All systems operational status.ollavpn.com
FEATURE · ALWAYS CURRENT

What is Post-Quantum Cryptography and Why Does OllaVPN Use It?

You've probably heard the buzz about quantum computers, and while they might seem like science fiction, they pose a very real, long-term threat to the encryption that protects your online life. The math securing your banking, emails, and even your VPN connections today could be vulnerable to future quantum attacks. This article explains what post-quantum cryptography (PQC) is, why OllaVPN uses it, and how it ensures your data stays private not just now, but for decades to come, protecting against a future where your past data might otherwise be exposed.

✓ Reviewed
Hannah Wu · Senior Security Engineer
Last fact-checked 10 June 2026
Available on Free Pro Business Same security stack on every tier.
TL;DR

Post-quantum cryptography (PQC) is about making sure your private data stays private, even when incredibly powerful quantum computers arrive. Right now, most VPNs use encryption that these future machines could easily break, putting your past and present online activity at risk of being exposed years down the line.

OllaVPN takes a different approach. We combine the strongest current encryption with PQC algorithms. This hybrid method gives your connection a powerful, dual layer of protection, securing you against both today's threats and the quantum threats of tomorrow. It's automatically enabled for everyone, even if you're just using our free, 10 Mbps plan.

This proactive step means your sensitive information isn't just protected now; it's future-proofed against the day quantum computers become a reality. It's a core part of how we ensure your privacy is truly long-lasting, all without needing your credit card or tracking your email, ever.

What exactly is Post-Quantum Cryptography?

Post-Quantum Cryptography (PQC) is a new generation of encryption designed to protect your data from attacks by future quantum computers.

Right now, the encryption that keeps your online activity private is incredibly strong. Even the most powerful supercomputers would take billions of years to break it. But there's a new threat on the horizon: quantum computers. While they're still in early development, these machines operate on different principles than traditional computers and could, theoretically, break today's standard encryption algorithms with relative ease. That's where PQC comes in.

Imagine someone recording all of your encrypted internet traffic today, storing it, and then waiting a few years for powerful quantum computers to become available. This is known as a "harvest now, decrypt later" attack. All your past communications, once thought secure, could then be exposed. This is especially concerning for VPNs, which are designed for long-term data security and privacy. OllaVPN's commitment to PQC is about preventing this exact scenario, giving you true future-proofing for your sensitive information.

By integrating quantum-resistant algorithms now, OllaVPN ensures that even if quantum computers become a reality in the future, your past, present, and future browsing history remains private. It's about building a VPN that's secure not just for today, but for decades to come, protecting your digital life against threats that haven't even fully materialized yet.

How does OllaVPN actually use Post-Quantum Cryptography?

OllaVPN uses a hybrid handshake that combines classical and post-quantum algorithms during the initial connection to protect your data against future quantum computer attacks.

We're serious about future-proofing your privacy, which is why OllaVPN was built from the ground up with post-quantum cryptography (PQC) in mind. While today's computers can't break current encryption standards, the concern is that future quantum computers will be able to retroactively decrypt traffic captured now. That's why we've implemented a hybrid handshake for every connection you make.

What does "hybrid handshake" mean? It means that when your OllaVPN client connects to our servers, it performs two separate key exchanges simultaneously. One uses a classical, proven algorithm like Diffie-Hellman, which is secure against all known conventional attacks. The other uses a post-quantum algorithm, specifically Kyber-768, which is designed to withstand attacks from even the most powerful theoretical quantum computers. By combining both, your connection's security is as strong as the stronger of the two algorithms. If a weakness is found in one, the other still protects you.

This PQC layer works seamlessly with the underlying WireGuard protocol, which is already known for its strong cryptography and efficient key management. WireGuard handles the secure tunneling and data transfer, while our hybrid handshake ensures that the initial key exchange—the crucial part where your device and our server agree on the secret keys for that session—is quantum-resistant. It's an extra layer of protection that doesn't slow you down, ensuring your past, present, and future data remains private.

