One email a week - something from which I hope you'll get real value. We talk about things we can build, and how to defend them. That can apply to cybersecurity, physical buildings, digital products, and .... just about anything. It gives me a lot of latitude in what I can write about, but the two concepts are important for progress - as individuals, and as society.

Today's topic is: VPNs & Freedom Of Speech

Private communications are not a luxury feature. They are part of being a free person.

There is a familiar pattern now: a bad thing happens. Politicians demand a tool to stop the bad thing. The tool somehow requires scanning everyone’s private communications, weakening encryption, or forcing platforms to become informants. Then anyone who objects gets accused of defending the bad thing. Sometimes they don't even pretend there's a bad thing, but suggest that there may well be one someday so why not act now....

That is roughly where the EU’s “Chat Control” fight keeps landing. The EU Parliament has just been forced by the EU Commission to vote on it a sixth time (with the vote being brought through some very sketchy methods, too), since they couldn't get it through the first five times. (This is how the EU works though, they just vote and vote and vote on things until they get the answer they want. If you don't believe me, look it up.)

The stated aim for Chat Control is protecting children. It's difficult to argue with that as a goal - that's about as noble a cause as you can get. However, the the proposed protection keeps drifting toward mass scanning of private messages, including client-side scanning before encryption can protect those messages. Once you normalise that machinery, the purpose can change. The database can change. The threshold can change. The political mood can change. Once the technology is embedded, it's as simple as then changing the law, which as we've seen is something the EU will vote to do until they get the outcome they want.

Once that happens, your private conversations are no longer private. They are conditional. Someone else sets the conditions.

So this week’s Build & Defend is simple: build your own private communications channel.

Not because a VPN solves everything. It does not. Bad things can still happen, but at least this way you have some control over your own freedom.

If you care about speech, you should know how to build one.

🔨 BUILD: Your Own VPN

Wait, what? I can build one? I thought VPNs were just those annoying things I needed to use to get my spreadsheets at work...?

Well, yeah, but it ultimately means what the initial stand for: Virtual Private Network. Most of us know this because our employer gives us access to their Virtual Private Network, but anyone can have one. Probably everyone should. That's why I'm writing this this week. The basic version of a VPN is not complicated.

You rent a small virtual private server (VPS) - basically a virtual machine in the cloud - from a provider outside the jurisdiction or network you are worried about. For example, if you're in the EU, you would rent a VPS in the US, or Switzerland. You install WireGuard. Your phone and laptop connect to it. Your traffic leaves from that server instead of from the local network you are sitting on.

See, not complicated at all, right?

What You Need

  • A cheap VPS: Hetzner, OVH, Scaleway, DigitalOcean, Vultr, Linode, etc. (Those are the names of companies that sell VPS. (NB: Just because the company is outside the jurisdiction doesn't mean the machine is. Most companies have data centres in multiple places, but Hetzner's for example are all inside the EU.)

  • Ubuntu or Debian - this is easier than Windows (for these purposes) and requires less resources

  • WireGuard for the standard build (see the links below)

  • A second option for censorship resistance if VPN protocols (methods of sending traffic) are blocked

A tiny VPS is enough for personal use. One virtual CPU (vCPU) and 1GB RAM will handle normal browsing, messaging, admin work, and travel use. You can use this to stream video (to watch things from other regions) but that makes it more complicated in terms of resources and bandwidth required, and isn't the focus of this newsletter.

The Standard Setup

WireGuard is the default answer for a personal VPN. It's fast, simple, modern, and well supported on macOS, iOS, Android, Windows, Linux, and routers. Compared with old OpenVPN setups, it feels almost too easy.

Your architecture looks like this:

Laptop / phone   |   | encrypted tunnel   v Your VPS   |   | normal internet   v Websites / apps / services

The practical build is straightforward, but technical. You can prompt your AI to help you with all these steps.

First, rent a small VPS in the country you want your traffic to exit from. A basic Ubuntu server with one CPU and 1GB RAM is enough for personal use. SSH into it, update the system, and install WireGuard.

