VPNRank.io
How-To Guides

How to Set Up a VPN on Linux: Native Apps, OpenVPN, WireGuard and a Kill Switch

Native apps, OpenVPN and WireGuard config files, a firewall kill switch, and DNS-leak checks — the complete hands-on setup for Ubuntu, Debian, Fedora and Mint.

Diego PereyraBy Diego PereyraPublished 9 min read

vpnrank.io is reader-supported: we may earn a commission if you buy through links in this article. This never affects our rankings.

A Linux terminal window showing WireGuard and OpenVPN VPN commands next to a shield icon, on Ubuntu, Fedora and Mint desktops.

Setting up a VPN on Linux takes one of two paths: install a provider's native app (a few clicks on Ubuntu, Debian, Fedora or Mint), or use the universal terminal route with OpenVPN or WireGuard config files. Both work on every major distro. This guide covers each, plus a firewall kill switch and DNS-leak checks.

Two ways to run a VPN on Linux

Before touching a terminal, it helps to know that Linux gives you two genuinely different setup routes, and the right one depends on your provider and your comfort level. One is a packaged native app that behaves like the Windows or macOS client; the other is the distro-agnostic command-line method that works with almost any service.

The native-app route means downloading a .deb or .rpm package (or running a one-line install script) that a provider maintains for Linux. You get auto-connect, a built-in kill switch and one-command server switching, but you are limited to providers who actually ship a Linux client. The config-file route uses the open OpenVPN or WireGuard protocols with files any provider can export, and works even on headless servers with no desktop at all.

  • Native app — easiest, provider-maintained, includes a kill switch; only some brands offer it.
  • OpenVPN / WireGuard config files — universal, works on any distro and on servers; you wire up extras like the kill switch yourself.
  • NetworkManager GUI — import a config into your desktop's network menu for a point-and-click toggle without a dedicated app.

A quick rule of thumb: if your provider ships a maintained Linux client and you're on a mainstream desktop distro, the native app is almost always the better experience because the kill switch and DNS handling are done for you. The config-file route earns its place on servers, on unusual distros, or when you want to see and control exactly what the tunnel is doing.

If you just want the shortlist of services that both run natively on Linux and don't log, our editors keep that current on the main best VPN roundup and the privacy-focused VPN guide. This article is the hands-on how-to; those pages are where the picking happens.

Native GUI and CLI apps for Ubuntu, Debian, Fedora and Mint

Several major providers now ship real Linux clients, and in 2026 the experience is closer to the desktop apps than it has ever been. ExpressVPN, for instance, added a proper graphical interface to its Linux app in 2025, ending years of terminal-only operation. NordVPN, Surfshark, Proton and others distribute native packages too, so many mainstream services now cover Linux out of the box.

Installing a .deb package (Ubuntu, Debian, Mint)

Debian-family distros use APT and .deb packages. The usual flow is to download the provider's installer, mark it executable if needed, and install it with the package manager. A typical NordVPN install, for example, uses the official one-line script:

  1. 1Download the package or install script from the provider's Linux download page.
  2. 2For a script installer: sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh) pulls and installs the app. (No curl? Swap in wget -qO - for the same URL.)
  3. 3For a downloaded .deb: run sudo apt install ./package-name.deb from the download folder.
  4. 4Add your user to the app's group if prompted (NordVPN uses sudo usermod -aG nordvpn $USER), then log out and back in — skipping this is the usual cause of a "permission denied" error on first run.
  5. 5Sign in — either nordvpn login in the terminal, or via the GUI's sign-in button.

Installing an .rpm package (Fedora)

Fedora uses DNF and .rpm packages, and native clients are available here too: NordVPN supports Fedora 32 and newer, while ExpressVPN's graphical Linux app supports Fedora 39 and newer. Either way you have a real client rather than being forced onto config files, though you should always confirm the current supported versions on the provider's own Linux download page before installing.

  1. 1Download the provider's .rpm for Fedora, then run sudo dnf install ./package-name.rpm from the download folder.
  2. 2Alternatively, add the provider's official DNF repository (NordVPN publishes one at repo.nordvpn.com) so future updates arrive through dnf upgrade like any other package.
  3. 3Authenticate exactly as on Debian — sign in via the CLI or the GUI's sign-in button — and add your user to the app's group if prompted.