You don't need to do anything special to enable it; it's active by default on all OllaVPN connections, ensuring you're future-ready against potential threats from quantum computing. This forward-looking approach is a core part of how we protect your privacy, whether you're using our free plan or OllaVPN Plus.

Could you walk me through a connection with OllaVPN's PQC?

When you connect to OllaVPN, your device and our server establish a secure tunnel using a combination of classical and post-quantum encryption to protect your data from current and future threats.

It all starts when your client initiates a connection to an OllaVPN server. First, your device and our server perform a handshake. This isn't just any handshake; it's a dual-layered one. We use a traditional, highly-trusted elliptical curve cryptography (ECC) key exchange for immediate security, but simultaneously, we establish a second, post-quantum-resistant key exchange. This dual approach means your connection is secure against today's known attacks and also built to withstand the theoretical power of future quantum computers. Both keys are used together to derive the session keys that will encrypt your data. Once these dual encryption keys are established, our server authenticates itself to your client. This ensures you're connecting to a genuine OllaVPN server and not an imposter. With mutual trust established and keys exchanged, a secure data tunnel is created. All your internet traffic, from browsing to streaming, now travels through this encrypted tunnel. Even your DNS requests are handled within the tunnel via our in-tunnel DNS, which prevents your internet provider from seeing what sites you're trying to visit. This entire process happens in milliseconds, completely transparent to you. The post-quantum readiness isn't an add-on; it's baked into how OllaVPN works from the ground up. It means that even if someone recorded your encrypted traffic today, they wouldn't be able to decrypt it years from now when quantum computers might be powerful enough to break classical encryption. It's about protecting your privacy not just for the moment, but for the long haul.

How does OllaVPN's PQC approach compare to other VPNs?

OllaVPN takes a proactive approach to post-quantum cryptography, building in quantum-resistance now, while most other VPNs still rely on standard encryption that will eventually be vulnerable.

Most VPNs today, whether they're ad-funded free VPNs, freemium throttled VPNs, or even honest-loss-leader free VPNs, use what's called "standard encryption." This means they're secure against today's threats, but they haven't started preparing for the future. Specifically, they're not ready for the advent of quantum computers powerful enough to break these traditional encryption methods. It's a bit like building a fort out of wood when you know a fire-breathing dragon is coming eventually.

OllaVPN, on the other hand, is built with a post-quantum-ready design. We use a hybrid handshake that combines a classical, proven encryption algorithm with a quantum-resistant one. This means your connection is secure against both current threats and the theoretical threats posed by future quantum computers. We're not waiting for the "quantum apocalypse" to happen before we act; we're building for the long term now, ensuring your privacy remains protected for decades to come, not just until the next technological leap.

This proactive stance is a key differentiator. While others might eventually adapt, they'll be playing catch-up. Our approach means that from day one, you're getting forward-secure encryption designed to withstand even the most advanced attacks. It's a significant investment in your privacy that most providers simply aren't making yet, choosing instead a reactive approach to security upgrades.

What real-world scenarios does OllaVPN's PQC protect me from?

OllaVPN's post-quantum-ready encryption protects your data from future decryption by powerful adversaries, safeguarding sensitive communications and long-term privacy against government surveillance and corporate espionage.

Most VPNs use encryption that's secure against today's computers, but vulnerable to quantum computers that are currently in development. These future machines could retroactively decrypt recorded encrypted traffic. This is a critical concern for anyone with data that needs to stay private for decades, not just days or months. Think about medical records, legal documents, or journalistic sources – information that, if exposed years from now, could still cause significant harm. Our post-quantum-ready protocols ensure that even if your encrypted data is collected today, it will remain unreadable by quantum computers tomorrow.

This long-term security is especially vital when considering threats like government surveillance. Agencies with vast resources often collect encrypted traffic now, hoping to decrypt it later once quantum computing power becomes available. OllaVPN's approach prevents this "harvest now, decrypt later" attack. Your browsing history, online communications, and other sensitive data are protected not just from current prying eyes, but from future ones too. This gives you genuine, lasting peace of mind that your digital footprint won't be compromised years down the line.

