Return to protonvpn.com Facebook   Twitter   Reddit   ProtonMail
Support Center / General Information / What is Secure Core VPN?

What is Secure Core VPN?

ProtonVPN has a Secure Core mode to improve user privacy and data security by mitigating some of the risks from a compromised VPN server.

A common method to expose VPN traffic is by compromising the server that handles your traffic. This risk is particularly acute when the server is located in a high risk jurisdiction. To mitigate this risk, ProtonVPN employs a technique called Secure Core. This article provides an overview about the attacks that Secure Core mitigates, how it achieves higher VPN privacy, as well as instructions on how to activate Secure Core in ProtonVPN.

 

A. What does Secure Core protect against?

ProtonVPN’s unique Secure Core architecture allows us to defend against network attacks that other VPNs cannot defend against. A classical VPN setup involves a client passing traffic through a VPN server en-route to the final destination. This means an attacker that has control of the VPN server, or the ability to monitor the network of the VPN server, will be able to match VPN clients with their destination, nullifying the privacy benefits of the VPN.

Such timing/correlation attacks are not difficult to accomplish. In countries with restrictive Internet regulations (China, Russia, Iran, Turkey, etc), or countries with broad surveillance powers (USA, UK, etc), state surveillance agencies typically have the power to coerce either the VPN provider, or the network/server provider of the VPN provider, to assist with such network monitoring. Therefore, even though ProtonVPN is based in Switzerland, we cannot know for sure that our VPN servers in other countries such as the US or the UK are not being monitored and user privacy compromised.

B. How does Secure Core increase VPN privacy?

Secure Core allows us to defend against this threat to VPN privacy by passing user traffic through multiple servers. When you connect to a server in a high risk jurisdiction like the US, your traffic will first go through our Secure Core servers. Therefore, even if our US VPN server is being monitored, an attacker would only be able to follow the traffic back to the edge of our Secure Core network, thus making it far more difficult to discover the true IP address and location of ProtonVPN users.

We have also gone to extraordinary lengths to defend our Secure Core servers. First, servers are located in specifically selected countries with very strong privacy laws (Iceland, Switzerland, and Sweden). Secure Core servers are also located in extra high security datacenters to ensure strong physical security. ProtonVPN infrastructure in Switzerland and Sweden are located in underground datacenters, while our Iceland servers are located within a former military base. Furthermore, Secure Core servers are fully owned by us and also provisioned by us (shipped on-site directly from our offices). Finally, Secure Core servers are connected to the Internet using our own dedicated network with IP addresses that are owned and operated by our own Local Internet Registry (LIR).

These measures provide us with a much higher level of certainty that our Secure Core servers and network are not being tampered with. While there is no such thing as 100% security, Secure Core is just one of the many ways ProtonVPN delivers better VPN security and privacy by protecting against complex attacks other VPNs cannot defend against.

C. How do I activate Secure Core?

Secure Core is a feature included in our Plus and Visionary Plans and can be activated as follows:

With the Windows ProtonVPN application:

  • Install ProtonVPN, start the application and log in
  • Find and activate Secure Core under the country tab on the left.
  • Connect to the available servers in the list underneath.

On MacOS, GNU/Linux, iOS and Android

  • Follow the step by step guide to set up ProtonVPN on MacOSLinuxiOS devices or Android devices
  • When selecting a server configuration file, simply choose a config file with a name structure similar to xx-xx-00.protonvpn.com.xxxxxxx.ovpn

Related articles

Does ProtonVPN store user information?

Installing ProtonVPN on Windows

Step by step guide to ProtonVPN on MacOS

Step by step guide to ProtonVPN on Linux

Post Comment

51 comments

  1. G.

    For mac users, can we benefit of all features even if there no specific app !?
    Because with tunnel blick we can not access directly to features like kill switch, dns leak, etc.
    thanks

  2. ProtonVPN

    The dedicated Mac application is already in the works (internal testing has begun as well) which will include all the advanced features. Stay tuned for more information towards q4 2017

  3. Xcvbsugi

    Do I still have access to Bank of America page with the VPN on? If not, can I access this page, after I did certain adjustments to my VPN? If not, do you think I should close my Bank of America account in the USA? Thanks a lot.
    And what do I use on the phone as an app to access the VPN and turn it on and off or on a ipad? (Might have been asked before…) But thanks for repeating.

  4. ProtonVPN

    Hi xcvbsugi, whether third party sites work with the VPN is up to the setting of said site. We do not restrict access to any pages. It is also not our place to recommend financial institutions. What we can help with is mobile VPN access: check out protonvpn.com/support/ios-vpn-setup

  5. John

    Something does not add up with the SecureCore servers:
    All the configs used were freshly downloaded from the protonvpn.com login interface again, no matter if macos or linux udp/tcp:

    1) Entry server ips in the configs are in the exit destination. Final exit ip equals entry ip. E.g. IS-DE = DE entry ip and exit ip = same ip. IS-NL = NL entry + same as exit. Shouldnt both have IS entry ips?
    2) Latency equals latency through only the exit ip e.g. i got 40ms through IS-DE although the latency to IS is already much more and through IS alone about 130.
    3) Throughput also equals going directly through the exit server but not through the multihop. 40mbit through IS-DE while 4mbit through only IS.

