Peer isolation means that even if you're sharing an OllaVPN server with hundreds of other users, they can't see or interact with your devices on your local network. It's like having your own private, soundproof room in a shared building, ensuring that no one else sharing the same internet exit point can snoop on your computer or attempt to access it.
We've built this multi-layered protection directly into our network architecture, making it impossible for traffic to flow directly between users on the same server. This isn't just a simple software setting; it's a fundamental design choice that prevents direct connections and keeps your device's identity hidden from others, even though you're sharing the same public IP address.
This crucial privacy feature is active by default for all OllaVPN users, whether you're on our free 10 Mbps plan or the 10 Gbps Plus tier. It works alongside our post-quantum-ready encryption and other safeguards to provide you with comprehensive security, ensuring your sensitive online activities remain private and protected without needing a credit card or email to start.
What is VPN peer isolation and why does it matter?
VPN peer isolation is a security measure that prevents users connected to the same shared VPN server from seeing or interacting with each other's devices on the local network.
When you connect to a VPN, you're usually sharing a server with many other users. Think of it like being in a big, busy apartment building: everyone has their own apartment, but they all share the same main entrance and hallways. With a traditional VPN setup, even though your internet traffic is encrypted and routed through the VPN server, there's a risk that other users on that same server could potentially see your device on what looks like a shared local network. This means they might be able to discover your computer, phone, or other devices, leading to unintended exposure of your internal network services. That's where **peer isolation** comes in. OllaVPN implements a 4-layer peer isolation system that essentially puts each user in their own separate "room" within that shared VPN server "building." It isolates your connection, making sure that your device is completely invisible to anyone else connected to the same server. You get privacy from other users, even if they're literally using the same server at the exact same moment. This is a critical privacy feature because it eliminates a common vulnerability. Without it, someone with malicious intent on the same shared VPN servers could try to exploit weaknesses in your device's network visibility, even if your internet traffic itself is encrypted. Our peer isolation ensures that your local network presence remains private and secure, safeguarding you from potential snooping or attacks from other VPN users.How does OllaVPN's 4-layer peer isolation work under the hood?
OllaVPN implements a 4-layer peer isolation strategy by segmenting network traffic and preventing direct communication between users on the same server, ensuring your online activity remains private and separate from others.
Think of it like this: when you connect to OllaVPN, you're not just joining a big, open network where everyone can see everyone else. Instead, we've designed our network architecture to put you in your own little digital bubble. This means that even if another OllaVPN user is connected to the exact same server location as you, their traffic and your traffic are kept completely separate. There's absolutely no direct peer-to-peer communication possible between users on our network, which is a fundamental part of how we protect your privacy.
Our 4-layer approach starts right from the moment your device connects using the WireGuard protocol. Each user gets a unique, isolated tunnel to our infrastructure. Within that tunnel, we use advanced routing and firewall rules to ensure that your data can only go where it's supposed to – out to the internet and back to you. It can't, for example, accidentally or maliciously be routed to another OllaVPN user's device. This traffic separation is crucial, as it stops any potential snooping or data leakage between users.
The layers build on each other. So, first, you have the encrypted WireGuard tunnel. Secondly, we have network-level firewalls that block any attempts at local communication between clients. Thirdly, our internal routing ensures that packets originating from your connection are tagged and only delivered back to you. Finally, even our in-tunnel DNS requests are handled in a way that prevents them from revealing anything about other users or your own activity to them. This multi-layered defense means that even if one layer were somehow compromised (which is highly unlikely), the others would still keep your data safe and isolated. It's all about building redundancy and defense in depth, ensuring that your online world stays private and yours alone.
What do other VPNs typically get wrong with peer isolation?
Many generic VPNs either completely neglect peer isolation, leaving you exposed to other users on the same server, or they implement it poorly, creating potential security and privacy risks.
