Getting Started

Welcome to NorexVPN

NorexVPN gives you your own dedicated private server — not a shared pool. Your IP, your traffic, your server. Nobody else on it. This guide will get you set up in minutes.

What makes NorexVPN different: Most VPN providers put thousands of users on the same server and IP address, which makes your traffic traceable, slows your speeds, and gets your IP flagged and associated with strangers' activity. With NorexVPN, a server is provisioned exclusively for you the moment you sign up.

Fast Setup

Your VPN server is automatically provisioned when you sign up. No manual configuration needed — just scan and connect.

Dedicated IP

Your IP address is yours alone — never shared with other users, never flagged, never throttled by overloading.

Always Fast

WireGuard is the fastest VPN protocol available. Combined with a server all to yourself, speeds stay consistently high.

Installation

Setting Up Your VPN

Getting connected takes about two minutes. Install WireGuard on your device, then import your config from the dashboard. That's it.

1

Create your account

Sign up at norexvpn.com/signup. Choose your plan — Basic or Pro. Your dedicated server starts provisioning immediately after payment.

2

Download WireGuard

WireGuard is the free, open-source VPN app your NorexVPN server uses. Download it for your platform:

iOS Android Windows / Mac / Linux
3

Import your config

Go to your dashboard and open your deployment. You'll see a QR code — on mobile, tap "Import from QR Code" in the WireGuard app and scan it. On desktop, download the .conf file and import it into WireGuard.

4

Activate the tunnel

In the WireGuard app, toggle your NorexVPN tunnel on. You're connected. Your traffic is now routed through your private dedicated server.

Server provisioning typically takes 2–5 minutes after signup. If your dashboard shows "Provisioning" wait a moment then refresh. If it takes longer than 10 minutes, contact support.

Device Setup

Setting Up on Every Platform

NorexVPN runs WireGuard, which has native apps on every major platform. The process is the same everywhere — get your config from the dashboard, import it, connect.

Windows

1

Download WireGuard for Windows

Go to wireguard.com/install and download the Windows installer. Run it — no special settings needed during install.

2

Get your config file from the dashboard

Log in to your dashboard, open your deployment, go to the Devices tab, and click Download on your device. Save the .conf file somewhere accessible.

3

Import the tunnel

Open WireGuard. Click Import tunnel(s) from file at the bottom of the window. Select your .conf file. The tunnel appears in the list immediately.

4

Activate and verify

Click Activate. The status will change to Active. Open a browser and visit ipleak.net — your IP address should show your NorexVPN server's IP, not your home IP.

Windows tip: WireGuard adds itself to the system tray on startup. You can set the tunnel to connect automatically on login by right-clicking the tray icon → your tunnel → Connect on login.

Linux

1

Install WireGuard

On Ubuntu / Debian:

sudo apt install wireguard -y

On Fedora / RHEL:

sudo dnf install wireguard-tools -y

On Arch:

sudo pacman -S wireguard-tools
2

Download your config and place it

Download your .conf file from the dashboard. Copy it to /etc/wireguard/ — the filename becomes your tunnel name:

sudo cp ~/Downloads/mydevice.conf /etc/wireguard/norexvpn.conf sudo chmod 600 /etc/wireguard/norexvpn.conf
3

Connect

sudo wg-quick up norexvpn

To disconnect:

sudo wg-quick down norexvpn
4

Auto-connect on boot (optional)

sudo systemctl enable wg-quick@norexvpn sudo systemctl start wg-quick@norexvpn

To disable auto-connect:

sudo systemctl disable wg-quick@norexvpn
5

Verify

curl -4 https://ipv4.icanhazip.com curl -6 https://ipv6.icanhazip.com

Both should return your NorexVPN server's IP addresses.

Linux tip: Use sudo wg show to see live tunnel status, connected peers, and last handshake times.

iPhone / iPad / Android

1

Install the WireGuard app

Download for iOS →  |  Download for Android →

2

Scan the QR code from your dashboard

Log in to your dashboard on another device or browser, open your deployment, go to the Devices tab, and tap Show QR on your device. In the WireGuard app tap +Create from QR code and scan it. Name your tunnel and save.

3

Activate and allow VPN

Toggle the tunnel on in the WireGuard app. iOS and Android will ask you to allow a VPN configuration — tap Allow. Your phone's status bar will show a VPN indicator when connected.

iOS battery tip: Enable On-Demand in the WireGuard tunnel settings to automatically reconnect whenever you switch networks (WiFi, cellular) without draining extra battery.

macOS

1

Install from the Mac App Store

Download WireGuard for macOS →

2

Import your config

Download the .conf file from your dashboard. Open WireGuard, click Import tunnel(s) from file, and select the file.

3

Activate

Toggle the tunnel on. macOS will prompt you to add a VPN configuration — click Allow. A VPN icon appears in your menu bar when connected.

