
All ProtonVPN apps are now open source and audited

Posted on January 21st, 2020 by in Articles & News.


We’re happy to be the first VPN provider to open source apps on all platforms (Windows, macOS, Android, and iOS) and undergo an independent security audit. Transparency, ethics, and security are at the core of the Internet we want to build and the reason why we built ProtonVPN in the first place.

We launched ProtonVPN in 2017 to provide ProtonMail users with a trustworthy VPN service, which was increasingly necessary given the rise of Internet censorship. VPN in particular was an area in dire need of improvement. Studies have found that over one-third of Android VPNs actually contain malware, many VPNs suffered from major security lapses, and many free VPN services that claimed to protect privacy are secretly selling user data to third parties. In general, there is also a lack of transparency and accountability regarding who operates VPN services, their security qualifications, and whether they fully conform to privacy laws like the GDPR.  

ProtonVPN changed this by delivering an unparalleled level of transparency and accountability. We have done things differently from the start: We have a strict no-logs policy, we’re based in Switzerland, regulated by some of the world’s strongest privacy laws, we have a deep security background, and we have even opened up our technology for inspection by Mozilla.

Making all of our applications open source is therefore a natural next step. As former CERN scientists, publication and peer review are a core part of our ethos. We are also publishing the results of independent security audits covering all of our software.

You can find the open source code and audit reports here:

Why it’s important to use an open source VPN

When you choose to use a virtual private network, you are placing an extraordinary amount of faith in that service provider. Here’s why:

When you are not connected to a VPN, your unencrypted Internet traffic (i.e., that which is not protected by TLS) may be intercepted by your WiFi provider, by your Internet service provider (ISP), by hackers monitoring the local network, or by the government authorities in your jurisdiction. Your IP address (i.e. your device’s identity and your geographical location) is also exposed, including to the websites you visit, which can use that information to track you across the Internet. Even encrypted traffic can be monitored to observe the websites you visit, and your IP address will remain exposed.

When you connect to a VPN, your Internet traffic is encrypted between your device and the VPN server, protecting it from local network surveillance. Even your DNS lookups (the names of the web domains you visit) are protected. And your IP address is masked to help protect your identity and location. However, the VPN provider effectively becomes your ISP in that it can see your browsing activity, IP address, and location. This is why choosing a trustworthy VPN service is so important.

A VPN application, therefore, has a lot of privileged access to your device and your online activity. Open source code allows security researchers and the global security community to inspect how we implement encryption and how we handle your data, giving you more certainty that we are adhering to our strict privacy policy. Open source code provides security through transparency, meaning that because the code is heavily scrutinized, potential vulnerabilities are quickly spotted and fixed. This reduces the risk of a security vulnerability in a VPN app putting you at risk. 

In contrast, proprietary code relies on “security through obscurity,” meaning vulnerabilities are less likely to be discovered. Or worse, these vulnerabilities may be only known to malicious actors who exploit them secretly without users being aware. 

When it comes to online privacy and security software, we believe free and open source software is better for safety and provides better accountability to our user community. Open source has long been at the core of Proton, and our open source software includes the ProtonMail web app, iOS app, Android app, and the desktop Bridge app.

This means that all Proton apps that are out of beta are open source.

We also maintain open source encryption libraries, such as OpenPGPjs, which power a significant fraction of encrypted applications on the web today and serve tens of millions of users.

Third-party security audits

Another unique quality of ProtonVPN is our commitment to having independent security researchers inspect our software before releasing it publicly. Previously, Mozilla reviewed our implementations, organizational structure, and our technology as part of their due diligence for a partnership with us. 

Since then, we have initiated more thorough security-focused audits for all our clients. We contracted SEC Consult, a leading security firm, to conduct the audits. Although such audits are expensive and time-consuming, we believe these are a critical step that must go together with open sourcing our code. Going forward, we will continue to do audits on an ongoing basis to have continual independent checks on our application security.

Working with the Proton community

The other important benefit of open sourcing our software is that it furthers our overall mission to build an Internet that’s more secure, private, and free by leveraging the power of the community. Security improvements can now be submitted by developers from around the world through our bug bounty program. And in some cases even feature improvements from the community may be incorporated into the official ProtonVPN apps, similar to what we have done previously with the official ProtonVPN Linux client.