Most generic VPNs, especially the ad-funded free VPNs or even some freemium throttled VPNs, often don't bother with peer isolation at all. When you connect to one of their servers, you're frequently lumped into a shared network segment with dozens, if not hundreds, of other users. This lack of isolation means that if one of those other users is malicious or has a compromised device, they could potentially see your device on the local network, or even attempt to exploit it. It’s like being in a crowded room with no walls between you and strangers – not ideal for privacy or security.
Even those that claim some form of isolation might only implement a basic firewall that blocks incoming connections but doesn't prevent outing scanning or other forms of local network discovery. This can still lead to security vulnerabilities, as a determined attacker could try to identify and exploit other users on the same VPN server. It’s a common oversight, and often it’s not even a feature you can easily configure; it's simply part of their default settings.
At OllaVPN, we take a different approach. We implement 4-layer peer isolation, which means every connection through our network is treated like its own private tunnel, completely separated from every other user. You're not just behind a basic firewall; you are effectively on your own isolated segment, making it virtually impossible for other users on the same server to see or interact with your device. This isn't an optional setting; it's how we design our network from the ground up, ensuring your privacy and security are paramount, whether you're on our free plan or OllaVPN Plus.
What does peer isolation protect you against in real-world scenarios?
Peer isolation protects you by preventing other users on the same VPN server from seeing or interacting with your device, safeguarding you from network-based attacks.
Imagine you're connected to a shared public Wi-Fi network at a coffee shop or airport. This is already a risky environment, but when you connect to a VPN, you're sharing a server with other users, some of whom might be malicious actors. Without peer isolation, those other users could potentially see your device on the shared VPN subnet. This opens the door to things like network scanning, where they try to identify your device, its operating system, and any open ports.
Once they can "see" your device, they could attempt device discovery, trying to figure out what services you're running or even attempting to exploit known vulnerabilities. This is where data theft attempts can start, as they might try to access shared folders, unencrypted network traffic, or exploit weaknesses in your device's security. Peer isolation acts as a crucial barrier here, making your device invisible to these other users on the VPN server, even if they're actively trying to find targets.
Think of it like being in a large building with many apartments. A regular VPN might put everyone in the same open-plan office, where anyone can walk up to your desk. Peer isolation is like giving every user their own soundproof, opaque office with a locked door. You're all in the same building (the VPN server), but you can't see or hear what anyone else is doing, and they can't see you. This significantly reduces your attack surface and enhances your privacy and security, especially when you're connected to any shared network, public or otherwise.
Is peer isolation on by default, and can you configure it?
Yes, peer isolation is on by default in OllaVPN, and there's no configuration needed or available because it's baked into how our network works.
When you connect to OllaVPN, you're not just getting a secure tunnel; you're also automatically protected from other users on the network. This four-layer peer isolation is one of our fundamental security features, meaning no matter which server you connect to, you're isolated from anyone else using that same server. You don't have to toggle a setting or worry if it's active — it just is, from the moment you hit connect. This design choice prioritizes your privacy and security above all else, and it's part of why we can offer a free plan without compromising on safety. We want to make using a VPN as simple and secure as possible, so features like peer isolation and our always-on kill switch are enabled by default, requiring no extra thought from you. It’s part of our commitment to ease of use and making strong privacy accessible to everyone. Because it's a core architectural component, peer isolation isn't something you can turn off or adjust. It's always active, ensuring that your traffic remains private and separate from other users, even on shared servers. This means you get the benefits of a shared IP address for anonymity without the risks of direct peer-to-peer exposure.How can you verify OllaVPN's peer isolation is working?
You can verify OllaVPN's peer isolation by performing network tests like ping and traceroute while connected to the VPN, and observing that other VPN users' internal IP addresses are not visible to you.
Confirming that peer isolation is active and working on OllaVPN involves using common network tools to observe your connection. When you connect to our VPN, you're assigned an internal IP address within our network, but crucially, other users on the same server are also assigned their own distinct internal IPs. Our 4-layer peer isolation ensures that these internal addresses are not discoverable by other peers, which is a key privacy feature.