Router Setup

Connecting Your Entire Network

Running NorexVPN on your router protects every device on your network — phones, laptops, smart TVs, game consoles, and anything else that connects to your WiFi — without installing anything on each device individually.

How it works: Instead of installing WireGuard on each device, you install it once on your router. All traffic leaving your home network flows through the VPN tunnel automatically. Any device that connects to your WiFi is protected — including devices that can't run VPN software themselves, like smart TVs and IoT devices.

Whole-network coverage

Every device on your network is automatically protected — no per-device install or config needed.

Covers unsupported devices

Smart TVs, game consoles, and IoT devices that can't run WireGuard are protected through the router tunnel.

Ad blocking for everyone

Your NorexVPN server's built-in Pi-hole blocks ads and trackers for every device on your network, not just the ones with the VPN app.

Important: Your router config uses one device slot, just like any other device. You can add individual device configs alongside it — phones, laptops, tablets — up to your plan's limit. Just keep in mind that when your router is connected, any device on your network is already tunneled through it, so you don't need to run NorexVPN separately on those devices too.

Step 1 — Create a Router device in your dashboard

1

Add a new device

Go to your dashboard → Devices tab → Add Device. Name it something like "Home Router" and set the device type to Router. Download the .conf file — you'll need this in the next steps.

2

Note the MTU setting

The config file has MTU = 1420. This is important for routers — see the MTU section below for a full explanation of why and when to change it.

Router-specific setup guides

GL.iNet routers have native WireGuard support built into their admin panel — no manual config needed.

Steps:

  1. Log in to your GL.iNet admin panel at 192.168.8.1
  2. Go to VPN → WireGuard Client
  3. Click Add Manually
  4. Paste the contents of your .conf file into the configuration box
  5. Give the profile a name (e.g. "NorexVPN") and click Next
  6. Toggle the WireGuard Client switch to On
  7. Verify: visit ipleak.net from any device on the network

DNS on GL.iNet: GL.iNet routers honour the DNS setting in your WireGuard config automatically. No extra DNS configuration is needed.

OpenWrt supports WireGuard via the luci-proto-wireguard package.

Install WireGuard packages (SSH into router first):

opkg update opkg install wireguard-tools luci-proto-wireguard kmod-wireguard

Then in LuCI (web interface):

  1. Go to Network → Interfaces → Add new interface
  2. Name it wgnorex, Protocol: WireGuard VPN
  3. Paste your Private Key from the .conf file
  4. Set IP Addresses to 10.8.0.x/32 (from your config's Address line)
  5. Set MTU to 1420
  6. Under Peers, add your server: paste the server Public Key, Endpoint, Preshared Key, and set Allowed IPs to 0.0.0.0/0, ::/0
  7. Enable Route Allowed IPs
  8. Under Firewall, assign the interface to the wan zone
  9. Save and Apply

OpenWrt DNS: OpenWrt does not automatically use the DNS from your WireGuard config. Go to Network → DHCP and DNS and manually set the DNS server to your VPN server's IP address (the Endpoint IP in your config). Otherwise DNS queries will bypass your NorexVPN ad blocker.

DD-WRT added native WireGuard support in builds from 2022 onward. Make sure your firmware is up to date before proceeding.

  1. Log in to your DD-WRT admin panel (usually 192.168.1.1)
  2. Go to Setup → Tunnels → WireGuard
  3. Click Add Tunnel
  4. Paste your Private Key, set the Address from your config
  5. Set MTU to 1420
  6. Under Peers, add your server's Public Key, Endpoint (IP:51820), Preshared Key
  7. Set Allowed IPs to 0.0.0.0/0
  8. Enable Persistent Keepalive and set it to 25
  9. Save and Apply

DD-WRT DNS: Like OpenWrt, DD-WRT does not automatically use the DNS from your WireGuard config. Go to Setup → Basic Setup and set Static DNS 1 to your VPN server's IP address.

Firewalla supports WireGuard as a VPN client through its mobile app.

  1. Open the Firewalla app on your phone
  2. Tap your Firewalla device → VPN Client → WireGuard
  3. Tap the + button to add a profile
  4. Choose Import from file and select your .conf file
  5. Enable the VPN client and set it as the default for your network

Firewalla DNS: Firewalla automatically applies the DNS from your WireGuard config. No extra steps needed.

Most modern routers and firewall platforms support WireGuard. The details vary but the information you need from your NorexVPN config is always the same:

Field in your .confWhat to enter in your router
PrivateKeyYour WireGuard private key
AddressTunnel IP address (e.g. 10.8.0.2/32)
DNSDNS server — set this manually in router DNS settings
PublicKey (under [Peer])Server public key
PresharedKeyPre-shared key (extra layer of encryption)
EndpointServer IP:51820
AllowedIPs0.0.0.0/0, ::/0 (route all traffic)
PersistentKeepalive25
MTU1420 (see MTU section)

If your router firmware doesn't have WireGuard built in, consider flashing it to OpenWrt — it supports nearly all consumer router hardware and has excellent WireGuard support.

