VPNs on iOS are a scam (opens in new tab)

I think Apple is transparent about Always on VPN (blocking traffic except over the tunnel) requiring provisioning using MDM tools. Apple Configurator is free and allows anyone to set this up.

Any other VPN is just best effort.

https://support.apple.com/guide/deployment/vpn-overview-depa...

I don’t care for VPNs but I do want an adblocker. What are my options aside from using a public pihole dns or a vpn to a private dns server?

It's also worth pointing out that tethered/hotspot data shared to the iPhone with a VPN enabled at the iPhone level will not travel through the VPN, but will rather leak your phone's IP: https://apple.stackexchange.com/questions/266871/is-there-a-...

I remember recently using Cloudflare Warp and using one of those webpages that tell you your IP address and it showed my real IP address. It was a bit weird.

Title should be: "VPNs on iOS are a scam", but a less sensationalist title might be: "VPNs on iOS leak traffic".

This should trend to the top of HN. Apple bills themselves as a privacy-centric company. I hope they clean this up asap.

"Data is leaving my iPad and not traveling through the VPN tunnel."

It is is interesting how the iPad purchaser refers to "my iPad". He owns the computer. But how much control does he have over it. He runs an OS controlled by a HW manufacturer turned trillion dollar tracking and data collection company. (Apple computers are extremely chatty on any network and phone home 24/7. Apple is fervent about its need to collect and store data from purchasers.^1) As such, he cannot find the problem in the iOS source code, remove the phone home "features", re-compile and reinstall it. The best he can do is complain to the internet.

I have owned various Apple computers over the years, including an iPad. However I never used any Apple computer with an Apple OS for internet use.^1 I only connect them to the LAN. I just think there are better OS, namely ones I can edit, to use for internet-facing computers. For internet usage, I like OS where I can control the routing table. Since I started keeping these computers running "consumer OS" off the internet in the 2000s, the internet has become a vector for pervasive surveillance. I treat computers running Windows the same way. No direct internet access.

In the 1990s/2000s I can recall the "experts" advising against leaving computers connected to the internet when not in use. Today, "tech" companies try to compel people to leave their computers connected 24/7. Not to mention "experts" who believe this is justified because "automatic updates". Granting 24h remote access to unknown people to install software on computers that do not belong to them. Some people call this a "botnet". I do not care for broken software that continually needs fixing. But as the author alludes to when he quotes Steve Gibson, iOS is never broken, it just has not been fixed yet.

1. Today's Apple computers require some connection in the beginning to "sign-up", "register", download "approved" software, etc.

2. Apple computers owned by employers excluded. Also excluded are older Apple computers on which I ran NetBSD.

Airplane Mode used to be a true “all wireless disabled” mode, but Apple have relaxed it a bit over time, possibly because it's so frequently used and there are so many services provided by WiFi and Bluetooth now that aren't related to the Internet (e.g. connecting to AirPods or an Apple Watch). They also relaxed what turning off WiFi and Bluetooth in the Control Center (separately from Airplane Mode) do, so that things like AirDrop still work. But I think the options in the Settings app are still meant to truly turn off wireless, rather than just mostly?

Also: if Settings says you're connected to a WiFi network, but you don't see a WiFi icon at the top of the screen, I think that means there's no working Internet connection.

I was developing VPN client for one of the popular VPN provider in the past for iOS and the solution was quite simple - enable on-demand VPN for 0.0.0.0/0

In this case, iOS will always wait until connection to VPN is established before sending any packets out.

Without on-demand, VPN may leak.

If I remember correctly, leaks occurred mostly after waking from sleep but before the tunnel had chance to be set up. Or in similar situations. Anyway, on-demand option solved all of them.

I think that the value of this article is perfectly summarized by the sentence “Not sure what SYN is.”

I wonder if the author tried using an On Demand VPN rule for the default route. That's always what I've done when setting this stuff up. Correct me if I'm wrong, but you don't need a device management profile to enable an on-demand VPN for all traffic. Then, reboot your phone and all application traffic, or traffic that isn't something system (APNS) or management/link-local (dhcp, mdns, etc.) will use the tunnel.

Device-level VPNs are very useful for bypassing geographic restrictions, but I wouldn’t rely on them for hiding traffic from ISPs, unless you are in control of 100% of what your device does.

