On paper it’s hard to beat a VPN service like NordVPN. It has a large and diverse collection of servers, an impressive arsenal of rarely seen tools, strong privacy and security practices, and approachable clients for every major platform. After a data breach, the company says it stepped up its security game, putting it in a good position for the future. Its challenge now is rebuilding trust, which takes longer than setting up new servers. Still, it’s an excellent service, and one that performed well in our testing.
What Is a VPN?
When you switch on a VPN, it creates an encrypted tunnel between your computer and a server controlled by the VPN service. All your web traffic is routed through this tunnel, meaning that no one—not even someone on the same network as you—can sneak a peek at your data. It also prevents malicious network operators from intercepting your information or using DNS poisoning techniques to trick you into visiting phishing pages. A VPN even protects your web traffic from being monitored by your ISP, which is critically important now that ISPs can sell anonymized user data.
NordVPN Pricing and Features
NordVPN offers four pricing tiers: $11.95 per month, $83.88 annually, $119.76 every two years, or $125.64 every three years. The company accepts credit cards, various anonymous cryptocurrencies, and PayPal, as well as other online payment methods.
As of this writing, the average price for a VPN service is about $10.10 per month and $73.05 per year, putting a NordVPN subscription well above most other VPN services. Some VPNs cost significantly less. Kaspersky Secure Connection, for instance, is just $4.99 per month. Windscribe VPN, alternatively, lets you build your own plan to fit your budget.
If that’s still too pricey, a few free VPNs are worth considering, with ProtonVPN being foremost among them. While all free VPNs have some kind of limitation, ProtonVPN is the only one I’ve tested that doesn’t limit the amount of data free subscribers can use. NordVPN has discontinued its free trial offering, stating that scammers were taking advantage of it. Instead, the company offers a 30-day money-back guarantee.
You can use up to six devices simultaneously on NordVPN, though there are some limitations concerning connecting multiple devices to the same server at the same time. Most VPN services limit you to five simultaneous connections, but that’s starting to change. Avira Phantom VPN, Encrypt.me VPN, Surfshark VPN, and Windscribe VPN allow an unlimited number of devices. Most services let you add more device slots to your subscription for a fee, but NordVPN does not give you that option.
One of the perks of using a VPN is that your actual IP address is hidden from the outside world. Some people may also want a static IP address, which NordVPN can provide for $5.83 per month ($69.96 per year). NordVPN offers dedicated IP addresses in France, Germany, the Netherlands, the United Kingdom, and the United States.
VPN Protocols
There are several ways to establish a VPN connection, and my preference is for services that use the OpenVPN protocol, which is open source and therefore has been thoroughly examined for potential problems. NordVPN supports OpenVPN and my second-best choice, IKEv2/IPSec, on all platforms.
The new hotness in the world of VPN protocols is WireGuard. This technology is still under development, but NordVPN is already tinkering with the technology. I’ve done some limited testing of NordVPN’s Linux implementation of WireGuard and the results were, frankly, astounding. A company representative informs me that WireGuard is now available in the company’s iPhone app, too.
VPN Servers and Server Locations
Part of what you’re paying for when you buy a VPN subscription is access the company’s network of VPN servers. The best services offer lots of server locations, giving you many options for spoofing your location and improving the odds that there will be a server near your actual, physical location. That’s important, because the closer you are to the VPN server you’re using, the better performance you’re likely to experience.
NordVPN lets you select one from a list of 59 countries. The bulk of NordVPN’s servers are in the US and the UK, which is not unusual for VPN companies. However, NordVPN also has a good mix of servers the world over, covering several locations across Asia, Central and South America, Central and Eastern Europe, and a handful in India and the Middle East. The company currently offers one location in Africa (South Africa), a region ignored by most other VPN services.
NordVPN provides good geographic diversity with its servers, but other VPN companies outshine it. ExpressVPN, for example, covers 94 countries.
