Status · All systems normal
Free for Mac · Apple Silicon + Intel · Updated June 2026

Free VPN for Mac, that actually is free.

Lifetime free, 10 Mbps, every country we serve, no data cap, no card. Post-quantum-ready encryption out of the box. Apple Silicon native and Intel supported.

TL;DR

OllaVPN for Mac is genuinely free, forever. 10 Mbps, every country, one device, no time limit, no credit card. Apple Silicon native, Intel supported, macOS 12 and later.

The kill switch is on by default and cannot be disabled. DNS stays inside the tunnel. No connection logs. The Pro tier at $2 a month lifts the speed cap to 10 Gbps and adds four more device slots.

Download OllaVPN free for Mac →

What you get on the free tier on Mac

OllaVPN's free plan on macOS is the same shape as the free plan on every other platform — the trade is bandwidth and devices, and what you get in exchange is the entire country list and every privacy feature. There is no "Mac users only get fewer countries" small print. There is no "Mac costs extra because Apple." A macOS user on the free tier gets the same access to the network as a Windows or Android user.

10 Mbps speed cap. Plenty for HD streaming (Netflix HD requires 5 Mbps, Hulu HD 6 Mbps, Disney+ HD 5 Mbps), all browsing, all calls (Zoom HD needs 1.8 Mbps both ways, FaceTime HD 1.5 Mbps), and large downloads at a steady but unhurried pace. Where 10 Mbps stops working: 4K streaming (Netflix 4K needs 25 Mbps, Apple TV+ 4K 25 Mbps), simultaneous downloads + streaming, and torrenting at speed. If you regularly hit any of those use cases, the Pro tier at $2/month annual is built for that — 10 Gbps cap, 5 devices.

1 simultaneous device. If you connect from a phone too, only one tunnel is active at a time on free. The second device that tries to connect evicts the first. This is rate-limited at the cp side (a few seconds between reassignments) so you can't accidentally thrash. Pro raises the device cap to 5, which fits a household with two phones, two laptops, and a tablet without juggling.

Every country we serve. Some free VPNs cap free users to two or three countries. Proton VPN Free is the most prominent example — three exits, period. OllaVPN does not. If we have an exit in Frankfurt, Detroit, or any other city, free users can connect to it. The exit list rotates as we add and remove servers — check the in-app country picker for the live list, or run our what-is-my-IP tool from each country after connecting to verify.

No data cap. Stream as much as the 10 Mbps cap will carry. There is no monthly meter, no rollover, no "fair use" small print, no automatic Pro upgrade after a threshold. The math: 10 Mbps continuously for 30 days is roughly 3.2 TB — far more than any reasonable user would do in a month. Even if you sustained the cap 24/7 we wouldn't email you about it. The cap itself is the only ceiling.

No time limit. The free tier does not become a paywall after seven days, or thirty, or three hundred and sixty-five. It is the product. The Pro tier exists because some users want more bandwidth or more devices and will pay for it; it does not exist as the goal we're funneling free users toward against their will. We make no attempt to nag free users to upgrade in-session. The closest we come is a Settings page entry that lists Pro features, which is necessary to make the upgrade discoverable for users who genuinely want it.

What's on the account itself. Free signup requires an email address and a password (argon2id-hashed at the cp). Email verification is mandatory before first connect — same as for Pro signups. The account record stores: email, password hash, account state, created/verified dates, current peer-slot assignment (which exit you're connected to, if any). It does NOT store: connection history, DNS queries, source IPs of past connections, destination IPs of past connections, per-packet metadata, or any browsing data. The full data inventory is documented in our security disclosure and the company about page.

What's actually inside the macOS app

OllaVPN for Mac is built on the same engineering as the Windows and Android apps — the WireGuard tunnel, the in-tunnel DNS resolver, the per-peer rate cap. The macOS-specific work lives in five places: the Apple Silicon native build, the Network System Extension that hosts the tunnel, the system service daemon that hosts the kill-switch firewall, the menu bar UI app, and the secure IPC channel between the UI and the daemon.

Apple Silicon native build. The arm64 binary is compiled natively for M-series chips (M1, M2, M3, M4 and successors). There is no Rosetta involved at runtime. The CPU overhead of an active tunnel on an M2 MacBook Air during normal browsing is sub-1%; under sustained 10 Mbps streaming the overhead is roughly 1-2% of one P-core, undetectable in Activity Monitor's foreground apps view. The Intel build (x86_64) is separately compiled for older Macs and runs at roughly 2-3% CPU overhead under the same load — still imperceptible but measurably less efficient than the native arm64 path. The installer is a Universal Binary (UB2) that contains both slices; macOS picks the right one at install time.

