Saturday 16 January 2021

VPN Providers with Custom Clients for Linux (Updated)

There are more Virtual Private Networking providers and companies than you can shake a stick at these days. While there's always installable client software for Windows, Android and usually MacOS and whatever the mobile version is called, not all are offering desktop clients for Linux distributions. Even if they do, it's usually non-GUI (you know, with the excuse that Linux nerds love and want the power of the command line) with stripped-down functionality, or even a browser extension only, which might work on a Chromebook but not on any other OS if you actually want to channel your entire traffic. And no, a proxy is not a replacement for a proper VPN.

Another constraint is the various packaging formats Linux and GNU/Linux distributions are using. Most providers only offer packages for Debian and Ubuntu-like distributions. RPMs are typically for Fedora and/or CentOS but do not work on SUSE. On other distributions like Slackware and Arch you're basically on your own. You can hope that someone has provided a build on sbopkg for Slackware or in the AUR for the Arch base, or that it can be transformed with the alien packaging tool, but these are not official packages.

Then we have the issue of different init systems in use all over the Linux install base. When exploring Artix Linux I discovered that custom desktop client software is written to work with distributions that are using systemd to handle services and networking. Wanting to use them with OpenRC or Runit presents a bit of a challenge. It can be done but you've got to know your init system's run levels or ask a distro developer to package it for you. Thankfully I have since discovered that the software of at least two companies I'm perusing supports SysVinit. Their packages worked flawlessly on Devuan 3.0 so all is not lost if you're not running systemd but still want to use your provider's client instead of the NetworkManager OpenVPN plugin. Even more so since NM does not seem to work without systemd, haha. They also play nicely with Wicd, no conflicts there. They're not integrated but they don't integrate with NM either.

Without any more ado, let's take a look at some of the companies that play nice(r) and at least give us some sort of client for Linux, be it CLI or GUI.

As stated, only offering a browser plugin does not count but in some cases these help to give us an extra layer of security for the browser which allows for a double-hop. Every company should offer a browser extension anyway for the scenarios where one really only wants to channel their browser traffic, for example to circumvent geo-restrictions on video sites.

Please bear in mind I'm not making recommendations as to how safe or anonymous the service is. Most companies are offering a slightly different thing and this is not the place to recommend a product. I have tried most of these and others. If you want to find out how the various providers compare, what they offer and how they perform, there are review sites for this. I always find though that these are highly subjective and often outdated or at least not complete, for example not mentioning the availability of new protocols like WireGuard or Shadowsocks in certain providers' packages although these have been there for many months and the review supposedly has been updated just three weeks ago.

Anyway, here's a rundown of companies that have their own desktop clients for Linux:

1.) Windscribe

The first of what I call generic terminal clients. That said, once you've added the repo and set it up it's easy to stick a shell script into ~/bin and tell it to autostart. On my distribution it even automatically started without that at boot time, presumably because it was active at shutdown. So once you've added your account information there's strictly speaking no need to interact with it again if you're happy with your location and choices regarding kill switch (here called firewall) and protocol. Defaults are sane.

I am mentioning this because with some other services you first need to invoke sudo which makes it impractical for connecting automatically at startup.

It's a good service for streaming too, with good speed and even the notoriously finicky BBC not detecting it most of the time. If it does, just connect again and it will rotate to a different IP.

The major drawback I see here is that we have a long list of server locations but in the terminal client there's no way to choose a particular node/city, only a country. Talk about discrimination. Otherwise quite good. As a fun bonus, we can connect to Fake Antarctica and become a troll.

Ubuntu, Debian, Fedora, CentOS. The Arch User Repository and Slackware have build scripts.

Forgot to mention that you can get 10GB use with a free account or build a custom plan for $1 per location. 

2.) NordVPN

Nord have been in the limelight for the last two years or so. I have nothing bad to say about them, their Linux client is terminal-based just like Windscribe and feels remarkably similar. I guess it comes down to what you like. While Nord is based in Panama, which is outside the Five Eyes alliance, US Patriot Act and EU jurisdiction, Windscribe is based in Canada. Nord are using RAM-only servers, Windscribe are not.