Once connected through a native app, switching countries for streaming is usually one command or one click — handy if you're using the VPN to reach a home library while travelling. If that's your goal, our streaming VPN guide and the can I watch tool cover which services actually work with the big platforms.

The universal route: OpenVPN and WireGuard config files

If your provider has no native Linux client — or you're on a server, a Raspberry Pi or a niche distro — the config-file method is the fallback that always works. You download a small text file describing the connection, then hand it to openvpn or wg-quick. Nothing about it is distro-specific beyond the install command.

OpenVPN with a .ovpn file

OpenVPN is the mature, widely-supported option. Install the client, download your provider's .ovpn profile for a chosen server, then connect. On Debian and Ubuntu the package is openvpn; on Fedora it's the same name via DNF. Because it's been around so long, an .ovpn profile will run on almost any system you're likely to meet.

  1. 1Install: sudo apt install openvpn (Ubuntu/Debian/Mint) or sudo dnf install openvpn (Fedora).
  2. 2Download the .ovpn config for the server you want from your provider's dashboard.
  3. 3Connect: sudo openvpn --config /path/to/server.ovpn and enter your VPN credentials when prompted.
  4. 4Leave that terminal open; the connection stays up until you press Ctrl+C or close it.

WireGuard with a .conf file

WireGuard is newer, leaner and generally faster than OpenVPN, and it's built into modern Linux kernels. You install the userspace tools, drop a .conf file into /etc/wireguard/, and bring the tunnel up with wg-quick. The config file's name (minus .conf) becomes the interface name, so a file saved as wg0.conf gives you a wg0 interface.

  1. 1Install: sudo apt install wireguard or sudo dnf install wireguard-tools.
  2. 2Save your provider's config as /etc/wireguard/wg0.conf (it holds Address, DNS, PrivateKey and a Peer block).
  3. 3Bring it up: sudo wg-quick up wg0 — this sets the interface, routes and DNS automatically.
  4. 4Check status with sudo wg show; tear it down with sudo wg-quick down wg0.
  5. 5To start it at boot: sudo systemctl enable --now wg-quick@wg0.

One caveat if you automate startup: don't mix the systemd service and your desktop's NetworkManager controls for the same tunnel. Pick one. If you enable wg-quick@wg0 through systemd, manage it with systemctl; if you'd rather use the tray, import the config into NetworkManager instead and leave systemd out of it. Toggling the same interface from both can leave it in a state neither will cleanly restart.

Importing a config into NetworkManager

If terminal windows aren't your thing, most desktops let you import either file type into NetworkManager, giving you a toggle in the system tray. It's the middle ground between a full native app and raw command lines: you keep the universal config-file approach but drive it with a click. The commands underneath are the same — the GUI is just a friendlier front end.

  • Point-and-click: open your desktop's network settings, add a VPN, and choose the import option, then pick your .ovpn or WireGuard .conf file.
  • Command line: sudo nmcli connection import type openvpn file /path/to/server.ovpn adds an OpenVPN profile that then appears in the tray menu too.
  • After import, the VPN toggles on and off from the network menu like any Wi-Fi or wired connection.

Curious how these protocols and terms fit together? Our DNS leak glossary entry is a good jumping-off point for the underlying concepts, and it feeds straight into the leak checks later in this guide.

Building a kill switch with firewall rules

A kill switch cuts your internet the instant the tunnel drops, so your real IP and unencrypted traffic never leak while you're offline from the VPN. Native apps include one you toggle in a single command. With the config-file route you build it yourself using the firewall — either UFW or raw iptables/nftables rules that only permit traffic through the VPN interface.

The easy way: native app toggle

If you installed a native client, the kill switch is one setting. On NordVPN it's nordvpn set killswitch on, which internally writes iptables rules to block everything if the daemon loses its connection. Other apps expose an equivalent switch in their GUI settings. This is the least error-prone option and worth using when available.

The manual way: UFW rules

For OpenVPN or WireGuard configs, UFW (Uncomplicated Firewall) is the most readable approach. The idea is to deny all traffic by default and then only allow it out through the VPN interface — tun0 for OpenVPN, wg0 for WireGuard. Substitute your interface name accordingly, and test carefully so you don't lock yourself out of a remote box.