One of the simplest testing methods is to use diagnostic tools like `ping` or `traceroute` from your device while connected to OllaVPN. If you were on a network without proper peer isolation, you might be able to discover or even attempt to connect to other devices on the same VPN server by trying common internal IP ranges. With OllaVPN, you won't be able to do this. You'll only see your own traffic and the VPN server's external IP address.
You can also use online tools that report your IP address visibility. While these mainly show your external, public IP (which will be one of OllaVPN's exit nodes, shared with other users for anonymity), the absence of any leaks showing your real IP or internal network details is a good sign. The true test for peer isolation, however, really comes down to trying to identify or connect to other internal VPN clients, and finding that you simply can't.
What are the limits of peer isolation, and what doesn't it solve?
Peer isolation protects your network traffic from other users on the VPN, but it's not a silver bullet for all online threats and doesn't protect against issues outside the VPN's scope.
Peer isolation is a powerful security feature, but it's important to understand its boundaries. What it does is prevent other OllaVPN users from seeing or interacting with your device on the network segment you share. Think of it like giving every user their own private subnet within the VPN, even though you're all using the same exit server. This stops things like local network attacks or accidental data exposure to other VPN users. However, it's not a complete cybersecurity solution. Peer isolation doesn't offer protection against malware you might download, phishing scams you encounter, or vulnerabilities in the websites you visit. These are issues that happen at your device or on the web itself, independent of how your traffic is routed through the VPN. You still need good antivirus software, a careful eye for suspicious links, and common sense when browsing. It also doesn't prevent things like browser fingerprinting, where websites gather unique characteristics about your browser and device to identify you, or tracking through cookies and other web technologies. Your online anonymity largely depends on your user behavior, regardless of the VPN's network-level protections. While OllaVPN secures your connection and hides your IP address, it can't control what you choose to share or where you browse online.Does peer isolation affect my connection speed or performance?
No, OllaVPN's peer isolation has a negligible impact on your connection speed or performance.
You might think adding a security layer like peer isolation would slow things down, but that's not how we've built it. Our 4-layer peer isolation is designed to be incredibly efficient, meaning it adds almost no noticeable network overhead. We've engineered it to protect your privacy without getting in the way of your online experience, whether you're just browsing or streaming video.
The system is built to be lightweight, so the extra processing needed to keep your connection isolated from others on the same server is minimal. This means you won't see a hit to your speed because of peer isolation. Network efficiency is a core principle in our design, allowing us to offer robust security features without compromising on performance.
For most users, especially those on our 10 Mbps free plan, any impact would be completely imperceptible. Even if you're on the 10 Gbps Plus plan, pushing massive amounts of data, the design ensures that peer isolation isn't the bottleneck. We've optimized our entire network stack to ensure that security and speed go hand-in-hand, so you get the best of both worlds without compromise.
Will peer isolation prevent me from accessing local network devices?
No, peer isolation won't prevent you from accessing local network devices like printers or smart home gadgets when you're connected to OllaVPN.
We designed OllaVPN with your convenience in mind, especially for things that live on your local network. While our 4-layer peer isolation ensures that other users on the OllaVPN network can't see or interact with your device, it doesn't block your connection to devices within your own home or office network. So, you can still print documents, control your smart home devices, or access network shares without having to disconnect from the VPN.
This means you get the best of both worlds: enhanced privacy and security from the outside world through OllaVPN's post-quantum-ready encryption, while maintaining seamless access to everything you need on your local network. You won't find yourself constantly toggling the VPN on and off just to print a document or cast to your TV.
Some VPNs might require complex split tunneling configurations to achieve this, or they might simply block local network access altogether. With OllaVPN, we handle it automatically. Your internet traffic goes securely through our servers, but your requests to local IP addresses stay on your local network, ensuring everything just works as you'd expect.
How does peer isolation connect with OllaVPN's other privacy features?
Peer isolation at OllaVPN works hand-in-hand with our other privacy features like post-quantum encryption, the kill switch, and in-tunnel DNS to create a truly multi-layered, comprehensive privacy shield for your online activity.
