1. Overview
In this tutorial, we’ll learn how to check for the connectivity status of a VPN (Virtual Private Network). First, we’ll briefly understand how VPN works on Linux. Then, we’ll move on to hands-on approaches to finding the status of the VPN connection.
For that purpose, we’ll use the nmcli and route utilities. In addition, we’ll also discuss client-specific commands.
2. How Does VPN Work on Linux?
When it comes to using a VPN on Linux, we usually install a VPN client on our machine. There is a wide range of VPN clients available on the web, but Linux users usually prefer to use OpenVPN in combination with NetworkManager.
We configure the VPN via connection details, such as the VPN’s server IP or hostname, authentication details, certificates, and how we want to encrypt the connection.
Once the connection is set, the client establishes a secure tunnel to the VPN server through protocols like OpenVPN and IKEv2. In addition, the VPN server assigns an IP address to the Linux machine. From then on, communication between the client and the VPN server is secure and encrypted.
In addition, the client might create its own interface for data isolation. Thereby, it prevents interference with the regular network traffic. Moreover, it also enables the VPN server to assign an IP address to the interface.
Finally, when we disconnect the VPN connection, the Linux system will revert to using the regular Internet connection.
In the next sections, we’ll learn how to check whether our Linux machine uses VPN.
3. Checking VPN Connectivity
For our example, we’ll use ProtonVPN because it has a free tier and a standalone client for Linux. We can download and install it from its official package repository. It comes with a GUI and a CLI front end. However, for our example, we’ll stick with the CLI version.
Once installed, we log in with our credentials with the login verb:
$ protonvpn-cli login
Next, we’ll connect to the fastest available server over TCP:
$ protonvpn-cli connect --fastest --protocol tcp
Setting up Proton VPN.
Connecting to Proton VPN on US-FREE#303054 with TCP.
Successfully connected to Proton VPN.
In the next sections, we’ll learn various methods to check for VPN connectivity.
3.1. nmcli
nmcli is a command-line front end to NetworkManager, which is the networking maestro of Linux.
By default, it’s available on most Linux distributions, such as Ubuntu, Fedora, and RHEL. However, we can install it on other operating systems through a package manager under its canonical name, network-manager.
By default, running nmcli lists all the active connections on all devices. However, we’ll first narrow the list down to the active connections and then look for the ones that use a VPN:
$ nmcli connection show --active
NAME UUID TYPE DEVICE
Proton VPN US-FREE#303054 e2aa6415-026f-47e0-9854-b3fdeb052509 vpn enp0s1
pvpn-ipv6leak-protection 61964a4d-b334-4e8a-a251-dc65541d5dea dummy ipv6leakintrf0
Wired connection 1 e12542c3-cd2b-3b8d-8ca6-d79136d493ab ethernet enp0s1
Let’s break this down:
- connection is an object that we can operate on
- show lists NetworkManager’s connections
- --active signifies that we want to see the active connections only
Notably, the enp0s1 interface is using “Proton VPN US-FREE#303054”, which is what we connected to in the previous section. In addition, we can narrow down our list to VPN-only connections using grep:
$ nmcli con show --active | grep vpn
Proton VPN US-FREE#303054 e2aa6415-026f-47e0-9854-b3fdeb052509 vpn enp0s1
pvpn-ipv6leak-protection 61964a4d-b334-4e8a-a251-dc65541d5dea dummy ipv6leakintrf0
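Here, con is an alias for connection. Because grep matches the string vpn anywhere on the line, the pvpn-ipv6leak-protection entry also appears: its type is dummy, but its name contains “vpn”.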
Notably, some VPN clients, such as Cisco AnyConnect, show the type tun instead of vpn. tun stands for tunnel, which usually indicates that the VPN is using a tunneling protocol like OpenVPN. OpenVPN is sometimes associated with a tun interface.
Moreover, certain VPN clients have the type tap. Therefore, we need to keep an eye out for that too.
3.2. route
route manages how network traffic travels between different networks or hosts.
It’s pre-installed on most Linux distributions. So, we can readily use it:
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 50 0 0 proton0
default _gateway 0.0.0.0 UG 100 0 0 enp0s1
10.98.0.0 0.0.0.0 255.255.0.0 U 50 0 0 proton0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp0s1
185.236.200.242 _gateway 255.255.255.255 UGH 50 0 0 enp0s1
192.168.64.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s1
_gateway 0.0.0.0 255.255.255.255 UH 50 0 0 enp0s1
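In the table, we can observe that traffic is routed over both the proton0 and the enp0s1 interfaces. The default route through proton0 has the lower metric (50 versus 100), so it is the preferred one. Usually, when the routing table contains multiple interfaces like this, it suggests that we’re using some kind of VPN.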
In contrast, when we turn off the VPN, the table consists of a single interface:
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 100 0 0 enp0s1
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp0s1
192.168.64.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s1
Notably, we only have the enp0s1 interface with our VPN turned off. Moreover, the presence of interfaces like tun and tap also signifies that the packets flow through a VPN.
Furthermore, to turn off ProtonVPN, we can use the disconnect verb:
$ protonvpn-cli disconnect
Attempting to disconnect from Proton VPN.
Successfully disconnected from Proton VPN.
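As an added example (not part of the original tutorial or of any VPN client's tooling), the following script combines the nmcli check from section 3.1 with the route check above: it looks for an active connection of type vpn, tun or tap and reports whether the lowest-metric default route still leaves through the physical interface. The sample inputs are constructed from the outputs shown in this tutorial, and the function names and the physical-interface argument are assumptions.

```shell
#!/bin/sh
# Constructed samples: terse nmcli records (NAME:TYPE:DEVICE) and route rows
# modelled on the outputs shown in sections 3.1 and 3.2.
NMCLI_ON='Proton VPN US-FREE#303054:vpn:enp0s1
pvpn-ipv6leak-protection:dummy:ipv6leakintrf0
Wired connection 1:802-3-ethernet:enp0s1'
NMCLI_OFF='Wired connection 1:802-3-ethernet:enp0s1'
ROUTE_ON='Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 50 0 0 proton0
default _gateway 0.0.0.0 UG 100 0 0 enp0s1
10.98.0.0 0.0.0.0 255.255.0.0 U 50 0 0 proton0'
ROUTE_OFF='default _gateway 0.0.0.0 UG 100 0 0 enp0s1'

# Names of active connections whose TYPE is vpn, tun or tap (stdin: terse nmcli).
vpn_conns() {
    awk -F: 'NF >= 3 && $(NF-1) ~ /^(vpn|tun|tap)$/ {
        name = $1
        for (i = 2; i <= NF - 2; i++) name = name ":" $i  # NAME may contain ":"
        print name
    }'
}

# Interface of the lowest-metric default route (stdin: route or route -n output).
default_iface() {
    awk '($1 == "default" || $1 == "0.0.0.0") && $3 == "0.0.0.0" && $5 ~ /^[0-9]+$/ {
        if (best == "" || $5 + 0 < best + 0) { best = $5; iface = $8 }
    } END { if (iface != "") print iface }'
}

# vpn_status NMCLI_TEXT ROUTE_TEXT PHYS_IFACE (PHYS_IFACE is a caller assumption)
#   tunnel-default  : VPN connection active, default route not on PHYS_IFACE
#   vpn-not-default : VPN connection active, default route still on PHYS_IFACE
#   no-vpn          : no vpn/tun/tap connection active
vpn_status() {
    conns=$(printf '%s\n' "$1" | vpn_conns)
    iface=$(printf '%s\n' "$2" | default_iface)
    if [ -z "$conns" ]; then
        echo no-vpn
    elif [ -z "$iface" ] || [ "$iface" = "$3" ]; then
        echo vpn-not-default
    else
        echo tunnel-default
    fi
}

# Live use: nmcli -t -f NAME,TYPE,DEVICE connection show --active | vpn_conns
#           route -n | default_iface
vpn_status "$NMCLI_ON" "$ROUTE_ON" enp0s1
vpn_status "$NMCLI_ON" "$ROUTE_OFF" enp0s1
vpn_status "$NMCLI_OFF" "$ROUTE_OFF" enp0s1
```

The vpn-not-default result is the case worth alerting on: NetworkManager reports the VPN as active while default traffic does not use the tunnel.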
3.3. Client-Specific Commands
Most of the time, well-developed VPN clients have a CLI front-end, which we can use to find out the status of the VPN connection. Often, they are the right tools for the job because they might provide a reliable way to check the VPN status.
Moreover, they can also provide more information. For instance, protonvpn-cli spits out useful connection info via the status verb:
$ protonvpn-cli status
Proton VPN Connection Status
---------------------------
IP: 185.236.200.246
Server: US-FREE#303054
Country: United States
Protocol: OpenVPN (TCP)
Server Load: 86%
Server Plan: Free
Kill switch: Off
Connection time: 0:01:14
Additionally, for other VPN clients, we can refer to their respective documentation.
4. Conclusion
In this article, we discussed how the VPN works on Linux-based distros. Apart from that, we reviewed a few approaches to finding out the connectivity of a VPN on a Linux machine. For that use case, we used nmcli and route commands.
Finally, we briefly discussed why we should choose client-specific tools over built-in tools.