As a community-supported organization, we have a responsibility to be as transparent, accountable, and accessible as possible. Going open source helps us to do that and serve you better at the same time. 

Your feedback and suggestions have become a vital source of ideas and inspiration for us, and we will continue working to meet your expectations in 2020 and beyond. We will be launching new servers all over the world, improving security, and releasing new features to keep you safe and help you bypass censorship. None of what we have achieved to date could have been done without our community.

Thank you for your support!

Best Regards,
The ProtonVPN Team


Andy is a founder of Proton Technologies, the organization behind ProtonVPN and ProtonMail. He is a long time advocate of privacy rights and has spoken at TED, SXSW, and the Asian Investigative Journalism Conference about online privacy issues. Previously, Andy was a research scientist at CERN and has a PhD in Particle Physics from Harvard University. You can watch his TED talk online to learn more about our mission.


58 comments

  1. Joao

    I got 7 days of the Plus plan but I can’t access anything; everything says I have to get a subscription, a subscription for Netflix and a subscription for HBO Go. How do I unblock it?

  2. Roxana Zega

    Hi João,

    With ProtonVPN Plus you get access to video content from other countries only after you create an account with Netflix or with HBO Go. Please contact our Customer Support if you still can’t get access after creating a subscription.

    Thank you,
    Roxana

  3. Paul DiGuida

    I just requested a refund within the 30 day period, however I accidentally made a typo misspelling of my name. It’s Paul DiGuida …

  4. Paul FiGuida

    I wrote 3 times to request a refund of my One Year Subscription, but have yet to receive a reply back to my request. I thought that if you’re not satisfied with the service, you could cancel within 30 days to obtain a refund. I don’t understand why I have yet to receive a response back to my request. Please help, Thanks …

  5. Ben Wolford

    Hi Paul, please contact our support team for assistance: https://protonvpn.com/support-form

  6. aziz

    stupid question, what does ProtonVPN use for VPN Server (OpenVPN Server)? And will the VPN Server be open sourced if it’s not a preexisting server implementation?

  7. Ben Wolford

    Hi Aziz, I’m not sure I totally understand your question. This article provides a bit more information about our server security in case that’s helpful: https://protonvpn.com/blog/disk-encryption/

  8. Chris Huebschman

    I love all the products you have. VPN is Top Notch. Your Email provides a Top Level security and have all my clients and legal people switch all email correspondence through Proton. I have not felt this way about a product in a very long time.
    Also, I think that a screen saver would be a great idea. But a screen saver of the VPN signal and statistics that show when you connect, showing the VPN on your screen, would be awesome and I think popular.
    Thanks again
    Chris Huebschman

  9. Open source backend

    Seems like the backend (server code) has the most implications of data privacy as all original IPs and traffic go there? Can you tell us more about the decision to open source the apps only and how that can give us confidence about the whole system?

  10. Mount

    Do you have plans for backend audit? Please merge more than one audit firm next time; Mullvad did the same with their client apps.

  11. Ben Wolford

    Hi Mount, we routinely audit and check our backend software, and an audit of the Proton API was part of the scope undertaken by SEC Consult.

  12. Mark

    In regard to your ProtonVpn app, if I use this to send an email, will my IP address, location and all other details that could lead back to me, be secret and not traceable by the person receiving the email? I need to send an email in relation to whistleblowing, but want to ensure neither I nor my electronic details can be traced or identified.

  13. Ben Wolford

    We don’t include sender IP address in the email headers, so the recipient will never be able to discover your IP. Just be wary, if they send you back a message, that you don’t load remote content as that would disclose your IP unless you are on VPN.

  14. Pedro Pompilio

    Hello, when will you implement the WireGuard protocol? I tried it in other APKs and software and it works very, very well. I hope ProtonVPN implements it soon??????

