Documentation Index

Fetch the complete documentation index at: https://help.nordlayer.com/llms.txt

Use this file to discover all available pages before exploring further.

NordLayer application usage on Linux

Prev Next

The NordLayer application for Linux is controlled from the terminal with the nordlayer command. This guide covers logging in, connecting to gateways, and — in detail — every setting you can change.

Note

Do not run nordlayer with sudo or as root. During installation your user is added to the nordlayer group, which is what grants permission to use the application. If you see a warning asking you to add your user to the nordlayer group, complete the installation steps and re-login or reboot.

Command overview

Command Alias What it does
nordlayer login Authenticate with NordLayer
nordlayer logout Log out from NordLayer
nordlayer status s Show current login, VPN, and network status
nordlayer gateways List the private and shared gateways available to you
nordlayer connect <gateway-id> c Connect to a gateway
nordlayer disconnect d Disconnect and do not reconnect
nordlayer settings Manage application settings (see below)
nordlayer alwaysonvpn a Request Temporary Internet Access when Always On is enabled
nordlayer dps Check Device Posture Security status
nordlayer version Print the application version
nordlayer completion <shell> Generate shell auto-completion scripts

Press TAB for auto-complete (gateway IDs and setting IDs complete automatically), and run nordlayer help <command> or nordlayer <command> --help for details on any command.

Global options

These flags work with any command:

  • --silent — disable unnecessary stdout output (useful in scripts).
  • --assume-yes — answer "yes" to all prompts automatically.
  • --socket <path> — IPC socket of the NordLayer daemon (default /run/nordlayer/nordlayer.sock); you normally never need this.

Logging in

The NordLayer Linux application supports logging in with an email and password, as well as the following single sign-on (SSO) providers:

  • Google
  • Entra ID (formerly Azure AD)
  • Okta
  • OneLogin
  • JumpCloud

The methods available to you depend on what your organization owner has configured.

To start a login attempt, enter:

nordlayer login

You will be prompted for your organization ID. You can also provide values up front with flags:

  • -o, --organization — your organization ID
  • -e, --email — email (for email/password login)
  • -p, --password — password (for email/password login)

After entering your organization ID, you will be able to choose from the login methods enabled for your organization.

Email and password

If you select this method, you will be asked for your email and password. For security, the password characters are not shown as you type.

Select [number]: 1
Email *
Password *
Logged in.

Third-party SSO

If single sign-on is enabled, select the corresponding number to authenticate via your provider:

1: Email and password
2: Google
3: Entra ID
4: Okta

Select [number]: 2
[$$ Authenticating...
Follow link to login: https://auth.nordlayer.com/v1/<...>

Open the link in your web browser. Many terminals let you right-click the link to open it; otherwise, copy the URL manually. After authenticating with your SSO provider, you will be redirected back to the NordLayer application. If the redirect does not work, click the Continue link shown in the browser.

Two-factor authentication (2FA)

Depending on your organization's configuration, you may be asked for a two-factor authentication code after logging in. NordLayer supports:

  • Authenticator app (TOTP) — recommended
  • Recovery code

You can manage your own 2FA method with nordlayer settings 2fa (see below).

Note

SMS-based 2FA is being phased out. Depending on your organization, you may see a warning that SMS authentication "will not be supported soon," or SMS may already be unavailable, in which case you must set up an authenticator app instead. We recommend moving to an authenticator app as soon as possible.

Listing gateways

nordlayer gateways

Private gateways:
Name/Country    ID
HQ              office-hq
Back-office     back-office-vpn

Shared gateways:
Name/Country    ID
Czech Republic  cz
Denmark         dk
...
Singapore       sg

Use the ID column with the connect command. Advanced users can reshape the output with -f, --format (a custom Go template).

Connecting and disconnecting

Provide the gateway ID to the connect command:

nordlayer connect uk
Connected

You can override the protocol for a single connection with -p, --protocol (nordlynx, openvpn_tcp, or openvpn_udp):

nordlayer connect uk --protocol nordlynx

To disconnect:

nordlayer disconnect
Disconnected

The shortcuts c (connect) and d (disconnect) work too, and gateway IDs auto-complete with TAB.

Checking status and version

nordlayer status   # current login, VPN, and network status (alias: s)
nordlayer version  # application version

Settings

NordLayer exposes several settings. The settings command has these subcommands:

Subcommand Purpose
nordlayer settings list List the available settings and their IDs
nordlayer settings get [<id>] Show current setting value(s)
nordlayer settings set [<id>] [<value>] Change a setting
nordlayer settings networks Manage trusted Wi-Fi networks
nordlayer settings 2fa Configure two-factor authentication

Add --advanced to get and set to also include advanced settings (see below).

Settings that your organization has locked are shown as managed by your organisation and cannot be changed locally.

Changing a setting interactively

Run nordlayer settings set with no arguments to get a menu:

Select setting to change:
1: Preferred VPN Protocol
2: Auto-connect
3: Web Protection
4: Always On
5: Kill switch
6: Local network access

Select [number]: 1

The menu is dynamic: Always connect to appears only once Auto-connect is enabled, and Cloud LAN device name appears only when Cloud LAN is configured for your organization. Locked (org-managed) settings are hidden from this menu. Trusted networks and 2FA are managed by their own subcommands (settings networks / settings 2fa).