Think of it like different security systems in a very secure building, all working together. Peer isolation is like having individual, locked rooms for each visitor, preventing anyone from seeing or interacting with others in the building. This means that even if you and another OllaVPN user are connected to the same server, your traffic is completely separated at a fundamental network layer. This isn't just about hiding your IP from websites; it's about making sure no other user on our network can even accidentally (or maliciously) snoop on your connection or identify you.
Now, layer that with our post-quantum readiness. While peer isolation keeps you separate on our network, post-quantum encryption protects your data as it travels across the internet, making it unreadable to anyone outside our VPN tunnel. This forward-looking encryption ensures your data remains secret even against future, more powerful computers. Then, you have the kill switch, which acts as an automatic deadbolt. If your VPN connection ever drops unexpectedly, the kill switch immediately cuts your internet access, preventing any data from leaking outside the secure tunnel. Coupled with our in-tunnel DNS, which handles all your domain requests securely within the VPN, we're ensuring every aspect of your online presence is protected, right down to the websites you visit.
Every piece of our architecture, from the four-layer peer isolation to our strict no-logs policy, is designed to complement the others. It's not just a collection of features; it's a carefully engineered system for comprehensive privacy. This multi-layered security approach means that even if one component were to face an unforeseen challenge, the others are there to back it up, ensuring your anonymity and data security remain intact, whether you're using our free plan at 10 Mbps or enjoying 10 Gbps with OllaVPN Plus.
Is OllaVPN's peer isolation future-proof against emerging threats?
Yes, OllaVPN's 4-layer peer isolation is designed with adaptability in mind, making it highly resilient against emerging threats and ensuring its long-term viability.
We built our network with the understanding that the threat landscape is always changing. That's why our approach to peer isolation isn't a static solution, but a layered defense system. This means it's inherently more flexible than single-point security measures. Each of the four layers acts as an independent barrier, so even if one layer were to face a novel attack, the others remain in place, protecting your privacy and data.
This layered architecture gives us significant room for continuous improvement and adaptation. As new vulnerabilities or attack vectors appear, we can update or reinforce individual layers without needing to overhaul the entire system. This modularity is key to its future-proofing, allowing us to maintain robust network security against even the most sophisticated evolving threats. It's not just about what threats exist today, but being prepared for what might come tomorrow.
Think of it like building a house with multiple locks on the door, reinforced windows, and a strong foundation – if one part is compromised, the others still stand strong. This design philosophy is what gives OllaVPN's peer isolation its long-term viability and helps us protect you in an ever-changing digital world.
The four-layer defense, in technical detail
Peer isolation on OllaVPN exits is enforced in four independent layers, each separately sufficient. Defense in depth means a bug in any single layer leaves the property intact via the other three.
Layer 1 — WireGuard AllowedIPs restriction. Every connected peer's WireGuard configuration on the exit specifies AllowedIPs = peer-ip/32 — meaning the WireGuard packet processor will only accept and forward packets from that peer that are destined for the wider internet, not for another peer's /32. A peer that tries to send a packet to another peer's tunnel IP gets the packet dropped at the WireGuard layer before it even reaches the IP stack.
Layer 2 — nftables drop rule on the wg0 interface. Even if a packet somehow passes the WireGuard layer (a hypothetical implementation bug), an nftables rule on the wg0 interface drops any packet whose ingress interface is wg0 and whose egress interface is also wg0. The rule is iifname wg0 oifname wg0 drop. Packets that should leave the tunnel to reach the wider internet are not affected; only peer-to-peer-via-the-tunnel packets match this rule.
Layer 3 — sysctl forwarding disable. The wg0 interface has IP forwarding administratively disabled at the kernel level via sysctl net.ipv4.conf.wg0.forwarding=0. The wider internet egress works via a separate routing path that doesn't require the kernel to forward between two virtual interfaces; peer-to-peer-via-the-tunnel would require this forwarding capability, which is administratively off.
