Remove ProtonVPN

I’m a network engineer, and I’m writing this because almost nobody here knows what they are saying. Two facts:

Non-controversial fact: There is no such thing as a kill switch on iOS/macOS.

It does not work, it cannot work, not for Proton or any other VPN. The operating system network stack does not support it. Apple knows the bug (reported by Proton many years ago) but decides not to fix it. It's not the fault of the VPN providers, and it occurs when you connect/disconnect; there is no workaround.

Slightly controversial fact: There is no such thing as a kill switch on Linux.

I'm a Linux developer, and yes, you might get it working OK on some distros, but you won't make it work on all distros, not even most distros. There is no way to do it; there are just too many distros with their own network quirks and problems.

I have read many bad solutions proposed here. Let me give a good solution.

Do not remove Proton VPN or other VPNs. Do not separate services and clients. All will hit the two facts above.

Do put a general warning box in the VPN section saying that the kill switch is unreliable on iOS/macOS due to an Apple bug for ALL VPNs, and that on Linux you use the kill switch at your own risk depending on the distribution, and should always test it yourself first.

A last comment about Proton VPN, because I checked it before when I was in a country with censorship, just curious why it worked and other VPNs did not. Usually when you check a kill switch, you think you have a leak if you see non-VPN traffic while reconnecting. True for most VPNs, but not for Proton. Because Proton VPN is an anti-censorship VPN, it probes the network during reconnect, and makes the probe traffic look like non-VPN network activity to hide it.

It's not a leak, it's how they obfuscate traffic to their hidden servers to test the current network. I won't say more, so as not to make life easier for the censors :)

2 Likes

Have you actually read the thread? It doesn’t seem like it.

This is not true. There is no evidence that the issues related to Proton presented here are present with other VPN providers.

So? VPN providers have supported distros and unsupported distros. Just don’t use the unsupported distros if you’re worried about it.

I would like to see more evidence that Proton does a better job at obfuscation than Mullvad and iVPN because I have not heard this before. Regardless it’s unrelated to the leaks brought up here.

3 Likes

Many people are using Proton on Windows, Android, etc., so there is absolutely no sense in removing Proton just because the kill switch does not work on Intel-based Macs. There is now information about that on the page. If you need a kill switch (which you should), then just don't use it on Intel-based Macs, just like they say in that info!

Is that what this is about?

No. The Intel-based Mac issue is a separate issue.

Personally, I feel that kill switches are necessary; I'd not remove that criterion.

So far, the comments that I have read were about changing the criteria or removing Proton. I'm not sure, but I think there is a third way or another angle.

In the mobile browser section recommendations we have Brave and Cromite recommended for Android, and Safari for iOS. Maybe we could take that as an inspiration.

Proton can still be recommended to Windows and Linux users on PCs, but until they sort out this problem, a big warning removing them for macOS should be added. It is a big disappointment because they are the only one, of the three recommended, that still has port forwarding as a feature. Apologies for not mentioning or considering some other OS, like FreeBSD or OpenBSD.

Off topic, and it will probably sound opportunistic since this was closed many times on the grounds that there is no need for a fourth VPN recommendation, but IMHO, like Rtings did, we should also consider adding Windscribe.

3 Likes

I don't think it is off topic. Kill switches do not work the way the average person thinks they work. They will leak your IP at some point on almost all OSes when set up using the app provided by the VPN provider. For people with any threat model aside from surveillance capitalism, this means the way we currently talk about them on this site is dangerous. These issues are all related. There is no point in removing Proton because the kill switch doesn't work in scenario x without also adding the additional disclaimers.

1 Like

I have never seen anybody say so many wrong things with so much confidence; it is astonishing. Before accusing others of not reading, you must do your own research first. The Apple bug is well known, see this article: iOS VPNs have leaked traffic for years, researcher claims [Updated] - Ars Technica

Proton's specialization in anti-censorship and obfuscation is so famous that the American press wrote about it in the New York Times: https://www.nytimes.com/2022/12/06/technology/russia-internet-proton-vpn.html

As I wrote in my original post, obfuscation techniques can look like leaks, but they are not leaks. This is by design and is how obfuscation works.

1 Like

Please read the first post I made above, where I explain the problem and also propose a solution. It is not a Proton VPN problem; it is a well-known problem that impacts all VPNs on macOS. What some people are calling a leak is not a real leak; it is how Proton's anti-censorship techniques work.

Honestly, I'm not a macOS user, so I can't test; the only thing I can do is rely on others, since I care about those around me who use it.

My comment was based on the initial understanding that the problem only affected Proton VPN on macOS. If what you are saying is proved to be true, then it changes the discussion significantly.

iOS ≠ macOS.

This is not evidence of Proton's superiority over Mullvad/IVPN.

Again this has nothing to do with the leaks as characterized by the original post.

Still seems pretty clear to me that you have not read this thread and do not understand the issues at hand.

3 Likes

This is why I feel I need to say something, because I do not believe there are other network software engineers in this discussion. I know a network engineer at Apple, and he confirmed to me that they have an open ticket for this, and confirmed that it still impacts all VPNs, even their own.

I think this thread should be locked; there are many people saying untrue things who have no idea what they are talking about, and this is dangerous. Many people who do not understand saying something is true does not mean it is true.

You asked me for evidence, which I provided, but in response you make claims yourself without evidence, so I now ask you to submit your evidence. What evidence do you have to support this claim?

My evidence is that I took a packet capture directly off the network adapter of my MacBook Pro, and I can see the requests pretending not to be VPN traffic (so it looks like a leak), but I know they are actually initiated by Proton VPN because I have firewalled off all other processes running on the device. This means it is actually Proton VPN trying to reach their hidden servers, APIs, and/or network probes. The connection process is also completely different depending on how I try to "censor" my own network.

What actual technical research have you done into this to be the basis of your claim?

1 Like

I appreciate your claim of being a network engineer, but it’s understandable that we might be skeptical about credentials shared under a pseudonym. Nevertheless, your points are worth discussing.

You’re right here, and I think it resolves the whole point of this thread: iOS and macOS do not support a fully reliable, leak‑proof kill‑switch for any VPN, including Proton VPN. The operating‑system network stack lacks an API that can guarantee all traffic is blocked when the VPN disconnects, so the kill‑switch cannot function perfectly. This limitation has been reported to Apple (including by Proton) but has not been addressed.

I haven’t tested this personally because I don’t use Apple devices, so my answer is based on reports from multiple users and security researchers.

They sometimes work, but they don’t behave the same way on every Linux distro or VPN client. In my own experience (Mullvad on Arch and Debian works fine, but I had issues with Proton in the past), you can’t just set it and forget it.

If you really want to be sure nothing leaks when the tunnel drops, add a few custom firewall rules (iptables, nftables, or whatever you prefer). That gives you a solid “no‑traffic‑without‑VPN” safety net that works regardless of the distro you’re using.

I agree with this suggestion. A warning about the limitations of kill switches on certain platforms and distros would be helpful for users. Yes, even though I don't like Proton for many reasons (political, usability, lack of Linux support, better options), it was the gate to my privacy journey, and I believe it is a good option for most people who want to avoid Big Tech.

Suggestion for Privacy Guides: Add a warning such as “Don’t put all your trust in the built‑in kill‑switch,” and link to a short tutorial on configuring those firewall rules on Linux.

Some useful links I found about Android leaks and macOS leaks on Mullvad’s blog:

Android leaks connectivity check traffic
DNS traffic can leak outside the VPN tunnel on Android
macOS sometimes leaks traffic after system updates

I want to point out that we already discussed issues with VPN on Linux here:

ProtonVPN IP Leakage on Linux and Workaround
Your VPN Kill Switch Won’t Stop All Leaks
Auto sleep + vpn (mullvad, not in lockdown mode) = leak?

1 Like
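The "custom firewall rules" suggested above, written out as an nftables ruleset. This is an added example for this thread, not code from Privacy Guides, Proton, Mullvad, IVPN, or the poster; the tunnel interface name (wg0), the VPN server addresses (203.0.113.x), the port (51820/udp), and the LAN prefix (192.168.1.0/24) are placeholder assumptions you must replace with your own values. The idea is the opposite of what most VPN apps do: instead of trying to notice the tunnel going down and then blocking, the default policy is drop, and only the tunnel interface and the handshake to the VPN server are ever allowed out, so a disconnect leaves nothing to leak through.

```nft
#!/usr/sbin/nft -f
# Added example: a "no traffic without the VPN" ruleset for Linux nftables.
# ASSUMED values, replace with your own:
#   wg0            - your tunnel interface (tun0 for OpenVPN clients)
#   203.0.113.10/11 - the VPN server IP(s) your client connects to (RFC 5737 doc range)
#   51820          - the VPN transport port (WireGuard default)
#   192.168.1.0/24 - your local network, only if you want LAN access while protected
define VPN_IF      = "wg0"
define VPN_SERVERS = { 203.0.113.10, 203.0.113.11 }
define VPN_PORT    = 51820
define LAN         = 192.168.1.0/24

# WARNING: 'flush ruleset' removes every nftables table on the host, including
# ones created by ufw/firewalld. Merge into your existing ruleset if you use those.
flush ruleset

table inet killswitch {
    chain output {
        # Default deny: anything not explicitly allowed below never leaves the host.
        type filter hook output priority 0; policy drop;

        oif "lo" accept                       # local processes talking to each other
        ct state established,related accept  # replies to flows that were allowed below

        oifname $VPN_IF accept                # everything inside the tunnel

        # The encrypted transport to the VPN server itself, over the physical NIC.
        # Any other destination (including DNS to the ISP resolver) is dropped.
        ip daddr $VPN_SERVERS udp dport $VPN_PORT accept

        # Keep the physical link usable: DHCPv4 lease renewal and IPv6 neighbour discovery.
        udp sport 68 udp dport 67 accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept

        # Optional LAN access (printer, NAS). Delete this line for a stricter policy.
        ip daddr $LAN accept

        # Everything else is logged (dmesg/journal) and dropped, so leaks are visible.
        log prefix "killswitch-drop: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname $VPN_IF accept                # inbound only via the tunnel (port forwarding)
        ip saddr $LAN accept                  # optional, matches the LAN line above
        udp sport 67 udp dport 68 accept      # DHCPv4 offers/acks
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
}
```

Load it with `sudo nft -f killswitch.nft` and confirm with `sudo nft list ruleset`. To test it the way the first post in this thread asks for: disconnect the VPN (or just `ip link set wg0 down`) and run `curl --max-time 5 https://example.org`; it must time out, and `journalctl -k | grep killswitch-drop` should show the dropped packets. Two caveats a practitioner will hit: if your VPN client resolves the server by hostname, the DNS lookup will itself be dropped, so either pin the server IPs in the set above or allow DNS only to the provider's resolver; and because IPv6 is covered by the `inet` table's drop policy, an IPv6-only path is blocked as well rather than quietly bypassing the tunnel. Remove the ruleset with `sudo nft delete table inet killswitch`.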

IVPN (Do you offer a kill switch or VPN firewall? - IVPN Help) says that

IVPN has implemented a secure and robust mechanism called the IVPN firewall. Once enabled the IVPN Firewall integrates deep into the operating system (using Microsoft’s own WFP API on Windows, pf on macOS, and iptables on Linux) and filters all network packets

Is that not sufficient? What are the downsides of using those APIs?

1 Like

The evidence is higher in the thread, where Proton essentially admits that even simple actions like switching VPN servers cause your true IP to leak to websites and services on macOS. If you have tested this yourself and found something different, I'm all ears, but the way you speak about this issue makes it sound like you do not understand the initial concern.

3 Likes

Daily logged-in site views/votes probably dismiss this opinion. Also, votes on this forum only represent a fraction of the people really visiting PG's website.

This is a slippery slope: one can say sandboxing also doesn't work the way the average person thinks it works, since there are escapes found all the time. Do you recommend Chrome and Firefox and Firejail stop using it?

To make it clear, if an OS provides or assists with a kill switch, the client must use it; otherwise, there's no client-side guarantee whatsoever that can be made in favour of "almost certainly" using public VPNs to "hide traffic from ISPs", like PG does today.

As for the OS "leaking" despite an activated kill switch… that's for the OS makers to fix, provided it fits their security model (i.e., what's reported as a "leak" is considered a leak by the OS developers).

I meant to say, the points you make fit another dedicated topic on this. Also, the points you’re making are all over the place (as in, imo, goal posts have shifted with each reply).


What a weird thing to say when it is clear PG is a community run website.

Wait till you find out how much of PG's knowledge base is authored and discussed by folks who probably don't have the appropriate technical credentials. Want to nuke all of it and call it a day?

That's something Apple should fix. And that bug specifically happens only when a VPN process doesn't start before other userspace processes do. The presence of OS bugs triggered in a specific scenario doesn't mean a feature is useless in all scenarios for userspace / under-privileged apps.

Not really. Lantern and Psiphon are what I'd call specialized anti-censorship public VPN/proxy providers. In fact, none of the public VPN providers PG recommends today specialize in anti-censorship the way those two do.

4 Likes

if an OS provides or assists with a killswitch, the client must use it; otherwise, there’s no client-side guarantee whatsoever that can be made in the favour of “almost certainly” using public VPNs to “hide traffic from ISPs”, like PG does today

The problem with this is whether you would state it the same way if there were known downsides with the OS's implementation of a kill switch, so in the long run I wouldn't want this to become a VPN category criterion at Privacy Guides.

off topic

Yeah, I don't really see the value of PG votes…

A tally of ‘Yeas’ is meaningless without a tally of ‘Nays’. Do 70% of voters support this, or 0.7%???

I just ignore vote tallies altogether and assess the merits of the discussion independently.

1 Like

This only indicates Proton is honest; it does not indicate it is a Proton-specific issue.

Proton knows that Apple kill switch implementations are broken due to technical limitations on the Apple side, because they were the ones who discovered and reported the bug. Therefore, they correctly pointed out that you cannot get the same robust level of kill switch as on Windows. Just because other VPNs do not admit this does not mean they are not impacted by the same issue. We just need to wait for Apple to fix it.

1 Like