Nord is one of the biggest names when it comes to personal VPNs, but can it cater to businesses? NordVPN’s enterprise counterpart, NordLayer, is the company’s foray into the enterprise space. Formerly called NordVPN Teams, NordLayer offers small to medium-sized businesses safe and easy-to-deploy SASE infrastructure.
SASE, or Secure Access Service Edge, isn’t exactly a VPN, although it offers many of the same benefits. SASE combines zero-trust network access (ZTNA) and software-defined wide area networking (SD-WAN), two key terms that we’ll discuss more in this review.
Suffice to say for now that NordLayer lets organizations set up secure site-to-site connections between geographically distant locations, manage remote employee access to company resources, and increase endpoint security. It claims to be well-suited to hybrid environments and bring-your-own-device policies. In this review, I’ll take NordLayer for a spin to see how it performs on all of these fronts.
If you don’t have time to read the full review, then check out the summary below!
Summary: Do I recommend NordLayer?
NordLayer makes the daunting task of managing a secure network far more approachable for small organizations. If you have remote workers who need secure access to company resources, or need to securely connect two or more office locations, I recommend NordLayer. It’s ideal for small to medium-sized businesses with limited IT staff.
There are a couple of caveats. NordLayer does not play well with IPv6, and NordLayer tells us it won’t work in China. I’ll discuss those points later in this review, but if those limitations are not a concern for you, then give NordLayer a go.
- Easy to use for admins and clients
- Strong security overall
- Adaptable and scalable to a wide range of organizations
- Straightforward pricing
- 24/7 support
- Fast servers in 30+ countries
- Doesn’t work in China
- IPv6 is not supported
- DNS leaks
- Best features are restricted to more expensive plans
NordLayer admin setup
Administrators can manage NordLayer via a dashboard accessible from any web browser. From here admins can create gateways, set up servers, monitor connections, and assign privileges to specific groups and team members.
On a Basic NordLayer plan, getting set up is as simple as installing the client app on endpoint devices and then adding those devices to your organization through the NordLayer web dashboard. Users can then securely access the internet via the service’s shared gateways. From the client’s perspective, this isn’t much different than using the standard NordVPN service with additional oversight.
In addition to shared gateways, Advanced plan users get far more control and options. You’ll start by spinning up a dedicated server, then attaching a gateway to it. Crucially, only members of your organization can access this gateway. Team members can be assigned to groups, which are granted access privileges according to group policies.
If you want to give remote employees access to on-premises file storage, for example, then set up a site-to-site VPN to a local router or firewall device. The file storage or local server will be inaccessible publicly, but if you connect to a NordLayer dedicated server that has site-to-site set up with your office, remote employees can access company resources as if they were physically there.
The same process works if you want to give remote employees access to cloud storage or applications. Or, if your cloud app allows IP allowlisting, you can enter your dedicated IP address in NordLayer.
Admins can monitor user activity through the NordLayer dashboard. You can see a list of recent connections and which actions each user took while connected.
Admins can choose how users log into NordLayer. An email and password combination is the default, but NordLayer also supports:
- Two-factor authentication
- Single sign-on (SSO) through Google, Azure AD, Okta, and OneLogin
- SCIM provisioning with Azure AD and Okta
- Biometric verification
You can take advantage of shared servers or spin up dedicated servers in any of the following countries:
- United Kingdom
- Czech Republic
- United Arab Emirates
- Hong Kong
If you’re annoyed by the fact that the above list isn’t ordered alphabetically, you should know that this is the order in which countries appear in the client app, as a user in the US, with no option to sort them otherwise. More on those endpoint device apps next…
Client apps: What devices work with NordLayer?
NordLayer makes client apps for the following operating systems:
The desktop apps can be downloaded from NordLayer’s website, and the mobile apps are available from their respective official app stores.
The Linux app comes in .deb and .rpm file types and, unlike the other four, doesn’t have a graphic user interface (GUI). Instead, it runs from the command line.
The SWG browser extension, once set up with your gateway, will make your browser connection work as if you were connected through the NordLayer native app. It’s available for Edge, Firefox, and Chrome, but only if you subscribe to the more expensive plan.
The overall app design is simple and easy to use. On desktop, it displays as a panel on the right-hand side of your screen. Changes made by the administrator immediately take effect in the client apps without needing to restart them.
As an endpoint user, you can add trusted wifi networks to a list. By default, you won’t be automatically connected to the VPN when using these, though the apps can be set to auto-connect when using untrusted wifi or when the app launches.
