We’re happy to be the first VPN provider to open source our apps on all platforms (Windows, macOS, Android, and iOS) and undergo an independent security audit. Transparency, ethics, and security are at the core of the internet we want to build and the reason why we built Proton VPN in the first place.
We launched Proton VPN in 2017 to provide Proton Mail users with a trustworthy VPN service, which was increasingly necessary given the rise of Internet censorship. VPN in particular was an area in dire need of improvement. Studies have found that over one-third of Android VPNs actually contain malware, many VPNs suffered from major security lapses, and many free VPN services that claimed to protect privacy are secretly selling user data to third parties. In general, there is also a lack of transparency and accountability regarding who operates VPN services, their security qualifications, and whether they fully conform to privacy laws like the GDPR.
Proton VPN changed this by delivering an unparalleled level of transparency and accountability. We have done things differently from the start: We have a strict no-logs policy, we’re based in Switzerland, regulated by some of the world’s strongest privacy laws, we have a deep security background, and we have even opened up our technology for inspection by Mozilla. We’re regularly audited by independent security experts, and our latest security audit results confirm our no-logs policy.
Making all of our applications open source is therefore a natural next step. As former CERN scientists, publication and peer review are a core part of our ethos. We are also publishing the results of independent security audits covering all of our software.
You can find the open-source code and audit reports here:
You can also find the latest security audit reports for all Proton services on our community page explaining why we prioritize open-source code.
Why it’s important to use an open-source VPN
When you choose to use a virtual private network, you are placing an extraordinary amount of faith in that service provider. Here’s why:
When you are not connected to a VPN, your unencrypted Internet traffic (i.e., that which is not protected by TLS) may be intercepted by your WiFi provider, by your Internet service provider (ISP), by hackers monitoring the local network, or by the government authorities in your jurisdiction. Your IP address (i.e. your device’s identity and your geographical location) is also exposed, including to the websites you visit, which can use that information to track you across the Internet. Even encrypted traffic can be monitored to observe the websites you visit, and your IP address will remain exposed.
When you connect to a VPN, your Internet traffic is encrypted between your device and the VPN server, protecting it from local network surveillance. Even your DNS lookups (the names of the web domains you visit) are protected. And your IP address is masked to help protect your identity and location. However, when you connect to any VPN, the VPN provider can see the same kind of data that your ISP could when not using a VPN, including your browsing history and IP address. This is why choosing a trustworthy VPN service is so important.
A VPN application, therefore, has a lot of privileged access to your device and your online activity. Open-source code allows security researchers and the global security community to inspect how we implement encryption and how we handle your data, giving you more certainty that we are adhering to our strict privacy policy. Open-source code provides security through transparency, meaning that because the code is heavily scrutinized, potential vulnerabilities are quickly spotted and fixed. This reduces the risk of a security vulnerability in a VPN app putting you at risk.
In contrast, proprietary code relies on “security through obscurity,” meaning vulnerabilities are less likely to be discovered. Or worse, these vulnerabilities may be only known to malicious actors who exploit them secretly without users being aware.
When it comes to online privacy and security software, we believe free and open-source software is better for safety and provides better accountability to our user community. Open source has long been at the core of Proton, and our open-source software includes the Proton Mail web app, iOS app, Android app, and the desktop Bridge app.
This means that all Proton apps that are out of beta are open source.
We also maintain open-source encryption libraries, such as OpenPGPjs, which power a significant fraction of encrypted applications on the web today and serve tens of millions of users.
Third-party security audits
Another unique quality of Proton VPN is our commitment to having independent security researchers inspect our software before releasing it publicly. Previously, Mozilla reviewed our implementations, organizational structure, and our technology as part of their due diligence for a partnership with us.
Since then, we have initiated more thorough security-focused audits for all our clients. We contracted SEC Consult, a leading security firm, to conduct the audits. Although such audits are expensive and time-consuming, we believe these are a critical step that must go together with open sourcing our code. Going forward, we will continue to do audits on an ongoing basis to have continual independent checks on our application security.
