The best VPNs for Linux in 2017 (and the worst)

Published by on July 27, 2017 in VPN & Privacy

ubuntuUbuntu, Fedora, OpenSUSE, and Mint users often get the short end of the stick when it comes to software, and VPN services are no different. Let’s be honest: Linux users are low on the priority list for most companies and developers. That’s why we set out to find the best VPN providers who have taken the time to give Linux fans some attention.

To connect to a VPN on Linux, OpenVPN, OpenConnect, and Network Manager are all popular options. But even better is a VPN provider with a plug-and-play native client. They require far less configuration and tend to come with more features and perks than their generic peers. That’s why every VPN we recommend in this list offers a slick app especially for you.

1. ExpressVPN

ExpressVPN Linux image

ExpressVPN released its official Linux app in April 2016. It runs using a command-line interface rather than the desktop GUI available on Windows and Mac, but it’s still far easier than downloading and managing config files for each server. The server list is always kept up to date, and users can easily switch between UDP and TCP over the OpenVPN protocol. ExpressVPN costs a fair bit more than some rivals, but it does offer a 30-day money back guarantee and clocked much faster speeds in our testing. ExpressVPN works on Ubuntu, Debian, Fedora, and CentOS.

ExpressVPN tops our list as it scores well in all areas including privacy, speed and customer support. It is also the only VPN on this list that has consistently worked to unblock all content we have tested, including Netflix, Hulu, BBC iPlayer and HBO.

Update: ExpressVPN have made some notable improvements by allowing up to 3 simultaneous devices and introducing a kill switch.

DEAL ALERT: ExpressVPN is now more affordable after putting together an offer of 3 months extra free with their 12 month package here, this a 49% discount on the monthly plan. The 30-day money-back guarantee still applies so you can try it risk free and get a full refund for any reason.

Read our full review of ExpressVPN.

2. Private Internet Access

PIA logo

Private Internet Access (PIA) is one of our best reviewed VPN to date but does lose some points for not unblocking content such as Netflix and other geo-restricted content. It’s not pretty, but it’s remarkably affordable, lets you connect five simultaneous devices, offers acceptable (if not great) speeds, and is as secure as they come. PIA is one of the most popular premium VPNs among Linux users, and deservedly so. OpenVPN encrypted with 256-bit AES is the default protocol, but this can be tweaked to your heart’s content. PIA will work on both Debian and Fedora distros, but Fedora and OpenSUSE users will find the process a bit more complicated.

At the time of writing PIA is available for as little a $3.33 per month.

Read our full review of Private Internet Access.

3. AirVPN
airvpn_logo

AirVPN offers native Linux apps for Debian/Ubuntu and openSUSE/Fedora. These can be used through either the command line or a GUI. You won’t find more comprehensive security settings on a VPN client. AirVPN lets users activate a kill switch, connect using OpenVPN over SSH and SSL, and forward traffic through a number of alternative ports. Prices are mid-range.

Stay tuned for our full review of AirVPN.

4. Buffered

buffered logo

Based in Hungary, this relative newcomer offers three simultaneous connections, a no-logging policy, and a 30-day money back guarantee. Like ExpressVPN, it’s a bit on the expensive side. One cool perk is that the client can search for open ports on password-protected networks, allowing you to bypass those annoying login pages at hotels and airports. Servers are limited to 16 countries, but speeds are fast. Buffered works across most Linux distros.

Read our full Buffered review.

5. Mullvad

mullvad logo

Mullvad’s open-source Debian/Ubuntu client comes with an internet kill switch, DNS and IPv6 leak protection, and IPv6 routing. It keeps no logs–not even connection logs, so it’s airtight when it comes to security. It allows three simultaneous connections. Port forwarding is available for evading firewalls. The server selection is limited, but it’s quite affordable. Mullvad currently only offers a Debian/Ubuntu package.

Stay tuned for our full review of Mullvad.

VPNs that Linux users should avoid

Several tutorials out there will show you how to install OpenVPN. That’s great, because OpenVPN is probably the best VPN protocol on the market. However, OpenVPN is just a protocol and a client. It is not a VPN service in and of itself. You will still require a server or servers to connect to, and this is where many people run into privacy issues.

All of the above paid services we’ve listed above have zero-log policies, meaning they don’t monitor or record how you use the VPN. This means a hacker can’t breach the provider’s servers and find dirt on you, the company can’t sell your info to third parties, and law enforcement can’t coerce the company into giving up private info about customers.

With free VPNs, the reality is often very different. A company isn’t going to waste money hosting and maintaining a VPN server without expecting something in return. That’s why it’s very important to read up on a company’s privacy and logging policies before you connect.

Furthermore, stay away from VPN services that only offer a PPTP connection. PPTP is fast and simple to set up, but it contains several security vulnerabilities.

itshidden

This free VPN service only uses PPTP connections, so it’s clearly not secure. The privacy policy is one sentence long and even that has typos in it. Granted, the one sentence claims the service doesn’t keep any traffic logs, but we’d hardly call that a policy.

