A WireGuard VPN running on your Vault. Tunnels every device on your SafeNet networks at once. Zero DNS logging, published configs, weekly security audits. SafeNet is the VPN side of OSS Membership.
SafeNet is the everyday VPN built into your Vault. Phones, tablets, laptops, work machines, anything you connect to a SafeNet network gets tunneled automatically. No apps to install. No per-device setup. Web, apps, calls, work tools, all of it routes through your chosen SafeNet server.
SafeNet is one half of OSS Membership. The other half is full support for everything OSS touches. Together they're $9/month or $89/year, and the first 30 days are included with every SecureNet system.
Important: The OSS Membership version of SafeNet (whole-home, on your Vault) is exclusive to SecureNet systems on Protectli hardware. If you want SafeNet without SecureNet, there's a single-peer standalone subscription at safenetvpn.us.
Your ISP sees only encrypted WireGuard traffic. Web browsing, apps on your phone and tablet, video calls, work tools, all tunneled. Whole-home, no per-device app required.
Everything OSS touches is supported. SecureNet configuration, SafeNet connectivity, hardware issues, OPNsense questions. Open a ticket, get help.
~55,000 known-malicious IPs blocked at the firewall on every SafeNet server, refreshed regularly. Your Vault running SecureNet pulls the same list in the middle of the night, so you're protected on both sides of the tunnel.
Weekly security audits, daily filesystem snapshots, published configs. Verify every claim yourself. No other VPN offers this.
The SafeNet on your Vault tunnels devices on your home network only. When you're at Starbucks, your phone isn't tunneled through it (unless you use a separate mobile VPN).
Netflix, Hulu, Disney+, and YouTube TV are blocked at DNS by design. Streaming services actively block VPNs anyway, so this avoids a fight you'd lose at random.
SafeNet is for everyday traffic, not bulk transfers. Big game updates, multi-gig ISO downloads, that kind of thing. Use your unrestricted networks for those and keep SafeNet snappy for everyone.
Torrenting and pirating are blocked, full stop. Try it and your account dies. We're not your alibi.
SafeNet creates an encrypted WireGuard tunnel between your Protectli Vault and your chosen SafeNet server. Servers are available in Chicago, LA, Dallas, and Ashburn, VA. You select your server during onboarding, and traffic on SafeNet networks is automatically routed through that tunnel.
Websites see: Your server's IP address | Your ISP sees: Encrypted WireGuard packets
| Location | Best For |
|---|---|
| Chicago, IL | Midwest, Great Lakes, Central US |
| Los Angeles, CA | West Coast, Mountain West |
| Dallas, TX | South Central, Texas, Gulf Coast |
| Ashburn, VA | East Coast, Southeast, Northeast |
| Method | How | Subnet |
|---|---|---|
| SafeNet WiFi | Connect any device to the SafeNet SSID (VLAN 60) | 10.60.60.0/24 |
| SafeNet Port | Plug into Port 3 on the Vault (wired devices, switches) | 10.70.70.0/24 |
| Regular Networks | Home, Smart, Guest networks route directly to ISP | 192.168.x.x |
If your device has a 10.x.x.x IP, your traffic is being tunneled. If it has a 192.168.x.x IP, you're on a regular network. Check at whatismyip.com to verify you see your SafeNet server's IP address instead of your home IP.
SafeNet uses WireGuard, a modern VPN protocol with approximately 4,000 lines of code (compared to OpenVPN's 100,000+), making it faster, simpler, and easier to audit. The encryption stack uses ChaCha20, Poly1305, Curve25519, and BLAKE2s. For complete protocol details, see the AI Whitepaper.
OSS Membership isn't just a VPN. It's your support subscription for your entire OSS system. As long as you're a member, you have full support for everything OSS touches.
SecureNet configuration, SafeNet VPN connectivity, OPNsense questions, hardware troubleshooting, WiFi access point issues, network segmentation, Monit alerts, and anything else related to your OSS system.
Third-party devices on your network (NAS, Ubiquiti switches, smart home hubs). If we trace an issue to third-party hardware, we'll let you know and point you in the right direction.
Open a ticket through our support portal. Best effort response during business hours. Thorough written support with video guides for common issues.
Even without OSS Membership, we support hardware issues. Protectli backs the hardware with a 2-year warranty and ships replacements before you return the defective unit.
| Customer Type | Support Level |
|---|---|
| OSS Member | Full support for everything OSS touches. Troubleshooting, guidance, proactive monitoring (if opted in). |
| Non-Member (after trial) | Hardware support only. Troubleshooting guide provided. Confirmed hardware failures coordinated with Protectli RMA. |
| Out of Warranty (2+ years) | Best-effort guidance. Hardware replacement at customer expense. |
SafeNet is built for everyday use. The stuff you and your family do online every day: browsing, email, apps on your phone, video calls, work, banking, shopping, music. All of it tunneled, all of it private from your ISP. What we block is the heavy stuff that wrecks a shared VPN for everyone else: streaming services, torrenting, and bulk transfers. Honest about it up front so you know before you pay, not after you're frustrated.
