From time to time we may encounter vulnerabilities in third-party software, which in the future will be disclosed after 90 days in accordance with our responsible disclosure program. We are disclosing this “VPN bypass” vulnerability publicly because it’s important that our community and other VPN providers and their users are aware of this issue. Below we explain the nature of the security flaw, how we investigated it, and what users can do to mitigate their risk until Apple fixes the vulnerability. Typically, when you connect to a virtual private network (VPN), the operating system of your device closes all existing Internet connections and then re-establishes them through the VPN tunnel. A member of the Proton community discovered that in iOS version 13.3.1, the operating system does not close existing connections. (The issue also persists in the latest version, 13.4.) Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel. One prominent example is Apple’s push notification service, which maintains a long-running connection between the device and Apple’s servers. But the problem could impact any app or service, such as instant messaging applications or web beacons. The VPN bypass vulnerability could result in users’ data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays). The more common problem is IP leaks. An attacker could see the users’ IP address and the IP address of the servers they’re connecting to. Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server. When you connect a device to VPN, you should only be able to see traffic between the device’s IP and the VPN server or local IP addresses (other devices on your local network). As the capture below shows, there is also direct traffic between the iOS device’s IP and an external IP address that is not the VPN server (in this case it’s an Apple server). For more and a workaround please visit OUR FORUM.