Beyond governments, corporate espionage and data harvesting operations also pose significant risks. Imagine a competitor or a data broker recording your company's proprietary information or your personal browsing habits, banking on future decryption. With OllaVPN, your connections are secured with a hybrid handshake that combines a classical and a post-quantum algorithm, making it extremely difficult for any entity to ever unlock your past data. This commitment to long-term privacy means your secrets stay secret, even as technology evolves.

Is OllaVPN's Post-Quantum Cryptography on by default?

Yes, OllaVPN's post-quantum cryptography is on by default for all users, with no configuration needed.

It's actually a core part of how OllaVPN works, not an optional extra you need to remember to switch on. From the moment you connect, your traffic is protected by a hybrid cryptographic handshake that includes a post-quantum algorithm. This means you get the best of both worlds: the proven security of traditional cryptography today, combined with forward-looking protection against potential future threats from quantum computers. It's built in for everyone, whether you're on the free plan or a Plus subscriber. We believe true privacy shouldn't require you to be a security expert. That's why we bake these advanced protections directly into the service. There's no user configuration needed for our post-quantum features; it just works automatically in the background. This ensures you always have the strongest possible encryption without having to tinker with settings or understand complex security concepts. It's designed for seamless integration into your everyday internet use. You won't find a toggle switch for "post-quantum mode" because it's always active. This approach guarantees that every connection you make through OllaVPN benefits from this advanced layer of security, protecting your data not just now, but well into a future where quantum computing might become a threat to conventional encryption. It's our way of making sure your privacy is built for the long term.

How can I verify OllaVPN's Post-Quantum Cryptography is working?

You can verify OllaVPN's Post-Quantum Cryptography (PQC) is active by inspecting the handshake details with network analysis tools, though it requires some technical know-how.

It's a really good question, and one we encourage you to ask any VPN provider. The core of "trust but verify" means you shouldn't just take our word for it. While directly seeing a "PQC active" light isn't a thing, you can use technical verification methods to confirm the post-quantum handshake is happening. This involves capturing your network traffic and analyzing the cryptographic negotiation. Specifically, you'll be looking for the inclusion of the CRYSTALS-Kyber algorithm during the WireGuard handshake. Our client is open-source, so you can even dig into the code if you're so inclined, but for most people, using network analysis tools like Wireshark is the go-to. You'd set up a capture, connect to OllaVPN, and then filter for the handshake packets. Inside those packets, you should see the Kyber parameters being exchanged alongside the traditional elliptic curve Diffie-Hellman keys. This isn't something the average user will do daily, for sure. It requires a decent understanding of network protocols and cryptography to interpret the results correctly. However, the fact that you *can* do it is important. It's our commitment to transparency and our way of showing that when we say we're post-quantum-ready, we mean it with verifiable, concrete steps, not just marketing fluff. This forward-secure approach is built for the long term, protecting your data even against future quantum computing threats.

What are the limitations or trade-offs of using PQC?

Post-quantum cryptography isn't a magic bullet; it primarily addresses the threat of future quantum computer attacks on current encryption, with minimal performance impact.

You’re right to ask about limitations. While PQC is a huge step forward for long-term security, it's important to understand that it's not a silver bullet. It doesn't prevent all attacks, nor does it magically solve every cybersecurity problem. For instance, PQC won't protect you from phishing scams, malware, or social engineering. Good security practices, like using strong, unique passwords and being wary of suspicious links, remain crucial regardless of the encryption under the hood.

The primary focus of PQC is to secure your data against decryption by future, powerful quantum computers. It's about ensuring that the information you send today can't be stored and decrypted years from now by an adversary with a quantum machine. That's a very specific, albeit critical, threat. Other vulnerabilities, like those related to software bugs or misconfigurations, still need to be addressed through diligent development and security auditing, which we take very seriously at OllaVPN.

From a practical standpoint, the biggest "trade-off" for you is barely noticeable. There's a minimal performance impact with post-quantum algorithms compared to classical ones. We're talking milliseconds, not seconds, on a modern CPU. For our free users, your connection is capped at 10 Mbps anyway, so you absolutely won't feel any difference from PQC. For OllaVPN Plus users enjoying 10 Gbps, any overhead is still negligible – the bottleneck is almost always your internet connection or the server load, not the PQC itself. We've optimized our implementation to ensure that this crucial security upgrade doesn't slow you down.