DNS on routers — the most common mistake: Most routers do not automatically use the DNS server specified in a WireGuard config file. If you don't manually set DNS on your router to point to your VPN server's IP, your DNS queries will go to your ISP or Google/Cloudflare — bypassing your NorexVPN ad blocker and potentially leaking your DNS activity. Always set DNS manually in your router's WAN or DHCP settings to your server's IP address after connecting.

IPv6 & Dual-Stack

IPv6 Support on NorexVPN

Every NorexVPN server runs a fully dual-stack VPN tunnel — meaning your connection is protected on both IPv4 and IPv6 simultaneously. There's nothing to configure; it works automatically.

What is IPv6?

The internet runs on IP addresses — unique numbers that identify every device. IPv4, the original system, uses 32-bit addresses like 172.235.149.48 and has a hard limit of about 4.3 billion addresses. We ran out of those years ago. IPv6 is the modern replacement — it uses 128-bit addresses like 2a01:7e04::2000:c8ff:fe5b:58a5 and provides a practically unlimited address space. Most modern devices and networks now support both IPv4 and IPv6 simultaneously — this is called dual-stack.

Why does IPv6 matter for a VPN?

!

The IPv6 leak problem on other VPNs

Many VPN providers only tunnel IPv4 traffic. If your device has IPv6 connectivity (which most modern connections do), your IPv6 traffic goes straight to the internet completely outside the VPN tunnel — exposing your real IPv6 address to every website you visit. This is called an IPv6 leak and it completely undermines the point of a VPN.

How NorexVPN handles it

NorexVPN routes all IPv6 traffic through the tunnel using AllowedIPs = 0.0.0.0/0, ::/0 in every device config. The ::/0 entry means "all IPv6 addresses" — nothing escapes the tunnel. Your real IPv6 address is never exposed.

What dual-stack looks like in practice

When you're connected to NorexVPN, your device's outbound IP addresses are both your server's public IPs. You can verify this yourself:

curl -4 https://ipv4.icanhazip.com # Returns your server's IPv4 curl -6 https://ipv6.icanhazip.com # Returns your server's IPv6

The WireGuard config — what the IPv6 fields mean

[Interface] PrivateKey = <your private key> Address = 10.8.0.2/32, fd86:ea04:1115:0001::2/128 ← IPv4 + IPv6 tunnel addresses DNS = 172.235.149.48 ← Your server's IPv4 (Pi-hole) MTU = 1420 [Peer] PublicKey = <server public key> PresharedKey = <preshared key> Endpoint = 172.235.149.48:51820 AllowedIPs = 0.0.0.0/0, ::/0 ← Route ALL traffic (IPv4 + IPv6) PersistentKeepalive = 25

Address (dual-stack)

Your device gets two tunnel addresses — one IPv4 (10.8.0.x) and one IPv6 (fd86:..::x). The IPv6 address uses a private ULA prefix unique to your server — it's not publicly routable but gives you a proper IPv6 identity inside the tunnel.

AllowedIPs = ::/0

This is the critical entry. It tells WireGuard to route all IPv6 traffic through the tunnel — no exceptions. Without this, IPv6 traffic would bypass the VPN entirely and leak your real address.

DNS stays on IPv4

DNS is intentionally set to your server's IPv4 tunnel address. This is by design — Pi-hole listens on IPv4 and resolves both A (IPv4) and AAAA (IPv6) DNS queries. Your IPv6 DNS queries are also ad-blocked through the same Pi-hole.

How to test for leaks: While connected to NorexVPN, visit ipleak.net or browserleaks.com/ip. Both your IPv4 and IPv6 addresses shown should be your NorexVPN server's addresses. If you see any address from your ISP or home network, contact support immediately.

How It Works

WireGuard & Your Private Server

WireGuard is the modern VPN protocol powering NorexVPN. It's faster, leaner, and more secure than older protocols like OpenVPN or IPSec.

Blazing Fast

WireGuard runs in the Linux kernel and uses state-of-the-art cryptography with minimal overhead. Speeds are consistently faster than traditional VPN protocols.

Modern Cryptography

Uses ChaCha20, Poly1305, Curve25519, and BLAKE2 — battle-tested algorithms that provide strong encryption with low CPU usage.

No Logs

WireGuard doesn't log traffic by design. Your activity data is never written to disk on your server.

Stealth Reconnection

WireGuard automatically re-establishes the tunnel when you switch networks — WiFi to cellular, café to home — without dropping your connection.

Your dedicated server advantage: With NorexVPN your WireGuard tunnel connects to a server that belongs only to you. Other VPN providers share one server among hundreds or thousands of users — meaning shared bandwidth, shared IP reputation, and a shared target. Your server is private infrastructure.

Dashboard Guide

Using Your Dashboard

Your dashboard is the control centre for everything — server status, device management, config downloads, and account settings.