On the server, you generate a private/public key pair, create a wg0 interface (same), assign it a private VPN address such as 10.8.0.1/24, enable IP forwarding, and add a simple firewall/NAT rule so traffic from your VPN clients can exit through the VPS’s public network interface. Then install the WireGuard client on your laptop or phone, generate a client key pair, and add that client as a peer on the server. The client config points at your VPS public IP, uses its own private VPN address such as 10.8.0.2/32, and sets AllowedIPs = 0.0.0.0/0, ::/0 if you want all traffic to go through the tunnel. Turn it on, visit an IP-checking site (i typically use ifconfig.co, which you can access from the command line with "curl -r ifconfig.co), and confirm your traffic now exits from the VPS rather than your local ISP. That is the whole shape of it: VPS, WireGuard server, client profile, full-tunnel routing.

Once you're set up, the local coffee shop, airport, hotel, school, employer guest Wi-Fi, or ISP sees an encrypted connection to your server. They do not see every site you visit. That alone is worth having.

The Catch

WireGuard traffic still looks like WireGuard traffic.

A censor, corporate firewall, or national filtering system may not know what is inside the tunnel, but it can often tell that the traffic is a tunnel, and probably VPN traffic. WireGuard has a recognizable 'shape' on the network. So does OpenVPN. So do many commercial VPN endpoints, which get blocked by IP reputation lists anyway.

That is fine if your threat model is basic privacy. It is not enough if your threat model includes VPN blocking.

So you need two layers to your thinking:

Normal privacy: Wireguard on your own VPS

Censorship resistance: traffic that doesn't look like VPN traffic but regular traffic instead

🛡️ DEFEND: Your Privacy

A VPN protects the network path. It does not protect the endpoint. That distinction matters. Quite a bit.

If an app scans your message before it gets encrypted, the VPN does not help. If your phone is compromised, the VPN does not help. If you log into a service with your real identity, the VPN does not make you anonymous. If you post under your own name, the VPN does not make the post deniable.

A VPN is not invisibility. It is plumbing.

Good plumbing still matters.

It protects you from:

  • hostile Wi-Fi networks

  • ISP-level logging and casual filtering

  • location-based blocking

  • some censorship blocks

  • cheap traffic inspection

  • commercial VPN blacklists, if you use your own clean VPS IP

It does not protect you from:

  • malware

  • browser fingerprinting

  • platform subpoenas (ie, if someone asks Facebook for their logs of your activity and they get them from Facebook)

  • account identity

  • payment trails

  • client-side scanning

  • bad personal discipline

For most normal people, the goal is not to become a spy. The goal is to make casual surveillance and lazy censorship harder. Which is a worthy goal.

Ah, but I heard you say that VPNs could be obvious?

Yes, yes you did.

If you are in a place where VPNs are blocked, “just use WireGuard” may fail. The packets may be encrypted, but the shape of the traffic can still give the game away.

So for the censorship-resistant version, you want your tunnel to resemble normal HTTPS or HTTP/3 traffic as much as possible. (Those are the basic protocols that websites use.)

Again, you're not trying to be 100% invisible - but you can make blocking you expensive, noisy, and likely to cause collateral damage. That ultimately means that you'll be able to do what you want in 99% of the cases, and for that 1% you have state-sponsored actors after you and that's an entirely different newsletter. (That's the "Avoid North Korean Spies newsletter, and I'm not sure anyone writes that.)

You will need different software when you're looking to really defend your free speech.

Option 1: Hysteria 2

Hysteria 2 is a censorship-resistant proxy built on QUIC. In practical terms, it can masquerade as HTTP/3 traffic. That matters because HTTP/3 is normal web traffic now. Blocking all HTTP/3 just to stop your tunnel may break real services. Censors hate collateral damage when it annoys enough normal people.