How does PQC fit with OllaVPN's other privacy features?

Post-quantum cryptography adds a critical layer to OllaVPN's existing privacy features, creating a more robust and future-proof shield for your online activity.

Think of post-quantum cryptography (PQC) as the latest upgrade to your digital armor. While features like our always-on kill switch prevent accidental data leaks if your VPN connection drops, and our in-tunnel DNS ensures your internet provider can't snoop on your DNS requests, PQC protects the fundamental encryption itself. It's about ensuring that even with hypothetical, incredibly powerful future computers, your past and present encrypted communications remain private. It's a proactive step against a threat that hasn't fully materialized yet, but one we take seriously.

This isn't about replacing our other strong security primitives; it's about building on them. Our layered security approach means that each feature works in concert. For instance, our unique 4-layer peer isolation prevents any cross-talk or data leakage between users on the same server, adding a powerful internal privacy boundary. PQC then ensures that the very tunnel protecting you from the outside world — from your ISP, from government surveillance, from malicious actors — is resilient against even the most advanced decryption attempts imaginable.

So, while you're enjoying the everyday benefits of a VPN – like bypassing geo-restrictions or simply browsing privately – OllaVPN is also thinking years, even decades, ahead. It's all part of our holistic privacy approach. We're not just patching immediate vulnerabilities; we're designing for a future where your digital footprint is inherently more exposed. PQC is a cornerstone of that long-term vision, ensuring that the foundation of your privacy remains impenetrable, no matter what technological advancements the future holds.

Will OllaVPN's PQC still be effective in 5-10 years?

Yes, OllaVPN's post-quantum cryptography is designed to remain effective for decades, not just years, thanks to its adaptable approach.

You can count on OllaVPN's post-quantum encryption to protect your data long into the future. We're not just picking one "post-quantum" algorithm and hoping for the best; instead, we use a hybrid approach that combines a classical, well-understood encryption method with a new, quantum-resistant one. This means your connection is secure even if the new post-quantum algorithms hit an unexpected snag down the line, because the classical encryption is still there as a fallback. It's about building for long-term security.

Our implementation is also built with algorithm agility in mind. The field of post-quantum cryptography is still evolving, with new research and potential breakthroughs happening regularly. The US National Institute of Standards and Technology (NIST) is leading the charge in standardizing these algorithms, and as their recommendations solidify and new, stronger algorithms emerge, OllaVPN can seamlessly update its systems. This adaptability ensures that we can always deploy the most secure and up-to-date post-quantum methods without you needing to do a thing.

Think of it like this: we've designed our encryption to be future-proof by being flexible. As the world of quantum computing develops and new cryptographic standards are set, OllaVPN will be ready to integrate them, keeping your data safe from threats that don't even exist yet. It's a commitment to protecting your privacy not just today, but for decades to come.

Is Post-Quantum Cryptography included in OllaVPN's free plan?

Yes, OllaVPN includes post-quantum cryptography in its free plan, available to all users without any restrictions.

That's right, post-quantum-ready encryption isn't a premium feature or an add-on you have to pay for. It's built into every connection you make with OllaVPN, whether you're using our free plan or OllaVPN Plus. We believe that robust, future-proof security should be a standard, not a luxury. You get it automatically, for $0 forever, with no card or email required.

You might be wondering how we can afford to offer such advanced security for free. The answer is simple: OllaVPN's free tier, which gives you 10 Mbps and access to every country in our network, is funded entirely by our Plus subscribers. When you upgrade to OllaVPN Plus for just $2/month, you're not just getting 10 Gbps speeds on five devices; you're also directly supporting our mission to provide free, private, and secure internet access to everyone, worldwide. This model allows us to keep the free plan genuinely free, without resorting to ads or selling your data.

Who actually does "harvest now, decrypt later," and at what cost?

Bulk traffic capture is a documented practice of multiple nation-state intelligence services and well-funded private actors. Petabyte-scale storage costs roughly $10,000 in 2026 and keeps trending down; the decryption value grows with time. The economics favor the patient adversary.