Working with the Proton community
The other important benefit of open sourcing our software is that it furthers our overall mission to build an Internet that’s more secure, private, and free by leveraging the power of the community. Security improvements can now be submitted by developers from around the world through our bug bounty program. And in some cases even features improvements from the community may be incorporated into the official Proton VPN apps, similar to what we have done previously with the official Proton VPN Linux client.
As a community-supported organization, we have a responsibility to be as transparent, accountable, and accessible as possible. Going open source helps us to do that and serve you better at the same time.
Your feedback and suggestions have become a vital source of ideas and inspiration for us, and we will continue working to meet your expectations in 2020 and beyond. We will be launching new servers all over the world, improving security, and releasing new features to keep you safe and help you bypass censorship. None of what we have achieved to date could have been done without our community.
Thank you for your support!
Best Regards,
The Proton VPN Team
Follow us on social media to stay up to date on the latest Proton VPN news:
Twitter | Facebook | Reddit | Instagram
To get a free Proton Mail encrypted email account, visit: proton.me/mail
do you have any plan to make the backend be open source?
Hi eular. I’m afraid not at the present time.
Because I am very suspicious about security, where can I find reports about audits about privacy done by auditing hackers. I only trust products that have been tried to break it after you made it. (make it, break it, fix it)
Hi Klaas,
We agree with your iterative approach to security, which is why we made our code open source, so more cybersecurity experts can try to “break it,” as you put it. Our audits were performed by SEC Consult, a respected cybersecurity firm. You can view them here.
Android: https://protonvpn.com/blog/protonvpn-android-app-audit-report-2020/
iOS: https://protonvpn.com/blog/protonvpn-ios-app-audit-report-2020/
macOS: https://protonvpn.com/blog/protonvpn-macos-app-audit-report-2020/
Windows: https://protonvpn.com/blog/protonvpn-windows-app-audit-report-2020/
it would be great if you install a firewall to block ads on the VPN network. consider using software like pi-hole.
Stay tuned Diher, we are currently working on a feature that is very similar to your request.
Hi Ben – Just feeding back to you on ProtonVPN. I was keen to install this software and keep my software with VPN. Sadly though the instructions for installing ProtonVpn were not clear. To add to this, when I contacted Protonmail, they were unhelpful. You have to appreciate that users are not computer tech specialists. Consequently you lost my support and I have not used VPN. It is important. Make your VPN end user friendly or you will not get the support /uptake of your product.
You let me down.
Respectfully
Peter K Ellis
I think all the nagging peole here nagg’s about anything in life. I’ve seen sooo many VPN’s out there, and Proton is without a doubt worth the tiny amount of 50 usd/year you’re asking for 1 year. poeple who complains about that, they really don’t know sh*t about VPN’s services on the market today. That’s all… thanks Protonmail for a fantastic super encrypted emailsystem and VPN. This si my 4th year on ProtonMail
Ganhei 7 dias de plano plus mais nao consigo acessar nafa tudo dis que tem que fazer assinatura e assinatura par netflix e assinatura para hbo go como desbloquear
Olá João,
Com ProtonVPN Plus tens acesso ao conteúdo vídeo de outros países somente depois de criares uma conta com Netflix ou com HBO Go. Por favor entra em contato com o nosso Customer Support se não conseguires depois de criar uma assinatura.
Obrigada,
Roxana
I just requested a refund within the 30 day period, however I accidentally made a typo misspelling of my name. It’s Paul DiGuida …
I wrote 3 times to request a refund of my One Year Subscription, but have yet to receive a reply back to my request. I thought that if your not satisfied with the service, you could cancel within 30 days to obtain a refund. I don’t be understand why I have yet to receive a response back to my request. Please help, Thanks …
Hi Paul, please contact our support team for assistance: https://protonvpn.com/support-form
stupid question, what does ProtonVPN use for VPN Server (OpenVPN Server)? And will the VPN Server be open sourced if its not a preexisting server implementation?