A kill switch can be toggled on in the app. When enabled, the kill switch will halt all internet traffic whenever the VPN connection drops out. Unlike the NordVPN app, the kill switch is system-wide and not app-specific.
One small complaint as a desktop user is that I must open the app to know if I’m connected to NordLayer. The system tray icon always looks the same, so I can’t discern whether I’m connected at a glance. The mobile app puts an icon in the status bar, so it doesn’t have this problem.
NordLayer is chock-full of security features tailored to small and medium-sized businesses where employees constantly access company resources remotely from multiple devices. It keeps track of and protects all endpoint devices at once.
NordLayer’s security features include:
- Network access management sets permissions and security policies for users and apps to ensure only authorized staff can reach sensitive and confidential data.
- Network segmentation lets admins create teams and private gateways, each with a dedicated IP address. This lets you segment your local networks and restrict certain data to those who really need it.
- Zero Trust Network Access (ZTNA) is a “never trust, always verify” approach to network access. Authentication is required prior to access being granted.
- Cloud access security brokers (CASBs) enforce security policies between cloud infrastructure and users, controlling access to critical resources.
- Secure web gateways (SWGs) enforces security policies to keep organizations compliant. NordLayer SWGs filter unwanted traffic through application control and data loss prevention (DLP) filters, among others.
- Firewall-as-a-service (FWaaS) is a layer of security for a cloud-based network perimeter that detects unauthorized attempts to gain access.
- ThreatBlock automatically restricts untrusted websites and users to protect your users from malware, ransomware, and viruses. Threatblock can be disabled in the client app.
- Jailbroken device detection detects devices that are vulnerable to attack and alerts admins immediately.
- Automatic provisioning maintains and removes user identities as their statuses or roles change.
- Single sign-on (SSO) allows you to use one set of security credentials to access your multiple cloud applications.
- Biometrics authenticate users based on fingerprint scanning and face recognition.
- All traffic in transit is protected using 256-bit AES data channel encryption.
NordLayer integrates with platforms such as AWS and Azure.
NordLayer leaks DNS and IPv6
Unfortunately, NordLayer suffers from a few leaks as of time of writing. First, it fails to tunnel all IPv6 traffic, which means your IPv6 address and traffic will leak outside the VPN tunnel if you don’t disable IPv6 altogether in your end users’ device settings. In the screenshot below, you can see that the IPv6 address is not changed or hidden while connected to NordLayer on Windows:
Even though NordLayer doesn’t support IPv6, it should still have an option to toggle it off and prevent leaks in the client app settings.
It also suffers from DNS leaks on both IPv4 and IPv6. As a result, your ISP or other snoops on your network can track which apps and websites clients use, or which networks they try to access. The screenshots below show that my ISP’s DNS servers were still visible while connected to NordLayer.
These leaks are especially disappointing considering Nord’s consumer VPN doesn’t suffer from them. Given time, I think these problems will be fixed. I’ll update this review when they are.
NordLayer SASE and SD-WAN explained
SASE, or Secure Access Service Edge, combines SD-WAN and network security point solutions (FWaaS, CASB, SWG, and ZTNA) into a single cloud-based service.
SD-WAN stands for software-defined wide area networking. It’s a cloud-based approach to connecting offices in multiple locations. It allows administrators to separate traffic based on security level, authorization, and quality of service (QoS) settings. Compared to a VPN, SD-WAN benefits from lower latency and has some security failovers that VPNs do not.
SD-WAN requires less maintenance and expertise than a VPN, and is easier to scale up. Because of this, SD-WAN is better for work-from-home employees than traditional VPNs. SD-WANs channel traffic across cloud-compatible WANs for optimal application performance. Connections can be made over LTE, 4G, and MPLS, among others.
By default, SD-WAN doesn’t come with any security or access control. In the past, businesses had to set up their own, unwieldy network of gateways and firewalls. Enter SASE.
SASE, or Secure Access Service Edge, is a model for implementing SD-WAN that gives enterprises a single, centralized view of the entire network, allowing for easy management. It combines SD-WAN with ZTNA and the other security features listed above into a single, manageable solution. NordLayer gives admins the ability to manage their SASE entirely through a web dashboard.
NordLayer “Advanced” features
NordLayer’s Advanced plan allows admins to request several network, security, and access control upgrades as needed. These include:
- Site-to-site VPN that securely connects your business’ local network to the cloud or other on-premises resources via a dedicated server
- SWG browser extensions are available for Edge, Firefox, and Chrome browsers. They enable access to SaaS platforms via a web browser. Once SWG is set up with your gateway, your browser connection works as if you were connected through the NordLayer native app.
