1. Overview

In this tutorial, we’ll learn how to check for the connectivity status of a VPN (Virtual Private Network). First, we’ll briefly understand how VPN works on Linux. Then, we’ll move on to hands-on approaches to finding the status of the VPN connection.

For that purpose, we’ll use the nmcli and route utilities. In addition, we’ll also discuss client-specific commands.

2. How Does VPN Work on Linux?

When it comes to using a VPN on Linux, we usually install a VPN client on our machine. There is a wide range of VPN clients available on the web, but Linux users usually prefer to use OpenVPN in combination with NetworkManager.

We configure the VPN via connection details, such as the VPN’s server IP or hostname, authentication details, certificates, and how we want to encrypt the connection.

Once the connection is set, the client establishes a secure tunnel to the VPN server through protocols like OpenVPN and IKEv2. In addition, the VPN server assigns an IP address to the Linux machine. Therefore, subsequent communication between the client and the VPN server is secure and encrypted.

In addition, the client might create its own interface for data isolation. Thereby, it prevents interference with the regular network traffic. Moreover, it also enables the VPN server to assign an IP address to the interface.

Finally, when we disconnect the VPN connection, the Linux system will revert to using the regular Internet connection.

In the next sections, we’ll learn how to check whether our Linux machine uses VPN.

3. Checking VPN Connectivity

For our example, we’ll use ProtonVPN because it has a free tier and a standalone client for Linux. We can download and install it from its official package repository. It comes with a GUI and a CLI front end. However, for our example, we’ll stick with the CLI version.

Once installed, we log in with our credentials with the login verb:

$ protonvpn-cli login

Next, we’ll connect to the fastest available server via tcp:

$ protonvpn-cli connect --fastest --protocol tcp
Setting up Proton VPN.
Connecting to Proton VPN on US-FREE#303054 with TCP.
Successfully connected to Proton VPN.

In the next sections, we’ll learn various methods to check for VPN connectivity.

3.1. nmcli

nmcli is a command-line front-end to the Network Manager, which is the networking maestro of Linux.

By default, it’s available on most Linux distributions, such as Ubuntu, Fedora, and RHEL. However, we can install it on other operating systems through a package manager under its canonical name, network-manager.

By default, running nmcli lists all the active connections on all devices. However, we’ll narrow down our list to the active connections only, among which we can spot the ones that use VPN by their type:

$ nmcli connection show --active
NAME                       UUID                                  TYPE      DEVICE         
Proton VPN US-FREE#303054  e2aa6415-026f-47e0-9854-b3fdeb052509  vpn       enp0s1         
pvpn-ipv6leak-protection   61964a4d-b334-4e8a-a251-dc65541d5dea  dummy     ipv6leakintrf0 
Wired connection 1         e12542c3-cd2b-3b8d-8ca6-d79136d493ab  ethernet  enp0s1

Let’s break this down:

  • connection is an object that we can operate on
  • show lists the Network Manager’s connections
  • --active signifies that we want to see the active connections only

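Notably, the enp0s1 device carries the “Proton VPN US-FREE#303054” connection, which is what we connected to in the previous section. In addition, we can narrow down our list to VPN-related connections using grep. Since grep matches the string vpn anywhere in a line, the pvpn-ipv6leak-protection connection of type dummy shows up as well, because its name contains vpn: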

$ nmcli con show --active | grep vpn
Proton VPN US-FREE#303054  e2aa6415-026f-47e0-9854-b3fdeb052509  vpn       enp0s1         
pvpn-ipv6leak-protection   61964a4d-b334-4e8a-a251-dc65541d5dea  dummy     ipv6leakintrf0

Here, con is an alias for connection.

Notably, some VPN clients, like Cisco AnyConnect, show the type tun instead of vpn. tun stands for tunnel, which usually indicates that the VPN is using a tunneling protocol like OpenVPN, which sometimes works through a tun interface.

Moreover, there are certain VPN clients that will have the type tap. Therefore, we need to keep an eye out for that too.

3.2. route

route manages how network traffic travels between different networks or hosts.

It’s pre-installed on most Linux distributions. So, we can readily use it:

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    50     0        0 proton0
default         _gateway        0.0.0.0         UG    100    0        0 enp0s1
10.98.0.0       0.0.0.0         255.255.0.0     U     50     0        0 proton0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s1
185.236.200.242 _gateway        255.255.255.255 UGH   50     0        0 enp0s1
192.168.64.0    0.0.0.0         255.255.255.0   U     100    0        0 enp0s1
_gateway        0.0.0.0         255.255.255.255 UH    50     0        0 enp0s1

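In the table, we can observe that routes exist on two interfaces, proton0 and enp0s1. Both have a default route, but the one through proton0 has the lower metric (50 versus 100), so the kernel prefers it for outbound traffic. When we have multiple interfaces like this, it often suggests that we’re using some kind of VPN.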

In contrast, when we turn off the VPN, the table consists of a single interface:

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 enp0s1
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s1
192.168.64.0    0.0.0.0         255.255.255.0   U     100    0        0 enp0s1

Notably, we only have the enp0s1 interface with our VPN turned off. Moreover, the presence of interfaces like tun and tap also signifies that the packets flow through a VPN.

Furthermore, for turning off ProtonVPN, we can use the disconnect verb:

$ protonvpn-cli disconnect
Attempting to disconnect from Proton VPN.
Successfully disconnected from Proton VPN.
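
The nmcli and route checks from sections 3.1 and 3.2 can be combined into one script. The following is an added example, not part of the original tutorial or of any VPN client: it matches the TYPE field exactly (so a connection that merely has vpn in its name is not counted) and picks the default route with the lowest metric. The function names are hypothetical, the sample inputs are constructed from the outputs shown above, and it assumes nmcli's terse output with the fields ordered as TYPE,NAME:

```shell
#!/bin/sh
# Added example: hypothetical helper names; sample data is constructed.

# stdin: `nmcli -t -f TYPE,NAME connection show --active`
# Prints the names of connections whose TYPE is exactly vpn, tun or tap.
vpn_connections() {
    awk '{ i = index($0, ":"); if (!i) next
           type = substr($0, 1, i - 1); name = substr($0, i + 1)
           if (type == "vpn" || type == "tun" || type == "tap") print name }'
}

# stdin: `route` or `route -n`. Prints the Iface of the default route
# with the lowest Metric, i.e. the one the kernel prefers.
default_iface() {
    awk '($1 == "default" || $1 == "0.0.0.0") && $3 == "0.0.0.0" {
             if (!seen || $5 + 0 < best) { best = $5 + 0; iface = $8; seen = 1 }
         }
         END { if (seen) print iface }'
}

# $1 = nmcli text, $2 = route text. Returns 1 when no VPN connection is active.
vpn_report() {
    names=$(printf '%s\n' "$1" | vpn_connections)
    iface=$(printf '%s\n' "$2" | default_iface)
    if [ -n "$names" ]; then
        printf 'VPN up: %s (default route via %s)\n' "$names" "$iface"
    else
        printf 'VPN down (default route via %s)\n' "$iface"
        return 1
    fi
}

# Constructed samples, modelled on the outputs shown in this tutorial.
SAMPLE_NMCLI='vpn:Proton VPN US-FREE#303054
dummy:pvpn-ipv6leak-protection
802-3-ethernet:Wired connection 1'
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    50     0        0 proton0
default         _gateway        0.0.0.0         UG    100    0        0 enp0s1
10.98.0.0       0.0.0.0         255.255.0.0     U     50     0        0 proton0'

vpn_report "$SAMPLE_NMCLI" "$SAMPLE_ROUTE"
# Live use: vpn_report "$(nmcli -t -f TYPE,NAME connection show --active)" "$(route -n)"
```

Because vpn_report returns a non-zero status when no VPN connection is active, it can gate other commands in a script or a monitoring check.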

3.3. Client-Specific Commands

Most of the time, well-developed VPN clients have a CLI front-end, which we can use to find out the status of the VPN connection. Often, they are the right tools for the job because they might provide a reliable way to check the VPN status.

Moreover, they can also provide more information. For instance, protonvpn-cli spits out useful connection info via the status option:

$ protonvpn-cli status
Proton VPN Connection Status
---------------------------
IP:          185.236.200.246
Server:      US-FREE#303054
Country:      United States
Protocol:      OpenVPN (TCP)
Server Load:      86%
Server Plan:      Free
Kill switch:      Off 
Connection time: 0:01:14

Additionally, for other VPN clients, we can refer to their respective documentation.

4. Conclusion

In this article, we discussed how the VPN works on Linux-based distros. Apart from that, we reviewed a few approaches to finding out the connectivity of a VPN on a Linux machine. For that use case, we used nmcli and route commands.

Finally, we briefly discussed why we should choose client-specific tools over built-in tools.