NordVPN

NordVPN is a Lithuanian VPN service provided by Nordsec Ltd with applications for Microsoft Windows, macOS, Linux, Android, iOS, Android TV, and tvOS. Manual setup is available for wireless routers, NAS devices, and other platforms.

NordVPN is developed by Nord Security (Nordsec Ltd), a company that creates cybersecurity software and was initially supported by the Lithuanian startup accelerator and business incubator Tesonet. NordVPN operates under the jurisdiction of Panama, as the country has no mandatory data retention laws and does not participate in the Five Eyes or Fourteen Eyes intelligence sharing alliances. Its offices are located in Lithuania, the United Kingdom, Panama, and the Netherlands.

History
NordVPN was established in 2012 by a group of childhood friends, which included Tomas Okmanas. It presented an Android app in late May 2016, followed by an iOS app in June the same year. In October 2017, it launched a browser extension for Google Chrome. The service launched applications for Android TV in 2018 and tvOS in 2023. As of September 2023, NordVPN was operating 5,600 servers in 59 countries.

In March 2019, it was reported that NordVPN received a directive from Russian authorities to join a state-sponsored registry of banned websites, which would prevent Russian NordVPN users from circumventing state censorship. NordVPN was reportedly given one month to comply, or face blocking by Russian authorities. The provider declined to comply with the request and shut down its Russian servers on April 1. As a result, NordVPN still operates in Russia, but its Russian users have no access to local servers.

In September 2019, NordVPN announced NordVPN Teams, a VPN solution aimed at small and medium businesses, remote teams, and freelancers who need secure access to work resources. Two years later, NordVPN Teams rebranded as NordLayer and moved towards SASE business solutions. Press sources cited the market rise in SASE technology as one of the key factors in the rebrand.

On October 29, 2019, NordVPN announced additional audits and a public bug bounty program. The bug bounty was launched in December 2019, offering researchers monetary rewards for reporting critical flaws in the service.

In December 2019, NordVPN became one of the five founding members of the newly formed 'VPN Trust Initiative', promising to promote online security as well as more self-regulation and transparency in the industry. In 2020, the initiative announced 5 key areas of focus: security, privacy, advertising practices, disclosure and transparency, and social responsibility.

In August 2020, Troy Hunt, an Australian web security expert and founder of Have I Been Pwned?, announced a partnership with NordVPN as a strategic advisor. On his blog, Hunt described this role as "work with NordVPN on their tools and messaging with a view to helping them make a great product even better."

In 2022, NordVPN closed its physical servers in India in response to CERT-In's order for VPN companies to store consumers’ personal data for a period of five years.

In April 2022, NordVPN's parent company Nord Security raised $100 million in a round of funding led by Novator. The company's valuation reached $1.6 billion.

In 2022, Surfshark and Nord Security merged under one holding company.

Technology
NordVPN routes all users' internet traffic through a remote server run by the service, thereby hiding their IP address and encrypting all incoming and outgoing data. For encryption, NordVPN has been using the OpenVPN and Internet Key Exchange v2/IPsec technologies in its applications and also introduced its proprietary NordLynx technology in 2019. NordLynx is a VPN tool based on the WireGuard protocol, which aims for better performance than the IPsec and OpenVPN tunneling protocols. According to tests performed by Wired UK, NordLynx produces "speed boosts of hundreds of MB/s under some conditions."

In April 2020, NordVPN announced the gradual roll-out of the WireGuard-based NordLynx protocol on all its platforms. The wider implementation was preceded by a total of 256,886 tests, which included 47 virtual machines on nine different providers, in 19 cities, and eight countries. The tests showed higher average download and upload speeds than both OpenVPN and IKEv2.

NordVPN once used L2TP/IPsec and Point-to-Point Tunneling Protocol (PPTP) connections for routers, but these were later removed, as they were largely outdated and insecure.

NordVPN has desktop applications for Windows, macOS, and Linux, as well as mobile apps for Android and iOS and an Android TV app. Subscribers also get access to encrypted proxy extensions for Chrome and Firefox browsers. Subscribers can connect up to six devices simultaneously. NordVPN has released its Linux client under the terms of the GPLv3 only.

In November 2018, NordVPN claimed that its no-log policy was verified through an audit by PricewaterhouseCoopers AG.

