maique

On another episode of “It’s Working Just Fine, so let us Screw This Up”, I’m testing IVPN + NextDNS.

Works fine, until the iPhone sleeps, and then the connection is gone, and I have to reboot. Hmmmm…

pimoore

@maique I never had to reboot when I had this setup, but I did notice a lag sometimes before the VPN reconnected. The bigger issue for me is that VPNs on iOS are essentially useless, due to the bug that not all data is secured. It’s a long-standing iOS bug that Apple still hasn’t fixed (at least not that I’m aware).

odd

@pimoore @maique As I understood this, it will be done as a part of the end-to-end encryption work at the start of 2023, but I’m not sure. @rom might know.

maique

@pimoore The setup works flawlessly with Mullvad, but somehow IVPN seems to struggle. It should be easier, since I can even add the appropriate NextDNS URL in the settings.

maique

@pimoore Sorry to get back to this one, but what was your setup at the time, if you still remember? Using NextDNS app, or profile? IVPN app, or WireGuard with downloaded profiles? Thanks.

pimoore

@maique I was using the IVPN app with the custom DNS profile pointing to NextDNS. There was a setting to enable it to utilize something in the background to reconnect quicker, but I never used it as I assumed it would be a battery hit.

maique

@pimoore Thanks. Trying again. I believe that’s what I was doing, but starting from scratch.

rom

@odd @pimoore @maique this remains to be seen - if the Advanced Data Protections for iCloud will render the data that leaks useless, but then again, these are telemetry that aren't saved on user's iCloud, so I'd say it is still a bug (wonder if iOS 16.2 fixed it).

pimoore

@rom @maique @odd Nothing about VPN in the release notes, so I’m assuming it’s not fixed.

rom

@pimoore @maique @odd the thing is - there is no CVE attached to it. Not sure if Apple acknowledged it as a bug. LOL

pimoore

@rom @maique @odd That makes this whole thing even worse, seeing this is the entire point of a VPN. Any leak is — I’d assume — a potential exposure to be MITM’d. This is beyond a bug, it’s a gaping security issue at worst. Things like this make me question whether it’s time to switch back to a Mac.

rom

@pimoore @maique @odd I know. The thing is, it needs to be validated and acknowledged by Apple if it is indeed a bug for it to be fixed. It may be similar to the WiFi SSID scanning that devices do (which isn't a bug, but is a privacy concern). Also, was there a formal bug report filed? Frankly, I do not know.

pimoore

@rom Considering how long the bug has existed for — and being pointed out by security researchers — I can’t see there not being a report.

pimoore

@jasonekratz @rom @odd @maique I hadn’t heard of the airplane mode trick, why/how exactly does that work?

rom

@pimoore like security bugs, researchers report it and not just rely on blogging about it or talking to the press. There SHOULD be an official report with ALL the findings. In fairness, Apple can't just go all over the internet and take on "reports". The thing is - I have not seen any of these reports saying that the researchers have contacted Apple directly (I might have missed it).

rom

@jasonekratz @pimoore @odd @maique if it was reported, then Apple has no excuse EXCEPT to prioritize more serious data leaks. I wonder, was there any update from the researchers with respect to iOS 16.2?

rom

@pimoore @jasonekratz @odd @maique I think it resets the connections (turns it off), otherwise, whatever connections established prior to enabling the VPN tunnel might have been made persistent by iOS - hence the bug.

pimoore

@jasonekratz @rom @odd @maique Nope, it hasn’t; I first did a search for “VPN” in the security release notes, and then a visual scan for data leak or anything similar. One shouldn’t have to toggle airplane mode to get proper security, it should just work. The fact it does on the Mac but not on iOS is inexcusable.

pimoore

@rom @jasonekratz @odd @maique Hypothetically when you turn the radios back on, if your wifi connects before the VPN does would you not be in the same scenario?

rom

@pimoore @jasonekratz @odd @maique well, the Mac is an entirely different beast, so can't compare the two.

Also, personally, I'd wait for the researchers to test it again on iOS 16.2, rather than relying on the release notes (Apple has this habit of NOT including all details OR it might have been related to another network-related security bug that was fixed), but better to err on the safe side and assume it has not been fixed. :)

pimoore

@rom @jasonekratz @odd @maique Didn’t know that about the release notes, I think I’ll be watching this space to see if anything comes up.

This isn’t the only reason I’ve given thought to moving back to a Mac, but it certainly is a big one.

maique

@pimoore @rom @jasonekratz @odd Late, sorry, sleeping. I did read about the Airplane mode to go around that issue. As far as I could tell, it works as you said: connections made after turning it on are ok, the others will not.

I've been using Mullvad for years now, when I feel I need it, but getting it to work with NextDNS involves letting go of their app, and using WireGuard's app, then deleting the DNS on every single server I might use,...

IVPN allows me to input my NextDNS URL on their app, and everything seems to be working fine.

Anyway, just testing, added a couple of months to the account, and I still have the other one going. Another one of those "I'm slightly bored, let's move things around a bit".

Thank you for all your input on this one.

odd

@pimoore @jasonekratz @rom Thank you for the updates in your discussion.

pimoore

@odd @jasonekratz @rom @maique Ditto, thanks everyone for a great discussion around this!

rom

@odd @pimoore @jasonekratz @maique hope to get it re-started once we get more information. :)