Would be nice if someone who actually knows what he’s doing looked into this. This guy might be on to something or he might be creating a whole lot of drama about nothing.

Is Android better in this regard?

There's lots of reasons to use a VPN besides 'privacy'.

The vast majority of people use them for IP spoofing.

I think the analysis has some good points, but the author is lacking a bit of networking skills, so I’m not sure how trustworthy this can be. Two yellow flags:

* vpn gateway address can be different from public vpn exit address. What is the surprising part?

* I don’t know what pings your “uncloaked” public ip address, but still, when using a vpn, you’re using your own ip address to connect to the gateway. So, there’s no real leak - it would be a leak if some packets went _through the vpn_ to 99.99.99.99, because an observer could spot the strange ip and determine it’s the uncloaked source address.

Anyway: who can tell what an iphone or ipad can do? You probably have an associated apple account, et cetera. If you trust such a device for total anonymity, you’re doing it wrong from the start. Pick a Linux laptop for that.

This how routing behavior has been on Mac OS for about 15 years now.

Mac OS route selection always takes into account the source address of the IP packet in addition to the routes in the routing table.

If a socket binds to a particular address, the Mac OS kernel will choose routes associated with the interface that address is on and ignore the others.

If only you could easily print out the routing table and/or modify it so you could direct the traffic exactly where you want it (i.e. stuff it all through the VPN tunnel)...

...and that's when you realise that trying to configure a device to which you do not actually have full control of is a futile endeavour.

As such, in agreement with many of the others here, I don't consider this much of a bug nor a "scam". It's merely an effect of what VPNs are (an additional network interface) and how routing works, combined with a device whose manufacturer deliberately does not want to put users in full control of the routing table.

VPNs in general are a scam.

To be clear, I mean the big VPNs that advertise themselves as helping with privacy are actually a scam.

There are obviously some situations and use-cases where using a VPN makes sense (e.g. geo-shifting), but as a general solution for privacy on the internet they make no sense.

Can someone clarify this better than the author?

Trying to read through the whole thing, I can't tell if if this is claiming:

a) When a VPN is activated, pre-existing connections will continue communicating outside the VPN, but all new connections happen via the VPN

b) Apple services like the app store and/or certain other apps leak outside the VPN because of a) more than you would expect

c) Apple services like the app store and/or certain other apps leak outside the VPN for other reasons totally unrelated to a)

The author's tl;dr just says "data leaks" but I really just can't follow what that actually means.

It seems like a) is not entirely unexpected or necessarily a problem -- you probably turn on a VPN before initiating activities/apps you want routed through the VPN, so not usually problematic? But b) means it might be more serious than that, while c) would be even scarier?

I'm on a VPN... and can't read that article.

Technically imperfect and “a scam” are very different things

The article is really good and informative, but that title man.. I almost didn't click and read it because of it

mac/iOS still needs to do subnet local stuff like renew the DHCP lease and discover other link-local devices using mDNS/Bonjour. The system also periodically makes sure interfaces are “up” so it can seamlessly route traffic between cell and wifi. I would not assume that the presence of traffic where DST != VPN tunnel endpoint means that application traffic is leaking over the VPN. I only skimmed the article so someone correct me if there was a case of that observed. The “bug” where existing connections aren't terminated when you bring a VPN up sounds annoying but I can also see why the system wouldn't force terminate existing connections. The connection to the router’s public IP sounds like a hairpin. I also wouldn't be surprised if user-space VPN is outside of the scope of the APNS connection that the system maintains through sleep states.

Most of what you see is probably Apple bypassing all VPNs to talk to their own servers.

There are more serious problems though, with any app being able to bypass VPN simply by prohibiting Wi-Fi interface and iOS gladly letting all traffic via LTE, unfiltered. That's been described in https://blog.disconnect.me/ios-vpn-leak-advisory/.

It's well known and pretty sad that these issues go unaddressed for years. VPN developers have little power to change that given that VPN apps run in a walled garden of Apple in a sandboxed environment. Hence the the best effort at this point with a hope that this can addressed in the coming updates.

It would be great if more of these pop up on Apple forums and Apple Feedback with people demanding improvements on transparency and privacy from the company.

So far reading your blog post looks like a recollection of what's been going on.

I really wanna throw an analogy of a bear waking up from hibernation. This is not sensational and just reiterates what's been said before you, yet the title throws a shadow at VPNs just to sound like it.

