VPN on Ubuntu: Setup and Diagnostics in 2026

In 2026, a VPN on Ubuntu is rarely needed just "for show" — it has to be a stable working setup: the browser, Telegram, YouTube, Discord, cloud services and terminal utilities should all behave predictably. This article is a practical breakdown of which option to choose on Linux, how to connect a profile and what to check when the VPN connects but some apps still don't work. For a home scenario, you can start with FoliVPN and then pick the connection method that suits your laptop, PC or mini-server.

Why this topic matters for Ubuntu in 2026

Ubuntu remains a popular system for developers, remote work, home servers and laptops. At the same time, VPN on Linux often breaks not in one place, but at the boundary of several layers: NetworkManager, DNS via systemd-resolved, routes, MTU, firewall, browser proxies, containers and corporate profiles.

A fresh trend is the shift from "one VPN for everything" to more careful setups: a separate profile for the laptop, separate routing for the router, split tunneling for apps and checking DNS before blaming the VPN service itself. This is especially noticeable when websites open in the browser but native apps like Telegram, YouTube Music, Discord, Steam or package managers behave differently.

Important: there are no instructions below for illegally bypassing restrictions or abusing platforms. This material is about secure setup, privacy of your home connection and diagnosing common network issues.

Primary keyword and secondary queries

Primary keyword: VPN on Ubuntu.

Secondary keywords: Ubuntu VPN setup, WireGuard Ubuntu, OpenVPN Ubuntu, VPN connected but no internet Ubuntu, DNS Ubuntu VPN, NetworkManager VPN, split tunneling Linux, MTU WireGuard Linux.

Which connection method to choose

Ubuntu generally offers three working approaches.

For a beginner, the safest start is graphical NetworkManager: it stores the connection in the system, shows status and doesn't require keeping a terminal open all the time. For advanced setups, WireGuard is convenient because the config is short, but precisely because of its brevity a single AllowedIPs line can change the entire traffic route.

If your goal is to protect a Smart TV, a console and several phones at once, it's better not to turn your Ubuntu laptop into a "main gateway" but to consider a separate router-based setup. Related FoliVPN articles that are useful here: VPN on a home router and VPN split tunneling.

Setting up a VPN through the Ubuntu interface

The official Ubuntu documentation describes a VPN as a connection to a remote network over the internet, usually with encryption. On desktop Ubuntu, it's done via the network settings: open the Network section, add a VPN and choose the profile type. In practice the steps look like this:

1. Get a profile from your service or administrator: a WireGuard config, an OpenVPN .ovpn file, or manual connection parameters.
2. Make sure the required NetworkManager plugin is installed. For OpenVPN you often need the NetworkManager integration package, otherwise profile import won't appear in the UI.
3. Open "Settings" → "Network" → "VPN" → "Add".
4. Import the file or enter the parameters manually.
5. Connect and check the external IP, DNS and the apps you need.
6. If the profile works, save it as a separate scheme: for example, "FoliVPN Work", "FoliVPN Browser", "FoliVPN Router test".

Don't mix several VPN clients at once. If a browser extension, the system VPN, a corporate client and an in-app proxy are all enabled in parallel, diagnostics becomes almost meaningless: you don't know which layer is actually changing the route.

WireGuard on Ubuntu: what matters in the config

WireGuard is often chosen for its simplicity: an interface, a private key, the server's public key, an endpoint and a list of allowed routes. But errors are usually hidden in exactly those lines.

Check four parameters:

• AllowedIPs. A value of 0.0.0.0/0, ::/0 usually means all IPv4 and IPv6 traffic should go through the tunnel. If only a private subnet is specified, only that selected network — not the whole internet — will go through the VPN.
• DNS. If DNS isn't set or conflicts with systemd-resolved, sites may fail to open by name even though ping by IP works.
• Endpoint. If the server is unreachable over UDP from a specific network, the profile may "hang" without proper traffic exchange.
• MTU. An MTU that's too large sometimes produces a strange symptom: messengers connect, but media, calls or heavy sites freeze.

For safe diagnostics, don't edit your main profile right away. Copy the config, change one parameter, connect and test. That way it's easier to understand what actually affected the problem.

OpenVPN on Ubuntu: importing a profile without chaos

OpenVPN profiles often come as an .ovpn file. Inside you may find routes, the server address, TLS settings, certificates and DNS instructions. The official OpenVPN documentation emphasizes that OpenVPN is a full SSL/TLS VPN with various authentication and routing methods. That's powerful, but it creates two typical problems for beginners.

The first: the profile is imported, but the certificates aren't pulled in. The connection then fails at the TLS or authentication stage. The second: the profile connects but doesn't change the default route — traffic stays on the regular network while the user thinks "the VPN is working". After import, check not only the green indicator but also the actual route.

If Ubuntu shows an import error, try opening the .ovpn as text and check whether it references local certificate files you don't have. In a correct profile, certificates can be embedded as blocks or come as separate files next to the config.

If VPN is connected but there's no internet

The most common complaint sounds like this: "VPN is connected, but browser/Telegram/Discord/YouTube won't open". Don't start by reinstalling the system. Go layer by layer.

1. Check whether there's a route through the VPN

The connection can be active while the default route hasn't changed. This is especially important for corporate profiles, where only the internal network should go through the tunnel. If you need a full VPN for your home internet, the profile must explicitly send general traffic through the tunnel.

2. Separate a DNS problem from a routing problem

A simple test: does an IP address open while a domain doesn't? If yes, a DNS conflict is likely. On Ubuntu this is often related to systemd-resolved, the local stub resolver and which DNS servers the VPN profile assigned. We covered similar logic in the article Private DNS and VPN: the VPN session itself may be alive, but domain names are resolved somewhere other than you expect.

3. Remove extra proxies and extensions

If Firefox or Chrome has a VPN extension while a separate VPN is enabled in the system, the browser may behave differently from Telegram or Discord. For diagnostics, keep one layer only: either the system VPN or the extension, but not both at once.

4. Check IPv6

Sometimes IPv4 goes through the tunnel while IPv6 stays on the regular network or breaks. This produces "floating" symptoms: some sites open, others don't, some apps wait a long time for a timeout. If your VPN profile doesn't support IPv6, the configuration should be explicit, not accidental.

5. Account for firewall and containers

On Linux, local firewall rules, Docker, Podman, virtual machines and dev services can change the routing tables. If the problem started after launching a container environment, check not only the VPN client but also any new network interfaces.

A 10-minute diagnostic checklist

• Disable all extra VPN extensions, proxies and any second VPN client.
• Connect only one profile and check the external IP.
• Test whether domains and direct IP addresses work: this separates DNS from routing.
• Compare browser behavior with native apps: Telegram, Discord, YouTube, package manager.
• Check AllowedIPs or OpenVPN route parameters.
• See whether the VPN assigned its own DNS servers.
• If calls and media freeze, test another protocol/server or a smaller MTU.
• If the local network breaks, use split tunneling or a separate scheme for it.