TorGuard Review (2023)
TorGuard is one of the longest-running VPN services and has 10 years of solid service under its belt. However, this VPN provider doesn’t get as much attention as the market leaders, such as ExpressVPN, NordVPN, and Surfshark. We investigate why that is.
What we like
- User-friendly TorGuard app
- Plans that include a dedicated IP
- Gift card payment options
- Stealth VPN servers for China and other restrictive countries
- No-logs policy
- Business VPN options
- Good for BitTorrent and other P2P protocols
What we don't like
- In tests, TorGuard halved transmission speeds
- The money-back guarantee only 7 days
- Not very good at getting cross-border access to streaming services
|Price:||$3.89 – $14.99 per month|
|Refund period:||7 days|
|Based in which country:||Panama|
|# devices per license:||8, 12, or 30|
|Server locations:||68 locations in 50 countries, including the USA, UK, Germany, Canada, Australia, and Hong Kong|
|Streaming sites unblocked:||Netflix, NBC, and Channel 4|
|Does VPN keep logs:||No|
|24/7 customer support:||Yes|
TorGuard VPN started operations in 2012, so it now has 10 years of steady service under its belt. While previously based in the small Caribbean country of St Kitts and Nevis, the service is now headquartered in Orlando, Florida, USA. The business that owns the VPN provider is called VPNetworks LLC.
TorGuard can be regarded as one of the top VPN providers. However, it doesn’t grab as much attention as its major rivals, such as IPVanish, which is also based in Orlando, Florida. The company has a diversified portfolio of services and isn’t solely a consumer VPN provider. TorGuard has extended its stable of products to email protection systems, a business VPN service, and the provision of VPN routers.
How VPNs work
Before we get into examining TorGuard’s VPN service, we will just give you a quick run-through of what a VPN is and how it works, so you can understand our assessment of the TorGuard service.
VPN stands for “virtual private network.” The system was invented for use by businesses with remote workers. The theory is that those distant PCs should be able to connect to the business’s network with the same level of privacy enjoyed by workstations that are physically located within the building.
Privacy is a little different from security. Data travels across networks and the internet in segments, and these chunks of data are put inside the payload of a structure that is called a packet. As the network is connected to the internet, a packet can travel through a router/gateway and then is passed along to its remote destination by a series of routers. Addresses on the internet are called IP addresses, and the header on a packet contains its source and destination address.
Security for the data payload is provided by encryption. However, the addresses are transmitted in plain text, and so anyone intercepting them, such as an internet service provider (ISP), can read them. Privacy blocks that intrusion by encrypting the entire packet, including the header.
VPNs create a private network over the public medium of the internet by encrypting entire packets in a session that is called a “tunnel.” A VPN client on the computer contacts a VPN server. The pair negotiate an encryption cipher that is applied to all packets in the session. When the session ends, the cipher’s details are discarded.
Routers can’t read the destination of a packet if the header is encrypted, so the VPN client puts each packet inside a carrier packet, which is unencrypted, and addresses that to the VPN server.
The user didn’t want to contact the VPN server. The user wanted to open a page in Yahoo, visit Netflix, or read the news. It doesn’t matter what the ultimate destination of the packet is, the VPN client tunnels all traffic over the VPN connection to the VPN server.
The VPN server unpacks the packet, decrypts it, and sends it on to its final destination. The contacted Web server will send back a response. The VPN server receives it, encrypts it, encapsulates it, and sends it through to the VPN client. The VPN client unpacks all VPN traffic and forwards it to the application that sent the original request.
The tunnel keeps all of the customer’s internet access activities private up to the server. The VPN server adds on another privacy service before it communicates with the final destination server of the packet. It replaces the customer’s IP address in the source address field of the packet with one of its own. This is an important service because it unblocks streaming services and other Web systems that operate location detection – more of which later.
Privacy and security
TorGuard has taken the approach of offering a broad choice of options for privacy and security. While rivals have slimmed down their list of provided VPN protocols to just two or three, TorGuard manages six protocol options. This is a big commitment and shows that the VPN service is prepared to go the extra mile to ensure customers have a wide choice of services.
The biggest privacy and security weaknesses of TorGuard stem from the service’s location in the USA. The USA is the largest market in the world for VPNs, and so you would imagine that being close to its consumer base is a good thing. However, in the VPN market, that isn’t a good idea.
There are many strategies that a VPN provider can adopt in order to confound detection and legal compromise. While technical feats are important, administrative statuses also influence the durability or vulnerability of service, and is located in the USA makes TorGuard very vulnerable.