Does the property "includeAllNetworks" [1] provided by Apple's VPN API not work, or do all VPNs currently rely on the default value (false)?

[1] https://developer.apple.com/documentation/networkextension/n...

Agreed with most comments here, the implementation is leaky as heck. It’s a ‘best efforts’ VPN service at best and you can tell this especially when in a mall and there’s a walled garden in place. I use iVPN and regularly have to disable wireguard to pass the walled garden to then also regenerate a certificate. Enabling VPN through the iVPN app is hit and miss, likely because Apple have decided to do their own thing and implement ‘Private relay’ instead.

Yeh… Apple, Five Eyes, Privacy is all pretty much an illusion when you have this many devices in this many pockets. Whatever it is, vpn’s or end to end encryption, it’s all really only as secure as the touch screen controller telemetry logs.

Not to be pedantic, but UDP is connectionless.

Also, regarding the UDP datagrams seen after the IKE exchange, maybe relayed to NAT-T?

https://en.wikipedia.org/wiki/NAT_traversal#IPsec

I use VPNs to access region-restricted content (mostly to pretend I’m in the USA) and not for the privacy aspects, so VPNs aren’t really a ‘scam’.

Modern oses/devices are so complex and out of specs nowdays that my only solution is to use a vpned gateway, router, access point.

The real lesson is here:

> I am not a fan of making a VPN connection on your only router, but suggest having a second router dedicated to VPN connections. When you need a VPN, connect to the second router (Wi-Fi or Ethernet), when you don't need a VPN, connect to your main router.

Aka, don't use a device with two network sockets if it is critically important to avoid using one of them.

...and then there is the Apple Watch which doesn't support VPN's as far as i know.

So, when apps can communicate from iPhone->Watch, even with a perfectly functioning VPN on the iPhone your public IP can leak via the Watch (if the app is also installed on the Watch.)

The author put together "A Defensive Computing Checklist"

Site: https://defensivecomputingchecklist.com/

Discussion: https://news.ycombinator.com/item?id=32490866

Need to give the article author a lot of slack! If you are here, please read some more about networking :-).

Networking is dynamic it takes many sequential steps to configure. There is no ZAP, it is done. I don't know of an OS that locks out "user programs" until configuration is complete. Yeah, since networking is dynamic that could never work -- "user programs" would be locked out forever!

At the start of the First Test there are packets going to non-tunnel locations at the same time the VPN is being set up, not a surprise. Packet ordering / routing at this time granularity is also not surprising.

Need to take a moment to review the "drop everything" when a VPN is up standpoint. OS Networking stacks don't really understand what a VPN is, it is just an endpoint to route packets. A TCP connection has internal state that is bound to the addresses that were used when it was set up - which is tied to the state of the routing table. A new point-to-point endpoint, like a VPN would invalidate that state. Most (many?) TCP/IP stacks keep a cache of the initial route on the socket. As long as that is still valid (or updated), that is where the packets go. Killing TCP connections for every (temporary) network flap would make a lot more people MAD.

The "DNS" to NextDNS with DoH connection is interesting. This 100% isn't coming from iOS itself. It doesn't support it. So it must be coming from an App. But what app and how? There is a NextDNS app which up front claims "Encrypt all DNS queries on all networks with the official NextDNS app for iOS". The author does appear to have configured the router to use NextDNS, perhaps they also have that App installed as well and it is also hijacking networking to do DNS? A dunno.

The "flood stuff" is interesting, but I think it might just be an attempt to perform STUN to make sure UPD traffic can be transported - to Apple endpoints. I think "second test" is the same thing happening again.

So what is left is the traffic being sent to apple endpoints. Now I wonder how the VPNs the author is using are implemented. The Big Sur VPN brouhaha was because apps were trying to implement a VPN using NEFilterDataProvider instead of a "tun" interface and routing. I wonder if this is just the same issue but on iOS.

Not related, but I do wonder what these VPN services offer in terms of "Firewall" protection or if when you use them ALL ports are forwarded to your device. This would make all of their endpoints a "great target" for continuous scanning for getting inside a network if the VPN user had something misconfigured, like say an experimental Apache, Nginx, PHP, Rails, Django, MySQL project. Doh. Methinks I should spend some currency and experiment. Sadly black-hats are probably already doing this.

The iPhone was never made to be truly secure, so this is to be expected I suppose.