Changing a setting non-interactively

You can pass a setting ID and a value directly — handy for scripts:

nordlayer settings set vpnprotocol nordlynx
nordlayer settings set webprotection on
nordlayer settings set autoconnect onlaunch
Setting ID Accepted values
Preferred VPN Protocol vpnprotocol automatic, nordlynx, openvpn_tcp, openvpn_udp
Auto-connect autoconnect off, onlaunch, onwifi (each toggles that option)
Always connect to alwaysconnectto a gateway ID, or "" for the nearest gateway
Web Protection webprotection on, off
Always On alwayson on, off
Kill switch killswitch on, off
Cloud LAN device name cloudlan a device name
Network access check (advanced) netaccesscheck on, off
Firewall mark (advanced) fwmark an integer between 1 and 1048575

(Use nordlayer settings set --advanced <id> <value> for the advanced settings, and nordlayer settings list to see all IDs.)

What each setting does

Each setting below lists its ID (for non-interactive use), its options, and any notes about dependencies or when it can be changed. Settings your organization has locked show a managed by your organisation note and cannot be changed locally.

Preferred VPN Protocol — vpnprotocol

The protocol used for connections. Changing it reconnects the VPN. Always editable.

Option Non-interactive value Notes
Automatic automatic Lets the app pick the best protocol
NordLynx nordlynx NordLayer's WireGuard®-based protocol; usually fastest
OpenVPN TCP openvpn_tcp Reliable, useful on restrictive networks
OpenVPN UDP openvpn_udp Faster than TCP in most cases

Auto-connect — autoconnect

Automatically connects the VPN. It is made up of two independent options, and each value below toggles that option on or off.

Option Non-interactive value Meaning
When app launches onlaunch Connect as soon as the app/daemon starts
When using untrusted Wi-Fi onwifi Connect whenever you join a Wi-Fi network that is not on your Trusted networks list
(disable both) off Turn auto-connect off

Always connect to — alwaysconnectto

The gateway that auto-connect should use. Only appears when Auto-connect is enabled.

  • Nearest Gateway (default) — non-interactive value "".
  • A specific private or shared gateway — non-interactive value is the gateway ID (see nordlayer gateways).

Web Protection — webprotection

Blocks malware, ads, and other threats at the DNS level. Changing it reconnects the VPN.

  • Options: on / off.

Always On — alwayson

Keeps the VPN permanently on; the device stays protected and reconnects automatically.

  • Options: on / off.
  • Dependency: while Always On is enabled, the Kill switch is required and cannot be turned off (it shows a "required for Always On" note). If you need temporary internet access — for example, a captive portal — use nordlayer alwaysonvpn (see below).

Kill switch — killswitch

Blocks all internet traffic if the VPN connection drops, preventing leaks.

  • Options: on / off.
  • Note: locked to on while Always On is enabled.

Local network access — lanaccess

Allows access to devices on your local network (printers, NAS, etc.) while connected to a gateway. Changed from the interactive menu only — there is no set <id> <value> form.

  • Options: Enabled / Disabled.
  • Note: ineffective while the Kill switch is disabled. It may also be managed by your organization.

Cloud LAN device name — cloudlan

The name your device advertises on Cloud LAN. Only appears when Cloud LAN is configured for your organization.

  • Options: a device name (must match the allowed-name pattern).

Trusted networks — trustednetworks

A list of Wi-Fi SSIDs that the "When using untrusted Wi-Fi" auto-connect option treats as safe. Managed with nordlayer settings networks (not the settings set menu) — see below.

Advanced settings

Shown only with --advanced (nordlayer settings get --advanced, nordlayer settings set --advanced):

Firewall mark — fwmark

The firewall mark (fwmark) the app applies to its traffic; for advanced networking/routing scenarios only. Changing it reconnects the VPN.

  • Options: an integer between 1 and 1048575 (0xfffff).

Network access check — netaccesscheck

Toggles the app's network-reachability check.

  • Options: on / off.

Setting a VPN protocol — example

Choosing Preferred VPN Protocol interactively:

Available values for VPN Protocol
1: Automatic
2: NordLynx
3: OpenVPN TCP
4: OpenVPN UDP

Select [number]: 2

Managing trusted networks

nordlayer settings networks

Lets you add or remove the Wi-Fi SSIDs that count as "trusted" for the When using untrusted Wi-Fi auto-connect option.

Configuring two-factor authentication

nordlayer settings 2fa

Lets you set up or change your 2FA method — Authenticator app (recommended) or a Recovery code.

Always On and temporary internet access

When Always On is enabled, the VPN stays connected and the Kill switch keeps traffic protected. If you need to reach a captive portal (for example, to accept Wi-Fi terms at a hotel or airport), request temporary internet access with:

nordlayer alwaysonvpn   # alias: a

Device Posture Security

nordlayer dps

Shows the current Device Posture Security status for your device (the checks your organization requires before allowing access).

Shell completion

Generate auto-completion scripts for your shell (bash, zsh, or fish):

nordlayer completion bash --output nordlayer.bash

Note: In case you have any questions or are experiencing any issues, please feel free to contact our 24/7 customer support team.

Can't find what you need?

Live chat

Contact our support to solve an issue live.

Chat functionality relies on cookies. By starting the chat, you agree to their use. Learn more in our Cookie Policy.