This PandaPow Classic Review covers the traditional software-based VPN service offered by this Hong Kong-based provider. PandaPow also offers a portable VPN router that effectively comes free with a subscription for its service. Please see my PandaPow WiFi Review for more details.
As we shall see, the service by-and-large works well enough. But it is very bare-bones, support is terrible (and that’s a generous assessment), and I encountered DNS leaks.
Prices for PandaPow Classic start at $9 per month, dropping to $7 per month if an annual subscription is purchased. A seven-day money-back guarantee is available.
A PandaPow WiFi (router) and PandaPow Classic combo package is available for $149 per year (with three months extra for free).
PandaPow operates servers in 14 countries, all of which are available to Classic customers. These are located in France, Germany, the Netherlands, Italy, Sweden, India, Hong Kong, Japan, Singapore, Tokyo, Australia, Canada, the UK, and the US.
You can connect up to three devices simultaneously.
The PandaPow Classic desktop clients and apps use the OpenVPN VPN protocol. But PPTP, IPSec and L2TP/IPSec are also available for devices without app support (such as Windows mobile).
Logs & Legal
“In addition to any personal information you provide us, we may store the following pieces of data: IP address, times when connected to our service, the total amount of data transferred, and transfer speed information.”
On the plus side, the NSA and its ilk have no jurisdiction in Hong Kong. Regarding P2P and copyright, PandaPow has this to say:
“If we receive complaints regarding copyrighted materials such as music and movies being shared over our network, we may be forced to take some measures to prevent legal actions towards our service. Such measures include filtering traffic in order to determine what account is misusing our service, and to cancel that specific account.”
Despite telling me that PandaPow uses a proprietary SSL-based protocol, it does, in fact, use regular OpenVPN. Indeed, its Windows client is a custom build of the open source OpenVPN 2.3.11 client.
PandaPow claims its “proprietary” VPN protocol is “designed specifically to avoid detection and blocking that otherwise breaks standard VPN protocols.” When I asked for further details, I was told that,
“We don’t want to describe in detail what may be used against us, by those who want to block our VPN. Let’s just say our VPN service has been successful for years in places where many of our competitors are having problems getting blocked.”
My guess is that OpenVPN connections are simply routed over TCP Port 443. And even then, probably only when you specify during setup that your location is in China (see below).
The OpenVPN configuration and log files make it clear that the following encryption is used: Blowfish-128 cipher, RSA-2048 handshake, and HMAC SHA-1 hash authentication. In other words, baseline OpenVPN settings. Please see VPN Encryption Terms Explained for more details.
PandaPow says that perfect forward secrecy (PFS) is implemented. This would not be surprising, as PFS has been implemented in the latest official OpenVPN 2.4.0 update. But the PandaPow Windows software client is based on OpenVPN 2.3.11, and no Diffie-Hellman or ECDH keys are specified in the config files. This suggests that PFS is, in fact, not used.
This configuration should be fine for more casual use. But it falls below our minimum recommendation for a “secure” VPN connection that should be resistant against any known form of attack for the foreseeable future. PandaPow tells me that,
“We are in process of adding options for even stronger encryption, e.g. AES-256.”
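The kind of check described above, reading the cipher, auth and remote settings out of an OpenVPN client config, as an added example (not PandaPow's or this review's own code). The sample config, host name and finding codes are constructed; directives missing from a config fall back to the OpenVPN 2.3 defaults (BF-CBC, SHA1, UDP port 1194).

```python
# Added example: audit an OpenVPN client config for the settings discussed above.
# Values OpenVPN 2.3.x uses when a directive is absent from the config.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1", "proto": "udp", "port": "1194"}
# 64-bit block ciphers (OpenSSL names as used by OpenVPN's `cipher` directive).
BLOCK64 = {"BF-CBC", "CAST5-CBC", "DES-CBC", "DES-EDE3-CBC"}

# Constructed sample config; host name and certificate body are placeholders.
SAMPLE = """\
client
dev tun
proto tcp
remote vpn.example.net 443
cipher BF-CBC
auth SHA1
<ca>
-----BEGIN CERTIFICATE-----
constructed-placeholder
-----END CERTIFICATE-----
</ca>
"""

def parse_ovpn(text):
    """Map each directive to its list of argument lists, skipping inline <tag> blocks."""
    directives, block = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if block:                       # inside <ca>...</ca> etc.: ignore until closed
            if line == f"</{block}>":
                block = None
        elif line.startswith("<") and line.endswith(">") and line[1] != "/":
            block = line[1:-1]
        elif line and line[0] not in "#;":
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives

def audit(text):
    """Return the effective cipher/auth/remotes and a list of finding codes."""
    d = parse_ovpn(text)
    def last(name):
        args = d.get(name, [[]])[-1]
        return args[0] if args else DEFAULTS[name]
    cipher, auth, proto = last("cipher").upper(), last("auth").upper(), last("proto").lower()
    remotes = [(a[0], int(a[1] if len(a) > 1 else last("port")),
                a[2].lower() if len(a) > 2 else proto) for a in d.get("remote", []) if a]
    findings = []
    if cipher in BLOCK64:
        findings.append("cipher-64bit-block")
    if auth == "SHA1":
        findings.append("auth-sha1")
    return {"cipher": cipher, "auth": auth, "remotes": remotes, "findings": findings}
```

A config that omits `cipher` and `auth` entirely is reported the same way as one that sets them to BF-CBC and SHA1, because those are the values the 2.3 client would use.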
The PandaPow website lacks visual polish, but is easy enough to navigate. An FAQ is available, but this is very much aimed at VPN newbies. A blog keeps readers updated with the latest developments at PandaPow.
Support is by ticketed email or live chat. It might be because my time zone in the UK is very different to that of Hong Kong, but live chat was never available when I visited the website. Phone support is available during Hong Kong business hours (GMT+8). Regular international call charges apply.
I sent some questions by email, and received only a partial response two days later. When I asked for clarification and additional details, PandaPow took a full two weeks to respond. Now, I know this all happened over the holiday period, but I was still rather surprised by this very long delay. Especially as the company was aware that I was reviewing its product!
As discussed under encryption above, when I did receive answers, these were either partial, evasive, or factually incorrect. Whether this is due to ignorance or a deliberate attempt to deceive, I have no idea.
Signing Up for PandaPow Classic
Signing up is easy enough. Payment is via credit or debit card, PayPal, Alipay, UnionPay, or TenPay. Payments are auto-recurring until cancelled. It is also possible to pay using bitcoins (via Coinbase) for increased privacy.
The PandaPow Windows Client
As noted, this is a custom build of OpenVPN 2.3.11. It is worth noting that OpenVPN 2.4.0 has recently been released, which introduces a raft of important improvements.
When you first run the client, it asks if you are in China. Saying yes presumably activates whatever obfuscation method PandaPow employs.
The main client is a simple affair.
The only options available, really, are whether to use TCP or UDP.
The Windows client gets the job done, but is about as bare-bones as these things can get.
Internet Performance (Speed, DNS, WebRTC, and IPv6 Tests)
All tests were performed using my Virgin UK 50 Mbps/3 Mbps fiber connection.
The graphs show the highest, lowest and average speeds for each server and location. See our full speed test explanation for more detail.
The UK and US results were decent enough, if not up there with the likes of ExpressVPN. I was quite surprised, however, at how poor the Netherlands results were.
Most IPv4 DNS requests were fielded by proxied Google DNS servers. This is not the privacy nightmare it might at first seem, as all requests appear to come from PandaPow. Netherlands DNS resolution, however, is performed by US servers, which may scuttle geo-spoofing attempts.
Even worse, as we can see above, I encountered DNS leaks! This is not good.
Unfortunately, my ISP (Virgin Media) does not support IPv6 connections. So I was unable to test for IPv6 leaks.
OpenVPN has now fixed IP leakage via WebRTC, so it is no surprise to see no WebRTC leaks here. Please note that the local IP shown above under WRTC detection does not reveal your outfacing IP address, and so does not constitute an IP leak.
I found US Netflix blocked when connected to a US server, but BBC iPlayer worked when connected to a UK server.
PandaPow offers apps for Windows, MacOS/OS X, Android, and iOS. To the best of my knowledge, these all use OpenVPN (although this is very unusual for iOS apps). Instructions are also provided for configuring a number of other devices using PPTP and L2TP/IPSec.
I have no idea why the Android app wants access to my photos/media/files. It appears to work well, however. I should note, though, that comments on the Play Store complain about battery drain issues and unstable connections.
Remote port selection is a useful feature.
I detected no DNS or WebRTC leaks while using the Android app.
PandaPow Classic Review: Conclusion
Based in Hong Kong
BBC iPlayer works
Android and iOS apps
No usage logs, but…
I wasn’t so sure about:
Extensive connection logs
Only baseline OpenVPN encryption used
Speed results were generally ok, but those NL results are worrying
Shockingly bad support
DNS leaks detected
PandaPow Classic offers a decent “budget” level VPN service. Unfortunately, its pricing is more toward the premium end of the spectrum. Terrible support that took two weeks to answer, and then either didn’t know what it was talking about or actively lied to me, has not improved my feelings about this service.
I find the attempt to claim that PandaPow uses a proprietary VPN protocol particularly baffling. I would always recommend the open source OpenVPN protocol over an unknown and unaudited alternative! So PandaPow has managed to shoot itself not once, but twice, over this issue!
Throw in some highly variable performance results plus DNS leaks, and I find it very hard to recommend PandaPow on any level.