Most VPNs don't cap individual subscribers because more usage per peer means more bandwidth sold per dollar. When one customer hammers the server, everyone else gets slow speeds and nobody tells them why.
We cap each Vault at 250 Mbps through the SafeNet tunnel. That's enough headroom for a household of six all online at once: video calls, work tools, music, browsing, app traffic, banking, all of it. It's not enough to peg a 10 Gbps server pipe with one Vault streaming or pulling bulk transfers, which is the point. Honest speed at honest load, for everyone sharing the server.
Streaming and bulk-transfer domains are filtered at DNS so they fail fast and cleanly instead of buffering forever. Torrenting and stealing files is blocked, period. Try it and your account dies. We're not the place for that.
If call quality matters: Video calls work fine on SafeNet for most people, but any VPN tunnel adds a few milliseconds of latency. If you're on a critical work call and want the cleanest possible path, your unrestricted networks (Home, Smart, Guest) are right there with QoS priority for voice traffic.
Most VPNs ask you to trust them. We give you the tools to verify. Here's exactly what we log, what we don't, and what that means for your privacy.
| Server KNOWS | Server DOES NOT Know |
|---|---|
| Your WireGuard public key | Your name or identity |
| Your tunnel IP (10.x.x.x) | Your home IP address |
| Total bandwidth used | Which websites you visit |
| That a peer is currently connected | DNS queries (logging disabled in Unbound) |
| Scenario | What Exists On Server | What Does Not Exist |
|---|---|---|
| Government subpoena | Public key, tunnel IP, bandwidth total | DNS queries, browsing history, timestamps |
| Server compromise | Peer configs, current connections | Customer names, DNS history, browsing data |
| ISP request | Encrypted packets to/from server | Any content or queries |
All server configurations are published on Forgejo. You can verify that DNS logging is disabled, check our firewall rules, and see exactly what's running. Better yet, check the GlassBox Verification portal below.
Every week, our servers run a battery of security scans and publish the raw results. No editing. No cherry-picking. You get the same output our team sees. This is what "open source security" actually means.
Full system security audit covering SSH, firewall, file permissions, kernel parameters, and 200+ other checks.
View Report →Scans for 498+ known rootkits, backdoors, and trojans. Verifies system binaries haven't been replaced.
View Report →Compares current system files against a cryptographic baseline. Any unauthorized change is logged and reported.
View Report →Every day at 5:00 AM EST, each server generates a complete filesystem snapshot with SHA-256 checksums of every configuration file. Compare these hashes against the files published on Forgejo to verify nothing has been modified.
View Full Snapshot → | Verification Portal → | Forgejo Source →
| Resource | What It Shows | Link |
|---|---|---|
| Live Server Metrics | CPU, RAM, disk, network usage updating every 5 seconds | status.oss-vpn.net → |
| DNS Blocklist | The exact domains being blocked on your connection | dns-combined.txt → |
| IP Blocklist | The exact IPs being blocked at the network level | ip-combined.txt → |
| Source Code | All server configuration scripts and blocklist tooling | Forgejo → |
All reports are plain text. No accounts, no JavaScript required. Download them with curl and inspect them yourself. If something looks wrong, email us. We want to know.
Simple, transparent pricing. No device limits. One price covers your entire household, plus full support.
Or $89/year (save 18%)
First month included free with SecureNet consultation
Cards, Apple Pay, Cash App Pay, Google Pay, and Link accepted via Stripe
| If You Subscribe | If You Don't |
|---|---|
| Add a payment method and everything continues. SafeNet, support, dashboard access. No interruption. | OSS Membership quietly expires. No cancellation needed, no awkward emails. Your SecureNet still works, you just lose SafeNet and full support. |
Hardware support continues regardless: Even without OSS Membership, we support hardware issues. If your Vault fails, Protectli ships a replacement before you return the defective unit. OSS Membership covers software, configuration, and ongoing support.
The version of SafeNet on this page is whole-home, included with OSS Membership, and exclusive to SecureNet customers. There's also a single-peer standalone subscription for one device at safenetvpn.us ($60/year, no support, capped speeds, same servers and same transparency).
Remember: OSS Membership is optional. SecureNet provides enterprise-grade security with or without it. The membership adds SafeNet VPN, full support, and proactive monitoring. It's not required for network protection.
SafeNet is a US-based service subject to US law. We protect your everyday browsing from your ISP, advertisers, and data brokers. We do not and cannot protect you from government agencies with legal authority to compel surveillance. No US-based service can regardless of what they claim. Our server configurations are published publicly, our security audits are posted weekly, and we maintain a warrant canary. If your threat model includes government-level adversaries you need a provider outside US jurisdiction and we respect that decision. For the full technical and legal breakdown see our AI Whitepaper on Forgejo.
OSS Membership is included free for your first 30 days with SecureNet. Schedule a free intro call to learn more about the complete system.