VPN: Threat Model First

Most VPN marketing is noise. Here is what a VPN actually protects, and what it does not.
Most VPN ads sell a feeling. Here is what the tool actually does.

by Alien Investor

#VPN #Privacy #OPSEC #DNS #Mullvad #DigitalSovereignty

────────────────

“A VPN shifts trust. It does not eliminate it.”

────────────────

VPN marketing promises invisibility. “Military-grade encryption.” “100% anonymous.” “One click to privacy.”

That is not a threat model. That is a sales pitch.

A VPN is a tunnel. It encrypts traffic between your device and the VPN provider’s server. Your ISP sees an encrypted connection. Websites see the VPN server’s IP, not yours.

That is it. Powerful in some scenarios. Useless in others.

────────────────

Protection by Threat Model

Here is the honest breakdown across five real scenarios.

Public Wi-Fi (hotel, café, airport): 10/10
This is where VPNs shine. Your data leaves the device already encrypted. An attacker on the same network sees nothing usable. No contest.

ISP surveillance and DNS logging: 9/10
Your internet provider sees an encrypted connection to a VPN server. It cannot read which domains you visit or what you send. Solid protection.

Targeted law enforcement: 8/10 (Mullvad/Proton) vs. 0/10 (free VPN)
A no-logs provider that has already survived a real police raid hands over nothing because nothing exists. A free VPN with a “no-logs” promise hands over everything, because the logs are the product.

State mass surveillance and deep packet inspection: 7/10
DPI can identify VPN protocols with 85–99% accuracy depending on method. The state can see that you are using a VPN. It cannot read the content. That is still meaningful, but it is not invisibility.

Ad industry, Google, Meta tracking: 1–2/10
Browser fingerprinting makes your IP address largely irrelevant. Canvas values, fonts, GPU model, screen resolution, timezone: this combination identifies you across sessions without a single cookie. A VPN changes your IP. It does not change your fingerprint. Wrong tool for this threat.

────────────────

The DNS Paradox Nobody Talks About

This is the mistake that silently kills VPN anonymity for careful users.

Combining a personalized NextDNS profile with a VPN sounds smart: better filtering plus encryption. The problem is structural.

Your NextDNS profile is unique. Which blocklists you run, which domains you whitelist, which queries you send: this yes/no response matrix creates a logical fingerprint. Route those queries through a VPN tunnel and NextDNS does not learn your real IP. But it still learns your behavioral pattern, which is effectively your identity.

The result: you paid for anonymity and built a de-anonymization layer into your own setup.

The fix:

When anonymity is the goal, use the VPN’s own DNS resolver. Mullvad DNS Adblock handles filtering without creating a persistent profile tied to you. No external DNS through the tunnel.

NextDNS belongs on a home router without a VPN behind it: good filtering, easy management, and no fingerprint problem, since your home IP already identifies you.
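The linkage described in this section, as an added example that is not part of the original article: sessions arriving from different VPN exit IPs are clustered by the block/allow answers a filtering resolver returns, once with personalized profiles and once with a single shared policy. The list contents, profiles, probe domains and sessions are constructed, and reducing a profile to its answers for four probe domains is a simplifying assumption.

```python
import hashlib
from collections import defaultdict

# Constructed data: list contents, profiles and sessions are invented;
# the IPs come from the RFC 5737 documentation ranges.
LISTS = {
    "ads": {"ads.example"},
    "tracking": {"ads.example", "telemetry.example"},
    "social": {"social.example"},
}
PROBES = ["ads.example", "telemetry.example", "cdn.example", "social.example"]
PROFILES = {  # user -> (enabled blocklists, personal allowlist)
    "alice": (["ads", "social"], []),
    "bob": (["tracking"], ["ads.example"]),
    "carol": (["ads", "tracking", "social"], ["social.example"]),
}
SHARED = (["ads", "tracking"], [])  # one policy for every user of a shared resolver
SESSIONS = [  # (true user, VPN exit IP); the user column is ground truth only
    ("alice", "198.51.100.7"), ("bob", "198.51.100.7"), ("carol", "203.0.113.9"),
    ("alice", "203.0.113.9"), ("bob", "192.0.2.44"), ("carol", "198.51.100.7"),
]

def verdicts(policy):
    """Block/allow answer vector the resolver gives for PROBES under one policy."""
    blocklists, allowlist = policy
    blocked = set().union(*(LISTS[n] for n in blocklists)) - set(allowlist)
    return tuple(domain in blocked for domain in PROBES)

def fingerprint(policy):
    """Stable identifier derived only from the answer vector, never from the IP."""
    return hashlib.sha256(repr(verdicts(policy)).encode()).hexdigest()[:12]

def link_sessions(sessions, policy_of):
    """Cluster sessions by fingerprint, as a resolver operator could."""
    clusters = defaultdict(list)
    for user, exit_ip in sessions:
        clusters[fingerprint(policy_of(user))].append((user, exit_ip))
    return dict(clusters)

def anonymity_sets(clusters):
    """Distinct real users behind each fingerprint (1 = fully singled out)."""
    return sorted(len({user for user, _ in members}) for members in clusters.values())

def exit_ips_per_cluster(clusters):
    """Distinct VPN exit IPs each fingerprint was seen from."""
    return sorted(len({ip for _, ip in members}) for members in clusters.values())

personal = link_sessions(SESSIONS, PROFILES.get)
shared = link_sessions(SESSIONS, lambda user: SHARED)
```

With personalized profiles every cluster contains exactly one user even though each was seen from two exit IPs; with the shared policy all three users fall into a single cluster.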

────────────────

Mullvad vs. ProtonVPN

Both are worth recommending. The difference is the threat level.

Mullvad: No account. No name. No email. You get an anonymous account number. Pay with Monero, cash, or Bitcoin. The servers are RAM-only, so nothing persists to disk. In 2023, police raided a Mullvad server. They left without data because there was none.

ProtonVPN: Email required. Swiss law protects the VPN service specifically (not necessarily ProtonMail under the same standard). Independent annual audits. Free tier available. Works well within the Proton ecosystem.

If your goal is maximum anonymity: Mullvad, paid with Monero or cash, RAM-only servers, Mullvad DNS.

If you want a solid everyday VPN bundled with encrypted mail and cloud: ProtonVPN is a reasonable choice.

────────────────

Free VPNs

Servers cost money. If you are not paying, the logs are the product.

Multiple independent studies have documented free VPN apps selling browsing data, injecting ads into traffic, or logging and reselling DNS queries. Some have been caught routing user traffic through other users’ devices.

There is no free lunch in privacy infrastructure. Avoid free VPNs entirely.

────────────────

What a VPN Cannot Replace

For the ad-industry and fingerprinting problem, the tools that actually work are:

  • Firefox or LibreWolf with privacy.resistFingerprinting enabled
  • uBlock Origin (full version, not Lite)
  • No Google account active in the browser
  • Mullvad Browser for high-risk sessions (Tor Project anti-fingerprinting tech, VPN-ready)

A VPN and a hardened browser are complementary, not substitutes. Both have their role.

────────────────

GrapheneOS and VPN

GrapheneOS has per-app VPN routing built into the OS. You specify exactly which apps go through the tunnel and which do not. No root is required.

Enable always-on VPN and the kill switch in Settings. No traffic leaves unprotected if the VPN drops. This is the cleanest mobile setup: hardware privacy at the OS level, network privacy at the VPN level.

────────────────


Money, power, Bitcoin — and OPSEC. I write about financial sovereignty, privacy, and cybersecurity in a world built on control. More at alien-investor.org 👽