The harvest-now-decrypt-later threat is concrete, not theoretical, and the people most exposed to it tend to be the people least aware that it applies to them. The bulk-capture capability has been publicly documented since the 2013 Snowden disclosures (the GCHQ "Tempora" programme, the NSA "Upstream" programme, and equivalent programmes in several allied jurisdictions). Captured ciphertext is cheap to store: a single petabyte of cold-tier disk costs roughly $10,000 in 2026 and the cost-per-byte trends downward every year. The capture itself is a one-time engineering investment (taps at major internet exchange points and cable landings); the storage is amortized indefinitely.

The decryption value, by contrast, compounds with time. Recently-public information has lost most of its leverage. A decade-old encrypted communication can still expose a source whose identity you forgot you had used encryption to protect, reveal a business strategy that is still in play, embarrass a public figure who had built their reputation since, identify an activist whose protest movement has succeeded and whose government has begun retaliating, or compromise the operational security of a still-running negotiation. The defender's economics are the opposite: every day of unencrypted-after-the-fact traffic is one more day of pending exposure.

The class of attacker that does this includes signals-intelligence agencies of the major powers, organized cybercrime groups operating at industrial scale, and (per disclosures in the academic literature) a handful of well-funded corporate competitive-intelligence operations. None of them will tell you they captured your traffic in 2026; some of them will quietly decrypt it in 2036 or 2046 and use what they find. The defense — switching the key agreement to a quantum-resistant algorithm before the quantum computer exists — costs almost nothing today. Refusing to ship that defense, on the grounds that the threat hasn't materialized yet, is the same logic that historically led people to leave their doors unlocked because no one had broken in yet.

How can you verify OllaVPN's PQC claims independently?

Run a packet capture during an OllaVPN handshake and examine the key-exchange messages, or use the open WireGuard inspector with our public client source. The hybrid handshake's extra ML-KEM-768 message is observable on the wire.

Marketing claims that "we ship post-quantum cryptography" are easy to make and harder to verify. Here is how to verify ours from your own device, without taking our word for any of it.

Inspect the handshake message size. A vanilla WireGuard handshake initiation message is exactly 148 bytes. A WireGuard handshake initiation with the hybrid X25519 + ML-KEM-768 extension is substantially larger because the ML-KEM-768 encapsulation key adds roughly 1,184 bytes of additional payload. If you run a packet capture (Wireshark or tcpdump) on the WireGuard interface during a fresh OllaVPN connection, the size of the first handshake packet is the simplest evidence. If it's 148 bytes, you're on classical WireGuard. If it's substantially larger, you're on a hybrid handshake.

Read the client source. The OllaVPN client apps progressively open-source alongside our public launch. The PQC integration patches on top of wireguard-go are open today and link directly to the NIST reference implementation of ML-KEM-768 (FIPS 203). You can read the diff against upstream wireguard-go and confirm that the additional key-exchange step uses the standardized algorithm with the parameters specified in FIPS 203 — no novel cryptography, no proprietary tweaks, just integration.

Compare to other PQC-shipping VPNs. Mullvad ships post-quantum WireGuard on desktop paid (default-on since 2023) and has published the implementation details openly. ProtonVPN ships PQC on the paid tier and documents the rollout. Both use a similar hybrid construction. Cross-checking the wire-level behavior of OllaVPN against either gives you a second independent reference point. The hybrid handshake should look structurally similar on all three.

Check the FIPS 203 reference. NIST publishes the official FIPS 203 specification, the test vectors, and the reference implementation at nist.gov. The ML-KEM-768 parameter set is one of three (alongside ML-KEM-512 and ML-KEM-1024). Confirm that our handshake uses the 768-bit security level — the standard recommendation for general-purpose use, providing security comparable to AES-192 against both classical and quantum attacks.

If post-quantum cryptography is this important, why doesn't every VPN ship it?

Three reasons: it requires engineering work most operators have not yet prioritised, the standardisation only finalised in August 2024, and integrating it into WireGuard requires running a small fork off the upstream protocol — which not every operator is willing to maintain.

