A WireGuard VPN running on your Vault. Tunnels every device on your GlassBox VPN networks at once. Zero DNS logging, published configs, weekly security audits. GlassBox VPN is the VPN side of OSS Membership.
GlassBox VPN is the everyday VPN built into your Vault. Phones, tablets, laptops, work machines, anything you connect to a GlassBox VPN network gets tunneled automatically. No apps to install. No per-device setup. Web, apps, calls, work tools, all of it routes through your chosen GlassBox VPN server.
GlassBox VPN is one half of OSS Membership. The other half is full support for everything OSS touches. Together they're $90/year, and the first 30 days are included with every SecureNet system.
Important: The OSS Membership version of GlassBox VPN (whole-home, on your Vault) is exclusive to SecureNet systems on Protectli hardware. If you want GlassBox VPN without SecureNet, there's a single-peer standalone subscription at glassboxvpn.com.
Your ISP sees only encrypted WireGuard traffic. Web browsing, apps on your phone and tablet, video calls, work tools, all tunneled. Whole-home, no per-device app required.
Everything OSS touches is supported. SecureNet configuration, GlassBox VPN connectivity, hardware issues, OPNsense questions. Open a ticket, get help.
~50K known-malicious IPs blocked at the firewall on every GlassBox VPN server, refreshed regularly. Your Vault running SecureNet pulls the same list in the middle of the night, so you're protected on both sides of the tunnel.
Weekly security audits, daily filesystem snapshots, published configs. Verify every claim yourself. No other VPN offers this.
The GlassBox VPN on your Vault tunnels devices on your home network only. When you're at Starbucks, your phone isn't tunneled through it (unless you use a separate mobile VPN).
Netflix, Hulu, Disney+, and YouTube TV are blocked at DNS by design. Streaming services actively block VPNs anyway, so this avoids a fight you'd lose at random.
GlassBox VPN is for everyday traffic, not bulk transfers. Big game updates, multi-gig ISO downloads, that kind of thing. Use your unrestricted networks for those and keep GlassBox VPN snappy for everyone.
Torrenting and pirating are blocked, full stop. Try it and your account dies. We're not your alibi.
GlassBox VPN creates an encrypted WireGuard tunnel between your Protectli Vault and your chosen GlassBox VPN server. Servers are available in Chicago, LA, Dallas, and Ashburn, VA. You select your server during onboarding, and traffic on GlassBox VPN networks is automatically routed through that tunnel.
Websites see: Your server's IP address | Your ISP sees: Encrypted WireGuard packets
| Location | Best For |
|---|---|
| Chicago, IL | Midwest, Great Lakes, Central US |
| Los Angeles, CA | West Coast, Mountain West |
| Dallas, TX | South Central, Texas, Gulf Coast |
| Ashburn, VA | East Coast, Southeast, Northeast |
| Method | How | Subnet |
|---|---|---|
| GlassBox VPN WiFi | Connect any device to the GlassBox VPN SSID (VLAN 60) | 10.60.60.0/24 |
| GlassBox VPN Port | Plug into Port 3 on the Vault (wired devices, switches) | 10.70.70.0/24 |
| Regular Networks | Home, Smart, Guest networks route directly to ISP | 192.168.x.x |
If your device has a 10.x.x.x IP, your traffic is being tunneled. If it has a 192.168.x.x IP, you're on a regular network. Check at whatismyip.com to verify you see your GlassBox VPN server's IP address instead of your home IP.
GlassBox VPN uses WireGuard, a modern VPN protocol with approximately 4,000 lines of code (compared to OpenVPN's 100,000+), making it faster, simpler, and easier to audit. The encryption stack uses ChaCha20, Poly1305, Curve25519, and BLAKE2s. For complete protocol details, see the AI Whitepaper.
OSS Membership isn't just a VPN. It's your support subscription for your entire OSS system. As long as you're a member, you have full support for everything OSS touches.
SecureNet configuration, GlassBox VPN connectivity, OPNsense questions, hardware troubleshooting, WiFi access point issues, network segmentation, Monit alerts, and anything else related to your OSS system.
Third-party devices on your network (NAS, Ubiquiti switches, smart home hubs). If we trace an issue to third-party hardware, we'll let you know and point you in the right direction.