Network System Extension. The tunnel runs as a macOS Network System Extension (NESystemExtension) hosting a Packet Tunnel Provider (NEPacketTunnelProvider). This is Apple's modern, App-Store-blessed way for a third-party app to claim the system-default route — replacing the older OS X "system kernel extension" model that Apple deprecated in 2019. The Network Extension framework is the same plumbing Tailscale, Mullvad, ProtonVPN, NordVPN, and ExpressVPN all use on macOS in 2026. There is no driver to install at the kernel level; the extension runs in user space with carefully scoped entitlements and can be uninstalled cleanly from System Settings > General > Login Items & Extensions.

WireGuard userspace implementation. The actual cryptographic tunnel is wireguard-go, the official userspace WireGuard implementation maintained by Jason Donenfeld and the WireGuard project. We have not written our own crypto. We carry a small fork that adds the hybrid X25519 + ML-KEM-768 handshake (PQC) — that fork is open about exactly what it changes and where. The base WireGuard protocol semantics are unchanged.

System service daemon (root-owned). The Network Extension can manage the tunnel but cannot reach far enough into the system to install firewall rules, modify the routing table, or override DNS at the system level. Those operations need root. We solve this the standard macOS way: a small system service daemon, launched at install time by launchd, runs as root and accepts requests over a local Unix domain socket from the UI app. The daemon is what installs Packet Filter rules, calls scutil to manage DNS supplemental keys, and manages the routing table. The UI app is a normal user-space app with no special privileges.

Packet Filter kill switch. When the tunnel goes up, the OllaVPN system service installs PF (Packet Filter) rules that block all non-tunnel egress at the OS firewall layer. The rules block all interfaces except the tunnel device, and they also blackhole the OS resolver and the IPv6 default route. If the tunnel drops mid-session — because of a network change, a sleep/wake cycle, or an exit-server restart — the PF rules stay in place until the tunnel reconnects. Your real IP cannot leak even briefly during a transition. The rules are also installed in a way that survives the Network Extension being killed (so if the extension crashes, the firewall doesn't drop with it). Removing the rules requires the daemon to explicitly tear them down, which only happens when the user clicks Disconnect.

Secure IPC: UDS + UID check. The UI app talks to the system daemon over a Unix Domain Socket at a fixed path. The daemon checks the connecting process's UID on every request to ensure it's the OllaVPN UI app, not some other process attempting to control the tunnel. This isn't novel — every modern VPN on macOS does something similar — but it's worth naming because it's what prevents a malicious app on your Mac from connecting to OllaVPN's daemon and impersonating user actions.

How macOS' VPN architecture actually works

If you're technically curious about why macOS VPNs all converge on the same architecture (Network Extension + system service daemon + UDS IPC), the reason is Apple's security model. Pre-2019 macOS allowed third-party kernel extensions, and many VPN clients shipped kernel-level "TUN/TAP" drivers. Apple deprecated that path for security reasons (kernel extensions can do too much; supply-chain compromise of a VPN client could compromise the entire OS).

The modern replacement is the Network Extension framework. Within that framework, three provider types matter for VPN clients:

Packet Tunnel Provider (NEPacketTunnelProvider). The full-tunnel option. The extension creates a virtual network interface (utun) and claims the system default route. All IP traffic flows through the extension, which can encrypt it and forward it to a remote endpoint. OllaVPN, Tailscale, Mullvad, and ProtonVPN all use this. It's the right primitive for a "real" VPN.

App Proxy Provider (NEAppProxyProvider). A per-app tunnel option. The extension can selectively route specific apps' traffic; everything else uses the system default. This is the split-tunneling primitive. OllaVPN doesn't yet expose this; the Pro tier roadmap includes split-tunneling for power users who want it.

Filter Data Provider (NEFilterDataProvider). A traffic-inspection-only option. The extension can observe and block traffic but not modify or tunnel it. This is what content filters and parental-control apps use. Not relevant to a VPN.

The Network Extension framework also imposes constraints that shape every macOS VPN: extensions have memory limits, they can be killed by the OS under memory pressure, they can't easily share state with the UI app (hence the daemon), and they need explicit user approval per System Settings prompt on first install. Working with these constraints — not against them — is the difference between a Mac VPN that "just works" through a year of macOS updates and one that breaks with every major release.

Privacy properties on Mac specifically

Three privacy properties matter most on macOS, and OllaVPN handles all three with belt-and-braces enforcement. We document them here in technical detail because privacy-product claims should be verifiable.

