The discussion surrounding Remove ProtonVPN - #332 by ph00lt0 is so random and all over the place, that I am not even going to attempt to sort it out and try to move some posts over here. See:
I think the main question is: Should we require providers to use hacky workarounds like pfctl filters on macOS instead of standard tools the OS provides?
It feels like the answer is probably no, but if anyone wants to continue this discussion then this is a fine place to do so.
Another source with these conclusions earlier was here Remove ProtonVPN - #204 by 6sxbi
Previously, I commented that I felt a warning should probably be added for users running Proton VPN on macOS. I think that point is still somewhat reasonable (maybe even for Linux as well, although Linux is a different discussion since systems there are extremely modular and users can harden things in many different ways).
However, I think we should also give attention to the following comment that was added earlier:
This is actually a very valuable contribution because it clarifies a lot of the context behind what we have been discussing.
If I understand it correctly, the situation roughly looks like this:
ProtonVPNās stance:
āWe follow Appleās official networking frameworks because that is the supported and future-proof path, even if the APIs are sometimes less flexible. This may lead to limitations in how certain features (like a strict kill switch) can be implemented on macOS.ā
Mullvad / IVPNās stance:
āWe are not fully comfortable relying on Appleās framework for a guaranteed leak-proof kill switch, so we use the lower-level pf firewall to enforce stricter guarantees, even though this approach is not officially supported by Apple.ā
This discussion changed my perspective a bit. Initially, I thought ProtonVPN was the problem because it was the only one of the three not promoting the stronger kill switch approach. But after understanding what is required to achieve that behavior on macOS, the situation seems more nuanced.
Seen from that perspective, ProtonVPN may actually be somewhat penalized for following Appleās current guidance. That makes me wonder: should ProtonVPN really be removed from the recommendations for playing by Appleās rules?
At least from where I stand now, and not taking sides, this looks less like a ProtonVPN issue and more like a limitation (or design choice) in Appleās networking model.
Am I missing something?
<mod edit: removed off-topic section, DMād details>
I am glad it changed your perspective. You understand it correctly here.
What prompted you to say that a system firewall is a āhacky workaroundsā? This is a kernel subsystem and how people are doing packet filtering since as long as I know. macOS is not unique here and Network Extensions are a no way a replacement for a firewall as they suit different use cases.
Given how this thread is being started from a false premise, I donāt see this is going to achieve what itās supposed to achieve.
Trust me bro is not a source, and claims from this post were already refuted in the thread.
I understand this is a language issue. But source has a different meaning in this sentence. I find this one a bit funny so donāt worry.
Because you have to hack together a solution with unsupported features instead of a well-defined API, using pfctl in a consumer application is by definition a hacky workaround. Itās not a judgemental statement, it just is what it is when Apple says:
Do not use Packet Filter in a software product that you distribute to a wide audience.
The question in this thread is whether products should use Packet Filter anyways, regardless of Appleās advice, which I think is what youāre arguing, so I donāt understand why youād think thereās a false premise here.
I might recommend an alternative solution: explicitly recommend against Apple systems on the OS recommendation page, for threat models that include network surveillance
Proton is a symptom, not the cause: Apple does not support robust network proxies for privacy / anonymity:
Question I am trying to answer: is this issue specific to VPN clients? What about other proxies, like Tor?
I would imagine TorVPN would suffer from this issue. This is typically why youād want to use Tor Browser for browsing Tor, which can better control the network stack it uses internally, instead of offloading all networking to the OS.
I think I agree but I might instead place a warning about macOS on the VPN Overview page. I am not sure if there are any known issues of using Tor Browser on macOS, besides just the generic Tor Browser issues that Whonix solves, so there are some network surveillance use-cases where macOS would be good enough.
PF is well supported on macOS. Apple may have a lot of reasons to say what they are saying but this is not necessarily relevant to what VPN clients want to do. Not to sound rude but please do some research before claiming something.
If you read the links mostly @dngray posted you would have seen that apple is actively advertising that developers must move away from pf because they seem to want to remove support for it.
Once again, that is exactly what this thread is about. Since I think this is well established by both of us, letās move on.
Iām unsure this claim can be backed up by those docs tbh
Not really. I read that link and posted a reply in the original thread: Remove ProtonVPN - #337 by privacycarrot
If youāre currently shipping a product based on PF, plan to migrate it to a supported API.
Iām extremely unsure why you are 
confused reaction still, but anyways yes I agree with you lol
Generally, same page
If this packet filter / network extension issue impacts network proxies beyond commercial VPNs, such as Tor routing,
then I feel a warning on the VPN page is insufficient, and a warning needs to be placed at the OS level,
else your VPN-level warning addresses all issues
Im digging through the specs for Apple Tor proxy tools, probably wonāt have the time to find a conclusive answer tn, maybe some wayward network enthusiast picks up the torch & runs with it
Sorry, a misunderstanding on my part
I do think it still remains a valid question here whether we should say VPN clients should always use PF on macOS, even if Apple isnāt going to remove PF. Especially because, as you also noteā¦
ā¦such a requirement would mean we could never recommend a VPN distributed on the App Store. Iām not sure that makes sense for us.
I donāt get why this is no longer a technical issue?
From Appleās documentation, it seems that includeAllNetworks flag will prevent the traffic leak scenario on exit server changes that Proton is hitting on macOS?
Even then, it isnāt clear why Protonās macOS app should leak on exit server changes at all, without includeAllNetworks flag set. If Protonās using WireGuardā¦ nothing about the official implementation strikes me as requiring recreating the VPN tunnel (which is where I presume the leak comes from) on exit server changes.
(ā¦ with the caveat that Iām not an experienced iOS developer) It seems like enforceRoutes is another ākillswitchā like API that may work.
Iām aware of Mullvadās blog post that claims that the includeAllNetworks flag results in permanent connectivity loss on iOS when the VPN app that sets the flag is killed by the platformās app -updater.
I remain a little confused about this, because Proton is using includeAllNetworks (unlike Mullvad?) but we still see this behavior.
I also agree with this being possible, and have been meaning to test the actual WireGuard client to see if it has the same issue switching between servers.