Layer 4 — automated end-to-end test that runs before every release. The tools/e2e/peer-isolation/ harness in the OllaVPN repository spins up two peers on a test exit, attempts to ping each peer from the other, and asserts that 100% of pings fail. A release that violates peer isolation fails this test and is blocked from shipping. The test catches both code regressions (someone changes the AllowedIPs logic) and configuration regressions (an exit gets deployed without the nftables rule).
No single layer is the load-bearing one. The defense-in-depth design specifically ensures that an undetected bug in any one layer still leaves the privacy property protected by the other three. The test layer ensures we catch any such bug before users do.
How can you verify peer isolation works?
Hardest of OllaVPN's privacy properties to verify alone, because it requires two devices on the same exit at the same time. The test code is published; the methodology is reproducible.
Peer isolation is harder to verify than DNS-leak or kill-switch behavior because the test requires two devices both connected to the same OllaVPN exit at the same time. If you have that setup (a laptop and a phone both on OllaVPN, both routed via the same exit) you can run the test:
Step 1 — Connect both devices to the same exit. In the OllaVPN app on each device, pick the same country and same city. The country picker shows the active exit ID; matching IDs means matching exit.
Step 2 — Identify each device's tunnel IP. On each device, open our what-is-my-IP tool and note the tunnel IP shown (this is the in-tunnel CGNAT address, not the exit's public IP). Or run ipconfig (Windows) / ifconfig (macOS) and look at the OllaVPN tunnel interface.
Step 3 — Attempt to ping across. From device A's terminal, ping device B's tunnel IP. The ping should fail with 100% packet loss. The same from device B to device A. If any pings succeed, peer isolation has failed (it hasn't, but verify). The expected result is total isolation — the two devices cannot see each other through the tunnel.
What if you only have one device? The published test code in our repository (tools/e2e/peer-isolation/) describes the methodology. You can run it against any exit if you have two test accounts and two simulated clients. It's not as accessible as a browser-based test, but the methodology is public, the code is open, and the test runs before every release as a CI gate.
How OllaVPN's peer isolation compares to other VPNs
Most paid VPNs claim peer isolation; few publish how it's enforced. OllaVPN's distinguishing posture is the four-layer defense-in-depth, the published e2e test, and explicit advertisement of all four layers — most competitors implement one or two layers and don't talk about the rest.
Single-layer implementations are common. Many commercial VPNs enforce peer isolation only at the WireGuard AllowedIPs layer (or the equivalent in OpenVPN). This works in practice — bugs in WireGuard's packet processor are extremely rare — but a defense that relies on a single layer is fragile against the day that layer regresses. Mullvad publishes detailed peer-isolation documentation describing a multi-layer approach similar to ours; we consider Mullvad the gold-standard reference for this specific property.
The test gate matters. A peer-isolation guarantee that's only enforced in code, with no automated test that fails the build when the guarantee breaks, is one regression away from silently failing. OllaVPN's tools/e2e/peer-isolation/ harness runs as a pre-release CI gate, so the property is continuously enforced rather than periodically reviewed. The test code is open in the repository — readers who want to know exactly what we're testing for can read the test.
The "we don't talk about it" tier. Some free VPNs simply don't discuss peer isolation. The absence of discussion is not proof of absence (some operators implement the property quietly), but in our experience the operators that quietly skip it tend to be the same ones that quietly skip other security properties. Asking the operator "do you isolate peers from each other, and how?" is a good vetting question whenever you're evaluating a free VPN.
Common peer-isolation questions, answered straight
Why would another VPN user want to reach my device? Most don't intentionally. The risk is incidental: an infected device on the same exit might portscan its local subnet and stumble onto your device; a misconfigured app on another user's device might broadcast to a range that includes you. Peer isolation makes both scenarios impossible at the network layer regardless of intent.
