One email a week - something from which I hope you'll get real value. We talk about things we can build, and how to defend them. That can apply to cybersecurity, physical buildings, digital products, and .... just about anything. It gives me a lot of latitude in what I can write about, but the two concepts are important for progress - as individuals, and as society.
Today's topic is: VPNs & Freedom Of Speech
Private communications are not a luxury feature. They are part of being a free person.
There is a familiar pattern now: a bad thing happens. Politicians demand a tool to stop the bad thing. The tool somehow requires scanning everyone’s private communications, weakening encryption, or forcing platforms to become informants. Then anyone who objects gets accused of defending the bad thing. Sometimes they don't even pretend there's a bad thing, but suggest that there may well be one someday so why not act now....
That is roughly where the EU’s “Chat Control” fight keeps landing. The EU Parliament has just been forced by the EU Commission to vote on it a sixth time (with the vote being brought through some very sketchy methods, too), since they couldn't get it through the first five times. (This is how the EU works though, they just vote and vote and vote on things until they get the answer they want. If you don't believe me, look it up.)
The stated aim for Chat Control is protecting children. It's difficult to argue with that as a goal - that's about as noble a cause as you can get. However, the the proposed protection keeps drifting toward mass scanning of private messages, including client-side scanning before encryption can protect those messages. Once you normalise that machinery, the purpose can change. The database can change. The threshold can change. The political mood can change. Once the technology is embedded, it's as simple as then changing the law, which as we've seen is something the EU will vote to do until they get the outcome they want.
Once that happens, your private conversations are no longer private. They are conditional. Someone else sets the conditions.
So this week’s Build & Defend is simple: build your own private communications channel.
Not because a VPN solves everything. It does not. Bad things can still happen, but at least this way you have some control over your own freedom.
If you care about speech, you should know how to build one.
🔨 BUILD: Your Own VPN
Wait, what? I can build one? I thought VPNs were just those annoying things I needed to use to get my spreadsheets at work...?
Well, yeah, but it ultimately means what the initial stand for: Virtual Private Network. Most of us know this because our employer gives us access to their Virtual Private Network, but anyone can have one. Probably everyone should. That's why I'm writing this this week. The basic version of a VPN is not complicated.
You rent a small virtual private server (VPS) - basically a virtual machine in the cloud - from a provider outside the jurisdiction or network you are worried about. For example, if you're in the EU, you would rent a VPS in the US, or Switzerland. You install WireGuard. Your phone and laptop connect to it. Your traffic leaves from that server instead of from the local network you are sitting on.
See, not complicated at all, right?
What You Need
A cheap VPS: Hetzner, OVH, Scaleway, DigitalOcean, Vultr, Linode, etc. (Those are the names of companies that sell VPS. (NB: Just because the company is outside the jurisdiction doesn't mean the machine is. Most companies have data centres in multiple places, but Hetzner's for example are all inside the EU.)
Ubuntu or Debian - this is easier than Windows (for these purposes) and requires less resources
WireGuard for the standard build (see the links below)
A second option for censorship resistance if VPN protocols (methods of sending traffic) are blocked
A tiny VPS is enough for personal use. One virtual CPU (vCPU) and 1GB RAM will handle normal browsing, messaging, admin work, and travel use. You can use this to stream video (to watch things from other regions) but that makes it more complicated in terms of resources and bandwidth required, and isn't the focus of this newsletter.
The Standard Setup
WireGuard is the default answer for a personal VPN. It's fast, simple, modern, and well supported on macOS, iOS, Android, Windows, Linux, and routers. Compared with old OpenVPN setups, it feels almost too easy.
Your architecture looks like this:
Laptop / phone | | encrypted tunnel v Your VPS | | normal internet v Websites / apps / services
The practical build is straightforward, but technical. You can prompt your AI to help you with all these steps.
First, rent a small VPS in the country you want your traffic to exit from. A basic Ubuntu server with one CPU and 1GB RAM is enough for personal use. SSH into it, update the system, and install WireGuard.