Hi Aziz, I’m not sure I totally understand your question. This article provides a bit more information about our server security in case that’s helpful: https://protonvpn.com/blog/disk-encryption/
I love all the products you have. VPN is Top Notch. Your Email provides a Top Level security and have all my clients and legal people switch all email correspondence through Proton. I have not felt this way about a product in a very long time.
Also. I think that a screen saver would be a great idea. But a screen saver of the VPN signal and statistics that show when you connect showing the VPN on your screen,would be awesome and I think popular.
Thanks again
Chris Huebschman
Seems like the backend (server code) has the most implications of data privacy as all original IPs and traffic go there? Can you tell us more about the decision to open source the apps only and how that can give us confidence about the whole system?
Glad to see the achievement, this means a lot!
But at the same time quite disappointed by the answer that there is no plan to audit the Linux version!!! How come? What’s the rationale behind not offering the same level of quality assurance for those of use using Linux?
Do you have plans for backend audit? Please merge more than one audit firm next time; Mullvad did the same with their client apps.
Hi Mount, we routinely audit and check our backend software, and an audit of the Proton API was part of the scope undertaken by SEC Consult.
In regard to your ProtonVpn app, if I use this to send an email, will my IP address, location and all other details that could lead back to me, be secret and not traceable by the person receiving the email? I need to send an email in relation to whistleblowing, but want to ensure neither I or my electronic details can be traced or identified.
We don’t include sender IP address in the email headers, so the recipient will never be able to discover your IP. Just be wary, if they send you back a message, that you don’t load remote content as that would disclose your IP unless you are on VPN.
hola , para cuando implementan WIREGUARD protocolo , lo probe en otras apks y soft y funciona muy muy bien, espero protonvpn lo implemente pronto ??????
Hi Pedro,
We will set up WireGuard ProtonVPN servers for internal testing and experimentation. However, it will take some time before we do a public deployment and unfortunately, we cannot set a deadline. As far as VPN protocols go, WireGuard is still very new. Bugs and other instabilities could still exist and there are not many software libraries that support WireGuard. Support within mainline Linux distributions is also still in progress. There’s more work to be done (not all of it dependent on us) before WireGuard can reach the same level of compatibility as legacy protocols such as OpenVPN and IKEv2 and be ready for deployment to millions of users.
Thank you!
Is there a plan to audit the Linux offerings? =dn
Hi dn,
ProtonVPN Linux command line tool has always been open source, increasing accountability and transparency over time. We don’t currently plan to also run an audit on it.
Thank you
Hi Support,
I have had a free protonmail email for a couple of years now. I will be changing that to a paid service when some expected finances arrive.
Just making sure I have got it right (still learning ),
Can I change my current email to a protonVPN, then later to a paid service.?
Greetings from Ozzieland!!
Kindest regards…Jean
Hi Jean,
You can always add a ProtonVPN free plan to your ProtonMail. You can later upgrade both services.
Thank you
Hi, where is the source code for the protonmail Bridge?
H Jonathan,
ProtonMail Bridge is on our list of planned open source apps. Please continue to check our blogs for updates on this matter.
Thank you.
Hello, in the message about the VPN I read nothing about Linux. Does the VPN work with Linux, and in particular with openSUSE Linux? The VPN I use now does not and although I can get a secure connection for a while, after a certain time the connection is lost. So I could use a new one but I need to be sure it does work with openSUSE Linux before I buy me a new one.
Can somebody please enlighten me? Thank you very much.
Excellent idea and I will definitely use your VPN.
Thank you, Sasha!
Sounds great! What impact does this have on the hosting of ProtonVPN? Will this mean mirror ProtonVPN servers can be setup? Can users choose mirrors or setup integration with the protonmail app (and others?) Is it possible to setup (for Termux, etc) Linux VMs that can be downloaded and run, both for server and client? Hardware authentication?