Overview tab

See your server's live status, IP address, region, and uptime. A green indicator means your server is online and accepting connections.

Devices tab

Each device you connect gets its own WireGuard peer configuration. Add a device, download or scan its QR code, and connect. Basic plan supports up to 8 devices, Pro supports up to 16.

Config download

You can download your WireGuard config file at any time from the dashboard. Use this to set up on desktop clients (Windows, Mac, Linux) by importing the .conf file.

Settings & subscription

Manage your plan, update payment info, change your password, and cancel or upgrade your subscription — all from the Settings tab in your dashboard.

Billing & Plans

Plans & Pricing

Two simple plans, billed monthly or annually. No contracts, no hidden fees. Cancel any time from your dashboard.

Monthly Plans

Feature Basic — $9.99/mo Pro — $19.99/mo
Dedicated private server
Dedicated IP address
WireGuard protocol
Connected devicesUp to 8Up to 16
Server region1 region1 region
Free trial at sign up
7-day money-back guarantee
Cancel any time

Annual Plans 2 months free

Plan Annual Price Monthly Equivalent Savings
Basic Annual$99.99/year$8.33/moSave $19.89
Pro Annual$199.99/year$16.67/moSave $39.89

Annual plans are billed once upfront and renew automatically after 12 months. You get the equivalent of 2 months free compared to monthly billing. Free trial is available on all plans — no charge until your trial ends. 7-day money-back guarantee applies after your first charge if you're not satisfied.

Billing FAQ

You're billed monthly or annually (depending on your plan) on the same date your trial ended. Payments are processed securely by Stripe — we never store your card details. You'll receive an email receipt after each charge.
Yes. Cancel from your dashboard under Settings → Subscription. Your server stays active until the end of the current billing period, then it's deprovisioned. No cancellation fees.
You'll receive an email notification and Stripe will retry the charge. If payment continues to fail your subscription will be paused and your server deprovisioned. You can reactivate at any time by updating your payment method in the dashboard.
Yes, upgrade any time from your dashboard. The price difference is prorated for the remainder of your billing period.
Security & Privacy

How We Protect You

Security is built into every layer of NorexVPN — from how your server is provisioned to how your account is protected.

Hardened Servers

Every server is locked down after provisioning — SSH access is closed, unnecessary ports are blocked, and management communication uses HTTPS with certificate verification.

Unique WireGuard Keys

Your WireGuard keypair is generated uniquely per customer and per device. Keys are never shared or reused.

Account Security

Passwords are hashed with bcrypt. Sessions use signed tokens. All forms are protected with CSRF tokens, rate limiting, and bot detection via Cloudflare Turnstile.

Stripe Payments

All payments are processed by Stripe. We never store your card number, CVV, or billing details on our servers.

No Traffic Logs

WireGuard does not log traffic by design. We do not record, inspect, or sell your browsing activity — ever.

Brute Force Protection

Login and signup endpoints are rate-limited per IP. Repeated failed attempts are automatically blocked to protect your account.

Troubleshooting

Common Issues & Fixes

Most issues are solved in under a minute. Find your problem below.

Server provisioning typically takes 2–5 minutes. Refresh your dashboard after a few minutes. If it's still showing "Provisioning" after 10 minutes, please contact support at support@norexvpn.com.
First check that your server status is "Online" in the dashboard. If it is, try re-downloading your config file and re-importing it into WireGuard. If you're on mobile, make sure WireGuard has VPN permissions in your device settings (Settings → VPN on iOS / Settings → Apps → WireGuard on Android).
WireGuard is the fastest protocol available, but speeds depend on your base internet connection and distance to your server's region. Try running a speed test with the VPN off vs. on to compare. If there's a significant drop, contact support and we can investigate your server's performance.
Log in to your dashboard, go to Devices, and select the device. Your QR code and config download are always available there. If you deleted the device, simply add a new device to generate a fresh config.
Basic plans support up to 8 devices, Pro supports up to 16. To add more devices, either remove an existing device from your dashboard or upgrade to the Pro plan.
Email us at support@norexvpn.com. Include your account email and a description of the issue. We typically respond within a few hours.
Deep Dive

Why Dedicated Beats Shared

Shared VPNs are fundamentally broken by design. Understanding why makes it clear why dedicated infrastructure is the only real answer.

The shared VPN problem: When you connect to a typical VPN provider, you're sharing a server and IP address with hundreds or thousands of other users — strangers whose behavior you have zero control over. Their activity becomes your reputation.

1

Shared IPs get flagged and blocked

When one user on a shared VPN server abuses a service — sends spam, commits fraud, violates terms of service — the IP address gets flagged. Every other user on that IP then gets blocked, CAPTCHAs, or denied access. With NorexVPN your IP is yours alone. Your behavior is the only thing affecting your reputation.

2

Shared bandwidth means throttled speeds

Shared VPN servers split bandwidth among hundreds of simultaneous connections. Peak hours mean congestion, slowdowns, and inconsistent speeds. Your NorexVPN server has dedicated bandwidth — no one else is using it, no one else can slow it down.

