This is a misleading statement. NetworkExtension docs do mention that for VPNs using includeAllNetworks (a form of a ‘killswitch’) will prevent traffic from bypassing the VPN for advertised routes, for example, when apps may “scope” their traffic to a particular network interface.
If programs can bypass a VPN tunnel by merely binding to a specific interface, then that’s a leak, and definitely a ‘killswitch’ that’s horribly broken.
I linked to @xe3 reply for that reason. And there’s 2 or 3 other TLDRs similar to xe3’s.
Also see:
Btw, I encourage the mods to remove spam, and ‘the team’, who retain the ultimate responsibility for the content, read the thread if they want to arrive at an informed conclusion.
Agree. This is the thread where the community has been having that discussion: Mention kill switch leaks caused by OS limitations
I am of the same opinion, btw. I find this refreshing coming from a “team member”. PG should consider posting this on its VPN pages.
What I meant to say was, one doesn’t need a VM to accomplish this. Up thread, @lyricism pointed this out, if you’d care enough to read the replies.
OS’ killswitch limitations must be addressed by OS developers. VPN client’s limitations must be addressed by the client developers:
- Some OSes (ex: Android, iOS/macOS) require VPN clients to be compatible with their (OS-provided) killswitch.
- If there are leaks, the OS developers are on the hook to fix these.
- Some OSes (ex: Linux-based, macOS) provide mechanisms to setup (OS-assisted) killswitch which the VPN clients may use (these may require privileged APIs).
- If there are leaks, the client developers may be need to use different APIs.
Only if there ever was a slippery slope not this slippery…
Believe those “P2P” VPN servers exist in a separate pool plagued with bad IP reputation, no?
Why do you say so? The earliest mention of this thread on r/privacy I see is 3 days ago?
(funny that mods who admit they can’t be bothered to read the thread can reply immediately while those who have the context have to wait for 3h).
I’m sorry but this reply reeks of total disrespect to folks who have been making the effort and taking the time to contribute here.
Wrong question. There’s folks here who care about PG and would be more than happy to volunteer as team members or mods. How these folks get appointed or elected isn’t clear, however.
Think the expectation is, if there’s substantial discussion, the team weighs in more proactively. Especially when the team is very eager to make claims like…
Some of us do.
- On Android, "OS files are left unencrypted" · Issue #3179 · privacyguides/privacyguides.org · GitHub (open since Dec 2025)
- style: encrypted DNS prevents manipulation not spoofing by ignoramous · Pull Request #3166 · privacyguides/privacyguides.org · GitHub (open since Nov 2025)
- docs/os: AVB does not prevent evil maid by ignoramous · Pull Request #3183 · privacyguides/privacyguides.org · GitHub (closed because … “think with the input of GOS I’m going to go ahead and close this” with zero proof for that justification @fria made
)
What’s the SLA, if any? It takes time and effort from volunteers, too, to engage with the team.
This is an astonishing statement. Though, I have seen this movie before with NextDNS.
Hear back from them?
And, just who does PG prioritise building credibility with? Its readers or the corps?
No.