Douglas Crawford

Douglas Crawford

March 6, 2017

In this Shellfire VPN review, I look at the “traditional” software-based VPN service offered by this German provider. Please see my Shellfire Box review for a look at the portable VPN router also offered by this company. As we shall see, this German VPN service does have things to recommend it, but is let down primarily by very poor connection speeds.

  • No logs (at all)
  • No IP leaks
  • Android and iOS apps
  • BBC iPlayer and US Netflix worked (on some servers)
  • Good encryption with perfect forward secrecy (PremiumPlus plan)
  • Only one connection at a time
  • Slow

Visit Shellfire »

Pricing and Plans

Shellfire VPN offers three pricing plans (not including the router, which I have reviewed separately). A free plan is available, but unsurprisingly is quite limited (as all such free plans are).

Shellfire VPN Review Pricing

  • Free users’ bandwidth is capped at 1 Mbps, and you are limited to servers in just two countries (Germany and the US). You must also wait 25 seconds for a nag screen to close each time you connect. Shellfire states that streaming is not available to free users, but I was able to stream even from US Netflix using a free account.
  • The Premium plan costs $4.00 per month, or $3.20 per month if paid annually. Premium users’ bandwidth is capped at 12 Mbps, and they have access to 20 servers
  • The PremiumPlus plan costs $9.00 per month, or $5.60 per month if paid annually. PremiumPlus users enjoy unlimited bandwidth, and servers in 31 countries. These include some more unusual options, such as Australia, Iceland (great for privacy) and South Africa. Do note, however, that full unlimited “PremiumPlus” bandwidth is only available on some servers.

In addition to the above benefits, VPN encryption improves with each upgrade in plan (more on this below). Disappointingly, all Shellfire users are limited to a single concurrent connection.

This review is for the PremiumPlus plan.


Shellfire VPN offers a fairly basic VPN service, with little in the way of additional features. By default, Shellfire uses the OpenVPN VPN protocol. Premium users can configure devices using PPTP, and PremiumPlus users can also use L2TP/IPSec.

Visit Shellfire »


Shellfire states that, “We don’t log any connection data.” But then again, it also states that, “You’re surfing absolutely securely and anonymously!” I really wish VPN providers would stop saying this.

Shellfire knows exactly who you are via your IP address, and could keep logs any time it chooses to. So you are not in any way anonymous when using the service.

Looking more closely at its privacy policy, Shellfire says that,

Connection and usage data (for example file transfers, connection times) are only collected if they are required as means of accounting. This is not the case for flat rate tariffs.”

Given that all its VPN plans use flat rate tariffs, it does seem that Shellfire is a genuine no logs service. Yay!

Shellfire is based in Germany, which has among the strongest privacy laws in the world. New surveillance and mandatory data retention laws, however, are chipping away at this. Many fear the situation will get worse. Please see here for more details.

As I understand things, though, the new mandatory data retention laws do not currently apply to VPN providers.

In addition to the above issue, the German intelligence service (BND) actively monitors German citizens, and cooperates closely with GCHQ and the NSA.

Germany is therefore usually regarded as not being an ideal location to base a privacy-focused VPN service. However, there is some debate over the issue thanks to the reputation of its privacy laws.

P2P is permitted by Shellfire, but on the Finland server only.


Shellfire uses shared IP addresses.

We use OpenVPN with AES-256-CBC as our cipher for Premium Plus, AES-192-CBC for Premium and AES-128-CBC for our Free accounts. We use 2048 bit RSA keys and certificates. DHE is used for forward secrecy.

OpenVPN Encryption
Control Auth
Forward Secrecy
Logs & Legal
Handshake is unspecified in the .ovpn config files, so I will assume that it is the standard HMAC SHA-1, which is absolutely fine.

These encryption settings are nothing to get very excited about. PremiumPlus encryption matches our minimum recommendation for a “secure” VPN connection, which should be resistant against any known form of attack for the foreseeable future.

And the encryption used for other plans should be plenty good enough for most purposes.

For more information on this subject, please see here.

