Download Pivot VPN for Linux
Pivot VPN brings a fast, modern WireGuard-based tunnel to your Linux desktop and server. Whether you are running Ubuntu on a daily-driver laptop, Fedora on a workstation, Debian on a home server, or Arch on a tiling-WM rig, the Linux client gives you the same private network you already use on your phone, macOS, Windows machine and Android TV. One subscription. One identity. Every device on the list.
This page walks you through who the Linux build is for, what your system needs, how to install it from the command line and from official packages, what happens on the first launch, and how to lock everything down after install. No tracking, no telemetry on by default, no console-only compromises.
Who the Linux Client Is For
The Linux build of Pivot VPN is aimed at people who actually live in a terminal — developers, sysadmins, privacy-focused power users, journalists working on hardened workstations, and anyone running a self-hosted home lab. If you have ever wanted a VPN that respects your shell, integrates with systemd, exposes a clean CLI, and does not try to install a graphical bloat stack just to flip a switch, this client is for you.
It also fits more casual desktop users. If you have moved from another OS to a beginner-friendly distribution like Ubuntu, Linux Mint or Pop!_OS and you simply want a working tray icon, a country picker, a kill switch, and the same account that powers your phone and TV — the GUI flavor of the Linux client gives you exactly that. Headless server users get a CLI-only build, GNOME and KDE desktop users get the full graphical experience.
System Requirements
Pivot VPN for Linux is intentionally lightweight, but there is a small baseline to keep the tunnel stable and fast.
- A 64-bit x86_64 or ARM64 (aarch64) processor.
- A modern kernel — Linux 5.6 or newer is recommended for native in-kernel WireGuard support. Older kernels fall back to the userspace implementation, which still works but is slightly slower.
- glibc 2.31 or newer (Ubuntu 20.04, Debian 11, Fedora 34, RHEL 9, Arch and openSUSE Tumbleweed all qualify).
- About 80 MB of free disk space for the package, plus a few MB for cached configuration and logs.
- An active internet connection during installation to pull the package and on first launch to provision your keys.
- `systemd` for the background service on most desktop distros. Runit, OpenRC and s6 are supported through manual unit files documented in the help center.
You do not need a beefy machine. Pivot VPN runs comfortably on a Raspberry Pi 4, on a low-power mini PC used as a home router, and on an old ThinkPad reborn as a Linux laptop.
Install Pivot VPN on Linux
Pick the path that matches your distribution. All packages are signed with our release key — verify the signature if you want belt-and-braces assurance.
- Add the Pivot VPN repository to your system. On Debian and Ubuntu, run `curl -fsSL https://pivotvpn.app/linux/pubkey.gpg | sudo gpg --dearmor -o /usr/share/keyrings/pivotvpn.gpg`, then add the source list pointing to the stable channel.
- Update your package index. `sudo apt update` on Debian-based systems, `sudo dnf check-update` on Fedora/RHEL, `sudo zypper refresh` on openSUSE, or `sudo pacman -Sy` on Arch.
- Install the client. Debian/Ubuntu: `sudo apt install pivotvpn`. Fedora/RHEL: `sudo dnf install pivotvpn`. openSUSE: `sudo zypper install pivotvpn`. Arch: install `pivotvpn` from the AUR with your favorite helper, or grab the official `.pkg.tar.zst` from the downloads page.
- Enable and start the background service. `sudo systemctl enable --now pivotvpn.service`. This brings up the local daemon that manages the WireGuard interface, routing rules and the kill switch.
- Add your user to the `pivotvpn` group so you can run the CLI without `sudo`. `sudo usermod -aG pivotvpn $USER`, then log out and back in.
- Confirm the install. Run `pivotvpn --version` in a fresh terminal. You should see the version string and a green “daemon connected” line.
Prefer a self-contained binary? A statically linked tarball and a Flatpak are available on the official downloads page for distributions that do not have a native repository entry. AppImage builds are produced for every release for users who refuse to touch package managers at all.
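The repository step above pipes the downloaded key straight into the system keyring, so the key is trusted on the strength of the HTTPS download alone. The script below is an added example (not Pivot VPN's own tooling) that checks the key's primary fingerprint before installing it; `EXPECTED_FPR` is a placeholder because this page does not publish the fingerprint, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not vendor code): pin the release key before trusting it.
KEY_URL="https://pivotvpn.app/linux/pubkey.gpg"   # from the install step
KEYRING="/usr/share/keyrings/pivotvpn.gpg"        # from the install step
# Placeholder: take the real value from a channel other than the download.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_PUBLISHED_FINGERPRINT}"

# Constructed `gpg --show-keys --with-colons` listing (not the real key).
SAMPLE_LISTING='pub:-:255:22:89ABCDEF01234567:1700000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::Constructed Key <release@example.invalid>:
sub:-:255:18:FEDCBA9876543210:1700000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Strip whitespace and upper-case, so "0123 45ab" compares equal to "012345AB".
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Print primary-key fingerprints only: the "fpr" record that follows a "pub"
# record (field 10). Subkey fingerprints follow "sub" and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# True only if the listing holds exactly one primary key and it matches $2.
key_matches() {
    found=$(printf '%s\n' "$1" | primary_fprs)
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    [ "$(normalize_fpr "$found")" = "$(normalize_fpr "$2")" ]
}

# Download to a temp file, check the fingerprint, and only then install.
install_key() {
    tmp=$(mktemp) || return 1
    curl -fsSL "$KEY_URL" -o "$tmp" &&
        listing=$(gpg --show-keys --with-colons "$tmp") &&
        key_matches "$listing" "$EXPECTED_FPR" &&
        sudo gpg --dearmor -o "$KEYRING" "$tmp"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || echo "release key NOT installed (fetch or fingerprint check failed)" >&2
    return "$rc"
}

if [ "${1:-}" = "--install" ]; then install_key; fi
```

When you add the source list, reference the keyring with `[signed-by=/usr/share/keyrings/pivotvpn.gpg]` so the key can only vouch for this repository and not for packages from other sources.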
First Launch and Sign-In
Once the daemon is running, open the Pivot VPN application from your app menu, or type `pivotvpn login` in a terminal. The client opens a one-time secure browser window where you sign in with the same Pivot VPN account you use on your phone, laptop and TV. There is no separate Linux license, no extra activation code, and no clunky license file to copy around.
After sign-in, the client provisions a fresh WireGuard key locally, pairs it to your account, and downloads the latest server list. Pick a country or city from the GUI dropdown, or run `pivotvpn connect <location>` from the shell — for example `pivotvpn connect de-fra` for Frankfurt. The connection comes up in under a second on most networks.
If you have already used Pivot VPN on Android, iOS, Windows or macOS, your device count, favorite locations and split-tunneling preferences all sync automatically. The Linux machine simply appears as a new device in your dashboard.
Linux-Specific Settings Worth Turning On
The Linux client is built to take advantage of features that other operating systems do not expose. Spend two minutes in Preferences (or `pivotvpn config`) after install.
- Kill switch. Enabled by default. It installs strict `nftables` rules that drop every packet outside the tunnel if the VPN disconnects. No leaks, even during suspend or kernel updates.
- Always-on at boot. Add `--autoconnect <location>` to the systemd unit, or toggle “Connect on startup” in the GUI. Your laptop will be inside the tunnel before the login manager even appears.
- Split tunneling by binary or cgroup. Exclude `transmission`, `steam` or a specific Docker network from the tunnel with `pivotvpn split add /usr/bin/steam`. Useful for LAN gaming or self-hosted services.
- Custom DNS. Point the tunnel at our hardened DoH resolver, your Pi-hole, or any resolver of your choice. IPv6 leak protection is on by default; disable it only if you understand the consequences.
- MTU tuning. If you are on a flaky DSL or LTE uplink, lower the MTU to 1380 in the GUI. The CLI exposes the same setting as `pivotvpn config set mtu 1380`.
Troubleshooting Common Issues
Most Linux problems boil down to four root causes. Walk through them in order.
- Daemon not running. Check `systemctl status pivotvpn`. If it failed, run `journalctl -u pivotvpn -e` for the last error.
- DNS not resolving inside the tunnel. Make sure `systemd-resolved` is enabled, or switch the client to “managed resolv.conf” mode in Preferences.
- Conflicts with another WireGuard interface. If you already have `wg0`, rename it or let Pivot VPN use `pvpn0` (default).
- Firewall blocking the handshake. Confirm UDP 51820 is allowed outbound. Corporate networks sometimes need our TCP-over-TLS fallback — enable “Obfuscation” in Preferences.
If none of those help, run `pivotvpn diagnose` to generate a sanitized log bundle you can attach to a support ticket. No personal data, no browsing history — just kernel module versions, interface state and timestamps.
Post-Install Security Checklist
Before you call the setup done, run through this short list. Five minutes here saves you from the most common mistakes.
- Confirm your public IP changed at our leak-test page after connecting.
- Verify the kill switch by toggling the tunnel off mid-download — the transfer must stop immediately.
- Enable two-factor authentication on your Pivot VPN account from any device.
- Update the package weekly. `unattended-upgrades` on Debian-based systems or a `dnf-automatic` timer keeps you patched without thinking.
- Review the device list in your dashboard. Revoke any old key from a machine you no longer use.
That is everything you need. Your Linux box is now part of the same private network as your phone, your laptop, your desktop and your living-room TV — protected by one account, one kill switch policy, and one set of preferences that follow you everywhere.
Frequently asked questions
What are the minimum requirements to run Pivot VPN on Linux?
You need a 64-bit x86_64 or ARM64 CPU, a Linux kernel 5.6 or newer (for native WireGuard), glibc 2.31+, and around 80 MB of free disk space. Modern Ubuntu, Debian, Fedora, openSUSE and Arch installs all qualify out of the box, as do Raspberry Pi 4 and other ARM single-board computers. The same account also activates the client on your phone, Windows or macOS laptop and Android TV.
Is the Linux package safe and where does it come from?
All Linux builds are produced from the same signed source tree as the Android, iOS, Windows and macOS clients. Packages are signed with our official GPG release key, distributed from our own repository over HTTPS, and reproducible from source. You can verify the signature manually before installing, and the daemon ships with telemetry disabled by default.
How do I sign in on Linux if I already use Pivot VPN on my phone?
Run the app or `pivotvpn login` from a terminal — a secure browser window opens where you sign in with the same account you use on your phone, laptop and TV. No separate license key, no copy-pasting tokens. Your favorite locations and split-tunneling settings sync automatically, and the Linux machine simply shows up as a new device in your dashboard.
Can I use the same subscription on Linux, my phone and my TV at the same time?
Yes. One Pivot VPN subscription covers Android, iOS, Windows, macOS, Linux and Android TV simultaneously. You can have the tunnel up on your Linux workstation, your phone, your laptop and your living-room TV at once without paying anything extra. Device management lives in a single dashboard accessible from any of those platforms.
Will Pivot VPN slow my Linux connection down?
The Linux client uses native in-kernel WireGuard on modern kernels, which is the fastest mainstream VPN protocol available. On a gigabit link to a nearby server you should see 90 percent or more of your raw bandwidth, with single-digit-millisecond added latency. Lower-spec hardware like a Raspberry Pi 4 still comfortably saturates 300–500 Mbit/s.
What if my country or network blocks VPN traffic?
Turn on Obfuscation in Preferences, or run `pivotvpn config set obfuscation on`. The client will wrap the tunnel in TCP-over-TLS on port 443, which is indistinguishable from regular HTTPS traffic to most filtering systems. You can also switch to a less-monitored entry country, and the same obfuscation mode is available on your phone, Windows and macOS clients if you need it elsewhere.