Great news, I believed that you would open the code, open source is very important. is there a plan to implement the WireGuard Protocol ?
Hello Ivan,
We will set up WireGuard ProtonVPN servers for internal testing and experimentation. However, it will take some time before we do a public deployment and unfortunately, we cannot set a deadline. As far as VPN protocols go, WireGuard is still very new. Bugs and other instabilities could still exist and there are not many software libraries that support WireGuard. Support within mainline Linux distributions is also still in progress. There’s more work to be done (not all of it dependent on us) before WireGuard can reach the same level of compatibility as legacy protocols such as OpenVPN and IKEv2 and be ready for deployment to millions of users.
Thank you!
Does your VPN support IPv6 ?
Can I use this VPN on my Laptop ?
Hi AK,
You can use ProtonVPN on all your devices. Check our setup guide: https://protonvpn.com/support/protonvpn-setup-guide/
Thank you
Congratulations! I am very happy about this! :-)
Oh I forgot and secure core ? Thank you God Bless
This is my first VPN have email thru u ! Can I get some instructions on how to actually do this ? Do I click my country then any state I wanna select ? Or do u pick our vpn and scramble ? Sorry big dummy here lol
No worries at all. You can click “Quick Connect” and the app will automatically connect you to the fastest VPN server based upon your geographic location and server load. You can also connect to servers in a specific country as long as they are supported by your subscription. You can get more details here:
https://protonvpn.com/support/vpn-change-countries/
Wow! Thank you can I work for you!
Amazing! Thank you!
This is fantastic news! Any chance you all would consider developing some router firmware for OpenWRT compatible routers? I know it’s a long shot but my current VPN offers this functionality which has been extremely useful in extending automatic protection to all the devices on my home network – esp for household members who wouldn’t otherwise think to switch on a vpn for each device. Regardless, thank you for your commitment to being a leader in security!!
I noticed you didn’t mention how many countries you have servers in. Also, what about speed our your connections?
Hi JC,
As of March 2020, we have more than 700 servers in 45 countries. The list will keep expanding as we add more servers and you can always check it here: https://protonvpn.com/vpn-servers
We use only high-speed servers. All ProtonVPN servers have at minimum 1 Gbps bandwidth, and many of our servers also utilize 10 Gbps connections. This means that even though we utilize only the strongest encryption, ProtonVPN also provides blazing fast speeds.
Thank you!
Any idea when the Proton Calendar will come into use. Would like to go all proton so that I can delete the Google products. Been using your Mail product now since 2016.
Hi Lorenzo,
ProtonCalendar is already available in beta to all ProtonVPN and ProtonMail users with a paid plan. Simply log in to the web version of your ProtonMail account using the ProtonMail Version 4.0 beta, and you will see the ProtonCalendar icon on the top left corner sidebar.
Thank you!
To date I have nothing but good to say about Protonmail. I consider one of my best relatively recent decisions …to download and use Protonmail. Congratulations to all responsible at Protonmail for all of the admirable work you’re doing.
Thank you!
Rather weirdly, I see that the Linux VPN doesn’t get a mention (even though I trialled the CLI version). Surely the Linux VPN would be open source???
Yes, you are correct. Our Linux client is open source. We did not mention it as it has always been open source, but again, you make a good point. Thanks!
All the internet has become a source of spyware built into the design by powerful actors like Google so that google analytics monitor activities such as logging into a secure private bank account. This is stored and supplied to state actors that is a given at this time. According to rights of privacy there should have been no monitoring and tracking in the first place it is illegal. Users can make sure to use security software such as noscript to selectively give javascript access only to trusted actors when necessary.