You might think of the Chinese and Russian authorities hauling people off to jail without a trial, but you probably don’t realize that the US legal system uses those tactics, too. If a security or law enforcement agency gives a VPN provider a court order, that business has to comply, or its employees and directors go to jail. Even copyright lawyers have access to those powers.
The actions that VPNs and their employees can be forced into extending beyond disclosure by handing over records. The service can be coopted to place a trace on the activities of a specific client, and those participating in such activities are bound by the courts to keep that tracing a secret from the person under investigation.
Although you are probably not planning a terrorist act, these methods are available to copyright lawyers who want to prosecute individuals for torrenting. So, even though TorGuard allows file sharing on its network, you should perhaps think twice before doing it.
The issue of traceability is very important when selecting a VPN. This is why most VPN providers make a big point about operating a no logs policy and draw attention to it extensively on their websites.
The way VPNs work requires the VPN server to keep a cross-reference between a user’s real IP address and a temporary IP address that they have been allocated. If this mapping is retained, anyone who gets a court order can trace the activities of an individual through the activity logs of internet service providers (ISPs) to the VPN and then out to the actual websites visited.
Many countries require ISP to keep these activity records for a period that ranges from six months to two years, according to the country. Activity tracking for prosecution is usually chained backward. Law enforcement or copyright lawyers find a website that they don’t like, and they decide to prosecute everyone that accessed it.
The hosting service of the site gets served a subpoena for their access logs, and this produces a list of IP addresses with time and dates of access. Tracing these addresses sometimes reaches a VPN. At that point, the trail should go cold. However, if the VPN keeps logs, the lawyers grab them and continue the trace through the VPN address allocation tables to the ISP. They then have to track through IP logs to identify which customer was allocated that IP address at that moment – then they’ve got you.
TorGuard does not keep logs, so you are safe from being jailed under this scenario.
Gift card payments
A big hole in the anonymity armor that VPNs offers is that a customer’s association with a VPN can be traced through the payment method used – a credit card or PayPal. In the past, many VPNs offered anonymous payment options. However, probably due to money laundering legislation, most of these have disappeared. TorGuard still offers two avenues to disassociate payment for VPN service. This is provided through gift cards.
The first option is to pay with a store gift card. This is only available in the USA, but it accepts coupons from a long list of stores, which you can see here. During the checkout process, you cash in your store gift cards with a company called Paygarden. This generates an amount of cash that is credited to your TorGuard account.
The second option is to buy a TorGuard Gift Card for someone else (or for yourself) and use that at checkout. The TorGuard purchase will appear on your credit card statement. However, you could argue in court that you bought it for someone else.
The Gift Card system allows you to disassociate the payment method from your TorGuard service. The only identifying information that you have to give when signing up for a TorGuard account is your email address, but you can set up an anonymous webmail account for this purpose, thus, keeping your TorGuard membership separate from your usual email address.
The most anonymous of these options is the store gift card system because you can completely sever any paper trail by walking into one of the stores on the list and paying cash for a gift card.
TorGuard VPN protocols
Networks and the internet have to follow a set of rules and guidelines. This enables software produced by different companies to talk to each other, and it enables the producer of one piece of equipment to receive a plug made by another manufacturer.
VPNs are constructed along sets of rules, and these are called “protocols.” There are many VPN protocols available, and TorGuard implements more of them than most of its rival VPN providers. These are:
- OpenVPN – Widely used for VPNs, this is an open-source system that includes an implementation of Transport Layer Security. TorGuard offers OpenVPN in all its apps.
- WireGuard –A new VPN system that is rapidly taking over the dominance of OpenVPN because it performs the same tasks but quicker. Available for Windows, macOS, Linux, iOS, and Android.
- IKEv2/IPSec – A lighter VPN system that was created by Cisco systems. It is popular for use with mobile devices because it uses less battery power than OpenVPN. This service is available for iOS devices.
- L2TP – An aging VPN protocol that isn’t really used much anymore. This protocol isn’t offered inside the app but just for manual setup on Windows, Android, macOS, iOS, Chromebook, and routers.
- Stunnel – This system uses TLS for the entire connection – others use TLS for session establishment and then switch to a different system. This option is only available as a double VPN service on OpenVPN connections. Check the Enable SSL box in the VPN protocol settings of the app to get it.
- AnyConnect – A Cisco-created VPN system that is very similar to Stunnel, but it switches to a proprietary version of TLS, called DTLS, and so will only work if both ends of the tunnel are operated by AnyConnect. This VPN is offered as a setting on the server rather than in the VPN app. There is a separate free AnyConnect app available in Google Play and the Apple App Store for use on mobile devices.
