WireGuard VPN with zero DNS logging, published configurations, and weekly security audits. GlassBox security for SecureNet customers.
SafeNet is more than a VPN. It's private browsing + full support + real-time transparency for SecureNet customers with Protectli Vaults. Connect to a SafeNet network and all your traffic automatically routes through our Chicago server. No apps to install, no per-device configuration.
Important: SafeNet is exclusive to SecureNet systems on Protectli hardware. It is not a standalone VPN service you can purchase separately.
Your ISP sees only encrypted WireGuard traffic. They cannot see what websites you visit, what you search for, or what you do online.
Everything OSS touches is supported. SecureNet configuration, SafeNet connectivity, hardware issues. Open a ticket, get help.
Weekly security audits, daily filesystem snapshots, published configs. Verify every claim yourself. No other VPN offers this.
SafeNet protects your home network only. When you're at Starbucks, your phone isn't tunneled through SafeNet (unless you use a separate mobile VPN).
Netflix, Hulu, Disney+, and YouTube are blocked by design. Streaming services also actively block VPNs anyway.
UDP traffic is blocked to manage bandwidth and protect the service. Use your regular network for gaming.
SafeNet creates an encrypted WireGuard tunnel between your Protectli Vault and our Chicago server. Traffic on SafeNet networks is automatically routed through this tunnel.
Websites see: Chicago IP address | Your ISP sees: Encrypted WireGuard packets
| Method | How | Subnet |
|---|---|---|
| SafeNet WiFi | Connect any device to the SafeNet SSID (VLAN 60) | 10.60.60.0/24 |
| SafeNet Port | Plug into Port 3 on the Vault (wired devices, switches) | 10.70.70.0/24 |
| Regular Networks | Home, Smart, Guest networks route directly to ISP | 192.168.x.x |
If your device has a 10.x.x.x IP, your traffic is being tunneled. If it has a 192.168.x.x IP, you're on a regular network. Check at whatismyip.com to verify you see a Chicago IP address.
SafeNet uses WireGuard, a modern VPN protocol with approximately 4,000 lines of code (compared to OpenVPN's 100,000+), making it faster, simpler, and easier to audit. The encryption stack uses ChaCha20, Poly1305, Curve25519, and BLAKE2s. For complete protocol details, see the AI Whitepaper.
SafeNet isn't just a VPN. It's your support subscription for your entire OSS system. As long as you're a SafeNet subscriber, you have full support for everything OSS touches.
SecureNet configuration, SafeNet VPN connectivity, OPNsense questions, hardware troubleshooting, WiFi access point issues, network segmentation, Monit alerts, and anything else related to your OSS system.
Third-party devices on your network (NAS, Ubiquiti switches, smart home hubs). If we trace an issue to third-party hardware, we'll let you know and point you in the right direction.
Open a ticket through our support portal. Best effort response during business hours. Thorough written support with video guides for common issues.
Even without SafeNet, we support hardware issues. Protectli backs the hardware with a 2-year warranty and ships replacements before you return the defective unit.
During onboarding, you can opt into proactive monitoring. Your Vault's Monit system sends alerts to both you and OSS. If we see something concerning (LAN port down, CPU pegged, disk filling up), we email you before a small issue becomes a big problem. This is daily alert review, not a staffed 24/7 NOC.
| Customer Type | Support Level |
|---|---|
| SafeNet Subscriber | Full support for everything OSS touches. Troubleshooting, guidance, proactive monitoring (if opted in). |
| Non-Subscriber (after trial) | Hardware support only. Troubleshooting guide provided. Confirmed hardware failures coordinated with Protectli RMA. |
| Out of Warranty (2+ years) | Best-effort guidance. Hardware replacement at customer expense. |
SafeNet enforces a browse-only policy by design. This isn't a limitation. It's how we keep the service fast, legal, and affordable for everyone.
