As a Linux user, you are probably techie enough to know what a VPN is and why you need one. So, in this article, we will look at VPN issues that uniquely affect Linux users.
The best VPNs for Linux at a glance
We have summarized our 5 favorite VPNs for Linux in the list below. If you would like more information or some other alternatives, click here.
[[post-object type=”best-buy-table” /]]
[[post-object type=”gotolink” class=”btn btn-md btn-primary” provider=”privateinternetaccess”]]Try PIA our #1 VPN pick for Linux users[[/post-object]]
Of the VPN issues that affect Linux users, the biggest of these is the relative lack of support for Linux by VPN services. This has a knock-on effect on the availability of VPN features that users on other platforms typically take for granted.
In this guide we have tried to focus on the most developed Linux VPN apps available, offering key features and a full GUI where possible.
The services we recommend in this guide are highly rated because they offer:
- A Linux GUI
- Key VPN Features
- The same privacy offered on other platforms
- Good VPN speeds
For more information on the services above, scroll to the next section.
8 Best Linux VPN clients: In-depth analysis
In the list below, we take a more in-depth look at look at why we recommend these VPNs for Linux users. Have a look through each description to see which Linux VPN will work best for your own particular needs.
[[post-object type=”reviewsc” title=”##”/]]
[[post-object type=”useful-articles” ids=”8914,7966,9131,8228″ title=”Useful Guides”/]]
Why use Linux?
Many people move over to Linux because they want to make use of the added security it offers. Most viruses are targeted at mainstream Operating Systems like Windows and macOS, which means that using Linux can make you much safer. Other people want to move away from Windows and Mac because of the privacy ramifications caused by the high levels of surveillance capitalism those companies are known to engage in.
Whether you opt for Ubuntu, Fedora, Kali, Mint, OpenSUSE, etc, you will gain vastly more control over your device, and the data that it controls. This is great news for your privacy because Apple and Microsoft were both previously found to be working alongside the NSA to snoop on users.
Even years after the Snowden Revelations first surfaced, plenty of credible evidence and rumors persist over the implementation of NSA backdoors in Windows and macOS/iOS devices.
Using Linux is a concerted move in the direction of privacy. However, even Linux can only do so much when it comes to data that must ass over the internet. Thus, using a VPN to encrypt your web traffic – to prevent it from being harvested by your ISP, local network administrators, and the government – is an absolute must.
It’s not just about this serious stuff, either! A Linux VPN lets you bypass geo-restrictions to gain more privacy online. It will let you watch more shows on US Netflix or BBC iPlayer from anywhere in the world, and with the right VPN you can torrent without anybody finding out.
Why should I use a VPN for Linux?
Most Linux users already know what a VPN is, and why it is an essential online tool, and the vast majority already have a service installed on their device. For anybody who has only just made the switch, however, here is a quick guide to explain what a VPN can do:
A Virtual Private Network creates an encrypted connection between your PC and a VPN server operated by the VPN provider. Most VPN providers run VPN servers in countries all over the world. As a result:
- A VPN prevents your ISP from tracking what you do online by acting as your personal proxy. When connected to the VPN, all your ISP can see is that you have connected to the VPN’s IP address- not what you do on the internet following that.
- Your ISP also won’t be able to see the contents of your data because it is encrypted between your PC and the VPN server.
- Given that every government mass surveillance project in the world relies on ISPs logging your data to know what you get up to online, what your ISP doesn’t know, neither will your government (unless it is actively investigating you as an individual, of course).
- The proxy works both ways, so websites you visit can’t see your real IP address. They only see the IP address of the VPN server you are connecting through. Note that websites also use other sneaky ways to follow you online, so a VPN should always be supplemented with anti-tracking browser add-ons.
- Like websites, P2P torrent peers also won’t be able to see your real IP address, allowing you to torrent away with peace of mind.
- VPNs are great for defeating censorship, be it on political, “moral,” or copyright grounds. Simply connect to a VPN server located in a region that doesn’t censor the internet!
- And because VPN servers are located all over the place, they are also very useful for unblocking BBC iPlayer and US Netflix (which has a much bigger catalog than is available to paying customers elsewhere).
- Using a VPN protects against WiFi hackers and unreliable WiFi hosts when using public WiFi hotspots, since all data between your PC and the VPN server is securely encrypted.
So if you use Linux, then we think you should also use a VPN!
How to use a VPN for Linux
Using a VPN on a Linux machine is often trickier than on Windows or Mac. VPN providers rarely have a custom VPN app with a Graphic User Interface, which means that you must set up the VPN connection manually.
Thankfully, in recent years things have started to change. Some premium VPNs have started rolling out GUI clients, and nearly all market-leading providers have fully illustrated guides for setting up the VPN manually.
