NordVPN is often associated with Windows and macOS, but the Linux client is just as capable. In 2024, Linux became the first platform to receive post-quantum encryption (PQ) support, and in 2025, the GUI app was open-sourced under GPLv3.
This guide covers installing and operating NordVPN on Linux entirely from the command line. From Kill Switch and Allowlist to PQ encryption and Docker integration, everything a developer needs to work with NordVPN in a Linux environment.
Installation and Initial Setup
Installing NordVPN
Use the official install script with curl or wget.
sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)
If you prefer Snap:
sudo snap install nordvpn
The Snap package includes the GUI since v4.2.0, but the CLI works the same either way.
Post-Install Configuration
You need to add your user to the nordvpn group. Without this, nordvpn connect will fail with a permission error.
sudo usermod -aG nordvpn $USER
Log out and back in (or reboot) for the group change to take effect.
Logging In
On a desktop environment, browser-based authentication works out of the box.
nordvpn login
This opens the NordVPN login page in your browser. Once authenticated, control returns to the CLI.
For headless servers (VPS, containers), use token authentication instead.
nordvpn login --token YOUR_TOKEN
Generate a token from the NordVPN web dashboard at my.nordaccount.com under "Access Token."
Testing the Connection
nordvpn connect
This connects to the fastest available server. Check the status with:
nordvpn status
Example output:
Status: Connected
Hostname: us456.nordvpn.com
IP: 198.51.100.22
Country: United States
City: New York
Current technology: NordLynx
Transfer: 1.2 MiB received, 0.5 MiB sent
Uptime: 5 minutes 32 seconds
CLI Command Reference
Everything in NordVPN Linux is controlled from the command line. Here are the commands you will use most often.
Connect and Disconnect
nordvpn connect # Connect to fastest server (alias: nordvpn c)
nordvpn connect us # Connect by country
nordvpn connect us new_york # Connect by country + city
nordvpn connect japan tokyo # Country names use snake_case
nordvpn disconnect # Disconnect (alias: nordvpn d)
nordvpn status # Check connection status
Server Groups
NordVPN offers specialized server groups for different use cases.
nordvpn groups # List available groups
nordvpn connect p2p # P2P-optimized servers
nordvpn connect double_vpn # Double encryption
nordvpn connect onion_over_vpn # Route through Tor
Server Information
nordvpn countries # List available countries
nordvpn cities us # List cities in a country
Settings
nordvpn settings # Display all current settings
nordvpn set technology nordlynx # Change protocol
nordvpn set autoconnect on # Enable auto-connect
nordvpn set autoconnect on us # Auto-connect to specific country
nordvpn set dns 1.1.1.1 1.0.0.1 # Set custom DNS
nordvpn set dns off # Reset to default DNS
Account
nordvpn account # Account information
nordvpn logout # Log out
nordvpn --version # Check version
NordLynx and Protocol Selection
NordLynx (WireGuard-based) is the default protocol on NordVPN Linux. It is the right choice for most situations, but certain network environments call for switching to OpenVPN.
Switching Protocols
nordvpn set technology nordlynx # NordLynx (WireGuard)
nordvpn set technology openvpn # OpenVPN
When using OpenVPN, you can choose between UDP and TCP.
nordvpn set protocol udp # OpenVPN UDP (default)
nordvpn set protocol tcp # OpenVPN TCP
Which Protocol to Choose
| Situation | Protocol | Reason |
|---|---|---|
| General use | NordLynx | Fastest, lowest latency |
| UDP is blocked | OpenVPN TCP | TCP fallback |
| Restrictive networks | OpenVPN + obfuscation | Bypasses DPI |
| PQ encryption needed | NordLynx | PQ is NordLynx-only |
To enable obfuscation with OpenVPN:
nordvpn set technology openvpn
nordvpn set obfuscate on
For a deeper look at protocol differences, see "VPN Protocols Compared: WireGuard vs OpenVPN vs IKEv2."
Kill Switch and Allowlist
Kill Switch
Kill Switch blocks all internet access if the VPN connection drops. On Linux, it is implemented using iptables rules.
nordvpn set killswitch on
With Kill Switch enabled, network traffic is immediately cut if the VPN disconnects. This prevents accidental IP leaks and should be turned on for any always-on VPN setup.