Other than this the reason I comment here is the need for many more systems than a vpn and a secure mail that I hope Proton may be able to provide as unfortunately actors like Facebook, Twitter and Youtube are compromised state actors and run by corporations that also control policies and politicians. So let us start by asking for a social network ?!
Sometimes I have to disconnect from Proton VPN to make a website work. Then I forget to re-connect. I would love it if Proton would add a feature that would warn me if I’m about to continue on the internet without a Proton connection.
This is portrayed as a bigger step than it is. You share openVPN files, which basically makes it open source. So making apps open source isn’t that big of a step.
What would really be interesting is to see what’s under the hood (back end). Because the state of this service has not changed: it’s still a black-box situation.
Hi
I was considering subcribing to both Proton Mail and Proton VPN until I discovered that the code is open source
and even looked at the VPN code myself and saw instructions on disabling TLS in order to do certain other things – hacker heaven!!
I believe that this undoes all of the possitive attributes of the software rendering it pointless. We subscribe based on software security and company reputation – we dont need access to the code
I wanted to make a suggestion:
Since I think that for the average user is absurd to use a VPN to gain privacy but having his email, messengers, social networks and other online service that is strictly bound to our real names, phone numbers, postal addresses, even personal photos, all them routed through the same VPN we use for private and peaceful web browsing, I think ProtonVPN should permit the user to choose that, for example, Telegram, Thunderbird, the Facebook app on mobile, etc, don’t use the VPN; it’s a way to reveal that the IP we use for web browsing is ours.
I’m aware that you share the same IP with many users, but still, WebRTC reveals the “sub-net” (or whatever it is called in technical jargon) IP each user has (if I’ve not understood wrong), and still if a single IP is shared among hundreds of users, I think that since Facebook Knows everything about me, Gmail has my address book and knows also everything about me and also know who’s my brother, what phone number has my wife, what’s the phone number of my kid’s teacher, etc, etc… They already know everything! I think they should also not know that I use a VPN for private web browsing.
I have seen that protonvpn-cli (linux.only user here, to me it’s also rather absurd trying to read a decent privacy but keep using an OS like Windows) has a function to use “tunnels”. That’s nice but it seems that only works with IPs, and sincerely, I don’t think anyone knows what IPs use, Facebook app and Whatsapp and Telegram and Instatgram and my 2 or 3 email provders and Mozilla Pocket and Evernote and my bank’s app and my government online services for the citizen, etc, etc, etc… And even if I’d ever knew it, I’m sure that they change them from time to time, so I think that even being so careful would be inutile.
So, why don’t you add, *besides*, the possibility to tunnel IPs tunneling applications? So, if I’m on my FB app on mobile, no matter where if the app connecting to, every connection made by that app will be using my real IP, that IP that FB already knows since several years ago; or if I’m on my PC using Thunderbird, I can send all TB’s traffic through my real IP addres that my email provider also knows very well.
There’s another option, that could be one of your premium services: permitting to use 2 different servers, one for let’s say, private browsing, and other for all these “tunneled” services that already know us like if they had given us to birth. We would still be safe from our ISP’s eyes and Google, for example, would still know that we are using PVPN services to check our Gmail account or synchronize our contacts, but they wouldn’t know that we are watching Youtube videos (without logging in, of course) or browsing pages plenty of Google Analytics trackers, from a different IP.
Does this make sense? I hope I’ve been able to explain myself acceptably clear.
Don’t keeping IKEv2 & OpenVPN at the same time reduces privacy/security on both backend servers & client apps? Especially the servers as they always needs to be running simultaneously.
This is excellent news indeed!!!
On another note, Wireguard is making its way into the next linux kernel and other VPN providers are working on implementations. Granted, it’s still early days and it needs a good audit, but I hope protonvpn are looking into or could release a makeshift roadmap for when they hope to have a beta/experimental option for brave users to test it out!
