All systems operational status.ollavpn.com
Trust · Resources · Contact
Technology · how OllaVPN works

Defence-grade.
Future-proof. Built to last.

A modern, post-quantum-ready privacy VPN. Hybrid post-quantum key exchange on every connection. Strong defaults — kill switch, in-tunnel DNS, peer isolation — turned on out of the box.

How it works Our principles
HOW IT WORKS

Strong defaults. No advanced settings required.

01
Post-quantum-ready key exchange
A hybrid handshake protects every connection against today's networks and tomorrow's quantum-capable adversaries.
PQ READY
02
Modern, forward-secret tunnel
Session keys rotate continuously. A recording of today's traffic cannot be decrypted by stealing a key in the future.
FORWARD SECRET
03
Kill switch on by default
If the tunnel drops, the network drops. Packets do not leak in the gap. No "advanced" toggle to find.
DEFAULT ON
04
DNS inside the tunnel
Name lookups travel inside the encrypted tunnel to a resolver we operate. OS-level DNS is firewall-blocked while connected.
LEAK-PROOF
05
True peer isolation
Other users on the same connection cannot route packets to you. Enforced at the network layer, verified by automated end-to-end tests.
VERIFIED
06
LAN access stays on
Local devices — printer, NAS, smart-home gear — keep working while the tunnel is up. Privacy without breaking your home network.
HOME-SAFE
07
Privacy-first infrastructure
No anycast magic, no recycled commodity VPS. Dedicated infrastructure, in privacy-first jurisdictions, with no logs of your activity.
NO LOGS
THE HANDSHAKE

Hybrid post-quantum, simplified.

# 1. classical key exchange classical = classical_dh(client, server) # 2. post-quantum encapsulation pqc = pqc_kem.encapsulate(server.pq_pub) # 3. mix both into the session key key = mix(classical, pqc) # 4. open the tunnel tunnel.open(key) → established · forward-secret · post-quantum-ready

If either side of the hybrid holds up — classical or post-quantum — the session stays private. That's the point of "hybrid by default."

WHAT YOU GET, EVERY CONNECTION

The defaults.

Key exchange
Post-quantumhybrid, NIST-standardized
Forward secrecy
Alwayscontinuous re-keying
Kill switch
Onby default · no bypass
DNS
In-tunnelOS DNS firewall-blocked
Peer isolation
Yesverified end-to-end
LAN access
Preservedhome network keeps working
Logs
Noneactivity-logging not in our architecture
Coverage
Globalall countries unlocked
WHY POST-QUANTUM, WHY NOW

The cliff is real. Privacy needs a head start.

2024

Standards finalized

NIST finalizes the first post-quantum cryptography standards. The era of "experimental PQC" formally ends.

2024

Major rollouts begin

Apple iMessage, Signal, Google Chrome, and Cloudflare all ship post-quantum hybrids in their flagship products.

Today

OllaVPN

Post-quantum-ready handshake on every connection, on the free plan and the paid plan alike.

Soon

The transition

The industry moves from "PQC-capable" to "PQC-default." OllaVPN starts there.

Later

The harvest pays off

"Harvest now, decrypt later" stops being theoretical. Sessions captured with only classical encryption become readable.

Lifetime free · post-quantum ready · no credit card

Privacy that ages well.

Use it · free Where it runs →