On the other hand NordVPN have recently upped prices and were always a bit dearer both than Windscribe and the next one on the list. As far as I can tell they are probably the best for circumventing and watching geo-blocked content if you want to be sure. For installation you obtain the release file which adds the repository and then download the client from there.

Debian and RPM files are provided, not specific to any distribution.

3.) Surfshark

Pretty much like the previous two but you need to provide the password for sudo which makes it slightly more cumbersome to start. For installation a release file is provided that sets up the repo, another command then downloads the actual client. Also, one does not start the service with the surfshark command but with surfshark-vpn. Go figure.

Positive is that the command line client gives us a numbered list of currently 105 locations, you enter the number and connect. This way we have the ability to choose a particular city and not just a country. They also have more locations in Germany if that's what you need, not only the overused data centers in Frankfurt that everybody offers. They only use RAM-disk servers and, at less than $2 a month for a regular 24-month plan, usually with additional months thrown in at a sale, are dirt cheap. Good at streaming and with better speed and no drops or sudden interruptions. Recommended because of the price/performance ratio.

Debian and *buntu only.

4.) Private Internet Access (also known as PIA)

PIA have hands down the best GUI client in the Linux world and theirs should be the gold standard for other companies to aspire to. I like them because it's the only company that gives us a client equivalent to other desktops. It comes with a gazillion options incl. Shadowsocks, WireGuard support, split tunneling, specifying your own SOCKS proxy and DNS and of course the obligatory list of locations to choose from.

I would really hope all providers would offer a similar experience instead of the stripped-down terminal apps they have that support only a subset of the functions of their clients for the other platforms. Seems lazy, and quite often one cannot even get multi-hop, or only by using the browser extension on top, which isn't true multi-hop as it only affects the browser. Their client also self-updates once installed and you get a handy system tray lock icon with light and dark themes or the original green man.

That said, there are other issues to consider.

PIA have some issues with streaming and geo-blocking unfortunately. They're easily detected as a VPN as their IP addresses are well known and they do not seem to have enough to rotate. Speed is decent enough (being in Europe with a node near you) for Kodi and unrestricted content but forget BBC, Netflix and Amazon Prime in other countries.

A guide with screenshots is here. That page also mentions that they are supporting OpenRC as well as systemd and SysVinit. Mint, Ubuntu, Arch and Debian. No RPMs it seems.

5.) ProtonVPN

Proton is an interesting one. One of only a few, they offer a downsized free plan with only a few locations. Based in Switzerland, they offer what they call a Secure Core network by first passing user traffic through their own servers in privacy-friendly countries like Switzerland and Iceland, and also full Tor network integration. They're also one of the more premium services at 8 Euros a month or 96 a year, no discounts, if you want all the features and more than two simultaneous connections.

ProtonVPN only offer a Linux terminal client which is still in beta and needs to be started with protonvpn-cli. At least they now have a DEB package repository as it used to require cloning from git.

There's also an unofficial GUI app out on GitHub which requires the CLI client to be present. Looks promising and once this has all stabilized could be a serious contender.

6.) AirVPN

One of my favorites, AirVPN are somewhere in the middle price-wise, describing themselves as an Italy-based collective of hacktivists and activists. You can get a three day free trial by emailing support and asking nicely.

They have two! GUI clients for Linux, Android and other platforms, Eddie and Hummingbird. I tested Eddie and it does the job well but may not be the most family friendly in its presentation, which is probably more suited to seasoned tech freaks and computer nerds like us with its long list of details and built-in monitoring.

Eddie also offers a CLI only version if you prefer. AirVPN support the widest choice of distributions and hardware of all services I've come across. They have packages for Debian and Ubuntu, SUSE, Fedora, Arch Linux (64 and 32-bit), generic tar packages of both clients for i686 and x64, an AppImage of Eddie, support for the Raspberry Pi and Hummingbird for Raspbian. This *should* be able to run on any Linux distro. Commendable really, you can tell these guys love Linux.