3

Shared IPs are more likely to be flagged and blocked

Many websites and services maintain blocklists of known VPN IP ranges. Shared VPN IPs end up on these lists quickly because thousands of users hit the same services simultaneously — an easy pattern to detect. A dedicated IP used only by you is associated only with your own behavior, not thousands of strangers.

4

You can't trust who you're sharing with

On a shared VPN, you have no idea what other users are doing with the same IP address. Illegal activity, torrenting, abuse — if it happens on your shared IP, you're associated with it in logs kept by websites and services you visit. Dedicated means the IP history is only yours.

IssueShared VPNNorexVPN (Dedicated)
IP reputationShared with strangersYours alone
IP reputationTainted by other users' activityOnly your behavior affects your IP
SpeedsShared bandwidth, variableDedicated, consistent
IP blacklistingHigh risk from other usersOnly your behavior matters
CAPTCHA frequencyConstantRare — looks like normal traffic
Privacy from other VPN usersNoneComplete isolation
Encryption & Protocols

Encryption Explained

NorexVPN uses WireGuard, which employs a carefully selected suite of modern cryptographic primitives — each chosen for both security and performance.

ChaCha20 Encryption

Your traffic is encrypted using ChaCha20, a 256-bit stream cipher designed by Daniel J. Bernstein. It's faster than AES on devices without hardware acceleration and equally secure. Used by Google, TLS 1.3, and modern TLS stacks worldwide.

Poly1305 Authentication

Paired with ChaCha20, Poly1305 provides message authentication — ensuring every packet you receive is exactly what was sent, with no tampering in transit. This prevents man-in-the-middle attacks at the packet level.

Curve25519 Key Exchange

WireGuard uses Curve25519 (X25519) for Elliptic Curve Diffie-Hellman key exchange. This establishes a shared secret between your device and server without ever transmitting the secret itself — even if all traffic is captured, the key exchange cannot be reversed.

BLAKE2 Hashing

BLAKE2 is used for cryptographic hashing within the WireGuard handshake. It's faster than SHA-3 and SHA-2 while providing equivalent security — critical for maintaining low-latency connections on mobile devices.

SipHash-2-4

Used for hashtable operations inside WireGuard to prevent hash-flooding denial-of-service attacks. Keeps your connection resistant to certain classes of network-level abuse.

Perfect Forward Secrecy

WireGuard performs a new Diffie-Hellman handshake regularly, generating fresh session keys. This means even if a key is somehow compromised in the future, past sessions cannot be decrypted. Your historical traffic is always protected.

Why this matters: Older VPN protocols like OpenVPN can use outdated cipher suites (3DES, RC4) if misconfigured. WireGuard's cryptography is fixed and modern — there are no legacy modes to accidentally fall back to, and no configuration mistakes that can weaken your encryption.

The WireGuard Handshake

Every time your device connects, WireGuard performs a cryptographic handshake in under 100 milliseconds:

1

Initiation

Your device sends an encrypted handshake initiation message to the server using the server's known public key and an ephemeral Curve25519 key generated for this session.

2

Response

The server verifies your identity against your device's pre-configured public key, then sends an encrypted response using its own ephemeral key.

3

Session keys derived

Both sides independently derive identical symmetric session keys from the Diffie-Hellman exchange. These keys are used for all subsequent traffic encryption and are never transmitted.

4

Tunnel active

All traffic is now encrypted with ChaCha20-Poly1305. Keys are rotated every few minutes automatically — this is Perfect Forward Secrecy in action.

IP Reputation

Clean IPs & IP Reputation

Your IP address has a reputation score maintained by websites, threat intelligence services, and ad networks. A clean dedicated IP is one of the most practically valuable things a VPN can give you.

Never Blacklisted

Your IP starts fresh and only accumulates the reputation you build. Shared VPN IPs arrive pre-poisoned from years of abuse by thousands of prior users.

Payment Sites Work

Banks, PayPal, and payment processors flag or block transactions from known VPN IP ranges. A dedicated IP that's never been flagged looks like a normal user — transactions go through without friction.

Fewer CAPTCHAs

Google, Cloudflare, and most websites serve endless CAPTCHAs to shared VPN IPs. With a clean dedicated IP you look like a regular user — no challenge boxes, no "verify you're human" loops.

Consistent Identity

Because your IP never changes, websites that track you by IP (for "remember this device" or trusted login features) will consistently recognise your connection — no re-authentication loops.

Privacy & No-Logs

Privacy Policy & No-Logs Commitment

Your privacy is the entire point of NorexVPN. Here's exactly what we do and don't log — in plain English.