SecurityKISS

Searching for a free VPN for Linux on Google might lead you to SecurityKISS. The company stores connection logs and IP addresses of users, a practice which privacy advocates frown upon. In the free version, your usage is capped at 300MB per day. In the paid version … well it doesn’t really matter because there are at least a half dozen better options.

USAIP

Another mediocre VPN service that somehow weaseled its way into search results, USAIP’s latest Linux client only uses PPTP. It also doesn’t provide its own DNS servers or default to Google’s, which means your ISP can still monitor your activity. On top of that, it doesn’t disclose its logging policy.

A note on OpenVPN

Even if a VPN provider doesn’t make a dedicated native client for your Linux distro, almost all of them will provide configuration files that work with OpenVPN. All you need to do is download a config file for each server you want to connect to. This can get tedious if you like to have a lot of options, but it’s perfectly feasible.

OpenVPN is great, but the generic client isn’t as packed with features like DNS leak prevention and internet kill switches. Again, you can find scripts and packages that will take care of these for you, but we prefer the convenience of clients with all this stuff built in.

How to install and connect to OpenVPN on Linux

Here we’ll show you how to install the OpenVPN client on Ubuntu. Other distros, such as Mint and CentOS, should work similarly, but the commands might vary slightly.

  1. Open a terminal
  2. Type sudo apt-get install -y openvpn and hit Enter (depending on your distro, this might be sudo yum install openvpn)
  3. Type your admin password and hit Enter
  4. Type y and hit Enter to accept all dependencies and complete the installation.
  5. If you’re using Ubuntu 14.04 or earlier, type sudo apt-get install network-manager network-manager-openvpn network-manager-openvpn-gnome and hit Enter
  6. If you’re using Ubuntu 14.04 or earlier, type sudo apt-get install openvpn easy-rsa

Once OpenVPN is installed, you need config files. Usually you can download .ovpn config files from your VPN provider’s website. Each config file is associated with a particular server and location so grab a few of them for each location you want to connect to. Make sure to have backups in case a server goes down.

To connect via command line, which should work across most distros:

  1. With OpenVPN installed, type sudo openvpn –config in the terminal and hit Enter
  2. Drag and drop the .ovpn config file for the server you want to connect to into the terminal. The correct path will be automatically captured.
  3. Hit Enter and wait for the “Initialization Sequence Completed” message. You are now connected to the VPN. You can minimize the terminal window, but closing it will disconnect you from the VPN.

This is just one way to connect. You can also try the Ubuntu Network Manager or the OpenVPN GUI. These may require CA certificates and/or private keys from your VPN, so make sure those are available from the provider’s website.

How to make a VPN kill switch in Linux

In the event that the VPN connection unexpectedly drops, the computer will continue to send and receive traffic sent over your ISP’s unprotected network, possibly without you even noticing. To prevent this behavior, you can make yourself a simple kill switch that halts all internet traffic until the VPN connection is restored. We’ll show you how to write some easy rules using iptables and the Ubuntu Ultimate Firewall (UFW) application.

First, create a startvpn.sh script that puts firewall rules in place. These firewall rules only allow traffic over the VPN’s tun0 network interface, and they only allow traffic over that interface to go to your VPN’s server.

$ cat startvpn.sh
sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow out on tun0 from any to any
sudo ufw allow out from any to 54.186.178.243 # <-- note this is the IP from the "remote" field of your configuration file
sudo ufw enable
sudo ufw status
sudo openvpn client.conf &

Network traffic cannot pass over any other network interface with these firewall rules in place. When your VPN drops, it removes the tun0 interface from your system so there is no allowed interface left for traffic to pass, and the internet connection dies.

When the VPN session ends, we need to remove the rules to allow normal network traffic over our actual network interfaces. The simplest method is to disable UFW altogether. If you have existing UFW rules running normally, then you’ll want to craft a more elegant tear down script instead. This one removes the firewall rules and then kills openvpn with a script called stopvpn.sh

$ cat stopvpn.sh
sudo ufw disable
sudo ufw status
sudo kill `ps -ef | grep openvpn | awk '{print $2}'`

If you use some other means to connect to your VPN, you can eliminate the last two lines of each script. In such a configuration, you will have to remember to manually run the startvpn.sh script prior to starting your VPN using some other method. Once your VPN session ends, remembering to run the stopvpn.sh script isn’t hard; you’ll probably notice the lack of internet connectivity until you run it.

Which Linux distro is best for privacy?

If you’re concerned about privacy, switching from MacOS or Windows to any open-source Linux distro is already a step in the right direction. Apple and Microsoft both collect personal data from users on their respective operating systems. Both companies are known to cooperate with law enforcement and intelligence agencies like the NSA. Microsoft uses customers’ data to sell ads. Both OSes are closed source, meaning the public cannot peak at the source code to see where vulnerabilities or backdoors lie.