One notable feature of NordVPN is that it has around 5,300 servers available. That’s second only to CyberGhost’s network of 5,900 servers. VPN services spin up new servers on an as-needed basis, so the total number of servers is partly a reflection of how popular a service is. Ideally, a large pool of servers ensures that no one server becomes overcrowded. You can’t correlate performance directly to server count, but the sheer size of NordVPN’s network suggests that you’re unlikely to encounter an overburdened server.
While most of us think of a server as a physical box with computer guts inside, it’s also possible to create multiple virtual servers hosted on a single, physical machine. Many VPNs use virtual servers to keep up with demand, but some VPNs configure their virtual servers to appear in a different country than the physical machine that hosts them. Virtual servers aren’t necessarily a bad thing, but it should be clear to users where exactly their data is headed.
A NordVPN representative told me that all of its servers are dedicated, and none are virtual servers. That means that the servers are physically located where they claim to be. Other services approach virtual servers differently. ExpressVPN has three percent of its servers in locations other than where they are listed, and offers a list of those servers’ true locations. HMA VPN, on the other hand, claims to have servers in 190 countries, but only has physical hardware in 56 sites.
VPNs are sometimes used to bypass government censorship by connecting to a VPN server in another country. We don’t make a specific recommendation for a VPN to bypass government censorship, because the stakes of getting it wrong are simply too high. NordVPN does provide obfuscated servers designed to be accessible from within China.
Notably, NordVPN offers servers in Hong Kong, Turkey, and Vietnam, all of which have restrictive internet policies. Connecting to one of these servers will not bypass censorship, but it could provide a modicum of privacy when browsing the web within those countries.
Beyond VPN
NordVPN’s best feature is the variety of additional tools it provides for improving your privacy. It and ProtonVPN are the only two VPN companies that provide direct access to the Tor anonymization network. This makes it even harder to trace your connection, and it lets you access hidden websites, though at greatly reduced speeds.
If Tor isn’t already overkill (and in many cases, it is) NordVPN also offers multihop connections, which it calls Double VPN. This way, if one leg of the connection is somehow compromised, you can be assured that your connection is still secure. IVPN, Mullvad VPN, ProtonVPN, Surfshark VPN, and VPNArea all offer this feature. ProtonVPN is notable for the extreme lengths it goes to secure its multihop connections, in some cases storing secure servers in an old NATO bunker. Whether that’s safer than the average server farm is open to discussion.
In addition to its network protections, NordVPN offers malicious site protection with the CyberSec tool. We don’t test the efficacy of malicious site blocking, but it’s nice to see. It is not, however, a replacement for standalone antivirus or a dedicated tracker blocker. NordVPN also offers standalone products: an encrypted file vault called NordLocker and the NordPass password manager.
2018 Server Breach
In October 2019, a Tweet storm surfaced alleging that NordVPN and TorGuard VPN servers had been breached in 2018. NordVPN confirmed that its VPN server in Finland had a remote access feature that the company was not aware of, which was used by an attacker to access this one server. The upshot is that the attacker could potentially have observed the traffic moving through that server, and used the TLS keys to launch a man-in-the-middle attack. NordVPN says there is no evidence that either event occurred, and would have been prohibitively difficult.
In this era, it’s unfair to judge a company too harshly for security incidents because attacks are a frequent occurrence. It’s better to judge a company on how it handles a security issue, rather than hold them to the impossible standard of perfection. And it’s in that way that NordVPN fell short. The company took over a year to disclose the incident, and the only after being called out on social media. While a company representative tells me that NordVPN has learned its lesson about disclosing security events, it will take some time to rebuild its damaged reputation.
Since the breach was disclosed, NordVPN has taken several steps to improve its security and win back the trust of the public. In addition to the privacy practices outlined below, NordVPN has launched a bug bounty program with HackerOne, to reward people who disclose potential vulnerabilities.
The company has also made moves to harden its infrastructure. A company representative tells me that NordVPN is in the final stages of auditing the datacenters it contracts with and terminating relationships with vendors it deems unsafe. NordVPN is also building a network of collocated servers exclusively under the company’s control. Additionally, NordVPN has pledged to undergo an audit of its infrastructure which, I am told, includes “the audit of infrastructure hardware, VPN software, backend architecture, backend source code, and internal procedures.” In a similar vein, the company is switching to diskless servers, which are run only on RAM. That way, if a server is disconnected, there’s nothing left to examine. This effort, I am told, is ongoing and rolling out “slowly.”
