In this article, we show you how to set up and configure a VPN on Linux. This guide contains simple steps to help you download and install a virtual private network service on your Linux distro, as well as quickly connect to and disconnect from a server. You will also find out how to configure VPN settings and how to uninstall the VPN.
Before diving into the instructions and screenshots, it is necessary to choose a VPN service. It might seem like a simple task, but it is crucial to compare the pros and cons of using a virtual private network tool. If you need help with making a good decision, you can trust our recommendations.
When we took on the challenge to find the best VPN services of 2019, we tested, reviewed and ranked over 50 virtual private network applications. Out of all, ExpressVPN (review here) and NordVPN (review here) came out on top due to their user-friendly interface, wide array of servers, security protocols, and excellent connection speed.
Therefore, if you are looking for recommendations, you can use either of these two services to secure your browsing, bypass censorship, and access streaming sites. This tutorial contains instructions for VPN setup on Linux using ExpressVPN and NordVPN. Before you begin, please make sure you have an active subscription plan to ExpressVPN (buy here) or NordVPN (buy here).
Here is a quick review of the topics
- How to set up a VPN client on Linux
- How to manually add a VPN connection on Linux
- What to choose between native apps and manual configuration?
The entire guide and screenshots below were taken on Debian 9 (with Gnome 3.22.2 shell extension). As such, please note that instructions may vary, depending on which Linux distro you are running.
How to set up a VPN client on Linux
Installing the VPN app specially designed for your distro is the easiest way to set up a VPN on Linux. You can easily switch between servers and take advantage of advanced settings like the kill switch. Here are the instructions that come with the ExpressVPN and NordVPN native clients.
ExpressVPN is the best VPN service available today. As such, we recommend using it to secure your browsing, bypass firewalls, access streaming sites, have private conversations, and so on. Here is the complete guide for using the app: download and install, connect to VPN server locations, configure VPN settings and uninstall the app.
Downloading and installing the app
There are only eight steps involved with installing the ExpressVPN app on Linux, and each one corresponds to an image in the gallery slider. Here is what you need to know.
Step 1: Do the following actions
- Go to the ExpressVPN site
- Click My Account and then sign into your premium account with a username and password (requires email confirmation for unknown devices)
- If you do not have an active subscription plan, you can buy one here (click Get ExpressVPN to get started)
- Return to the desktop
- To find out which architecture type you are running, go to Network
- Click to open Details (at System)
Step 2: Your architecture type is mentioned at Base system (either 32-bit or 64-bit). Keep this in mind
Step 3: Using your web browser, go back to My Account (at Step 1)
- Click Setup (the red button on the upper-right side of the page)
- The setup page does not become available if you do not sign in first (at Step 1)
- In the setup page, click Linux
- Select your Linux distro from the drop-down menu and make sure it matches your architecture type (the info you learned at Step 2)
- Click Download and save the file to your hard drive
- Copy the Activation Code displayed on this page by clicking the copy button on the upper-right part of its box (you will need it later after setup)
Step 4: Click to open the Activities bar, then click to launch a Terminal session
Step 5: In the Terminal
- Navigate to the directory where you downloaded the ExpressVPN setup file
- For example, if it is in Downloads, type cd ~/Downloads/
- Use dir to find out the correct name of the file (e.g., expressvpn_2.2.0-1_i386.deb)
- Select the name, right-click to open the context menu, and choose Copy
Step 6: Depending on which distro you are running, type the following command (paste the file name copied at Step 5)
- for Ubuntu, Mint and Debian: sudo dpkg -i <filename> (e.g., sudo dpkg -i expressvpn_2.2.0-1_i386.deb)
- for Fedora and CentOS: sudo yum install <filename> (e.g., sudo yum install expressvpn_2.2.0-1_i386.deb) or sudo dnf install <filename> (e.g., sudo dnf install expressvpn_2.2.0-1_i386.deb)
Step 7: To activate the premium version of ExpressVPN
- Type expressvpn activate
- When prompted by the Enter activation code message, paste what you copied at Step 3
- When asked to Help improve ExpressVPN, type Y if you are not sure
Step 8: Congratulations! You have successfully set up a VPN service on Linux using the ExpressVPN native application
- To connect, type expressvpn connect
- To disconnect, type expressvpn disconnect
Connecting to a different VPN server location
By default, ExpressVPN connects you to the last used VPN server location every time you use the expressvpn connect command. And, if it is the first session, it connects you to the Smart Location, which is automatically selected by ExpressVPN so that it is the nearest server to your actual location.
However, here are four steps to explore various ExpressVPN server locations when using Linux.
Step 1: In a Terminal
- Type expressvpn list to view the recommended locations
- Alternatively, type expressvpn list all to see all locations supported by ExpressVPN
Step 2: To connect to a specific server location
- Type expressvpn connect ALIAS, where ALIAS is associated with a particular country from the displayed table. For example, if you enter expressvpn connect frpa1, you will be connected to a France server.
Step 3: To connect to the fastest server from a country
- Type expressvpn connect COUNTRY (e.g., expressvpn connect France)
Step 4: To connect to the Smart Location, type expressvpn connect smart
- The Smart Location cannot be changed
Configuring VPN settings
To view all commands supported by ExpressVPN on Linux, type man expressvpn in a Terminal window. Also, while entering a command, you can use the tool’s autocomplete feature by hitting Tab twice. To check out the status of the current ExpressVPN configuration settings, type expressvpn preferences.
Check out the image below to see what we mean.
The VPN protocols supported by ExpressVPN for the Linux app are OpenVPN TCP and OpenVPN UDP. It is set to automatic mode by default, which means that it chooses the best server for you automatically, depending on your network settings.
However, you can force the VPN service to use either TCP or UDP, depending on what you wish to do while staying connected to the virtual private network. Here are simple instructions.
- To switch to OpenVPN UDP, type expressvpn protocol udp
- UDP is faster, excellent for online activities that require a speedy connection, like downloading torrents or streaming media. But it is not recommended for unstable networks, like public hotspots
- To use OpenVPN TCP instead, type expressvpn protocol tcp
- TCP is slower but more reliable. It is recommended for general browsing and for users who live or travel to countries with government censorship. That is because TCP is excellent for bypassing firewalls and unlocking websites with forbidden content
- To reset the protocol to default (automatic mode), type expressvpn protocol auto
If you frequently connect to a VPN server as soon as you turn on your computer, then you can resort to ExpressVPN’s Auto connect to do this automatically, without your intervention. However, you should keep in mind that Linux will take longer to start, because it needs time to launch all startup processes.
Here is how you can control the auto connect feature with minimum effort.
- To view the ExpressVPN automatic connection status, type expressvpn autoconnect
- By default, auto-connect is disabled
- To enable auto connect, type expressvpn autoconnect true
- To disable auto connect, type expressvpn autoconnect false
ExpressVPN’s Network Lock is a security feature that cuts off your Internet access in case the VPN connection suddenly drops. It is designed to prevent IP leaks which may occur in the time it takes ExpressVPN to reconnect to a VPN server. Network Lock is best used alongside DNS Leak Protection.
Here are instructions for controlling this setting.
- To change the Network Lock setting, type expressvpn preferences set network_lock MODE, where MODE can be off, strict or default
- off means that Network Lock is deactivated so that ExpressVPN cannot protect you in case of VPN connection drops. There is no benefit to disabling this setting
- strict means that ExpressVPN blocks all Internet traffic when the VPN disconnects, without any exceptions
- default means that the VPN service disables all Internet traffic in case of VPN disconnections, except for traffic to some local IP addresses. It is helpful for reaching resources in your local network, such as printers or file servers
- To check the Network Lock status, type expressvpn preferences network_lock
- By default, Network Lock is set to default
IPv6 Leak Protection
ExpressVPN’s IPv6 Leak Protection setting is also dedicated to security. If you have both an IPv4 and IPv6 address, you can disable IPv6 connectivity to prevent your computer from exposing your location. But this means that you cannot host servers accessible via IPv6.
Here is how you can control it.
- To check the IPv6 leak protection status, type expressvpn preferences disable_ipv6
- By default, the setting is enabled, which means that you do not risk revealing your IPv6 address
- To deactivate IPv6 leak protection, type expressvpn preferences set disable_ipv6 false
- To re-enable IPv6 leak protection, type expressvpn preferences set disable_ipv6 true
DNS Leak Protection
Your DNS requests are vulnerable if they are routed through your system’s DNS servers. If hackers could decipher your DNS requests, they would be able to tell which websites you are visiting, thus compromising your online privacy.
But you can stop this from happening by activating ExpressVPN’s DNS Leak Protection feature. It creates firewall rules automatically to route all DNS requests through the ExpressVPN exclusive DNS servers. They do not record activity or connection logs, nor block DNS requests. All traffic is encrypted in 256-bit mode.
DNS Leak Protection works well with Network Lock. Here is how you can control it.
- To check the DNS leak protection status, type expressvpn preferences force_vpn_dns
- By default, the setting is activated so that you do not have to worry about compromising your DNS requests
- To disable DNS leak protection, type expressvpn preferences set force_vpn_dns false
- To re-enable DNS leak protection, type expressvpn preferences set force_vpn_dns true
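The three leak-protection preferences described above (network_lock, disable_ipv6 and force_vpn_dns) can be checked in one pass. The shell function below is an added example, not ExpressVPN's own tooling: it assumes that expressvpn preferences prints one name/value pair per line, and the function name and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ExpressVPN preferences that weaken leak protection.
# Assumption: `expressvpn preferences` prints "name value" pairs, one per line.

# Constructed sample of that output (not captured from a real system).
SAMPLE_PREFS='auto_connect false
desktop_notifications true
disable_ipv6 false
force_vpn_dns true
network_lock off'

# audit_expressvpn_prefs (hypothetical helper): reads preferences on stdin,
# prints one finding per line, returns 1 if anything is weak or missing.
audit_expressvpn_prefs() {
    audit_findings=$(awk '
        BEGIN {
            # Protective values as described in the article.
            want["network_lock"]  = "default|strict"
            want["disable_ipv6"]  = "true"
            want["force_vpn_dns"] = "true"
        }
        NF >= 2 && ($1 in want) {
            seen[$1] = 1
            if ($2 !~ ("^(" want[$1] ")$"))
                printf "WEAK %s=%s (want %s)\n", $1, $2, want[$1]
        }
        END {
            # A setting that never appears cannot be assumed to be safe.
            for (k in want)
                if (!(k in seen))
                    printf "MISSING %s\n", k
        }
    ' | LC_ALL=C sort)
    if [ -n "$audit_findings" ]; then
        printf '%s\n' "$audit_findings"
        return 1
    fi
    return 0
}

# Demo on the constructed sample. On a real system:
#   expressvpn preferences | audit_expressvpn_prefs
printf '%s\n' "$SAMPLE_PREFS" | audit_expressvpn_prefs \
    || echo "leak protection is not fully enabled"
```

A non-zero return status makes the function usable in a login script or cron job that warns when a preference has been switched off.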
ExpressVPN shows desktop notifications to let you know as soon as you connect or disconnect from a VPN server. However, it might interrupt you if you are carrying out other computer activities which require your undivided attention.
Here is how you can easily enable or disable this feature.
- To check the status, type expressvpn preferences desktop_notifications
- By default, the setting is enabled, which means that ExpressVPN shows desktop notifications on VPN connections and disconnections
- To disable the feature, type expressvpn preferences set desktop_notifications false
- To re-enable the feature, type expressvpn preferences set desktop_notifications true
Uninstalling the app
If you changed your mind about using the VPN client on Linux, here are the instructions to help you uninstall the ExpressVPN native app.
- For Ubuntu: type sudo dpkg -r expressvpn
- For Fedora: type sudo yum remove expressvpn
NordVPN is the best alternative to ExpressVPN. Therefore, we will not hesitate to recommend using this service when you want to protect your online privacy, hide your browsing history from your ISP, access the US movie library of Netflix, keep your identity safe when downloading torrents, and so on.
In the next part of this article, you can check out detailed instructions about how to download and install NordVPN, connect to various VPN servers, use the NordVPN settings as well as remove the app from your Linux distro if you no longer want to use it.
Downloading and installing the app
The following instructions are available for Debian, Ubuntu and Linux Mint. Only eight steps must be taken to set up the NordVPN app on Linux, as can be seen in the gallery slider below.
Step 1: Visit the NordVPN site
- Click My Account on the top-right side of the page
- Enter your Email address and Password to sign into your premium account
- If you have not purchased a NordVPN account until now, you can do it here (click the red button to get started)
- Click VPN Apps to open the downloads page and select Linux
- Click Download .deb, save the downloaded file to a folder on your computer, and remember this location
Step 2: Click to open the Activities bar and select Terminal
Step 3: In the Terminal
- Go to the folder where you downloaded the NordVPN installation file (at Step 1)
- For instance, if it is located in Downloads, then type cd ~/Downloads/
- Once you are in the directory, use dir to obtain a list of all file names
- Locate the NordVPN file, select the name and Copy it from the right-click menu (for example, nordvpn-release_1.0.0_all.deb).
Step 4: Type the next command but make sure to match your Linux distro (paste the NordVPN filename you copied at Step 3)
- for Ubuntu, Mint and Debian: sudo dpkg -i <filename> (e.g. sudo dpkg -i nordvpn-release_1.0.0_all.deb)
- for Fedora and CentOS: sudo yum install <filename> (e.g. sudo yum install nordvpn-release_1.0.0_all.deb) or sudo dnf install <filename> (e.g. sudo dnf install nordvpn-release_1.0.0_all.deb)
Step 5: Update the package list by typing sudo apt-get update
Step 6: Install the NordVPN app with sudo apt-get -y install nordvpn
Step 7: To log into your NordVPN account, type nordvpn login. When prompted, enter your Email / Username (full email address) and NordVPN Password
Step 8: Congratulations! You managed to set up a VPN service on Linux with the help of the NordVPN native application
- To connect, type nordvpn connect
- To disconnect, type nordvpn disconnect
Connecting to a different VPN server location
By default, the VPN client connects you to the nearest server when typing nordvpn connect. If you want to consult the complete manual of NordVPN, type man nordvpn in a Terminal window.
To explore the various VPN server locations supported by NordVPN, here is what you need to do. Keep in mind that you must disconnect before attempting to connect to a new VPN server (with nordvpn disconnect). Connecting to various VPN server locations works best with the Auto connect setting.
Step 1: To see the list of countries that you can connect to, use nordvpn countries
- To connect to the best server from a specific country, use nordvpn connect COUNTRY. For example, to connect to the best server from Canada, type nordvpn connect Canada
- You can also connect using the country code (e.g. nordvpn connect CA)
Step 2: To check out all cities from a specific country, use nordvpn cities COUNTRY. For example, if you want to find out all cities from Canada, type nordvpn cities Canada
- To quickly see the list of countries while using the cities command, you can use NordVPN’s auto-complete feature: press Tab twice after typing nordvpn cities
- To connect to a city, use nordvpn connect CITY. For example, if you want to connect to Toronto, type nordvpn connect Toronto
Step 3: To view the NordVPN specialty folders, use nordvpn groups
- Here is a rundown of the NordVPN specialty folders
- Africa_The_Middle_East_And_India, Asia_Pacific, Europe and The_Americas are groups that contain VPN servers from those regions
- Dedicated_IP is a group with servers reserved for users who acquired private dedicated IP addresses from NordVPN (in addition to the NordVPN subscription plan). If you are interested, you can buy a dedicated IP here (use the norddedicatedip coupon code at checkout, it costs $70)
- P2P is a group with VPN servers optimized for peer-to-peer traffic. You can connect to it whenever you want to download or upload torrents
- Standard_VPN_Servers is a group that contains all NordVPN servers which have not been optimized for online tasks (unlike P2P, for example)
- Obfuscated_Servers (becomes available after enabling the Obfuscate setting) is a group that includes obfuscated servers. It means that anyone intercepting your VPN traffic will not be able to tell that you are using a VPN. As such, it is not possible to block your VPN connections
- To connect to the best server from a certain specialty folder, type nordvpn connect GROUP. For instance, if you wish to connect to the best server for peer-to-peer traffic, type nordvpn connect P2P
- When you connect to one of these groups, NordVPN finds the nearest VPN server from the specified location
Configuring VPN settings
NordVPN has several VPN settings that you can modify on your Linux distro. To get an overview of all options, type nordvpn settings in a Terminal window. If you cannot remember the correct name of an option, type a few letters and press Tab once to activate the auto-complete setting.
The screenshot below portrays the default configuration of NordVPN, so you can come back here whenever you need a reminder.
In the following instructions, you will find out how to pick the technology and protocol used by the app to go online, how to secure your connections with the kill switch and CyberSec, as well as how to hide the fact that you are using VPN with obfuscation methods.
Further, you can control the NordVPN desktop notifications, ask the application to run at every system startup and automatically connect to a VPN server, as well as set custom DNS servers to speed up and secure your VPN connections.
NordVPN supports two technologies for the Linux app: OpenVPN and NordLynx. While OpenVPN is arguably the best all-round protocol because it brings balance between security and speed, NordLynx is a NordVPN exclusive technology built around the WireGuard protocol.
Here is how you can control it.
- To see all supported technologies, use nordvpn set technology -h
- By default, NordVPN uses the OpenVPN protocol
- To switch to NordLynx, type nordvpn set technology nordlynx
- Please note that WireGuard must be installed, in order to use the NordLynx protocol
- To switch back to OpenVPN, type nordvpn set technology openvpn
NordVPN features two protocols that can be used with OpenVPN: TCP and UDP. You can only toggle them if you set Technology to OpenVPN. Here is how you can easily control the protocol setting.
- To check out all supported protocols, use nordvpn set protocol -h
- By default, NordVPN uses UDP
- UDP is the NordVPN recommendation because it is an excellent choice for carrying out resource-demanding online activities, like streaming or torrenting. It is faster than TCP but less reliable
- TCP is a general-purpose solution because it can bypass firewalls and unlock websites, particularly aiding users who live or travel to countries with government censorship. It is slower than UDP but more reliable
- To switch to TCP, use nordvpn set protocol tcp
- To switch back to UDP, type nordvpn set protocol udp
The NordVPN kill switch adds an extra layer of security. Once enabled, it monitors your Internet connection and disrupts it as soon as the VPN connection drops unexpectedly. It is meant to protect you in case your IP address leaks in the time it takes NordVPN to reconnect to a VPN server.
Here is how you can control it on Linux with minimum effort.
- To find out how to use the kill switch correctly, use nordvpn set killswitch -h
- By default, the kill switch is disabled. This means that NordVPN does not cut off your Internet access in case of VPN disconnections
- To turn it on, use nordvpn set killswitch on (or 1, true, enable, enabled)
- Please note that your Internet connection remains untouched if you manually disconnect from a NordVPN server
- To reset the kill switch to default and turn it off, type nordvpn set killswitch off (or 0, false, disable, disabled)
CyberSec is a NordVPN exclusive security feature. If you activate it, the VPN service will block ads and keep you safe from phishing sites and other kinds of online threats. Note that it only works while you are connected to a VPN server. Further, CyberSec cannot work when custom DNS servers are enabled.
Here is how you can take over the CyberSec feature.
- To see how you can use the setting, use nordvpn set cybersec -h
- By default, CyberSec is disabled
- To activate the setting, type nordvpn set cybersec on (or 1, true, enable, enabled)
- To deactivate it, use nordvpn set cybersec off (or 0, false, disable, disabled)
Some people reside in countries which prohibit or restrict the usage of VPN services. As such, it is impossible to unblock certain websites with the help of VPN technology. However, NordVPN’s Obfuscate setting is designed to override that.
When you enable obfuscation mode, NordVPN will only connect to servers that conceal the fact that you are using VPN. Therefore, you can overcome network boundaries made to block, throttle or log your VPN traffic. But the connection will be slower than using typical NordVPN servers.
Please note that you can activate Obfuscate only if Technology is set to OpenVPN. Here is how you can control this setting with ease.
- To find out how to use the obfuscation feature, type nordvpn set obfuscate -h
- By default, obfuscation is disabled
- To turn it on, use nordvpn set obfuscate on (or 1, true, enable, enabled)
- When obfuscation is enabled, you can connect to NordVPN obfuscated servers
- To disable it, type nordvpn set obfuscate off (or 0, false, disable, disabled)
Like any other application, NordVPN shows you notifications on the screen to draw your attention. The alerts let you know when you have connected or disconnected from a VPN server.
But it can be too distracting if you are currently busy working on something else. Besides, there are cases when desktop notifications exit a full-screen app by force. Thus, it can be helpful to toggle this setting. Here is how you can do that.
- To see how to use the notification feature, type nordvpn set notify and press Tab three times
- By default, notifications are enabled
- To deactivate the setting, use nordvpn set notify off (or 0, false, disable, disabled)
- To re-activate it, type nordvpn set notify on (or 1, true, enable, enabled)
If you typically use the same VPN server as soon as you turn on your computer, you can automate this process by asking NordVPN to auto connect at every system startup.
Here is what you need to know.
- To see how to use the auto connect feature, type nordvpn set autoconnect -h
- By default, the option is disabled
- To enable it, type nordvpn set autoconnect on SERVER
- Instead of on, you can also use 1, true, enable or enabled
- At SERVER, you can specify a VPN server in any format we discussed at Connecting to a different VPN server location
- nordvpn set autoconnect on COUNTRY (e.g., nordvpn set autoconnect on Canada)
- nordvpn set autoconnect on COUNTRY_CODE (e.g., nordvpn set autoconnect on CA)
- nordvpn set autoconnect on CITY (e.g., nordvpn set autoconnect on Toronto)
- nordvpn set autoconnect on GROUP (e.g., nordvpn set autoconnect on P2P)
- To disable automatic connections, use nordvpn set autoconnect off SERVER
- Besides off, you can also type 0, false, disable or disabled
DNS is a technology used to translate the domain names you type into the IP addresses you visit. Your DNS servers are assigned by your Internet service provider, but they can be slow. Sometimes, they can be dangerous as well, because hackers could intercept your DNS requests to see what websites you visit, even while you are connected to a VPN server, thus compromising your online privacy.
Thankfully, NordVPN lets you set custom DNS servers. By opting for faster and safer DNS, you can significantly improve your Internet browsing experience while using the VPN service. However, keep in mind that you cannot set DNS servers and have CyberSec enabled at the same time (choose one to enable or keep both settings disabled).
Here is how you can set custom DNS servers in NordVPN. We have also included a few DNS recommendations, which are public and free to use by anyone.
- To discover how to correctly use the DNS settings, type nordvpn set dns -h
- By default, custom DNS servers are disabled
- To enable the feature, use nordvpn set dns SERVER1 SERVER2 SERVER3
- For example, you can type
- Up to three custom DNS servers can be enabled at the same time (e.g., nordvpn set dns 126.96.36.199 188.8.131.52 184.108.40.206)
- Note that the server addresses are separated by a blank space
- To disable the setting, type nordvpn set dns off (or 0, false, disable, disabled)
Uninstalling the app
If you changed your mind, here are simple instructions to help you uninstall the NordVPN app from Linux distros using a Terminal session.
- Type sudo apt-get --purge remove -y nordvpn
- Alternatively, you can use the following commands: sudo dpkg -P nordvpn and sudo dpkg -P nordvpn-release
How to manually add a VPN connection on Linux
Under normal circumstances, you should consider VPN manual configuration mode only if it is not possible to resort to the app setup mode on your Linux distro. When you set up a VPN connection on Linux in manual config, there are typically more steps involved.
Moreover, you must go through all instructions for every VPN server you wish to connect to. When it comes to ExpressVPN, here are the steps for manually configuring OpenVPN via the Terminal and OpenVPN via Ubuntu Network Manager.
ExpressVPN (OpenVPN with Terminal)
To install ExpressVPN with OpenVPN through the Linux Terminal, you must set up a third-party application that can handle this protocol: the official OpenVPN client. There are only eight steps involved, so check out the gallery slider below to understand them better.
Step 1: Head over to the ExpressVPN site
- Click My Account to enter your email address and password for login (you must confirm the login from your email account for unknown devices)
- If you do not have an ExpressVPN account, you can purchase one here (click Get ExpressVPN to get started)
- After login, click Setup (the red button on the upper-right side of the browser page)
- Click Manual configuration and select OpenVPN
- Copy the Username and Password displayed below by clicking the copy button on the top-right side of each box
- Paste the info somewhere safe that can be easily reached later
Step 2: Scroll down this page
- You will spot the list of ExpressVPN regions: Americas, Europe, Asia Pacific, Middle East and Africa
- Click a region to expand it and view the list of available servers
- Decide which OpenVPN server you want to connect with, then click to download it to your computer (in our example, we used Israel)
- Remember where you saved it because it will be needed later
Step 3: Open Debian’s Activities bar and click to open a Terminal
Step 4: To update your Linux distro with the latest packages, type sudo apt-get update. Then, enter your Password
Step 5: To download the OpenVPN client, type sudo apt-get install -y openvpn
Step 6: To configure OpenVPN, type sudo openvpn --config but do not hit Enter yet. Open the folder where you downloaded the OpenVPN server file at Step 2, then drag and drop it onto the Terminal. It will automatically paste its full path. Press Enter
Step 7: Here is what you do next
- At Enter Auth Username, specify the Username you copied at Step 1
- At Enter Auth Password, enter the Password you copied at Step 1
Step 8: Wait a few seconds until OpenVPN finishes its configuration. Once you see the Initialization Sequence Completed message, you are connected to the VPN. Congratulations! You have successfully set up a VPN connection on Linux using ExpressVPN with OpenVPN
Note: The Terminal window must remain open to keep the VPN connection alive. But you can get it out of your way by minimizing it. To disconnect, you simply need to close the window. To reconnect, start again from Step 6.
If you changed your mind about using ExpressVPN with OpenVPN in the Terminal, here is what you need to do to get rid of it.
- To remove the OpenVPN configuration file, you simply have to delete it like you would delete any regular file using the file browser
- To uninstall the OpenVPN client from Linux, open a Terminal window and type sudo apt-get remove -y openvpn
ExpressVPN (OpenVPN with Ubuntu Network Manager)
If you want to install ExpressVPN on Linux using another solution for OpenVPN, you can go with the Ubuntu Network Manager. There are eighteen steps involved, which can be seen in the gallery slider below.
Step 1: Access the ExpressVPN site
- Click My Account to log into your premium account by inputting your email address and password (must be confirmed from your email account on new devices)
- If you have not purchased a premium account yet, you can do it here (click Get ExpressVPN to get started)
- Click Setup (a red button on the top part of the screen)
- In the setup page, click Manual configuration and then select OpenVPN
- Copy the Username and Password shown beneath. This can be done by clicking the copy button on the upper-right part of each field
- Make sure to paste these details in a place that you can quickly reach later
Step 2: Scroll down on this page
- Here are the regions with servers supported by ExpressVPN: Americas, Europe, Asia Pacific, Middle East and Africa
- Select any preferred region to expand its menu and check out all corresponding servers
- Choose a server that you would like to connect through OpenVPN, then click to download it (we selected Israel for this tutorial)
- Please note the folder where you saved the downloaded OVPN file because you will need it later
Step 3: Scroll down to 4. Optional
- Click the ZIP file link to download the archive
- Extract the archive contents to a folder on your PC and remember this location
Step 4: Open the Activities bar in Debian and click Terminal
Step 5: Update the system to the latest version: type sudo apt-get update. When prompted, enter your system Password
Step 6: Perform the two following actions
- To install the network-manager-openvpn-gnome package, type sudo apt-get install -y openvpn network-manager-openvpn network-manager-openvpn-gnome
- To restart the networking service, type sudo service network-manager restart
Step 7: Click the notifications area to open a menu and click the settings button
Step 8: In All Settings, find and click Network
Step 9: In Network, click the + button on the lower-left part of the window
Step 10: When you see the Add VPN window, click Import from file
Step 11: Head to the folder where you downloaded the OVPN file at Step 2. Select it and click Open
Step 12: After importing the OpenVPN file, set
- Authentication Type to Password with Certificates (TLS)
- User name and Password to the information you copied at Step 1
- User Certificate to client.crt
- CA Certificate to ca2.crt
- Private Key to client.key
- Click Advanced
Note: The client.crt, ca2.crt and client.key files can be imported from the ZIP archive you previously downloaded at Step 3.
Step 13: In the General tab, make sure that
- Use custom gateway port is enabled and set to 1195
- Use LZO data compression is enabled
- Use custom tunnel Maximum Transmission Unit (MTU) is enabled and set it to 1500
- Use custom UDP fragment size is enabled and set to 1300
- Restrict tunnel TCP Maximum Segment Size (MSS) is enabled
- Randomize remote hosts is enabled
- The remaining options are disabled
Step 14: Go to the Security tab and ensure that
- Cipher is set to AES-256-CBC
- Use custom size of cipher key is disabled
- HMAC Authentication is set to SHA-512
Step 15: Go to TLS Authentication
- Enable Use additional TLS authentication
- At Key File, import the ta.key file from the ZIP archive you downloaded at Step 3
- Set Key Direction to 1
- Click OK
- Step 16: For the initial VPN connection, click the slider button of the OpenVPN connection in Network to turn it on. If prompted, paste the Password you copied at Step 1, then click Connect
Step 17: Congratulations! You have set up a VPN connection on Linux using ExpressVPN with Network Manager
- To quickly connect, click the notification area to open a menu, click VPN Off and Connect
- Step 18: To disconnect, click the notifications area again, then select the OpenVPN profile and click Turn Off
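Steps 13 to 15 are easier to verify when you can see what the downloaded profile itself says. This added example (not ExpressVPN's or this guide's own code) reads an .ovpn file and compares its directives with the values listed in those steps; the directive names are the standard OpenVPN ones behind the Network Manager options, and the function names are made up for the illustration. It assumes the key direction is given on a key-direction line.

```shell
#!/bin/sh
# Added example: compare an .ovpn profile with the values from Steps 13-15.

# ovpn_value FILE DIRECTIVE: print the arguments of the first occurrence of
# DIRECTIVE (empty for a bare flag); return 1 if the directive is absent.
ovpn_value() {
    awk -v d="$2" '
        { sub(/\r$/, "") }                    # tolerate CRLF line endings
        /^[[:space:]]*[#;]/ { next }          # skip comment lines
        $1 == d { $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# ovpn_check FILE: report each setting, return 1 if any is missing or differs.
ovpn_check() {
    file=$1
    rc=0
    # "directive expected-value"; an empty value means the option only has
    # to be switched on (present and not set to "no").
    while read -r directive want; do
        if ! got=$(ovpn_value "$file" "$directive"); then
            echo "MISSING $directive"; rc=1
        elif [ -n "$want" ] && [ "$got" != "$want" ]; then
            echo "DIFFERS $directive: file has '$got', guide has '$want'"; rc=1
        elif [ -z "$want" ] && [ "$got" = "no" ]; then
            echo "DIFFERS $directive: switched off in the file"; rc=1
        else
            echo "OK      $directive $got"
        fi
    done <<EOF
cipher AES-256-CBC
auth SHA512
key-direction 1
tun-mtu 1500
fragment 1300
comp-lzo
mssfix
remote-random
EOF
    # Step 13 gateway port: third field of every "remote host port" line.
    ports=$(awk '$1 == "remote" { sub(/\r$/, ""); print $3 }' "$file" | sort -u)
    if [ "$ports" != "1195" ]; then
        echo "DIFFERS remote port: file has '$ports', guide has '1195'"; rc=1
    fi
    return $rc
}

# Usage (hypothetical file name): ovpn_check ./downloaded-profile.ovpn
```

A DIFFERS or MISSING line tells you which field to look at again in the Advanced dialog before you connect.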
If you no longer want to use ExpressVPN with OpenVPN in the Ubuntu Network Manager, here are the uninstall instructions.
- To delete the ExpressVPN OpenVPN connection
- Go to Network
- Select the ExpressVPN entry from the list
- Click the – button on the lower-left part of the window
- To uninstall Ubuntu Network Manager
- Launch a Terminal session
- Type sudo apt-get remove -y openvpn network-manager-openvpn network-manager-openvpn-gnome
NordVPN (OpenVPN with Terminal)
Just as with ExpressVPN, you can use the official OpenVPN client to install NordVPN on Linux using the Terminal. Only seven steps are necessary to make this happen.
Step 1: Here is how you get started
- Visit the NordVPN site
- Click My Account on the top-right of the page, then enter your email address and password to sign in
- If you do not have an active subscription plan to NordVPN, you can get one here (click the red button to get started)
- Return to the Linux desktop
- Open the Activities bar and click to open a Terminal window
Step 2: To install the OpenVPN client
- Type sudo apt-get install openvpn
- When asked, enter your root password
Step 3: Go to the OpenVPN config folder using cd /etc/openvpn
- If you receive an error saying that ERROR: The certificate of `nordvpn.com’ is not trusted, then you must install the ca-certificates package using sudo apt-get install ca-certificates
Step 4: While you are still in /etc/openvpn
- Extract files from the downloaded OpenVPN archive using sudo unzip ovpn.zip
- Remove the unnecessary OpenVPN archive with sudo rm ovpn.zip
- If you do not have the unzip package necessary for extracting files from the OpenVPN archive, install it with sudo apt-get install unzip, then proceed with Step 4
Step 5: Decide which protocol you want to use when connecting to NordVPN
- TCP is better for general browsing and steady connections
- UDP is better for streaming services but unreliable
- If you are not sure, go with TCP
- Once you make up your mind about the protocol
- Type cd /etc/openvpn/ovpn_tcp/ (for TCP) or cd /etc/openvpn/ovpn_udp/ (UDP) to open this subfolder
- Get a list of all available NordVPN servers using ls -al
Step 6: Here is what you do next
- Choose a NordVPN server from the list to connect
- If you want the best possible speed, go back to My Account (at Step 1)
- Click Servers on the top menu to open a new page, then click Recommended server
- At Server recommended for you, copy the server address displayed (select it, right-click to open the context menu, then pick Copy)
- In our case, the recommended server is ro46.nordvpn.com
- Return to the Terminal
- Type sudo openvpn <filename> (in our case, it is sudo openvpn ro46.nordvpn.com.tcp.ovpn). Do not forget to add the protocol type (tcp or udp) and ovpn to the filename
- When prompted with Enter Auth Username and Enter Auth Password, set the email address and password associated with your NordVPN account
Step 7: When you see the Initialization Sequence Completed message, it means that you have connected to the NordVPN server. Good job! You managed to set up a VPN connection on Linux using NordVPN with OpenVPN manual configuration via the Terminal
- To keep the connection running, do not close the Terminal session. But you can minimize it to get it out of your way
- To disconnect, simply close the Terminal window
If you changed your mind about using NordVPN with OpenVPN manual config mode in the Terminal, there are two steps you can take: deleting the OpenVPN file and uninstalling the OpenVPN client.
- To get rid of the NordVPN OpenVPN configuration, access it with your file browser and delete the file
- To remove the OpenVPN client from your Linux distro, launch a Terminal session and type sudo apt-get remove -y openvpn
NordVPN (OpenVPN with Ubuntu Network Manager)
The Ubuntu Network Manager can be used for NordVPN with OpenVPN manual config. Here are the eight instructions necessary to set up a VPN connection on Linux.
- Step 1: Visit the NordVPN official site
- Step 2: Open the containing folder from your web browser, then right-click on ovpn.zip and select Extract Here (or press Ctrl+O)
- Step 3: Click the notifications area to open a menu, click Wired Connected to expand its menu, then go to Wired Settings
Step 4: In Network
- Click the + button on the lower-left side to add a new VPN connection
- In the Add VPN window, click Import from file
Step 5: When importing from file
- Go to the folder where you extracted the OVPN files at Step 2
- Decide between connecting to TCP or UDP (opt for TCP if you are unsure)
- Open the ovpn_tcp or ovpn_udp subfolder (open ovpn_tcp if you are unsure)
- Select a preferred server file and click Open
- If you want to get the fastest server, go back to My Account (at Step 1)
- Click Servers on the menu displayed on top of the page, then click Recommended server
- This page contains all NordVPN servers that work with manual configuration mode
- Check out the server address displayed at Server recommended for you (in our case, it is ro48.nordvpn.com)
- Search for the server address name in the OVPN subfolder, select it, and click Open (in our case, it is ro48.nordvpn.com.tcp.ovpn)
- Step 6: After the OVPN file is imported, you will see the Add VPN window with connection details. At User name and Password, set the email address and password associated with your premium NordVPN account. Leave everything else untouched and click Add
- Step 7: Congratulations! You have successfully configured a VPN connection on Linux using NordVPN with OpenVPN manual configuration via the Ubuntu Network Manager. To connect, click the notifications area, then VPN Off and Connect
- Step 8: To disconnect, click the notifications area again, then the OpenVPN profile and Turn Off
If you changed your mind about using NordVPN with OpenVPN and the Ubuntu Network Manager, here is all you need to know.
- To get rid of the NordVPN OpenVPN connection
- Head over to the Network section
- Pick the NordVPN connection from the list on the left side
- Click the – button on the bottom-left side of the window
- To also remove Ubuntu Network Manager
- Open a Terminal window
- Type sudo apt-get remove -y openvpn network-manager-openvpn network-manager-openvpn-gnome
NordVPN (IKEv2/IPsec with StrongSwan)
The following twelve steps use the StrongSwan packages to install the IKEv2 over IPsec manual configuration mode of NordVPN.
Step 1: Here is how you begin
- Head over to the NordVPN site
- Click My Account on the upper-right corner of the page, then sign in using your NordVPN email address and password
- If you have not acquired a subscription plan for NordVPN until now, you can do it here (click the red button to get started)
- Go back to the Linux desktop
- Click the Activities bar and go to Terminal to launch a session
- Step 2: To make sure that your Linux distro is running with the newest dependencies, type sudo apt-get update && sudo apt-get upgrade
- Step 3: To install the StrongSwan packages, type sudo apt-get install strongswan libcharon-extra-plugins libcharon-standard-plugins
- Step 4: To access and edit the ipsec.secrets file, type sudo nano /etc/ipsec.secrets
Step 5: Except for some comments, the ipsec.secrets file is empty
- In a new line, write Username : EAP "Password". Replace Username with your NordVPN email address and Password with your NordVPN password. Do not forget the : character, the blank spaces before and after it, EAP, and the plain double quotes that wrap the password
- In our example, we added [email protected] : EAP "myNordVPNpassword"
- Press Ctrl + O and Enter to save file modifications
Step 6: To open and modify the ipsec.conf file, type sudo nano /etc/ipsec.conf. After the #Add connections here comment, paste the following block of code
- conn NordVPN
Step 7: Replace USERNAME with your NordVPN email address and SERVER with the server address you want to connect to. If you are not sure about the server address
- Using your web browser, return to My Account (at Step 1) and click Servers
- After the new page is loaded, click Recommended server to open another
- This is the place that lists all NordVPN servers compatible with manual configuration mode
- At Server recommended for you, select the server address displayed, right-click to open a menu, then pick Copy
- Return to the Terminal and paste the server address in the SERVER field
- In our example, we replaced USERNAME with myNordVPN and SERVER with ro48.nordvpn.com
- When you are done editing, press Ctrl + O and then Enter to commit file modifications
Step 8: Open and edit the constraints.conf file. Type sudo nano /etc/strongswan.d/charon/constraints.conf
- Change load from yes to no so that it becomes load = no
- Press Ctrl + O and then Enter to save file changes
Step 9: Download the RSA certificate from NordVPN. Use
- sudo wget https://downloads.nordvpn.com/certificates/root.der -O /etc/ipsec.d/cacerts/NordVPN.der
- and sudo openssl x509 -inform der -in /etc/ipsec.d/cacerts/NordVPN.der -out /etc/ipsec.d/cacerts/NordVPN.pem
- Step 10: Restart ipsec with sudo ipsec restart
Step 11: Good job, you managed to set up a VPN connection on Linux using NordVPN with IPsec!
- To connect, type sudo ipsec up NordVPN
- If the connection is successful, you receive the Connection ‘NordVPN’ established successfully message. Otherwise, you must have made a typo when editing the files earlier. Go back to recheck information, but make sure to restart ipsec before attempting to connect again (see Step 10).
- Step 12: To disconnect, type sudo ipsec down NordVPN
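Step 5 depends on an exact line format, and the file it edits holds the account password in clear text. The following shell check is an added example (not part of the original guide or of StrongSwan): it flags typographic quotes, a missing space around the colon, and a secrets file that group or others can access. The function name check_eap_secrets and the sample account are made up for the illustration.

```shell
#!/bin/sh
# Added example: lint an ipsec.secrets-style file for the EAP line from Step 5.
# check_eap_secrets FILE: print findings, return 0 if clean and 1 otherwise.
check_eap_secrets() {
    file=$1
    bad=0

    # The file stores the account password in clear text, so group and
    # others must have no access (characters 5-10 of the ls mode string).
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "PERMS: $file is accessible to group/others; run chmod 600"
        bad=1
    fi

    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;                  # blank line or comment
            *“*|*”*) echo "LINE $n: typographic quotes, use plain \" instead"
                     bad=1; continue ;;
        esac
        # Only EAP entries are checked; other secret types are left alone.
        case $line in *EAP*) ;; *) continue ;; esac
        if ! printf '%s\n' "$line" | grep -Eq '^[^[:space:]:]+ : EAP "[^"]+"$'; then
            echo "LINE $n: expected  user : EAP \"password\""
            bad=1
        fi
    done < "$file"
    return $bad
}

# Demo on a constructed file (not real credentials); mktemp creates it 0600.
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'user@example.com : EAP “constructed-pass”' > "$demo"
check_eap_secrets "$demo" || echo "fix the findings above, then: sudo ipsec restart"
rm -f "$demo"
```

Against the real file, run it with root privileges, since /etc/ipsec.secrets should not be readable by a normal user.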
If you no longer want to use NordVPN in IKEv2/IPsec configuration mode, here is what you need to do.
- To delete the NordVPN IKEv2/IPsec configuration
- Open the ipsec.secrets file from Step 4 and delete all lines you added at Step 5
- Open the ipsec.conf file from Step 6 and delete the block of code you added there
- Open the constraints.conf file from Step 8 and change load from no to yes so that it becomes load = yes
- Delete the RSA certificate from NordVPN you downloaded at Step 9
- If you want to also uninstall the StrongSwan client
- Type sudo apt-get remove -y strongswan to uninstall just the client
- Or, type sudo apt-get remove -y --auto-remove strongswan to remove both the client and its dependencies
- Or, type sudo apt-get purge --auto-remove -y strongswan to purge all StrongSwan configuration data
What to choose between native apps and manual configuration?
Whether you are a first-time or an experienced Linux user, it is better to always go with native apps whenever this is possible. There are fewer steps involved, and there is a smaller risk of encountering situations that require troubleshooting.
On the other hand, manual configuration mode gives you the possibility to set up multiple VPN configurations using information from various VPN providers. It offers a more flexible solution for Linux users interested in experimenting with free and open-source software.