As a result, it has become much easier to set up a VPN on Linux. However, it is important to remember that if you do opt for a VPN that does not have a GUI client, you may miss out on certain features by setting up a manual connection. We have listed those features below:
DNS leak protection
In theory, any VPN client will route all DNS requests through the VPN tunnel to be resolved either by the VPN provider itself or be proxied by the VPN provider to a public DNS service in order to hide their originator.
But for a variety of reasons, Linux can sometimes route DNS requests directly to the OS-default DNS services (usually your ISP), thus bypassing the VPN’s DNS resolution. VPN clients with DNS leak protection guard against this by using firewall rules to ensure no connections are possible outside the VPN tunnel (IPv6 connections are usually just disabled).
Manual VPN setup in Linux, whether using NetworkManager, the CLI OpenVPN client, StrongSwan, or whatever, provides no DNS leak protection. Fortunately, there are steps you can take to fix this issue, although they complicate the VPN setup process.
You can modify resolvconf to push DNS to your VPN’s DNS servers, or you can manually configure the iptables firewall to ensure all traffic (including DNS requests) cannot leave your Linux machine outside the VPN tunnel. An excellent guide to doing this is available from IVPN.
Most modern browsers support WebRTC, a communication protocol that allows seamless VoIP and video chat between users inside the browser window.
A feature of WebRTC is that it allows easy communication through firewalls, but this is a problem for VPN users as it allows any website to ask for your real IP address and WebRTC STUN servers will just give it to them! Thus bypassing the VPN.
Many custom VPN clients help mitigate against WebRTC leaks by tightening up VPN settings and using firewall rules, although this is never as secure as preventing WebRTC leaks at the browser level. Fortunately for manual Linux VPN users, disabling WebRTC in the browser is easy.
A kill-switch ensures that your IP address is not exposed in the event of a VPN dropout, during network switches, and suchlike. These days, most custom VPN clients use firewall rules to ensure no connection is possible when the VPN tunnel is inactive.
You won’t get this protection with a manual VPN setup method, however. As mentioned above, configuring iptables will also work as a kill-switch.
For more information on DNS leaks, WebRTC leaks, and kill-switches, please see A Complete Guide to IP Leak Protection.
Custom Linux CLI clients
An increasing number of VPN services now offer custom Linux command-line interface (CLI) clients. These are invariably wrappers to the open-source OpenVPN CLI client. As such, they don’t usually offer any advanced features, although ExpressVPN’s client does feature DNS leak protection.
They do, however, make life easier, as they come pre-configured to use that services’ VPN servers.
Custom Linux VPN GUI clients
To get the full functionality enjoyed by users of custom Windows and macOS clients, however, requires a full custom graphical user interface (GUI), Linux client. Only a few of which exist on the market at the time of writing this – those from Private Internet Access, AirVPN, Mullvad, and TorGuard.
The GUI VPN clients are effectively identical to their Windows and macOS counterparts and offer the same features. These include full DNS leak protection, WebRTC mitigation, kill-switches, and other bells and whistles unique to each provider.
On top of offering additional functionality, most people find that GUI clients are much easier to use thanks to the visual prompts they provide. You do, after all, need to be a seasoned Linux user to not flinch when faced with a blinking command prompt in Terminal!
Using a VPN for different Linux distros
Ubuntu is by far the most popular desktop version of Linux and is, therefore, widely regarded by both developers and as the “default” version of Linux. VPN services are no different, with most Linux VPN support out there heavily focused on Ubuntu users.
You’re no doubt used to this if you use a different version of Linux. If you’re a Debian, Mint, Kali, or any other Debian-based user, most Ubuntu guides (and DEB packages) should be useable on your distro of choice. Unfortunately, you’re often on your own if you use an entirely different version of Linux.
Custom Linux VPN clients
Linux is Linux, so any Linux VPN app can be re-compiled from its source code (usually in Tarball form) to work on any Linux platform.
Most VPN providers, however, also make their apps available as executable DEB files for Debian (Ubuntu/Mint/etc.) users and RPM files for Red Hat (Fedora, RHEL, CentOS/etc.) users. Some may even offer install packages in Snaps or Flatpack format.
However, it’s fair to say that installing and using a VPN client (whether GUI or CLI) works pretty much exactly the same as any other Linux app on your system.
Using NetworkManager as a Linux VPN GUI
Many Linux distros, including most Debian flavors, use NetworkManager as a GUI interface to manage their network connections. Even with distros that don’t (such as Raspbian), it is usually possible to manually install NetworkManager.