The post-quantum-cryptography landscape in 2026 looks roughly like this: the largest VPN operators by user count (NordVPN, ExpressVPN, Surfshark, CyberGhost) do not yet ship PQC anywhere. The strongest privacy-first operators (Mullvad, ProtonVPN) ship PQC on the paid tier and are rolling it out across platforms. A small number of forward-looking operators (OllaVPN being one) ship PQC on the free tier by default.

The reasons for the gap are not that the technology is hard, expensive, or experimental in 2026 — those reasons were true in 2022, less true in 2024, and substantially false in 2026 now that NIST has finalised the standards and reference implementations are mature. The actual reasons are organizational and product-strategy reasons.

Engineering attention. Most VPN operators have product backlogs full of features users explicitly ask for (more countries, faster servers, app polish). Post-quantum cryptography is a feature almost no end-user asks for, because most end-users don't know to ask. An operator prioritising what users explicitly request will rarely allocate engineering time to PQC.

WireGuard fork maintenance. Standard WireGuard does not yet include hybrid PQC handshakes in the upstream protocol. The IETF is actively working on a standardised PQ-WireGuard, but until that standard ships and propagates through implementations, shipping PQC means running a small fork off upstream wireguard-go (or equivalent). Some operators are unwilling to carry the fork-maintenance burden; OllaVPN, Mullvad, and ProtonVPN have all chosen to.

Marketing differentiation calculus. Some operators prefer to position PQC as a paid-tier-only feature because it provides upgrade motivation. We disagree with that strategy on principle — the privacy property is most valuable to the user who cannot afford to pay — but we recognise it as a defensible product decision for a paid-first operator.

The honest read: PQC will be table stakes for the privacy-VPN category by 2028 at latest, the way the kill switch became table stakes between 2018 and 2022. The question is whether your operator is ahead of that curve or behind it. OllaVPN's bet is that being ahead is the right place to be.

Common PQC questions, answered straight

Direct answers to the questions readers most often ask about post-quantum cryptography on a VPN — covering both the technology and OllaVPN's specific implementation.

Does PQC make my connection slower? Negligibly. The X25519 + ML-KEM-768 hybrid handshake adds roughly 1-2 milliseconds to the initial connection setup vs a classical handshake on modern hardware. After the handshake is complete, the session uses the same fast ChaCha20-Poly1305 symmetric cipher that WireGuard always uses — no ongoing PQC cost per packet. You will not notice the difference in everyday use.

Does PQC change how much battery the VPN uses? No measurable difference. The handshake happens once per session (or once every two minutes during key rotation), and the additional ML-KEM-768 work is well under a millisecond of CPU. On an Apple Silicon Mac or a modern Android device the overhead is undetectable in battery accounting. On older Intel hardware it adds perhaps 0.1% to total VPN-related battery impact, which is again undetectable.

If the quantum computer never arrives, was PQC a waste? No, for two reasons. First, the cost was negligible (see above), so even in the worst case the downside is small. Second, the relevant question isn't "will quantum computers arrive" but "will at least one cryptographically-relevant quantum computer arrive within the useful lifetime of today's captured ciphertext." Most experts put that probability between meaningfully-possible and likely; the conservative posture is to defend against it.

Will PQC need to be replaced as quantum technology advances? The current ML-KEM-768 parameter set is designed for security comparable to AES-192 against both classical and quantum attacks. If cryptanalysis substantially weakens it (which would require fundamental advances in lattice-problem mathematics), NIST would publish a successor and we would integrate it the same way we integrated ML-KEM-768. The hybrid construction means the cost of a graceful transition is low.

Is OllaVPN's PQC certified by NIST? NIST certifies algorithms, not implementations. ML-KEM-768 is the NIST-standardized algorithm (FIPS 203). Our implementation uses the NIST reference code with the standardized parameters; the algorithm itself is the certified piece. If you want a FIPS-validated implementation specifically (some US government use cases require this), you would need a FIPS-validated cryptographic module — none of the consumer VPNs ship one of these for their data plane.

