Risks associated with exposing custom VPN IP or home IP address

Given a threat model covering passive attacks and general surveillance capitalism (including ISP snooping), I’ve been thinking through the risks associated with exposing an ISP IP that I connect to via VPN.

I have a home lab server hosting a variety of self-hosted services I use. I have an always-on connection to this server IP over VPN from my mobile phone. I use this for notifications, location tracking, etc., so it’s important to me that it’s always on. All my internet traffic is also routed through this server and exits through a public VPN provider. I’m wondering how concerned I should be by the fact that I’m the only one connecting to this IP and therefore very identifiable on public wifi. I’m thinking:

  1. Anytime I connect to public wifi, I could be profiled because my traffic pattern is so consistent and I’m the only one that ever connects to that IP. (in general, I have traditionally favored wifi connectivity for my mobile phones and often run in airplane mode)

  2. My home ISP will see my source IP when I’m traveling and can derive my location from this IP anytime I’m connected to wifi outside my house.

I believe I can solve this on my laptop by tunneling my home VPN through a public VPN service but my understanding is that tunneling VPNs is not possible on Android/GrapheneOS.

Is this a threat vector I should be worried about for general anti-surveillance capitalism? How comfortable are you exposing your dedicated VPN IPs to all of the public wifi points you connect to?

After giving further thought and discussing with a few people, I’ve decided these threats are of relatively little concern given my threat model.

Nevertheless, I did a couple of things that I think give me some protection and don’t cost much in latency.

  1. On devices that I can layer VPNs, like my laptop, I always tunnel my home VPN connection through a public VPN connection like Mullvad.
  2. On Android, I decided to reflect my VPN connection off of a privacy respecting VPS located near my home. This adds very little latency but hides my home IP from public wifi networks and prevents my ISP from seeing where I connect from. It’s probably overkill but doesn’t cost me much in latency.

fwiw, I did consider a few other thoughts:

  • Find a tunneling/forwarding service for UDP packets and try to rotate IPs regularly.
  • Avoid public wifi for the Android device and prefer mobile data with a non-KYC eSIM

It may still make sense to prefer non-KYC mobile data over large-provider public wifi, but mobile device management comes with its own nuances.

For now, I’m not going to give this threat much further thought.

1 Like

I’m sad that your initial post didn’t get much attention when initially posted… I think it’s a fair concern to have! Glad that you have arrived at a conclusion.

Did you have a guide or online resource that you followed for doing this on Android? We don’t usually discuss VPS at Privacy Guides, so I’m happy to give it a read if I ever need to do something similar in the future.

I don’t know how I missed this post but I completely agree with @KevPham that this is a very valid question and it’s something I’ve also thought a fair bit about. Thanks for sharing what solution worked for you because I personally haven’t really arrived at a satisfactory solution.

1 Like

I didn’t follow a guide, per se. In my case, I selected a cheap VPS from one of the providers recommended on this forum. For simple routing, I use a single-core VPS with little RAM – the cheapest VPS possible. I then set up iptables to forward WireGuard UDP packets following a guide similar to the one below (as well as adding a few other firewall rules to lock down the VPS server).

ie:

# kernel must be allowed to forward packets, or the DNAT rule below does nothing
sysctl -w net.ipv4.ip_forward=1
# rewrite the destination of inbound WireGuard UDP packets to the home lab
iptables -t nat -A PREROUTING -i <NETWORK INTERFACE> -p udp -m udp --dport <WIREGUARD_PORT> -j DNAT --to-destination <MY_ISP_IP>
# rewrite the source to the VPS IP so the home lab replies back through the VPS
iptables -t nat -A POSTROUTING -o <NETWORK INTERFACE> -j MASQUERADE

Given this configuration, I now configure my Android WireGuard client to connect to the VPS IP address instead of my Home Lab IP.

Android Wireguard Client — VPS IP —> [VPS Server] — My ISP IP —> [Home Lab]

Given this configuration, the VPS server still never sees unencrypted data, as the VPN traffic bounces off the VPS server while remaining fully encrypted. My ISP never sees where I’m actually coming in from (only the VPS IP). The public Wi-Fi access points never see my Home IP.

Future Iteration

I think a more elegant approach here may be to use your public VPN’s Dynamic Port Forwarding / NAT-PMP capabilities and actually terminate your Home Lab VPN using your public VPN’s address. It seems Mullvad no longer supports this but Proton VPN does. I’ll be playing with this a bit more. In that case, you could do something like:

Android WireGuard Client — Public VPN IP —> [ProtonVPN] <— Public VPN IP — [Home Lab]


Nevertheless, I still think this is probably a lower threat in the realm of mass/corporate surveillance.

2 Likes
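The relay described in the reply above consists of two NAT rules, but on a stock VPS those two lines alone will not pass traffic: the kernel also needs IP forwarding enabled and a FORWARD chain that admits the relayed UDP flow while still dropping everything else. The script below is an added example (not the poster's own setup, nor anything from Privacy Guides) that generates the complete rule set for such a WireGuard bounce. The interface name `eth0`, the port `51820` and the documentation-range address `203.0.113.10` are placeholder assumptions to be replaced with the real values.

```shell
#!/bin/sh
# Added example: complete iptables rule set for relaying WireGuard UDP from a
# VPS to a home lab. All three values below are placeholders/assumptions.
WAN_IF="${WAN_IF:-eth0}"             # assumed public interface of the VPS
WG_PORT="${WG_PORT:-51820}"          # assumed WireGuard listen port
HOME_IP="${HOME_IP:-203.0.113.10}"   # placeholder home ISP IP (RFC 5737 range)

# Reject anything that is not a plain dotted-quad IPv4 address before it is
# interpolated into a rule; returns 0 when valid, 1 otherwise.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Reject ports outside 1..65535; returns 0 when valid, 1 otherwise.
valid_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rules to stdout. Nothing is applied here; review the output and
# then run it as root, e.g.:  wg_relay_rules | sudo sh
wg_relay_rules() {
    valid_ipv4 "$HOME_IP" || { echo "bad HOME_IP: $HOME_IP" >&2; return 1; }
    valid_port "$WG_PORT" || { echo "bad WG_PORT: $WG_PORT" >&2; return 1; }
    cat <<EOF
# 1. Let the kernel forward packets between interfaces at all.
sysctl -w net.ipv4.ip_forward=1
# 2. Inbound WireGuard UDP on the public interface: rewrite destination to home.
iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport $WG_PORT -j DNAT --to-destination $HOME_IP:$WG_PORT
# 3. Only for the relayed flow, rewrite the source to the VPS address so the
#    home lab (and its ISP) see the VPS, not the client's Wi-Fi address.
iptables -t nat -A POSTROUTING -o $WAN_IF -d $HOME_IP -p udp --dport $WG_PORT -j MASQUERADE
# 4. FORWARD chain: admit the new relayed flow and replies, drop everything else,
#    so the VPS cannot be used as a general-purpose forwarder.
iptables -A FORWARD -i $WAN_IF -o $WAN_IF -p udp -d $HOME_IP --dport $WG_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Number of rule lines (non-comment) the generator emits; handy for a sanity
# check after a config change.
wg_relay_rule_count() {
    wg_relay_rules | grep -vc '^#'
}

# Usage: print the rules for review, then pipe them to sh as root.
wg_relay_rules
```

Because of the MASQUERADE in step 3, the home lab's WireGuard server sees every handshake arrive from the VPS address; the Android client's only change is `Endpoint = <VPS IP>:51820` in its tunnel config. The conntrack entry created by the first packet is what lets the home lab's replies be un-NATed back to the phone, so the relay works for roaming clients without the VPS ever holding a WireGuard key.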