# Martian's Stack

## Operating Systems

{% embed url="<https://www.qubes-os.org/>" %}

{% embed url="<https://www.kicksecure.com/>" %}

{% embed url="<https://whonix.org>" %}

{% embed url="<https://fedoraproject.org>" %}

{% embed url="<https://tails.net/>" %}

{% embed url="<https://proxmox.com>" %}

## Development

{% embed url="<https://vscodium.com/>" %}

{% embed url="<https://voideditor.com/>" %}

## Connectivity Tools/Products

{% embed url="<https://mullvad.net/>" %}

{% embed url="<https://tailscale.com/>" %}

{% embed url="<https://openvpn.net/>" %}

{% embed url="<https://www.wireguard.com/>" %}

{% embed url="<https://opnsense.org/>" %}

{% embed url="<https://lokinet.org/>" %}

## Browsing

{% embed url="<https://mullvad.net/en/download/browser/linux>" %}

{% embed url="<https://librewolf.net/>" %}

{% embed url="<https://github.com/linkwarden/linkwarden>" %}

## Storage Solutions

{% embed url="<https://cryptomator.org/>" %}

{% embed url="<https://veracrypt.io/en/Downloads.html>" %}

{% embed url="<https://mega.nz>" %}

{% embed url="<https://internxt.com/>" %}

{% embed url="<https://proton.me/drive/download>" %}

## Self-Hosted Business Solutions

{% embed url="<https://www.ubicloud.com/>" %}

{% embed url="<https://nextcloud.com/>" %}

## Messaging

ClearNet

{% embed url="<https://getsession.org/>" %}

DarkNet

{% embed url="<https://tox.chat/>" %}

## Documentation

{% embed url="<https://www.onlyoffice.com/>" %}

{% embed url="<https://www.libreoffice.org/>" %}

{% embed url="<https://www.giuspen.net/cherrytree/>" %}

***

## Mobile Device Privacy and Security <a href="#privacy-and-security-setup-guide" id="privacy-and-security-setup-guide"></a>

#### Devices and Roles

**Device #1 with profile switching and data sandbox separation**

* **Private Profile:**
  * [Proton Mail](https://proton.me/mail), [Proton Drive](https://proton.me/drive)
  * [Tutanota](https://tutanota.com/) (Secure Email & Calendar)
  * [Bitwarden](https://bitwarden.com/) or other [password manager](https://www.privacyguides.org/software/passwords/)
  * [Signal](https://signal.org/) and [Session](https://getsession.org/) (messengers, private 1:1 conversations)
* **Travel Profile:**
  * All run via isolated, sandboxed [Google Mobile Services](https://grapheneos.org/usage#sandboxed-google-play)
* **Messengers Profile:**
  * [WhatsApp](https://www.whatsapp.com/) (only when required)
  * [Telegram](https://telegram.org/) (for programming chats/news)
  * No social media apps (minimizes attack surface)

**Device #2 for Banking**

* SIM/eSIM → Only for banks and SMS 2FA
* No social media or travel apps

### Maps

* [OsmAnd](https://osmand.net/) for daily, privacy-first navigation
* Waze only on travel, isolated in a separate profile

### Multiple SIMs

* #1 → Banks via eSIM
* #2 → Services
* #3 → Calls (personal/general)

### Core Principles

* **Compartmentalization:** Strict separation by profile and device
* **Minimal Apps:** Only install essentials on each device
* **Encryption**
* **VPN**
* **2FA & YubiKey**

***

## OS Hygiene

* Use an operating system that supports SELinux and run SELinux in enforcing mode for robust process isolation and mandatory access control.
* Choose hardened Linux distros or privacy-centric operating systems such as Qubes OS, adding SELinux plus strong host firewalls.
* Use a VPN killswitch: configure via your VPN client, or manually set firewall rules (e.g., iptables or UFW) to block all traffic unless the VPN is connected. This prevents IP/DNS leaks if the VPN drops.
* Always use multi-hop VPNs, configured so each hop is independent and ideally in separate VMs.
* Ensure you connect to multi-hop VPNs before Tor; this prevents your ISP or local network from identifying Tor traffic as originating from the home connection, breaking correlation attempts.

### Tor

* Set up a virtual machine (VM) or secondary device for layered routing.
* Launch the Tor Browser or configure your system or VM to route all network traffic through Tor.
* For advanced control, consider Transparent Tor Proxy setups or bridges, using firewall/iptables rules to redirect all traffic through Tor.
* Optionally, use "obfs4" Tor bridges to help bypass censorship.
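The transparent Tor proxy setup mentioned above, as an added example that is not from the original page: a small POSIX shell function that emits the nftables rules for it. The tor daemon account (`debian-tor`), the TransPort/DNSPort numbers and the torrc fragment in the comments are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the original page: emit nftables rules for a
# transparent Tor proxy. Every process except the tor daemon has its outbound
# TCP redirected into Tor's TransPort and its DNS into Tor's DNSPort; all other
# outbound traffic is dropped, because Tor carries TCP only and anything else
# would leave the host in the clear.
# Assumed torrc fragment (matching the defaults below):
#   TransPort 9040
#   DNSPort 5353
#   VirtualAddrNetworkIPv4 10.192.0.0/10
#   AutomapHostsOnResolve 1
# Assumed daemon account: "debian-tor" (Debian packaging; adjust for other distros).
tor_transproxy_rules() {
  toruser="${1:-debian-tor}"; transport="${2:-9040}"; dnsport="${3:-5353}"
  cat <<EOF
table inet tortrans {
  chain nat_out {
    type nat hook output priority -100; policy accept;
    oif lo return
    meta skuid "$toruser" return
    # .onion names mapped by AutomapHostsOnResolve land in this range
    ip daddr 10.192.0.0/10 meta l4proto tcp redirect to :$transport
    udp dport 53 redirect to :$dnsport
    ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } return
    meta l4proto tcp redirect to :$transport
  }
  chain filter_out {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ip daddr 127.0.0.0/8 accept
    meta skuid "$toruser" accept
    # LAN exemption; remove it on a host that needs no local network access
    ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept
    ct state established,related accept
    # UDP, ICMP and IPv6 have no path through Tor: count and drop them
    counter drop
  }
}
EOF
}
# Apply with: tor_transproxy_rules | nft -f -
```

The filter chain is what turns "only TCP is routed" from a caveat into an enforced property: anything the nat chain could not redirect is counted and dropped rather than sent out unprotected.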

### Lokinet (with Lockdown Mode)

* On your VM or secondary device, install Lokinet and configure DNS to `127.3.2.1` so all supported traffic is routed through Lokinet.
* Use the Lokinet client’s interface to add exit node details to access the clearnet through Lokinet if desired.
* Enable lockdown or kill switch mode in your operating system, or set up firewall rules to block all non-Lokinet connections. This ensures that if Lokinet disconnects, no unprotected traffic leaks, maintaining privacy.
* Use anonymous payments, keep software up to date, and regularly verify lockdown enforcement to prevent data leaks.
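The firewall-based kill switch described under OS Hygiene and the Lokinet lockdown mode above are the same control with different arguments; the following POSIX shell example, added here and not part of the original page, generates an nftables ruleset for either one and includes a check for the "regularly verify lockdown enforcement" step. Interface names, the sample server address and the `_lokinet` service account are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original page: emit an nftables "kill switch"
# ruleset so that when the tunnel drops, nothing falls back to the bare uplink.
# Arguments (illustrative assumptions):
#   $1  tunnel interface: wg0 (WireGuard), tun0 (OpenVPN) or lokitun0 (Lokinet)
#   $2  physical uplink interface, e.g. eth0
#   $3  nft match selecting the tunnel's own transport on the uplink, e.g.
#       'ip daddr 203.0.113.10 udp dport 51820' for a single VPN server, or
#       'meta skuid "_lokinet"' for a daemon that talks to many relays
killswitch_rules() {
  tun="$1"; uplink="$2"; transport="$3"
  cat <<EOF
table inet killswitch {
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    oifname "$tun" accept
    oifname "$uplink" $transport accept
    # DHCP renewal on the uplink; deliberately no DNS allow here, so a
    # resolver query that misses the tunnel is dropped instead of leaking
    oifname "$uplink" udp sport 68 udp dport 67 accept
    counter drop
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    iifname "$tun" accept
    counter drop
  }
}
EOF
}

# Return 0 only while a ruleset dump (pass "$(nft list ruleset)") still carries
# the drop policy on both hooks; schedule it to catch a flushed firewall.
verify_killswitch() {
  printf '%s\n' "$1" | grep -q 'hook output priority [^;]*; policy drop;' &&
  printf '%s\n' "$1" | grep -q 'hook input priority [^;]*; policy drop;'
}
# Apply:  killswitch_rules wg0 eth0 'ip daddr 203.0.113.10 udp dport 51820' | nft -f -
# Check:  verify_killswitch "$(nft list ruleset)" && echo "lockdown in place"
```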

### Potential Benefits of Using VPNs with Tor or Lokinet

* VPNs can conceal the use of Tor or Lokinet from your internet provider by encrypting traffic before it leaves your device, enhancing privacy.
* They add an additional layer of IP address masking, reducing the risk of linking your real location with your Tor or Lokinet activity.
* VPNs can help bypass network restrictions or censorship that might block direct connections to Tor or Lokinet networks.
* When used after Tor or Lokinet (though less common), VPNs can help protect against untrusted exit nodes by encrypting traffic leaving the privacy network.
* Combining VPNs with Tor or Lokinet can increase security and anonymity over these networks, though at the cost of the VPN provider seeing the traffic as well as added complexity and some performance trade-offs.

#### Implication for Multi-Hop VPN + Tor vs. Multi-Hop VPN + Lokinet

* With **Tor**, the typical setup involves layering VPNs first, then manually directing application traffic (like the Tor Browser) through Tor. This does not create a full device-level tunnel like a VPN. It requires special configuration and iptables rules for transparent proxying if a device-wide Tor network tunnel is desired, and even then, only TCP traffic is routed.
* With **Lokinet**, since it operates at the network layer, connecting a device or VM to Lokinet acts much like connecting through a VPN. All traffic (TCP, UDP, ICMP) can be onion-routed automatically. Multi-hop VPN + Lokinet setups allow seamless layered routing at the network level, unlike Tor.

### Summary Table

| Feature         | Tor                                                   | Lokinet                             |
| --------------- | ----------------------------------------------------- | ----------------------------------- |
| OSI Layer       | Application Layer (Layer 7)                           | Network Layer (Layer 3)             |
| Traffic Types   | TCP only                                              | TCP, UDP, ICMP, all IP traffic      |
| Network Tunnel  | Application-specific (e.g., Tor Browser)              | Full device/VM network tunnel       |
| VPN Replacement | No, complements VPNs                                  | Yes, can replace VPN-like routing   |
| Transparency    | Needs explicit app configs or complex iptables setups | Transparent to all apps and traffic |

Thus, Tor does not natively work "over" VPN like Lokinet can; instead, Tor runs atop VPNs for layered privacy while Lokinet can function directly as a network-layer privacy tool replacing or complementing VPNs.

This fundamental architectural difference explains why setups involving multi-hop VPN + Tor require application-level routing and firewall rules, while multi-hop VPN + Lokinet can use simpler, full-network layered tunneling.

### Anonymous Payments for No-Log VPNs

* Select a VPN that explicitly states a no-logs policy and accepts anonymous payments (Monero, CoinJoin BTC, gift/prepaid cards).
* Open a new anonymous email (ProtonMail, Tutanota, etc.) using Tor for registration.
* Register for the VPN service using only your anonymous details.
* Pay with cryptocurrency sent from a wallet with no connection to your identity (consider tumbling or privacy wallets).
* Never reuse credentials or email addresses across compartments.

### Hardware & ID Obfuscation

* Before connecting to any network, spoof your MAC address (`macchanger -r eth0` on Linux) for every new session.
* Use removable, unlinked network adapters, preferably new or secondhand with no purchase records.
* Avoid initializing persistent hardware/user IDs: wipe system fingerprints or use privacy-focused OS features to prevent hardware-based tracking.

### Location Deception

* Use GPS spoofing apps/tools on any device with location features.
* When possible, operate exclusively via public and random WiFi (libraries, cafes), never returning to the same network.
* Do not log in or access any accounts connected to your real identity while on these networks.
* Change operational base regularly; never stay at the same public WiFi location or city for repeat sessions.

### Virtual Compartmentalization

* Install Qubes OS on your main device, or use a secure Linux host with VirtualBox/Virt-Manager.
* Create separate Whonix VMs for each operational activity (web, email, comms, research).
* Enable full-disk encryption (LUKS, VeraCrypt, or similar) with plausible deniability features.
* Regularly back up data to encrypted external drives.
* For highly sensitive operations, use self-destructing VM environments or disposable VMs for one-time use.

