The best VPNs for Linux in 2018 (and the worst)

Published by on January 11, 2018 in VPN & Privacy

ubuntuUbuntu, Fedora, OpenSUSE, and Mint users often get the short end of the stick when it comes to software, and VPN services are no different. Let’s be honest: Linux users are low on the priority list for most companies and developers. That’s why we set out to find the best VPN providers who have taken the time to give Linux fans some attention.

To connect to a VPN on Linux, OpenVPN, OpenConnect, and Network Manager are all popular options. But even better is a VPN provider with a plug-and-play native client. They require far less configuration and tend to come with more features and perks than their generic peers. That’s why every VPN we recommend in this list offers a slick app just for you.

1. ExpressVPN

ExpressVPN Linux

ExpressVPN released its official Linux app in April 2016. It runs using a command-line interface rather than the desktop GUI available on Windows and Mac, but it’s still far easier than downloading and managing config files for each server. The server list is always kept up to date, and users can easily switch between UDP and TCP over the OpenVPN protocol. ExpressVPN costs a little more than some rivals, but it does offer a 30-day money back guarantee and clocked much faster speeds in our testing. ExpressVPN works on Ubuntu, Debian, Fedora, and CentOS.

ExpressVPN tops our list as it scores well in all key areas including privacy, speed and customer support. It is also the only VPN on this list that has consistently worked to unblock all content we have tested, including Netflix, Hulu, BBC iPlayer and HBO.

Update: ExpressVPN have made some notable improvements by allowing up to 3 simultaneous devices and introducing a kill switch.

DEAL ALERT: ExpressVPN is now more affordable after putting together an offer of 3 months extra free with their 12 month package here, this a 49% discount on the monthly plan. The 30-day money-back guarantee still applies so you can try it risk free and get a full refund for any reason.

Read our full review of ExpressVPN.

2. Private Internet Access

PIA logo

Private Internet Access (PIA) is one of our best reviewed VPNs to date but does lose some points for not unblocking content such as Netflix and other geo-restricted content. It’s not pretty, but it’s remarkably affordable, lets you connect five simultaneous devices, offers acceptable (if not great) speeds, and is as secure as they come. PIA is one of the most popular premium VPNs among Linux users, and deservedly so. OpenVPN encrypted with 256-bit AES is the default protocol, but this can be tweaked to your heart’s content. PIA will work on both Debian and Fedora distros, but Fedora and OpenSUSE users will find the process a bit more complicated.

At the time of writing PIA is available for as little a $3.33 per month.

Read our full review of Private Internet Access.

3. AirVPN
airvpn_logo

AirVPN offers native Linux apps for Debian/Ubuntu and openSUSE/Fedora. These can be used through either the command line or a GUI. You won’t find more comprehensive security settings on a VPN client. AirVPN lets users activate a kill switch, connect using OpenVPN over SSH and SSL, and forward traffic through a number of alternative ports. Prices are mid-range.

Stay tuned for our full review of AirVPN.

4. Buffered

buffered logo

Based in Hungary, this relative newcomer offers three simultaneous connections, a no-logging policy, and a 30-day money back guarantee. Like ExpressVPN, it’s a bit on the expensive side. One cool perk is that the client can search for open ports on password-protected networks, allowing you to bypass those annoying login pages at hotels and airports. Servers are limited to 16 countries, but speeds are fast. Buffered works across most Linux distros.

Read our full Buffered review.

5. Mullvad

mullvad logo

Mullvad’s open-source Debian/Ubuntu client comes with an internet kill switch, DNS and IPv6 leak protection, and IPv6 routing. It keeps no logs–not even connection logs, so it’s airtight when it comes to security. It allows three simultaneous connections. Port forwarding is available for evading firewalls. The server selection is limited, but it’s quite affordable. Mullvad currently only offers a Debian/Ubuntu package.

Stay tuned for our full review of Mullvad.

VPNs that Linux users should avoid

Several tutorials out there will show you how to install OpenVPN. That’s great, because OpenVPN is probably the best VPN protocol on the market. However, OpenVPN is just a protocol and a client. It is not a VPN service in and of itself. You will still require a server or servers to connect to, and this is where many people run into privacy issues.

All of the above paid services we’ve listed above have zero-log policies, meaning they don’t monitor or record how you use the VPN. This means a hacker can’t breach the provider’s servers and find dirt on you, the company can’t sell your info to third parties, and law enforcement can’t coerce the company into giving up private info about customers.

With free VPNs, the reality is often very different. A company isn’t going to waste money hosting and maintaining a VPN server without expecting something in return. That’s why it’s very important to read up on a company’s privacy and logging policies before you connect.

