Choosing the Right VPN for NixOS

As an IT specialist based in London, I’ve spent countless hours fine-tuning NixOS installations—whether it’s on a workstation running GNOME, a privacy-focused i3 setup or a lightweight Xfce rig. NixOS stands out thanks to its purely declarative configuration.nix, atomic rollbacks and the nix package manager (or flakes, for the avant-garde). But these very strengths demand VPN clients that integrate cleanly into a declarative workflow, play nicely with systemd, and support both WireGuard and OpenVPN without manual dependency wrangling.

Here are the VPNs that fit best into the NixOS philosophy:

• Mullvad VPN (mullvad.net)
  • Official WireGuard and OpenVPN configs
  • Packaged in nixpkgs as mullvad-app (GUI) and mullvad-cli
  • Perfect for the privacy-obsessed, with reproducible wg configs
• NordVPN (nordvpn.com)
  • Native CLI in nixpkgs (nordvpn)
  • Official NixOS module (services.nordvpn.enable)
  • Supports “NordLynx” (WireGuard) and OpenVPN
• ProtonVPN (protonvpn.com)
  • Top-tier security, audited OpenVPN configs
  • No native NixOS module—but easily deployed via services.openvpn
  • Ideal for those already in the Proton ecosystem
• IVPN (ivpn.net)
  • WireGuard and OpenVPN, CLI scripts available
  • Community packages (NUR) or manual OpenVPN integration
  • Appeals to users wanting audited code
• Private Internet Access (privateinternetaccess.com)
  • WireGuard and OpenVPN configs that drop cleanly into NixOS
  • Community nixpkgs/NUR recipes or manual OpenVPN/WireGuard setup
  • Great for users who want a huge server fleet with simple CLI workflows

Comparison Table

Installing Configuring Your Top VPNs

Mullvad VPN

Mullvad’s straightforward WireGuard support works brilliantly with NixOS’s networking.wireguard module. Whether you prefer its minimalist GUI or the CLI, you’ll get consistent, reproducible results.

1. Download your WireGuard config from the Mullvad website and save it as /etc/wireguard/mullvad.conf.

2. Edit configuration.nix:

{ config, pkgs, ... }:

{
networking.wireguard.enable = true
networking.wireguard.interfaces.wg0 = {
settingsFile = /etc/wireguard/mullvad.conf
}

environment.systemPackages = with pkgs [
mullvad-app
mullvad-cli
]
} 

3. Rebuild and start:

sudo nixos-rebuild switch
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

If you prefer the CLI:

mullvad-cli login
mullvad-cli connect

NordVPN

NordVPN provides an official NixOS module and CLI that integrate seamlessly with systemd. You’ll benefit from “NordLynx” (their WireGuard fork) by default.

1. Edit configuration.nix to include the module and package:

{ config, pkgs, ... }:

{
services.nordvpn.enable = true

environment.systemPackages = with pkgs [
nordvpn
]
} 

2. Rebuild your system:

sudo nixos-rebuild switch

3. Authenticate and connect:

sudo nordvpn login
sudo systemctl restart nordvpn
sudo nordvpn connect

ProtonVPN via OpenVPN

ProtonVPN doesn’t ship a native NixOS module, but its OpenVPN configs are rock-solid. You can slot them right into services.openvpn.

1. Download your .ovpn file (e.g. protonvpn.ovpn) and place it under /etc/openvpn/protonvpn.ovpn.

2. Update configuration.nix:

{ config, pkgs, ... }:

{
services.openvpn.servers.protonvpn = {
config = /etc/openvpn/protonvpn.ovpn
enable = true
}

environment.systemPackages = with pkgs [
openvpn
]
} 

3. Rebuild and start the service:

sudo nixos-rebuild switch
sudo systemctl enable openvpn-client@protonvpn
sudo systemctl start openvpn-client@protonvpn

Each of these solutions leverages NixOS’s declarative strengths. Whether you’re at the desk in Shoreditch or the server room in Slough, you’ll enjoy consistent, reproducible VPN connections that survive rollbacks, updates and configuration tweaks—just as NixOS intended.