Digital Nomad's Blueprint: Building Infrastructure as a Privacy Shield
For developers and security-conscious professionals operating outside traditional offices, maintaining privacy and secure workflows is a constant challenge. One technologist has meticulously documented their evolving infrastructure, providing a rare glimpse into the practical implementation of privacy-first principles on the move. Their setup prioritizes anonymity, control, and resistance to corporate and state surveillance, leveraging open-source tools and carefully selected services.
Securing the Connection: Beyond Basic VPNs
The foundation lies in controlling internet access. The author utilizes local prepaid SIM cards (often purchased anonymously where possible) combined with a Netgear Nighthawk M2 mobile router. They highlight the EU loophole: leveraging cheaper, high-data SIMs from low-income EU countries for use across the bloc. For global connectivity without local SIMs, options like WorldSIM or Keepgo are mentioned, but caveated with cost and privacy warnings compared to local anonymous options. KYC-free eSIM providers like JMP (US/Canada) and silent.link (global, expensive) offer alternatives.
WiFi access is managed via apps like WiFi Map, but the real security layer comes next. Crucially, the author runs their own global WireGuard VPN infrastructure, provisioned automatically using Terraform and Ansible. This allows rapid deployment, teardown, and rotation of VPS-based exit nodes worldwide. Everyday nodes use standard cloud providers, while high-privacy nodes run on providers accepting Monero (XMR) and are accessed only through anonymizing layers (public WiFi, Tor).
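The WireGuard side of the setup above, written out as an added example (this is not the author's Terraform or Ansible code): one exit node that masquerades the client's traffic, one roaming client that sends everything through the tunnel, and the small rewrite that rotation needs when a node is torn down and a fresh one provisioned. The subnet 10.66.0.0/24, the port, the interface names and the placeholder keys are assumptions; on a real host the keys come from `wg genkey` and `wg pubkey`.

```shell
#!/bin/sh
# Added example, not the author's provisioning code. Renders WireGuard
# configs for one exit node and one roaming client. Keys are passed in as
# arguments; generate them on the host with: wg genkey | tee srv.key | wg pubkey
# Subnet, port, interface names and the placeholder keys below are assumptions.

# render_server SERVER_PRIVKEY CLIENT_PUBKEY PORT WAN_IF
# Exit node: one peer on the tunnel subnet, NATed out of the WAN interface.
render_server() {
    printf '[Interface]\nAddress = 10.66.0.1/24\nListenPort = %s\nPrivateKey = %s\n' "$3" "$1"
    printf 'PostUp = iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$4"
    printf 'PostDown = iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$4"
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = 10.66.0.2/32\n' "$2"
}

# render_client CLIENT_PRIVKEY SERVER_PUBKEY ENDPOINT_IP PORT
# Roaming laptop: full tunnel (AllowedIPs covers all of v4 and v6), DNS pinned
# to the local dnscrypt-proxy listener (assumed on 127.0.0.1), keepalive so
# NAT mappings on mobile links survive idle periods.
render_client() {
    printf '[Interface]\nAddress = 10.66.0.2/32\nPrivateKey = %s\nDNS = 127.0.0.1\n' "$1"
    printf '\n[Peer]\nPublicKey = %s\nEndpoint = %s:%s\n' "$2" "$3" "$4"
    printf 'AllowedIPs = 0.0.0.0/0, ::/0\nPersistentKeepalive = 25\n'
}

# rotate_endpoint NEW_SERVER_PUBKEY NEW_IP PORT
# Rotation: when the VPS is replaced only the peer block changes. Reads an
# existing client config on stdin and writes the updated one to stdout.
rotate_endpoint() {
    sed -e "s|^PublicKey = .*|PublicKey = $1|" \
        -e "s|^Endpoint = .*|Endpoint = $2:$3|"
}

# Demo with constructed placeholder keys and documentation IPs:
#   sh wg-render.sh demo > wg0.conf
if [ "${1:-}" = "demo" ]; then
    render_client CLIENT_PRIVKEY_PLACEHOLDER SERVER_PUBKEY_PLACEHOLDER 203.0.113.10 51820
fi
```

Because the client's `Endpoint` and `PublicKey` are the only lines tied to a particular node, a rotation is just `rotate_endpoint NEWPUB NEWIP 51820 < wg0.conf > wg0.new` followed by a restart of the interface; the private key and tunnel address stay the same.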
"A VPN is one of multiple measures that can be implemented to give corporate surveillance (Amazon, Facebook, Google, Twitter, …) a harder time... However, keep in mind that they’re by no means privacy silver-bullets."
The author advises against rolling your own VPN for general anonymity, because a self-hosted exit serves so few users that its traffic is easy to attribute to them; for most users they recommend commercial providers like Mullvad VPN (accepts XMR/cash), Trust.Zone (accepts CLOAK), or Njalla VPN (accepts XMR). They also provide a stark warning about VPN/Tor legality and risks in numerous countries (Belarus, China, Russia, UAE, Turkey, etc.), emphasizing the need for situational awareness.
Hardening the Stack: DNS, Firewalls & Browsing
Privacy leaks often occur at the DNS layer. The author combats this with DNSCrypt configured to use non-logging resolvers, further enhanced by routing all DNS queries through Tor (DNS over HTTPS over Tor, DoHoT). They explicitly recommend disabling Firefox's built-in DNS-over-HTTPS (which defaults to Cloudflare) in favor of a dedicated DNSCrypt setup, since the browser's own resolver would otherwise bypass it.
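The two configuration pieces this paragraph implies, as an added example rather than the author's own files: a dnscrypt-proxy fragment that restricts upstreams to no-logging resolvers and pushes every query through the local Tor SOCKS port, and the Firefox preference that turns the browser's built-in DoH client off so it cannot route around that path. The file paths, the Tor port 9050 and the listener address are assumptions.

```shell
#!/bin/sh
# Added example, not the author's config. Renders two fragments:
#   dnscrypt_toml  -> merge into dnscrypt-proxy.toml (the stock file already
#                     carries the [sources] section that lists public resolvers)
#   firefox_userjs -> append to the Firefox profile's user.js
# Paths and the Tor SOCKS port are assumptions.

dnscrypt_toml() {
    cat <<'EOF'
# Assumed path: /etc/dnscrypt-proxy/dnscrypt-proxy.toml
listen_addresses = ['127.0.0.1:53']
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
# server_names is left unset on purpose: the proxy then picks resolvers from
# its source list that satisfy the require_* constraints below.
require_dnssec = true
require_nolog = true
require_nofilter = true
# Tor carries TCP only, so force every upstream query onto TCP and send it
# through the local Tor SOCKS port. With both set, no query leaves unless Tor
# is reachable, which is the fail-closed behaviour wanted here.
force_tcp = true
proxy = 'socks5://127.0.0.1:9050'
EOF
}

firefox_userjs() {
    cat <<'EOF'
// Firefox user.js: the weak setting is the shipped default, where the
// Trusted Recursive Resolver may be enabled (mode 2, DoH to Cloudflare with
// fallback) and queries never touch the system resolver. Mode 5 is
// "off by choice" and survives the rollout prompt.
user_pref("network.trr.mode", 5);
EOF
}

# install_fragments TOML_PATH FIREFOX_PROFILE_DIR
# Writes both fragments; run as a user that may write the target paths.
install_fragments() {
    dnscrypt_toml >> "$1"
    firefox_userjs >> "$2/user.js"
}

# Print both fragments for review when run directly with "show".
if [ "${1:-}" = "show" ]; then
    dnscrypt_toml
    firefox_userjs
fi
```

After restarting dnscrypt-proxy and Tor, the check a practitioner wants is that a lookup from the host resolves (proving the Tor path works) and that stopping Tor makes lookups fail rather than fall back to the ISP resolver.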
Network and host-based firewalls are critical components:
* OpenWrt firewall secures the private network.
* Linux: Custom iptables scripts for kill-switches, OpenSnitch for application firewall.
* macOS: Little Snitch (alert mode), with caveats about Apple services bypassing rules.
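The Linux kill-switch item above, worked through as an added example (not the author's script): the firewall drops everything by default and only lets packets leave through the WireGuard interface, to the VPN endpoint for the handshake itself, over loopback, and for DHCP, so if the tunnel drops nothing silently falls back to the hotel or café network. Interface name, endpoint address and port are assumptions; the script prints the rules for review and only loads them when told to.

```shell
#!/bin/sh
# Added example, not the author's iptables script. Prints a WireGuard kill
# switch rule set, or applies it with "apply" (needs root). Interface name,
# endpoint IP (a documentation address) and port are assumptions; after a
# node rotation update WG_ENDPOINT to the new exit node.
WG_IF="${WG_IF:-wg0}"
WG_ENDPOINT="${WG_ENDPOINT:-203.0.113.10}"
WG_PORT="${WG_PORT:-51820}"

# killswitch_rules: one complete command per line, in the order to run them.
killswitch_rules() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -p udp -d $WG_ENDPOINT --dport $WG_PORT -j ACCEPT
iptables -A OUTPUT -o $WG_IF -j ACCEPT
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o $WG_IF -j ACCEPT
EOF
}
# Notes on the set:
#  - loopback stays open so the local dnscrypt-proxy and Tor SOCKS listeners
#    keep working; their upstream traffic then exits via $WG_IF only.
#  - the single UDP rule to $WG_ENDPOINT is the only hole in the physical
#    uplink; handshake replies come back through the ESTABLISHED rule.
#  - DHCP (68 -> 67) is allowed so leases still renew on the hotspot.
#  - IPv6 gets no uplink rule at all: the only v6 path is inside the tunnel.

# killswitch_apply: run every line above; word splitting is intentional.
killswitch_apply() {
    killswitch_rules | while read -r cmd; do
        $cmd
    done
}

# killswitch_off: open everything again, e.g. to log in to a captive portal
# before bringing the tunnel up. Remember to re-apply afterwards.
killswitch_off() {
    for t in iptables ip6tables; do
        $t -F
        $t -P INPUT ACCEPT
        $t -P FORWARD ACCEPT
        $t -P OUTPUT ACCEPT
    done
}

case "${1:-}" in
    apply) killswitch_apply ;;
    off)   killswitch_off ;;
    show)  killswitch_rules ;;
esac
```

Captive portals are the usual failure mode: the portal's HTTP redirect is blocked by design, so the order of operations on a new network is `off`, authenticate, bring up the tunnel, `apply`.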
Browsing choices reflect a hard stance against mainstream options:
* Primary: Ungoogled Chromium (extensions: uBlock Origin, LibRedirect, Decentraleyes, Surfingkeys).
* When a Firefox (Quantum) engine is required: LibreWolf.
* High Privacy: Tor Browser on non-persistent Tails VM.
* Abandoned: Mainstream Firefox due to perceived bloat, privacy issues, and unreliability.
JavaScript is disabled by default (via uBlock), enabled only per trusted site. The author laments the Chromium monoculture but acknowledges the practical challenges of maintaining alternatives like ungoogled Chromium.
Search engines focus on privacy: SearXNG, Leta, Brave Search, Torry, Startpage, Qwant. Yandex is reluctantly used only for reverse image search due to superior results.
Communication & Data: Owning Your Digital Life
Email: Self-hosting is preferred, sharing infrastructure with trusted individuals. The author acknowledges email's inherent privacy flaws but runs their own servers for control. For business, a hosted service is reluctantly used due to deliverability/reputation issues, criticizing providers like ProtonMail for lock-in and noting Tutanota's deliverability problems. Alternative providers accepting anonymous payments (XMR/cash) include Migadu, Kolab Now, Fastmail, Posteo, Mailfence, StartMail, Runbox, Swisscows, OnionMail, Disroot Mail. PGP usage is emphasized.
Messaging: A decisive move away from Signal and iMessage due to trust issues. Embraced alternatives include:
* Matrix (via Element X or iamb)
* XMPP (via Conversations / Profanity)
* IRC (via ZNC bouncer with push notifications, often over Tor)
Voice/Video: Jami and Jitsi are preferred for open-source, self-hostable options. Proprietary tools (Zoom, Meet, Teams) are used minimally under duress, confined to burner devices or browser sessions with strict permission controls and voice distortion (EasyEffects on Linux) to thwart voice fingerprinting. Phone calls are avoided entirely.
Social Networks: Largely abandoned (Reddit, Mastodon/Pleroma). Minimal presence on Superhighway84, Bluesky, Lemmy, Keebtalk. Hacker News is checked for tech news.
Contacts/Calendars/Tasks: Self-hosted via Baïkal (CalDAV/CardDAV) on a home server, syncing only on the local LAN (accessed remotely via WireGuard/Tailscale if needed). Taskwarrior (taskd) with taskwarrior-tui (Linux) and Tasks.org (Android) handle tasks.
Data Management & Infrastructure
Documents & Storage:
* Version Control: Git for code/config, using transcrypt/git-crypt/git-agecrypt with age for confidential data. Remotes include GitHub or private git servers.
* Sync: Syncthing for non-versioned data (documents, etc.), syncing between computer, NAS, and phone.
* Office: NeoVim + Pandoc (Docs/PDF), sc-im (Spreadsheets), LaTeX, LibreOffice. CryptPad for collaboration.
* Diagrams: PlantUML, Diagrams.net, Cloudcraft.
Backups: Reliance on Git remotes and Syncthing minimizes backup needs. Critical backups use rsync, restic, and rclone.
Security Extras: Full disk encryption, honeypots, and canary tokens (via CanaryTokens.org) deployed in filesystems, email, contacts, calendars, and physical objects to detect breaches.
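The canary idea above, as an added example that is neither the author's tooling nor CanaryTokens.org: every placement (a contact, a calendar entry, a file) gets its own random token baked into a URL or address, a registry records where each token was planted, and a request for that token in the beacon host's web log tells you which store was opened. The domain, the registry path and the log line format (Apache/nginx combined) are assumptions.

```shell
#!/bin/sh
# Added example, not the author's setup. Self-hosted canary tokens: one
# random token per placement, a registry mapping token -> placement, and a
# log matcher that reports which placement fired. The beacon host is an
# assumed domain you control; any web server that logs requests will do.
CANARY_HOST="${CANARY_HOST:-canary.example.net}"
REGISTRY="${REGISTRY:-./canary-registry.txt}"

# canary_token: 16 random bytes as 32 lowercase hex characters.
canary_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# canary_register TOKEN PLACEMENT: remember where a token was planted, e.g.
# "phone-contacts", "work-calendar", "nas-documents".
canary_register() {
    printf '%s %s\n' "$1" "$2" >> "$REGISTRY"
}

# canary_url TOKEN: the beacon URL embedded in every placement.
canary_url() {
    printf 'https://%s/c/%s' "$CANARY_HOST" "$1"
}

# canary_vcard TOKEN: a plausible-looking contact. The address is unique per
# token, so mail arriving for it (catch-all mailbox) means the address book
# was read even if the URL is never fetched.
canary_vcard() {
    printf 'BEGIN:VCARD\nVERSION:3.0\nFN:Account Recovery\nEMAIL:%s@%s\nURL:%s\nEND:VCARD\n' \
        "$1" "$CANARY_HOST" "$(canary_url "$1")"
}

# canary_ics TOKEN: a calendar entry whose URL is the beacon.
canary_ics() {
    printf 'BEGIN:VCALENDAR\nVERSION:2.0\nBEGIN:VEVENT\nUID:%s@%s\nSUMMARY:Call back re: invoice\nURL:%s\nDTSTART:20300101T090000Z\nEND:VEVENT\nEND:VCALENDAR\n' \
        "$1" "$CANARY_HOST" "$(canary_url "$1")"
}

# canary_lookup LOGLINE: pull a /c/<token> out of one web server log line and
# print the placement it was registered under; exit 1 if no known token.
canary_lookup() {
    tok=$(printf '%s\n' "$1" | sed -n 's|.*/c/\([0-9a-f]\{32\}\).*|\1|p')
    [ -n "$tok" ] || return 1
    awk -v t="$tok" '$1 == t { print $2; found = 1 } END { exit !found }' "$REGISTRY"
}

# Plant one contact canary:  sh canary.sh plant phone-contacts > recovery.vcf
if [ "${1:-}" = "plant" ]; then
    t=$(canary_token)
    canary_register "$t" "$2"
    canary_vcard "$t"
fi
```

The matcher is meant to be run over the beacon host's access log (`tail -f access.log | while read -r l; do canary_lookup "$l"; done` or a periodic sweep); because every placement has a distinct token, a single hit names the compromised store rather than just announcing that something, somewhere, was read.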
Cloud & Infrastructure Providers
The author advocates minimizing cloud reliance but utilizes it strategically:
* Static Sites: BunnyCDN.
* Private Infrastructure: Vultr (via OpenTofu), Hetzner bare metal. OpenBSD Amsterdam recommended.
* High-Privacy VPS: Providers accepting XMR and valuing anonymity/jurisdiction: Njalla (Costa Rica/SE), Cockbox (Seychelles/RO), Impreza (Seychelles), orangewebsite (Iceland), 1984 Hosting (Iceland), FlokiNET (Iceland), Privex (Belize), Icy Evolution (Mauritius), NiceVPS (Dominica), CryptoHO.ST (Romania). OVH is strongly discouraged.
* Domains: Privacy-focused registrars acting as proxies, accepting XMR: Njalla, orangewebsite, Impreza, NiceVPS. Mentions Handshake (HNS) decentralized domains but notes lack of browser support.
Development: GitHub, Gitea (self-hosted). Radicle tried and abandoned. Web stack favors simplicity: Hugo for static sites, minimal JS, Svelte/SvelteKit for interactivity, Elixir/Phoenix, Ruby/Rails for backend. Avoids "soydev hype" (React, Next.js).
Analytics & Monitoring
The site previously used Plausible but was evaluating Fathom and Umami (as of April 2025). By May 2025, all analytics trackers were removed, opting for a completely tracker-free approach. Push notifications for infrastructure monitoring are handled by a custom solution. A "Dead Man's Switch" for data/infrastructure is noted as a future project.
The Underlying Philosophy
This comprehensive setup isn't just about tools; it's a conscious rejection of convenience-centric surveillance capitalism. The author emphasizes:
1. Control: Self-hosting core services (email, calendars, contacts, git, VPNs) whenever feasible.
2. Anonymity: Prioritizing cash/Monero payments, anonymous SIMs, and jurisdictions resistant to coercion.
3. Minimalism: Using lightweight, open-source software and avoiding bloated ecosystems.
4. Defense in Depth: Layering VPNs, encrypted DNS, firewalls, and application hardening.
5. Situational Awareness: Understanding legal risks and technical limitations (e.g., VPNs aren't magic).
While acknowledging the significant effort required, the author provides this blueprint not as a prescriptive list, but as inspiration for developers and tech leaders to critically evaluate their own digital infrastructure and reclaim agency over their data and privacy. The journey involves constant adaptation, as tools and threats evolve, but the core principle remains: infrastructure itself can be the most effective privacy shield.
Further Resources: PRISM BREAK, switching.software, Alternative Internet, Awesome Self-Hosted, EFF: Surveillance Self-Defense.