To disable it:
nordvpn set killswitch off
Allowlist (formerly Whitelist)
Even with Kill Switch on, you may need certain ports or subnets to bypass the VPN. Local development servers and SSH connections are common examples.
nordvpn allowlist add port 22 # SSH
nordvpn allowlist add port 3000 protocol TCP # Dev server
nordvpn allowlist add subnet 192.168.1.0/24 # Entire LAN
To check and manage allowlist entries:
nordvpn settings # Shows all settings including allowlist
nordvpn allowlist remove port 22 # Remove specific entry
nordvpn allowlist remove all # Clear all entries
LAN Device Access
With Kill Switch enabled, devices on your local network (printers, NAS) become unreachable. To allow LAN traffic:
nordvpn set lan-discovery on
Enabling Post-Quantum Encryption
Why PQ Encryption Matters
Current VPN encryption is secure today. But once quantum computers become practical, they could break the cryptographic algorithms (RSA, elliptic curve) that protect VPN tunnels.
The real threat is Harvest Now, Decrypt Later — adversaries capture encrypted traffic today and store it until quantum computers can decrypt it. This makes post-quantum encryption relevant now, not just when quantum computers arrive.
NordVPN's PQ encryption adds the ML-KEM (formerly CRYSTALS-Kyber) algorithm to the NordLynx handshake, providing resistance against quantum-capable attackers. Linux was the first platform to receive this feature in September 2024.
How to Enable
nordvpn set pq on
That is all it takes. PQ encryption applies from the next connection onward.
PQ encryption only works with NordLynx (WireGuard). If you have OpenVPN selected, you will see this error:
Post-quantum encryption is unavailable with OpenVPN.
Switch to NordLynx to activate post-quantum protection.
Verifying
Check whether PQ is active with nordvpn settings.
nordvpn settings
Look for Post-quantum VPN: enabled in the output.
The performance impact is negligible. An additional key exchange occurs during the handshake, but throughput after connection is the same as without PQ. Unless you have a specific reason not to, leave it enabled.
Using NordVPN in Docker Containers
When you need to route development or self-hosted service traffic through a VPN, running NordVPN inside a Docker container is a clean solution.
Building the Official Docker Image
NordVPN provides official Docker build instructions.
The basic flow:
docker build -t nordvpn-client .
Running the container requires the NET_ADMIN capability:
docker run -it \
--cap-add=NET_ADMIN \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
--name vpn \
nordvpn-client
Inside the container, authenticate with a token and connect:
nordvpn login --token YOUR_TOKEN
nordvpn connect
Routing Other Containers Through VPN
Use the NordVPN container as a network gateway so other containers send all traffic through the VPN.
docker run -it \
--net=container:vpn \
curlimages/curl curl ifconfig.me
The --net=container:vpn flag shares the VPN container's network stack. No VPN configuration is needed in the application container.
Using gluetun
If building your own Docker image is overkill, gluetun is a lightweight VPN client container that supports NordVPN and many other providers. It includes a built-in Kill Switch and is configured entirely through environment variables.
services:
gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
environment:
- VPN_SERVICE_PROVIDER=nordvpn
- VPN_TYPE=openvpn
- OPENVPN_USER=your_service_username
- OPENVPN_PASSWORD=your_service_password
- SERVER_COUNTRIES=Netherlands
ports:
- "8080:8080"
app:
image: your-app
network_mode: "service:gluetun"
Get your NordVPN service credentials (not your email) from the manual configuration page.
Wrapping Up
A recap of the key NordVPN Linux features covered in this guide:
- Installation: One-liner script. Token authentication for headless environments
- Protocols: NordLynx (WireGuard) is the default. Switch to OpenVPN TCP for restrictive networks
- Kill Switch + Allowlist: Block leaks while keeping dev ports and LAN accessible
- PQ Encryption: A single command (
nordvpn set pq on) adds quantum resistance. Linux was the first platform to support this - Docker: Route entire container networks through VPN with
--net=container
On Linux, the CLI is all you need. It is easier to automate and script than any GUI.
For the technical details behind VPN protocols, see "VPN Protocols Compared: WireGuard vs OpenVPN vs IKEv2 Under the Hood."
Related articles:
- NordVPN Review: Pricing, Security, and Performance Tested
- How to Use NordVPN: Setup, Settings, and Troubleshooting
- Is NordVPN Safe? A Technical Security Analysis
- VPN Protocols Compared: WireGuard vs OpenVPN vs IKEv2 Under the Hood
- VPN for Developers: SSH, WireGuard, and Commercial VPN Compared
- NordVPN vs ExpressVPN vs Surfshark: An Honest Comparison
Official resources:
- NordVPN Linux Download — installation instructions
- NordVPN Linux GitHub — source code and release notes
- NordVPN PQ Encryption — post-quantum encryption details