  • sudo ufw default deny outgoing — block all outbound traffic by default.
  • sudo ufw default deny incoming — block inbound by default.
  • sudo ufw allow out on tun0 from any to any — permit traffic only through the tunnel.
  • Add a rule allowing the connection to your VPN server's IP and port so the tunnel can establish, then sudo ufw enable.

Prefer a Linux app that ships a kill switch and DNS-leak protection out of the box, so you can skip the firewall scripting?

See our top-ranked VPNs →

Prefer raw iptables? The equivalent is three OUTPUT rules: accept traffic on tun0, accept RELATED/ESTABLISHED connections, and REJECT everything else — with an added rule that drops DNS (port 53) on any interface other than the tunnel. That last part is what prevents the DNS leaks we cover next.

Verifying for DNS leaks

A working tunnel isn't proof of a private one. If DNS lookups escape outside the VPN, your ISP still sees every domain you visit even though your traffic looks encrypted — that's a DNS leak. After connecting, always confirm both your IP and your DNS resolver have changed to the VPN's, not your ISP's.

The fastest checks run right in the terminal and in a browser:

  1. 1Confirm your public IP changed: curl ifconfig.me should return the VPN server's IP, not your home one.
  2. 2Visit a leak-test site in a browser and confirm the DNS servers listed belong to your VPN, not your ISP.
  3. 3Force DNS through the tunnel at the firewall: drop port 53 on any interface except tun0/wg0 so lookups can't escape.
  4. 4Re-run the test after reconnecting to make sure the fix holds across sessions.

It's also worth checking for the related WebRTC leak, which can expose your IP straight from the browser regardless of your VPN. Our glossary explains both — see DNS leak and WebRTC leak — and vpnrank.io hosts a quick VPN speed test if you want to gauge the performance hit from your chosen protocol while you're at it.

Which setup should you pick?

For most desktop users on Ubuntu, Mint or Fedora, a native app is the sane default: it bundles the kill switch and leak protection you'd otherwise script by hand, and updates itself. Reach for config files when your provider has no Linux client, when you're on a headless server, or when you want the leanest possible WireGuard setup.

  • Want simplicity — install the native app and toggle the kill switch on.
  • No native client, or a server — use WireGuard config files with a UFW kill switch.
  • Maximum compatibility — OpenVPN .ovpn profiles work almost everywhere, if a little slower than WireGuard.
  • Point-and-click on the desktop — import either config into NetworkManager.

Whichever route you take, the two non-negotiable steps are the same: put a kill switch in place and verify there's no DNS leak. Do those and your Linux VPN is genuinely private, not just apparently connected. For the shortlist of services worth installing in the first place, start at our best VPN and privacy VPN guides, and check router setups if you'd rather protect the whole network at once.

Frequently asked questions

Do I need the terminal to set up a VPN on Linux?

Not always. Providers like ExpressVPN and NordVPN ship native apps for Linux, and ExpressVPN added a full graphical interface in 2025. You can also import OpenVPN or WireGuard config files into your desktop's NetworkManager for a tray toggle. The terminal is only strictly required on headless servers or when no GUI client exists for your distro.

What's the difference between OpenVPN and WireGuard on Linux?

OpenVPN is the older, extremely widely supported protocol using .ovpn files and the openvpn client. WireGuard is newer, built into modern Linux kernels, uses a short .conf file with wg-quick, and is generally faster with lower overhead. Both are secure; WireGuard is leaner and quicker to set up, while OpenVPN has the broadest compatibility across older systems.

How do I add a kill switch without a native app?

Use your firewall. With UFW, set default deny for incoming and outgoing traffic, then allow output only on your VPN interface (tun0 for OpenVPN, wg0 for WireGuard), plus a rule permitting the initial connection to your VPN server. With raw iptables, accept traffic on the tunnel and RELATED/ESTABLISHED connections, then reject everything else.

How can I tell if my Linux VPN is leaking DNS?

Connect, then run curl ifconfig.me to confirm your public IP is the VPN's. Next, open a DNS leak-test site in a browser and check the listed resolvers belong to your VPN, not your ISP. If your ISP's DNS shows, add a firewall rule dropping port 53 on every interface except the tunnel so lookups can't escape.

Does NordVPN or ExpressVPN work on Fedora?

