Using a VPN on Linux
Keep your internet traffic private, hide your location, and stay safe on public WiFi.
What Does a VPN Actually Do?
Imagine your internet connection is a postcard — anyone handling it along the way can read what's on it and see where it's going. A VPN (Virtual Private Network) puts that postcard inside a locked envelope.
When you turn on a VPN, two things happen:
- Your internet traffic gets encrypted. Nobody between you and the VPN server — not your ISP, not the coffee shop WiFi owner, not anyone snooping on the network — can see what you're doing online.
- Your location gets hidden. Websites see the VPN server's address instead of yours, so they can't tell where you really are.
That's it. A VPN is just a secure tunnel between your computer and a server somewhere else in the world.
When Would You Want One?
- Public WiFi — Coffee shops, airports, hotels. These networks are easy to snoop on. A VPN keeps your browsing, passwords, and banking safe.
- Privacy from your ISP — Your internet provider can see every website you visit. A VPN prevents that.
- Accessing content — Some streaming services and websites are only available in certain countries. A VPN lets you connect through a server in that country.
- Avoiding censorship — In some places, certain websites are blocked. A VPN can get around those blocks.
VPN Providers That Work Well on Linux
Not all VPN services bother making Linux apps. These ones do, and they do it well:
| Provider | Linux Support | Highlights |
|---|---|---|
| Mullvad | Full GUI app | Privacy-first. No email required to sign up. Flat price. Open source. Based in Sweden. |
| ProtonVPN | Full GUI app | Has a free tier (limited servers, no speed cap). Made by the Proton Mail team. Open source. Based in Switzerland. |
| NordVPN | CLI app | Huge server network. Fast speeds. Has a CLI tool that works great on Linux. |
| ExpressVPN | CLI app | Easy to use CLI. Good speeds. Supports many distros out of the box. |
| Surfshark | GUI app | Unlimited simultaneous devices. Budget-friendly. Graphical app for Linux. |
How to Set Up a VPN
There are three ways to get a VPN running on Linux. Pick whichever feels most comfortable.
Method 1: Use the Provider's Official App (Easiest)
This is the simplest way. Most providers offer a Linux app you can download from their website. Here's how it typically works:
Mullvad
# Download the .deb or .rpm from mullvad.net, then:
# For Ubuntu/Mint/Debian:
sudo apt install ./MullvadVPN-*.deb
# For Fedora:
sudo dnf install ./MullvadVPN-*.rpm
# Then just open "Mullvad VPN" from your app menu and log inProtonVPN
# For Ubuntu/Mint/Debian:
# Download the .deb repository package from protonvpn.com, then:
sudo apt install ./protonvpn-stable-release_*.deb
sudo apt update
sudo apt install proton-vpn-gnome-desktop
# Open "Proton VPN" from your app menu and sign inNordVPN
# Install the NordVPN CLI (works on most distros):
sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)
# Log in and connect:
nordvpn login
nordvpn connectExpressVPN
# Download the .deb or .rpm from expressvpn.com, then:
sudo apt install ./expressvpn_*.deb # Ubuntu/Debian
sudo dnf install ./expressvpn-*.rpm # Fedora
# Activate and connect:
expressvpn activate
expressvpn connectSurfshark
# Download the .deb from surfshark.com, then:
sudo apt install ./surfshark-release_*.deb
sudo apt update
sudo apt install surfshark
# Open the Surfshark app from your app menuMethod 2: Through Your Desktop's Network Settings
Both GNOME and KDE have VPN support built right into their network settings. This is handy if you want to use your VPN provider's config files without installing a separate app.
You'll need to grab a config file from your VPN provider first — look for "manual setup" or "OpenVPN/WireGuard config files" on their website.
GNOME (Ubuntu, Fedora, Pop!_OS)
- Install the VPN plugin you need:
# For OpenVPN configs: sudo apt install network-manager-openvpn-gnome # Ubuntu/Debian sudo dnf install NetworkManager-openvpn-gnome # Fedora # For WireGuard configs: sudo apt install wireguard # Ubuntu/Debian sudo dnf install wireguard-tools # Fedora - Open Settings → Network → VPN and click the + button
- Choose "Import from file..." and select the config file you downloaded
- Enter your username/password if prompted, then click Add
- Flip the VPN toggle to connect
KDE Plasma (Kubuntu, KDE Neon, openSUSE KDE)
- Install the VPN plugin:
# For OpenVPN: sudo apt install network-manager-openvpn # Kubuntu sudo dnf install NetworkManager-openvpn # Fedora KDE # For WireGuard: sudo apt install wireguard # Kubuntu sudo dnf install wireguard-tools # Fedora KDE - Open System Settings → Connections
- Click + and choose "Import VPN connection..."
- Pick your config file, fill in any credentials, and save
- Click the network icon in your system tray and select the VPN connection
Method 3: OpenVPN / WireGuard from the Terminal
Terminal setup (more advanced)
WireGuard (recommended)
WireGuard is the modern choice — it's fast, simple, and built into the Linux kernel.
# Install WireGuard
sudo apt install wireguard # Ubuntu/Debian/Mint
sudo dnf install wireguard-tools # Fedora
sudo pacman -S wireguard-tools # Arch/Manjaro
sudo zypper install wireguard-tools # openSUSE
# Download a WireGuard config file from your VPN provider
# (usually a .conf file). Save it to /etc/wireguard/
sudo cp ~/Downloads/wg0.conf /etc/wireguard/wg0.conf
# Make sure only root can read it (it contains your private key)
sudo chmod 600 /etc/wireguard/wg0.conf
# Connect
sudo wg-quick up wg0
# Disconnect
sudo wg-quick down wg0
# Check status
sudo wg show
# Auto-connect on boot
sudo systemctl enable wg-quick@wg0OpenVPN
OpenVPN is the older, more established option. Still perfectly fine and widely supported.