Does PQC protect me against an attacker who is already inside my device? No. PQC protects the cryptographic session keys against future quantum attacks on captured ciphertext. An attacker who has compromised your operating system or your browser is reading your plaintext before it ever enters the tunnel — PQC, classical encryption, and the tunnel itself are all irrelevant in that case. Use endpoint security (an up-to-date OS, a reputable browser, anti-malware on Windows) as a complement to a VPN.

What's the difference between PQC and quantum key distribution (QKD)? Different defenses against the same threat. PQC uses classical mathematics (lattices, hash functions, codes) believed to be hard for quantum computers. QKD uses quantum-mechanical effects to detect eavesdropping on a key-exchange channel. PQC works over the existing internet without special hardware; QKD requires dedicated optical links between the two endpoints. For consumer VPNs, PQC is the only practical option. QKD is research and government infrastructure, not consumer technology.

Does PQC interact with TLS for the website I'm visiting? No. The OllaVPN tunnel and the TLS connection to the destination website are independent layers. The tunnel protects your traffic from your ISP and from the local network; TLS protects your traffic from anyone observing between the OllaVPN exit and the destination. TLS in 2026 is starting to ship its own PQC hybrid (Cloudflare and Google are early adopters), but that is a separate rollout. Both can help; both are valuable; neither makes the other redundant.

Why ML-KEM-768 specifically, instead of -512 or -1024? ML-KEM-768 is NIST's recommended general-purpose parameter set, providing security comparable to AES-192. ML-KEM-512 is comparable to AES-128 and is faster but with a smaller security margin. ML-KEM-1024 is comparable to AES-256 and is stronger but with larger handshake packets. For consumer VPN use, ML-KEM-768 is the right balance. The same choice is what Mullvad and ProtonVPN made.

Will OllaVPN switch to PQ-WireGuard when it standardises? Yes. The IETF is actively working on a standardised PQ-WireGuard extension that would obsolete our small fork off upstream wireguard-go. When that standard ships and stable implementations are available, we will migrate to the standard and our fork will be retired. The user-facing behavior will not change; the maintenance burden on our side will decrease.

About this guide

This guide is maintained by Nathan Pratt, OllaVPN's Privacy & Security Lead. The cryptographic claims (X25519, ML-KEM-768, FIPS 203, the hybrid handshake construction, the wireguard-go fork) were fact-checked against the production codebase by Hannah Wu, Senior Security Engineer, during the June 2026 update cycle. We refresh this page quarterly. Last full re-evaluation: 23 June 2026.

Cross-references for deeper reading: the technology stack page covers the complete OllaVPN architecture beyond just PQC. The PQC pillar blog covers the cryptography fundamentals in plain English. The best free VPN 2026 guide covers the competitive landscape including PQC support across operators. The Mullvad vs ProtonVPN comparison includes their respective PQC implementations as a point of comparison.

If you spot a factual error — a cryptographic parameter that's drifted, an algorithm name that's been renamed in a NIST revision, an implementation claim that no longer matches the code — email guides@ollavpn.com and we will correct it in the next refresh.

Why we publish this level of detail. Most VPN marketing pages on PQC stop at "we support post-quantum encryption" without naming the algorithm, the parameter set, the construction (hybrid vs pure), the implementation library, or the wire-level evidence a curious reader can verify. We publish the details because the privacy-conscious reader who actually evaluates these claims is exactly the reader we want — and the privacy-conscious reader has been burned enough times by under-specified marketing claims that they default to skepticism. The remedy for skepticism is verifiable detail. This page is our attempt to provide that detail.

One last note on integrity. If at any point our PQC implementation regresses, gets superseded by a stronger standard we have not adopted, or is found to have a bug we have not fixed promptly, we will update this page to reflect that — even when the update is unflattering. The honesty calculus on a privacy product is the same as for a backup product: the time to find out it didn't work is not when you needed it. We would rather lose a reader to an honest disclosure of a temporary regression than retain them through silence.

Want this on your device?

OllaVPN is free forever for 1 device. No card, no email tricks.

Get OllaVPN free Or see all plans