Data TypeDo We Log It?Details
Browsing history / URLs visitedNeverWireGuard does not log traffic by design
DNS queriesNeverDNS is resolved by your server, not logged
Traffic contentsNeverAll traffic is encrypted end-to-end
IP addresses you connect toNeverDestination IPs are not recorded
Timestamps of connectionsMinimalServer uptime metrics only, not per-session
Account emailYesRequired for account management and billing
Payment informationVia StripeStored by Stripe, never on our servers

What this means for you: Even if we were compelled by a legal process to hand over data, there is no browsing history, no connection logs, no DNS query history to provide. The data simply doesn't exist on our systems.

Your Server, Your Data

Because your server is dedicated to you, there's no commingling of traffic with other users. There's no shared log file where your sessions sit next to someone else's.

No Third-Party Tracking

We don't sell your data, share it with advertisers, or use third-party analytics that profile your usage. Our business model is subscriptions — not data.

Minimal Account Data

We only collect what's necessary to run your service: your email address and subscription status. No phone numbers, no real name required, no address.

Speed & Performance

Speed & Performance

NorexVPN is engineered for maximum speed at every layer — from the VPN protocol to the underlying server hardware.

Sub-millisecond Overhead

WireGuard runs in the Linux kernel, not userspace. This means encryption and decryption happen at the OS level with minimal latency — typically adding less than 1ms compared to an unencrypted connection.

Dedicated Resources

Your server's CPU, RAM, and network bandwidth are allocated exclusively to you. No noisy neighbours, no resource contention during peak hours — performance is predictable and consistent.

Fast Reconnection

WireGuard reconnects in milliseconds when switching networks — from WiFi to cellular, or waking from sleep. No dropped connections, no re-authentication delays.

Low Latency Regions

Choose a server region close to your physical location to minimise round-trip time. The closer your server, the lower your ping — important for gaming, video calls, and real-time applications.

Speed tip: For best performance, choose a server region geographically close to you.

Protocol Comparison

WireGuard vs Other VPN Protocols

Not all VPN protocols are equal. Here's how WireGuard stacks up against the alternatives used by other providers.

FeatureWireGuardOpenVPNIPSec/IKEv2L2TP
Codebase size~4,000 lines~600,000 lines~400,000 lines~100,000 lines
SpeedFastestModerateFastSlow
Handshake time<100ms1–3 seconds~200ms1–2 seconds
Kernel-levelYesNo (userspace)YesNo
Modern cryptographyFixed, modernConfigurable (risky)VariableWeak (3DES)
Mobile battery impactVery lowHighMediumHigh
Audited codebaseYesYesPartialNo
Perfect Forward SecrecyYes (built-in)Yes (if configured)YesNo

Why codebase size matters: Smaller code means a smaller attack surface. OpenVPN at 600,000 lines has dramatically more potential for undiscovered vulnerabilities than WireGuard at ~4,000 lines. Security researchers can audit WireGuard's entire codebase in a fraction of the time — and have.

Threat Model

What NorexVPN Protects You From

A VPN is a powerful tool but not a magic shield. Understanding exactly what threats it addresses helps you use it effectively.

✓ What NorexVPN protects against

ISP monitoring & tracking

Your Internet Service Provider can see every website you visit without a VPN. With NorexVPN, all your traffic is encrypted before it leaves your device — your ISP sees only encrypted data going to your VPN server, nothing more.

Public WiFi attacks

On public networks (airports, cafés, hotels) attackers can intercept unencrypted traffic. NorexVPN wraps everything in strong encryption before it hits the local network — sniffers see nothing useful.

IP-based tracking & geolocation

Websites, advertisers, and analytics platforms track you by IP address. NorexVPN replaces your real IP with your dedicated server IP, masking your physical location and preventing IP-based tracking.

Geographic content restrictions

Content that's unavailable in your physical location becomes accessible through your server's region. Your connection appears to originate from your server's country.

Connections to known malicious domains

NorexVPN blocks DNS requests to known malicious domains at the network level. If a malicious link or malware tries to connect to a known bad domain, the request is blocked before it resolves — protecting every device on your connection automatically.

✗ What NorexVPN does not protect against

Unknown or zero-day malware

Domain-level blocking only covers known malicious domains from maintained blocklists. New, unknown, or sophisticated threats that use unlisted domains can still get through. Use a reputable antivirus for full endpoint protection.

Browser fingerprinting

Websites can identify you via your browser's unique combination of fonts, plugins, screen resolution, and other attributes — regardless of your IP. Use a privacy-focused browser for additional protection.

Logged-in account tracking

If you're logged into Google, Facebook, or any other service, that service can track your activity regardless of your IP address. A VPN doesn't anonymise authenticated sessions.

Infrastructure

Our Infrastructure

Every NorexVPN server is provisioned on enterprise-grade cloud infrastructure with security hardening applied automatically at deployment.

Dedicated Cloud Servers

Each customer receives their own virtual private server — not a container or a shared instance. Isolated at the hypervisor level with dedicated vCPUs and RAM.

Hardened at Provision

After provisioning, SSH is disabled, unnecessary ports are closed, and the management interface switches to HTTPS with certificate pinning. Attack surface is minimised by default.

