A sneak peek inside a NordVPN server

Network servers in data room Domestic Room
(Image credit: Shutterstock)

VPN use has increased considerably over the past five years. While users in the west are less likely to go online through a VPN client, those in Asia and BRICS nations are the top subscribers. This affords online privacy, encryption, and even the avoidance of region blocking, useful for watching overseas TV or Netflix.

But what are you getting for your $10 a month? To find out what goes on behind the scenes in a VPN server, we spoke to NordVPN.

In what is believed to be an industry first, TechRadar Pro and NordVPN have teamed up for a guided tour of a VPN server. NordVPN technicians helpfully set up an SSH session to demonstrate the key aspects of a random selection of VPN servers.

Mark Halstead is the CTO of NordVPN and he guided us through the company's policy on logging and how this is implemented. His colleague Tom Okman also joined us for some further explanations.

Anatomy of a VPN server

We started by looking at a VPN server.

Using a VPN is simple as a subscriber. You sign into the server via the VPN client, which by default encrypts and routes all activity from your PC to the chosen VPN server. From this point, the VPN server authenticates access and provides a gateway to the internet beyond. The server is protected by a NAT/Firewall, while recursive DNS helps to guarantee a successful connection to the intended website or service (perhaps streaming a YouTube channel). A database of live sessions might also be running, alongside some statistical monitoring.

A VPN is supposed to enhance your privacy and help ensure online anonymity. One of the key advantages of using a paid VPN subscription is that the company providing access to its VPN servers keeps as little information about you and your activity as possible.

Operating systems create logs by default, which means that any conscientious VPN provider would take steps to disable this. So, how meticulous has NordVPN been?

The session revealed that NordVPN's Linux servers are configured with various tools that enhance security, privacy, and authentication. FreeRADIUS is used for authentication, while the squid proxy software is also used. SaltStack is used for correct server configuration, controlling the infrastructure.

A running VPN server (in this case a box based in Ireland with 149 days of uptime) is configured with OpenVPN as well as IPsec for encrypting data. Four threads on TCP and four on UDP are routed through OpenVPN, with both transport protocols given equal status.

(Image credit: Shutterstock)

How DNS leaks are prevented

One important privacy aspect of VPNs is protecting against DNS leakage. This is when requests to a DNS server (basically an index of IP addresses and corresponding website URLs) are visible to anyone monitoring the connection, despite using a VPN.

Observation of your online activity in this regard could leak information that could prove inconvenient at best. DNS leaks can be checked at IPleak.com, but what are VPN services doing to prevent DNS leakage?

NordVPN's servers, as expected, use their own DNS. But operating systems offer challenges. For example, on Android the operating system must disable IPv6 to avoid DNS leak possibility. This appears to be a short-term solution, however, as NordVPN have plans to commission IPv6 VPN servers. 

Another risk to VPN users that has transpired in recent months is the arrival of VPN servers that claim to be in country X but are in fact situated in country Y. This is not something that NordVPN practices. "We have a really strict policy on that… we think we should only have our servers in the locations we say they are." 

Ensuring the no logging policy

VPN users expect their activity to be private. As the data is being encrypted between the client device and VPN server, it is reasonable to assume that logs won't be kept of activity beyond. 

But what if a government demands it? VPNs based in certain countries (such as the USA, Canada, United Kingdom, Australia, and New Zealand, the so called Five Eyes) would be compelled by law to provide logs of its subscribers' activity on one or more servers.

NordVPN's approach to no logging is to simply disable logs on their servers. By basing the company in Panama, it is under the jurisdiction of an authority that has no mandatory data retention laws. In addition, Panama is not involved in the Five Eyes or Fourteen Eyes alliances. NordVPN operate a "warrant canary" page on their site so subscribers can check if the VPN service has received warrants, gag orders, or "National Security letters."

We've already seen that a VPN server is complicated; with 5629 servers in 58 countries, how do NordVPN ensure their servers don't log subscriber activity? 

Simply, logs are configured to write to a virtual device that does not exist. All generated data about connections, destinations, and activity are simply discarded into the ether using the dev/null path.

