for example, even if the site you're connecting to has no elements from any of those, it can still go through their data centers (you can confirm that through a network monitor)? Not to mention the fact that all connections go through a few ISPs, which can not only install their own policies, but are also subject to the governments' increasing crackdown on free speech (or even free read) and privacy. To bypass these, we need to rely on decentralized solutions that are harder to censor or block. Some of them are ZeroNet, RetroShare, TOR and IPFS (all these have serious flaws), and Freenet, which is, IMO, the only decent one out of those (though not all that great either). Decentralization has many inherent flaws in general (some I've touched on in the Video section) - however, if the clearnet becomes unusable, we will have no choice but to move onto them, and wait for their inevitable improvement (or help make it happen if you can!). Freenet is the oldest and the only one available that allows hosting a site without being online 24 hours per day. It cannot be censored and can be made highly anonymous with proper security settings (you choose the level of compromise you're going to make). I recommend moving to it right now since I don't give the clearnet too much time from now on. But also read Avoiding "The Botnet" - impossible? for some clarification on decentralization and the internet in general (short summary: we will need the physical infrastructure eventually). But for now, Freenet is our hope!

OPSEC

Security / privacy is not just about software or services, but your behavior as well. Try not to put your personal data on the internet - such as name or phone number - as well as, preferably, any real life details which could connect your Internet activity to your real persona (people got their lives ruined by failing to heed this advice). Unless those details are something you want to be revealed - but then, do it with a new account on a platform that won't use it against you. E.g. if you have a Reddit account with a thousand posts, you might not want to attach that to an event you've been at in real life, like a protest or something. It's a good idea to have several identities on the Internet anyway, if only so that an account you care about is not "tainted" by something stupid you've said on a video game forum, or whatever.

Obviously, make regular backups of your data so that malware, a hack or disk failure doesn't destroy you. Have several layers of security - use TOR for any program that supports it, along with a VPN and trusted providers. Encrypt your communication as well as the data on your disk. For the really sensitive stuff, you might even want to use another installation or a whole new computer with a public WiFi network way away from your house (heads OS is often used for such purposes). Use different passwords for every account you care about. Delete all registration E-mails so that, in the event your mailbox got hacked, the attacker couldn't just "Remember password" for all your accounts. Obviously, don't download untrusted software, like scripts from shady imageboards (lol) unless you can read and understand the code (still, malware has happened even in official Linux repos (archive)). If you're hardcore, you could also sandbox certain applications with Firejail, or even use a security-oriented distro like Qubes or Whonix (since by default, applications in Linux have all the permissions of the user account they're run from). There's way more to cover here - entire books have been written about OPSEC - but this is a good start. However, if you're trying to do something that could really get you in trouble - go on the darknet, find people with experience, ask questions. Don't rely on this entirely unprofessional guide.
