VPNs on iOS

So you’ve got an iPhone or iPad and just signed up for a commercial VPN service. You head over to the App Store to download your provider’s client app. You sign in and connect to a VPN server. Now your traffic is secure and private, right? Kind of…

It turns out that VPNs on iOS don’t offer a “good seal,” to use an expression. In other words, even when your VPN client is connected, some traffic on your iOS device bypasses the VPN. What’s worse, this has been happening since the days of iOS 13. And worse yet, Apple states that some of these leaks are “by design.” Yikes.

There are three distinct issues affecting VPNs on iOS. They are:

  1. Network connections that were active before turning the VPN on may not close and remain outside of the VPN.
  2. Third-party applications may obtain the actual IP address of your mobile network and bypass the VPN.
  3. Apple traffic, such as push notifications, App Store traffic, and even Health app data, completely bypasses the VPN.

That’s not exactly what I would call a rosy picture. Thankfully, there are some ways to mitigate these issues, although there will still be gaps, and the workarounds can be somewhat hit-and-miss. Still, they’re worth the trouble. Simply knowing about these issues will at least prevent you from having a false sense of security and privacy when using a VPN on iOS.

We’re going to present an overview of each issue and recommend mitigations for each of them, where possible. But before we do that, let’s provide some background to this situation as it dates back to 2020 and iOS13.

In the beginning…

In 2020, the folks at ProtonVPN discovered the first issue in iOS13 – open network connections before you enable the VPN connection. In theory, enabling the VPN should close existing network connections and re-establish them once the VPN is active – sending them through the VPN tunnel. But, in practice, many of these network connections will remain open and active despite the VPN being enabled. That traffic will use your ISP or mobile provider gateway, instead of the VPN’s.

ProtonVPN alerted Apple, and initially, Apple didn’t react. Eventually, Apple told ProtonVPN that some traffic bypassing the VPN was “by design” and stated that setting up an “Always On VPN” (a configuration option that requires a mobile device management (MDM) solution was the only way to ensure that all traffic is sent through the VPN tunnel. But MDM solutions are only available to businesses, not regular users. This was, of course, not a satisfactory resolution.

By the time iOS14 rolled out, Apple claimed to have fixed the issue by providing a new API option to developers called includeAllNetworks. When set to ‘ON,’ this API option is meant to send all of the device’s traffic through the VPN and drop all network traffic if the VPN connection should ever drop unexpectedly – like a built-in kill switch.

But, as it turns out, this solution doesn’t work very reliably. In practice, it can make VPN connections a bit flaky, causing connection issues. So it was far from ideal.

Then, in 2022…

In 2022, another iOS VPN-related bug was discovered by Disconnect. This is issue number two in our above list. This issue revolves around the fact that Apple’s networking framework on iOS and iPadOS. It explicitly allows third-party apps to bypass the WiFi interface and use the user’s mobile connection to route traffic, regardless of whether or not the device is connected to a VPN. When it is, this forces the device to bypass the VPN and use the (unprotected) mobile connection instead, while providing the developer with your actual mobile network IP address. Oh, and this happens without notifying the user – your consent is not required. Ouch.

What was Apple’s solution to this one? The same (broken) fix that came with iOS 14: includeAllNetworks. Again, less than ideal.

Apple’s network buffet

In 2022, security researcher Michael Horowitz found a third issue concerning VPNs on iOS. Apple – by design – allows itself to surreptitiously bypass your VPN for its own traffic whenever it wants to. And this isn’t just for Apple’s push notifications. In September 2022, another security researcher, Tommy Mysk, found that Apple Store, Clips, Files, Find My, Maps, Settings, Wallet, and even the Health app send data outside the VPN tunnel.

This happens even when Apple’s new Lockdown Mode – an extreme opt-in feature that drastically limits your device’s functionality to significantly reduce its attack surface – is enabled. That’s kind of ridiculous.

While this might be ‘by design,’ it opens a severe security and privacy hole on Apple devices. Apple is likely doing this to ensure a proper customer experience when using its devices and services. But given its stance on privacy, Apple should fix these issues for both its users and its reputation. It appears that Apple’s tough talk on privacy is little more than a marketing gimmick.

Issue #1: Prior connections leak

When you connect to a VPN server, upon successful connection, your device should drop all network traffic that was active on the device and reroute that traffic through the VPN tunnel. When a commercial VPN is active, the default behavior is that it becomes your default gateway – meaning that all traffic should go through the VPN tunnel rather than using your ISP gateway (WiFi) or your mobile service provider’s network (mobile data).

This does not work as expected on iOS and iPadOS.

Connections that were open before you turn on the VPN can remain open and keep sending data outside the VPN tunnel. A common occurrence would be if connected to the VPN while downloading a file. The file download will continue outside the tunnel despite the VPN being active.

This is a problem because a malicious actor observing your traffic could correlate your real IP address to your VPN IP address, making you much easier to identify.