In 2020, NordVPN underwent a second security audit by PricewaterhouseCoopers AG. The testing focused on NordVPN's Standard VPN, Double VPN, Obfuscated (XOR) VPN, P2P servers, and the product's central infrastructure. The audit again confirmed that the company's privacy policy was upheld and that its no-logging policy held true.

In 2021, NordVPN completed an application security audit carried out by the security research group VerSprite. VerSprite performed penetration testing and, according to the company, found no critical vulnerabilities. One flaw and a few bugs that were found in the audit have since been patched.

In October 2020, NordVPN started rolling out its first colocated servers in Finland to secure the hardware perimeter. The RAM-based servers are fully owned and operated by NordVPN in an attempt to keep full control.

In December 2020, NordVPN initiated a network-wide rollout of 10 Gbit/s servers, upgrading from the earlier 1 Gbit/s standard. The company's servers in Amsterdam and Tokyo were the first to support 10 Gbit/s, and by December 21, 2020, over 20% of the company's network had been upgraded.

In January 2022, NordVPN released an open-source VPN speed testing tool, available for download from GitHub.

Additional features
Besides general-use VPN servers, the provider offers servers for specific purposes, including P2P sharing, double encryption, and connection to the Tor anonymity network. NordVPN offers three subscription plans: monthly, yearly and bi-yearly.

In November 2020, NordVPN launched a feature that scans the dark web to determine if a user's personal credentials have been exposed. When the Dark Web Monitor feature finds any leaked credentials, it sends a real-time alert, prompting the user to change the affected passwords.

In February 2022, NordVPN introduced an antivirus functionality available as part of the regular VPN license. The opt-in Threat Protection feature blocks web trackers, warns users about malicious websites, and blocks downloaded files that contain malware. As of March 2022, the feature is available on the Windows and macOS apps and works without connecting to a VPN server.

In June 2022, NordVPN launched the Meshnet feature that allows users to create their own private network by linking up to 60 devices. Some of the promoted use cases include file sharing between different devices, multiplayer gaming, and virtual routing.

Reception
Several publications, including Tom's Guide, PC Magazine, CNET, and TechRadar, have reviewed NordVPN. Most noted that NordVPN's features, such as the choice of server location, and its speed are good. They also noted the service's high price compared to others in the category.

Criticism
On October 21, 2019, a security researcher disclosed on Twitter a server breach of NordVPN involving a leaked private key. The cyberattack granted the attackers root access, which was used to generate an HTTPS certificate that enabled the attackers to perform man-in-the-middle attacks to intercept the communications of NordVPN users. In response, NordVPN confirmed that one of its servers based in Finland was breached in March 2018, but there was no evidence of an actual man-in-the-middle attack ever taking place. The exploit was the result of a vulnerability in a contracted data center's remote administration system that affected the Finland server between January 31 and March 20, 2018. Evidence suggests that when the data center became aware of the intrusion, all accounts that had caused the vulnerabilities were deleted and NordVPN was not notified about the mistake.

According to NordVPN, the data center disclosed the breach to NordVPN on April 13, 2019, and NordVPN ended its relationship with the data center. In addition, experts state that there are no indications of any user’s private information such as user credentials, billing details or any other profile-related information being compromised during that event. Security researchers and media outlets criticized NordVPN for failing to promptly disclose the breach after the company became aware of it. NordVPN stated that the company initially planned to disclose the breach after it completed the audit of its 5,000 servers for any similar risks and later put regular updates on its blog.

On November 1, 2019, in a separate incident, it was reported that approximately 2,000 usernames and passwords of NordVPN accounts were exposed through credential stuffing.

In 2019, the United Kingdom's Advertising Standards Authority (ASA) advised NordVPN not to repeat claims that public WiFi is so insecure it is equivalent to handing out your personal information to the people around you. The ASA ruled that HTTPS already provides "a significant layer of security" and that the impression the ad gave that users were at a significant risk from data theft was erroneous. In 2023, the ASA again ruled against NordVPN, this time over an advertisement which claimed NordVPN could "switch off... malware", holding that, in context, listeners were "likely to understand" it to mean the product would stop all malware, which NordVPN did not substantiate in response to the ASA.