ExpressVPN doesn’t offer a NAT Firewall because there’s no need to


If a VPN provider offers a NAT Firewall, it’s a good indication they assign each user a unique IP address. As this is suboptimal for privacy, ExpressVPN has the opposite approach—multiple users share a single IP address, for internet anonymity and security.

Like a firewall, ExpressVPN blocks incoming requests to its IP addresses and never forwards them to users. A port-blocking policy is a core feature of a privacy product, and ExpressVPN doesn’t charge extra for it.

ExpressVPN doesn’t need a NAT firewall

A server where multiple users share the same public IP (like ExpressVPN’s network) acts as a firewall by default. Any additional products intended to shield the user from unwanted requests are unnecessary.

Services which assign a unique IP address to each user might choose to leave their ports open. An option to close the ports can be disguised as “protection against DDoS attacks” and sold as an extra service.

A router works as a firewall

A firewall is a device or software that prevents unwanted communications, either between two networks or between a computer and a network.

In a home network, a router often acts as the primary firewall and is set by default only to allow outgoing connections. It will usually allow devices inside of the network to talk to each other. But this is dangerous if you have an open Wi-Fi access point or a device in your network is infected.

Routers and Network Address Translation (NAT)

When you use a device to look up a website, it requests information from the router and identifies itself with a private IP address. The router will translate this request and forward it to the site’s servers, along with the router’s public IP address as a return slip.

A copy of the website is sent back to your router in response, which forwards the content to your device. This forwarding process is called Network Address Translation.

Your ISP assigns a router a single IP address. Each of your home devices (TV, phone, computer, Internet of Things) shares this address when facing the public. For the NAT process, the router then assigns a private IP address to each connected device, usually starting with 192.168 or 10.10.

Your home router, mobile phone company or VPN service will all undertake the NAT process. The purpose is to cope with a limited number of IPv4 addresses and protect devices inside a private network.

IPv4 uses addresses of only 32 bytes in length (4 x 8 byte)–about 4.3 billion–not enough addresses for every human on the planet, let alone the multiple devices people use. IPv6 solves this issue in theory, but as not all services support IPv6, the IPv4 network must be employed.

Proxies, VPNs, and NAT Firewalls

Proxy services, Firewalls, and VPNs also employ Network Address Translation.

A VPN will assign a private IP address to identify you, but nobody outside of the VPN can see it. On the web only the IP address assigned to you by the VPN provider is visible.

ExpressVPN adds extra security by assigning the same IP address to multiple users. A shared public IP makes it hard to identify individuals, which is an integral part of protecting users’ privacy.

ExpressVPN’s servers remember all requests and broadcast them from different ports on the server. The user receives a reply from ExpressVPN, but other ports remain closed. Keeping the ports closed protects users as a firewall would.
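The port-mapping behaviour described above can be modelled as a small translation table. This is an added example, not ExpressVPN's code: the class and function names, the addresses (documentation ranges) and the starting port are constructed, and it assumes the server only forwards a packet when it comes from the remote endpoint the user originally contacted.

```python
# Added example: minimal model of a shared-IP NAT table (not ExpressVPN code).
from dataclasses import dataclass, field
from typing import Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

@dataclass
class SharedIpNat:
    public_ip: str
    next_port: int = 40000                       # constructed starting port
    by_flow: dict = field(default_factory=dict)  # (client, remote) -> public port
    by_port: dict = field(default_factory=dict)  # public port -> (client, remote)

    def outbound(self, client: Endpoint, remote: Endpoint) -> Endpoint:
        """Client opens a connection: remember it and pick a public source port."""
        key = (client, remote)
        if key not in self.by_flow:
            self.by_flow[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.by_flow[key])

    def inbound(self, remote: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Packet arrives at the public IP: forward only replies to known flows."""
        entry = self.by_port.get(public_port)
        if entry is None:
            return None            # port has no mapping: closed, packet dropped
        client, expected_remote = entry
        if remote != expected_remote:
            return None            # unsolicited sender on a mapped port: dropped
        return client              # reply goes back to the private address

def demo():
    nat = SharedIpNat("203.0.113.10")            # constructed public address
    alice, bob = ("10.8.0.2", 51000), ("10.8.0.3", 51000)  # constructed users
    site = ("198.51.100.7", 443)                 # constructed website
    stranger = ("192.0.2.99", 12345)             # constructed unsolicited sender
    a_pub = nat.outbound(alice, site)
    b_pub = nat.outbound(bob, site)
    return {
        "same_public_ip": a_pub[0] == b_pub[0],
        "distinct_ports": a_pub[1] != b_pub[1],
        "reply_to_alice": nat.inbound(site, a_pub[1]),
        "reply_to_bob": nat.inbound(site, b_pub[1]),
        "unmapped_port": nat.inbound(stranger, 22),
        "mapped_port_wrong_sender": nat.inbound(stranger, a_pub[1]),
    }

if __name__ == "__main__":
    print(demo())
```

Both users appear to the website under the same public IP and differ only by source port, while any packet that does not match a remembered request has nowhere to go.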

Some VPN servers may assign a unique IP address to each user and leave ports open. Open ports are convenient when you are running services behind a VPN but do little for privacy. A passive observer, such as the ISP of the VPN service, could observe unencrypted traffic to deanonymize a user.

Stay safe and use a VPN

When connected to ExpressVPN you don’t need to worry about the firewall of your router. You can also configure your router with ExpressVPN to keep all your devices’ traffic hidden from your ISP with the included benefit of a firewall.

When choosing a private VPN provider, inquire about whether the service maintains logs. Shared IP addresses are also important as sharing is better for anonymity. Importantly, a good VPN will block incoming connections and won’t use unnecessary features.

Featured image: MyVector / depositphotos

Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.