So much info about VPNs turn out to be ads, or resellers ratings.
The best thing is to ask here because the VPN that works best with Pure OS.
I have found that using built in free VPN from Anti-virus companies and browsers, get hung up on Google’s chamber of horrors/puzzles.
~s
Librem Tunnel?
I will not recommend a VPN, but I will relate my experiences.
The first company I used–I will not mention the name–had no Linux client. It relied on the native VPN support on Linux. It seemed rather ridiculous for it to advertise more than a hundred servers, but I could only use the handful I could, or was willing to, set up. (When I started I was also using that unnameable OS.)
I used ExpressVPN for a time. My subscription ran out just after it was acquired by Kane, so I did not renew. I was also continouly suspicious of its possible relationship to Google. When I first started, it used Google captchas, and I had to enable Google on my systems just to get to my account. It finally fixed that, possibly after my complaining. 
However, in the last inquiry I made to its Help(less) Desk before leaving, the very first instruction was to “Login to your Google account.” What?! To be fair, it used ZenDesk for support like most, but, in my opinion, ZenDesk still represented ExpressVPN in that context.
Look at the scripts when going to ExpressVPN’s websites-- and not just on the Home page.
I am now using ProtonVPN. The Linux client works fine on PureOS, except for one thing. Occasionally, the “Permanent Kill Switch” causes an issue where I have to disconnect the VPN via the command line, disable the “Permanent Kill Switch,” and then reenable everything. I have not debugged this problem, because it is infrequent. But, I do not see this on my Debian system at all.
Do your research. I thought I did well enough, but I still got burned. In any case, do not use a “free” VPN. As the adage goes, if it is free, you are the product. I think you have figured that out.
PS. Proton allows one to set up 2FA.
I use Librem Tunnel on my Librem Mini (running PureOS).
My daughter uses ProtonVPN, but that is on PopOS.
I have been using Mullvad and paying with Monero, and love it.
Another vote for mullvad. Pay with crypto.
I just found out that AirVPN added a new option (back in 2021! 
) to add various tracker/ad/etc (including within mobile apps) block-lists directly to your account so that when you connect any of your devices, it provides protection while still using AirVPN’s privacy-respecting DNS servers. That’s really cool.
It’ll come in handy when I absolutely have to use a browser that can’t use uBO or NoScript, or in the unlikely event that I need to use a “bad” Android app.
Another advantage: Will provide protection on Android when turning off Blokada in order to use the VPN slot for AirVPN.
I use Mullvad and protonvpn both are nice, and have their pros and cons. Overall I prefer mullvad though. the app is really nice and works well on the L5.
I’ve relied on ProtonVPN for all of my devices, it’s up there. It’s great I can use it through OpenVPN and use multiple vpn’s at the same time.
I still need to learn how to use DNS services since a VPN won’t protect you enough. Preferably through OpenVPN config files