
Changing from PureVPN to NordVPN

Posted on: 2018-03-25

In a previous article I talked about the importance of having a VPN. When I decided to choose a VPN service I looked around and did some research. I ended up on PureVPN. It seemed to work fairly well when I initially set it up.

Unfortunately it seems it wasn't a great choice. They claimed that they kept no logs. Well, that appears to have been untrue:

https://betanews.com/2017/10/09/purevpn-logs-fbi/#comments

I contacted PureVPN about it. They never responded and just closed my inquiry. Later I received a mail out that I've attached at the bottom of this post, where they claim that there are 'browsing logs' and 'network maintenance logs', and they claim they never said anything about network maintenance logs. I mean really? Your claim is no logs. No logs means no logs. Claim you have 'no browsing logs' and you may have had a point.

Months later when I checked the site again they still claimed 'no logs'.

To be clear I think it was probably good that the FBI used the supposedly non-existent logs to capture a stalker. But you can't claim you don't keep logs.

The other reason for leaving PureVPN is that for me their service is flaky. I was connecting through PPTP (which seems like it wasn't the greatest idea), using a Linux laptop and an AdvancedTomato based router to connect. The first thing that makes me kind of wonder about their service is very few of their servers work for me. Some do. Some don't. The ones that do allow me to connect do so unreliably. Sometimes they will connect. Sometimes they won't. When I get a connection from the Linux machine sometimes it will stay up but sometimes even after only a few minutes the connection just stops working.

The fact that only some servers worked, and the server closest to my location hardly ever worked meant I ended up using a fairly remote server. This led to performance that was far from stellar. At first this was a somewhat low grade annoyance, but of late it started to be a bit of a grind.

Okay - time to look at what my options are. I've been looking at two: AirVPN (https://airvpn.org/) and NordVPN (https://nordvpn.com).

In the end I went with NordVPN - not for any amazing reasons, more that I found more reviews about them and they generally rated well. You could argue that AirVPN is the better choice if privacy and security are your main concerns.

I signed up for the two year plan on NordVPN with the idea of trying it out and if it didn't work within 30 days I'd use the money back guarantee. It turns out setting it up was far from trivial. Previously I have used PPTP in part because it seemed simpler, but NordVPN claims that it's not advisable to use that protocol, because it's old and somewhat insecure. Their recommendation is to use OpenVPN. To do so seemed significantly more complicated and in fact it was.

My first attempt was to try to get it to work from my Linux laptop. The idea being that it is an easier way to test out the service. The first surprise was that only some NordVPN servers are segregated by protocols. Also NordVPN somewhat helpfully gives you a recommended server to connect to - but doesn't seem to have an easy mechanism where you can decide for yourself. That's a problem if its recommendation doesn't work or is wrong - in my case it was wrong because I was behind a VPN - PureVPN!

Eventually I got OpenVPN to work via Linux by following the instructions here. I actually set up the connection via the network manager GUI.

https://nordvpn.com/tutorials/linux/openvpn/

It seemed to connect more reliably. It was also much nippier - latency dropped from 60ms to 20ms, and I was getting slightly higher download speed (from speedtest.net), as well as the high speed happening almost immediately. On PureVPN it took until past half way through the test before it fully got up to speed. At this point I was feeling pretty good about it - and decided to try it out on my AdvancedTomato based VPN router.

Here's NordVPN's guide on how to do it:

https://nordvpn.com/tutorials/tomato/openvpn/

It's significantly more complex than doing PPTP. I tried it first with UDP. Note that on AdvancedTomato there is no start or stop button - look for the tiny square or triangle in the top right corner of the OpenVPN window to start and stop. Unfortunately if I looked at status - I could see no packets were making it through. So I tried with TCP. Again it seemed to have connection problems.

The problem appeared to be around 'TLS Error: TLS handshake failed'. Okay on searching around I find

https://serverfault.com/questions/709860/fix-tls-error-tls-handshake-failed-on-openvpn-client

This seemed plausible. In my configuration I have two routers. A router that connects to the internet, and then another router behind that which is the VPN router. I have it configured this way so that devices that need to be outside the VPN can easily do so - just use the main router not the VPN router. But it seems for OpenVPN running on Tomato I need to configure the main router to port forward to the VPN router. So I did this with TCP (port 443) and UDP (1194). Note that on the main router I have given the VPN router a fixed IP address, so I can port forward easily to it.

Now I'm getting somewhere. With a UDP connection I can now see on the status page for OpenVPN that it's sending some packets. But I still can't make a connection. So after another hour of trying to figure out the problem I decided to go to NordVPN support chat. The person seemed knowledgeable, and asked for screen grabs of my Tomato configuration. He quickly went to asking if I would, in the 'Advanced Tab' of the OpenVPN configuration, in the 'Custom Configuration', remove the # before auth sha512.

#Delete `#` in the line below when connecting to our newest servers:
auth sha512

And then, after clicking the triangle to start the VPN connection, to my surprise things started to work!
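Why that one line matters, as an added example (not code from this post or from NordVPN): OpenVPN falls back to SHA1 as its HMAC digest when no active `auth` directive is present, so while the `#` is still in place the client is not using the sha512 setting the line names. The sketch below reads a client configuration and reports the digest actually in effect; it assumes the server side expects SHA512, and the sample configuration, host name and function names are constructed for illustration.

```python
import re
OPENVPN_DEFAULT_AUTH = "SHA1"  # digest OpenVPN uses when no auth directive is active

def effective_auth(config_text):
    """Return (digest in use, digests named only in commented-out auth lines)."""
    active, disabled, in_block = None, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if in_block:  # inside an inline <ca>/<tls-auth> block: key material, not directives
            if line == "</%s>" % in_block:
                in_block = None
            continue
        m = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        m = re.fullmatch(r"[#;]\s*auth\s+(\S+)", line, re.IGNORECASE)
        if m:  # a disabled auth directive such as '#auth sha512'
            disabled.append(m.group(1).upper())
            continue
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        if parts[0] == "auth" and len(parts) >= 2:
            active = parts[1].upper()
    return (active or OPENVPN_DEFAULT_AUTH), disabled

def check(config_text, server_digest):
    """Compare the client's effective digest with the one the server expects."""
    want = server_digest.upper()
    digest, disabled = effective_auth(config_text)
    if digest == want:
        return "ok: client and server both use %s" % digest
    hint = " (an 'auth' line naming it is commented out)" if want in disabled else ""
    return "mismatch: client uses %s, server expects %s%s" % (digest, want, hint)

# Constructed sample: a custom configuration before and after removing the '#'.
BEFORE = """remote vpn.example.com 1194
#Delete `#` in the line below when connecting to our newest servers:
#auth sha512
<tls-auth>
constructed-placeholder-not-a-real-key
</tls-auth>
"""
AFTER = BEFORE.replace("#auth sha512", "auth sha512")

if __name__ == "__main__":
    print(check(BEFORE, "SHA512"))
    print(check(AFTER, "SHA512"))
```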

Once things were working I followed the original guide, and set up DNS lookup from 'Automatic' (in the Basic Settings/Wan Settings) to point to their DNS servers. Then I set up and tested the 'kill switch' which is Administration -> Scripts and under Firewall. The kill switch stops the router from working if there isn't a VPN connection. I tested this by turning off the VPN - and indeed internet access was lost.

So far NordVPN is looking pretty good. It feels much faster. It will take a few weeks to see how it performs in terms of dropping connections and other issues. So far I'm optimistic.

I now believe I have significantly better privacy using NordVPN over PureVPN because

And having significantly better performance is good too.

I would also note, that once again VPN configuration is surprisingly complicated and unfortunately the NordVPN guide, whilst good - still missed a vital aspect.

Update 1:

So first major problem with NordVPN - well other than the configuration problem. I try to do something almost everybody does at some point - go to amazon.com. The browser sits there, wheels spinning. Eventually it fails with

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Ok. That's weird. So I wonder if it will do it if I access through the VPN router. The same thing happens. I've had some problems in the past where an update on Firefox has extra security protections, so I try it out on Chromium. Same result. Weird. So I try connecting to another NordVPN server and I get the same problem.

So I've spent a while looking for answers on the internet, and come up pretty blank. So I ask NordVPN support. They go 'oh - that's a known problem, try this list of other servers, or use a server in Canada'. I'm a little surprised by this, and I wonder how I'm supposed to know which of these servers to connect to - because they don't seem to have a list by location - just a way to recommend the closest. In the chat window I get a big list of servers and locations.

So to try and find out which servers will work with amazon - I ping a bunch of servers, and find one that appears closest. Unfortunately it remains significantly slower than the original server I connected to.

Later I tried to set this up on the router - but for some reason, and currently I don't know why, I couldn't get it to work.

So... PureVPN had some problems connecting to other services that I wrote about elsewhere. But not being able to use amazon whilst on the VPN?! On top of that I still don't know why it doesn't work. All I have is a special list from NordVPN support.

If I can't get this to work well I might have to pull the plug on NordVPN! This is not what I was expecting.

 

Here is PureVPN's email...

_ October, 2017

How We Protect Your Privacy: Setting The Record Straight

Dear Valued Customer,

There is nothing more important to us than providing you peace of mind through our secure, reliable networks. We work hard every day to earn your trust, and are committed to living up to your expectations for online freedom and privacy.

PureVPN welcomes and respects the free will of its users to use the Internet as they desire – securely and anonymously. We firmly believe that activities such as file sharing, downloading, streaming, messaging, calling, and secure and private browsing are unquestionable rights of every Internet user. The very reason we chose Hong Kong as our home is because of its very liberal, broad and privacy-friendly laws.

In light of recent news reports, we felt it was important to reach out to clarify our privacy policy and to set the record straight about our role in helping stop an aggressive cyber stalker. To do so, it’s important to clarify some technical terms which may be confusing or too broad at times.

Within the context of a VPN service there are two types of logs: Browsing Logs & Network (Troubleshooting and/or Optimization) Logs. Browsing logs are extremely personal and private to users, and we believe no one should collect or have access to these logs, since they have the potential to directly invade users’ privacy. Our “No Log” policy ensures our commitment to this belief.

Network logs, on the other hand, are purely for troubleshooting and optimization, with no information about the browsing habits or other private activities of users. These logs, among other system logs such as bandwidth consumed, contain mostly the timestamps of users (identified by their non-VPN IP address), connection initiation, and disconnection times. As stated in our Privacy Policy, these are the logs that we collect and store for business and service optimization purposes. For additional information we have provided a more detailed explanation here.

We have never shied away from our core philosophy of protecting the individual privacy of our customers. Because of this, we have taken a very clear, proactive stance against cyberstalking, and believe that our actions in this situation simply reaffirm that commitment.

Our commitment to privacy goes even further. Unlike other organizations, having selected Hong Kong as our base of operations, our users enjoy a unique, inherent privacy advantage. Other organizations, who operate in USA, UK, Canada, Australia or similar other regions, are involuntarily subjected to infamous mass surveillance programs like PRISM, ECHELON, XKeyscore, Tempora and others. Thus, PureVPN users are significantly safer.

Please don’t hesitate to contact us with any further questions or concerns, and we look forward to continuing to provide you with the same level of service that you have come to expect from your trusted VPN partner.

Regards, PureVPN