On the server, you generate a private/public key pair, create a wg0 interface (same), assign it a private VPN address such as 10.8.0.1/24, enable IP forwarding, and add a simple firewall/NAT rule so traffic from your VPN clients can exit through the VPS’s public network interface. Then install the WireGuard client on your laptop or phone, generate a client key pair, and add that client as a peer on the server. The client config points at your VPS public IP, uses its own private VPN address such as 10.8.0.2/32, and sets AllowedIPs = 0.0.0.0/0, ::/0 if you want all traffic to go through the tunnel. Turn it on, visit an IP-checking site (i typically use ifconfig.co, which you can access from the command line with "curl -r ifconfig.co), and confirm your traffic now exits from the VPS rather than your local ISP. That is the whole shape of it: VPS, WireGuard server, client profile, full-tunnel routing.
Once you're set up, the local coffee shop, airport, hotel, school, employer guest Wi-Fi, or ISP sees an encrypted connection to your server. They do not see every site you visit. That alone is worth having.
The Catch
WireGuard traffic still looks like WireGuard traffic.
A censor, corporate firewall, or national filtering system may not know what is inside the tunnel, but it can often tell that the traffic is a tunnel, and probably VPN traffic. WireGuard has a recognizable 'shape' on the network. So does OpenVPN. So do many commercial VPN endpoints, which get blocked by IP reputation lists anyway.
That is fine if your threat model is basic privacy. It is not enough if your threat model includes VPN blocking.
So you need two layers to your thinking:
Normal privacy: Wireguard on your own VPS
Censorship resistance: traffic that doesn't look like VPN traffic but regular traffic instead
🛡️ DEFEND: Your Privacy
A VPN protects the network path. It does not protect the endpoint. That distinction matters. Quite a bit.
If an app scans your message before it gets encrypted, the VPN does not help. If your phone is compromised, the VPN does not help. If you log into a service with your real identity, the VPN does not make you anonymous. If you post under your own name, the VPN does not make the post deniable.
A VPN is not invisibility. It is plumbing.
Good plumbing still matters.
It protects you from:
hostile Wi-Fi networks
ISP-level logging and casual filtering
location-based blocking
some censorship blocks
cheap traffic inspection
commercial VPN blacklists, if you use your own clean VPS IP
It does not protect you from:
malware
browser fingerprinting
platform subpoenas (ie, if someone asks Facebook for their logs of your activity and they get them from Facebook)
account identity
payment trails
client-side scanning
bad personal discipline
For most normal people, the goal is not to become a spy. The goal is to make casual surveillance and lazy censorship harder. Which is a worthy goal.
Ah, but I heard you say that VPNs could be obvious?
Yes, yes you did.
If you are in a place where VPNs are blocked, “just use WireGuard” may fail. The packets may be encrypted, but the shape of the traffic can still give the game away.
So for the censorship-resistant version, you want your tunnel to resemble normal HTTPS or HTTP/3 traffic as much as possible. (Those are the basic protocols that websites use.)
Again, you're not trying to be 100% invisible - but you can make blocking you expensive, noisy, and likely to cause collateral damage. That ultimately means that you'll be able to do what you want in 99% of the cases, and for that 1% you have state-sponsored actors after you and that's an entirely different newsletter. (That's the "Avoid North Korean Spies newsletter, and I'm not sure anyone writes that.)
You will need different software when you're looking to really defend your free speech.
Option 1: Hysteria 2
Hysteria 2 is a censorship-resistant proxy built on QUIC. In practical terms, it can masquerade as HTTP/3 traffic. That matters because HTTP/3 is normal web traffic now. Blocking all HTTP/3 just to stop your tunnel may break real services. Censors hate collateral damage when it annoys enough normal people.