Open a ticket through our support portal. Best effort response during business hours. Thorough written support with video guides for common issues.
Even without OSS Membership, we support hardware issues. Protectli backs the hardware with a 2-year warranty and ships replacements before you return the defective unit.
| Customer Type | Support Level |
|---|---|
| OSS Member | Full support for everything OSS touches. Troubleshooting, guidance, proactive monitoring (if opted in). |
| Non-Member (after trial) | Hardware support only. Troubleshooting guide provided. Confirmed hardware failures coordinated with Protectli RMA. |
| Out of Warranty (2+ years) | Best-effort guidance. Hardware replacement at customer expense. |
GlassBox VPN is built for everyday use. The stuff you and your family do online every day: browsing, email, apps on your phone, video calls, work, banking, shopping, music. All of it tunneled, all of it private from your ISP. What we block is the heavy stuff that wrecks a shared VPN for everyone else: streaming services, torrenting, and bulk transfers. Honest about it up front so you know before you pay, not after you're frustrated.
Most VPNs don't cap individual subscribers because more usage per peer means more bandwidth sold per dollar. When one customer hammers the server, everyone else gets slow speeds and nobody tells them why.
We cap each Vault at 250 Mbps through the GlassBox VPN tunnel. That's enough headroom for a household of six all online at once: video calls, work tools, music, browsing, app traffic, banking, all of it. It's not enough to peg a 10 Gbps server pipe with one Vault streaming or pulling bulk transfers, which is the point. Honest speed at honest load, for everyone sharing the server.
The 250 Mbps cap is a ceiling, not a target. A Vault that holds the ceiling pinned for 10 minutes straight is doing something that does not happen on everyday traffic. Most of the time it is not malicious: someone forgets they're on a GlassBox VPN network and starts a 50 GB game patch, a backup kicks off over the tunnel, an OS updater pulls a half-gig delta in the background. One Vault alone can't take down the server, but a few of them on the same node will eat the burst headroom for everyone else. So we throttle, transparently, with the rules published.
| Layer | What It Does |
|---|---|
| Layer 1: Per-Vault cap | Every Vault is capped at 250 Mbps using Linux tc HTB. Standard kernel traffic control, no custom code, enforced at the WireGuard interface. |
| Layer 2: Saturation throttle | If a Vault holds 90% or more of the 250 Mbps cap for the entire duration of a 10-minute rolling window, the Vault is throttled to 100 Mbps. The throttle releases automatically at 04:00 UTC the next day. |
| Layer 3: Strike review | Three throttle trips within 30 days flags the membership for manual review. We email the account, ask what's running, and decide whether it's normal use that needs adjustment, a misconfiguration we can help fix, or sustained policy violation. Most reviews end with the membership continuing service after a quick conversation. |
Throttle status, trip count, and active enforcement state are surfaced live on the customer dashboard. No surprises, no secret enforcement. The same data the server has about your Vault is the data your dashboard shows you. The exact tooling lives on Forgejo and the AI Whitepaper covers the math.
Streaming and bulk-transfer domains are filtered at DNS so they fail fast and cleanly instead of buffering forever. Torrenting and stealing files is blocked, period. Try it and your account dies. We're not the place for that.
If call quality matters: Video calls work fine on GlassBox VPN for most people, but any VPN tunnel adds a few milliseconds of latency. If you're on a critical work call and want the cleanest possible path, your unrestricted networks (Home, Smart, Guest) are right there with QoS priority for voice traffic.
Most VPNs ask you to trust them. We give you the tools to verify. Here's exactly what we log, what we don't, and what that means for your privacy.
| Server KNOWS | Server DOES NOT Know |
|---|---|
| Your WireGuard public key | Your name or identity |
| Your tunnel IP (10.x.x.x) | Your home IP address (in kernel only, never logged) |
| Total bandwidth used | Which websites you visit |
| That a peer is currently connected | DNS queries (logging disabled in Unbound) |
| Scenario | What Exists On Server | What Does Not Exist |
|---|---|---|
| Government subpoena | Public key, tunnel IP, bandwidth total | DNS queries, browsing history, timestamps |
| Server compromise | Peer configs, current connections | Customer names, DNS history, browsing data |
| ISP request | Encrypted packets to/from server | Any content or queries |
All server configurations are published on Forgejo. You can verify that DNS logging is disabled, check our firewall rules, and see exactly what's running. Better yet, check the GlassBox Verification portal below.
