Skip to main content

NordVPN is about to get a lot faster — thanks to WireGuard

The NordVPN Google Play page displayed on an Android phone.
(Image credit: Sharaf Maksumov/Shutterstock)

The new, fast, light WireGuard VPN protocol is now available for all users of NordVPN, which today (April 22) began rolling out its NordLynx implementation of WireGuard for its Windows, Mac, Android and iOS client-software applications. 

NordVPN's Linux software has had NordLynx as an option since July 2019. NordVPN said the new technology "significantly outperformed" OpenVPN and IKEv2/IPsec, the predominant VPN protocols used by NordVPN and most other VPN service providers, in its own internal tests.

NordVPN customers will first have to update their client software, then wait for the NordLynx option to appear in the Settings menu. Not all users will get NordLynx right away, but NordVPN plans for full deployment by April 24.

OpenVPN will remain the default NordVPN protocol for the time being, so anyone who wants to use WireGuard will have to manually select NordLynx. Users who prefer to set up NordVPN connections manually through their operating systems, without using the client software, will not be able to use WireGuard for now.

However, NordVPN said there's a bit of a problem with WireGuard, which it has resolved with NordLynx.

"It doesn't dynamically assign IP addresses to everyone connected to a server," said NordVPN privacy expert Daniel Markuson, referring to WireGuard. "Thus, it requires storing at least some user data on the server, compromising their privacy."

To DHCP or not to DHCP

To put that in plain English, when your computer connects to most remote servers, VPN or otherwise, the remote server assigns your computer a random Internet Protocol (IP) address and uses that address for the duration of the connection session. 

That process is part of the dynamic host resolution protocol, or DHCP. Your home Wi-Fi router likely uses DHCP to assign IP addresses to each device on the Wi-Fi network.

But the next time you connect to the same server, your computer might be assigned a completely different IP address. If so, anyone who sees it might not be able to tell it was the same computer connecting both times.

That's the way most VPN servers work, but not WireGuard servers. Instead, WireGuard currently demands that each device on the network get a fixed, or "static," IP address. Each device's encryption key is tied to that IP address.

That procedure significantly cuts down on complexity and processing time. But because it means that a returning device will likely have the same IP address next time, it makes it much easier to track a specific device.  

The NordLynx sandwich

The WireGuard static-IP issue also bothered Mullvad, another VPN service that has rolled out WireGuard to its Linux, Mac, Windows and iOS client applications. (The Android version is in beta testing.) 

"Keeping a static IP for each device, even internally, is not ideal," Mullvad said in a blog post. "That static internal IP address could leak externally" in the case of WebRTC leaks or if information-stealing malware is present on the client device.

For now, Mullvad lets users manually regenerate their WireGuard encryption keys, and hence their static IP addresses, by pushing a button in the application settings. (It's working on doing this automatically.) 

NordVPN takes a, well, more dynamic approach. Its solution, NordLynx, creates a sandwich of two network address translation (NAT) implementations to hide many IP internal addresses behind a single public-facing IP address. 

Your home Wi-Fi router does something similar: It uses NAT to present one IP address to the outside world while assigning dozens of internal IP addresses to devices on your home network. 

But because NordLynx uses NAT twice, NordVPN says it can handle WireGuard static IP addresses without having to log them.

"The double NAT system allows establishing a secure VPN connection without storing any identifiable data on a server," NordVPN says. "Dynamic local IP addresses remain assigned only while the session is active."