A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private networks (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption, exposing users' data or leaking their IP addresses.
While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN's secure tunnel, as ProtonVPN disclosed.
This VPN bypass vulnerability (rated with a 5.3 CVSS v3.1 base score) was discovered by a security consultant who is part of the Proton community and was disclosed by ProtonVPN to make users and other VPN providers aware of the issue.
Apple acknowledged the VPN bypass vulnerability after ProtonVPN's report and is currently looking into options on how to fully mitigate it.
Until a fix is provided, Apple recommends using Always-on VPN to mitigate this problem. However, since this workaround uses device management, it cannot be used to mitigate the vulnerability for third-party VPN apps such as ProtonVPN.
ProtonVPN recommends the following procedure if you are using a third-party VPN:
- Connect to a VPN server.
- Turn on airplane mode. This will kill all Internet connections and temporarily disconnect the VPN.
- Turn off airplane mode. The VPN will reconnect, and your other connections should also reconnect inside the VPN tunnel (not 100% reliable).
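Because the workaround is not fully reliable, it helps to confirm from the network side whether connections opened before the VPN came up are still flowing outside the tunnel. The following Python is an added example, not code from ProtonVPN or Apple; it assumes a flow log recorded at the LAN gateway, and the log format, addresses, ports and the `find_leaks` function are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not real capture data), one packet per line:
# seconds  source_ip  source_port  dest_ip  dest_port  protocol
SAMPLE = """\
10 192.168.1.23 50001 203.0.113.10 443 tcp
20 192.168.1.23 50002 198.51.100.7 5223 tcp
30 192.168.1.23 50003 192.0.2.50 1194 udp
40 192.168.1.23 50002 198.51.100.7 5223 tcp
45 192.168.1.23 50002 198.51.100.7 5223 tcp
50 192.168.1.23 50003 192.0.2.50 1194 udp
55 192.168.1.77 50010 203.0.113.10 443 tcp
60 192.168.1.23 50004 203.0.113.99 443 tcp
"""

def find_leaks(log, device_ip, vpn_server_ip, vpn_up_at):
    """Report the device's flows that bypass the tunnel after the VPN is up."""
    device = ipaddress.ip_address(device_ip)
    vpn = ipaddress.ip_address(vpn_server_ip)
    first_seen = {}              # flow -> time of its first packet
    after = defaultdict(int)     # flow -> packets seen once the VPN is up
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue             # skip malformed lines
        ts, src, sport, dst, dport, proto = parts
        ts = float(ts)
        if ipaddress.ip_address(src) != device:
            continue             # traffic from another host on the LAN
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip == vpn:
            continue             # encapsulated tunnel traffic, expected
        flow = (int(sport), str(dst_ip), int(dport), proto)
        first_seen.setdefault(flow, ts)
        if ts >= vpn_up_at:
            after[flow] += 1
    report = {"pre_existing": [], "new": []}
    for flow, count in sorted(after.items()):
        # Flows that started before the VPN came up match the bug described above.
        kind = "pre_existing" if first_seen[flow] < vpn_up_at else "new"
        report[kind].append((flow, count))
    return report

if __name__ == "__main__":
    print(find_leaks(SAMPLE, "192.168.1.23", "192.0.2.50", vpn_up_at=30))
```

Flows listed under `pre_existing` match the behaviour described above; flows under `new` are outside the tunnel for a reason this bug does not explain.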