I Built a VPN to Compete with NordVPN. Here's What I Learned.


I was terrified to share this project.

Not because of the code. Code is the easy part. I was afraid of the obvious reaction: “A VPN? In 2026? Competing with NordVPN and ExpressVPN? Good luck with that.”

And yes, that reaction is valid if you frame it as a price war against companies with millions in marketing budgets. But NautilusVPN wasn’t born for that.

It was born to answer a more interesting question: what are the giants ignoring?

The Mistake Everyone Makes When Analyzing the VPN Market

When people look at the VPN market they see NordVPN, ExpressVPN, Surfshark. They see massive advertising budgets, millions of users, global infrastructure. And they conclude there’s no room.

But that’s looking at the market from the top down. If you look from the bottom up, from where real users actually are, you see something different:

→ The big players are generic. They serve everyone, so they’re perfect for no one.
→ Their onboarding flows are a mess. Download apps, create accounts, configure manually…
→ Their analytics track everything. A VPN that spies on you with Google Analytics has a brand coherence problem.
→ Their affiliate programs are rigid. Fixed price for everyone regardless of where they come from.

That’s the niche. Not in the product itself, but in the experience and in consistency.

What I Actually Built: The Tech Stack

NautilusVPN is a complete SaaS built on Next.js 15 with App Router and Turbopack, TypeScript 5.7.2, Supabase as a unified backend (database + file storage), Stripe for payments, and Resend for transactional emails.

The complete flow is:

[Code block not rendered in the source page.]

No friction. No “download the app, create your account, go to settings, import manually…”. The config file arrives directly in your inbox.

Why I Chose Supabase for Everything

One key decision was using Supabase not just as a database but also for storing VPN configuration files. One service for both PostgreSQL + Storage significantly reduces operational complexity.

In production I discovered something nobody warns you about: Supabase puts connections in idle mode if there’s no activity. Real solution I had to implement:

[Code block not rendered in the source page.]

This commit (b9b29a8) was from October last year and saved me more than one headache in production.

The Design Decision I Like Most: The Affiliate System

Here’s one of the most interesting technical decisions in the project.

Instead of a fixed price for everyone, NautilusVPN detects the user’s origin through URL parameters. If you arrive through an affiliate link, you see a different price — with a significant discount — dynamically, without touching the backend.

[Code block not rendered in the source page.]

The displayed price and the Stripe checkout adapt on the client based on that hook. No database, no complex server-side logic. Lightweight and it works.

Why does this matter? Because it enables flexible partnerships without changing infrastructure each time. A content creator can have their own link with different terms in minutes.
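
The price-selection step above, as an added example that is not NautilusVPN's code: when a URL parameter picks the displayed price on the client, the endpoint that creates the Stripe checkout session should resolve the affiliate code itself against a server-side allowlist. The `ref` parameter name, the affiliate codes and the price IDs are constructed placeholders.

```typescript
// Added example: server-side mapping of an affiliate code to a Stripe Price ID.
// The "ref" parameter name, the codes and the price IDs are constructed placeholders.
type Plan = { priceId: string; label: string };
type Resolution = { plan: Plan; clientMismatch: boolean };

const DEFAULT_PLAN: Plan = { priceId: "price_PLACEHOLDER_standard", label: "standard" };

// Allowlist held on the server: the only prices an affiliate link can select.
const AFFILIATE_PLANS: Readonly<Record<string, Plan>> = {
  creator10: { priceId: "price_PLACEHOLDER_creator10", label: "creator-10" },
  partner25: { priceId: "price_PLACEHOLDER_partner25", label: "partner-25" },
};

const CODE_FORMAT = /^[a-z0-9]{3,32}$/;

// Read the first "ref" value from a raw query string; reject anything off-format.
function readAffiliateCode(query: string): string | null {
  for (const pair of query.replace(/^\?/, "").split("&")) {
    const eq = pair.indexOf("=");
    if (eq < 0 || pair.slice(0, eq) !== "ref") continue;
    try {
      const code = decodeURIComponent(pair.slice(eq + 1)).trim().toLowerCase();
      return CODE_FORMAT.test(code) ? code : null;
    } catch {
      return null; // malformed percent-encoding
    }
  }
  return null;
}

// Called by the checkout handler before creating the Stripe session.
// A priceId sent by the browser is never used, only compared so a mismatch can be logged.
function resolvePlan(query: string, clientPriceId?: string): Resolution {
  const code = readAffiliateCode(query);
  let plan = DEFAULT_PLAN;
  // hasOwnProperty keeps inherited keys such as "constructor" from matching.
  if (code !== null && Object.prototype.hasOwnProperty.call(AFFILIATE_PLANS, code)) {
    plan = AFFILIATE_PLANS[code] ?? DEFAULT_PLAN;
  }
  const clientMismatch = clientPriceId !== undefined && clientPriceId !== plan.priceId;
  return { plan, clientMismatch };
}
```

The handler passes `plan.priceId` to Stripe and logs requests where `clientMismatch` is true.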

Coherent Privacy: Why I Don’t Use Google Analytics

This detail seems minor. It isn’t.

A VPN whose landing page loads Google Analytics is contradictory in its message. It’s like a doctor smoking in the consultation room.

In October last year I added Vercel Analytics (8d6a447). First-party analytics, no third-party cookies, no browsing data going to Mountain View. Perfectly aligned with the product’s privacy message.

It’s a small technical decision with a huge brand coherence impact.

Multi-Protocol Support: WireGuard + IKEv2

Another real differentiator versus many simpler solutions in the market.

NautilusVPN generates configurations for both protocols and for all platforms: iOS, macOS, Android, Windows, and Linux. For Apple devices, it additionally generates auto-configuration profiles that install with a single tap.

Combined with DNS-level ad blocking as a native service feature, the product offers more than a basic access VPN.

The Uncomfortable Moment: The CVE

In December last year CVE-2025-66478 was disclosed for Next.js. The first commit I made that day was updating to Next.js 15.5.7 (c14e977).

This is what maintaining a product in production means. It’s not glamorous. But if you have real users paying, a security vulnerability in a VPN — of all products — is not something you can choose to ignore.

The lesson: keeping dependencies updated is not technical debt, it’s minimum responsibility.

What Competing with Giants Actually Means

NautilusVPN is not going to take users from NordVPN this year. That’s not the goal.

The goal is finding the segment the giants serve poorly:

  • Spanish-speaking users who want support in Spanish
  • Technical professionals who want WireGuard with automatic configuration
  • Creators and affiliates who want flexible pricing terms
  • Anyone who wants a VPN whose company doesn’t track them with the same tracking they promise to avoid

The VPN market is not winner-takes-all. It’s a market with many segments and the big players only serve the center of the distribution well.

The edges are yours if you want them.

Next Steps in 2026

The project is alive. The newsletter with a free trial added in December last year (4cd5252) is the next experiment: acquiring users with low initial commitment and converting them to paid plans.

In 2026 the focus is on:

  1. Improving onboarding for non-technical users (config files are still intimidating for some)
  2. Iterating the affiliate program with real conversion metrics
  3. Spanish-language SEO to capture traffic from users looking for alternatives to the giants

The Real Takeaway

If you’re thinking about launching in a “saturated” market, stop. Saturation is relative to the customer you serve.

Don’t compete head-on. Compete in the niche the big players can’t serve well because they’re too big to do it.

NautilusVPN is not better than NordVPN for the generic user. But for its specific niche — Spanish-speaking, technical user, who values privacy coherence and wants frictionless setup — it can be exactly what they’re looking for.

That’s enough to build a business.

Are you building in a market that seems impossible? Tell me in the comments what niche you’ve identified.

Brian Mena


Software engineer building profitable digital products: SaaS, directories and AI agents. All from scratch, all in production.
