VPNs, NextDNS, and Security on macOS

I have asked the staff at Windscribe, and they say that it is impossible to run a VPN without root, because it needs root to create an interface for the VPN.

IVPN does run as root unfortunately. I did test it, and the servers also seemed to be pretty slow for me unfortunately. But custom DoH did work perfectly.

Thanks for asking them. It’s definitely possible without root, since, for instance, ProtonVPN runs not only without root, but also fully sandboxed, and works perfectly.

What you want isn’t possible without doing it yourself.

For a VPN app to have an effective firewall/killswitch on Mac, it needs to run as root because pfctl requires sudo.

The network extension API property available to sandboxed VPN apps, includeAllNetworks, is not a true firewall/killswitch because it leaks.

You can see that Apple says it only sends most traffic over the tunnel:

What you can do is use a sandboxed VPN app (the official WireGuard client or Passepartout should do the trick) and configure pfctl manually or with Murus.
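As an added illustration of the manual pfctl approach described above (not code from the thread or any of the apps mentioned), the script below generates a fail-closed pf ruleset that only lets the WireGuard handshake leave on the physical interface and forces everything else through the tunnel, plus a small check that the ruleset really blocks by default. The interface names, endpoint address and port are constructed placeholders; the ruleset is loaded with `sudo pfctl -ef <file>`, so root is needed for pf itself, but not for the sandboxed VPN app.

```shell
#!/bin/sh
# Added example: build a pf kill-switch ruleset for macOS.
# Assumed (constructed) values: physical interface en0, tunnel interface utun3,
# WireGuard endpoint 203.0.113.10 on UDP 51820.

gen_killswitch_rules() {
  # $1 = physical interface, $2 = tunnel interface, $3 = endpoint IP, $4 = endpoint UDP port
  phys="$1"; tun="$2"; ep="$3"; port="$4"
  cat <<EOF
set block-policy drop
set skip on lo0
# fail closed: nothing passes unless a rule below allows it
block all
# DHCP on the physical link so the machine can still obtain an address
pass out quick on $phys proto udp from any port 68 to any port 67
# only the WireGuard transport to the VPN endpoint may leave on the physical link
pass out quick on $phys proto udp from any to $ep port $port keep state
# everything else must go through the tunnel
pass out quick on $tun all keep state
EOF
}

check_fail_closed() {
  # $1 = ruleset text; succeed only if it blocks by default and
  # every pass rule is bound to an interface (no interface-less "pass out all")
  printf '%s\n' "$1" | grep -q '^block all$' || return 1
  if printf '%s\n' "$1" | grep '^pass' | grep -qv ' on '; then
    return 1
  fi
  return 0
}

# Demo: print the ruleset (redirect to a file and load it with sudo pfctl -ef FILE)
rules="$(gen_killswitch_rules en0 utun3 203.0.113.10 51820)"
check_fail_closed "$rules" && printf '%s\n' "$rules"
```

After loading, `sudo pfctl -sr` shows the active rules and `sudo pfctl -d` disables pf again if the tunnel is down and you need plain connectivity back.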

How did the setup with NextDNS work for you? I’ve been having DNS setting issues with my Mac, and am looking for a good privacy oriented option for DNS together with ProtonVPN as well.

Once you made an account you can create a configuration profile here: https://apple.nextdns.io/

This is the cleanest way to do it on the Mac, no software/extensions needed.

I’ve been pretty happy with PiHole + Unbound and running a WireGuard config from Mullvad directly on my Unifi Dream Machine Pro. I even set up Tailscale so I can use my PiHole on the go on my S24 Ultra and my laptop; it runs beautifully. I have my upstream DNS server set to dns0.eu/zero.