matomo

Best deal of the year - get 77% off our 2-year plan for Black Friday! Get Deal

Use OVPN if security is of importance

Your privacy and security is the core focus of OVPN. That's why we've implemented a multi-layered security model.

Layer 1: Physical security on the VPN servers

All the hardware used to operate our service is owned by us and locked into isolated racks. All servers operate without any hard drives, as the operating system only resides in the RAM.

When our servers boot, they fetch the correct disk image by iPXE from our encrypted boot servers. As soon as the disk image has been downloaded, a verification of the kernel and initrd signature is performed to ensure that nothing has been tampered with.

The operating system is loaded into the RAM memory, and the server can finally boot if the verification passes. If the verification fails, the server will reboot and retry this process until the verification signature is valid and it's safe to boot.

Layer 2: Software security on the VPN servers

We exclusively use a scaled down verison of Alpine Linux as operating system.

OVPN does not log any activity when connected to our VPN service. Therefore, we do not know who is connected to our service, what they are doing or when they are doing it. Please read our privacy policy.

The OpenVPN processes do not have any write privileges, and syslogs have been disabled, to ensure that logs can't even temporarily be created in the RAM memory.

For WireGuard, our key management daemon, ensures that peer information is not stored indefinitely in the servers' memory. Any peers that haven't had a handshake during the previous three minutes are removed, ensuring we keep as little information as possible.

Our VPN servers don't support physical access via console, keyboard or USB ports. Critical security updates are installed on daily basis.

Technical details for OpenVPN

Protocol UDP and TCP
Ports 1194, 1195 & 443
Data channel cipher ChaCha20-Poly1305 (OpenVPN 2.5+)
AES-256-GCM (OpenVPN 2.4+)
AES-256-CBC with HMAC-SHA1 (Openvpn 2.3 and older)
Control channel cipher TLSv1.3:
TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256

TLSv1.2 and older:
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
Key exchange authentication Diffie‑Hellman and Perfect Forward Secrecy (DHE) using a RSA key with a 4096 bit key size, with a re‑keying every 45th to 75th minute.
Extra auth key RSA with a 2048 bit key size
Extra crypt key RSA with a 2048 bit key size

Technical details for WireGuard

Protocol UDP
Ports 9929
Authentication Poly1305
Symmetric encryption ChaCha20
Elliptic curve Curve25519
Hashing BLAKE2s
Hashtable keys SipHash24
Key Derivation HKDF

Layer 3: Desktop client & apps

We're actively developing a desktop client for Windows, macOS, Ubuntu, Fedora and openSUSE.

The client has a killswitch, which prevents any data leaks in case the connection to OVPN drops. It's simple to verify if the killswitch works properly.

In order to prevent DNS leaks, the client:

  • Changes the settings of all available network adapters on your device to ensure that OVPN's DNS servers are used
  • Checks the DNS settings on the adapters every second to ensure no installed software attempts to change the used DNS servers

In addition, OVPN's app for iOS and Android can be used to protect your mobile data traffic.

Layer 4: Browser extension

The browser extension is available for Chrome and Firefox, and primarily exists for two reasons.

  1. Block WebRTC: Your private IP address can leak through WebRTC even when connected to OVPN. The extension protects you against such leaks without entirely disabling WebRTC meaning you can still reap the benefits of WebRTC.
  2. Block trackers: Block companies tracking and profiling your browsing habits without your consent. The extension blocks analytics trackers which ensures your browsing stays private.

Layer 5: Transparency

By utilising a VPN service you are essentially moving the trust from your ISP to the VPN provider. It's crucial that you're using a VPN service that is trustworthy and transparent about how the business is run and which methods they've employed to protect your privacy and integrity.

OVPN is trustworthy, transparent and thoroughly describes how we ensure our customers' security. Please read our privacy policy, our terms of service and our transparency policy.

Layer 6: Website

No email address is required when creating an account. It's possible to pay for subscriptions anonymously by sending an envelope with cash to our office or by paying with cryptocurrencies.

We go into extensive details exactly which user information is stored in our privacy policy.

Layer 7: Insurance that covers legal fees

Conflicts are expensive and complicated, which we experienced firsthand when we proved in court that OVPN is a log-free VPN. We have insurance that covers legal fees as an additional layer of safety, which grants us the financial muscles to refute any requests for information.

In the case of any third party demanding information about our customers, we are fully prepared to go to court and will do everything in our power to prevent anyone from getting access to customer information.