Asking for a brainstorm and practical ideas on how to best use a GrapheneOS setup and VPNs in a totalitarian country with high government-surveillance risks.
I’m setting up the phone for a non-technical relative and will physically send it with someone traveling there soon.
The phone is a Google Pixel 9 running GrapheneOS. The threat model includes censorship, occasional VPN blocking with DPI, and a realistic possibility of casual device inspections by authorities. For example, it’s not uncommon to be asked to prove that the device is harmless when entering the subway.
The challenge is that the person using the device is not technical at all. If something breaks, the recovery process has to be simple enough to explain over messages or a phone call. Ideally, the setup should be as self-sustaining as possible.
I came up with four separate profiles to balance usability and compartmentalization.
The owner profile is a “depository”: it contains globally used / low-risk apps and Google Play Services so apps can be installed and updated across the device, but there are no personal logins there at all. No messaging accounts, no real identity, no daily use. The idea was to separate Google Play from the space where actual usage happens — not because I think GrapheneOS handles sandboxing poorly, but mostly because I don’t want the user changing things too much.
The “convenience” profile is the normal-looking daily driver. That’s where Telegram, WhatsApp, browsers, maps, and mainstream apps live. It also has Google Play for compatibility. The goal is for the phone to behave like a regular smartphone and not require operational discipline every five minutes.
There’s a separate profile for regional services — banking apps, local apps, government portals, delivery/taxi apps, and other software that unnecessarily requests or reports VPN data, or simply stops working if it detects any VPN presence. So the task is to conceal and mimic “normal enough” behavior to avoid drawing attention.
Finally, there’s a more isolated profile reserved for sensitive communication and privacy-focused tools:
* Proton Mail
* Signal
* Threema
* Olvid
* Tor Browser, along with Vanadium and Simple Notes (I also considered Joplin, mostly because of backup convenience)
VPN-wise, the current setup is:
* Amnezia VPN as primary
* WireGuard-based
* Obfuscation enabled
* Always-on VPN
* Block connections without VPN
* Enforced for all profiles except the regional-services one
I want to add another layer of VPN redundancy. I know that the government targets VPNs aggressively, and from experience, that’s the weakest link in the entire setup.
I already have multiple servers configured in AmneziaWG, and it’s realistic to teach switching between them. This is the default option because it integrates cleanly with GrapheneOS’s strict VPN settings and kill switch.
I also have a Hiddify subscription, but I don’t consider it a 100% working solution either.
Thank you for reading this post :-) Since you seem interested, here are my questions:
What would you suggest for a fallback scenario: switching VPNs within the same profile, or having a separate profile with an alternative type of connection? Why?
I’m also thinking about viable backup strategies, especially considering that I have a duress password configured.
And one quick question: does the duress password affect the entire device, or only the profile where it was configured? Right now, it’s configured under the owner account.