Wonderful news. I can’t understand how there’s people who say they “trust” their VPN provider despite only their providers know what their closed source apps really do with the clients’ traffic. Maybe my data are securely encrypted once they leave my device, but what happened before the encryption, did the app do something “fishy” with my data? With ProtonVPN app now code-literate people from all the world can check the code, and all of us can be much more sure that our data is just encrypted and sent where it’s intended. Without transparency there’s no trustable security/privacy.
Thanks a lot, and I hope that others shall follow this path you have open.
You are quite right José, a closed source app requires trust, while an open source app allows anyone to verify the code the app is running. Making all our apps open source has long been a priority for just this reason. And we also hope that the fact we open sourced our applications helps encourage other services to open source their apps as well. Cheers!
Nice! But you can’t say you’re on “all platforms” if you don’t support GNU/Linux.
Good, but what about the server software ? And the Linux client ?
Great step forward!
Are there any thoughts or steps towards WireGuard, SoftEther protocols. Progress doesn’t stop, application of it is an another subject.
Kind regards
Security of VPN endpoints in countries, say Costa Rica. What guarantees do ProtonVPN users have against the NSA strong arming them into revealing VPN connection logs and metadata? Does SecureCore add a layer of protection here?
Wow! i was in love with proton mail and vpn and now you guys just made me to love it more!!
thanks to all of you guys behind proton mail and vpn
Thank you for your kind words! We won’t stop until everyone has access to a private and secure Internet.
Kindly provide tutorials for us technicians so we can take advantage of this development
My last comment was never approved (or was deleted by staff), and then the blog is updated with the information that only the client-side software will be open sourced. This is mere click-bait and a marketing exercise then, since being unable to examine your server platform makes the client source code release effectively moot.
A true shame, as I want to use a platform I *know* is secure.
What about a Linux version?
Awesome! Russia love Proton! :-)
Already a free and paid email client, but now will be paying for vpns too.
Thank you! Your support will allow us to continue developing ProtonVPN.
Are the audit reports something you want to share with the community?
Links to the results of all our independent audits can be found above in the blog post. For convenience, I have copied and pasted the links here:
https://protonvpn.com/blog/protonvpn-android-app-audit-report-2020/
https://protonvpn.com/blog/protonvpn-ios-app-audit-report-2020/
https://protonvpn.com/blog/protonvpn-macos-app-audit-report-2020/
https://protonvpn.com/blog/protonvpn-windows-app-audit-report-2020/
Cheers.
Where is the independent security audit of the actual servers? Auditing the client software doesn’t tell you what is going on at the server level
Wow, awesome news. So this means that your VPN under-layer can be used by others?
And thank you for giving contribution to open source with this.
Best wishes to Proton VPN team.
This is fantastic news! Congratulations! This step is very important! And even more under GPL!
It’s a move we’ve been waiting for and further enhances our arguments for you. I also see that you also provide an interesting and very nice documentation.
Thank you very much! This has long been a priority for us and we’re happy to have seen it through.
This is great news but are you also going to open source protonmail-bridge some day?
Currently it’s a little bit difficult process to always update from Linux binary packages on distros not supporting natively either rpm or deb packet format (like Gentoo Linux).
Congrats on that and let the force be with you! OpenSource are for Open Minded people and you take the right path.
Best wishes for the new ZOZO year!
Keep up the good work!
This is amazing news. Thank you for being so transparent and open about your platform.
Are you also planning to open source your server technologies?
Not really “all platforms” if you don’t include Linux. Linux really isn’t a priority it seems, the platform isn’t even mentioned but once in this entire article about audits and the app on Linux doesn’t even have a GUI.
Has the official linux VPN client been audited?
so does this mean that protonvpn is going to be totally free or not
Is there going to be a Linux version?
Congratulations on releasing your VPN solutions as Free Software! Even better than mere “open sores”!
That’s great news!
Do you know when Proton Mail and Proton VPN will be available on f-droid?
We can’t give you a timeline at the moment, but this is a priority for us.
Great step in the right direction, but what about the server code?