# Install OpenVPN
sudo apt install openvpn # Ubuntu/Debian/Mint
sudo dnf install openvpn # Fedora
sudo pacman -S openvpn # Arch/Manjaro
sudo zypper install openvpn # openSUSE
# Download an OpenVPN config file from your VPN provider
# (usually a .ovpn file)
# Connect (it will ask for your username and password)
sudo openvpn --config ~/Downloads/server.ovpn
# The terminal will stay open while connected.
# Press Ctrl+C to disconnect.
# To run it in the background instead:
sudo openvpn --config /etc/openvpn/client/server.conf --daemonWireGuard vs OpenVPN
These are the two main VPN protocols — the technology that actually creates the encrypted tunnel. Here's how they compare:
| WireGuard | OpenVPN | |
|---|---|---|
| Speed | Faster — noticeably so on most connections | Slightly slower but still plenty fast for most uses |
| Age | Newer (built into the Linux kernel since 2020) | Battle-tested since 2001 |
| Code size | ~4,000 lines (easy to audit for security) | ~100,000+ lines |
| Setup | Simple config files | More options, more complex configs |
| Battery usage | Lower — great for laptops | Higher |
| Support | Most major providers support it now | Supported everywhere |
Bottom line: Use WireGuard if your provider supports it. It's faster, lighter on your battery, and just as secure. Only use OpenVPN if WireGuard isn't available or you need a specific feature OpenVPN has.
A Warning About Free VPNs
The answer is usually one or more of these:
- Selling your browsing data — Defeating the entire purpose of using a VPN
- Injecting ads into the websites you visit
- Selling your bandwidth — Other people's traffic gets routed through your connection
- Logging everything and handing it over when asked
If you need a free option, ProtonVPN's free tier is the safest choice. It's run by the same team behind Proton Mail, they have a clear business model (paid subscribers fund the free tier), and they've been independently audited.
Kill Switch: What Happens If the VPN Drops?
Sometimes VPN connections drop for a moment — your WiFi glitches, the server hiccups, whatever. When that happens, your computer might send traffic over your normal, unprotected connection without you noticing. A kill switch prevents this.
When a kill switch is enabled, it blocks all internet traffic unless it's going through the VPN. If the VPN disconnects, your internet stops working until the VPN reconnects. No accidental leaks.
How to enable it depends on your provider:
- Mullvad: On by default (they call it "Always require VPN")
- ProtonVPN: On by default in the app
- NordVPN CLI:
nordvpn set killswitch enabled - ExpressVPN CLI:
expressvpn preferences set network_lock on - WireGuard manual setup: Add
PostUpandPreDownfirewall rules to your config (see the DNS leak section below for related tips)
DNS Leak Basics
Even with a VPN active, there's a sneaky way your browsing can leak: through DNS requests.
Every time you visit a website, your computer asks a DNS server to translate the domain name (like "google.com") into an IP address. If those DNS requests go to your ISP's DNS server instead of the VPN's, your ISP can see which websites you're visiting even though the rest of your traffic is encrypted. That's a DNS leak.
How to check for DNS leaks
- Connect to your VPN
- Visit dnsleaktest.com and run the extended test
- The results should only show your VPN provider's DNS servers — not your ISP's
How to fix DNS leaks
Most VPN apps handle this automatically. But if you're using a manual WireGuard or OpenVPN setup, you may need to set your DNS explicitly:
# In your WireGuard config file (/etc/wireguard/wg0.conf),
# make sure the [Interface] section includes a DNS line:
[Interface]
PrivateKey = your-private-key
Address = 10.x.x.x/32
DNS = 10.64.0.1 # Use your VPN provider's DNS server address
# You can also use privacy-respecting public DNS:
# DNS = 9.9.9.9 # Quad9
# DNS = 1.1.1.1 # CloudflareFor OpenVPN, you can push DNS settings by adding these lines to your .ovpn config:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-confOr install openvpn-systemd-resolved on Ubuntu/Debian for more reliable DNS handling.
Per-Distro Install Commands
Here are quick install commands for common VPN tools across different distros.
WireGuard
| Distro | Install command |
|---|---|
| Ubuntu / Mint / Debian | sudo apt install wireguard |
| Fedora | sudo dnf install wireguard-tools |
| Arch / Manjaro | sudo pacman -S wireguard-tools |
| openSUSE | sudo zypper install wireguard-tools |
OpenVPN
| Distro | Install command |
|---|---|
| Ubuntu / Mint / Debian | sudo apt install openvpn |
| Fedora | sudo dnf install openvpn |
| Arch / Manjaro | sudo pacman -S openvpn |
| openSUSE | sudo zypper install openvpn |
NetworkManager VPN Plugins (for desktop integration)
| Distro | OpenVPN plugin | WireGuard plugin |
|---|---|---|
| Ubuntu / Mint / Debian | sudo apt install network-manager-openvpn-gnome |
sudo apt install wireguard |
| Fedora | sudo dnf install NetworkManager-openvpn-gnome |
sudo dnf install wireguard-tools |
| Arch / Manjaro | sudo pacman -S networkmanager-openvpn |
sudo pacman -S wireguard-tools |
| openSUSE | sudo zypper install NetworkManager-openvpn-gnome |
sudo zypper install wireguard-tools |