Use OVPN if security is of importance
Your privacy and security is the core focus of OVPN. That's why we've implemented a multi-layered security model.
Layer 1: Physical security on the VPN servers
All the hardware used to operate our service is owned by us and locked into isolated racks. All servers operate without any hard drives, as the operating system only resides in the RAM.
When our servers boot, they fetch the correct disk image by iPXE from our encrypted boot servers. As soon as the disk image has been downloaded, a verification of the kernel and initrd signature is performed to ensure that nothing has been tampered with.
The operating system is loaded into the RAM memory, and the server can finally boot if the verification passes. If the verification fails, the server will reboot and retry this process until the verification signature is valid and it's safe to boot.
Layer 2: Software security on the VPN servers
We exclusively use a scaled down verison of Alpine Linux as operating system.
OVPN does not log any activity when connected to our VPN service. Therefore, we do not know who is connected to our service, what they are doing or when they are doing it. Please read our privacy policy.
The OpenVPN processes do not have any write privileges, and syslogs have been disabled, to ensure that logs can't even temporarily be created in the RAM memory.
For WireGuard, our key management daemon, ensures that peer information is not stored indefinitely in the servers' memory. Any peers that haven't had a handshake during the previous three minutes are removed, ensuring we keep as little information as possible.
Our VPN servers don't support physical access via console, keyboard or USB ports. Critical security updates are installed on daily basis.
Technical details for OpenVPN
| Protocol | UDP and TCP |
| Ports | 1194, 1195 & 443 |
| Data channel cipher | ChaCha20-Poly1305 (OpenVPN 2.5+) AES-256-GCM (OpenVPN 2.4+) AES-256-CBC with HMAC-SHA1 (Openvpn 2.3 and older) |
| Control channel cipher | TLSv1.3: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLSv1.2 and older: TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 |
| Key exchange authentication | Diffie‑Hellman and Perfect Forward Secrecy (DHE) using a RSA key with a 4096 bit key size, with a re‑keying every 45th to 75th minute. |
| Extra auth key | RSA with a 2048 bit key size |
| Extra crypt key | RSA with a 2048 bit key size |
Technical details for WireGuard
| Protocol | UDP |
| Ports | 9929 |
| Authentication | Poly1305 |
| Symmetric encryption | ChaCha20 |
| Elliptic curve | Curve25519 |
| Hashing | BLAKE2s |
| Hashtable keys | SipHash24 |
| Key Derivation | HKDF |
Layer 3: Desktop client & apps
We're actively developing a desktop client for Windows, macOS, Ubuntu, Fedora and openSUSE.
The client has a killswitch, which prevents any data leaks in case the connection to OVPN drops. It's simple to verify if the killswitch works properly.
In order to prevent DNS leaks, the client:
- Changes the settings of all available network adapters on your device to ensure that OVPN's DNS servers are used
- Checks the DNS settings on the adapters every second to ensure no installed software attempts to change the used DNS servers
In addition, OVPN's app for iOS and Android can be used to protect your mobile data traffic.
Layer 4: Browser extension
The browser extension is available for Chrome and Firefox, and primarily exists for two reasons.
- Block WebRTC: Your private IP address can leak through WebRTC even when connected to OVPN. The extension protects you against such leaks without entirely disabling WebRTC meaning you can still reap the benefits of WebRTC.
- Block trackers: Block companies tracking and profiling your browsing habits without your consent. The extension blocks analytics trackers which ensures your browsing stays private.
Layer 5: Transparency
By utilising a VPN service you are essentially moving the trust from your ISP to the VPN provider. It's crucial that you're using a VPN service that is trustworthy and transparent about how the business is run and which methods they've employed to protect your privacy and integrity.
OVPN is trustworthy, transparent and thoroughly describes how we ensure our customers' security. Please read our privacy policy, our terms of service and our transparency policy.
Layer 6: Website
No email address is required when creating an account. It's possible to pay for subscriptions anonymously by sending an envelope with cash to our office or by paying with cryptocurrencies.
We go into extensive details exactly which user information is stored in our privacy policy.
Layer 7: Insurance that covers legal fees
Conflicts are expensive and complicated, which we experienced firsthand when we proved in court that OVPN is a log-free VPN. We have insurance that covers legal fees as an additional layer of safety, which grants us the financial muscles to refute any requests for information.
In the case of any third party demanding information about our customers, we are fully prepared to go to court and will do everything in our power to prevent anyone from getting access to customer information.