Linux, on the other hand, is open source and frequently audited by the security community. While Ubuntu once flirted with Amazon to monetize users, it and other distros are generally not out to make a buck by selling your data to third parties.

Not all Linux distros are created equally, however, and some are more secure than others. If you’re looking for a distro that functions as a day-to-day desktop replacement but is also built with privacy and security in mind, we recommend Ubuntu Privacy Remix. UPR is a Debian-based Ubuntu build that stores all user data on encrypted removable media, such as an external hard drive. The “non-manipulatable” OS is supposedly immune to malware infection.

You’ll still need a VPN to encrypt your internet connection. Most of the apps from the VPN providers above should work fine on UPR.

If UPR isn’t enough and you want to use your computer with complete anonymity, we recommend TAILS. Short for The Amnesiac Incognito Live System, TAILS is a Linux distro built by the same people who created the Tor network. TAILS is a live OS designed to be installed on and run from a USB drive or CD. It’s a hardened version of Linux that routes all internet traffic through the Tor network. It leaves no trace of ever being used after removing it from the device.

Making your own VPN

If you don’t trust commercial VPN providers or you just prefer a DIY solution, you could always roll your own VPN. You’ll need to set up your own server. Common options are virtual private cloud services like Amazon Web Services and Digital Ocean. A variety of tools at your disposal that will assist you in getting a homegrown VPN up and running:

  • OpenVPN
  • Streisand
  • Algo
  • SoftEther
  • StrongSwan

Each has its own pros and cons in terms of protocol, security, features, and ease of use. We’ve got a great tutorial on how to set up OpenVPN with a Linux client and Amazon EC2 Linux instance.

But even though rolling your VPN gives you full control over almost every aspect of how the VPN operates, there are some drawbacks. First, it’s much more difficult than using pre-existing servers and pre-configured apps. Secondly, if you’re using a cloud service like AWS or Digital Ocean, your data still passes through the hands of a third party. Third, you only get a single server and location to connect to.

Finally, and perhaps most importantly, rolling your own VPN likely means that only you and perhaps a handful of acquaintances will be using it. That makes it much easier to trace activity back to a specific person. Commercial VPNs, on the other hand, typically assign users shared IP addresses. Dozens and even hundreds of users can be pooled together under a single IP, effectively anonymizing traffic after it leaves the VPN server.

14 thoughts on “The best VPNs for Linux in 2017 (and the worst)

  • I built my own VPN servers on cloud service providers based in Europe and elsewhere outside the US and I route my traffic through them. After the initial testing I turned off all logging.

  • At this point in time, PIA’s so-called “plug and play native client” does not work on Ubuntu 17.04. And their support is TERRIBLE. It took them three weeks to respond to my last service problem. Three weeks even to acknowledge that I’d contacted them.

  • Drag the config file into the terminal window BEFORE pressing enter.
    If you press enter BEFORE dragging the config file to the window, as suggested, you’ll get an error from the partially completed command.

  • great article, hope everyone in linux land sees this, esp since the new world order is hellbent on sending all info to corporate hq world wide. =/

  • the use of nordvpn is also very simple and really good – looking for a gui frotnend to make it a little comfortable and faster … regards

  • Thanks for the list. From my experience PIA does not work with Linux Mint. I have tried it and gone back and forth with support for weeks and gave up. I am now looking for another client that actually supports Linux.

  • For AIRVPN.ORG I use this way :

    install if needed stunnel (apt-get install stunnel)

    rename :
    AirVPN_example_name_SSL-443.ovpn to airvpn.conf
    AirVPN_example_name_SSL-443.ssl to stunnel.conf

    copied

    airvpn.conf to /etc/openvpn
    stunnel.conf to /etc/stunnel
    stunnel.crt to /etc/stunnel

    edit :

    /etc/default/openvpn and add the line #AUTOSTART=”home office” to AUTOSTART=”airvpn” and remove the #

    /etc/stunnel/stunnel.conf and change the line CAfile = stunnel.crt to CAfile = /etc/stunnel/stunnel.crt

    /etc/default/stunnel4 and change the line ENABLED=0 to ENABLED=1 (to enable stunnel automatic startup)

    Then reboot and everything is working.

  • Bulltwinkie!

    Linux ubuntu will not allow you to install via command line, you must 1st download from the linux software (aka we will share your data anyway) center

    • Bulltwinkie? I’ve NEVER had a problem installing anything from an Ubuntu command line. Learn to use your Linux!

  • What annoys me is that I have Expressvpn which is not the cheapest and works well on android but will not work on Linux Mint 18.
    Why should I have to pay for a second VPN which will work on linux

    • You can just use it manually by installing the OpenVPN package for Linux and downloading the server config files.

  • CyberGost isn’t free for Linux. There is a free version for Windows but you have to have a paid account to use it with Linux.

Leave a Reply

Your email address will not be published. Required fields are marked *