Good fit:

  • hostile networks

  • mobile networks

  • unreliable connections

  • places where UDP still works

  • users who want speed

Tradeoffs:

  • some networks block or throttle UDP

  • setup is more involved than WireGuard

  • you need to keep the client/server config clean

Option 2: Xray with VLESS + REALITY

Xray/VLESS/REALITY is popular in harder censorship environments because it is designed to blend into normal TLS traffic. The idea is that your connection looks less like “VPN app talking to VPN server” and more like a regular encrypted web session. Done properly, it can be much harder to classify without blocking normal HTTPS traffic too.

Good fit:

  • networks that aggressively detect VPN protocols

  • places where HTTPS is still allowed

  • users comfortable with more technical setup

Tradeoffs:

  • more moving parts

  • more ways to misconfigure it

  • bad tutorials are everywhere

  • you need to understand certificates, domains, and client profiles

Option 3: Shadowsocks

Shadowsocks is older but still useful. It is not a VPN in the classic sense. It is an encrypted proxy. For many people, that is enough. You send browser and app traffic through the proxy, and it avoids some blunt filtering systems.

Good fit:

  • lightweight setups

  • simple proxy use

  • routers and mobile clients

  • people who do not need full-device VPN routing

Tradeoffs:

  • less comprehensive than a full tunnel unless configured carefully

  • plain Shadowsocks may be easier to identify than newer obfuscation methods

  • client support varies by platform

💰 STACK: Resilient Personal Comms

The tunnel is only one piece. You still need to think of everything else.

  • Signal for personal messaging

  • SimpleX or Session if you want fewer identity ties

  • Proton Mail or Tuta for email

  • Bitwarden or 1Password for passwords

  • YubiKeys for important accounts

  • encrypted device backups

  • Tailscale for trusted personal machines

  • a second VPS provider as backup

Do not wait until the week you need this stuff. Build it while life is boring. Boring is when security work gets done properly.

The Uncomfortable Truth

Chat Control-style proposals expose a deeper problem.

Most people do not own their communications stack. They rent it from platforms. They borrow it from ISPs. They accept defaults from phone vendors. They trust app stores, cloud backups, DNS providers, mobile carriers, payment companies, and governments not to quietly change the rules. That can work for convenience. (It often does.)

It is a terrible foundation for liberty. You do not need to become paranoid. You do need to become less helpless. Build a private tunnel. Learn how it works. Keep a backup. Teach your family how to turn it on. Write down the recovery steps. Pay for the VPS with something that will not vanish if one company decides you are unfashionable this week. (This is why we have Monero. (You have Monero, right?))

The point is not to hide from ordinary law enforcement. The point is to preserve the ordinary private space that free people need in order to think, speak, organise, argue, and dissent.

If private speech requires permission, it is not private speech.

European Commission: Protecting Children From Sexual Abuse Online
The official EU framing for the policy area behind the Chat Control debate.

Fight Chat Control
A campaign site tracking the civil liberties objections to mass scanning proposals.

(They have a difficult job - since the EU passed it with the majority voting against it. Wait, you say, how can that be? Well, they needed a certain number of people to say "no" and when that number didn't happen - because they had the vote on the day before the vacation - so even though the majority of people who actually voted said no, not enough said no, so they considered that a "yes". Yes, that's really how the EU operates. It's enough to make Stalin blush.)

WireGuard
The best default choice for a clean personal VPN.

Hysteria 2
A censorship-resistant proxy designed to masquerade as HTTP/3 traffic.

Xray-Core
The project behind VLESS/REALITY setups used in more aggressive censorship environments.

💬 ONE THING

This week, rent one small VPS and build a WireGuard server.

Do not overthink it. Pick a provider, install it, connect your phone, and confirm that your traffic exits through the server. Then write down the steps in a note you can find later.

Once that works, build the second version: Hysteria 2 or Xray REALITY on another VPS.

The first tunnel is for privacy.

The second is for the day someone decides privacy itself looks suspicious.

Thanks for reading this newsletter! Feel free to respond any time.

Thomas

Was this forwarded to you? Subscribe at builddefend.fyi.

Had enough? [Unsubscribe] - no hard feelings.*

* Well, a little bit.

Keep reading