Yes. NordVPN supports Fedora 32 and newer via its .rpm package and DNF repository, and ExpressVPN's graphical Linux app supports Fedora 39 and newer. So a native client is available either way, and the OpenVPN or WireGuard config-file route always works as a fallback. Always check the provider's current Linux download page for supported distro versions before installing.

Can I use the same setup on Ubuntu, Debian, Fedora and Mint?

The config-file route is fully distro-agnostic — OpenVPN and WireGuard work identically everywhere, differing only in the install command (apt on Ubuntu/Debian/Mint, dnf on Fedora). Native apps differ: Debian-family distros use .deb packages, Fedora uses .rpm, and supported versions vary by provider, so confirm compatibility before downloading a native client.

Will a VPN slow down my Linux machine?

Some overhead is unavoidable because traffic is encrypted and routed through a remote server, but on Linux it's usually small — especially with WireGuard, which is designed for low overhead. Choosing a nearby server and a fast protocol minimises the hit. Run a before-and-after speed test to see the real impact on your connection rather than guessing.

The best VPNs of 2026, ranked

Now you know how — here are the VPNs we recommend, independently tested and ranked for speed, streaming, privacy and value. Any of them works for everything in this guide.

Editor’s Choice — Best VPN 2026
Visit ExpressVPN
1GET 79% OFF + 4 months FREE
ExpressVPN logo
9.9
Outstanding

ExpressVPN Ultra fast & secure. Great for privacy, downloads, and everyday browsing on all your devices. 24/7 live chat support.

3,000+ servers in 105 countries
Proprietary Lightway protocol
Works with all popular platforms, apps & services
Try risk free for 30 days
Visit IPVanish
2GET 83% OFF
IPVanish logo
9.8
Excellent

IPVanish Fast speeds with unlimited device connections. Strong no-logs privacy and 24/7 live chat support. Great for families.

3,200+ servers in 112+ countries
Unlimited simultaneous connections
Company-owned server network
Try risk free for 30 days
Visit NordVPN
3GET 74% OFF
NordVPN logo
9.7
Excellent

NordVPN Excellent speeds with one of the largest server networks. Strong security features and easy-to-use apps. 24/7 live chat support.

7,400+ servers in 118 countries
NordLynx protocol for top speeds
10 simultaneous devices
Try risk free for 30 days
Visit Proton VPN
4GET 70% OFF
Proton VPN logo
9.6
Excellent

Proton VPN Swiss-based VPN with strong privacy focus. Audited no-logs policy and open-source apps. Great for privacy-conscious users.

15,000+ servers in 120+ countries
Swiss-based — strongest privacy laws
Open-source & independently audited
Try risk free for 30 days
Visit CyberGhost
5GET 86% OFF + 2 months FREE
CyberGhost logo
9.5
Great

CyberGhost Fast speeds and strong privacy tools. Simple apps, automatic WiFi protection, and 24/7 live chat support.

Servers in 100 countries
Automatic WiFi protection
No activity logs & no IP/DNS leaks
Try risk free for 45 days
Cheapest VPN
Visit TotalVPN
6GET 80% OFF
TotalVPN logo
9.4
Great

TotalVPN Affordable VPN with strong privacy and reliable speeds. Easy-to-use apps for all major devices. No-logs policy.

Servers in 50+ countries
Fast & secure connections
Strict no-logs policy
Try risk free for 30 days
Visit Private Internet Access
7GET 85% OFF + 2 months FREE
Private Internet Access logo
9.3
Great

Private Internet Access High-speed VPN with a large server network and advanced security settings. Ad blocker included and 24/7 live chat support.

Servers in 91 countries
Ad & tracker blocker included
No activity logs & no IP/DNS leaks
Try risk free for 30 days
Visit Surfshark
8GET 88% OFF + 3 months FREE
Surfshark logo
9.2
Great

Surfshark Unlimited device connections at a budget-friendly price. Includes ad blocker and strong privacy tools. Great value for money.

3,200+ servers in 100 countries
Unlimited simultaneous connections
CleanWeb ad & malware blocker
Try risk free for 30 days

Rankings are based on our independent testing methodology. We evaluate speed, privacy, security features, and value for money. We may earn affiliate commissions from links on this page, which helps fund our testing — this does not influence our rankings.