Finally, NordVPN joined with several other VPN companies to form a trade group called the VPN Trust Initiative. Its aim, among other things, is to set standards for the industry, perhaps bringing some clarity to this rather opaque world.
These are all excellent improvements, and NordVPN will a better company for them. While all of these show a good-faith effort from NordVPN, most of these initiatives have yet to be completed.
For a much deeper dive into the breaches, please read NordVPN and TorGuardVPN Breaches: What You Need to Know.
Your Privacy With NordVPN
When you use a VPN, it has as much insight into your online activities as your ISP does. If it desired, it could examine every bit of information passing through its system. It also can potentially identify you to another party (read: law enforcement), making it possible to track you online. That’s why it’s important that before you buy a VPN subscription, you understand and are comfortable with the steps the company takes to safeguard your privacy.
In general, I’m satisfied with NordVPN’s stance on privacy and the efforts it makes to protect customers. It is difficult, however, to fully endorse the privacy practices of any given VPN company. To do so would require deep access to the company’s code and hardware, as well as the technical expertise to interpret it all. As always, however, you as the consumer should ask yourself whether or not you are comfortable with trusting any given company with your personal information.
NordVPN operates under the legal jurisdiction of Panama, where there are no laws requiring the company to retain data for any period of time. The company says that were it to be subpoenaed, it would only respond to a court order or subpoena issued by a Panamanian court. Furthermore, the company says it holds no information on user activity.
The NordVPN privacy policy states that the company does not log “connection time stamps, session information, used bandwidth, traffic logs, IP addresses or other data.” Instead, NordVPN retains the username and time of the last session, but only for 15 minutes after you disconnect from the VPN. That’s good. All of this information is available in the company’s privacy policy.
A representative from NordVPN assured me that the company does not profit from the sale of user data. The company does not generate revenue from sources other than customer subscriptions.
In November of 2018, NordVPN announced that it had passed a third-party audit of its no-log policy by PricewaterhouseCoopers, with a second audit. NordVPN has said it intends to do such audits annually. In October, 2019, the company also underwent an audit of its apps by VerSprite. Penetration testing revealed several vulnerabilities the company patched. NordVPN joins several VPN companies, including TunnelBear VPN, that are undertaking similar audits. We appreciate these efforts at improved security and transparency, though it’s worth noting that not all audits are created equal. Still, NordVPN’s continued efforts are laudable.
NordVPN also does not make it easy to find the name of its parent company, or information on corporate leadership, on its website. A company representative told me that it is owned by Tefincom S.A., however. NordVPN does not issue transparency reports about requests for informations by law enforcement, but does maintain a warrant canary that indicates it has not received any National Security letters, gag orders, or government-issued warrants. A company representative told me it has not received any government or law enforcement requests for information.
NordVPN says that its policy is to disclose any security incident “that involves the data of our customers immediately after the vulnerability is patched.”
Security is really an issue of trust. Even if a company does everything right, it doesn’t matter much if you, the customer, don’t trust them. We recommend that consumers consider this information, and choose a service based on which company they feel they can trust.
Hands On With NordVPN
While you can always opt to manually set up your VPN, I highly recommend using apps provided by the VPN company. These are not only easier to use, they do all the hard work of staying up to date, and they let you access features beyond VPN protection that you simply can’t get at via a manual installation. I used a Intel NUC Kit NUC8i7BEH (Bean Canyon) laptop running the latest version of Windows 10.
NordVPN has always offered an excellent user experience with its apps, regardless of the platform you use. The Windows client shares a lot of design features with the NordVPN mobile apps, with a monochrome blue map as its focus. It’s a bit whimsical, with submarines and ships on the cartoon seas, but it’s an easy way to select the server you want.