Furthermore, stay away from VPN services that only offer a PPTP connection. PPTP is fast and simple to set up, but it contains several security vulnerabilities.

itshidden

This free VPN service only uses PPTP connections, so it’s clearly not secure. The privacy policy is one sentence long and even that has typos in it. Granted, the one sentence claims the service doesn’t keep any traffic logs, but we’d hardly call that a policy.

SecurityKISS

Searching for a free VPN for Linux on Google might lead you to SecurityKISS. The company stores connection logs and IP addresses of users, a practice which privacy advocates frown upon. In the free version, your usage is capped at 300MB per day. In the paid version … well it doesn’t really matter because there are at least a half dozen better options.

USAIP

Another mediocre VPN service that somehow weaseled its way into search results, USAIP’s latest Linux client only uses PPTP. It also doesn’t provide its own DNS servers or default to Google’s, which means your ISP can still monitor your activity. On top of that, it doesn’t disclose its logging policy.

Securing Linux

A VPN is a great step toward securing your Linux system, but you’ll need more than that for full protection. Like all operating systems, Linux has its vulnerabilities and hackers who want to exploit them. Here are a few more tools we recommend for Linux users:

  • Antivirus software
  • Anti-rootkit software
  • Tripwire
  • Firewall
  • Security-focused browser extensions

You can learn about all of these tools, which ones to use, and how to install them in our Linux Security Guide. There you’ll also find tons of other tips and advice for securing Linux.

Why should I use a VPN for Linux?

A VPN has multiple uses and can be applied in a number of different scenarios.

Privacy

At its core, a VPN is a tool designed for privacy. If you’re worried about someone monitoring what you do online, such as an internet service provider, hacker, or government agency, a VPN can help. A VPN achieves privacy in two key ways.

First, all of the data you send and receive over the internet is encrypted before it even leaves your device. So long as the encryption is strong–128-bit and 256-bit AES are both sufficient and common with modern VPNs–no one will be able to crack it. If, for example, your ISP wanted to record your browsing history, it would instead only see indecipherable text.

Second, using the same example, the ISP cannot see where a VPN user’s internet traffic is going to or coming from. It can only see that data is travelling between your computer and the VPN server. It cannot see the destination of your internet traffic and can therefore not monitor what websites, apps, and services you use. Websites that you visit won’t be able to track you so easily, as your IP address is hidden behind that of the VPN server, and IP addresses play a huge role in how advertising companies and other data gathering entities create user profiles.

An important distinction to make here is the difference between VPN logging policies. All of the VPN providers we recommend do not keep traffic logs, meaning they do not monitor your activity while connected to the VPN. Many other VPNs log your activity in different ways and should generally be avoided; being tracked by your VPN is hardly better than not having a VPN at all.

Related: Best logless VPNs

Security

Security and privacy often go hand in hand. A VPN can help secure your device by protecting it from online threats. Public wifi, for example, is a minefield for unprotected devices. Hackers can hijack unsecured wifi routers or create their own fake hotspots and wreak all sorts of havoc on any device that connects to them. An attacker could steal or modify any data sent over an unsecured network.

Even when you’re not on public wifi, a VPN can protect your device from several threats. By masking your IP address–a common a VPN removes a common attack vector used by hackers to target a specific person. Many VPNs also come with built-in malware filtering.

Unblocking geo-locked content

Many websites, apps, and online services are restricted to residents of certain countries or regions. A popular use case for VPNs is unblocking geographically restricted, or “geo-locked,” content. This includes streaming video sites like Netflix, Hulu, BBC iPlayer, and Amazon Prime Video. It also applies to online banking and shopping sites by “spoofing” your location. The website in question only sees the location of the VPN server you chose to connect to and not your real location. You can even avoid blackout restrictions on live streaming sporting events.

Bear in mind that many streaming video providers are adverse to VPN use because of content licensing agreements that force them to only offer content within certain countries. As such, they often block connections from known VPN servers. A handful of VPNs can bypass these restrictions; just use the search bar on this site to find a list of the [best VPNs for your favorite streaming site](6 VPNs that are fast enough to stream without buffering, even in HD!). From the list above, ExpressVPN is the most capable unblocker.

Bypassing censorship

Censorship stinks, whether you’re in an authoritarian country like China or an office building with an overzealous firewall. By routing your internet traffic around the firewall through a VPN server, you can evade such restrictions and freely access the open internet. In all but a very small fraction of countries, using a VPN is perfectly legal.

Be warned, however, that some countries block known VPN servers, so not all providers can bypass censorship measures. Be sure to check with the individual provider and ask if it can unblock censored sites from your country.

Torrenting

ISPs often frown upon torrenting, whether you’re downloading legally or illegally. An ISP might penalize your account by restricting bandwidth, for example. Furthermore, the BitTorrent network is rife with copyright trolls looking to make a quick buck by collecting IP addresses of downloaders and sending them threatening settlement letters through their ISP.

