The Best VPNs for Linux (and Which to Avoid) in 2019

Last Updated by Sam Smith on April 24, 2019

So, you’ve completed the first step. You’ve successfully migrated to Linux and you are now well accustomed to its own unique benefits and quirks.

You’ve been enjoying the added security features of your distro and everything is going great but there is still that niggle at the back of your mind that your privacy might be at risk.

Well, you’ll be pleased to know that just like with Windows and MacOS, a VPN can be installed to take your security up to the next level.

VPN stands for Virtual Private Network and it is used to spoof a person’s IP address, making their location anonymous to anyone trying to trace them.

Just because Linux isn’t full of backdoors like proprietary operating systems, it doesn’t mean it is unhackable and most hacks start by obtaining an IP. With an IP address, a hacker can do all sorts of things such as:

  • Find out which network you are on
  • Look at what devices are on that network
  • Figure out which operating system you are using based on which device is yours
  • Plan an attack on that system
  • Install malware
  • Potentially steal data or hold your system at ransom, among other things

The fact that all of this can be done just by obtaining an IP address is pretty scary, which is why it is imperative that you protect your anonymity with a top-notch VPN.

Before we look at the best VPNs for Linux though, let’s take a look at ways to secure your Linux system itself, as it is always best to build from a solid foundation, rather than tape over the cracks.

1. What makes a good VPN for Linux?

Now that your Linux system is fairly secure, it’s time to look at VPNs. Choosing a VPN isn’t that easy as you want to make sure you are getting good value for your money.

Therefore, let’s establish a few key things to look for in a VPN.

  • Servers
    As VPNs work by spoofing your location, you want to be sure you are going to have plenty of servers across a wide range of locations to choose from. This will not only allow you to access content in a range of different countries but it will also mean that you should always be able to find a decent connection in your country of choice.
  • Security
    This one is obvious, but you need to be sure the VPN you choose is secure. This can be done simply by checking reviews for the service or by looking at the security specs themselves. Without adequate security, you run the risk of having your IP leaked which could potentially lead to a loss of data if in the wrong hands.
  • Interface
    A good VPN usually doesn’t come cheap. For this reason, the interface should be easy to use with plenty of options for configuration. Money buys convenience after all and there’s no point spending big on a VPN if it is too complicated for you to make full use of.

2. Three Best VPNs for Linux

Now that we have established what to look for in a VPN, let’s take a look at the best VPNs for Linux.

1. ExpressVPN – Compatible with Multiple Distros

Key features:

  • Linux Support
  • Onion routing
  • Fast

This VPN is currently the most popular in the world thanks to its wide range of features and built-in onion routing. It also supports both 32-bit and 64-bit versions of various Linux distros, such as Ubuntu, Debian, Fedora, and CentOS, making it an excellent option for anyone using those systems.

In terms of performance, ExpressVPN delivers fast and consistent speeds over both short and long distances. There are also over 2000 different servers to choose from that span across 148 locations in 94 different countries.

One thing to note, however, is that the Linux version doesn’t include a desktop GUI, meaning all configuration needs to be done in the Terminal. The good news is that the setup process is still very easy and arguably faster thanks to the text-based interface.

2. NordVPN – Enhanced Encryption

Key features:

  • Dedicated Linux App
  • Great server selection
  • Tight security

If you are looking for a VPN with advanced configuration options, NordVPN is a great option. This complex level of configurability probably won’t appeal to a lot of casual users but it does mean that NordVPN is able to offer some of the tightest security options available.

There are also over 5,000 servers to choose from in over 60 locations, meaning a fast connection should never be too hard to find.

Lastly, the service is also relatively cheap and the value for money is really good considering the level of control you get over the VPN.

3. AirVPN

Key features:

  • Full GUI
  • Accepts Bitcoin
  • Has a kill switch

AirVPN runs on an OpenVPN-based service and has received a lot of praise about being highly transparent and open about its network. Like ExpressVPN, it works with both 32-bit and 64-bit Linux systems making it highly compatible.

Unlike ExpressVPN though, there is also a GUI included, giving you the option of either using the graphical interface or the command line. The GUI itself is rather basic but includes all of the necessary features you will need to get the VPN up and running.

One of the weaker aspects of this VPN though is that there is a relatively small number of servers and locations to choose from. This will most likely improve if the VPN continues to grow in popularity, but as it stands, you might find the service to be a little limited.

3. Some VPNs to avoid

Although there are many good VPNs available for Linux there are also a few you should steer clear of. Some VPNs to avoid include:

  • Betternet – Part of an ad platform that accesses cookies so that it can target you with personalized ads.
  • Hide.me – Slow speeds and it doesn’t support OpenVPN which is the recommended protocol for online security.
  • Hola – This one is a peer-to-peer proxy browser extension that works like a VPN but has no centralized servers. Instead, users route their data through the devices of other Hola users. This could, therefore, make you responsible for the activities of other users.

4. Securing Linux

1. Install only what you need

The first thing you want to make sure of is that you are only installing exactly what you need to. Keeping your distro lean will not only mean better performance but it will also mean that you are less likely to install malware disguised as something else. Basically, if something is optional, leave it out.

2. Secure console access

One of the most important things you should do is protect the Linux server’s console access by disabling booting from external devices such as DVDs, CDs, and flash drives after BIOS setup. You should also set a password on your BIOS and GRUB boot loader to protect these settings.

3. Encrypt your drive

When you install your Linux distro, you will be asked if you would like to encrypt your drive. This is worth doing as it will mean your data remains safe. It does mean you will be asked for a password to decrypt the drive upon login, but this is a small price to pay for securing your data.

4. Enable your firewall

This is something that every Linux user should do when they first install a Linux distribution. It is more a matter of good security practice, though, as even with the firewall disabled, the ports are locked down either way. But, of course, you never know, and for this reason it is best to enable the firewall just in case.

To do so, you will need to open your Terminal and enter:

sudo apt-get install gufw

GUFW stands for “Graphical Uncomplicated FireWall”. The command above will install it. Once the install is complete, open the program by typing “gufw” in your Terminal and hitting Enter.

After you open it, you should be presented with a simple interface that has a few different options to play with. Simply navigate to the “Status” button and turn it from OFF to ON. Then, exit the program.

The firewall is now enabled.

5. Disable SSH login via Root

Another thing you will want to do is prevent anyone from logging in as root via SSH. To do this, you will first need to access the file responsible for the configuration of SSH. The file has the following location:

/etc/ssh/sshd_config

After you have located this file, open it using a text editor and remove the ‘#’ symbol from the following line of code.

#PermitRootLogin no
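
sshd uses the first value it reads for each keyword, so uncommenting the line only helps if no earlier active PermitRootLogin line exists in the file. The check below is an added example, not part of the original article: effective_root_login is a hypothetical helper, the three config snippets are constructed, and it assumes whitespace-separated keywords and ignores Include files and Match blocks.

```shell
#!/bin/sh
# Added example, not from the article. effective_root_login is a hypothetical
# helper; the three sshd_config snippets below are constructed.

# Print the PermitRootLogin value sshd would take from FILE's global section,
# or "default" when no active (uncommented) line sets it.
effective_root_login() {
  awk '
    /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
    tolower($1) == "match" { exit }       # global section ends at first Match
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "default" }   # still commented: built-in default
  ' "$1"
}

dir=$(mktemp -d)
# The line as shipped: commented out, so the edit has not been made yet.
printf '#PermitRootLogin no\n' > "$dir/commented"
# The line after removing the '#'.
printf 'PermitRootLogin no\n' > "$dir/fixed"
# An earlier active line wins over the uncommented one further down.
printf 'permitrootlogin yes\nPermitRootLogin no\n' > "$dir/shadowed"

for f in commented fixed shadowed; do
  printf '%-10s %s\n' "$f" "$(effective_root_login "$dir/$f")"
done
rm -rf "$dir"
```

On a live system, sshd -T prints the effective configuration, and the edited file only takes effect once the SSH service is restarted or reloaded.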

6. Turn on SELinux

Security-Enhanced Linux (SELinux) is an access control security mechanism provided in the kernel. The mechanism has three basic levels of operation which include:

  • Enforcing – This is the default mode, which enables and enforces the SELinux security policy on the machine.
  • Permissive – This mode is a little less secure as it doesn’t enforce the security policy. Instead, it simply warns and logs actions.
  • Disabled – in this mode, SELinux is turned off.

SELinux can be managed from the ‘/etc/selinux/config’ file, where you can enable or disable it.

5. Use Anti-Virus

I know, I know, anti-virus software is completely unnecessary for Linux systems right? Wrong. Although most malware is targeted at Windows machines, there is still plenty of malware out there designed to attack Linux systems as well. The probability of being hit with one of them is low but an article on Linux security wouldn’t be complete without mentioning this so here it is.

The good news is that there are a lot of anti-virus programs out there and the easiest way to find them is with a simple Google search. A lot of them should be free as well which is a bonus.

6. Most secure Linux distributions

Now that we have established a few ways to help secure your Linux system, let’s take a look at a list of the most secure Linux distributions currently available.

Top 5 most secure distros:

  1. Qubes OS
    If you are looking for the most secure distro for your desktop, Qubes is the way to go. It is a Fedora-based OS with a focus on desktop security. One of the things that makes it so secure is its ability to isolate and virtualize various VMs separately.
  2. Tails
    This distro has been targeted at personal computers and has been designed to prioritize keeping you safe and secure while you browse the internet.
  3. Parrot Security OS
    This operating system is a game-changer to security and privacy. It has been designed primarily for forensics but regular people can also make use of some of its built-in security features such as onion routing for increased anonymity online.
  4. Kali Linux
    When it comes to security, Kali Linux is probably the most famous distro of them all. It has been designed for pentesters and forensics experts and comes with a wide range of security tools just like Parrot OS.
  5. Whonix
    If your main concern is protecting your IP, Whonix is a great distro to go for. It focuses specifically on privacy and anonymity and this is provided by isolation. The OS is made up of two major parts. One is a Workstation and the other is a Gateway. The gateway acts as a middleman and uses the Tor network to keep all connections anonymous.

7. Common questions about using a VPN

At this point, you probably have a number of questions related to using a VPN. So before we continue, let’s go over some of the most commonly asked questions when it comes to VPNs.

Will a VPN keep logs?

The short answer is no, provided it is a good VPN. As the VPN business model is centered around maintaining privacy, it would be rather hypocritical for providers to then keep logs of your activity. Having said that, there are some VPNs that do, so make sure to check before signing up to any of them. Usually logs are only kept to help generate personalized ads, but even so, you should still see it as a red flag.

Can you use two VPNs at the same time?

For even more security, two VPNs can be used at the same time. Think of it like wearing an extra pair of socks to keep your feet warm. The first pair does the job but by adding more layers you reduce the chances of any cold air getting through.

The issue with using multiple VPNs though is that the speed will be affected quite considerably so it is recommended to just use one good VPN.

Which VPN protocol should I use?

When it comes to protocols, you have a few different ones to choose from such as L2TP/IPsec, PPTP, SSTP, and IKEv2. It is recommended, however, to use OpenVPN as it is the fastest and most secure.

What’s the difference between shared IP and dedicated IP?

A shared IP address is commonly used by VPN providers since it’s not feasible to give each user a unique IP address. It also helps with anonymity as it means a large number of people will all be using the same IP address.

A dedicated IP address is usually available if you are willing to pay a little extra. It can come in useful if you don’t want to have to enter extra information every time you log into online banking or any other site that simplifies the login process by remembering your IP.

What’s the difference between Smart DNS, proxy, and VPN?

Smart DNS works by masking an IP address, letting you access a website or service without geo-restrictions. It works by using the DNS proxy to override the selected DNS entries so that the DNS queries resolve to the proxy, instead of the real server.

A proxy works in a similar way to a VPN but is usually based on a web browser or application instead. Unlike a VPN, it doesn’t encrypt all of your outgoing traffic though, as it only focuses on one source.

A VPN, on the other hand, does encrypt all of your outgoing traffic while also masking your IP address. For this reason, it is usually the preferred solution for achieving maximum security on your computer.

8. How to install and connect to OpenVPN

If you would rather install OpenVPN and set up your own access server, you can do this as well. To install OpenVPN, enter either of the following commands, depending on your distro.

Fedora/CentOS/RedHat

yum install openvpn

Ubuntu/Debian

apt-get install openvpn

Once you have fetched and installed the program, run it using the “--version” argument to check you are using version 2.1.

openvpn --version

Now that you know you have the right package installed, it is time to make a connection. To manually start a connection using an auto-login profile, run the following command.

openvpn --config client.ovpn

Alternatively, if you wish to start a connection with a user-locked profile you will need to use the following command instead.

openvpn --config client.ovpn --auth-user-pass

There you have it, you should now have an OpenVPN server successfully running on your Linux machine. What you do with it next, of course, is your business.

9. How to make a VPN kill switch in Linux

To protect yourself from exposure in case your VPN disconnects, you’ll need to create a VPN kill switch. The kill switch will drop all your outgoing traffic whenever the VPN disconnects.

Linux users have the option of using either iptables or ufw to set up a VPN kill switch, but we’ll use iptables for this guide.

Step 1: Get Network Interface Name and Network Subnet

To start configuring your kill switch, you need to know:

  • The device’s network interface name.
  • The client’s local network’s subnet.

To get these details, run the command route on your device. You should get something similar to this:

Under the column Iface, you’ll see your interface name (wlp6s0 in this case).

The last line under the column Genmask should show you your local network’s subnet (255.255.255.0). We’ll use these details to replace wlp6s0 and 192.168.0.0/24 in the code in step 3.

Step 2: Configuring client.ovpn

We need to change the client.ovpn configuration file as follows:

  1. Change dev tun to dev tun0 so that the virtual network adapter has a fixed name:
dev tun0
  2. Now, make sure that your VPN server is listed by its IP address rather than a hostname. This is set in the remote line:
remote 198.51.100.0 1194

Step 3: Setting up the kill switch / firewall

Create a shell script with the following iptables ruleset:

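#!/bin/bash
# Start clean: flush all rules and delete user-defined chains (filter and nat tables)
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
# Drop outgoing traffic by default; only the exceptions below may leave the machine
iptables -P OUTPUT DROP
# Loopback traffic
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
# Local network on the physical interface
iptables -A INPUT --src 192.168.0.0/24 -j ACCEPT -i wlp6s0
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT -o wlp6s0
# The OpenVPN server itself (UDP port 1194) on the physical interface
iptables -A OUTPUT -j ACCEPT -d 198.51.100.0 -o wlp6s0 -p udp -m udp --dport 1194
iptables -A INPUT -j ACCEPT -s 198.51.100.0 -i wlp6s0 -p udp -m udp --sport 1194
# Everything that goes through the VPN tunnel
iptables -A INPUT -j ACCEPT -i tun0
iptables -A OUTPUT -j ACCEPT -o tun0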

Note: You need to replace the interface name and IPs with the ones you retrieved in step 1.

Now, save the script as iptables-vpn.sh, and then set the permissions using chmod and execute the script:

chmod +x iptables-vpn.sh
./iptables-vpn.sh

This new ruleset has now replaced any existing iptables rules. To act as a kill switch, it now drops all your outgoing traffic other than the netblock we have allowed.

However, the ruleset is only temporary. To make it permanent, you might need to install the “iptables-persistent” package for your distribution.

Otherwise, set it to run on reboot by adding this line to /etc/crontab:

@reboot root /path/iptables-vpn.sh

Your kill switch should now be active!
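
The three steps above can be tied together so that the firewall rules are derived from client.ovpn instead of being edited by hand, which keeps the two from drifting apart. The script below is an added example, not part of the original guide: gen_killswitch and is_ipv4 are hypothetical helper names, the sample profile is constructed, and the script only prints the rules. It goes slightly beyond the guide by reading the port and protocol from the profile, falling back to OpenVPN's defaults of 1194 and UDP.

```shell
#!/bin/sh
# Added example, not from the article: print the Step 3 ruleset using the
# values in client.ovpn. Helper names and the sample profile are constructed.

# is_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255.
is_ipv4() {
  echo "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# gen_killswitch PROFILE IFACE LAN_CIDR: print the iptables commands, or
# return 1 when the profile does not meet the Step 2 requirements.
gen_killswitch() {
  cfg=$1; ifc=$2; lan=$3
  dev=$(awk '$1 == "dev" { print $2; exit }' "$cfg")
  proto=$(awk '$1 == "proto" { print $2; exit }' "$cfg")
  set -- $(awk '$1 == "remote" { print $2, $3, $4; exit }' "$cfg")
  host=$1; port=${2:-1194}; proto=${3:-${proto:-udp}}
  case $proto in tcp*) proto=tcp ;; *) proto=udp ;; esac

  # The rules name one tunnel device, so a bare "dev tun" is refused.
  case $dev in
    tun[0-9]*|tap[0-9]*) ;;
    *) echo "dev must name a fixed device such as tun0" >&2; return 1 ;;
  esac
  # The rules allow exactly one server address, so a hostname is refused.
  is_ipv4 "$host" || { echo "remote must be an IPv4 address" >&2; return 1; }

  cat <<EOF
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
iptables -P OUTPUT DROP
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A INPUT --src $lan -j ACCEPT -i $ifc
iptables -A OUTPUT -d $lan -j ACCEPT -o $ifc
iptables -A OUTPUT -j ACCEPT -d $host -o $ifc -p $proto -m $proto --dport $port
iptables -A INPUT -j ACCEPT -s $host -i $ifc -p $proto -m $proto --sport $port
iptables -A INPUT -j ACCEPT -i $dev
iptables -A OUTPUT -j ACCEPT -o $dev
EOF
}

# Constructed sample profile using the article's placeholder server address.
sample=$(mktemp)
printf 'client\ndev tun0\nproto udp\nremote 198.51.100.0 1194\n' > "$sample"
gen_killswitch "$sample" wlp6s0 192.168.0.0/24
rm -f "$sample"
```

Redirect the output to iptables-vpn.sh and review it before running it as root.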

Written By Sam Smith
Sam is a web security expert from the UK specializing in Cybersecurity and Computer Science.