Every week, our servers run a battery of security scans and publish the raw results. No editing. No cherry-picking. You get the same output our team sees. This is what "open source security" actually means.
Full system security audit covering SSH, firewall, file permissions, kernel parameters, and 200+ other checks.
View Report →Scans for 498+ known rootkits, backdoors, and trojans. Verifies system binaries haven't been replaced.
View Report →Compares current system files against a cryptographic baseline. Any unauthorized change is logged and reported.
View Report →Every day at 5:00 AM EST, each server generates a complete filesystem snapshot with SHA-256 checksums of every configuration file. Compare these hashes against the files published on Forgejo to verify nothing has been modified.
View Full Snapshot → | Verification Portal → | Forgejo Source →
| Resource | What It Shows | Link |
|---|---|---|
| Live Server Metrics | CPU, RAM, disk, network usage updating every 5 seconds | status.oss-vpn.net → |
| DNS Blocklist | The exact domains being blocked on your connection | dns-combined.txt → |
| IP Blocklist | The exact IPs being blocked at the network level | ip-combined.txt → |
| Source Code | All server configuration scripts and blocklist tooling | Forgejo → |
All reports are plain text. No accounts, no JavaScript required. Download them with curl and inspect them yourself. If something looks wrong, email us. We want to know.
GlassBox VPN runs on the same infrastructure being tested at glassboxvpn.com/proof. A Texas test client hits ten real websites every 20 minutes through GlassBox VPN and the two biggest names in the VPN category. The script doesn't pick winners. Data is live, methodology is published, the harness is on Forgejo.
Time-to-first-byte (TTFB) is the metric you feel on every page load, every API call, every script your browser fetches. We picked it because we cannot lie about it: the test client measures it from outside the tunnel and the numbers above come from the same JSON file you can curl yourself.
That percentage above translates to roughly 230 milliseconds per request slower on Proton's tunnel. Multiply across 50,000 first-byte requests per year (conservative estimate for a typical internet user) and that's about 2 hours 35 minutes a year of waiting on Proton's tunnel that you wouldn't be waiting on GlassBox VPN's. Heavy users clear 100,000 requests; the math points the same direction.
The infrastructure benchmarked at glassboxvpn.com/proof is the same infrastructure that powers GlassBox VPN on your Vault. Same servers, same WireGuard tunnels, same blocklist, same performance characteristics.
Simple, transparent pricing. No device limits. One price covers your entire household, plus full support.
Billed once annually · 30 days free with SecureNet
Cards, Apple Pay, Cash App Pay, Google Pay, and Link accepted via Stripe
| If You Subscribe | If You Don't |
|---|---|
| Add a payment method, $90 charged once for the year, and everything continues. GlassBox VPN, support, dashboard access. No interruption. | OSS Membership quietly expires. No cancellation needed, no awkward emails. Your SecureNet still works, you just lose GlassBox VPN and full support. |
Hardware support continues regardless: Even without OSS Membership, we support hardware issues. If your Vault fails, Protectli ships a replacement before you return the defective unit. OSS Membership covers software, configuration, and ongoing support.
The version of GlassBox VPN on this page is whole-home, included with OSS Membership, and exclusive to SecureNet customers. There's also a single-peer standalone subscription for one device at glassboxvpn.com ($60/year, no support, capped speeds, same servers and same transparency).
Remember: OSS Membership is optional. SecureNet provides enterprise-grade security with or without it. The membership adds GlassBox VPN, full support, and proactive monitoring. It's not required for network protection.
GlassBox VPN is a US-based service subject to US law. We protect your everyday browsing from your ISP, advertisers, and data brokers. We do not and cannot protect you from government agencies with legal authority to compel surveillance. No US-based service can regardless of what they claim. Our server configurations are published publicly, our security audits are posted weekly, and we maintain a warrant canary. If your threat model includes government-level adversaries you need a provider outside US jurisdiction and we respect that decision. For the full technical and legal breakdown see our AI Whitepaper on Forgejo.
OSS Membership is included free for your first 30 days with SecureNet. Schedule a free intro call to learn more about the complete system.