Clicking the Quick Connect option at the top of the screen or the System Tray connects you to the VPN server that NordVPN thinks is best (generally, the closest). That’s a great option for people unfamiliar with VPN services. You can change servers by clicking a location on the map, or with the search bar at the top of the screen if your geography skills are lacking. NordVPN’s specialized servers are at the top of the list, putting them within easy reach. I like that NordVPN gives you the option to drill down to specific cities and servers, and that it shows the current load on those servers.
NordVPN does not support split tunneling, which lets you designate which apps send their traffic through the VPN tunnel and which do not. It’s useful for apps that require a more robust connection but don’t need additional security, such as video games. TunnelBear($4.99 Per Month at TunnelBear) and ExpressVPN include this feature. The client also includes a Kill Switch that shuts off access to the internet for specific applications, should your computer become disconnected from the VPN.
One concern is that your VPN may be leaking your true IP address or DNS information. In my testing, NordVPN successfully changed my IP address and hid my ISP information. The DNS leak test tool indicated that the server I was connected to did not leak my DNS information.
NordVPN and Netflix
I am pleasantly surprised that Netflix did not block me from streaming content while I was connected to a US-based NordVPN server when I tested it. That’s great, because Netflix blocks VPNs aggressively. Previously, I was able to stream content from Netflix while connected to NordVPN servers in Australia, Canada, Japan, and the UK. In the past, it has been the most compatible with Netflix, but that could change at any point as Netflix often manages to block services that previously worked well.
Speed and Performance
When you use a VPN, it will have an effect on your web browsing performance. To get a sense how great an impact a VPN has, we conduct a series of speed tests using the Ookla speedtest tool. (Note that Ookla is owned by Ziff Davis, which also owns PCMag.) We explain our speed testing methodology in depth in our piece on How We Test VPNs.
In my testing, NordVPN performed very well while connected to a local server. It’s in the top ten fastest VPNs. It reduced download speed test results by 63 percent and upload speed test results by 57.3 percent. My tests showed that NordVPN increased latency by 67.5 percent. NordVPN beats the median result in all categories, though it was very close in some cases.
You can see how NordVPN compares in the chart below with the top performers among the over 40 services we tested. Note that these are ranked by download results, in descending order.
My tests showed that Hotspot Shield VPN is the fastest VPN, having the smallest impact on both download speeds and latency. Surfshark VPN, notably, snuck in excellent upload speed test results. That said, speed alone shouldn’t be the only criteria you use to choose a VPN. Value, ease of use, and a commitment to privacy are far more important factors.
NordVPN on Other Platforms
NordVPN supports Android, Chrome, Firefox, iOS, Linux, macOS, and Windows. Notably, its iOS client supports WireGuard. NordVPN’s mobile clients both allow you to purchase full subscriptions through their respective app stores. Alternatively, you can configure some routers to connect via NordVPN. Doing so supplies coverage for all the devices on your network, including smart home devices that can’t run a VPN on their own.
NordVPN also offers plugins for Firefox and Chrome. Note that, like all proxy browser plugins, the NordVPN plug-ins only secure the traffic of those respective browsers.
An Excellent VPN
NordVPN has long been at the top of PCMag’s ranking of VPNs, and it’s easy to see why. It commands an enormous fleet of servers across the globe, and takes a kitchen sink approach to security features. It does all that while not ignoring the user experience, featuring simple, approachable apps that anyone can get the hang of in a few seconds. The company is also looking forward, incorporating new technology like WireGuard into its core products.
Historically, the only drawback to NordVPN has been its price, which is still significantly higher than the average. That all changed in 2019, when the details of a server breach from the previous year emerged. The threat to users from the breach is debatable, and the steps that the company has since taken to secure its infrastructure may mean that the company is on firmer footing for security and privacy than ever, but the enormous delay in disclosing the incident is far more concerning. Every product or company is going to have some kind of security failure eventually, what matters is how the failure is handled. NordVPN initially fell short in its response, and while it remains an excellent product, it now has to follow through on the fence-mending work of rebuilding trust.
0 Comments