An NAT Firewall is a valuable security tool, and a must-have feature when shopping for a new VPN service. But what is NAT, and how does it affect your online security?
In this article, you’ll learn:
- What a NAT firewall does and why you should want one
- How an NAT firewall works
- Which VPN providers include NAT protection
- The difference: Personal firewall vs. NAT firewall
What is an NAT Firewall?
An NAT Firewall is a technology that filters data packets, when routing them between networks.
NAT stands for Network Address Translation, which is a technology designed to rewrite ‘headers’ on data packets, to correctly route them between networks. So when your VPN tunnel routes data between the public internet and your computer through the VPN server, this data must all go through NAT translation.
So an NAT firewall ensures that all the data routed to your computer is actually data that you specifically requested. It is designed to insure that no hacker, government, or attacker can malicious code or data to be routed to your computer. NAT helps protect your VPN-connected device from malware and port-scanning software.
It also can prevent certain decryption attacks, designed to guess your encryption key by inserting known packets into your VPN tunnel. To further reduce your risk, you should always use a VPN that has Perfect Forward Secrecy.
So to summarize:
An NAT firewall:
- Verifies the source of data packets routed between networks
- Make sure every packet sent over the VPN is one you’ve requested
- Reduces the risk of hackers injecting malware or discovering open ports
- Minimizes your vulnerability to certain cryptographic attacks.
Doesn’t my router have a firewall already?
Yes it does, in fact your router’s firewall is actually an NAT firewall as well.
But here’s the thing, your router won’t do a darn bit of good to stop any malicious packets sent through the VPN tunnel.
You see, routers have a feature called ‘VPN Pass-through’ which allows your vpn connections to go through router without being inspected or rerouted. The reason this feature exists is to ensure fast VPN speeds and make sure that your VPN traffic is always routed to the correct device on your network.
VPN pass-through is a good thing, but it also means that you need a firewall at the VPN provider level, because your router will automatically trust all VPN traffic, so we need to make sure that your provider is inspecting the traffic before it gets to your router.
Which VPN Services include an NAT Firewall filter?
As you can tell, an NAT firewall is a critical security precaution, and you should make sure to choose a VPN provider that offers one. Several VPNs include NAT security for free (all plans). Others may charge extra (PureVPN is an example). Finally, some VPN services don’t offer any sort of VPN firewall protection at all. You’d be best advised to avoid these services if you’re serious about protecting your online security.
Here are the VPN providers that take your security seriously:
IPVanish (Firewall Included)
IPVanish has topped several of our ‘best vpn’ lists, including being named: ‘Fastest non-logging VPN’, and the ‘Best VPN for Torrenting’ in 2016.
But they also excel at security. With a built-in NAT firewall (included in all plans), 256-bit AES encryption, and integrated kill-switch, IPVanish is one of the most secure VPN services available. They also have a full-time network security team, monitoring potential threats and defending the network against spam, botnets, and hackers.
Read: our complete IPVanish review (updated frequently)
IPVanish also has a true ‘Zero-log’ policy, meaning the record no information or metadata about your VPN usage or session history. Learn more about VPN Logs, and discover our other favorite non-logging VPNs.
Private Internet Access (Firewall Included)
Private Internet Access includes an NAT firewall with all of their unlimited VPN subscriptions. They may not strongly advertise that fact, but they do in fact filter malicious upstream packets
to ensure that your connection is as safe as possible.
In addition, PIA allows unlimited speed and bandwidth with every plan, 5 simultaneously connected devices, and unlimited p2p/torrenting. Best of all, annual unlimited subscriptions cost only $3.33/month, less than half the price of most competitors, making PIA our ‘Best Cheap VPN’ of 2016.
Read: Private Internet Access review, comparison, and speedtest
VyprVPN (Firewall Included)
VyprVPN also has an excellent NAT firewall built into their VPN server network. It’s included for free with their top 2 plans, but not Vypr ‘basic’ (which we don’t recommend anyway).
Vyprvpn isn’t cheap, but since they actually own their own data network, they’re one of the world’s fastest vpn providers. They also have an incredibly high-quality software client for Windows, Mac, iOS and Android.
If having an excellent software UI is important to you, VyprVPN is a great choice.
Read: Our 2016 VyprVPN review
PureVPN (Firewall optional)
PureVPN also has an NAT firewall option, however they don’t include it automatically with your VPN subscription. Instead it’s available as a $1.99/month addon. While a VPN firewall is a valuable security upgrade, it’s hard to justify spending $2/month just for the firewall, when you get an unlimited PIA subscription for $3.33/month.
That said, if you’re already a PureVPN subscriber, it may be worth the upgrade.
NAT Firewall vs. Personal Firewall (software)
Many of you are wondering — ‘Don’t I already have a firewall installed on my computer?’. And you probably do. Many antivirus software suites include a firewall. And windows PC’s also include the basic, but functional, ‘Windows Firewall’. Application.
Unfortunately, software firewalls on your individual devices will do almost nothing to protect you against malicious upstream traffic through the VPN tunnel.
Here’s why:
Your VPN traffic is automatically granted a firewall exception, meaning it’s treated as a trusted connection and is never blocked. This ensures that the encrypted VPN packets always reach your computer quickly and intact (good). But it also assumes that your VPN traffic isn’t dangerous.
Let me reassure you, there’s no reason to be fearful of using a VPN. There is nothing inherently dangerous about communicating via a VPN. In fact, it’s much more secure and safe than an unencrypted connection. But in the rare event that a hacker or botnet decides to target your VPN IP address directly, an NAT Firewall may be your best (or only) line of defense.
So if possible, always try to choose a VPN provider that includes one.
Conclusion and additional tips
An NAT firewall is important consideration when choosing a truly secure VPN, but it’s only one piece of the puzzle.
It’s also important to consider important security features like:
- Privacy and Logging Policy
- Encryption strength and algorithms used
- DNS Leak Protection
- Kill-switch (prevent IP leaks if the VPN disconnects)
It’s also important to realize that this isn’t a complete list of VPN providers that do have an NAT firewall. Some providers don’t advertise it as a feature, considering it so essential a security feature that it shouldn’t need to be flaunted.
If you’re not sure whether your provider offers a firewall, make sure to contact tech support via live chat or email to confirm.
Even if your VPN doesn’t include NAT protection, you can still monitor your internet activity for suspicious connections by using the free tool Glasswire, which shows you every single application on your computer that is uploading/downloading information. You can trace trends over time and analyze apps or patterns that appear suspicious.
And if you know of any other providers that include a firewall, make sure to let us know in the comments below. Thanks!