7.) Proxy.sh

Used to have a good graphical client called Zonehopper or similar but seems to have disappeared last year. Based in the Seychelles they only took anonymous payment methods.

8.) ExpressVPN

Outside of jurisdiction of EU and USA, but outside the zone of influence? This service has good graphical clients for Windows and Mac, Android and iOS but only offers the usual stripped-down command line options for Linux users, where you pick locations in the terminal but more advanced features like multi-hop are missing. Looking at the different providers these CLI applications are all remarkably similar. Even their install instructions are the same, using Ubuntu as example.

ExpressVPN support a good array of distributions though, 32 and 64 bit.

  • Ubuntu
  • CentOS
  • Debian
  • Fedora
  • Raspbian (only 32-Bit)
  • Arch

9.) Mullvad

Based in Sweden. Have a Linux client in DEB and RPM for Fedora 31 and up. Unsure if graphical or terminal app. Not tried.

Has simple install instructions on the page, easy to follow. Mullvad is one of the more advanced, 'hackerish' VPNs.

10.) Ivacy

Typical command line client. On sale at the moment at $1 a month.

Compatible with Ubuntu, Debian, Fedora, CentOS and Arch Linux.

11.) OVPN

OVPN, like several good VPN services, are based in Sweden, although since the Pirate Bay and issues surrounding Mr Assange I'm not sure how good that is. Nevertheless, this service gets extremely good ratings in reviews in pretty much every area. They run their own dedicated hardware that only their own employees have access to next to their offices. On-RAM-disk servers only.

They have a range of clients for various Linux distributions, separate ones for OpenVPN and WireGuard, offering both CLI and GUI clients for Ubuntu, a GUI only for Manjaro users, and a CLI application for Debian, CentOS, Fedora and FreeBSD users and for the Raspberry Pi. Also a WireGuard app for OPNsense. Note to self: Will have to check this one out at some point.

12.) IVPN (Added 19-01-21)

Apparently founded by a team of academics and Information Security specialists. They are strong on the ethical side and offer a manifesto, transparency report and a cryptographically signed warrant canary issued monthly.

Like OVPN they use and are in charge of their own hardware, which means no rented or virtual servers. This is a higher quality service and accordingly is more expensive but from what I can see here you get what you pay for.

Linux CLI and GUI clients are in beta. If you wish to use the graphical app the CLI base package is required to be installed prior to installing the GUI app. IVPN supports the OpenVPN protocol as well as WireGuard.

Packages exist for Debian, *buntu and Mint, Fedora, CentOS and Arch Linux. One can either install from repository or download the binaries directly. An AppImage (which did not execute for me despite setting permissions) and the source code to compile on other distributions are also provided.

--------------

Companies I'd like to see a VPN client for Linux from, preferably a graphical implementation on par with the ones for the other platforms they support:

1.) VyprVPN 

Good, innovative and inexpensive service located in neutral Switzerland that is offering their own Chameleon protocol. Promises no logs and worldwide streaming.

The only other way for Linuxers to use it would be to install it on a router or use it on Android or iOS.

2.) Perfect Privacy

This one seems like a great provider that has a lot to offer, for instance its so-called Neuro-Routing - dynamic cascading. At the time of writing they only support Windows 10, MacOS and Android. As one of the most expensive services they should be able to afford or obtain/licence at least a basic CLI app.

Also based in Switzerland, the service promises to guarantee maximum anonymity, sending data exclusively over their own protected network where users have complete control over which locations they use for multiple hops. RAM-disk servers only.

--------------

Most if not all other providers offer configuration files for download, to use with the native Linux applications or to set up manually, but that is not part of the exercise, mainly because of the lack of a kill switch in NetworkManager and, if set up this way, the lack of more advanced functions that even the more basic CLI programs offer. Given the exhausting need to import many config files and retype passwords if you often want to switch locations, a provider-side client is much better and keeps the complete list of locations updated. Credentials only need to be entered once.

If you've got any others to add please do so in the comments.