DNS doesn't leak. macOS has a stubborn tendency to fall back to the original system DNS resolver when a tunnel resolver is slow to respond, when the network configuration changes, or when an app uses certain APIs that bypass the system resolver (notably dnssd-based mDNS queries and some Apple-native DoH implementations). OllaVPN handles this with two layers. Layer 1: at connect time, the daemon uses scutil to install supplemental DNS rules at the highest priority, pointing at the tunnel's in-tunnel resolver (e.g., 100.64.0.1). This makes the tunnel resolver the system's "first answer" for almost all queries. Layer 2: the Packet Filter rules block all outbound traffic on UDP port 53 and TCP port 53 to any address other than the tunnel resolver. Even if some app or system component tries to bypass the supplemental DNS rules and hit 8.8.8.8 directly, the packet never leaves the box.

You can verify the no-leak posture from your own Mac in three steps: connect to OllaVPN, open our DNS lookup tool, and run a query. The resolver IP returned should be the in-tunnel one. Disconnect, repeat — now you should see your ISP's resolver. The diff is the evidence.

IPv6 doesn't leak. The tunnel interface is IPv4-only by design. The IPv6 system route is removed from every interface at connect time (via route delete -inet6 default-equivalent calls inside the daemon), and a separate PF rule blocks all IPv6 traffic on every interface that isn't the tunnel. At disconnect, the IPv6 routes are restored to what they were at connect time. Apps that prefer IPv6 will get a connection failure on the v6 path and fall back to IPv4 — which is inside the tunnel.

Verify on our WebRTC leak test: while connected, the test should show only the exit's IPv4 address. If you see your real IPv6 address, the IPv6 disable layer has failed and we want to know about it (email security@ollavpn.com).

Wake from sleep doesn't leak. When your Mac wakes from sleep, the network stack goes through a brief reconfiguration: interfaces re-attach, DHCP renews, routes settle. The window is small (typically 200-2000 ms) but real. OllaVPN's daemon registers for NSWorkspaceDidWakeNotification and, before the network stack finishes reconfiguring, instructs the firewall to maintain the kill-switch rules and pauses outbound traffic until the WireGuard tunnel has completed a fresh handshake. You may see a "Reconnecting" badge in the menu bar for a second or two — that's the design working as intended. The alternative would be a window in which packets could escape the tunnel.

Wi-Fi network changes also don't leak. Same mechanism, different trigger. The daemon registers for SCDynamicStoreNotificationCallback on the system configuration changes related to network state. When the user moves from one Wi-Fi network to another (or from Wi-Fi to Ethernet), the daemon detects the transition, holds the kill-switch rules in place, and re-handshakes the tunnel on the new network. The user sees one or two seconds of "Reconnecting" and then resumes. Real IPs do not leak during the transition.

Captive portal detection works through the tunnel. macOS has a "Captive Network Assistant" that pings Apple's captive portal probe endpoint (captive.apple.com/hotspot-detect.html) at network-join time to detect coffee-shop login portals. OllaVPN's tunnel routes this probe through the exit, which means captive portals on hostile networks (hotels, airports) won't see your real device's MAC or IP. We do detect when a captive portal is intercepting traffic and surface a one-time notification in the menu bar so you can briefly disconnect, sign in, and reconnect.

macOS version compatibility — Ventura, Sonoma, Sequoia, beyond

OllaVPN supports macOS 12 Monterey and later. We do not support Big Sur (macOS 11) or earlier because the Network Extension framework received material changes in macOS 12 that we rely on. Specifically:

macOS 12 Monterey — fully supported. The minimum supported version. Network Extension prompts use the older "approve in System Preferences" flow.

macOS 13 Ventura — fully supported. System Preferences became System Settings. Network Extension prompts now route through Login Items & Extensions instead of Security & Privacy. Our installer detects the version and shows the right path in the first-launch prompt.

macOS 14 Sonoma — fully supported. Sonoma changed how login items are presented (the new Login Items & Extensions panel). Tested through point releases 14.0–14.6.

macOS 15 Sequoia — fully supported. Sequoia introduced a stricter "Apple Intelligence" telemetry path which our app does not interact with, and tightened the System Settings prompts around Network Extensions. Tested through Sequoia 15.3 as of June 2026. Sequoia's stricter behavior around SYS_PROC_INFO (the syscall macOS uses internally for some process introspection) was a known gotcha in 2025; our daemon avoids it and uses the supported sysctl kern.procargs2 path instead — the same path Tailscale and Mullvad use post-Sequoia.