24/7 Uptime Monitoring

Server health is continuously monitored. If your server becomes unreachable, our system detects it automatically and alerts you. Check live status in your dashboard at any time.

Automatic Updates

Security patches are applied to your server's base system automatically. WireGuard and system packages are kept current without any action required on your part.

Instant Deprovisioning

When you cancel, your server is fully deprovisioned and all data wiped. There's no lingering server sitting around with your configurations on it.

Global Regions

Servers are available in multiple regions worldwide. Choose the region closest to you for lowest latency, or choose a specific country to access regional content.

Ubuntu + WireGuard: Every NorexVPN server runs Ubuntu Linux with WireGuard installed at the kernel level. Ubuntu's LTS releases provide 5 years of security support, and WireGuard is maintained directly in the Linux kernel — your server benefits from the security work of thousands of contributors worldwide.

MTU & Packet Size

Understanding MTU

MTU is one of the most overlooked VPN settings — and one of the most impactful. Getting it wrong causes slow speeds, broken websites, and intermittent connection drops. Here's what it is and how to set it correctly.

What is MTU?

MTU stands for Maximum Transmission Unit — the largest packet of data that can be sent across a network in one piece. Think of it like the size of a box that can be shipped: if your box is too big for the conveyor belt, it gets cut in half (fragmented), which wastes time and causes problems.

Standard Ethernet has a default MTU of 1500 bytes. WireGuard adds its own overhead to each packet — specifically 60 bytes for IPv4 tunnels and 80 bytes for IPv6 tunnels. This means if you try to send a 1500-byte packet through a WireGuard tunnel, the resulting packet is 1560 bytes — too large for most networks, so it gets fragmented.

Why 1420? NorexVPN sets MTU = 1420 by default. This is 1500 (standard Ethernet) minus 80 bytes of WireGuard overhead — leaving safe headroom so packets always fit through without fragmentation. 1420 is the widely accepted safe default for WireGuard on most connections.

What happens when MTU is wrong

MTU too high

Packets get fragmented. Large downloads work but HTTPS connections may hang or time out, some websites won't load, and video streaming stutters. The tunnel appears to work for small requests but fails for large ones.

MTU too low

Packets are split more than necessary. The tunnel works correctly but throughput is reduced because each packet carries less data per trip. You'll see lower speeds than your connection should deliver.

MTU correct (1420)

Packets flow through cleanly without fragmentation. Full throughput, no hanging connections, no broken HTTPS. This is the target.

MTU on phones and desktops

On phones and computers, the WireGuard app reads the MTU = 1420 value from your config file and applies it automatically. You don't need to do anything — it just works.

MTU on routers — this is where it matters most

Routers are different. When WireGuard runs on a router, every device on your network sends packets through the tunnel — but those devices don't know the tunnel exists and send standard 1500-byte packets. The router needs to handle the MTU reduction itself. There are two ways it does this:

MSS

MSS Clamping (recommended — automatic)

Most router firmware (GL.iNet, OpenWrt, DD-WRT, pfSense) automatically applies MSS clamping when WireGuard is configured correctly. MSS (Maximum Segment Size) clamping tells devices on your network to send smaller TCP packets without them needing to know about the VPN. This is the cleanest solution and requires no extra configuration on your part if your router handles it.

2

Manual MTU setting on the router

Some routers require you to set the WireGuard tunnel MTU manually. Always set the WireGuard interface MTU to 1420 in your router's WireGuard settings. Additionally, if your router has a separate "WAN MTU" or "Internet MTU" setting, set that to 1420 as well to ensure device-level packets are sized correctly before they hit the tunnel.

Special cases — PPPoE and some ISPs

If your ISP uses PPPoE (common with some DSL and fiber connections), your base MTU may already be lower than 1500 — typically 1492. In this case, you should lower your WireGuard MTU further to account for both the PPPoE overhead and the WireGuard overhead:

# PPPoE connection (MTU 1492): # 1492 - 80 bytes WireGuard overhead = 1412 MTU = 1412

Not sure if you have PPPoE? Check your router's WAN settings page — it will list the connection type. If you see speeds that are significantly below what your ISP advertises when using the VPN, this is the first thing to check.

How to find your optimal MTU

If you suspect MTU issues, you can find the exact right value using ping with the "don't fragment" flag:

# On Linux / macOS — find the largest packet that doesn't fragment ping -M do -s 1392 your.vpn.server.ip # On Windows ping -f -l 1392 your.vpn.server.ip

Start at 1392 and increase by 10 until you get "Message too long" or fragmentation — the last value that worked, plus 28 bytes (IP + ICMP headers), is your path MTU. Set your WireGuard MTU 80 bytes below that value.

Rule of thumb: If everything works — leave it at 1420. Only adjust MTU if you're seeing broken HTTPS connections, websites that partially load, or speeds significantly below what your ISP delivers. For 95% of users on standard cable or fiber connections, 1420 is correct and requires no adjustment.

