As part of our mission to make a secure and private Internet available to all, Proton VPN will have to add servers in countries with poor privacy protections. Here’s how to safely use servers in high-risk countries.
Which VPN server you connect to is generally determined by what you are trying to access and where it is hosted. To reach information a government has censored within its borders, you need to connect to a VPN server outside that country. Other times you may need to reach information that is only available inside your own country: some websites only allow you to log in from an IP address in the country hosting them, so if you are traveling abroad you need a VPN server back home to access them. Therefore, the only way for us to properly serve our users, who come from more than 180 countries worldwide, is to add servers in practically every country on earth.
However, privacy laws vary widely from country to country, just as governments range from liberal democracies to dictatorships. Adding a server to a country does not mean that we endorse its government’s policies and regulations. In the process of serving our global user base and fulfilling requests for servers in more countries, we must necessarily add servers in countries which are, quite frankly, terrible at privacy.
In recognition of this, it is important for the Proton VPN community to be informed about the risks that can come with using these servers, and how some of these risks can be mitigated. We would also like to clarify our own policies regarding high-risk countries.
Guidelines for connecting to servers in high-risk VPN countries
Understand your threat model before connecting to servers in high-risk countries
As outlined in our threat model, Proton VPN cannot guarantee the absolute security of our servers in high-risk countries (such a guarantee is impossible for all VPN services). Therefore, you should consider any servers in a country with weak privacy protections to potentially be compromised as part of your user threat model.
Consider the following examples: If you are using the Internet to do low-risk activities (e.g., streaming TV or looking up football scores), then which server you connect to is not important. On the other hand, if you are a North Korean dissident handling sensitive communications, we would not recommend connecting to a server in North Korea (if we ever get one), as the North Korean secret police could potentially be monitoring that server.
Use Secure Core VPN
If you must connect to a server in a country with weak privacy protections, enable the Secure Core feature (available with the Proton VPN Plus plan). With Secure Core, your Internet traffic is first routed through special, hardened servers in countries with strong privacy laws, like Iceland, Sweden, or Switzerland, and only then through the server in the high-risk country. If authorities are monitoring the VPN server in the high-risk country, they will only be able to trace the traffic from it back to the Secure Core server, not to your true IP address. Note what this does and does not cover: Secure Core hides your address from the exit server, but anything that leaves that exit unencrypted (for example plain HTTP) is still visible there, so keep relying on end-to-end encryption such as HTTPS for the sites you visit.
Whenever we add servers in unfriendly jurisdictions, we will always add Secure Core coverage to those servers. Secure Core significantly reduces the risk of using a server in any unfriendly jurisdiction.
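The visibility argument above as a small runnable model, so the "assume the exit is compromised" question from the threat-model section can be answered mechanically. This is an added example written for this page, not Proton VPN's own code: the hop names and addresses are constructed, each hop is assumed to forward with its own address as the source (the NAT-style behaviour of a VPN gateway), and the model tracks network-layer addresses only, saying nothing about the encryption between hops or about traffic-correlation attacks.

```python
"""Toy model of VPN hop chains: which hop can attribute a flow to the user's real address.

Constructed example. Hop names, addresses and the source-rewriting behaviour are
assumptions made for illustration; this is not Proton VPN's software and it models
only network-layer addresses, not the encryption between hops.
"""
from dataclasses import dataclass, field


@dataclass
class Hop:
    name: str
    egress_ip: str                                              # source address this hop forwards with
    seen: list[tuple[str, str]] = field(default_factory=list)   # (source seen, next address) per flow


def send(client_ip: str, path: list[Hop], destination: str) -> str:
    """Push one flow through the chain. Each hop records the source address it
    received the flow from and the address it forwards to, then rewrites the
    source to its own egress address. Returns the address the destination sees."""
    src = client_ip
    for i, hop in enumerate(path):
        next_addr = path[i + 1].egress_ip if i + 1 < len(path) else destination
        hop.seen.append((src, next_addr))
        src = hop.egress_ip
    return src


def attributable_clients(hop: Hop, clients: set[str]) -> set[str]:
    """Real client addresses an adversary controlling `hop` can read directly
    from the flows it handled, i.e. what a compromised server learns."""
    return {src for src, _ in hop.seen if src in clients}


def compare_direct_vs_secure_core(client_ip: str = "203.0.113.7",
                                  destination: str = "198.51.100.20") -> dict[str, set[str]]:
    """Same user, same destination, two topologies: a direct connection to a
    high-risk exit, and the same exit reached through a Secure Core hop."""
    direct_exit = Hop("exit-highrisk", "192.0.2.10")
    send(client_ip, [direct_exit], destination)

    core = Hop("secure-core-CH", "192.0.2.50")
    chained_exit = Hop("exit-highrisk", "192.0.2.10")
    send(client_ip, [core, chained_exit], destination)

    clients = {client_ip}
    return {
        "direct: exit learns": attributable_clients(direct_exit, clients),
        "secure core: exit learns": attributable_clients(chained_exit, clients),
        "secure core: core learns": attributable_clients(core, clients),
    }


if __name__ == "__main__":
    for scenario, learned in compare_direct_vs_secure_core().items():
        print(f"{scenario}: {learned or 'nothing'}")
```

Running it shows the direct exit holding the user's real address while the chained exit only ever sees the Secure Core server's address; the address that can identify the user now lives only on the hop in the strong-privacy jurisdiction.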
Proton VPN policies in high-risk countries
To continue providing our users with the highest degree of security possible, even in countries with weak privacy protections, we have adopted the following internal policies for high-risk jurisdictions.
Avoid directly owning infrastructure
To keep unfriendly governments from claiming jurisdiction over Proton VPN, we use third-party infrastructure in high-risk countries. VPN services that own hardware or have a substantial staff presence in a country with weak privacy protections could fall under that country’s jurisdiction through the “principal place of business” doctrine. By working through third parties, Proton VPN avoids having a physical presence in any jurisdiction with weak privacy protections, making it difficult to dispute our status as a Swiss company.
Work only with reliable partners
We will thoroughly scrutinize all potential infrastructure partners in high-risk countries and only work with those whose values align with our mission. This vetting process may delay adding servers in certain high-risk countries where it is difficult to find a suitable partner. Even when we find an ideal partner, we will also deploy technical measures to further mitigate some of the risks of having a VPN server in an unfriendly jurisdiction.
Always use dedicated hardware
Proton VPN only uses bare metal (physical) servers that we can fully control all the way down to the base operating system level. We have followed this policy in all countries. Using a bare metal server as opposed to a virtual server means the hardware is dedicated solely to Proton VPN, giving us a higher degree of control and making it more secure. This bare-metal-only policy will continue in unfriendly jurisdictions to ensure that our servers are harder to compromise.
Implement full-disk encryption
All Proton VPN servers, including those in lower-risk countries, are secured with block-level disk encryption. This protects against a specific but powerful attack in which an adversary who gains physical access to an exit server (for example by seizing or imaging it) steals the server certificate and its private key, then uses them to impersonate the server and redirect user traffic to a machine the attacker controls. Full-disk encryption keeps that key material unreadable at rest; that is the threat it addresses, since a server compromised while running still has its keys in memory, which is why this measure is combined with the others listed here. By encrypting all our servers, we protect our certificates and mitigate the risk of this kind of MITM attack.
Leave countries rather than compromise our values
We expect that in some high-risk countries, law enforcement or intelligence agencies may exert pressure on our infrastructure providers to monitor network traffic upstream of our servers. In the US, for example, ISP monitoring and NSA data collection are the default on almost all Internet connections. Since our Secure Core architecture reduces the amount of information these agencies can collect through this type of surveillance, they may try to force Proton VPN to log the online activity on our servers. If this situation arises, we will shut down our servers and withdraw from the country in question, instead of compromising our values or our strict no-logs policy.
Communicate transparently
Finally, we reiterate our commitment to transparency. We are transparent about who we are, and we have always communicated openly with the community. As Proton VPN’s global network grows, this transparency will become more critical. If we come under pressure or feel that we can no longer live up to our privacy standards in a high-risk country, we will promptly share this information with our community and shut down the servers in that country. We will also endeavor to more systematically identify the privacy risks of each country and communicate that to the community at large.
It is an unfortunate fact that there are numerous countries around the world where online privacy is under attack. If we avoided these countries altogether, though, we would only be able to have servers in Sweden, Switzerland, and Iceland, which would not be enough to serve the needs of our community. However, as long as you keep this threat model in mind, or enable Secure Core VPN, you can use our VPN servers anywhere in the world. We look forward to bringing Proton VPN to every country in the world.
Best Regards,
The Proton VPN Team
Hi there,
Big cheers for your great work. I enjoy using ProtonVPN.
I’m afraid my question might have been asked many times, but I haven’t been able to figure out an answer so far… Why can one not connect to ANY server through Secure Core, instead of only one or two (rarely 3) of these in each country? Indeed, I always hesitate between having different IP addresses in (let’s say) the UK, which offers better anonymity, and using Secure Core, which offers stronger security but only one IP. I find it’s a bit of a pity, as Proton puts effort into renting/offering a great panel of different servers, even in high-risk countries where Secure Core would be necessary, whereas I reckon this would be due to some technical reason. Why offer several servers in a high-risk country when only one of these can actually be accessed securely?
Cheers.
When setting up my Secure Core Proton VPN it asks for an exit country, and I make a profile. What country should I use if I’m in the United States (for privacy)? And then you have to select a server? Please educate me a little on the best choices... thanks
This is a good question that unfortunately does not have an easy answer. Which country you choose for your exit server depends largely on the content you want to access. If it is geo-blocked and only accessible to users with a US IP address then you should choose a US server. The good news is that with Secure Core, you are applying an extra layer of security regardless of which country you choose for your exit server. (Learn more about Secure Core here: https://protonvpn.com/support/secure-core-vpn/)
If many users are using p2p on your servers and I happen to also be connected to the same server, will I get wrongly flagged because my IP given by the VPN seems like it’s being used for file sharing? Does traffic matching really work, and could they get it wrong by attributing torrent traffic to me?
Second question. IPVanish claimed to not keep logs, and they were found out to be keeping detailed port:IP timestamps. Do your bare metal servers store any logs at all?
If connection is lost to an exit node (repeatedly, different nodes) but the secure core connection remains active, does that mean a government or highly sophisticated enemy is attacking the exit node? Or trying to establish who and where a user is from?
Also, does direct physical access to a modem/router allow such entities to install software to bypass the VPN service entirely?
Hello! The connection can be lost for various, often simple reasons, mostly due to an unstable/weak internet connection. That doesn’t mean that someone is attacking the exit node and trying to breach the VPN. If you are experiencing disconnections, please contact our support team so we can assist you accordingly: protonvpn.com/support-form.
Regarding your second question, the VPN protection is activated on the device that you are using and which is connected to the ProtonVPN servers. The protection and encryption cannot be bypassed because the router cannot see the traffic within the VPN tunnel on your device.
Should I worry about auto-connecting to these servers, when my app by default is configured to connect to the fastest available server?
No, because our secure VPN sends your internet traffic through an encrypted VPN tunnel regardless of the server you choose or if you auto-connect to a server. You can also create a custom profile with your favorite server and set the profile as a default one.
Could you be more specific as to what constitutes a ‘high-risk country’ in terms of privacy? I think it’s important to highlight some general conditions even though everyone has a different threat model. North Korea is a good example, yes, but you don’t offer a server in that location and I think it’s important and helpful for us readers to know how ProtonVPN identifies such risks.
Thanks in advance!
What is high risk really depends on your threat model, which varies from person to person. That’s why it’s hard to be specific about this. For example, a German citizen using hypothetical North Korean servers probably actually faces very little risk.
I live in China; almost all servers can’t connect.
Hello, for China you might need to use an alternative connection method. Please write an e-mail via https://protonvpn.com/support-form or fill in the following form: https://protonvpn.com/support-form for further instructions and our support team will assist you accordingly.
Would opening a server in a high-risk country generate problems for users not using these servers? I am worried because some VPNs operating servers in high-risk countries were forced (court orders or legislation) to provide decryption keys for their VPNs… So, the question is, would opening a VPN server in a high-risk country open the possibility for the encryption protocols (used in other ProtonVPN servers) to be shared with governments from these high-risk countries? If that’s the case, then opening a VPN server in a HR country (while still keeping the legal entity in Switzerland) would surely lessen the security currently offered by ProtonVPN.
Could you clarify this issue?
Regards
Hello! Thank you for your question. As we discussed in the blog post, if we get a request that goes against our values, we will shut down our VPN servers in that country rather than comply.
I notice that NordVPN uses a British hosting provider (M247) in many countries including Switzerland. Presumably the UK’s GCHQ could secretly force M247 to provide access to the hardware at their sites – what methods do ProtonVPN and others have to protect against this? Do you use hosting providers that are likely to be subject to these sorts of secretive orders?
Our solution is Secure Core VPN, which guards against situations like this: https://protonvpn.com/support/secure-core-vpn/