Future macOS versions — we test against the developer beta each summer (typically June-September WWDC cycle) and ship compatibility updates before the public release in October. If a new macOS release breaks our app, you'll see a banner in-app pointing at the relevant fix.

Apple Silicon vs Intel performance

OllaVPN ships universal binaries (UB2) containing both Apple Silicon (arm64) and Intel (x86_64) slices. On install, macOS picks the right one. There is no Rosetta involvement on Apple Silicon Macs.

Apple Silicon (M1/M2/M3/M4 and successors): The ChaCha20-Poly1305 cipher that WireGuard uses runs natively on the ARMv8 crypto extensions present on every M-series chip. CPU overhead from a tunnel under normal browsing load: sub-1% of one P-core. Under sustained 10 Mbps streaming: 1-2%. Under 1 Gbps Pro-tier throughput (if you upgrade): 5-8% of one P-core. Battery impact is correspondingly small — we've benchmarked a closed-lid-streaming-via-VPN session on an M2 MacBook Air at roughly 1-2% additional battery drain per hour vs the same session without VPN, well within the noise floor of macOS' own battery accounting.

Intel (x86_64, supported back to macOS 12 Monterey): Roughly 2x the CPU overhead of Apple Silicon, due to the absence of dedicated crypto acceleration on older Intel Macs without AES-NI improvements. Typical numbers: 2-3% CPU under normal browsing, 3-5% under 10 Mbps streaming. Still imperceptible in Activity Monitor's foreground apps but measurable in detailed CPU reports. Battery impact is correspondingly larger; on a 2019 16-inch Intel MacBook Pro we measure roughly 4-5% additional battery drain per hour during sustained VPN streaming. Not a deal-breaker but a real cost.

Conclusion: there is no performance reason to avoid OllaVPN on either architecture. Apple Silicon gets the better path because that's where Apple is investing; Intel gets the working path. Battery-sensitive users on Intel Macs may prefer to connect only when needed rather than leaving the tunnel up 24/7.

How it compares to other free VPNs on Mac

The other free VPNs that ship a macOS app in 2026 are Proton VPN Free, Windscribe Free, PrivadoVPN Free, hide.me Free, and TunnelBear Free. Here's the honest comparison on the dimensions that matter on a Mac specifically.

Country selection on free tier. OllaVPN: every country we serve (the in-app picker shows the live list — typically 8-15 countries depending on rotation). Proton VPN Free: 3 countries (US, NL, JP — the same three for years). Windscribe Free: 10+ rotating (US, UK, CA, DE, FR, NL, NO, RO, CH, HK, plus a rotating set). PrivadoVPN Free: 13 fixed (US-East, US-West, UK, DE, FR, NL, CH, CA, BR, AR, MX, AU, JP). hide.me Free: 8 fixed (DE, NL, US-E, US-W, CA, UK, FR, SG). TunnelBear Free: 47 countries (the largest free-tier list in the category, but capped at 500 MB/month).

Data cap on free tier. OllaVPN: unlimited. Proton VPN Free: unlimited. Windscribe Free: 10 GB/mo (+5 GB for email verify, +5 GB for tweet — max 20 GB). PrivadoVPN Free: 10 GB/mo. hide.me Free: 10 GB/mo. TunnelBear Free: 500 MB/mo (+1.5 GB for tweet — max 2 GB).

Speed cap on free tier. OllaVPN: 10 Mbps (explicit, documented). Proton VPN Free: variable (Proton calls this "medium speed," not capped at a number — practically 5-50 Mbps depending on exit congestion). Windscribe Free: variable. PrivadoVPN Free: variable. hide.me Free: variable. TunnelBear Free: variable.

Device count on free tier. OllaVPN: 1. Proton VPN Free: 1. Windscribe Free: unlimited (rare). PrivadoVPN Free: 1. hide.me Free: 1. TunnelBear Free: unlimited.

Kill switch on by default. OllaVPN: yes, cannot be disabled (PF-rule level). Proton VPN Free: yes, can be toggled. Windscribe Free: yes, can be toggled. PrivadoVPN Free: yes, can be toggled. hide.me Free: yes, can be toggled. TunnelBear Free: yes, can be toggled. (We treat "cannot be disabled" as the stronger posture; the others let an unwary user accidentally turn off their leak protection.)

Apple Silicon native. All six ship Universal Binaries in 2026. Equal here.

Audited. Proton VPN: yes (Securitum 2022, 2023, 2024). Windscribe: yes (Cure53 2022). PrivadoVPN: yes (KPMG 2023). hide.me: yes (Securitum 2023). TunnelBear: yes (annual since 2017, most recent Cure53). OllaVPN: scheduled but not yet completed — we're newer to the category. (This is the honest disadvantage of picking OllaVPN today; we're earning the audit track record now.)