Learn More

Dedicated VPN vs Shared VPN — What's the Difference?

Most VPN providers put hundreds or thousands of users on the same server and the same IP address. NorexVPN gives you your own private server that nobody else touches.

How shared VPNs work

With a shared VPN, you connect to a server alongside hundreds or thousands of other users. You all share the same IP address. If even one person on that server does something that gets the IP flagged — spam, abuse, scraping — everyone on it suffers. Websites block the IP, CAPTCHAs appear constantly, and services like Google, banking apps, and streaming platforms start treating you as suspicious.

You also have no idea who else is on your server or what they're doing with the shared bandwidth.

How NorexVPN works

NorexVPN provisions a dedicated cloud server exclusively for you. Your IP address has never been used by anyone else. No shared bandwidth, no shared reputation, no strangers on your connection. The server is yours — deployed on demand and deprovisioned when you cancel.

Shared VPN (NordVPN, ExpressVPN, etc.) NorexVPN (Dedicated)
Your own IP address✗ Shared with thousands✓ Yours only
Server shared with strangers✓ Yes✗ Never
IP reputationOften flagged/blockedClean, unused IP
BandwidthShared poolDedicated to you
Who controls your serverThe VPN providerYou (via dashboard)
Proof it's privateYou have to trust themYou can verify directly

Bottom line: A dedicated VPN is more expensive than a shared one — but you get what you pay for. A clean IP, a private server, and a connection that's actually yours. If privacy matters to you, shared isn't really private.

Use Cases

NorexVPN for Remote Work & Business

Working remotely means your traffic travels over networks you don't control — coffee shops, airports, home ISPs. NorexVPN encrypts everything between your device and your dedicated server, keeping your work traffic private.

Why remote workers use NorexVPN

When you connect to public WiFi, your traffic is visible to anyone on that network. Unencrypted HTTP traffic can be read directly. Even HTTPS traffic reveals which sites you're visiting. A VPN wraps all your traffic in encryption before it leaves your device — the coffee shop WiFi, your ISP, and anyone monitoring the network sees only encrypted noise.

WireGuard — built for modern remote work

WireGuard was designed with mobile and roaming users in mind. Unlike older VPN protocols that drop and reconnect when you switch networks (WiFi to cellular, for example), WireGuard maintains your tunnel seamlessly. Switch from your home WiFi to your phone's hotspot — your VPN stays connected without interruption.

Router-level protection for your home office

Running NorexVPN on your router protects every device in your home office without installing anything on each one. Your laptop, phone, tablet, and any smart devices all route through your dedicated VPN automatically. See the Router Setup guide for instructions.

For freelancers and small teams: NorexVPN's Pro plan supports up to 16 devices on a single dedicated server. One subscription covers your whole team's devices with a shared private IP — useful for whitelisting access to internal tools or APIs.

FAQ

Frequently Asked Questions

Common questions about NorexVPN, dedicated VPNs, WireGuard, and privacy.

A dedicated VPN gives you your own private server exclusively — not a shared server with other users. Your IP address is yours alone, your bandwidth is yours alone, and nobody else's traffic goes through your server. NorexVPN provisions a real cloud server for each customer.
Yes. WireGuard uses state-of-the-art cryptography — ChaCha20 for encryption, Poly1305 for authentication, Curve25519 for key exchange, and BLAKE2s for hashing. Its codebase is around 4,000 lines compared to OpenVPN's 100,000+, making it far easier to audit and less likely to contain vulnerabilities. It's been independently audited and is now built into the Linux kernel.
NordVPN is a shared VPN provider — thousands of users share the same servers and IP addresses. NorexVPN gives you a dedicated private server that only you use. With NorexVPN your IP is clean and has never been used by anyone else, you're not sharing bandwidth with strangers, and you have full control over your server through your dashboard.
No. NorexVPN does not log your browsing activity, DNS queries, connection timestamps, or IP addresses. We store only what is necessary to operate your account — your email address and billing information. See our full Privacy Policy for details.
Basic plan supports up to 8 devices. Pro plan supports up to 16 devices. Each device gets its own WireGuard config and can connect simultaneously. You can add and remove devices any time from your dashboard.
Choose the region closest to your physical location for the best speeds. If you need your traffic to appear from a specific country — for accessing region-restricted services or remote work — choose accordingly. You can see all available regions when deploying a new VPN from your dashboard.
NorexVPN includes built-in DNS-level ad and tracker blocking on every server. It works at the network level — meaning ads and trackers are blocked on every device connected to your VPN automatically, including apps and devices that don't support browser extensions. No configuration required.
Yes. Any router that supports WireGuard can connect to NorexVPN. This includes GL.iNet, OpenWrt, DD-WRT, Firewalla, and others. Running NorexVPN on your router protects every device on your network without installing anything on individual devices. See the Router Setup guide for step-by-step instructions.