  15. Roxana Zega

    Hi Pedro,

    We will set up WireGuard ProtonVPN servers for internal testing and experimentation. However, it will take some time before we do a public deployment and unfortunately, we cannot set a deadline. As far as VPN protocols go, WireGuard is still very new. Bugs and other instabilities could still exist and there are not many software libraries that support WireGuard. Support within mainline Linux distributions is also still in progress. There’s more work to be done (not all of it dependent on us) before WireGuard can reach the same level of compatibility as legacy protocols such as OpenVPN and IKEv2 and be ready for deployment to millions of users.

    Thank you!

  16. dn

    Is there a plan to audit the Linux offerings? =dn

  17. Roxana Zega

    Hi dn,

    ProtonVPN Linux command line tool has always been open source, increasing accountability and transparency over time. We don’t currently plan to also run an audit on it.

    Thank you

  18. Jean Koch

    Hi Support,
    I have had a free protonmail email for a couple of years now. I will be changing that to a paid service when some expected finances arrive.
    Just making sure I have got it right (still learning ),
    Can I change my current email to a protonVPN, then later to a paid service.?
    Greetings from Ozzieland!!
    Kindest regards…Jean

  19. Roxana Zega

    Hi Jean,

    You can always add a ProtonVPN free plan to your ProtonMail. You can later upgrade both services.

    Thank you

  20. Jonathan Cross

    Hi, where is the source code for the protonmail Bridge?

  21. Roxana Zega

    Hi Jonathan,

    ProtonMail Bridge is on our list of planned open source apps. Please continue to check our blogs for updates on this matter.

    Thank you.

  22. Sasha

    Excellent idea and I will definitely use your VPN.

  23. Roxana Zega

    Thank you, Sasha!

  24. Ivan

    Great news, I believed that you would open the code, open source is very important. is there a plan to implement the WireGuard Protocol ?

  25. Roxana Zega

    Hello Ivan,

    We will set up WireGuard ProtonVPN servers for internal testing and experimentation. However, it will take some time before we do a public deployment and unfortunately, we cannot set a deadline. As far as VPN protocols go, WireGuard is still very new. Bugs and other instabilities could still exist and there are not many software libraries that support WireGuard. Support within mainline Linux distributions is also still in progress. There’s more work to be done (not all of it dependent on us) before WireGuard can reach the same level of compatibility as legacy protocols such as OpenVPN and IKEv2 and be ready for deployment to millions of users.

    Thank you!

  26. AK

    Can I use this VPN on my Laptop ?

  27. Roxana Zega

    Hi AK,

    You can use ProtonVPN on all your devices. Check our setup guide: https://protonvpn.com/support/protonvpn-setup-guide/

    Thank you

  28. User

    Congratulations! I am very happy about this! 🙂

  29. Bree

    This is my first VPN have email thru u ! Can I get some instructions on how to actually do this ? Do I click my country then any state I wanna select ? Or do u pick our vpn and scramble ? Sorry big dummy here lol

  30. Richie Koch

    No worries at all. You can click “Quick Connect” and the app will automatically connect you to the fastest VPN server based upon your geographic location and server load. You can also connect to servers in a specific country as long as they are supported by your subscription. You can get more details here:
    https://protonvpn.com/support/vpn-change-countries/

  31. Vicki

    Wow! Thank you can I work for you!

  32. Erick Paquin

    Amazing! Thank you!

  33. JC

    I noticed you didn’t mention how many countries you have servers in. Also, what about speed of your connections?

  34. Roxana Zega

    Hi JC,

    As of March 2020, we have more than 700 servers in 45 countries. The list will keep expanding as we add more servers and you can always check it here: https://protonvpn.com/vpn-servers

    We use only high-speed servers. All ProtonVPN servers have at minimum 1 Gbps bandwidth, and many of our servers also utilize 10 Gbps connections. This means that even though we utilize only the strongest encryption, ProtonVPN also provides blazing fast speeds.

    Thank you!

  35. Lorenzo

    Any idea when the Proton Calendar will come into use. Would like to go all proton so that I can delete the Google products. Been using your Mail product now since 2016.

  36. Roxana Zega

    Hi Lorenzo,

    ProtonCalendar is already available in beta to all ProtonVPN and ProtonMail users with a paid plan. Simply log in to the web version of your ProtonMail account using the ProtonMail Version 4.0 beta, and you will see the ProtonCalendar icon on the top left corner sidebar.

