I will not recommend a VPN, but I will relate my experiences.
The first company I used–I will not mention the name–had no Linux client. It relied on the native VPN support on Linux. It seemed rather ridiculous for it to advertise more than a hundred servers, but I could only use the handful I could, or was willing to, set up. (When I started I was also using that unnameable OS.)
I used ExpressVPN for a time. My subscription ran out just after it was acquired by Kane, so I did not renew. I was also continuously suspicious of its possible relationship to Google. When I first started, it used Google captchas, and I had to enable Google on my systems just to get to my account. It finally fixed that, possibly after my complaining. However, in the last inquiry I made to its Help(less) Desk before leaving, the very first instruction was to “Login to your Google account.” What?! To be fair, it used ZenDesk for support like most, but, in my opinion, ZenDesk still represented ExpressVPN in that context.
Look at the scripts when going to ExpressVPN’s websites, and not just on the Home page.
I am now using ProtonVPN. The Linux client works fine on PureOS, except for one thing. Occasionally, the “Permanent Kill Switch” causes an issue where I have to disconnect the VPN via the command line, disable the “Permanent Kill Switch,” and then reenable everything. I have not debugged this problem, because it is infrequent. But I do not see this on my Debian system at all.
Do your research. I thought I did well enough, but I still got burned. In any case, do not use a “free” VPN. As the adage goes, if it is free, you are the product. I think you have figured that out.
PS. Proton allows one to set up 2FA.