Post-quantum cryptography on free. OllaVPN: yes, by default. Proton VPN Free: no (paid only). Windscribe Free: no. PrivadoVPN Free: no. hide.me Free: no. TunnelBear Free: no. PQC is OllaVPN's biggest differentiator on the free tier — see the methodology in our best free VPN 2026 guide for why it matters.

Linux client. Proton VPN: yes (and excellent). Mullvad (paid): yes. OllaVPN: not yet. If you also use Linux daily, Proton VPN Free is the right pairing for cross-platform consistency.

iOS client. All six listed here ship iOS clients. OllaVPN does not yet ship iOS — it's on the roadmap behind Apple Developer Program enrollment and the Network Extension entitlement approval. If you need both macOS and iOS today, Proton VPN Free is the right pairing.

For the full hand-picked comparison across all six picks plus the broader category analysis (funding models, red flags, "free VPNs we left out and why"), see our Best free VPN 2026 guide.

Why we don't recommend X free VPNs on Mac

A few specific names readers will find by searching "free VPN for Mac" that we deliberately do not include in the comparison above:

Free VPN .org (FreeVPN.org), Free VPN Hub, Free VPN Master, X-VPN Free, Hotspot Shield Free. These appear high in App Store search results and Google. Most have either undisclosed parent-company arrangements, mandatory ad SDKs (your traffic to ad networks even when not browsing), or funding models that the operator does not openly document. Hotspot Shield specifically was the subject of a 2017 FTC complaint by the Center for Democracy and Technology over alleged traffic injection — the case settled without findings, but the underlying behavior that prompted it is a red flag against trusting them with a privacy product. Avoid as a category.

Opera VPN (built into the Opera browser). Not a real VPN — it's a proxy that covers only Opera browser traffic. Everything else (other browsers, system services, native apps, command-line tools) bypasses it. The marketing implies more than it delivers. If your only need is changing the apparent country of Opera browser traffic, fine; otherwise pick a real VPN.

Free trials marketed as "free VPNs" (NordVPN free trial, ExpressVPN free trial, Surfshark free trial). These are 7-day or 30-day trials, not actual free tiers. They expire and bill your card unless you cancel. The honest free tiers on this comparison page do not require a card and do not expire.

Install in three steps (with what to expect)

Step 1 — Download. Open ollavpn.com/dl/ in any browser and click the macOS button. The installer is a Universal Binary (~30 MB) so the download is identical on Apple Silicon and Intel. Verify the SHA-256 of the downloaded .dmg against the value shown on the downloads page if you want to be belt-and-braces (this matters more before notarization is in place; see Step 2).

Step 2 — First launch. Open the .dmg, drag OllaVPN to Applications, then launch OllaVPN from Applications. Because we have not yet completed Apple notarization (on the roadmap for public launch), macOS Gatekeeper will show a one-time warning that says "OllaVPN cannot be opened because the developer cannot be verified." This is a normal stage-1-software signal, not a malware indicator. To proceed: open System Settings → Privacy & Security, scroll to the "Security" section, and click "Open Anyway" next to OllaVPN. On a notarized future build this prompt will not appear.

Next, macOS will show two permission prompts in sequence:

"OllaVPN would like to add VPN Configurations." — Required. This is macOS asking permission for our Network System Extension to install. Click Allow. Then macOS may show a system password prompt; enter your Mac login password.

"OllaVPN would like to add a system extension." — Required on first install only. This opens System Settings → General → Login Items & Extensions, where you'll see OllaVPN listed under Network Extensions with a toggle. Enable it.

Both prompts can be revoked at any time from System Settings > Network (VPN configurations) and System Settings > General > Login Items & Extensions (system extensions). Uninstalling OllaVPN cleans both up automatically.

Step 3 — Sign in and connect. Create a free OllaVPN account (email + password; verify email when the link arrives — usually within 30 seconds), or sign in with existing credentials. The country picker shows the live exit list. Pick one and click Connect. The WireGuard handshake completes in 1-2 seconds; the menu bar icon transitions from gray to green to indicate "tunnel up, kill switch active." Your traffic is now egressing from the chosen country.

Verifying it worked. Open our what-is-my-IP tool in a browser. The IP shown should be the exit's IP, not your real one. Open our WebRTC leak test. There should be no leaks. Open our DNS lookup tool and resolve any domain. The resolver shown should be the in-tunnel one.

Common Mac VPN problems and fixes

The problems below are the ones we see most often in support tickets and forum discussions. The fixes are practical, not theoretical.

