Everything you need to know about the pros and cons of VPNs on Linux

Explore some of the best privacy tools that Linux pros can use to keep their internet connection private and secure.  

1. Streisand

There are a number of options when deploying your own VPN server. You can take a bare Linux install and deploy your own individual packages (which, admittedly, does give you the highest level of control), but this is undoubtedly extremely time consuming. The alternative is to use a tool to deploy a VPN server on your behalf. A number of open source tools are available that offer this feature, the first of which is Streisand (opens in new tab).

The Streisand script sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, a Tor bridge, and WireGuard. This provides you with a host of different connection methods you can use to suit your needs across a wide range of platforms.

It is particularly clever in that it also generates custom instructions for all of these services. At the end of the installation script, you are given an HTML file with instructions that can be shared with friends or family members, and the server itself also hosts instructions on how to connect on a website secured with a validated SSL certificate.

The script is designed to run against Ubuntu 16.04 and can be used to either provision an existing server via an IP address or alternatively to automatically deploy a new box at one of a number of cloud VPS providers, including Amazon EC2, DigitalOcean, Google Compute Engine, Linode or Rackspace. The Streisand developers plan to add support for Amazon Lightsail in the near future. 

The process is completely automated and only takes about 10 minutes. The great thing about using Streisand is that you can tear down the VPS and redeploy at will, which reduces the risk of compromise and is just plain convenient. As an open source product, Streisand is audited by many independent developers to help assure its safety.

2. Algo

While Streisand is a very popular VPN platform, it is not the only offering of its type. A frequently used alternative is Algo (opens in new tab) – a set of Ansible scripts, like Streisand, that simplifies the setup of your own IPSEC VPN. It contains the most secure defaults available, again works with common cloud providers, and crucially does not require client software on most devices.

So why would you use Algo over Streisand? Algo is a lot more limited than Streisand, and that is frequently touted as its main benefit. Algo supports only IKEv2 with a single cipher suite – AES-GCM, HMAC-SHA2, and P-256 DH. It does not install Tor, OpenVPN or other servers that some deem as ‘risky’ and with a single widely supported protocol, it doesn’t require client software on most devices. Algo is also much better at handling multiple users than Streisand, providing a script that can be used post-build to update the user list at your convenience.

This core difference aside, many other aspects of Algo are similar to Streisand. It deploys on Ubuntu, can install to DigitalOcean, Amazon EC2, Microsoft Azure or your own server and generate the required config files for connections when complete. Algo also has a few optional install features, such as ad blocking via a local DNS resolver and HTTP proxy, and limited SSH users for traffic tunneling.

The Algo homepage contains details on how to connect from Apple, Android, Windows and, of course, Linux devices. Linux connectivity is provided using the strongSwan client, which connects extremely quickly and reliably. If you want to connect from another type of client or configure the connection yourself, the appropriate certificate/key files are provided.

As with Streisand, the project is open source and being constantly updated with fixes and improvements.

3. WireGuard

A lot of the VPN protocols and solutions used today such as PPTP and L2VPN have been around for a long time and are considered by many to be inefficient. A quick look at discussions about Streisand and Algo will show you this – there is always a lot of conversation regarding which services and protocols should be included in the product, and the polar opposite approaches of the two most popular deployment solutions above demonstrate that there is by no means a consensus on this issue. Maybe WireGuard is the answer.

WireGuard is an extremely simple yet fast and modern VPN that uses state-of-the-art cryptography. Its stated aims are to be faster, simpler, leaner, and more useful than IPSec, while avoiding the latter’s painful setup. It is designed to be considerably better performing than the ubiquitous OpenVPN standard.

WireGuard is designed as a general purpose VPN for running on a wide range of platforms for all types of usage. WireGuard was initially released for the Linux kernel, but is now available for Windows, macOS, and BSD, with mobile VPN apps for iOS and Android too.

How good is it? While it is currently undergoing heavy development, it’s already regarded by many as the most secure, easiest to use, and simplest VPN solution in the industry.