    Thank you!

  37. S.A. Leopold

    To date I have nothing but good to say about Protonmail. I consider one of my best relatively recent decisions …to download and use Protonmail. Congratulations to all responsible at Protonmail for all of the admirable work you’re doing.

  38. Roxana Zega

    Thank you!

  39. Jeremy Boden

    Rather weirdly, I see that the Linux VPN doesn’t get a mention (even though I trialled the CLI version). Surely the Linux VPN would be open source???

  40. Richie Koch

    Yes, you are correct. Our Linux client is open source. We did not mention it as it has always been open source, but again, you make a good point. Thanks!

  41. John

    All the internet has become a source of spyware built into the design by powerful actors like Google so that google analytics monitor activities such as logging into a secure private bank account. This is stored and supplied to state actors that is a given at this time. According to rights of privacy there should have been no monitoring and tracking in the first place it is illegal. Users can make sure to use security software such as noscript to selectively give javascript access only to trusted actors when necessary.
    Other than this the reason I comment here is the need for many more systems than a vpn and a secure mail that I hope Proton may be able to provide as unfortunately actors like Facebook, Twitter and Youtube are compromised state actors and run by corporations that also control policies and politicians. So let us start by asking for a social network ?!

  42. protonic

    This is excellent news indeed!!!
    On another note, Wireguard is making its way into the next linux kernel and other VPN providers are working on implementations. Granted, it’s still early days and it needs a good audit, but I hope protonvpn are looking into or could release a makeshift roadmap for when they hope to have a beta/experimental option for brave users to test it out!

  43. José Luis

    Wonderful news. I can’t understand how there’s people who say they “trust” their VPN provider despite only their providers know what their closed source apps really do with the clients’ traffic. Maybe my data are securely encrypted once they leave my device, but what happened before the encryption, did the app do something “fishy” with my data? With ProtonVPN app now code-literate people from all the world can check the code, and all of us can be much more sure that our data is just encrypted and sent where it’s intended. Without transparency there’s no trustable security/privacy.
    Thanks a lot, and I hope that others shall follow this path you have open.

  44. Richie Koch

    You are quite right José, a closed source app requires trust, while an open source app allows anyone to verify the code the app is running. Making all our apps open source has long been a priority for just this reason. And we also hope that the fact we open sourced our applications helps encourage other services to open source their apps as well. Cheers!

  45. Remi

    Great step forward!
    Are there any thoughts or steps towards WireGuard, SoftEther protocols. Progress doesn’t stop, application of it is an another subject.

    Kind regards

  46. iman

    Wow! i was in love with proton mail and vpn and now you guys just made me to love it more!!
    thanks to all of you guys behind proton mail and vpn

  47. Richie Koch

    Thank you for your kind words! We won’t stop until everyone has access to a private and secure Internet.

  48. On Vam Ne Dimon :-)

    Awesome! Russia love Proton! 🙂

  49. Jim Boyaga

    Already a free and paid email client, but now will be paying for vpns too.

  50. Richie Koch

    Thank you! Your support will allow us to continue developing ProtonVPN.

  51. Jelle Mulckhuijse

    Are the audit reports something you want to share with the community?

  52. Richie Koch
  53. TheByteCrasher

    Wow, awesome news. So this means that your VPN under-layer can be used by others?
    And thank you for giving contribution to open source with this.
    Best wishes to Proton VPN team.

  54. Tasupporter

    This is fantastic news! Congratulations! This step is very important! And even more under GPL!
    It’s a move we’ve been waiting for and further enhances our arguments for you. I also see that you also provide an interesting and very nice documentation.

  55. Richie Koch

    Thank you very much! This has long been a priority for us and we’re happy to have seen it through.

  56. Phydeaux

    Congratulations on releasing your VPN solutions as Free Software! Even better than mere “open sores”!

  57. PlusSubscriber

    That’s great news!
    Do you know when Proton Mail and Proton VPN will be available on f-droid?

  58. Ben Wolford

    We can’t give you a timeline at the moment, but this is a priority for us.