Good fit:
hostile networks
mobile networks
unreliable connections
places where UDP still works
users who want speed
Tradeoffs:
some networks block or throttle UDP
setup is more involved than WireGuard
you need to keep the client/server config clean
Option 2: Xray with VLESS + REALITY
Xray/VLESS/REALITY is popular in harder censorship environments because it is designed to blend into normal TLS traffic. The idea is that your connection looks less like “VPN app talking to VPN server” and more like a regular encrypted web session. Done properly, it can be much harder to classify without blocking normal HTTPS traffic too.
Good fit:
networks that aggressively detect VPN protocols
places where HTTPS is still allowed
users comfortable with more technical setup
Tradeoffs:
more moving parts
more ways to misconfigure it
bad tutorials are everywhere
you need to understand certificates, domains, and client profiles
Option 3: Shadowsocks
Shadowsocks is older but still useful. It is not a VPN in the classic sense. It is an encrypted proxy. For many people, that is enough. You send browser and app traffic through the proxy, and it avoids some blunt filtering systems.
Good fit:
lightweight setups
simple proxy use
routers and mobile clients
people who do not need full-device VPN routing
Tradeoffs:
less comprehensive than a full tunnel unless configured carefully
plain Shadowsocks may be easier to identify than newer obfuscation methods
client support varies by platform
💰 STACK: Resilient Personal Comms
The tunnel is only one piece. You still need to think of everything else.
Signal for personal messaging
SimpleX or Session if you want fewer identity ties
Proton Mail or Tuta for email
Bitwarden or 1Password for passwords
YubiKeys for important accounts
encrypted device backups
Tailscale for trusted personal machines
a second VPS provider as backup
Do not wait until the week you need this stuff. Build it while life is boring. Boring is when security work gets done properly.
The Uncomfortable Truth
Chat Control-style proposals expose a deeper problem.
Most people do not own their communications stack. They rent it from platforms. They borrow it from ISPs. They accept defaults from phone vendors. They trust app stores, cloud backups, DNS providers, mobile carriers, payment companies, and governments not to quietly change the rules. That can work for convenience. (It often does.)
It is a terrible foundation for liberty. You do not need to become paranoid. You do need to become less helpless. Build a private tunnel. Learn how it works. Keep a backup. Teach your family how to turn it on. Write down the recovery steps. Pay for the VPS with something that will not vanish if one company decides you are unfashionable this week. (This is why we have Monero. (You have Monero, right?))
The point is not to hide from ordinary law enforcement. The point is to preserve the ordinary private space that free people need in order to think, speak, organise, argue, and dissent.
If private speech requires permission, it is not private speech.
🔗 LINKS
European Commission: Protecting Children From Sexual Abuse Online
The official EU framing for the policy area behind the Chat Control debate.
Fight Chat Control
A campaign site tracking the civil liberties objections to mass scanning proposals.
(They have a difficult job - since the EU passed it with the majority voting against it. Wait, you say, how can that be? Well, they needed a certain number of people to say "no" and when that number didn't happen - because they had the vote on the day before the vacation - so even though the majority of people who actually voted said no, not enough said no, so they considered that a "yes". Yes, that's really how the EU operates. It's enough to make Stalin blush.)
WireGuard
The best default choice for a clean personal VPN.
Hysteria 2
A censorship-resistant proxy designed to masquerade as HTTP/3 traffic.
Xray-Core
The project behind VLESS/REALITY setups used in more aggressive censorship environments.
💬 ONE THING
This week, rent one small VPS and build a WireGuard server.
Do not overthink it. Pick a provider, install it, connect your phone, and confirm that your traffic exits through the server. Then write down the steps in a note you can find later.
Once that works, build the second version: Hysteria 2 or Xray REALITY on another VPS.
The first tunnel is for privacy.
The second is for the day someone decides privacy itself looks suspicious.
Thanks for reading this newsletter! Feel free to respond any time.
Thomas
Was this forwarded to you? Subscribe at builddefend.fyi.
Had enough? [Unsubscribe] - no hard feelings.*
* Well, a little bit.