Does peer isolation affect my speed? No measurable impact. The nftables drop rule operates at packet receipt; matching packets are dropped immediately with negligible CPU cost. The sysctl forwarding disable is set once at exit boot, not per-packet. The WireGuard AllowedIPs check is part of the standard WireGuard packet flow and adds nothing measurable.
Does peer isolation affect my LAN access? No. Peer isolation only blocks tunnel-to-tunnel traffic on the exit. Your home LAN devices (printer, NAS, smart-home gear) are reachable via your local network interface, which is separate from the tunnel. RFC 1918 LAN ranges are explicitly carved out from the kill-switch firewall rules, so LAN access keeps working.
What about peer-to-peer apps like file-sharing or video calls? Direct peer-to-peer connections between two OllaVPN users on the same exit are blocked. Most modern P2P apps (Zoom, Discord, FaceTime) use external relay servers when direct connection fails, so the user-visible behavior is "calls work, slightly higher latency than direct P2P would have given." Apps that strictly require direct P2P (some torrent clients in specific configurations) may behave differently — try and see.
Is peer isolation different on the free vs Pro tier? No. Peer isolation is a network-architecture property of the exit servers, not a per-user feature. Free users and Pro users on the same exit are equally isolated from each other (and from all other users).
What if the exit's nftables rule gets accidentally deleted? The e2e test would catch it before release ships, the four-layer design means the WireGuard and sysctl layers still enforce the property, and our deployment automation re-applies the nftables rules on every restart. The window for a regression to escape into production is small.
About this guide
Maintained by Nathan Pratt, OllaVPN's Privacy & Security Lead. Fact-checked by Hannah Wu, Senior Security Engineer. The four-layer implementation details (WireGuard AllowedIPs, nftables drop rule, sysctl forwarding, e2e test) were verified against the production exit configuration and the test code in the June 2026 update cycle. Quarterly refresh; last full re-evaluation 23 June 2026.
For deeper context: the technology stack page covers OllaVPN's full architecture including peer isolation's interaction with the kill switch and in-tunnel DNS. The kill switch page documents the related OS-firewall-layer defense. The in-tunnel DNS page covers the resolver-layer defense. Together, the three privacy primitives form OllaVPN's core privacy guarantee — read all three for the complete picture.
Why peer isolation matters — historical incidents
The peer-isolation property exists because its absence has caused real incidents on real VPN services. The category history is worth knowing before you trust any VPN with your traffic.
Peer isolation isn't an abstract concern. Multiple commercial VPN services have shipped exits without proper peer isolation, with documented consequences:
The "broadcast traffic exposure" pattern. Without peer isolation, an exit acts a bit like a giant Wi-Fi network: thousands of users sharing the same broadcast domain. Misconfigured user devices that broadcast service discovery (Apple Bonjour, Windows SMB browsing, printer discovery) leak the device's hostname, OS, and sometimes user information to every other user on the same exit. Academic researchers have repeatedly demonstrated that they can passively listen on a poorly-isolated VPN exit and compile a list of connected users' device makes, models, hostnames, and software versions — all without sending a single probe packet.
The "lateral movement" pattern. An attacker connects to a VPN with a compromised device (one already infected with malware that scans local networks for vulnerable services). Without peer isolation, the malware scans the tunnel subnet and finds other connected peers — possibly with unpatched services exposed because the user assumed they were on a "safe" VPN. The attacker now has lateral movement opportunities against other paying customers of the same VPN service.
The "amplification" pattern. Some VPN services have been documented allowing peer-to-peer traffic at line rate, which lets a malicious peer use the exit as an amplification vector — sending small attack packets to other peers' broadcast addresses and triggering large response volumes that the operator's bandwidth then carries. The operator absorbs the cost; the legitimate users absorb the slowdown.
All three patterns are eliminated by enforcing peer isolation at the network layer, which is what OllaVPN does. We document the implementation explicitly because the category history of not documenting it has been bad for users.
Want this on your device?
OllaVPN is free forever for 1 device. No card, no email tricks.
Get OllaVPN free → Or see all plans