    The math and entry ips tell me im clearly not being routed through IS but stay in DE or NL (doesnt matter if you use IS-DE or IS-NL or CH-UK etc)

    Am i missing something? OpenVPN + macos or linux UDP/TCP configs downloaded from protonvpn logged in interface.

  6. ProtonVPN

    Hi John, we are unable to reproduce at this point. Example:
    IS-NL secure core remote IP start with 185.xxx.xxx.xxx, NL server IP’s start with 64.xxx.xxx.xxx.
    Connecting with the IS-NL config file, an ip check reveals the exit node IP.
    If the issue persist for you please drop us a line via the support form with detailed log output of your OpenVPN connection and a traceroute from the CLI (e.g. traceroute google.com -n on linux)

  7. T

    If the same protonvpn’s openvpn account is used Linux workstation and iPhone and the iPhone gets compromised (attacker gets openvpn username and password and config) does this affect user’s privacy on the Linux workstation usage?

  8. ProtonVPN

    It should not because we don’t log.

  9. Oldman

    Could I just ask a noob question please? I am using a IOS device and was just wondering do I leave the VPN on 24/7 or just when I need to connect to the internet? Also does this use up data in your phones data plan?
    Thanks 🙂

  10. CIPHERSTONE

    When using the Windows ProtonVPN app with a secure core connection, my IP listed in the ProtonVPN app when connected is often different that what a website reports is that because the App reports the first core server and the external website shows the second? If so, it would be nice if the app could be updated to include the external IP we will be seen as in addition to the IP assigned at the first server (e.g. Connected to Iceland->Germany core server). App shows Iceland IP, external connections see Germany IP. Would be cool to see both somewhere.

  11. ProtonVPN

    thanks for the feedback. This is currently being worked on and will be included in future updates!

  12. hallo

    im planing to use vpn for streming video(kodi) .are basic offer secure enough?

  13. Joe

    Sounds almost like a dual-VPN tunnel with the multiple servers use. How is Secure Core different from a dual-VPN connection?

  14. SOCKS

    So does secure core serve the same purpose as running through a proxy/SOCK5 before connecting to the VPN. I also thought it would be good to list what programs tend to leak your IP. Because I recall someone from one of the hacking groups got popped because he logged into IRC without logging into TOR. Then the cops convinced them they had flipped on each other.
    Could you add one to explain what ProtonMail Visionary is I can’t quite figure it out. I can infer that Plus Servers are better servers? I also wasn’t aware that not all VPNs cover TOR and I was thinking you could still be compromised by malicious Tor exit nodes and there is a way to mitigate that if not solve it completely somehow. I understand this is aimed at privacy advocates but I was wondering how you intend to prevent abuse without logs? Correct me if I am wrong but if someone was to torrent using this VPN with Tor would that slow down the VPN or how fast Tor will go? If I am going through the core do I need to obfuscate my Tor traffic to avoid correlation attacks or simply because the network admin doesn’t allow it.

  15. ProtonVPN

    Tor will generally see performance drops due to the nature of how its implemented. When connected through ProtonVPN Tor node, your information stops at the TOR server and we pass on the traffic for you. ProtonMail Visionary info can be found here https://protonmail.com/support/knowledge-base/paid-plans/

  16. Joseph McAteer

    AirVPN in my opinion, is top rated as far as tech is concerned. It appears you might be giving them a run for our money. great job Proton.

  17. robert

    just signed up for Plus. thank you for all you are doing. re:speed of secure core in US. i have 80 mbs up and down without vpn and close with your basic vpn without secure core. however, with secure core i drop to 12 mbs down and 1.5mbs second up. i am in between Phila & NY in the US. can anything be done about that speed which is just not workable?

  18. SOCKS

    Unlikely dude because the Core is in Sweden since it’s “Privacy Friendly” the most they could do is find somewhere closer to NA that is equally privacy friendly but it will still be across the ocean where as their VPN service has servers all over the world. You could look into a SOCK5 or something similar but there are similar issues where the privacy friendly one’s are all in the EU. I think it’s best to use Core only when browsing sensitive material and use the VPN without Core for things where your speed matters like playing games in browser, facebook or streaming video.

  19. ProtonVPN

    generally, users have reported speeds of around 75% of their full speed, even with secure core (however the ping will be impacted, due to the nature of rerouting through two countries instead of one)

  20. Rob

    With Core, can you route through more than 2 servers? i.e. 4 hops (servers) for ultra secure?

  21. byu

    so with secure core download speed will go lot down even I pick a server closest to me? I’m an located in east coast USA. I want to have maximum security and download speed. which plan should I choose?

  22. Badr

    Which plan is the best to use when within China? And what servers should be used?