Mitigation for issue #1

To mitigate that issue, you can close your connections manually. Here’s how to do that:

  1. Enable the VPN connection
  2. Turn on Airplane mode
  3. Disable Airplane mode

The VPN should reconnect automatically, and your prior connections should be closed. If you re-establish the now-closed network connections, they should go through the VPN tunnel. I say “should” because these workarounds are not considered 100% effective. The real fix needs to come from Apple.

Issue #2: Third-party apps can access your real cellular IP address

The second issue is related to third-party apps and cellular data. It turns out that any third-party app can obtain your mobile carrier’s “real” IP address and bypass the VPN, even if you’re using WiFi (for this to occur, your cellular data connection must be active). In this scenario, the app uses your default cellular connection (outside the VPN).

A third-party app engaging in this practice can only bypass the VPN for its own data. Traffic outside the scope of that app will still go through the VPN tunnel. Nonetheless, it’s a serious issue.

Mitigation for issue #2

To mitigate this one, you should always turn off your cellular data connection when using WiFi. You should also make sure to turn off your cellular connection before enabling the VPN on WiFi. And you should choose WiFi over cellular whenever you can (with cellular turned off).

If you cannot use WiFi and must use your cellular connection, then you’re out of luck. But you can still improve your odds of avoiding this leak by only installing apps you trust.

Issue #3: Apple exempts its traffic from VPNs

Issue number three is Apple’s own traffic transiting outside the VPN – by design. It makes no difference whether or not you’re connected to a VPN. This affects traffic from the following Apple apps: Apple Store, Clips, Files, Find My, Maps, Settings, Wallet, and the very sensitive Health app.

This traffic nonetheless uses HTTPS, so it’s not being sent in the clear. It’s just difficult to understand why Apple would do this, particularly in light of the company’s stance on privacy. Apple did state this was expected behavior – it’s just not clear why.

Mitigation for issue #3

This is the hardest issue to mitigate. There are only two ways to avoid this behavior, and they won’t be available to all. You’ve got two options:

  1. Set up a VPN router
  2. Configure your iPhone with an always-on VPN connection

Setting up a VPN router is probably the easiest of the two options, but it’s still not going to have mass appeal. A VPN router is a router that’s configured to send its traffic through a VPN tunnel. The router acts as the VPN client; all devices connected to the router send their traffic through the VPN tunnel by default. Those devices don’t need a dedicated VPN app; simply connecting to the router does the job.

You can set up your own VPN router – we have guides for pfSense/WireGuard, pfSense/OpenVPN, OPNsense/WireGuard, and OPNsense/OpenVPN. Or you can purchase a pre-configured VPN router through your VPN provider (not all VPN providers offer pre-configured VPN routers).

If you run with this setup, as long as your cellular connection is disabled, your traffic has no other option than to go through the VPN tunnel. Apple cannot exempt itself from the VPN as the connection isn’t happening on the iOS device – it’s happening on the router, and the only way to the internet is through the VPN tunnel.

Again, while this works, it’s likely only a tiny minority of users that will have access to this solution.

The other solution – an always-on VPN connection – is even less accessible. It requires a mobile device management solution (or a pseudo-MDM solution, like Apple Configurator). The idea is that you set up your VPN connection to be “always-on” using a configuration profile. With an always-on VPN connection, the iPhone is configured to only send network traffic over the VPN tunnel and will block all network traffic unless it’s connected.

This sounds great in theory, but there are some serious downsides.

First, very few users will have access to a proper MDM solution (typically used by businesses with hundreds or thousands of devices to configure and manage). And very few users will have the know-how to use Apple Configurator to create their own configuration profile.

Another caveat is that you can only configure an always-on connection using the IKEv2 protocol. That means no OpenVPN or WireGuard and no third-party VPN apps. There’s nothing wrong with IKEv2 – it’s robust and secure. But not all VPNs support it.

Long story short: for the overwhelming majority of users, there is no practical mitigation for this issue. Until Apple fixes this (and I wouldn’t hold my breath, seeing as Apple has stated this is by design), most users will simply have to live with the fact that their Apple traffic will always bypass their VPN.

What about iOS17?

Apple released iOS17 on September 18 2023. As it stands right now, there’s no indication that any of these issues have received any of Apple’s attention or been fixed. If I hear otherwise in the coming weeks, I’ll be sure to update this post.

Wrap Up

So, that’s an overview of the state of VPNs on iOS in 2024. It’s not a rosy picture, but at least mitigations exist for some of the issues. And while the mitigations are partial, I should stress that using a VPN on iOS is still useful.

The protection may not be at the same level as what you’ll get on your laptop, but you’re still protecting more traffic than not, reducing your attack surface, and cutting your ISP out of the loop (most of the time).

So, should you keep using a VPN on iOS? By all means, yes. But you should use one while being aware of its limitations and avoid being lulled into a false sense of security.

So, be aware, and stay safe!