To demonstrate, Mark showed us servers in Italy, Hong Kong, and Ireland. Hong Kong and Ireland were TechRadar Pro's choices, whereas Italy was NordVPN's. In all three cases, a grep command demonstrated the status of the chosen servers (or in the case of Italy, all servers). 

Each check showed that logs were discarded to the non-existent virtual path of dev/null. The result is logless VPN servers - exactly what a security and privacy-conscious VPN user is looking for.

NordVPN is so confident of its no-logging policy that it has contracted auditing giant PricewaterhouseCoopers to assess its VPN servers. Successful audits are a badge of honour that enhance reputations. 

(Image credit: Shutterstock)

Security and DDoS

Connecting to a VPN server should be straightforward. However, with the potential for so much activity to be exposed, VPNs are regularly targeted by DDoS attacks. Distributed denial of service attacks strike at a server's ability to process data effectively, resulting in the server's owner taking it offline.

"If a provider that we rent a server from is not prepared… there were some issues for customers connected to the server. It was more than 500Gb per second," Mark told us. "We never work in one country with one provider," continues Tom. "We have a mechanism that monitors the health of the systems, and automatically takes the service out of the quick connect and the APIs." 

This means that the target server is made intentionally unreachable for PC and mobile clients.

"We work with cloud providers such as Cloudflare and Amazon in some cases, so that's more mitigated."

While NordVPN has a strategy for dealing with DDoS attacks when targeted, they're also building faster servers. Relying purely on RAM, their diskless servers and new TCP technology are likely to have an impact on making the entire VPN industry faster. 

Making VPNs faster

In a busy marketplace, VPN companies need to stand out from the competition. One way to do this is to offer improved performance for VPN customers. NordVPN is developing several technologies to enhance speed and security and took the time to share details of two of them.

Diskless servers are pretty much what you would expect, servers with no moving parts. Designed to boot remotely and rely on RAM rather than a physical spinning HDD, diskless servers have been introduced with a triple benefit: reducing reliance on leased servers, enhancing security, and improving performance. 

In a theoretical DDoS attack, a VPN running on a diskless server can be taken offline instantly, mitigating the impact of the attack considerably. "With these servers in RAM, I don't think hacking into the system would make much sense," Tom tells us. "Once it's rebooted, once the credentials are changed, it's automatically reinstalled, fresh from the start."

Imagine going online via a VPN and finding that your internet connection speed has increased. It sounds back-to-front, but NordVPN's TCP splitting technology, upon which there is a patent pending, overcomes ISP throttling (also known as traffic shaping or data prioritisation, although the terms are not precisely interchangeable).

NordVPN's tests have revealed that connections to sites based outside Europe using TCP splitting are faster than those made without the technology in place. Performance like this can enhance streaming and online gaming, not to mention online collaboration on creative projects. It might just be the next big thing in VPN marketing: "Get faster internet with a VPN!"

(Image credit: Shutterstock)

Improving the VPN industry

A few bad business decisions can ruin an online reputation. Security software applications have been found selling customer data, for example. VPN companies have fallen by the wayside, but there is a maturity to the industry.

Part of the Internet Infrastructure Coalition (i2Coalition), the VPN Trust Initiative (VTI) is a consortium of VPN companies driven to improve digital safety for customers. NordVPN joined several well-known and influential VPN companies that have signed up to the VTI as founding members.

With the launch of a bug bounty program in December of 2019, NordVPN is making itself as open and honest as an encryption service can possibly be. If the rest of the industry follows this lead, everyone will benefit.

  • We've also highlighted the best VPN services
Christian Cawley

Christian Cawley has extensive experience as a writer and editor in consumer electronics, IT and entertainment media. He has contributed to TechRadar since 2017 and has been published in Computer Weekly, Linux Format, ComputerActive, and other publications. Formerly the editor responsible for Linux, Security, Programming, and DIY at MakeUseOf.com, Christian previously worked as a desktop and software support specialist in the public and private sectors.

TOPICS