  23. Robert

    Testing 0.9.7 on Win10.
    What is the meaning of the partial Yellow in the “Countries” tab?
    Some have no Yellow, some more…
    Thanks.

  24. ProtonVPN

    the yellow country tab represents the current load of the VPN server, if you hover over it with your mouse, you should see the numerical value

  25. Liam

    I am on a steep learning curve with this stuff. Thanks Jim White for the webopedia link. Are there any other specific resources that cover these topics or do I have to piecemeal stuff? What exactly is considered a ”high-risk jurisdiction’…? I’m currently switching from iPhone to Galaxy s8…are there specific concerns to be addressed with doing so…? Thanks!

  26. Wilf K

    Wouldn’t a “high risk jurisdiction, be considered a member of the so-called” 14 Eyes” countries?

  27. Jeffrey Julius

    How do I ell the location of a server in a country, so that I can connect to the closest server?

  28. ProtonVPN

    For now, this information is not yet available. We’ll be adding server region information in the near future, stay tuned on that.

  29. User

    Secure Core terminating in USA is no longer available on server list, so I switched to another country. I use online services in the USA, and this does cause some inconvenience when I connect to websites that are sensitive to the apparent origin of a user’s connection. I now need to do a lot more two-factor authentication for services I use. Will USA be coming back?

  30. ProtonVPN

    Secure Core in the US is still available. We just added Swiss Secure Core servers and have shifted the US connection to run via Switzerland. Look for ch-us connection

  31. Stephen

    I will always support Proton. I have enjoyed the mail and will utilize the VPN religiously. Just a thought. Mobile VPN for android or iOS would be great for those of us always on the go!

    Loving the Beta so far.

  32. ProtonVPN

    Mobile apps are in the works! In the meantime, you can already connect using third party clients, check our guides for Android: https://protonvpn.com/support/android-vpn-setup ; and iOS: https://protonvpn.com/support/ios-vpn-setup

  33. Morten

    Your explanation of “Secure Core VPN” is a bit vague.
    If I use, say, the config file named “is-nl-01.protonvpn.com.xxxxxxx.ovpn”, I end up in the Netherlands (NL).
    I understand that the “is-” part means that I first go to Iceland, but what security-related tasks are you doing there?

    Are you terminating my tunnel on Iceland and establishing a new tunnel from Iceland to the Netherlands – or are you simply routing the tunnel via Iceland?
    What other security-tricks are you doing, that makes this trip via Iceland more secure than going directly to the Netherlands?

    Please explain a little more about what “Secure Core VPN” is and how it works?

  34. ProtonVPN

    More technical info will be published as we progress with beta and move closer to launch, stay tuned!

  35. Wilf K

    Now that we are launched with ProtonVPN… Can we get more info on how the Secure Core works?

  36. xamessuer

    Yes, I am also interested in what security measures you take at the first location. What if someone monitors the first server? Is there a double encryption at the end? Do you run the Service on RAM disks? Thanks for helping! I love the Service please give some more information on secure core.

    Are you planning to do something against DPI and other actions? This is Important for all in restrictive countries.

  37. ProtonVPN

    The measures taken are described in the article actually if you read through it entirely. And yes, we are working on things to foil DPI.

  38. John Connett

    Any plans to support IPSec VPNs in addition to OpenVPN?

  39. Joseph Pihkal

    Very nice layout and design.
    Does it have a fail safe? Like lock the computer if it losses the VPN connection?

    Don’t want to wait to find out !!!

  40. Flea

    +1 on that one. would be great if that would be implemented.

  41. SOCKS

    It says in faq that there’s a built in kill switch that prevents IP leak

  42. ProtonVPN

    the built in killswitch is available in the native clients. At launch it’s available on Windows with other platforms coming soon. (more info in Q4 this year)

  43. j

    Now all you guys need is a drop box alternative!

  44. Jonathan

    Mega.nz do the job

  45. Slavo

    try Mega, I’m very pleased with that service

  46. Tilt

    Try the swiss zeroknowledge tresorit.com

  47. Ken

    I too have a turris and would like to add protonvpn to it. The process to add your vpn to my Ubuntu was documented perfectly, thank you.

  48. David

    Awesome will be a user of your service forever.

  49. jim white

    For those (like me) not as verbal on what a vpn is : I came across this update which explains partly the vpn. Seems to me they have (yet) to define the forward thinking and service your providing. Salutes. jpw http://www.webopedia.com/DidYouKnow/Internet/virtual_private_network_VPN.asp?utm_medium=email&utm_campaign=WEBO_NL_WN_20170303_STR2L1&dni=400003344&rni=262152059

  50. jim white

    Humbled to MS load your invention in Beta! Best to all, jpw.

  51. yuri

    Will it be possible to use this service taking into account for example turris omnia router on devices?

Leave a Reply

Your email address will not be published. Required fields are marked *

Don't find your answer? We're happy to help you!     Contact Our Support Team

Secure Your Internet Today

Get ProtonVPN