Why Linux VPN support still varies so much
Most VPN providers build their Linux client last, after Windows and macOS are polished. The result: some Linux clients are full GUI apps that work well across distributions, and some are command-line-only tools with sparse documentation. A few providers genuinely invest in Linux. Those are the ones worth your money if Linux is your primary OS.
This guide covers five providers that do Linux well, with the specific packages they ship, the CLI commands you actually need, and the practical details around kill switches and DNS leaks on modern Linux systems.
ProtonVPN: open-source Linux app with WireGuard native
ProtonVPN offers a native Linux GUI app that runs on Ubuntu, Debian, Fedora, and Arch-based distributions. The app is open source and available on GitHub, which means anyone can audit it. WireGuard is the default protocol and connects in under a second on most hardware. OpenVPN is available if you need it for specific network conditions.
Packages: ProtonVPN ships both a .deb package (for Ubuntu, Debian, Linux Mint) and a .rpm package (for Fedora, CentOS, RHEL). Installation is straightforward. The kill switch works correctly and blocks all traffic if the VPN connection drops. The free tier includes unlimited bandwidth, which makes ProtonVPN worth testing before you commit.
Basic CLI commands: protonvpn-cli connect connects to the fastest server. protonvpn-cli connect --cc DE connects to a German server. protonvpn-cli disconnect disconnects. protonvpn-cli status shows current connection state. NetworkManager integration is available via a separate package for users who want to manage the connection from the GNOME network menu rather than the CLI.
Mullvad: WireGuard plus OpenVPN, CLI and GUI on any distro
Mullvad has one of the best Linux setups of any VPN provider. The GUI app works on Ubuntu, Fedora, and Debian-based distributions without extra dependencies. A fully functional CLI is included in the same package for headless server use. Mullvad requires no email address to sign up: you get a randomly generated account number and nothing else ties the account to your identity.
Packages: Mullvad ships .deb and .rpm packages directly from their website, and the app is also available on Flathub. WireGuard is the default. OpenVPN is available as a fallback. The kill switch is native to the app and works reliably across distributions.
Basic CLI commands: mullvad connect to connect. mullvad disconnect to disconnect. mullvad relay set location se to set country to Sweden. mullvad status for current state. mullvad lockdown-mode set on activates a system-level kill switch that persists even when the app is not running, using iptables rules under the hood. Price: 5 euros per month flat, no annual discount.
ExpressVPN: CLI only on Linux, Lightway protocol
ExpressVPN has a Linux CLI client. There is no native GUI app for Linux; you control it entirely from the command line. This is a limitation if you want a graphical interface, but the CLI is well-documented and reliable. Lightway, ExpressVPN's proprietary protocol, is supported on Linux in addition to OpenVPN. Lightway is faster than OpenVPN and reconnects more quickly after network interruptions.
Packages: ExpressVPN ships a .deb package and a .rpm package. The installer handles the setup automatically.
Basic CLI commands: expressvpn connect connects to the recommended server. expressvpn connect smart uses Smart Location to pick the best server. expressvpn connect US - New York - 1 connects to a specific location. expressvpn disconnect to disconnect. expressvpn status for current state. The kill switch is configurable via expressvpn preferences set network_lock on.
NordVPN: Linux CLI with NordLynx WireGuard protocol
NordVPN offers a well-maintained Linux CLI client. NordLynx, NordVPN's protocol built on WireGuard, is available on Linux and delivers strong performance. There is no native GUI app; all operations go through the terminal. The documentation is thorough and the client receives regular updates.
Packages: NordVPN provides a .deb package and a .rpm package. They also publish an official installation script that detects your distribution and installs the correct package. This is the easiest install path if you are not sure which package to use.
Basic CLI commands: nordvpn connect connects to the fastest server. nordvpn connect Germany connects to a server in Germany. nordvpn disconnect to disconnect. nordvpn set killswitch on enables the kill switch. nordvpn set technology nordlynx switches to the WireGuard-based protocol. nordvpn status shows connection details including your current IP.