The WireGuard website has an installation guide (opens in new tab) and, of course, there are two options, either compiling from source or installing from packages. A PPA is provided for Ubuntu and you’re also catered for if you’re on Debian, Arch, Fedora, CentOS, OpenSUSE or a number of other distros. There’s a macOS version too, if you’re that way inclined.

WireGuard is more than just a curio despite its active development – it’s generally worth installing and configuring using the provided quick-start walkthrough. With its clever implementation as a simple network interface, extreme performance and minimal attack surface, it may well be the VPN solution of the future.

At the time of writing Wireguard has no built-in way of assigning dynamic IP addresses. This means you could end up using the same IP each time you connect. This can be an advantage, as it means that you won’t be banned for activities carried out by others from your shared IP. For this very reason, many providers actually offer a dedicated IP address for VPNs as an optional paid extra. 

Some third party providers can work around this problem. For instance TailScale uses an optimized mesh with Wireguard to bypass the need for Dynamic DNS servers/Firewall ports, adapting to a shifting IP address each time. IVPN has also come up with its own solution to dynamically assign IP addresses whilst using Wireguard. 

4. Shadowsocks 

Shadowsocks isn’t a VPN but provides a similar level of protection. It’s a free and open source internet encryption protocol that allows you to establish a secure connection to a SOCKS5 proxy server.

This has the effect of hiding your real IP address and encrypting your web traffic in a similar way to a VPN. However, Shadowsocks also works to disguise your encrypted data as regular HTTPS web traffic, making it extremely difficult for anyone with access to your connection records to know you’re doing anything unusual. This is particularly useful in countries which restrict the use of VPNs or ban them altogether through using advanced monitoring techniques like DPI (Deep Packet Inspection).

Shadowsocks can also be used with Wireguard to conceal your VPN traffic. The source code is freely available on GitHub and has been compiled for use with Linux, macOS, Windows and Android. 

5. VyprVPN 

(opens in new tab)

What if, rather than ‘rolling’ your own VPN solution, you’d prefer to simply sign up for a hosted service? You could do a lot worse than VyprVPN from Golden Frog, touted as ‘the world’s most powerful VPN’. 

What does VyprVPN bring to the table? You’ll get fast VPN speeds, 70+ global locations served by over 700 servers and 200,000 IP addresses, easy to use apps for a huge range of devices, and a clever cloaking technology called Chameleon – the real reason for considering VyprVPN.

What don’t you get? You don’t get an end-to-end open source solution, although Golden Frog asserts that it doesn’t use third-party providers at all, and that it owns and manages 100% of its hardware, software and network so your privacy is protected from end-to-end.

Behind the scenes, VyprVPN is based on Ubuntu servers and a huge open source stack including OpenVPN, strongSwan, Nginx, OpenSSL, Python and much more. The closed source part of the system is mostly what brings it all together – the web interfaces, clients, APIs etc. Golden Frog estimates that just 0.7% of its software stack is closed source software.

VyprVPNs Chameleon feature is closed source but is also a very compelling argument for using the service. Based on OpenVPN, Chameleon takes the packets that are going to be sent over the network and adds an obfuscation layer which is designed to defeat Deep Packet Inspection (that troublesome tool which enabled provider packet shaping).

And here’s the thing – it works beautifully. Whereas other VPN methods have struggled amongst particularly aggressive providers, Chameleon has performed admirably. If this feature is a key priority for your needs, VyprVPN may well be the best solution for you.

As a Linux user, you may only want to use free and open source software but consider that by having a commercial backer, VyprVPN can afford to employ coders to constantly review the safety of their Chameleon feature. Open source software also isn’t immune to security vulnerabilities. 

The bottom line 

Using a VPN is essential to stay safe, geo-spoof, and protect your identity online. If you’re an experienced Linux user, you also may well be more comfortable with taking a “do it yourself” approach to installing your own VPN client software and setting up your own VPN server. This means extra work but provided you’re using FOSS (free and open source software) and manage your own server, there’s no need to place your trust in third parties.

Take some time to think about the primary purpose for your VPN, such as streaming online shows or protecting your privacy. This will help you to decide on the best provider for you.