"OllaVPN cannot be opened because the developer cannot be verified." The Gatekeeper warning before notarization. See Step 2 above — System Settings → Privacy & Security → Open Anyway. One-time only.

The Network Extension prompt doesn't appear. Sometimes macOS suppresses the prompt if you've previously denied it. Open System Settings → General → Login Items & Extensions → Network Extensions; toggle OllaVPN to enabled. If OllaVPN isn't listed there, uninstall OllaVPN and reinstall; the prompt should appear on fresh install.

"Connection failed" on first connect. Usually a firewall/router on your local network is blocking UDP 51820 (WireGuard's default port). Workarounds: (1) try a different network briefly to isolate; (2) on a restrictive corporate or hotel network, the Frankfurt exit supports MASQUE-over-port-443 obfuscation that looks like HTTPS to network observers — switch to it in the country picker.

Wi-Fi switches and the tunnel drops. Expected and recovers automatically. The menu bar shows "Reconnecting" for 1-3 seconds while the daemon detects the network change, holds the kill switch, and re-handshakes on the new network. If it stays "Reconnecting" longer than 30 seconds, click Disconnect then Connect.

Sleep/wake takes longer than usual to reconnect. macOS' wake-from-sleep path includes a network stack reconfiguration window that can take 200ms-2s. We pause traffic during this window (kill switch stays active) and re-handshake when the network is ready. If the wake-reconnect window exceeds 10 seconds repeatedly, file a support ticket with the time and your macOS version.

DNS is slow inside the tunnel. The in-tunnel resolver (an unbound instance on each exit) caches popular DNS queries but cold queries can take 50-200ms. This is a privacy-vs-speed tradeoff we make deliberately — sending DNS through a tunnel adds latency vs hitting your ISP's resolver directly. The tradeoff is worth it (your ISP cannot see DNS lookups while connected). If specific queries are unusually slow, our DNS lookup tool tells you whether the slowness is the resolver or the upstream record itself.

A specific website breaks while connected. Some sites geo-block or VPN-block specific exits. Try switching exits. If the site works directly but not through any OllaVPN exit, the site has blocklisted our IP ranges (sometimes streaming services do this). The honest fix: disconnect briefly for that one site, or use a different paid VPN with a streaming-specific SKU.

Battery drains faster. Apple Silicon Macs: typically 1-2% additional drain per hour during active tunnel use, undetectable in casual use. Intel Macs: 4-5% additional drain per hour. If you see substantially more than these numbers, the network may be unstable and the tunnel may be re-handshaking too often — try a different exit, or disconnect when not actively needed.

OllaVPN won't disconnect. Very rare, usually after a forced sleep or a macOS crash. Force-quit OllaVPN from Activity Monitor; if the network is still routed through the tunnel afterward, run sudo route delete default 100.64.0.1 in Terminal (replace with the actual in-tunnel gateway you can see in the menu bar's "Connection info" panel) to manually clear the route. Reinstalling clears everything if all else fails.

You see ads on sites that normally don't show ads. Not us — OllaVPN does not inject ads, full stop. If you see this while connected, run a malware scan; the culprit is usually a browser extension or a separate adware app, not the VPN. If it consistently only happens while connected and not otherwise, file a support ticket with packet capture and we'll investigate (this would be a serious incident on our side).

Browser-specific notes on macOS

Different browsers handle DNS, WebRTC, and proxy settings slightly differently. None of these are issues per se, just dimensions to know about.

Safari. Uses the macOS system DNS resolver. Honors the in-tunnel DNS we install. WebRTC is enabled by default and respects the system network stack — so it goes through the VPN tunnel and does not leak. Private Relay (Apple's privacy proxy for iCloud+) interacts with system VPNs by deferring to the VPN; Private Relay is effectively disabled while OllaVPN is connected. This is fine for most users; Private Relay's protections are weaker than a full VPN.

Chrome / Edge / Brave / other Chromium-based browsers. Use the macOS system DNS resolver. Chromium has its own WebRTC implementation that historically had a leak bug (it would expose local network interfaces' IPs); modern Chromium versions respect the system network policy and do not leak when a VPN is active. You can verify on our WebRTC leak test.

Firefox. By default uses the macOS system DNS resolver, so honors in-tunnel DNS. However, Firefox optionally enables DNS-over-HTTPS (DoH) which sends DNS to Cloudflare or NextDNS instead of the system resolver — bypassing the VPN's in-tunnel DNS for resolution (the actual traffic still goes through the tunnel). For the strictest privacy posture, disable Firefox's "Enable DNS over HTTPS" in Settings → Privacy & Security → Network Settings while using a VPN, so DNS goes through the tunnel resolver instead.