NetworkManager provides an easy-to-use graphical interface for managing your VPN connections. Out-of-the-box, it usually only supports the PPTP VPN protocol, but plugins are available for OpenVPN, L2TP/IPsec, and IKEv2 (using strongSwan). As already noted, however, it does not provide any DNS leak protection or a kill-switch.
It is worth noting that AirVPN recommends against using NetworkManager “due to multiple, critical problems.” We have not been able to ascertain what there are, though, and most VPNs are happy to provide setup guides using NetworkManager.
With this being Linux, it’s only natural that you can set up and run a VPN from the command line! The exact commands will depend on the specific distro you’re using, but apps like OpenVPN will work well in any Linux environment.
As we have discussed, you will also need to configure iptables to enjoy a truly secure VPN experience.
How to install a VPN on Linux
We now have a dedicated guide on how to install a VPN in Linux. It focuses primarily on Debian/Ubuntu, but in the future, we hope to expand it to include other branches of Linux as well.
Can I get a free VPN for Linux?
Unfortunately, very few VPNs offer a free service compatible with Linux. The good news is that two market-leading services have a limited free plan that is available to Linux users!
Both [[post-object type=”gotolink” provider=”protonvpn” tag=”freecpc”]]ProtonVPN[[/post-object]] and [[post-object type=”gotolink” provider=”windscribe” tag=”freecpc”]]Windscribe[[/post-object]] offer command-line OpenVPN Linux tools.
ProtonVPN provides guidance on installing its CLI Linux VPN tool on Ubuntu, Archlinux, Manjaro, Solus, and Fedora, while Winscribe not only supports Ubuntu, Debian, Fedora, and CentOS, but also different versions of its tool optimized for different versions of each distro.
For more information on free VPNs (and why you need to take care when picking one), please head over to our Free VPN guide.
Is WireGuard a good option for Linux users?
Ever since its inception, the VPN encryption protocol WireGuard has been receiving a lot of praise. The tunneling protocol was developed by Jason Donenfeld and it incorporates stealth and results in faster tunneling speeds, which makes it a win for users.
The good news is that many VPN providers are now offering WireGuard connections, which means that if you prefer to, you can use this protocol instead of something like OpenVPN or IKEv2. If you are particularly untrusting of custom VPNs apps for some reason, you can opt to use WireGuard to connect to the VPN’s servers as this will be done via the third party WireGuard client.
However, let it be noted that your data will still pass through the VPN’s servers so you must still rust the VPN to handle your data as is always the case when you use a VPN provider. For this reason, if you do care strongly about privacy, it is wise to stick to one of the zero-log VPNs recommended in this guide.
It is also worth noting that WireGuard is still extremely new, and it is not as proven as something like OpenVPN, which has been audited countless times. That said, the cryptographic primitives that make up the WireGuard protocol are well known and they are considered extremely robust.
Although plenty of VPNs offer some level of Linux compatibility, it is rare for them to offer the same level of service as you get on their Windows or macOS clients. If you want to get the most out of your VPN for Linux, then getting one with a custom GUI for your distro is the best place to start. Here’s a quick reminder of our top VPNs for Linux:
If you still have questions – don’t worry! We’ve put together a FAQ that covers the most common questions related to Linux VPN services.
[[post-object type=”accordion” question=”Is it difficult to install a VPN on Linux?” answer=”Installing and using a VPN on Linux can be more tricky than on other platforms. However, we have been careful to only recommend services that have either a GUI client or in-depth guides for setting up the VPN manually using the CLI. This means that you can confidently pick any of the VPNs in this guide because they can all be set up easily. What’s more, if you do have any issues you can contact the VPN’s live chat support and they will be able to help you to install and use the VPN on your Linux computer.” /]]
[[post-object type=”accordion” question=”Will a VPN slow down my connection speeds?” answer=”Yes. In order to provide its benefits and services, a VPN must encrypt your traffic and route it via the VPN server. This causes some latency, and, as a result, you will almost certainly experience some loss of speed. The good news is that all the Linux VPNs in this guide were selected because they have super-fast Tier-1 server networks that should only cause a minimal (unnoticeable) reduction to your regular internet speeds.” /]]
[[post-object type=”accordion” question=”Can I get a free Linux VPN client?” answer=”If you want a free service for Linux, check out our <a href=’/vpn/comparison/free-vpn-services’>free VPN</a> services for Linux guide. We hand-picked five of the best free VPNs. However, remember that none of them fully support Linux. We’d recommend that you sign-up for a free ProtonVPN account on a different platform and then configure OpenVPN on Linux to use it.
The Linux OpenVPN client is free, and it’s available as either a stand-alone command-line app or as a set of packages that integrate with NetworkMananger. A similar situation exists for PPTP, L2TP/IPsec, and IKEv2.