A VPN is an essential tool for torrenting. When connected to a VPN, your ISP cannot distinguish between different types of traffic, torrenting or otherwise. And because your IP address is masked by the VPN server’s IP address, copyright trolls cannot track you down. Just make sure to choose a VPN provider that doesn’t log your real IP address. You can cross reference the list above with our list of the best VPNs for torrenting to find the best fit for you.

A note on OpenVPN

Even if a VPN provider doesn’t make a dedicated native client for your Linux distro, almost all of them will provide configuration files that work with OpenVPN. All you need to do is download a config file for each server you want to connect to. This can get tedious if you like to have a lot of options, but it’s perfectly feasible.

OpenVPN is great, but the generic client isn’t as packed with features like DNS leak prevention and internet kill switches. Again, you can find scripts and packages that will take care of these for you, but we prefer the convenience of clients with all this stuff built in.

How to install and connect to OpenVPN on Linux

Here we’ll show you how to install the OpenVPN client on Ubuntu. Other distros, such as Mint and CentOS, should work similarly, but the commands might vary slightly.

  1. Open a terminal
  2. Type sudo apt-get install -y openvpn and hit Enter (depending on your distro, this might be sudo yum install openvpn)
  3. Type your admin password and hit Enter
  4. Type y and hit Enter to accept all dependencies and complete the installation.
  5. If you’re using Ubuntu 14.04 or earlier, type sudo apt-get install network-manager network-manager-openvpn network-manager-openvpn-gnome and hit Enter
  6. If you’re using Ubuntu 14.04 or earlier, type sudo apt-get install openvpn easy-rsa

Once OpenVPN is installed, you need config files. Usually you can download .ovpn config files from your VPN provider’s website. Each config file is associated with a particular server and location so grab a few of them for each location you want to connect to. Make sure to have backups in case a server goes down.

To connect via command line, which should work across most distros:

  1. With OpenVPN installed, type sudo openvpn –config in the terminal and hit Enter
  2. Drag and drop the .ovpn config file for the server you want to connect to into the terminal. The correct path will be automatically captured.
  3. Hit Enter and wait for the “Initialization Sequence Completed” message. You are now connected to the VPN. You can minimize the terminal window, but closing it will disconnect you from the VPN.

This is just one way to connect. You can also try the Ubuntu Network Manager or the OpenVPN GUI. These may require CA certificates and/or private keys from your VPN, so make sure those are available from the provider’s website.

How to make a VPN kill switch in Linux

In the event that the VPN connection unexpectedly drops, the computer will continue to send and receive traffic sent over your ISP’s unprotected network, possibly without you even noticing. To prevent this behavior, you can make yourself a simple kill switch that halts all internet traffic until the VPN connection is restored. We’ll show you how to write some easy rules using iptables and the Ubuntu Ultimate Firewall (UFW) application.

First, create a startvpn.sh script that puts firewall rules in place. These firewall rules only allow traffic over the VPN’s tun0 network interface, and they only allow traffic over that interface to go to your VPN’s server.

$ cat startvpn.sh
sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow out on tun0 from any to any
sudo ufw allow out from any to 54.186.178.243 # <-- note this is the IP from the "remote" field of your configuration file
sudo ufw enable
sudo ufw status
sudo openvpn client.conf &

Network traffic cannot pass over any other network interface with these firewall rules in place. When your VPN drops, it removes the tun0 interface from your system so there is no allowed interface left for traffic to pass, and the internet connection dies.

When the VPN session ends, we need to remove the rules to allow normal network traffic over our actual network interfaces. The simplest method is to disable UFW altogether. If you have existing UFW rules running normally, then you’ll want to craft a more elegant tear down script instead. This one removes the firewall rules and then kills openvpn with a script called stopvpn.sh

$ cat stopvpn.sh
sudo ufw disable
sudo ufw status
sudo kill `ps -ef | grep openvpn | awk '{print $2}'`

If you use some other means to connect to your VPN, you can eliminate the last two lines of each script. In such a configuration, you will have to remember to manually run the startvpn.sh script prior to starting your VPN using some other method. Once your VPN session ends, remembering to run the stopvpn.sh script isn’t hard; you’ll probably notice the lack of internet connectivity until you run it.

Which Linux distro is best for privacy?

If you’re concerned about privacy, switching from MacOS or Windows to any open-source Linux distro is already a step in the right direction. Apple and Microsoft both collect personal data from users on their respective operating systems. Both companies are known to cooperate with law enforcement and intelligence agencies like the NSA. Microsoft uses customers’ data to sell ads. Both OSes are closed source, meaning the public cannot peak at the source code to see where vulnerabilities or backdoors lie.

Linux, on the other hand, is open source and frequently audited by the security community. While Ubuntu once flirted with Amazon to monetize users, it and other distros are generally not out to make a buck by selling your data to third parties.