- DPI Lite looks for certain patterns in headers, ports, protocols, IP addresses, et cetera in users’ traffic. Based on database matches, it blocks selected categories. Admins can choose from about 250 categories ranging from Apple Push notifications to WhatsApp messages.
- Custom DNS lets you set your own nameservers instead of Nord’s default DNS servers
- DNS filtering blocks websites and hostnames belonging to a specific content category
All of these features need to be requested from the NordLayer dashboard and can take up to 24 hours to be enabled.
Gateways can be enabled with Smart remote access, a feature that lets two users connect endpoint to endpoint when they are connected to the same server. Additionally, it gives users the ability to see each others’ endpoints even if they are not in the same local network.
Speed: Is NordLayer fast?
Using shared gateways, NordLayer’s average speed when downloading from the web measured 382 Mbps in our tests. Its speeds are similar to NordVPN, but Nord assures us that the server infrastructure for NordLayer is completely separate from its consumer VPN service.
Here are the average speeds for each region:
- North America (nearest): 355 Mbps
- Europe: 442 Mbps
- Asia: 349 Mbps
All our tests were run using the NordLynx protocol, which is a fork of the open-source Wireguard protocol. NordLynx offers the fastest speeds of all the available protocols, which include IKEv2 and OpenVPN.
We ran our tests on a 5 Gbps connection to shared gateway servers in North America, Europe, and Asia at various times of day. Our tests give a broad indication of the performance you can expect when using NordLayer, but the inherent volatility of the internet means you may see discrepancies between our results and your own experience.
As for dedicated gateways used exclusively by your team, both the Basic and Advanced plans give you access to 1 Gbps servers. You can get up to 10 Gbps servers with a custom plan. More on those plans below.
Price and billing
NordLayer offers three plans:
- Basic costs $7 per user per month or $84 per year
- Advanced costs $9 per user per month or $108 per year
- Custom plans vary in cost and are negotiated directly with Nord
The basic plan gets you 1 Gbps servers, shared gateways in more than 30 countries, and unlimited data. This plan essentially gives your staff members access to NordLayer’s shared gateways.
For most organizations, I recommend the advanced plan with at least one dedicated server. This will let you set up a private gateway to remotely access your organization’s internal resources, whether they exist locally or on the cloud.
The advanced and custom plans add:
- Site-to-site interconnectivity
- SWG browser extension
- Smart remote access (cloud LAN)
- Network segmentation
- Unlimited gateways and teams
- Custom DNS
- DNS filtering
- Deep packet inspection (DPI Lite)
- A dedicated account manager
Bear in mind that private gateways require dedicated servers. If you need a private gateway, dedicated servers are only available on the Advanced and custom plans, and cost an additional $40 per month per server. Most organizations will probably want at least one dedicated server.
You can choose whether your organization is billed monthly or once per year, with the annual plans costing less (up to 22% discount as of time of writing).
User licenses are transferable. If you let go of one employee and hire another, the departing employee’s account can be transferred to the new employee. Charges for any additional licenses will be prorated based on your initial contract with NordLayer. That makes it easy to scale up, but bear in mind there’s no further discount as you add more licenses unless you can negotiate it on a custom plan.
You can book a demo if you’d like to try NordLayer in advance.
NordLayer support is available 24/7 via email or live chat on its website. I posed a couple of questions to the live chat support regarding IPv6 and access from China. An agent responded immediately. Although curt, their answers were prompt and satisfactory.
NordLayer has an extensive, searchable knowledge base with setup and troubleshooting guides. These will help you especially in the early stages of getting NordLayer configured how you need it.
If you’re an Advanced or Custom plan subscriber, and you have at least 30 active licenses, a dedicated account manager will see to your needs.
Does NordLayer work in China?
No. Unlike NordVPN, NordLayer’s gateways are not accessible from China at this time. Shop elsewhere if your business has remote staff in China or other countries that routinely block VPNs.
Does NordLayer have a free trial?
You can request a demo of NordLayer to try for free before subscribing, but it may be a limited demonstration. The number of dedicated servers or gateways you can create might be restricted, for example.
What is Comparitech’s NordLayer testing methodology?
Comparitech puts every service it reviews through a series of tests, combined with real-world experience by expert analysts. Our testing methodology includes:
- Download speed tests
- DNS, IPv6, and WebRTC leak testing
- Review of security parameters and encryption suite
- Testing all available features in a real-world environment
- Engaging with customer support
And much more. You can see our full VPN testing methodology here.