The NordLayer application for Linux is controlled from the terminal with the nordlayer command. This guide covers logging in, connecting to gateways, and — in detail — every setting you can change.
Do not run nordlayer with sudo or as root. During installation your user is added to the nordlayer group, which is what grants permission to use the application. If you see a warning asking you to add your user to the nordlayer group, complete the installation steps and re-login or reboot.
Command overview
| Command | Alias | What it does |
|---|---|---|
nordlayer login |
Authenticate with NordLayer | |
nordlayer logout |
Log out from NordLayer | |
nordlayer status |
s |
Show current login, VPN, and network status |
nordlayer gateways |
List the private and shared gateways available to you | |
nordlayer connect <gateway-id> |
c |
Connect to a gateway |
nordlayer disconnect |
d |
Disconnect and do not reconnect |
nordlayer settings |
Manage application settings (see below) | |
nordlayer alwaysonvpn |
a |
Request Temporary Internet Access when Always On is enabled |
nordlayer dps |
Check Device Posture Security status | |
nordlayer version |
Print the application version | |
nordlayer completion <shell> |
Generate shell auto-completion scripts |
Press TAB for auto-complete (gateway IDs and setting IDs complete automatically), and run nordlayer help <command> or nordlayer <command> --help for details on any command.
Global options
These flags work with any command:
--silent— disable unnecessary stdout output (useful in scripts).--assume-yes— answer "yes" to all prompts automatically.--socket <path>— IPC socket of the NordLayer daemon (default/run/nordlayer/nordlayer.sock); you normally never need this.
Logging in
The NordLayer Linux application supports logging in with an email and password, as well as the following single sign-on (SSO) providers:
- Entra ID (formerly Azure AD)
- Okta
- OneLogin
- JumpCloud
The methods available to you depend on what your organization owner has configured.
To start a login attempt, enter:
nordlayer login
You will be prompted for your organization ID. You can also provide values up front with flags:
-o, --organization— your organization ID-e, --email— email (for email/password login)-p, --password— password (for email/password login)
After entering your organization ID, you will be able to choose from the login methods enabled for your organization.
Email and password
If you select this method, you will be asked for your email and password. For security, the password characters are not shown as you type.
Select [number]: 1
Email *
Password *
Logged in.
Third-party SSO
If single sign-on is enabled, select the corresponding number to authenticate via your provider:
1: Email and password
2: Google
3: Entra ID
4: Okta
Select [number]: 2
[$$ Authenticating...
Follow link to login: https://auth.nordlayer.com/v1/<...>
Open the link in your web browser. Many terminals let you right-click the link to open it; otherwise, copy the URL manually. After authenticating with your SSO provider, you will be redirected back to the NordLayer application. If the redirect does not work, click the Continue link shown in the browser.
Two-factor authentication (2FA)
Depending on your organization's configuration, you may be asked for a two-factor authentication code after logging in. NordLayer supports:
- Authenticator app (TOTP) — recommended
- Recovery code
You can manage your own 2FA method with nordlayer settings 2fa (see below).
SMS-based 2FA is being phased out. Depending on your organization, you may see a warning that SMS authentication "will not be supported soon," or SMS may already be unavailable, in which case you must set up an authenticator app instead. We recommend moving to an authenticator app as soon as possible.
Listing gateways
nordlayer gateways
Private gateways:
Name/Country ID
HQ office-hq
Back-office back-office-vpn
Shared gateways:
Name/Country ID
Czech Republic cz
Denmark dk
...
Singapore sg
Use the ID column with the connect command. Advanced users can reshape the output with -f, --format (a custom Go template).
Connecting and disconnecting
Provide the gateway ID to the connect command:
nordlayer connect uk
Connected
You can override the protocol for a single connection with -p, --protocol (nordlynx, openvpn_tcp, or openvpn_udp):
nordlayer connect uk --protocol nordlynx
To disconnect:
nordlayer disconnect
Disconnected
The shortcuts c (connect) and d (disconnect) work too, and gateway IDs auto-complete with TAB.
Checking status and version
nordlayer status # current login, VPN, and network status (alias: s)
nordlayer version # application version
Settings
NordLayer exposes several settings. The settings command has these subcommands:
| Subcommand | Purpose |
|---|---|
nordlayer settings list |
List the available settings and their IDs |
nordlayer settings get [<id>] |
Show current setting value(s) |
nordlayer settings set [<id>] [<value>] |
Change a setting |
nordlayer settings networks |
Manage trusted Wi-Fi networks |
nordlayer settings 2fa |
Configure two-factor authentication |
Add --advanced to get and set to also include advanced settings (see below).
Settings that your organization has locked are shown as managed by your organisation and cannot be changed locally.
Changing a setting interactively
Run nordlayer settings set with no arguments to get a menu:
Select setting to change:
1: Preferred VPN Protocol
2: Auto-connect
3: Web Protection
4: Always On
5: Kill switch
6: Local network access
Select [number]: 1
The menu is dynamic: Always connect to appears only once Auto-connect is enabled, and Cloud LAN device name appears only when Cloud LAN is configured for your organization. Locked (org-managed) settings are hidden from this menu. Trusted networks and 2FA are managed by their own subcommands (settings networks / settings 2fa).