- OpenConnect – An improvement of AnyConnect that can communicate with the VPN servers provided by other network equipment manufacturers. This option is built into the desktop apps for Windows, macOS, and Linux. You have to use the OpenConnect option if you are connecting to a server that is marked as operating AnyConnect.
You saw TLS mentioned often in those VPN protocol descriptions. This is the security system that makes HTTPS websites secure. It was originally known as SSL, which stands for the Secure Socket Layers. SSL was discovered to have a security flaw, and so it was replaced by Transport Layer Security (TLS). Even though SSL is no longer in use, the name is still referred to, so networking experts will talk about SSL when they really mean TLS.
TorGuard also offers a SOCKS5 Proxy. This is a little complicated to use because it has to be set up manually. You would use this system as a setting in your torrent client. The proxy provides anonymity by changing your IP address, but it doesn’t use encryption, so it doesn’t qualify as an anonymous VPN system.
Transport Layer Security is used for session establishment. It provides server authentication and also protects the exchange of VPN encryption keys by using a public key encryption system. With this format of cipher, the encryption key and decryption key are complementary but different. You cannot decrypt a message with the encryption cipher, and you cannot guess the decryption key if you know the encryption key. Therefore, the encryption key of the pair can be made public. TLS uses this as part of its authentication process to guard against a man-in-the-middle attack.
In a man-in-the-middle attack, a hacker intercepts a transmission and pretends to be the client when communicating with the server and also pretends to be the server when communicating with the client. By this method, the hacker can present his own public key to the client and then decrypt all messages.
Under TLS, the client gets the encryption key off an SSL certificate, which is held by a third-party system. The client encrypts a challenge message with this key and sends it to the server. An interceptor does not have the corresponding decryption key and so cannot continue the masquerade. If the client receives back the right answer, it knows that it is communicating with the server. TorGuard uses Diffie Hellman key exchange, which means that the client also has a public key for the server to encrypt responses with.
TorGuard isn’t explicit about its public key cipher. However, looking into the details of its DNS-over-TLS service, it seems that the company has a 4096-bit RSA key on its SSL certificate. This is good because it is the strongest key length available. The longer the key, the more attempts it takes a hacker to crack it by substitution. A 4096-bit RSA key would take more than a lifetime to crack.
All VPN protocols use a symmetric cipher for encapsulation. This is the Advanced Encryption Standard, which uses the same key to encrypt and decrypt. The result of that symmetry is that one side has to send the key to the other. This is the session establishment routine that is protected by RSA-4098 encryption.
WireGuard uses ChaCha20 with AES-128 at its heart. This is the AES cipher with a 128-bit key. The OpenConnect implementation also uses AES-128. This is secure, but a longer key is better. The OpenVPN implementation in the TorGuard apps offers the user a choice between AES-128 and AES-256 – that higher version has a 256-bit key and is incredibly secure.
DNS is the Domain Name System, which is a cross-reference between Web addresses and internet addresses. When you enter a URL in the address bar of your browser, the browser first has to go and get the IP address of the Web server that holds that site before it can send a request for the page. This lookup is performed at a DNS server. Your ISP usually controls your DNS server, and it uses DNS requests to log your activities. It can also block access to sites by storing a fake IP address for a given URL. This makes it impossible for your browser to get the page.
TorGuard provides its own DNS and blocks reference to any external DNS system. Thus, the controlling and logging uses that ISPs have for DNS queries are blocked.
IP leak protection
An IP leak occurs when, for some reason, a packet with the real destination address in its header passes through the ISP unencrypted. While the VPN is turned on, this cannot happen. However, IP leaks occur if the VPN connection drops and the user doesn’t realize that the internet connection is no longer protected.
TorGuard prevents this from happening by providing a kill switch in its apps. This blocks all internet access if the VPN is not active. The user soon realizes that something is wrong because the internet stopped working. On turning the VPN on, the user gets the internet back.
TorGuard has a unique system that other VPNs don’t offer, which is a kill switch modification setting. This is called App Kill, and it terminates specific applications if the VPN connection drops.
TorGuard offers three plan levels. Each allows a different number of devices to be connected to the service at the same time – a simultaneous connection allowance. That allowance is:
- Anonymous VPN – 8
- Anonymous VPN Pro – 12
- Anonymous VPN Premium – 30
Those are all very high allowances. Some VPN services have an unlimited allowance for simultaneous connections, while others only allow four or six. You probably won’t ever need a very high allowance because one of the conditions of use for TorGuard and most of its rivals is that a VPN account cannot be shared with others. An exception to this is that a family can share an account.
The VPN allowance gets even more generous if you install the VPN on your home router. An active router VPN connection uses up just one of your simultaneous connection allowance while protecting every internet-connected device in your home. With this, you only need those other connection allowances for mobile devices.