Enforcement works at two levels: UDP is blocked at the protocol level (kills streaming, gaming, VoIP), and streaming CDNs are filtered at DNS (netflix.com, disneyplus.com, etc. return NXDOMAIN). This keeps bandwidth manageable across 200+ customers sharing 10 Gbps, eliminates piracy liability, and keeps the price at $9/month.
Note on VoIP: VoIP quality suffers through any VPN tunnel due to latency. Your other networks (Home, Smart, Guest) have unrestricted internet with QoS priority for voice traffic. Use those for video calls.
Most VPNs ask you to trust them. We give you the tools to verify. Here's exactly what we log, what we don't, and what that means for your privacy.
| Server KNOWS | Server DOES NOT Know |
|---|---|
| Your WireGuard public key | Your name or identity |
| Your tunnel IP (10.x.x.x) | Your home IP address |
| Total bandwidth used | Which websites you visit |
| That a peer is currently connected | DNS queries (logging disabled in Unbound) |
| Scenario | What Exists On Server | What Does Not Exist |
|---|---|---|
| Government subpoena | Public key, tunnel IP, bandwidth total | DNS queries, browsing history, timestamps |
| Server compromise | Peer configs, current connections | Customer names, DNS history, browsing data |
| ISP request | Encrypted packets to/from server | Any content or queries |
All server configurations are published on Forgejo. You can verify that DNS logging is disabled, check our firewall rules, and see exactly what's running. Better yet, check the GlassBox Verification portal below.
Every week, our server runs a battery of security scans and publishes the raw results. No editing. No cherry-picking. You get the same output our team sees. This is what "open source security" actually means.
Full system security audit covering SSH, firewall, file permissions, kernel parameters, and 200+ other checks.
View Report →Scans for 498+ known rootkits, backdoors, and trojans. Verifies system binaries haven't been replaced.
View Report →Compares current system files against a cryptographic baseline. Any unauthorized change is logged and reported.
View Report →Every day at 5:00 AM EST, the server generates a complete filesystem snapshot with SHA-256 checksums of every configuration file. Compare these hashes against the files published on Forgejo to verify nothing has been modified.
View Full Snapshot → | Verification Portal → | Forgejo Source →
| Resource | What It Shows | Link |
|---|---|---|
| Live Server Metrics | CPU, RAM, disk, network usage updating every 5 seconds | status.oss-vpn.net → |
| DNS Blocklist | The exact domains being blocked on your connection | dns-combined.txt → |
| IP Blocklist | The exact IPs being blocked at the network level | ip-combined.txt → |
| Source Code | All server configuration scripts and blocklist tooling | Forgejo → |
All reports are plain text. No accounts, no JavaScript required. Download them with curl and inspect them yourself. If something looks wrong, email us. We want to know.
Simple, transparent pricing. No data caps. No device limits. One price covers your entire household, plus full support.
Or $89/year (save 18%)
First month included free with SecureNet consultation
Cards, Apple Pay, Cash App Pay, Google Pay, and Link accepted via Stripe
| If You Subscribe | If You Don't |
|---|---|
| Add a payment method and everything continues. VPN, support, dashboard access. No interruption. | SafeNet quietly expires. No cancellation needed, no awkward emails. Your SecureNet still works, you just lose VPN and full support. |
Hardware support continues regardless: Even without SafeNet, we support hardware issues. If your Vault fails, Protectli ships a replacement before you return the defective unit. SafeNet subscription covers software, configuration, and ongoing support.
Remember: SafeNet is optional. SecureNet provides enterprise-grade security with or without SafeNet. The subscription adds VPN privacy, full support, and proactive monitoring. It's not required for network protection.
SafeNet is just getting started. Here's what's coming for subscribers.
Additional server locations for better geographic coverage and lower latency.
Coming SoonAutomated analysis of your system logs to catch issues before they become problems.
PlannedStaffed monitoring with immediate response to critical alerts, not just daily check-ins.
PlannedSafeNet subscribers get first access to new features as they roll out. Your subscription supports continued development of the platform.
SafeNet is included free for your first 30 days with SecureNet. Schedule a free intro call to learn more about the complete system.