After Boot-Up

Privacy Steps After Starting Your Computer

1. Connect to VPN First

Before browsing, connect to your VPN. Your ISP can see all your unencrypted traffic and DNS queries.

Recommended VPNs:

• Mullvad — no-log, accepts cash/crypto, €5/month
• ProtonVPN — Swiss jurisdiction, free tier available
• IVPN — privacy-focused, audited

Avoid free VPNs — they typically monetize your traffic data.

2. Encrypt DNS Queries

Even with a VPN, your DNS queries may leak. Use DNSCrypt or DNS-over-HTTPS.

DNSCrypt (Linux/Windows)

# Install on Debian/Ubuntu
apt install dnscrypt-proxy

# Configure /etc/dnscrypt-proxy/dnscrypt-proxy.toml
server_names = ['cloudflare', 'quad9']
listen_addresses = ['127.0.0.1:53']

# Start service
systemctl enable dnscrypt-proxy
systemctl start dnscrypt-proxy

# Point /etc/resolv.conf to localhost
echo "nameserver 127.0.0.1" > /etc/resolv.conf

cloudflared (Cloudflare DoH)

# Install
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
dpkg -i cloudflared-linux-amd64.deb

# Run as proxy-dns
cloudflared proxy-dns --port 5053 --upstream https://1.1.1.1/dns-query

# Configure system DNS to 127.0.0.1:5053

3. Change MAC Address

Your MAC address is broadcast on every Wi-Fi connection and can be logged by networks, cafes, and ISPs.

macchanger (Linux)

# Install
apt install macchanger

# Randomize MAC for wlan0 (do before connecting)
ip link set wlan0 down
macchanger -r wlan0
ip link set wlan0 up

# Reset to original MAC
macchanger -p wlan0

Permanent Random MAC (NetworkManager)

Edit the connection in NetworkManager: set “Cloned MAC address” to “Random”.

4. Verify Your Privacy

After setup, verify nothing is leaking:

ipleak.net — checks your IP, DNS servers, and WebRTC leaks

Check for:

• IP address should show VPN server, not your real IP
• DNS servers should show VPN or your DoH provider, not your ISP
• WebRTC should not reveal your real IP (disable WebRTC in browser if it does)

dnsleaktest.com — more thorough DNS leak testing