- 15 server locations
- 3 concurrent connections
- No usage logs
- BBC iPlayer support
- Android and iOS apps
- 7-day money back guarantee
Visit PandaPow »
Speed and Performance
All tests were performed using my Virgin UK 50 Mbps/3 Mbps fiber connection. To their UK servers I was averaging between 35 and 45Mbps, and to the US 20 to 35Mbps. My download speeds dropped considerably to the Netherlands, where I was hovering around 10Mbps during my tests.
The UK and US results were decent enough, if not up there with the likes of ExpressVPN. I was quite surprised, however, at how poor the Netherlands results were.
Most IPv4 DNS requests were fielded by proxied Google DNS servers. This is not the privacy nightmare it might at first seem, as all requests appear to come from PandPow. Netherlands DNS resolution, however, is performed by US servers, which may scuttle geo-spoofing attempts.
Even worse, I encountered DNS leaks! This is not good.
Unfortunately, my ISP (Virgin Media) does not support IPv6 connections. So I was unable to test for IPv6 leaks.
OpenVPN has now fixed IP leakage via WebRTC, so it is no surprise to see no WebRTC leaks here.
I found US Netflix blocked when connected to a US server, but BBC iPlayer worked when connected to a UK server.
Pricing and Plans
Prices for PandaPow Classic start at $9 per month, dropping to $7 per month if an annual subscription is purchased. A seven-day money-back guarantee is available.
A PandaPow WiFi (router) and PandaPow Classic combo package is available for $149 per year (with three months extra for free).
Privacy and Security
It does, however, keep various connection (metadata) logs:
“In addition to any personal information you provide us, we may store the following pieces of data: IP address, times when connected to our service, the total amount of data transferred, and transfer speed information.”
On the plus side, the NSA and its ilk have no jurisdiction in Hong Kong. Regarding P2P and copyright.
Despite telling me that PandaPow uses a proprietary SSL-based protocol, it does, in fact, use regular OpenVPN. Indeed, its Windows client is a custom build of the open source OpenVPN 2.3.11 client.
PandaPow claims its “proprietary” VPN protocol is “designed specifically to avoid detection and blocking that otherwise breaks standard VPN protocols.” When I asked for further details, I was told that,
“We don't want to describe in detail what may be used against us, by those who want to block our VPN. Let's just say our VPN service has been successful for years in places where many of our competitors are having problems getting blocked.”
My guess is that OpenVPN connections are simply routed over TCP Port 443. And even then, probably only when you specify during setup that your location is in China (see below).
The OpenVPN configuration and log files make it clear that the following encryption is used: Blowfish-128 cipher, RSA-2048 handshake, and HMAC SHA-1 hash authentication. In other words, baseline OpenVPN settings. Please see VPN Encryption Terms Explained for more details.
PandaPow says that perfect forward secrecy (PFS) is implemented. This would not be surprising, as PFS has been implemented in the latest official OpenVPN 2.4.0 update. But the PandaPow Windows software client is based on OpenVPN 2.3.11, and no Diffie-Hellman or ECDH keys are specified in the config files. This suggests that PFS is, in fact, not used.
This configuration should be fine for more casual use. But it falls below our minimum recommendation for a “secure” VPN connection that should be resistant against any known form of attack for the foreseeable future. PandaPow tells me that,
"We are in process of adding options for even stronger encryption, e.g. AES-256."
PandaPow Classic offers a decent “budget” level VPN service. Unfortunately, its pricing is more toward the premium end of the spectrum. Terrible support that took two weeks to answer, and then either didn’t know what it was talking about or actively lied to me, has not improved my feelings about this service.
I find the attempt to claim that PandaPow uses a proprietary VPN protocol particularly baffling. I would always recommend the open source OpenVPN protocol over an unknown and unaudited alternative! So PandaPow has managed to shoot itself not once, but twice, over this issue!
Throw in some highly variable performance results plus DNS leaks, and I find it very hard to recommend PandaPow on any level.
Visit PandaPow »