You might want to check out our <a href=’/vpn/guides/wireguard-hands-on-guide’>guide to WireGuard</a> following the news that native support for WireGuard is going to be built into future Linux kernels. Though WireGuard is a free software, you’ll still need to pay for a service unless you set up a private VPN on your own server).” /]]
[[post-object type=”accordion” question=”How to set up a VPN on Linux Mint or Kali?” answer=”Seeing as it’s a fork of Ubuntu, Linux Mint is almost identical to it under-the-hood – and as such, so are its setup instructions, whether via NetworkManager or Terminal. Ubuntu and Kali users can use this. Kali is based on Debian, as is Ubuntu (and by extension Mint), all Debian-based Linux distros basically share the same back-end. Check out our <a href=’/vpn/guides/install-vpn-linux’>How to set up a VPN on Linux guide</a> for detailed instructions of how to set up a VPN on either of these distros.” /]]
[[post-object type=”accordion” question=”How do I install and configure SoftEther VPN client for Linux?” answer=”The Linux <a href=’/open-source/guides/install-configure-softether-vpn-device’>SoftEther client</a> can be downloaded from the <a href=’https://www.softether-download.com/en.aspx?product=softether’>softether website</a>. They also have <a href=’https://www.softether.org/4-docs/1-manual/4._SoftEther_VPN_Client_Manual/4.2_Using_the_VPN_Client’>extensive instructions</a> on how to use it on their website.” /]]
[[post-object type=”accordion” question=”What VPN encryption should I use on my Linux machine?” answer=”You might be wondering which protocol to go with if you’re relatively new to VPNs. However, we’d always recommend sticking with OpenVPN. OpenVPN is not the most efficient VPN protocol, mind, but it is the only protocol known to be secure against the NSA when strong settings are used (most notably perfect forward secrecy).
IKEv2 is well-regarded, and new-kid-on-the-block WireGuard shows a great deal of promise, but neither has been “battle-tested” in the way that OpenVPN has. For more details please see our <a href=’https://proprivacy.com/vpn/guides/vpn-encryption-the-complete-guide’>Ultimate Guide to VPN Encryption</a>. PPTP is best avoided, as it’s not secure on any platform. Its most serious issue is the possibility of un-encapsulated MS-CHAP v2 Authentication. PPTP has been cracked in two short days using this exploit. The flaw has been patched by Microsoft (who developed PPTP), but has itself issued a recommendation to use L2TP/IPsec or SSTP instead. It should also come as no surprise that the NSA almost certainly decrypts PPTP encrypted communications as a standard. Even more worrying is that the NSA collected vast amounts of older data that was encrypted back when PPTP was considered secure, and it can almost certainly decrypt this legacy data as well.
Another important factor for Linux users is that almost every reputable VPN service offers standard .ovpn files, which can be used to configure OpenVPN in Linux, even when a provider does not officially support the platform (a situation which is all too common, we are afraid to say). OpenVPN can be installed from the command-line even if the “add VPN connection” option is grayed out for you. The specifics will depend on your package manager, but “sudo apt-get openvpn” should do the trick with most Debian-based distros. OpenVPN should now appear as an option in Network Manager, but if not, you’ll always be able to configure it using the command-line.” /]]
[[post-object type=”accordion” question=”How to disguise VPN traffic as HTTPS traffic?” answer=”By default, OpenVPN uses UDP port 1194, but it can be run over TCP port 443 to emulate regular HTTPS traffic. This trick can be effective at disguising OpenVPN traffic in a number of situations – but it won’t fool more advanced deep packet inspection (DPI) techniques.
In order to use TCP port 443 in OpenVPN, it must be configured both client-side and server-side, but most VPN providers do support TCP port 443 server-side. Chances are that your provider offers the OpenVPN config file (.ovpn) pre-configured for TCP port 443, but if it doesn’t, then you can create them yourself.
Edit the .ovpn file you want to use in any text editor, remove any existing settings, and add the lines:
remote server.address.com 443
Then save. If in doubt, contact your VPN provider for advice, as it is possible that it uses custom settings or that not all its servers support OpenVPN over TCP port 443.”/]]
[[post-object type=”accordion” question=”How to find my OpenVPN connection log file on Linux?” answer=”OpenVPN logs are typically found in the syslog at /var/log/syslog – though bear in mind that this can vary by distro. OpenVPN config files are usually found in /etc/openvpn/.” /]]
[[post-object type=”accordion” question=”Where are VPN config files imported to on Linux machines?” answer=”You can import OpenVPN files from any convenient location (such as your Downloads folder). Once imported, they can usually be found in the /etc/openvpn/ folder.” /]]