The Best VPNs for Linux (and Which to Avoid) in 2020
Last Updated by Sam Smith on June 01, 2020
You’ve been enjoying the added security features of your distro and everything is going great but there is still that niggle at the back of your mind that your privacy might be at risk.
Well, you’ll be pleased to know that just like with Windows and MacOS, a VPN can be installed to take your security up to the next level.
Just because Linux isn’t full of backdoors like proprietary operating systems, it doesn’t mean it is unhackable and most hacks start by obtaining an IP. With an IP address, a hacker can do all sorts of things such as:
- Find out which network you are on
- Look at what devices are on that network
- Figure out which operating system you are using based on which device is yours
- Plan an attack on that system
- Install malware
- Potentially steal data or hold your system at ransom, among other things
The fact that all of this can be done just by obtaining an IP address is pretty scary, which is why it is imperative that you protect your anonymity with a top-notch VPN.
Before we look at the best VPNs for Linux though, let’s take a look at ways to secure your Linux system itself, as it is always best to build from a solid foundation rather than tape over the cracks.
- 1 What makes a good VPN for Linux?
- 2 Three Best VPNs for Linux
- 3 Some VPNs to avoid
- 4 Securing Linux
- 5 Use Anti-Virus
- 6 Most secure Linux distributions
- 7 Common questions about using a VPN
- 8 How to install and connect to OpenVPN
- 9 How to make a VPN kill switch in Linux
1 What makes a good VPN for Linux?
Now that your Linux system is fairly secure, it’s time to look at VPNs. Choosing a VPN isn’t that easy as you want to make sure you are getting good value for your money.
Therefore, let’s establish a few key things to look for in a VPN.
2 Three Best VPNs for Linux
Now that we have established what to look for in a VPN, let’s take a look at the best VPNs for Linux.
1 ExpressVPN – Compatible with Multiple Distros
- Linux Support
- Onion routing
This VPN is currently the most popular in the world thanks to its wide range of features and built-in onion routing. It also supports both 32-bit and 64-bit versions of various Linux distros, such as Ubuntu, Debian, Fedora, and CentOS, making it an excellent option for anyone using those systems.
In terms of performance, ExpressVPN delivers fast and consistent speeds over both short and long distances. There are also over 2000 different servers to choose from that span across 148 locations in 94 different countries.
One thing to note, however, is that the Linux version doesn’t include a desktop GUI, meaning all configuration needs to be done in the Terminal. The good news is that the setup process is still very easy and arguably faster thanks to the text-based interface.
2 NordVPN – Enhanced Encryption
- Dedicated Linux App
- Great server selection
- Tight security
If you are looking for a VPN with advanced configuration options, NordVPN is a great option. This complex level of configurability probably won’t appeal to a lot of casual users but it does mean that NordVPN is able to offer some of the tightest security options available.
There are also over 5,000 servers to choose from in over 60 locations, meaning a fast connection should never be too hard to find.
Lastly, the service is also relatively cheap, and the value for money is really good considering the level of control you get over the VPN.
3 AirVPN
- Full GUI
- Accepts Bitcoin
- Has a kill switch
AirVPN runs on an OpenVPN-based service and has received a lot of praise for being highly transparent and open about its network. Like ExpressVPN, it works with both 32-bit and 64-bit Linux systems, making it highly compatible.
Unlike ExpressVPN though, there is also a GUI included, giving you the option of either using the graphical interface or the command line. The GUI itself is rather basic but includes all of the necessary features you will need to get the VPN up and running.
One of the weaker aspects of this VPN though is that there is a relatively small number of servers and locations to choose from. This will most likely improve if the VPN continues to grow in popularity, but as it stands, you might find the service to be a little limited.
3 Some VPNs to avoid
- Betternet – Part of an ad platform that accesses cookies so that it can target you with personalized ads.
- Hide.me – Slow speeds and it doesn’t support OpenVPN which is the recommended protocol for online security.
- Hola – This one is a peer-to-peer proxy browser extension that works like a VPN but has no centralized servers. Instead, users route their data through the devices of other Hola users. This could, therefore, make you responsible for the activities of other users.
4 Securing Linux
1 Install only what you need
The first thing you want to make sure of is that you are only installing exactly what you need to. Keeping your distro lean will not only mean better performance but it will also mean that you are less likely to install malware disguised as something else. Basically, if something is optional, leave it out.
2 Secure console access
One of the most important things you should do is protect the Linux server’s console access by disabling booting from external devices such as DVDs, CDs, and flash drives after BIOS setup. You should also set a password on your BIOS and GRUB boot loader to protect these settings.
3 Encrypt your drive
When you install your Linux distro, you will be asked if you would like to encrypt your drive. This is worth doing as it will mean your data remains safe. It does mean you will be asked for a password to decrypt the drive upon login, but this is a small price to pay for securing your data.
4 Enable your firewall
This is something that every Linux user should do when they first install a Linux distribution. It is more a matter of good security practice, though, as even with the firewall disabled, the ports are locked down either way. But, of course, you never know, and for this reason it is best to enable the firewall just in case.
To do so, you will need to open your Terminal and enter:
GUFW stands for “Graphical Uncomplicated FireWall”. The command above will install it. Once the install is complete, open the program by typing “gufw” in your Terminal and hitting Enter.
After you open it, you should be presented with a simple interface that has a few different options to play with. Simply navigate to the “Status” button and turn it from OFF to ON. Then, exit the program.
The firewall is now enabled.
5 Disable SSH login via Root
Another thing you will want to do is prevent anyone from logging in as root via SSH. To do this, you will first need to access the file responsible for the configuration of SSH. The file has the following location:
After you have located this file, open it using a text editor and remove the ‘#’ symbol from the following line of code.
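To confirm the change took effect, the check below is an added example, not part of the original article. It assumes the setting in question is OpenSSH's PermitRootLogin keyword in sshd_config and a single config file; the function names and the sample config are constructed for illustration. It shows why editing one line may not be enough: sshd uses the first value it finds for a keyword.

```shell
#!/bin/sh
# Added example: report the global PermitRootLogin value sshd would use.
# Assumes a single config file (no Include directives are followed).

# Print the effective value from the sshd_config at $1, or "default" if unset.
effective_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }                 # ignore leading indentation
        /^#/ || NF == 0 { next }               # commented-out or blank line
        tolower($1) == "match" { exit }        # Match blocks are conditional
        tolower($1) == "permitrootlogin" { val = tolower($2); exit }  # first wins
        END { print (val == "" ? "default" : val) }
    ' "$1"
}

# Succeeds only when root login over SSH is explicitly switched off.
root_login_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed sample: the "no" line is live, but an earlier "yes" overrides it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PermitRootLogin yes
#PermitRootLogin prohibit-password
PermitRootLogin no
EOF
if root_login_disabled "$sample"; then echo "root login disabled"
else echo "root login NOT disabled: $(effective_root_login "$sample")"; fi
rm -f "$sample"
```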
6 Turn on SELinux
Security-Enhanced Linux (SELinux) is an access control security mechanism provided in the kernel. The mechanism has three basic modes of operation:
- Enforcing – This is the default mode, which enables and enforces the SELinux security policy on the machine.
- Permissive – This mode is a little less secure as it doesn’t enforce the security policy. Instead, it simply warns and logs actions.
- Disabled – In this mode, SELinux is turned off.
SELinux can be managed from the ‘/etc/selinux/config’ file, where you can enable or disable it.
5 Use Anti-Virus
I know, I know, anti-virus software is completely unnecessary for Linux systems, right? Wrong. Although most malware is targeted at Windows machines, there is still plenty of malware out there designed to attack Linux systems as well. The probability of being hit with one of them is low, but an article on Linux security wouldn’t be complete without mentioning this, so here it is.
The good news is that there are a lot of anti-virus programs out there and the easiest way to find them is with a simple Google search. A lot of them should be free as well which is a bonus.
6 Most secure Linux distributions
Now that we have established a few ways to help secure your Linux system, let’s take a look at a list of the most secure Linux distributions currently available.
Top 5 most secure distros:
7 Common questions about using a VPN
At this point, you probably have a number of questions related to using a VPN. So before we continue, let’s go over some of the most commonly asked questions when it comes to VPNs.
Will a VPN keep logs?
The short answer is no, provided it is a good VPN. As the VPN business model is centered around maintaining privacy, it would be rather hypocritical for providers to then keep logs of your activity. Having said that, there are some VPNs that do, so make sure to check before signing up to any of them. Usually logs are only kept to help generate personalized ads, but even so, you should still see it as a red flag.
Can you use two VPNs at the same time?
For even more security, two VPNs can be used at the same time. Think of it like wearing an extra pair of socks to keep your feet warm. The first pair does the job but by adding more layers you reduce the chances of any cold air getting through.
The issue with using multiple VPNs though is that the speed will be affected quite considerably so it is recommended to just use one good VPN.
Which VPN protocol should I use?
When it comes to protocols, you have a few different ones to choose from, such as L2TP/IPsec, PPTP, SSTP, and IKEv2. It is recommended, however, to use OpenVPN as it is the fastest and most secure.
What’s the difference between shared IP and dedicated IP?
A shared IP address is commonly used by VPN providers since it’s not feasible to give each user a unique IP address. It also helps with anonymity as it means a large number of people will all be using the same IP address.
A dedicated IP address is usually available if you are willing to pay a little extra. It can come in useful if you don’t want to have to enter extra information every time you log into online banking or any other site that simplifies the login process by remembering your IP.
What’s the difference between Smart DNS, proxy, and VPN?
Smart DNS works by masking an IP address, letting you access a website or service without geo-restrictions. It works by using the DNS proxy to override the selected DNS entries so that the DNS queries resolve to the proxy, instead of the real server.
A proxy works in a similar way to a VPN but is usually based on a web browser or application instead. Unlike a VPN, it doesn’t encrypt all of your outgoing traffic though, as it only focuses on one source.
A VPN, on the other hand, does encrypt all of your outgoing traffic while also masking your IP address. For this reason, it is usually the preferred solution for achieving maximum security on your computer.
8 How to install and connect to OpenVPN
If you would rather install OpenVPN and set up your own access server, you can do this as well. To install OpenVPN, enter either of the following commands, depending on your distro.
Once you have fetched and installed the program, run it using the “--version” argument to check you are using version 2.1.
Now that you know you have the right package installed, it is time to make a connection. To manually start a connection using an auto-login profile, run the following command.
Alternatively, if you wish to start a connection with a user-locked profile you will need to use the following command instead.
There you have it, you should now have an OpenVPN server successfully running on your Linux machine. What you do with it next, of course, is your business.
9 How to make a VPN kill switch in Linux
To prevent yourself from exposure in case your VPN disconnects, you’ll need to create a VPN kill switch. The kill switch will drop all your outgoing traffic whenever the VPN disconnects.
Linux users have the option of using either iptables or ufw to set up a VPN kill switch, but we’ll use iptables for this guide.
Step 1: Get Network Interface Name and Network Subnet
To start configuring your kill switch, you need to know:
- The device’s network interface name.
- The client’s local network’s subnet.
To get these details, run the command route on your device. You should get something similar to this:
The last line under the column Genmask should show you your local network’s subnet (255.255.255.0). We’ll use these details to replace wlp6s0 and 192.168.0.0/24 in the code in step 3.
Step 2: Configuring client.ovpn
We need to change the client.ovpn configuration file as follows:
- Change dev tun to dev tun0 to specify the virtual network adapter
- Now, make sure that your VPN server is listed by its IP address rather than a hostname. This is in the remote
Step 3: Setting up the kill switch / firewall
Create a shell script with the following iptables ruleset:
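#!/bin/sh
# Clear the existing filter and NAT rules
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
# Drop all outgoing traffic by default
iptables -P OUTPUT DROP
# Allow loopback traffic
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
# Allow traffic to and from the local network
iptables -A INPUT --src 192.168.0.0/24 -j ACCEPT -i wlp6s0
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT -o wlp6s0
# Allow the OpenVPN connection to the VPN server (UDP port 1194)
iptables -A OUTPUT -j ACCEPT -d 198.51.100.0 -o wlp6s0 -p udp -m udp --dport 1194
iptables -A INPUT -j ACCEPT -s 198.51.100.0 -i wlp6s0 -p udp -m udp --sport 1194
# Allow all traffic through the VPN tunnel
iptables -A INPUT -j ACCEPT -i tun0
iptables -A OUTPUT -j ACCEPT -o tun0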
Note: You need to replace the interface name and IPs with the ones you retrieved in step 1.
Now, save the script as iptables-vpn.sh, and then set the permissions using chmod and execute the script:
This new ruleset has now replaced any existing iptables rules. To act as a kill switch, it now drops all your outgoing traffic other than the netblock we have allowed.
However, the ruleset is only temporary. To make it permanent, you might need to install the “iptables-persistent” package for your distribution.
Otherwise, set it such that it runs on reboot by adding this line:
Your kill switch should now be active!
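Steps 2 and 3 combined, as an added example that is not part of the original article: it reads the remote, proto and dev directives from a client profile, refuses a hostname or an unnumbered tun device, and prints the matching ruleset for review instead of applying it. The function names, the constructed sample profile and the ip6tables line are additions made here; the interface, subnet and server IP are the placeholders used above.

```shell
#!/bin/sh
# Added example: prints the kill-switch rules for a client profile; applies nothing.

# Emit "host port proto dev" from profile $1 ("-" marks a missing value).
ovpn_endpoint() {
    awk '
        $1 == "remote" && host == "" { host = $2; if ($3 != "") port = $3; if ($4 != "") proto = $4 }
        $1 == "proto" && proto == "" { proto = $2 }
        $1 == "dev" { dev = $2 }
        END { print (host == "" ? "-" : host), (port == "" ? 1194 : port),
                    (proto == "" ? "udp" : proto), (dev == "" ? "-" : dev) }
    ' "$1"
}

is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# $1 = profile, $2 = LAN interface, $3 = LAN subnet (CIDR).
killswitch_rules() {
    read -r ip port proto tun <<EOF
$(ovpn_endpoint "$1")
EOF
    # The rules pin one server address, so the profile must name it by IP (step 2).
    is_ipv4 "$ip" || { echo "remote '$ip' is not an IPv4 address" >&2; return 1; }
    case "$tun" in tun[0-9]*) ;; *) echo "dev must be fixed, e.g. tun0" >&2; return 1 ;; esac
    case "$proto" in udp*) proto=udp ;; tcp*) proto=tcp ;; *) return 1 ;; esac
    cat <<EOF
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
iptables -P OUTPUT DROP
ip6tables -P OUTPUT DROP  # added here: the ruleset above covers IPv4 only
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A INPUT --src $3 -j ACCEPT -i $2
iptables -A OUTPUT -d $3 -j ACCEPT -o $2
iptables -A OUTPUT -j ACCEPT -d $ip -o $2 -p $proto -m $proto --dport $port
iptables -A INPUT -j ACCEPT -s $ip -i $2 -p $proto -m $proto --sport $port
iptables -A INPUT -j ACCEPT -i $tun
iptables -A OUTPUT -j ACCEPT -o $tun
EOF
}

# Demo on a constructed profile; 198.51.100.0 is the placeholder server IP used above.
demo=$(mktemp); printf 'dev tun0\nproto udp\nremote 198.51.100.0 1194\n' > "$demo"
killswitch_rules "$demo" wlp6s0 192.168.0.0/24; rm -f "$demo"
```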