The Website

I have seen prettier website themes, but Shellfire’s gets the job done. There is not a great amount of information on the website, however. The English-language version (the site is also available in German and French) is clearly not written by a native speaker, but is nevertheless easy enough to understand.


Other than various manual setup guides, support mainly relies on you contacting Shellfire. This can be done via web form, email, Facebook, or Twitter. A forum is available where you can ask questions, but at present, almost all the content is in German.

Shellfire responded to my questions fairly quickly (within a few hours), and its answers were knowledgeable and helpful.

The Process

Signing Up

Shellfire Free only asks for a valid email address. This requires verification, but a disposable email address should work fine. When signing up for a Premium or PremiumPlus plan, however, a great many personal details are asked for.

It is possible, however, to pay via bitcoins for increased privacy (always remembering that Shellfire will know your real IP address, regardless).

The Shellfire Windows VPN Client

shellfire windows 1

I have seen prettier software.


You can choose between UDP and TCP, but  you cannot specify a location from within a country on this list…

shellfire server map

…but you can by zooming in on this server map. This map would also look quite impressive if it wasn’t for the fact that my location is, in fact, in the UK.

An important thing to note is that only a limited number of servers offer unlimited “PremiumPlus” speeds.

shellfire streams

This is simply a list of links to US streaming services.

The Windows client is very short on features, but it gets the job done. And, as we see below, it does not leak your IP address.

Performance (Speed, DNS, WebRTC, and IPv6 Tests)

All tests were performed using my Virgin UK 50 Mbps/3 Mbps fiber connection. The US and Netherlands tests used PremiumPlus servers.

The UK tests were performed on a “Premium” server rated at 10 Mbps max speed. As we see below, the results I obtained greatly exceeded this speed. Rather worryingly, though, I also tested the UK “unlimited PremiumPlus” server, and found it considerably slower than the “Premium” server tested here. Make of that what you will.

shellfire downshellfire up

The graphs show the highest, lowest and average speeds for each server and location. See our full speed test explanation for more detail.

I think it fair to describe these results as disappointing.

ip leak results

Shellfire performed much better when it came to IP leaks. I detected none. Unfortunately, my ISP (Virgin Media) does not support IPv6 connections, so I was unable to test for IPv6 leaks.

Those DNS servers are run by Google. However, this is not the privacy nightmare it might at first seem, as all requests are proxied by Shellfire so Google does not know who made the DNS request.

I found that US Netflix was blocked on some servers, but did work on others (for example the New York server). I was also able to use BBC iPlayer. Despite its limitations in other areas, this makes Shellfire a good option for anyone who wants to stream content from these services.

Other Platforms

Shellfire offers dedicated apps for Windows, Mac OS X, Android, and iOS. Various manual OpenVPN, PPTP and IPSec setup guides are available for these platforms, plus Ubuntu (OpenVPN). Of course, the settings outlined in these guides can also be used to configure any other device compatible with these protocols.

The Android App

The Android app wants permission to access your Google Account identity and photos/media/files. I guess your Google ID is needed for in-app purchases, but can think of no reason why the app needs access to your files.

shellfire android 1

The Android app certainly looks prettier than the desktop client!

shellfire android 2

There are no features as such to speak of, but the app works and I did not detect any IP leaks, which is great.

Shellfire VPN Review: Conclusion

I liked:

  • No logs (at all)
  • No IP leaks
  • Android and iOS apps
  • BBC iPlayer and US Netflix worked (on some servers)
  • Good encryption with perfect forward secrecy (PremiumPlus plan)
  • P2P: yes (Finland server only)

I wasn’t so sure about:

  • Germany is probably not an ideal location
  • P2P: ?

I hated:

  • Only one connection at a time, even for PremiumPlus users
  • Slow (even on “unlimited” PremiumPlus servers)

Shellfire’s VPN service offers almost no bells and whistles. But it keeps no logs at all, uses decent encryption, and I detected no IP leaks at any time while using it. These are not things to be sniffed at.

The fact that I was able to stream US Netflix using even the free plan makes this provider worthy of consideration by those struggling to find a VPN service that isn’t blocked. Only one concurrent device is surprisingly miserly, however (many rivals allow five or more!), and those speed results are very off-putting.

Visit Shellfire »