NordVPN Review (2023)
NordVPN has more VPN server locations than its main rivals and is particularly good for US sports fans who want to avoid fixture blackouts on streaming services. The user-friendly NordVPN app offers split tunneling, a Tor interface, a double VPN option, and security features to protect torrenting, gaming, streaming, and any other online activities, making this one of the best secure VPN service providers in the world.
What we like
- A large number of servers
- Threat protection with a proprietary security system called CyberSec
- Split tunneling
- Obfuscated servers for China and other locations where VPNs are discouraged
- No-logs policy
- Automatic wi-fi protection
What we don't like
- Parts of the server network have poor download speeds
- No servers in India
- Onion over VPN can be slow
| Price: | $3.99 – $13.99 per month |
| Refund period: | 30 days |
| Based in which country: | Panama |
| # devices per license: | 6 |
| Server locations: | 81 locations in 59 countries, including the USA, UK, Germany, Canada, Australia, and Hong Kong |
| Streaming sites unblocked: | Netflix, Hulu, Disney+, BBC iPlayer, Amazon Prime, ABC |
| Supports torrenting: | Yes, on specific servers |
| Does VPN keep logs: | No |
| 24/7 customer support: | Yes |
NordVPN started up operations in Lithuania 12 years ago, and it is a property of Nord Security. The VPN service has a much stronger cybersecurity angle than rival systems, and recently NordVPN has been developing business systems, offering a secure access service edge (SASE) package, which deploys VPN technology to protect cloud-based applications.
The provider included unique security tools that make this one of the best VPN services on the market. These include the option to create a double hop VPN and to access the Tor network through a VPN connection. All NordVPN subscription plans include malware protection systems based on the CyberSec package, which scans sites for malware, blocks pop-ups, trackers, and cookies, and scans data transfers for viruses. The app offers automatic wi-fi protection and a kill switch that prevents unprotected connections from occurring.
Other functionalities offered by NordVPN include a password manager, a tracker and ad blocker, NordVPN servers optimized for torrenting, and obfuscation procedures to evade detection. The VPN provider also offers an option for a dedicated IP address.
The desktop interface for the VPN service features a cheerful map of the world: zoom in, zoom out, and scroll to find a country, then click on it to get connected. Alternatively, the user can open a list of locations to select a server. NordVPN also includes a Dark Web Monitor that alerts you if a data breach has placed your personal details on hacker marketplaces.
The mobile apps for the VPN look exactly the same as the desktop interface.
Privacy and security
NordVPN's security and privacy rest on several layers. These range from the choice of legal domicile to the treatment of the IP packets that make up communication over the internet.
The VPN provider’s official headquarters in Panama is actually a legal dodge to minimize the service’s exposure to prosecution for copyright infringement. The main offices of the service are still in Europe, with a large site in Lithuania and major branches in the UK, the Netherlands, and Finland.
Although NordVPN has its legal domicile in Panama, it doesn’t operate a VPN server there. This is because Panama is not entirely without anti-piracy legislation. However, copyright lawyers would still need to fly to Panama to implement their court case there because the company doesn’t have a legal presence in most of the countries where the VPN network has servers, which are all outsourced.
Nord Security is switching over to running its own servers. However, these are intended for use with the NordVPN Business package, and all are located in Finland.
VPNs are constructed with a set of standards called VPN protocols, and NordVPN offers a selection of these. The user can decide to switch to a specific protocol or just leave the app to select the most appropriate option for the current. The NordVPN app offers three protocol options:
- OpenVPN – This is the most widely-used protocol for VPNs. It is an open-source system that is based on the OpenSSL library. SSL is the system that protects eCommerce websites and has Transport Layer Security (TLS) at its heart as an authentication and encryption system. This system operates over TCP.
- NordLynx – The NordLynx protocol was created by NordVPN and released in 2019. It is based on the WireGuard protocol. WireGuard was only released in 2019, so NordVPN’s adaptation came very quickly after that. WireGuard is an open source system, which means anyone can adapt it as NordVPN did – NordLynx is also an open source system. The main encryption cipher used for this protocol is ChaCha20. This protocol runs over UDP.
- IKEv2/IPSec – This combination of two complementary protocols is implemented especially for use with mobile devices. The lighter processing of IKEv2 is less of a drain on the batteries of mobile devices. IPSec is an Internet Layer protocol, which means that it runs at a lower level than the session control features of TCP, and so it is a UDP system. IKEv2 is a key exchange system that sits on top of IPSec.
A note on internet protocols
The main set of rules that govern the movement of data across the internet is called TCP/IP. This is a family of protocols grouped in two levels – the Internet Layer and the Transport Layer.
The most important protocol of the Internet Layer is the Internet Protocol. This is where the “IP” that you see everywhere comes from, like IP address and IPSec (Internet Protocol Security).
Connection encryption systems usually belong to the TCP group of protocols because this group maintains a session. TCP stands for Transmission Control Protocol. This is a connection-oriented protocol because it maintains data about a session between two endpoints. TCP provides assurance because it enables the receiver to know the intended order of packets and whether a packet got lost.
TCP is good, but it can delay the receipt of data, so some applications prefer not to use it. Without TCP, a communication is termed “connectionless,” and its Transport Layer feature is governed by the User Datagram Protocol (UDP).
These few facts offer a little insight into the differences between the protocols used by NordVPN. Network protocols don’t relate to the activities of applications, which sit on top of TCP/IP. Application data goes in the data payload of an IP packet, a Transport Layer header goes on the front of that, and an IP header goes on the front of that.
The difference between privacy and security is that security requires the data payload of a packet to be encrypted, and privacy requires the entire packet to be encrypted, including the header.
NordVPN explains that it adapted the WireGuard protocol by adding a double network address translation process (more about that later). This implies that NordLynx uses the same session encryption cipher as WireGuard. The WireGuard system uses ChaCha20 for encryption. However, NordVPN doesn’t mention ChaCha20 anywhere in its publicity about NordLynx.
The only encryption system that NordVPN admits to is AES. This is the Advanced Encryption Standard, which was commissioned by the US government for its own use. The AES system is judged to be the strongest encryption cipher in the world. It protects the internet communications of the secret services and the military.
An encryption cipher transforms text so each character is translated into another. In a very basic format, you could think of a lookup table that would include records such as A = Q, B = 4, C = V, and so on. In order to reverse the encryption, the receiver needs the same cross-reference table used to create the encrypted message.
In computerized encryption systems, the translation is implemented with a formula, like X = Y + 7 ^ Z. The formula is published and known to everyone. To transform the character Y into X, the sender needs to pick a value for Z. To decrypt the message, the receiver needs to know Z. This is called the key.
AES is a lot more complicated than the formula explained above. However, the important variation that stops outsiders from decrypting a message is the key. Those interlopers can try to guess the key through trial and error. A longer key makes it harder to guess. Encryption keys are measured in bits; the longest key length available for AES is 256 bits. This is expressed as AES-256, and it is the encryption cipher that NordVPN uses. This is uncrackable.
Session establishment encryption
AES-256 is very secure. However, it has a procedural weakness that can give snoopers and government agencies a chance to decipher all of your encrypted communications. As you can see from the description of how encryption works, the same key is used for encryption and decryption, so both sides in a secure connection need to share the key.
How do both sides of a connection get the same key? One side needs to generate the key and send it to the other side. So, anyone that wants to decrypt all communications just needs to intercept that key when it is being sent. If outsiders can capture the encryption key, an encryption cipher is completely useless and offers no security.
AES is what is called a symmetric key cipher – that means both sides need the same key. While NordVPN encrypts its sessions with AES-256, it uses a different encryption system for session establishment. This is called Diffie-Hellman (DH) key exchange.
Diffie-Hellman is a public key system. This type of encryption method uses a different key to decrypt data than the one that was used to encrypt it. You can't guess the decryption key if you know the encryption key. Thus, you can publish the encryption key, others can use it, and then only you can decrypt it. The encryption key is known as the public key, and the decryption key is known as the private key.
The most widely-used public key encryption system is known as RSA. DH is stronger than RSA because it requires both sides to apply the key to a connection – the public key of A is combined with the private key of B and vice versa.
Public key encryption systems can be cracked faster than symmetric key systems, so their keys need to be a lot longer. Typical key lengths for RSA and DH are 1024 bits, 2048 bits, and 4096 bits. NordVPN uses a 4096-bit DH cipher for its session establishment procedures.
The DH encryption protects the transmission of the AES key when you connect your VPN app to a VPN server in the NordVPN system. This public key system has an additional purpose because it is used to enable both sides in a connection to prove their identities.
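How two sides of a 4096-bit Diffie-Hellman exchange end up holding the same AES-256 key without the key itself ever crossing the network, as an added example that is not NordVPN's code. It assumes the 4096-bit MODP group 16 of RFC 3526 (the review gives only the key length), rebuilt from the RFC's formula rather than pasted as hex, and HKDF-SHA256 with a constructed label to turn the shared secret into 32 key bytes.

```python
import hashlib
import hmac
import secrets

def pi_floor(bits):
    """floor(pi * 2**bits), computed with Machin's formula on integers."""
    guard = 64                                   # extra bits absorb rounding error
    one = 1 << (bits + guard)
    def arctan_inv(x):                           # arctan(1/x), scaled by `one`
        total = term = one // x
        x2, n, sign = x * x, 3, -1
        while term:
            term //= x2
            total += sign * (term // n)
            n, sign = n + 2, -sign
        return total
    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> guard

# RFC 3526 group 16: p = 2^4096 - 2^4032 - 1 + 2^64 * (floor(2^3966 * pi) + 240904)
P = (1 << 4096) - (1 << 4032) - 1 + ((pi_floor(3966) + 240904) << 64)
G = 2

def keypair():
    """Private exponent stays local; only the public value g^x mod p is sent."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= p - 2
    return priv, pow(G, priv, P)

def hkdf_sha256(ikm, info, salt=b"\x00" * 32):
    """HKDF (RFC 5869) limited to one 32-byte output block."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def shared_key(my_priv, peer_pub):
    """Combine my private value with the peer's public value into an AES-256 key."""
    # Refuse degenerate values (0, 1, p-1) that would force a predictable secret.
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("peer public value out of range")
    secret = pow(peer_pub, my_priv, P)
    # The label below is constructed for this example.
    return hkdf_sha256(secret.to_bytes(512, "big"), b"example vpn session key")

def demo():
    client_priv, client_pub = keypair()
    server_priv, server_pub = keypair()
    # Only client_pub and server_pub travel over the wire.
    k_client = shared_key(client_priv, server_pub)
    k_server = shared_key(server_priv, client_pub)
    return client_pub, server_pub, k_client, k_server

if __name__ == "__main__":
    _, _, k1, k2 = demo()
    print("keys match:", k1 == k2, "| key length in bits:", len(k1) * 8)
```

The exchange on its own does not prove who sent each public value; that comes from signing or certificate-checking the exchange, which is the authentication step discussed next.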
The purpose of authentication procedures is to block a snooping strategy called a “man-in-the-middle attack.” In this, a hacker convinces the client that it is the server. It then contacts the server and masquerades as the client. The hacker passes through traffic on both sides, injecting its own data wherever it wants to.
The DH system enables each side to prove its identity through a challenge. Side A gets side B’s public key; if side B really is the server and not a hacker that has diverted traffic to it, it holds the private key that corresponds to that public key. So, side A encrypts a challenge with the public key and sends it. An interceptor doesn’t hold the decryption key and so cannot decrypt the challenge and answer it.
So, NordVPN customers are protected from man-in-the-middle attacks as long as they have the VPN system turned on and protect all of their traffic.
You just heard about hackers trying to divert traffic. Hackers aren’t the only people who do this. Government agencies and even internet service providers (ISPs) do this too.
Increasingly, parts of the Web are being shut off and blocked. Websites that do nothing wrong and have nothing to do with terrorism or harmful activities are being blacked out without any legislation or public demand to remove those sites.
Surprisingly, there are many ISPs that block access to the website of NordVPN. Many also block access to bestvpn.org. This is because the governments of the world do not want the general public to find out about VPNs because they enable people to bypass government controls on the World Wide Web. For example, Virgin Media, the third largest ISP in the UK, blocks access to bestvpn.org and NordVPN.com even though both of those websites are perfectly legal. Virgin Media’s broadband system serves 5.42 million households, and it is part of Liberty Global.
ISPs can make a website inaccessible by manipulating DNS records. DNS is the Domain Name System. It reconciles an addressing issue with the World Wide Web. The Web is not the same as the Internet. If you remember our description of internet protocols, the Web is an application. Its data goes in the payload of an IP packet. The Web is not part of the internet, it is an application that is transported across the internet. Think of the Web as a vehicle and the Internet as the road.
Web addresses mean nothing to the routers on the internet – only IP addresses matter. So, before a Web browser can go out and get the page for the address you entered, it needs to find the IP address for that site. The DNS provides the cross-reference between Web addresses and IP addresses.
The DNS system starts local and then searches further and further away until it finds the reference. There is a DNS server on your computer, which is the most local to your browser. However, DNS is very big, so your local DNS server only holds address mappings for the devices on your local network and passes through Web address queries. The next closest server is specified by your ISP. The ISP can run its own DNS server or pass through to some other system.
Most ISPs run their own DNS servers. If they want to block a site, they don’t delete its DNS entry, they map it to an IP address that doesn’t exist or to an IP address owned by the ISP that has nothing at its location. If the DNS didn’t have a record for a site, your browser would then look at the next closest DNS server, and your ISP doesn’t want that to happen. Returning a useless IP address to a DNS query is called DNS sinkholing.
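A defender's check for the sinkholing described above, as an added example that is not part of the original review: it compares the A records an ISP resolver returned with the answers a reference resolver gave for the same names (for instance, one reached through the VPN tunnel) and flags the two patterns the text describes. The domain names, addresses and verdict labels are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Ranges that can never host a public website (a working subset, not exhaustive).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

def non_routable(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)

def find_sinkholes(isp, reference):
    """Compare answers per domain. Both arguments map domain -> list of IPs."""
    # One address handed out for several unrelated names is typical of a sink.
    reuse = Counter(a for answers in isp.values() for a in set(answers))
    verdicts = {}
    for domain, answers in isp.items():
        got, ref = set(answers), set(reference.get(domain, []))
        if not got:
            verdicts[domain] = "no-answer" if ref else "unknown"
        elif any(non_routable(a) for a in got):
            verdicts[domain] = "sinkholed:non-routable"      # address that cannot exist
        elif got & ref:
            verdicts[domain] = "ok"                          # resolvers agree on a host
        elif any(reuse[a] > 1 for a in got):
            verdicts[domain] = "sinkholed:shared-address"    # ISP-owned dead end
        else:
            verdicts[domain] = "mismatch:check-manually"     # may be CDN variation
    return verdicts

# Constructed sample data: answers as the two resolvers might return them.
ISP_ANSWERS = {
    "news.example": ["203.0.113.10"],
    "video.example": ["203.0.113.20", "203.0.113.21"],
    "vpn-review.example": ["0.0.0.0"],
    "poker.example": ["198.51.100.1"],
    "torrent.example": ["198.51.100.1"],
    "cdn-hosted.example": ["203.0.113.77"],
}
REFERENCE_ANSWERS = {
    "news.example": ["203.0.113.10"],
    "video.example": ["203.0.113.21", "203.0.113.22"],
    "vpn-review.example": ["203.0.113.30"],
    "poker.example": ["203.0.113.40"],
    "torrent.example": ["203.0.113.50"],
    "cdn-hosted.example": ["203.0.113.78"],
}

if __name__ == "__main__":
    for name, verdict in find_sinkholes(ISP_ANSWERS, REFERENCE_ANSWERS).items():
        print(f"{name:22} {verdict}")
```

A plain mismatch is not proof of blocking, because large sites return different addresses to different resolvers, so that verdict is left for manual follow-up.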
NordVPN runs its own DNS server. This is set as the default DNS server for your browser, and it doesn’t miss out on the sites that you want to access. This includes torrenting, gambling, and poker sites that you might want to access but the government doesn’t want you to reach. In some countries, even Twitter, Facebook, and WhatsApp are blocked by DNS sinkholing.
Once you establish a connection to a VPN server, NordVPN creates a tunnel for all traffic, and that includes DNS queries. From the point that traffic leaves your computer to the point that it arrives at the VPN server, your communications are kept private.
Remember that internet privacy involves encrypting the headers of IP packets. This is because anyone who can read IP headers can see which Web servers you are contacting and which websites your browser is requesting. This is important information.
ISPs are obliged by law to record the IP addresses and, therefore, the websites that each of their customers accesses. The length of time that these records need to be kept varies according to jurisdiction. The purpose of these records is to give government agencies and copyright lawyers time to investigate the Web activities of the general public.
When your VPN is turned on, the client program on your device entirely encrypts each packet that it sends out. If the destination address in the header is encrypted, your ISP can’t log your visit to that site. However, the routers on the internet can’t read that address either.
The VPN client puts that encrypted packet into the payload of another packet. That outer packet is addressed to the NordVPN server that you selected before turning the VPN on. Your ISP will record a connection to the NordVPN server, and it can’t tell what you are doing.
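The wrapping described in the last two paragraphs, as an added example that is not NordVPN's code: the whole inner packet is encrypted, carried as the payload of an outer packet addressed to the VPN server, and then parsed the way an on-path ISP would see it. It is a simplified model: ChaCha20 from RFC 8439 without the Poly1305 authentication tag and handshake a real tunnel adds, and the framing (an 8-byte counter ahead of the ciphertext, UDP port 51820), the key and all addresses are assumptions.

```python
import ipaddress
import struct

# ChaCha20 stream cipher (RFC 8439): column rounds, then diagonal rounds.
_ROUNDS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def _rotl(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))

def _quarter(s, a, b, c, d):
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xFFFFFFFF
        s[z] = _rotl(s[z] ^ s[x], r)

def chacha20(key, nonce, data, counter=1):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                                  + struct.pack("<I", counter + i // 64) + nonce))
        s = init[:]
        for _ in range(10):
            for idx in _ROUNDS:
                _quarter(s, *idx)
        block = struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(s, init)))
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)

def ipv4_packet(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header plus payload (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def parse_ipv4(packet):
    """What any router or logging ISP can read from a packet."""
    return {"src": str(ipaddress.ip_address(packet[12:16])),
            "dst": str(ipaddress.ip_address(packet[16:20])),
            "proto": packet[9], "payload": packet[20:]}

def tunnel_wrap(inner, key, counter, client_ip, server_ip, port=51820):
    """Client side: encrypt the entire inner packet, header included."""
    nonce = struct.pack("<4xQ", counter)          # 4 zero bytes + 64-bit counter
    sealed = struct.pack("<Q", counter) + chacha20(key, nonce, inner)
    udp = struct.pack("!HHHH", port, port, 8 + len(sealed), 0) + sealed
    return ipv4_packet(client_ip, server_ip, 17, udp)

def tunnel_unwrap(outer, key):
    """VPN server side: strip the outer headers and recover the inner packet."""
    udp = parse_ipv4(outer)["payload"]
    counter, = struct.unpack("<Q", udp[8:16])
    return parse_ipv4(chacha20(key, struct.pack("<4xQ", counter), udp[16:]))

# Constructed demo values; a real session key comes from the handshake.
KEY = bytes(range(32))
CLIENT, VPN_SERVER, WEBSITE = "192.0.2.10", "198.51.100.7", "203.0.113.80"

def demo():
    # Inner packet to the website (TCP header omitted to keep the example short).
    inner = ipv4_packet(CLIENT, WEBSITE, 6, b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n")
    outer = tunnel_wrap(inner, KEY, 1, CLIENT, VPN_SERVER)
    isp_view = parse_ipv4(outer)
    leaked = ipaddress.ip_address(WEBSITE).packed in outer or b"blocked.example" in outer
    return isp_view, leaked, tunnel_unwrap(outer, KEY)

if __name__ == "__main__":
    isp_view, leaked, server_view = demo()
    print("ISP logs a connection to:", isp_view["dst"], "| website visible:", leaked)
    print("VPN server forwards to:  ", server_view["dst"])
```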
Masking your activity on the Web can have another benefit, which is to improve your internet speeds while streaming. Some ISPs, particularly in the USA, have been proven to throttle traffic. That is, to reduce the bandwidth available to streaming connections.
Bandwidth throttling is difficult to detect because ISPs don’t do this on all traffic, so if you use a speed test system, such as Ping, the speed restrictions won’t apply. The VPN covers up streaming traffic, so your ISP can’t distinguish between types of traffic.
The VPN covers the trail of its users. However, anyone wanting to identify the users of a VPN service just needs to get a court order and force the VPN to hand over its records. Therefore, it is very important that the VPN service doesn’t keep any records.
When reading about VPNs, you will notice that they declare that they have a no-logs policy. This is a big deal in the VPN world because the authorities can’t grab their logs if they don’t have any.
A VPN needs to map between the IP address of a client and the representative IP address that is assigned to that client for use on packets that leave the VPN server on to its final destination. This record has to exist while the user is connected. With NordVPN, records are deleted 15 minutes after the client ends the VPN session.
The VPN has a record of all customers and flags whether the client has been connected to the server during the previous 30 days. This does not constitute a record of activity, and so NordVPN has a justifiable claim that it keeps no logs and doesn’t store user data. Authorities in Russia and India instituted requirements for VPN systems to keep activity logs. NordVPN refused to do this and shut down its servers in those countries instead. NordVPN also does not keep VPN servers in China, where operating such a service is a criminal activity.
You can install NordVPN on as many devices as you like, but only six can be connected to the service simultaneously. This is a high allowance and compares favorably with rival VPN services. There are NordVPN apps for these operating systems:
- Kindle Fire
There are also browser extensions available for:
- Microsoft Edge
The system can be set up manually on routers, and there are apps to let you use NordVPN on set-top boxes, including Android TV and all the major game consoles. While you download the desktop systems from the NordVPN website, you need to get the Android version through Google Play and the iOS version from the Apple App Store.
NordVPN offers 5,430 servers that are available in 81 locations based in 59 countries. The service has more locations in Australia than many other VPN systems – it has a presence in five cities there. In the USA, NordVPN has servers in 16 cities:
- Kansas City
- Los Angeles
- New York
- Saint Louis
- Salt Lake City
- San Francisco
There are three server locations in Canada.
Not all servers have the same capabilities. You are allowed to engage in P2P downloading on most servers but not all. A few of the servers have special obfuscation services on top of the regular encryption system, and even fewer can be included in a double hop VPN connection.
NordVPN offers dedicated IP addresses for an extra fee but only on servers in the USA, the UK, France, Germany, and the Netherlands.
We have already explained that governments and ISPs try to block your access to some websites and how NordVPN gets around those restrictions. However, there are many websites that impose their own bans on access. This is usually related to laws over legal access to specific services in specific locations and is mostly found with streaming services.
You will find that you are not allowed to access a streaming service for a country that you are not in. In the case of international sites, such as Netflix, Amazon Prime, and Disney+, if you travel abroad, you get the version of the country you go to, not that of the country you are from. As you travel, you will find that some shows disappear from your media library.
NordVPN can unblock the following sites and grant subscribers to the service in one country access to the versions intended for another country:
| Netflix | Tests confirmed for access to the USA and France from the UK |
| Disney+ | Tests confirmed, accessing the USA and France from the UK |
| BBC iPlayer | Tests confirmed, accessing the UK from the USA |
| ITV Hub | Tests confirmed, accessing the UK from the USA |
| Channel 4 | Tests confirmed, accessing the UK from the USA |
| ABC | Tests confirmed, accessing from the UK |
| NBC | Tests confirmed, accessing from the UK |
Other major streaming services that NordVPN gets cross-border access to include ESPN+, Amazon Prime, HBO, and Hulu.
NordVPN offers three plans:
- Standard – All of the VPN services, malware protection, plus an ad and tracker blocker
- Plus – The Standard plan plus a password manager and identity theft protection
- Complete – The Plus plan with 1 TB of encrypted cloud storage space added
There are three payment periods offered for each plan, which are:
- One month plan
- One year plan
- Two-year plan
The prices are lower per month with the longer payment periods, but you have to pay upfront for the whole period. So, you need to pay a big sum for the two-year subscription to all of the plans.
The prices for the Standard package are:
- One month – $11.99
- One year – $99.99 discounted to $59.88 for the first year ($4.99 per month)
- Two years – $198.96 discounted to $95.76 for the first two years ($3.99 per month)
The prices for the Plus package are:
- One month – $12.69
- One year – $126.96 discounted to $68.28 for the first year ($5.69 per month)
- Two years – $253.76 discounted to $112.56 for the first two years ($4.69 per month)
The prices for the Complete package are:
- One month – $13.99
- One year – $198.96 discounted to $83.88 for the first year ($6.99 per month)
- Two years – $397.68 discounted to $143.76 for the first two years ($5.99 per month)
All new subscribers get a 30-day money-back guarantee.
You can pay with a credit card, PayPal, or cryptocurrency (Bitcoin, Ethereum, or Ripple). It is also possible to pay through Google Pay and Amazon Pay.
NordVPN will add the sales tax (VAT) for your location on top of that price.
We tested the performance of NordVPN in the UK on public Wi-Fi hotspots provided by Sky UK’s The Cloud. This service is owned by Comcast, which operates the same technology in the USA as the Xfinity Hub network. Tests were carried out using the Ookla system at speedtest.net.
First, to establish a performance baseline, we tested a connection to a nearby server:
The download speed shown was 9.78 Mbps, and the upload speed was 0.81 Mbps. As can be seen below, turning on the VPN set within the UK didn’t make much difference to performance, with a download speed of 9.82 Mbps and an upload speed of 0.76 Mbps.
A big performance issue arose when testing the unprotected connection to a remote destination – this test went to Sydney, Australia:
As can be seen, a connection to the other side of the globe was slow, providing a download speed of just 2.26 Mbps, but the upload speed of 0.72 Mbps was very similar to the speed of a local connection without the VPN.
Channeling through the NordVPN London server, it can be seen that the VPN dramatically improved the transfer speed on the connection:
The download speed improved to 8.26 Mbps, which was similar to the speed shown without a VPN on a local connection.
International connections also showed an improvement. Connecting to Sydney, New York, USA, gave a download speed of 9.71 Mbps and an upload speed of 0.6 Mbps. Connecting to Sydney while channeling traffic through the ExpressVPN server in Hong Kong gave a download speed of 8.02 Mbps and an upload speed of 0.85 Mbps.
As you can see, the VPN improved speeds on long-distance connections.
How to install
- Select a plan and click through to the payment page. Make sure that you enter a valid email address because this will be used to validate your account.
- Once the payment goes through, you will be presented with a confirmation screen. Click on the Activate account button.
- You need to look at your email inbox and get a verification code from the NordVPN welcome email.
- Set up a password and then go to the apps download page. The website detects your operating system and presents the appropriate download package.
- Press the big download button to get the installer and then click on the downloaded file to run it.
- Click the Next button on the installer screen and wait for the installation to finish. Allow the installer to create a desktop shortcut and a line in the Start menu.
- Click through to the Install button and press it. Click on the Finish button to launch the app.
- The first time that the NordVPN interface opens, you will see a big Login button. Press it. This will open a Web page for you to select your account – you won’t need to enter your password.
- A popup asks for permission to allow the Web page to open the NordVPN app. Allow this action to get the app to start.
- The app presents a zoomable map of the world with markers in countries with NordVPN servers. You can zoom down to city level. Click on a node to get connected.
- The overlay message panel will show the connection progress, and your computer’s notification system will flash a message when the VPN is connected.
- Alternatively, click on Quick Connect. This selects the most convenient server for your location and connects to it.
- The left panel of the app shows a searchable list of server locations. Hover over a country name, and you will see three dots appear.
- Click on this to get a list of cities and servers in that country. The two lists are not dependent. So, if you click on a city and then look at the server list, you still get a full list of servers in that country, not just those for the selected city. If you click on a country name without being over the three dots, NordVPN will select a server in that country and connect to it.
Can NordVPN be trusted?
One of the server providers for NordVPN had a data breach a few years ago, and that event sparked a policy of very tight security checks, which includes a bug bounty that tempts penetration testers to find any security weaknesses in the system. This is now a secure system that can be trusted.
What does NordVPN actually do?
NordVPN is a protection system that prevents snooping on a connection, blocking government agencies and ISPs from tracking an individual’s Web activity. It also provides a fake location record to unblock geo-restricted sites.
Is NordVPN owned by China?
NordVPN is owned by Nord Security, which is a Lithuanian company. The VPN’s official headquarters is in Panama, but most of the business’s staff work in offices in Europe.
Is NordVPN free?
NordVPN charges for subscriptions, and there is no free version. However, if you cancel the service within the first 30 days, you get all of your money back.
Can Netflix detect NordVPN?
Netflix blocks cross-border access, and its terms of service explain that using a VPN to circumvent its access restrictions is not allowed. However, all of the connection tests that Netflix implements fail to detect the presence of NordVPN.
Is NordVPN worth the money?
NordVPN has a good price that is a worthwhile deal when all of the services that the package provides are taken into account. A nice feature of NordVPN’s pricing is that it has three plan levels, so you can cut out the services you don’t need and reduce the price. For example, not many people expect the 1 TB of cloud storage space that comes with the Complete plan. You can also decide whether or not you need the Dark Web scanner and reduce the price even further if you don’t.
To sum it up
The functionality of NordVPN compares very favorably to its major rivals: ExpressVPN, CyberGhost, Surfshark, IPVanish, and Private Internet Access (PIA), for example. You should certainly take a look at these other major systems to see whether they suit your requirements better than NordVPN. However, this VPN can certainly hold its own in any head-to-head comparison.