While looking through the help pages of Mullvad VPN and ProtonVPN, I read that due to various reasons, such as the operating systems macOS, i(Pad)OS, Android, etc. and their limitations, the built-in kill switch functions of the VPN clients and the operating system do not completely block traffic leaks during reboots, system updates, upgrades, etc.
Traffic related to many macOS services and applications can leak out, while other third party applications should be set not to auto start after a reboot, and those applications should be used after the VPN client is active.
I was able to personally test that some services leak traffic when first connecting to the wireless network, even with Android’s always-on VPN and “block connections without VPN” settings enabled. There is a guide on how to configure the connection check, but I suspect that the number of users who will deal with this will be very limited. Also, as reported in this forum last year, DNS traffic can leak out of the tunnel on Android.
As I understand it, Windows is one of the operating systems on which the kill switch function works most effectively if a local user account is set up, the other being Linux.
Perhaps it would be useful for visitors to add a cautionary statement on the recommendations page about which operating systems the kill switch functions of the VPN clients may not provide complete protection on, and that the internet traffic of some operating system services and applications may leak outside the tunnel.
@jordan : a video idea as an update to your VPN one? People should know about the best way to go about VPNs even after they choose the right one. For example, you can share and show that the best way to set it up on Linux is via the terminal with WireGuard, with the config file where you can add just a couple of lines to enable the kill switch before placing it in the WireGuard folder in your /etc directory.
Also, the reason I say you should show that for Linux is because people don’t talk about it much. The more people see the Linux desktop being used and shown online in their DIY or tutorial videos, the more likely they are going to want to use or try it if they’re at all on the edge.
Also, this update could go perfectly with your upcoming Secureblue review. Anyways, thought I’d add why I want it.
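A wg-quick config with the kill-switch lines referred to above, as an added example that is not part of the original post; the keys, tunnel addresses and endpoint are placeholders, and the rules assume iptables/ip6tables are installed.

```ini
# /etc/wireguard/wg0.conf (added example; keys, addresses and endpoint are placeholders)
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.64.0.2/32
DNS = 10.64.0.1
# Kill switch: once the tunnel is up, reject every outbound packet that is not
# leaving via the wg0 interface (%i) and does not carry WireGuard's own fwmark,
# i.e. the mark wg-quick puts on the encrypted UDP packets to the endpoint.
# Destinations with a LOCAL address type are exempt so loopback keeps working.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
# Remove the same rules again before the tunnel is torn down.
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
# Route all IPv4 and IPv6 traffic into the tunnel; with a default route in
# AllowedIPs, wg-quick installs the policy routing and fwmark the rules above rely on.
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <SERVER_HOST>:51820
```

Bring it up with `wg-quick up wg0` and verify with `iptables -S OUTPUT` that the REJECT rule is present while the tunnel is active. The rules only exist while the interface does, so the boot window discussed in the thread is covered only if the tunnel is started early, for example by enabling `wg-quick@wg0.service`.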
If the encrypted tunnel is established to prevent any leaks before the OS even connects to the internet, and before even any of the GUI loads, why and how is what I said necessarily inferior?
I personally do agree; I try to avoid the clients themselves and use WireGuard configurations instead. Less software is better in my opinion, especially if it’s an Electron app.
Depending on the final cut for the review, there might also be a section in there about VPN clients. secureblue does have a cool CLI integration that allows for easily installing VPN clients.
I appreciate you sharing your thoughts on future videos; I’ll make a note of your suggestion. Currently we also have a video about browser fingerprinting in production, so that will most likely be the next video. There might be an opportunity to revisit VPNs in a future video though!
Sounds good. Yeah, I just wanted to let you know. It could be nice value-added practical info for people who are learning to become more tech savvy, especially with Linux.
Regarding the vulnerability of i(Pad)OS, this statement was added 8 months ago.
Mullvad pointed out that this is an issue with no solution, but also mentioned a few issues that have solutions, such as enabling airplane mode or disabling cellular data.
Vulnerabilities
The following potential privacy issues exist in Apple’s iOS and iPadOS.
Traffic to Apple services can bypass the VPN tunnel. This includes iCloud, Maps, Siri and notifications.
Solution: None. Apple does not make it possible to send this traffic through a VPN.
Connections that were established before you connected to Mullvad can bypass the VPN tunnel.
Solution: Connect to Mullvad, enable Airplane mode, turn off Wi-Fi if it’s on, then disable Airplane Mode.
Apps on the device can be designed to bypass the VPN tunnel by routing traffic over cellular/mobile data.
Solution: Disable cellular/mobile data when you use Wi-Fi.
A malicious Wi-Fi network can instruct the device to send Internet traffic outside of the VPN tunnel. This is known as the TunnelCrack LocalNet attack.
Solution: None.
Linux seems to have a vulnerability that is less known than the others. So, it might be better to talk about vulnerabilities in other operating systems. Also, there’s already a network namespace solution for the WireGuard protocol and Linux, and it’s shared on the official site.