The translation between user IP addresses and allocated IP addresses within the VPN service is called network address translation (NAT) – the system actually uses a port address translation mechanism. A NAT service is often referred to as a firewall (NAT firewall) because it makes it impossible for outsiders to send a connection request to a device behind the server.
The NAT system is great for security, but it sucks for those who want to run their own games server to get superfast downloads with torrents. In both of these instances, you want to allow outsiders to connect to your computer, and that isn’t possible with NAT.
TorGuard provides a service that is called port forwarding. This allows through incoming requests on certain ports and sends that traffic to a specific port on your computer. This is a little complicated to set up because it isn’t a setting in the VPN app. You specify it in your account settings on the TorGuard website.
A quick note on ports
In this instance, a port is not a physical hole in a computer to stick a cable plug into. Instead, it is a logical concept that forms an address for an application/protocol. Protocols are assigned a number, and within the computer, an application sets a looping program running that constantly checks incoming packets for a specific port number in the packet header that indicates that the packet is meant for it.
Think of an IP address as the address of an apartment building and the port number as the apartment number within that building. When mail comes into the building, the front desk posts each letter into the mailbox for the apartment named in the address. Residents passing through the lobby check their mailboxes regularly. This action is the same as the application checker (known as a daemon) looking for a port number.
TorGuard runs more than 3,000 servers in 50 countries. If you are in the USA, it is important to choose a VPN server location down to the city for watching sports. This is because many sports streaming services block viewers if a game is on in their hometown or if they are from the city of one of the teams that are playing. Choosing a US server in another city gets around this restriction.
TorGuard has servers in 11 US cities:
- Las Vegas
- Los Angeles
- New Jersey
- New York
- Salt Lake City
- San Francisco
Some websites check where a request for a page or service has come from before delivering the requested content. This is possible because all of the IP addresses in the world are controlled by a central authority that distributes addresses for sale in blocks, allocated to local organizations in each country.
This trick is used by news sites to switch the articles that they display, and this is how e-Commerce sites can know the local currency and sales taxes for the people buying their products on the Web. The biggest sector of the internet that uses this location access control is entertainment. Streaming services won’t let you in if you are in the wrong country.
Not only do streaming services reference the origin of a request, but they also detect VPN activity and block it. So, you need a really good VPN to dodge these restrictions. Here are the results of our tests of the TorGuard service.
|Netflix||Works for access to the USA, France, and the UK|
|Disney+||Failed to get into the site for the USA, France, and the UK|
These results are surprising because usually, Netflix is considered to be the hardest streaming service to get cross-border access to it. TorGuard got into Netflix, but Disney+ and the BBC iPlayer spotted the VPN and wouldn’t even load the screen.
TorGuard offers three plans:
- Anonymous VPN – Allows eight simultaneous connections
- Anonymous VPN Pro – Allows 12 simultaneous connections, includes a dedicated IP address
- Anonymous VPN Premium – Allows 30 simultaneous connections, includes a dedicated IP address, and a free Gli Shadow router (on the annual plan)
There are five payment periods offered for each plan, which are:
- Monthly (one month)
- Quarterly (three months)
- Semi-Annually (six months)
- Annually (one year)
- Biennially (two years)
- Triennially (three years)
The prices per month decrease with longer subscription periods, but you have to pay for the whole period in advance. Subscriptions are charged in US dollars no matter which country you are in.
The prices for the Anonymous VPN package are:
- Monthly – $9.99
- Quarterly – $19.99 ($6.66 per month)
- Semi-Annually – $29.99 ($5.00 per month)
- Annually (one year) – $59.99 ($5.00 per month)
- Biennially (two years) – $99.99 ($4.17 per month)
- Triennially (three years) – $139.99 ($3.89 per month)
The prices for the Anonymous VPN Pro package are:
- Monthly – $12.99
- Quarterly – $34.99 ($11.66 per month)
- Semi-Annually – $69.99 ($11.67 per month)
- Annually (one year) – $119.99 ($10.00 per month)
- Biennially (two years) – $179.98 ($7.50 per month)
- Triennially (three years) – $249.99 ($6.94 per month)
The prices for the Anonymous VPN Premium package are:
- Monthly – $14.99
- Quarterly – $40.99 ($13.66 per month)
- Semi-Annually – $70.99 ($11.83 per month)
- Annually (one year) – $129.99 ($10.83 per month)
- Biennially (two years) – $180.00 ($7.50 per month)
Only the one-year plan of Anonymous VPN Premium includes a free router. All new subscribers get a 7-day money-back guarantee. However, you don’t get a refund on the element of the subscription that paid for the dedicated IP address – TorGuard doesn’t explain the proportion of the price that represents.