IVPN: open source, advanced routing, manual WireGuard
IVPN is a privacy-focused provider with a fully open-source client available on Linux. The app supports WireGuard and OpenVPN, and includes multi-hop routing (your traffic goes through two servers in different countries before reaching the destination). This adds latency but increases privacy significantly by separating the server that knows your IP from the server that knows your destination.
Packages: IVPN ships .deb and .rpm packages from their website. The app includes both a GUI and CLI. For advanced users, IVPN also provides WireGuard configuration files that work directly with Linux's built-in WireGuard kernel module, without needing the IVPN app at all.
Basic CLI commands: ivpn connect to connect. ivpn connect -multihop -exit de for multi-hop routing with exit in Germany. ivpn disconnect to disconnect. ivpn firewall on enables the kill switch. IVPN's WireGuard config files can also be imported directly into NetworkManager: right-click the network icon, select Import a saved VPN configuration, and point it at the .conf file.
Linux-specific details: .deb vs .rpm, kill switch, DNS leaks
.deb vs .rpm packages. Use .deb on Ubuntu, Debian, Linux Mint, Pop!_OS, and other Debian-based distributions. Use .rpm on Fedora, CentOS, RHEL, openSUSE, and SUSE-based systems. If you are on Arch or Manjaro, check the AUR first: ProtonVPN, Mullvad, and NordVPN all have AUR packages. Flatpak is an option for Mullvad and ProtonVPN if you want a distribution-agnostic install path.
Kill switch on Linux. VPN apps on Linux implement kill switches either through their own iptables rules or through NetworkManager's strict binding. Both approaches block traffic when the VPN drops. The difference is what happens if the app crashes or you kill the process: apps like Mullvad with lockdown mode use persistent iptables rules that survive an app crash. Apps that inject rules only while running may leave a gap if the process dies unexpectedly. Check your VPN's documentation to confirm which approach it uses.
To verify your kill switch manually: connect to the VPN, then run sudo iptables -L. You should see rules that DROP or REJECT traffic on interfaces other than the VPN tunnel. If the OUTPUT chain shows only ACCEPT with no interface filtering, the kill switch may not be active at the iptables level.
DNS leak prevention on systemd-resolved. Modern Linux distributions use systemd-resolved for DNS. When a VPN is active, DNS queries should go through the VPN tunnel and hit the VPN provider's DNS servers, not your ISP. Some VPN apps configure this correctly and some do not.
To check: connect to your VPN, then run resolvectl status. Look at the DNS Servers line for your VPN tunnel interface (usually wg0 or tun0). It should show the VPN provider's DNS server, not your router's IP or your ISP's DNS. If it shows your ISP's DNS, your DNS is leaking.
To fix manually: edit /etc/systemd/resolved.conf, set DNS= to the VPN's DNS server address, and set DNSOverTLS=yes if your provider supports it. Then run sudo systemctl restart systemd-resolved. The VPN apps from ProtonVPN and Mullvad handle this automatically in most cases; NordVPN and ExpressVPN require verification.
NetworkManager integration
All five providers support WireGuard or OpenVPN, both of which integrate with NetworkManager. You can import a .conf file directly into NetworkManager via the GUI (Settings, then Network, then the plus button) or via the command line with nmcli connection import type wireguard file yourconfig.conf. Once imported, the connection appears in your network menu and can be toggled without opening a terminal. This is the most convenient approach for desktop users who find the app CLI tedious.
Which VPN to choose for Linux?
For a full GUI experience with open-source code: ProtonVPN or Mullvad. For the strictest privacy with no email required: Mullvad. For multi-hop routing and advanced network control: IVPN. For users already subscribed on other platforms: NordVPN or ExpressVPN extend cleanly to Linux without extra cost. All five provide working kill switches and DNS leak protection when configured correctly.