Previously, I commented that I felt a warning should probably be added for users running Proton VPN on macOS. I think that point is still somewhat reasonable (maybe even for Linux as well, although Linux is a different discussion since systems there are extremely modular and users can harden things in many different ways).
However, I think we should also give attention to the following comment that was added earlier:
This is actually a very valuable contribution because it clarifies a lot of the context behind what we have been discussing.
If I understand it correctly, the situation roughly looks like this:
ProtonVPN’s stance:
“We follow Apple’s official networking frameworks because that is the supported and future-proof path, even if the APIs are sometimes less flexible. This may lead to limitations in how certain features (like a strict kill switch) can be implemented on macOS.”
Mullvad / IVPN’s stance:
“We are not fully comfortable relying on Apple’s framework for a guaranteed leak-proof kill switch, so we use the lower-level pf firewall to enforce stricter guarantees, even though this approach is not officially supported by Apple.”
This discussion changed my perspective a bit. Initially, I thought ProtonVPN was the problem because it was the only one of the three not promoting the stronger kill switch approach. But after understanding what is required to achieve that behavior on macOS, the situation seems more nuanced.
Seen from that perspective, ProtonVPN may actually be somewhat penalized for following Apple’s current guidance. That makes me wonder: should ProtonVPN really be removed from the recommendations for playing by Apple’s rules?
At least from where I stand now, and not taking sides, this looks less like a ProtonVPN issue and more like a limitation (or design choice) in Apple’s networking model.
Am I missing something?
<mod edit: removed off-topic section, DM’d details>