Not all Linux distros are created equally, however, and some are more secure than others. If you’re looking for a distro that functions as a day-to-day desktop replacement but is also built with privacy and security in mind, we recommend Ubuntu Privacy Remix. UPR is a Debian-based Ubuntu build that stores all user data on encrypted removable media, such as an external hard drive. The “non-manipulatable” OS is supposedly immune to malware infection.

You’ll still need a VPN to encrypt your internet connection. Most of the apps from the VPN providers above should work fine on UPR.

If UPR isn’t enough and you want to use your computer with complete anonymity, we recommend TAILS. Short for The Amnesiac Incognito Live System, TAILS is a Linux distro built by the same people who created the Tor network. TAILS is a live OS designed to be installed on and run from a USB drive or CD. It’s a hardened version of Linux that routes all internet traffic through the Tor network. It leaves no trace of ever being used after removing it from the device.

Making your own VPN

If you don’t trust commercial VPN providers or you just prefer a DIY solution, you could always roll your own VPN. You’ll need to set up your own server. Common options are virtual private cloud services like Amazon Web Services and Digital Ocean. A variety of tools at your disposal that will assist you in getting a homegrown VPN up and running:

  • OpenVPN
  • Streisand
  • Algo
  • SoftEther
  • StrongSwan

Each has its own pros and cons in terms of protocol, security, features, and ease of use. We’ve got a great tutorial on how to set up OpenVPN with a Linux client and Amazon EC2 Linux instance.

But even though rolling your VPN gives you full control over almost every aspect of how the VPN operates, there are some drawbacks. First, it’s much more difficult than using pre-existing servers and pre-configured apps. Secondly, if you’re using a cloud service like AWS or Digital Ocean, your data still passes through the hands of a third party. Third, you only get a single server and location to connect to.

Finally, and perhaps most importantly, rolling your own VPN likely means that only you and perhaps a handful of acquaintances will be using it. That makes it much easier to trace activity back to a specific person. Commercial VPNs, on the other hand, typically assign users shared IP addresses. Dozens and even hundreds of users can be pooled together under a single IP, effectively anonymizing traffic after it leaves the VPN server.

14 thoughts on “The best VPNs for Linux in 2018 (and the worst)

  • I built my own VPN servers on cloud service providers based in Europe and elsewhere outside the US and I route my traffic through them. After the initial testing I turned off all logging.

  • At this point in time, PIA’s so-called “plug and play native client” does not work on Ubuntu 17.04. And their support is TERRIBLE. It took them three weeks to respond to my last service problem. Three weeks even to acknowledge that I’d contacted them.

  • Drag the config file into the terminal window BEFORE pressing enter.
    If you press enter BEFORE dragging the config file to the window, as suggested, you’ll get an error from the partially completed command.

  • great article, hope everyone in linux land sees this, esp since the new world order is hellbent on sending all info to corporate hq world wide. =/

  • the use of nordvpn is also very simple and really good – looking for a gui frotnend to make it a little comfortable and faster … regards

  • Thanks for the list. From my experience PIA does not work with Linux Mint. I have tried it and gone back and forth with support for weeks and gave up. I am now looking for another client that actually supports Linux.

  • For AIRVPN.ORG I use this way :

    install if needed stunnel (apt-get install stunnel)

    rename :
    AirVPN_example_name_SSL-443.ovpn to airvpn.conf
    AirVPN_example_name_SSL-443.ssl to stunnel.conf

    copied

    airvpn.conf to /etc/openvpn
    stunnel.conf to /etc/stunnel
    stunnel.crt to /etc/stunnel

    edit :

    /etc/default/openvpn and add the line #AUTOSTART=”home office” to AUTOSTART=”airvpn” and remove the #

    /etc/stunnel/stunnel.conf and change the line CAfile = stunnel.crt to CAfile = /etc/stunnel/stunnel.crt

    /etc/default/stunnel4 and change the line ENABLED=0 to ENABLED=1 (to enable stunnel automatic startup)

    Then reboot and everything is working.

  • Bulltwinkie!

    Linux ubuntu will not allow you to install via command line, you must 1st download from the linux software (aka we will share your data anyway) center

    • Bulltwinkie? I’ve NEVER had a problem installing anything from an Ubuntu command line. Learn to use your Linux!

  • What annoys me is that I have Expressvpn which is not the cheapest and works well on android but will not work on Linux Mint 18.
    Why should I have to pay for a second VPN which will work on linux

    • You can just use it manually by installing the OpenVPN package for Linux and downloading the server config files.

  • CyberGost isn’t free for Linux. There is a free version for Windows but you have to have a paid account to use it with Linux.

Leave a Reply

Your email address will not be published. Required fields are marked *