All browsers. The VPN tunnel covers traffic at the OS network layer, not the browser layer. There is nothing browser-specific you need to enable in any browser to "use the VPN" — once the tunnel is up, every browser is using it automatically.

What the macOS app does NOT do (transparency)

For completeness, the things some users expect a Mac VPN to do that ours does not, with the reason:

No iOS app yet. iOS requires the Apple Developer Program ($99/year) and the Network Extension entitlement, which is on a roadmap behind our public launch. If you need iOS coverage today, Proton VPN Free, Windscribe Free, and hide.me Free all have iOS apps.

No Linux desktop client yet. Linux is on a roadmap but not stage-1 scope. Proton VPN's Linux client is the gold standard if you need it; Mullvad's is also excellent.

No split-tunneling on macOS yet. Split-tunneling on macOS requires the NEAppProxyProvider path rather than the NEPacketTunnelProvider we use today. It's a planned Pro-tier feature. Currently every app on the Mac goes through the tunnel.

No in-tunnel ad blocking yet. Windscribe (R.O.B.E.R.T.) and a few competitors ship resolver-level ad blocking. We have not yet shipped this on the tunnel-resolver path. It's a planned Pro-tier feature.

No multi-hop on free. Sovereign Route (multi-hop through a Swiss entry-hop, with PQC on both legs) is being built but is positioned as a Pro-tier feature, not free. The free tier is single-hop with full PQC protection — that's the trade.

No Apple TV / Smart TV app. Apple TV's TVOS Network Extension story is its own thing and we have not shipped there yet. PrivadoVPN ships a Fire TV app; Proton ships an Android TV app; OllaVPN does not yet cover the living-room device.

Things macOS users specifically ask

Is OllaVPN free on Mac?

Yes. OllaVPN's free tier on macOS is lifetime free — 10 Mbps, every country we serve, one device, no data cap, no credit card. The Pro tier at $2/month lifts the speed cap to 10 Gbps and adds four more device slots, but the free tier never expires.

Does OllaVPN work on Apple Silicon?

Yes. OllaVPN ships a native Apple Silicon build (arm64) and a separate Intel build (x86_64) signed with the same code-signing certificate. The installer detects your CPU and installs the correct variant.

What macOS versions are supported?

macOS 12 Monterey or later. Older macOS versions are not supported because the system Network Extension framework on which OllaVPN's tunnel relies received significant changes in macOS 12.

Is the macOS app notarized?

Notarization is on the roadmap for public launch — until then macOS may show a Gatekeeper prompt on first launch. You can verify the SHA-256 of the installer against the value published on the download page to confirm authenticity in the meantime.

Will OllaVPN slow down my Mac's internet?

All VPNs add some latency. OllaVPN's free tier is capped at 10 Mbps which is fast enough for HD streaming, all browsing, and most calls. Apple Silicon Macs running the native arm64 build see near-zero CPU overhead from the tunnel.

Does the macOS app have a kill switch?

Yes. The kill switch is on by default on macOS and cannot be disabled. If the tunnel drops mid-session, the system firewall blocks all non-tunnel egress until the tunnel reconnects.

Does OllaVPN leak DNS on Mac?

No. All DNS queries while connected go to an in-tunnel resolver. We enforce this with two layers: scutil-installed supplemental DNS rules at the highest system priority, plus Packet Filter rules that block all outbound DNS to non-tunnel resolvers. You can verify on our free WebRTC leak test and DNS lookup tools.

Does OllaVPN work with Apple's iCloud Private Relay?

iCloud+ Private Relay is Apple's privacy proxy for Safari traffic and some system services. Private Relay defers to a system VPN when one is active — meaning Private Relay is effectively bypassed while OllaVPN is connected. Apple does this on purpose because Private Relay is weaker than a full VPN. There's no conflict; OllaVPN's tunnel is strictly better protection than Private Relay alone.

Can I use OllaVPN with Tailscale or another VPN at the same time?

macOS allows only one active VPN tunnel at a time via the Network Extension framework. If Tailscale is connected and you connect OllaVPN, Tailscale's tunnel will be torn down (or refuse to come up). Pick one at a time. If you need both — say, OllaVPN for general privacy and Tailscale for accessing your home network — toggle between them as needed.

Does OllaVPN support Touch ID for login?

Not yet — Touch ID support is on the roadmap. Currently the macOS app uses standard email + password authentication, with the JWT token persisted to macOS Keychain so you don't re-enter credentials on every launch. Touch ID would unlock the Keychain entry; it's a UX improvement on the roadmap, not a privacy improvement.

