When innovation knocks, what will you do: let it in or shut the door? Being forever-curious and imaginative geeks, we at NordVPN are always open to innovation. Today we are excited to announce our latest project: the NordLynx technology built around the WireGuard® protocol.

The background

Offering a high-speed connection while maintaining top-notch security is one of the biggest challenges for a VPN provider. What if there was something that could bring a radical change?

The emergence of WireGuard, a new VPN tunneling protocol, seemed like a breath of fresh air in the industry.

Modern, extremely fast, and insanely lean in its architecture, WireGuard uses state-of-the-art cryptography and is backed by thorough academic research. With this combo, it outshines the current leading protocols – OpenVPN and IPsec. WireGuard consists of only 4000 lines of code, which makes it easy to deploy and audit and makes bugs easier to find. For comparison, OpenVPN runs on 400,000 lines of code, so WireGuard amounts to only 1% of the size of OpenVPN’s massive codebase.

However, it’s not all as great as it sounds. There’s been a lot of buzz about WireGuard lately. The protocol is still under heavy development, and it’s far from perfect. Yes, WireGuard can already promise better connection speeds, but its ability to keep users anonymous lags behind.

But an opportunity to offer a faster and more reliable VPN connection to our users was right there. And we took it as a challenge.

That’s how project NordLynx came to life.

Project NordLynx

The WireGuard protocol alone can’t ensure complete privacy. Here’s why. It can’t dynamically assign IP addresses to everyone connected to a server. Therefore, the server must contain a local static IP address table to know where internet packets are traveling from and to whom they should return. It means that the user's identity must be stored on the server and linked to an internal IP address assigned by the VPN.

To put it less technically: by implementing the out-of-the-box WireGuard protocol in our service, we would have put your privacy at risk. And we would never do this.

So we had a puzzle to solve: how can we bring WireGuard’s benefits to our users while strengthening the wobbly privacy part?

How we made it work

We needed to find a way for the WireGuard protocol to work without posing a risk to our customers’ privacy.

And we found it. We developed something called a double NAT (Network Address Translation) system.

To put it simply, the double NAT system creates two local network interfaces for each user. The first interface assigns a local IP address to all users connected to a server. Unlike in the original WireGuard protocol, each user gets the same IP address.

Once a VPN tunnel is established, the second network interface with a dynamic NAT system kicks in. The system assigns a unique IP address for each tunnel. This way, internet packets can travel between the user and their desired destination without getting mixed up.

The double NAT system allows us to establish a secure VPN connection without storing any identifiable data on a server. Dynamic local IP addresses remain assigned only while the session is active. Meanwhile, user authentication is done with the help of a secure external database.
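
The following Python model walks through the two stages described above. It is an added example, not NordVPN's code: the class name, tunnel identifiers and address ranges are assumptions.

```python
import ipaddress

# Assumption: the single local address handed to every connected client.
SHARED_LOCAL_IP = ipaddress.ip_address("10.5.0.2")


class DoubleNat:
    """Model of the two NAT stages described in the text (hypothetical names)."""

    def __init__(self, pool_cidr="100.64.0.0/29"):
        # Second stage: pool of per-tunnel addresses (constructed range).
        self._free = list(ipaddress.ip_network(pool_cidr).hosts())
        self._by_tunnel = {}  # tunnel id -> unique address, held in memory only
        self._by_addr = {}    # unique address -> tunnel id, for return traffic

    def connect(self, tunnel_id):
        """Tunnel established: the client gets the shared local IP and the
        tunnel gets a unique address from the dynamic pool."""
        if tunnel_id in self._by_tunnel:
            raise ValueError("tunnel already active")
        if not self._free:
            raise RuntimeError("dynamic NAT pool exhausted")
        addr = self._free.pop(0)
        self._by_tunnel[tunnel_id] = addr
        self._by_addr[addr] = tunnel_id
        return SHARED_LOCAL_IP

    def outbound(self, tunnel_id, src_ip):
        """Rewrite the shared source address to the tunnel's unique address."""
        if src_ip != SHARED_LOCAL_IP:
            raise ValueError("unexpected inner source address")
        return self._by_tunnel[tunnel_id]

    def inbound(self, dst_ip):
        """Map a reply back to the right tunnel and the shared local IP."""
        return self._by_addr[dst_ip], SHARED_LOCAL_IP

    def disconnect(self, tunnel_id):
        """Session over: drop the mapping and recycle the address."""
        addr = self._by_tunnel.pop(tunnel_id)
        del self._by_addr[addr]
        self._free.append(addr)

    def stored_state(self):
        """What the server holds right now; empty once all sessions end."""
        return dict(self._by_tunnel)
```

In this model two clients share one local address yet their packets stay separate, and `stored_state()` holds an entry for a tunnel only while that tunnel is connected.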

Linux users, try NordLynx now

In fall 2018, we invited a small group of users to take our WireGuard implementation for a test drive as a part of a closed beta. Today, after months of further research, development, and testing, we’re going public with NordLynx – our solution for a fast, private and secure VPN connection. And we’re inviting every curious soul out there to try it!

Our Linux users are the first ones to get hands-on experience with NordLynx. The NordVPN Linux app already supports it.

By default, NordVPN for Linux runs on the OpenVPN protocol. Follow these steps to switch to NordLynx:

1. Update your app to the latest version.
2. Install WireGuard. Tutorials for different distributions are available in our Help Center.
3. Open the terminal and enter ‘nordvpn set technology NordLynx’.
4. Enter ‘nordvpn c’ to connect to VPN.

That’s it – now your Linux app is running on NordLynx. You can always switch back to OpenVPN by entering ‘nordvpn set technology OpenVPN’.

Not using Linux but want to try NordLynx? We will soon provide tutorials on how to set it up on any third-party WireGuard client.

We believe that NordLynx has the potential to be a game-changer in the VPN industry. But we’re nothing without your feedback – please let us know about your experience with NordLynx and help us make the internet better!


WireGuard® is a registered trademark of Jason A. Donenfeld.