Changing a setting non-interactively
You can pass a setting ID and a value directly — handy for scripts:
nordlayer settings set vpnprotocol nordlynx
nordlayer settings set webprotection on
nordlayer settings set autoconnect onlaunch
| Setting | ID | Accepted values |
|---|---|---|
| Preferred VPN Protocol | vpnprotocol |
automatic, nordlynx, openvpn_tcp, openvpn_udp |
| Auto-connect | autoconnect |
off, onlaunch, onwifi (each toggles that option) |
| Always connect to | alwaysconnectto |
a gateway ID, or "" for the nearest gateway |
| Web Protection | webprotection |
on, off |
| Always On | alwayson |
on, off |
| Kill switch | killswitch |
on, off |
| Cloud LAN device name | cloudlan |
a device name |
| Network access check (advanced) | netaccesscheck |
on, off |
| Firewall mark (advanced) | fwmark |
an integer between 1 and 1048575 |
(Use nordlayer settings set --advanced <id> <value> for the advanced settings, and nordlayer settings list to see all IDs.)
What each setting does
Each setting below lists its ID (for non-interactive use), its options, and any notes about dependencies or when it can be changed. Settings your organization has locked show a managed by your organisation note and cannot be changed locally.
Preferred VPN Protocol — vpnprotocol
The protocol used for connections. Changing it reconnects the VPN. Always editable.
| Option | Non-interactive value | Notes |
|---|---|---|
| Automatic | automatic |
Lets the app pick the best protocol |
| NordLynx | nordlynx |
NordLayer's WireGuard®-based protocol; usually fastest |
| OpenVPN TCP | openvpn_tcp |
Reliable, useful on restrictive networks |
| OpenVPN UDP | openvpn_udp |
Faster than TCP in most cases |
Auto-connect — autoconnect
Automatically connects the VPN. It is made up of two independent options, and each value below toggles that option on or off.
| Option | Non-interactive value | Meaning |
|---|---|---|
| When app launches | onlaunch |
Connect as soon as the app/daemon starts |
| When using untrusted Wi-Fi | onwifi |
Connect whenever you join a Wi-Fi network that is not on your Trusted networks list |
| (disable both) | off |
Turn auto-connect off |
Always connect to — alwaysconnectto
The gateway that auto-connect should use. Only appears when Auto-connect is enabled.
- Nearest Gateway (default) — non-interactive value
"". - A specific private or shared gateway — non-interactive value is the gateway ID (see
nordlayer gateways).
Web Protection — webprotection
Blocks malware, ads, and other threats at the DNS level. Changing it reconnects the VPN.
- Options:
on/off.
Always On — alwayson
Keeps the VPN permanently on; the device stays protected and reconnects automatically.
- Options:
on/off. - Dependency: while Always On is enabled, the Kill switch is required and cannot be turned off (it shows a "required for Always On" note). If you need temporary internet access — for example, a captive portal — use
nordlayer alwaysonvpn(see below).
Kill switch — killswitch
Blocks all internet traffic if the VPN connection drops, preventing leaks.
- Options:
on/off. - Note: locked to
onwhile Always On is enabled.
Local network access — lanaccess
Allows access to devices on your local network (printers, NAS, etc.) while connected to a gateway. Changed from the interactive menu only — there is no set <id> <value> form.
- Options: Enabled / Disabled.
- Note: ineffective while the Kill switch is disabled. It may also be managed by your organization.
Cloud LAN device name — cloudlan
The name your device advertises on Cloud LAN. Only appears when Cloud LAN is configured for your organization.
- Options: a device name (must match the allowed-name pattern).
Trusted networks — trustednetworks
A list of Wi-Fi SSIDs that the "When using untrusted Wi-Fi" auto-connect option treats as safe. Managed with nordlayer settings networks (not the settings set menu) — see below.
Advanced settings
Shown only with --advanced (nordlayer settings get --advanced, nordlayer settings set --advanced):
Firewall mark — fwmark
The firewall mark (fwmark) the app applies to its traffic; for advanced networking/routing scenarios only. Changing it reconnects the VPN.
- Options: an integer between 1 and 1048575 (0xfffff).
Network access check — netaccesscheck
Toggles the app's network-reachability check.
- Options:
on/off.
Setting a VPN protocol — example
Choosing Preferred VPN Protocol interactively:
Available values for VPN Protocol
1: Automatic
2: NordLynx
3: OpenVPN TCP
4: OpenVPN UDP
Select [number]: 2
Managing trusted networks
nordlayer settings networks
Lets you add or remove the Wi-Fi SSIDs that count as "trusted" for the When using untrusted Wi-Fi auto-connect option.
Configuring two-factor authentication
nordlayer settings 2fa
Lets you set up or change your 2FA method — Authenticator app (recommended) or a Recovery code.
Always On and temporary internet access
When Always On is enabled, the VPN stays connected and the Kill switch keeps traffic protected. If you need to reach a captive portal (for example, to accept Wi-Fi terms at a hotel or airport), request temporary internet access with:
nordlayer alwaysonvpn # alias: a
Device Posture Security
nordlayer dps
Shows the current Device Posture Security status for your device (the checks your organization requires before allowing access).
Shell completion
Generate auto-completion scripts for your shell (bash, zsh, or fish):
nordlayer completion bash --output nordlayer.bash
Note: In case you have any questions or are experiencing any issues, please feel free to contact our 24/7 customer support team.