What information does OllaVPN send to its servers?

Authentication (email + password hash → JWT) at login. Per-connect, your account ID + chosen exit + a new WireGuard public key (private key stays on your Mac) so the exit can authenticate your tunnel. After the tunnel is up, nothing else is sent to OllaVPN's control plane — the tunnel handles all data-plane traffic and the control plane stays out of it. Crash reports, telemetry, and analytics are off by default and we have not built an in-app way to enable them.

Is OllaVPN code-signed?

Yes, the app and the system service daemon are both code-signed with an Apple Developer ID certificate. Notarization (the separate step where Apple scans the build for malware) is on the roadmap for public launch; until then the first-launch Gatekeeper prompt appears (see Install Step 2).

What happens to my macOS network configuration if I uninstall OllaVPN?

Uninstall cleans up: the Network Extension is unregistered, the system service daemon is stopped and removed, scutil DNS supplemental keys are cleared, IPv6 routes are restored, and the Packet Filter rules are torn down. macOS network configuration returns to the state it was in before install. If you uninstall by deleting the .app from Applications instead of using the in-app Uninstall option, the daemon and extension stay registered until next reboot — clean uninstall always requires using the in-app option.

Does OllaVPN's macOS app use Apple's CryptoKit?

For the WireGuard cryptography path: no. WireGuard's protocol pins specific algorithms (Curve25519, ChaCha20-Poly1305, Blake2s) and we use the validated implementations in wireguard-go and Apple's CommonCrypto for those primitives. For TLS to our control plane: yes, the app uses URLSession which uses Apple's Network framework and CryptoKit under the hood. For the PQC component (ML-KEM-768): we use the reference implementation, since CryptoKit does not yet ship NIST PQC primitives.

Will OllaVPN show in macOS' Privacy & Security network monitor?

macOS 14 Sonoma and later show network activity in System Settings → Privacy & Security → Local Network and → Network Privacy. OllaVPN appears as the application requesting Network Extension access and (separately) as the active VPN configuration. Both entries are normal for a VPN client. You can audit which apps are using the network through OllaVPN's tunnel via the standard tools — Activity Monitor's Network tab, or Little Snitch if you have it.

Can I run OllaVPN at login automatically?

Yes. Open OllaVPN's Settings → General → "Launch at login" toggle. The Settings panel also has an "Auto-connect on launch" option that brings the tunnel up to your last-used country as soon as the app starts. Combined, this means every Mac restart leaves you protected within seconds of login.

Is OllaVPN better than Apple's Private Relay alone?

For most users, yes — but they're complementary, not competitors. Private Relay covers Safari traffic and DNS, splits the proxy across two hops (Apple-operated + third-party-operated), and is included free with iCloud+ ($1+/mo). OllaVPN covers all traffic (every browser, every app, every system service), can route from any country, ships PQC encryption, and is free. For users with iCloud+, Private Relay is a fine default for Safari-only browsing; for users who want their whole device covered including other browsers and apps, a full VPN like OllaVPN is the stronger choice.

About this guide

This page is maintained by Nathan Pratt, OllaVPN's Privacy & Security Lead. Fact-checked by Hannah Wu, Senior Security Engineer. The technical claims about macOS behavior (Network Extension framework, Packet Filter rules, scutil supplemental DNS, sleep/wake handling) were verified hands-on against macOS 14 Sonoma 14.6 and macOS 15 Sequoia 15.3 during the June 2026 update cycle. Quarterly refresh planned.

If you spot a factual error — a macOS version that's no longer supported, a performance claim that's drifted, a privacy property that's changed — email guides@ollavpn.com and we'll fix it in the next refresh.

What to do next

If you're ready: download OllaVPN free for Mac. The installer is ~30 MB, the first-launch flow takes 2-3 minutes, and you'll be connected within five minutes total of clicking the download.

If you want to read first: the Best free VPN 2026 buyer guide compares OllaVPN against the five other trustworthy free tiers across all platforms. The kill switch deep-dive explains why "on by default and cannot be disabled" matters more than "kill switch supported." The post-quantum cryptography guide explains the differentiator. Our technology stack page covers what's inside the OllaVPN tunnel beyond just the macOS app.

If you're a power user wanting to verify our claims: try the privacy tools while connected and disconnected, and compare. Or read the security disclosure for our vulnerability reporting policy.

Free for Mac · 10 Mbps · every country · no card

Download for Mac, free.

Apple Silicon native or Intel. macOS 12 or later. Kill switch on by default. PQC-ready.