All the hardware used to operate our service is owned by us and locked into isolated racks. All servers operate without any hard drives, as the operating system only resides in the RAM.
When our servers boot, they fetch the correct disk image by iPXE from our encrypted boot servers. As soon as the disk image has been downloaded, a verification of the kernel and initrd signature is performed to ensure that nothing has been tampered with.
The operating system is loaded into RAM, and the server can finally boot if the verification passes. If the verification fails, the server will reboot and retry this process until the signature verification succeeds and it's safe to boot.
We exclusively use a scaled-down version of Alpine Linux as the operating system.
OVPN does not log any activity when connected to our VPN service. Therefore, we do not know who is connected to our service, what they are doing or when they are doing it. Please read our privacy policy.
The OpenVPN processes do not have any write privileges, and syslogs have been disabled, to ensure that logs can't even temporarily be created in RAM.
For WireGuard, our key management daemon ensures that peer information is not stored indefinitely in the servers' memory. Any peers that haven't had a handshake during the previous three minutes are removed, ensuring we keep as little information as possible.
Our VPN servers don't support physical access via console, keyboard or USB ports. Critical security updates are installed on a daily basis.
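The three-minute pruning rule described above can be sketched as follows. This is an added example, not OVPN's key management daemon: it parses the output format of `wg show <iface> latest-handshakes` and builds `wg set <iface> peer <key> remove` commands without running them. The interface name `wg0`, the placeholder keys and the `added_at` bookkeeping table are assumptions.

```python
"""Prune WireGuard peers with no recent handshake (illustrative sketch)."""

STALE_AFTER = 180  # seconds: the three-minute window described above

def parse_latest_handshakes(dump):
    """Parse `wg show <iface> latest-handshakes` output: '<pubkey>\\t<unix-ts>' per line."""
    peers = {}
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) != 2 or not fields[1].isdigit():
            continue  # skip blank or malformed lines
        peers[fields[0]] = int(fields[1])
    return peers

def stale_peers(peers, now, added_at=None, window=STALE_AFTER):
    """Return public keys whose last handshake is older than `window` seconds.

    A timestamp of 0 means the peer has never completed a handshake. Such a
    peer only counts as stale once it has been configured for longer than the
    window; `added_at` (pubkey -> unix time the peer was added) is an assumed
    bookkeeping table, and a peer missing from it is treated as old.
    """
    added_at = added_at or {}
    stale = []
    for pubkey, last in peers.items():
        reference = last if last > 0 else added_at.get(pubkey, 0)
        if now - reference > window:
            stale.append(pubkey)
    return sorted(stale)

def removal_commands(iface, pubkeys):
    """Build argv lists for `wg set <iface> peer <key> remove` (not executed here)."""
    return [["wg", "set", iface, "peer", key, "remove"] for key in pubkeys]

# Constructed sample: placeholder keys, not real peers.
NOW = 1_700_000_000
SAMPLE = (
    "PEER_A_PUBLIC_KEY=\t%d\n"   # handshake 30 s ago: keep
    "PEER_B_PUBLIC_KEY=\t%d\n"   # handshake 10 min ago: remove
    "PEER_C_PUBLIC_KEY=\t0\n"    # never handshaken, added 20 s ago: keep
    "PEER_D_PUBLIC_KEY=\t0\n"    # never handshaken, add time unknown: remove
) % (NOW - 30, NOW - 600)
ADDED = {"PEER_C_PUBLIC_KEY=": NOW - 20}

if __name__ == "__main__":
    doomed = stale_peers(parse_latest_handshakes(SAMPLE), NOW, ADDED)
    for argv in removal_commands("wg0", doomed):
        print(" ".join(argv))
```

The grace period for peers that have never completed a handshake keeps a freshly provisioned client from being removed before its first connection attempt.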
Protocol | UDP and TCP |
Ports | 1194, 1195 & 443 |
Data channel cipher | ChaCha20-Poly1305 (OpenVPN 2.5+); AES-256-GCM (OpenVPN 2.4+); AES-256-CBC with HMAC-SHA1 (OpenVPN 2.3 and older) |
Control channel cipher | TLSv1.3: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256; TLSv1.2 and older: TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, TLS-DHE-RSA-WITH-AES-256-GCM-SHA384, TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256, TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 |
Key exchange authentication | Diffie‑Hellman and Perfect Forward Secrecy (DHE) using an RSA key with a 4096-bit key size, with re‑keying every 45 to 75 minutes. |
Extra auth key | RSA with a 2048-bit key size |
Extra crypt key | RSA with a 2048-bit key size |
Protocol | UDP |
Ports | 9929 |
Authentication | Poly1305 |
Symmetric encryption | ChaCha20 |
Elliptic curve | Curve25519 |
Hashing | BLAKE2s |
Hashtable keys | SipHash24 |
Key Derivation | HKDF |
We're actively developing a desktop client for Windows, macOS, Ubuntu, Fedora and openSUSE.
The client has a killswitch, which prevents any data leaks in case the connection to OVPN drops. It's simple to verify if the killswitch works properly.
In order to prevent DNS leaks, the client:
In addition, OVPN's app for iOS and Android can be used to protect your mobile data traffic.
The browser extension is available for Chrome and Firefox, and primarily exists for two reasons.
By utilising a VPN service you are essentially moving the trust from your ISP to the VPN provider. It's crucial that you're using a VPN service that is trustworthy and transparent about how the business is run and which methods they've employed to protect your privacy and integrity.
OVPN is trustworthy, transparent and thoroughly describes how we ensure our customers' security. Please read our privacy policy, our terms of service and our transparency policy.
No email address is required when creating an account. It's possible to pay for subscriptions anonymously by sending an envelope with cash to our office or by paying with cryptocurrencies.
Our privacy policy describes in extensive detail exactly which user information is stored.
Conflicts are expensive and complicated, which we experienced firsthand when we proved in court that OVPN is a log-free VPN. We have insurance that covers legal fees as an additional layer of safety, which grants us the financial muscle to refute any requests for information.
In the case of any third party demanding information about our customers, we are fully prepared to go to court and will do everything in our power to prevent anyone from getting access to customer information.