It is possible to buy another dedicated IP address for streaming at $7.99 per month extra. This IP address cannot be used for torrenting. A residential streaming IP address costs $13.99 per month extra. Another option is to get your own VPN server, which is available in the USA, the UK, the Netherlands, and Canada. This costs $14.99 per month extra.
You can pay with a credit card (Mastercard, Visa, American Express, Discover), with PayPal, or with cryptocurrency (Bitcoin or Litecoin). It is also possible to pay through Paywall and Amazon Pay. You already know about the gift card payment option.
Unlike many VPN services, TorGuard does not add sales tax (VAT) to your bill.
We tested the performance of TorGuard in the UK on a Wi-Fi system provided by 3. This service is owned by CK Hutchison Holdings. Tests were carried out using the Ookla system at speedtest.net with the VPN protocol set to OpenVPN over TCP with AES-256 encryption.
Here are the results of a baseline test on a nearby server without the VPN:
The download speed shown was 10.40 Mbps, and the upload speed was 7.17 Mbps. Connecting the TorGuard VPN with a nearby server halved the connection speed to 4.19 Mbps for downloads but increased the upload speed slightly to 7.53 Mbps.
The performance of the unprotected connection to a remote destination slowed slightly – this test went to Sydney, Australia:
A connection to the other side of the globe involves a long roundtrip, and this time includes all of the processing performed by the many routers that the packet passed through. So, a download speed drop to 9.51 Mbps is not too bad the upload speed dropped to 6.62 Mbps.
With the nearby TorGuard VPN server engaged, speeds dropped to less than half again.
The download speed fell to 3.08 Mbps, while the upload speed actually improved to 7.22 Mbps.
International connections also showed a speed drop. Connecting to Sydney through the TorGuard server in New York, USA, gave a download speed of 3.82 Mbps and an upload speed of 2.86 Mbps. Connecting to Sydney while channeling traffic through the TorGuard server in Hong Kong gave a download speed of 3.12 Mbps and an upload speed of 1.35 Mbps.
How to install
- Choose a TorGuard Anonymous VPN plan, a payment period, and any add-ons.
- Enter your name and email address in the order form. The email address has to be one to which you have access because your login credentials will be sent to this address.
- Select your payment method and click to accept the Terms and Conditions of the account.
- Click on Checkout and complete the purchase process.
On completion of the purchase, you will be taken to an order confirmation page, and you will be automatically logged into the account space on the TorGuard website.
- The order confirmation page includes links to app downloads. For the Android app, this takes you over to the Google Play Store, and the iOS app link goes through to the Apple App Store. For the desktop systems, click on the relevant icon to get the download and click on the installer to activate it once it reaches your device.
- Click through the installer to get the app set up on your device.
- You need to enter your email address for your username and then the password you set up at checkout to open the app.
- Click on the location strap at the bottom of the app to get a list of available servers.
- Take a quick look at the settings of the app before starting up the VPN. This is where you set up features such as the kill switch. Click on the cog symbol at the top right of the app to get to the Settings system.
- Click on the hamburger menu symbol at the top left of the app to see VPN protocol settings.
The protocols available are dictated by the operating system that you run the app on. For example, the Windows app only offers WireGuard, OpenConnect, and Open VPN.
Can TorGuard be trusted?
TorGuard provides strong transmission protection and a no logs policy. However, the service’s headquarters in the USA could make it vulnerable to legal action from copyright lawyers.
What does TorGuard actually do?
TorGuard hides a user’s internet activity so that it cannot be traced or logged. The VPN server replaces the user’s internet address that goes out to the Web servers that it contacts, so they can’t work out where content requests have come from.
Is TorGuard free?
TorGuard is not free to use, and it doesn’t offer a free trial. However, every subscriber gets a full refund if canceling within the first seven days of service.
Is TorGuard owned by China?
TorGuard is owned by a US company. The VPN is very good at dodging internet controls in China.
Can Netflix detect TorGuard?
Netflix tries very hard to prevent cross-border access and also scans incoming requests for signs of VPN activity. The system is not able to identify TorGuard traffic, and so TorGuard’s users dodge the location blocks of Netflix.
To sum it up
TorGuard’s prices are reasonable, and the VPN provider has put a lot of work into the product. However, rivals such as IPVanish, ExpressVPN, and Surfshark are faster and better at dodging location-based access restrictions on streaming services.
If the primary reason that you want a VPN does not involve accessing premium streaming services. You would get a good deal and good service from TorGuard.