
Mullvad VPN has published an in-depth technical breakdown explaining why its iOS app still does not enable Apple's 'includeAllNetworks' flag, a setting that could, in theory, prevent all network traffic from bypassing the VPN tunnel.
Despite the feature's apparent benefits, Mullvad warns that enabling it leads to critical system failures during app updates, resulting in complete network loss on the device — a problem with no clean workaround.
Mullvad VPN is a Sweden-based provider known for its no-logs policy and pioneering work in VPN transparency, supporting platforms like Windows, macOS, Linux, Android, and iOS, with a particular focus on open-source development and privacy by default. Its iOS client integrates WireGuard and supports advanced features such as multihop, DAITA, and now experimental quantum-resistant protocols. Our in-depth review of the product is available here.
Losing the internet connection
Mullvad's post follows increasing pressure from privacy-conscious users who are aware of vulnerabilities like TunnelCrack, which exploits traffic routing behavior on iOS. The 'includeAllNetworks' flag was introduced by Apple to tell the system that all traffic, including local and Apple-specific services, must pass through the VPN tunnel, making it an attractive option for VPN vendors concerned about leaks.
However, Mullvad's engineers found that enabling this flag breaks essential tunnel operations such as internal health checks and connectivity verification that depend on ICMP and TCP traffic originating from within the VPN tunnel process itself. While the app can route user traffic correctly, it loses the ability to perform necessary internal checks that rely on sending packets to 10.64.0.1 or establishing ephemeral TCP sessions used in features like quantum-resistant tunneling (DAITA).
Mullvad, known for its strict privacy focus and open-source tooling, explains that iOS's Packet Tunnel Provider API separates the user-facing app from the network tunnel process, complicating how internal diagnostics are performed. When 'includeAllNetworks' is set to true, the tunnel's own TCP and ICMP requests either fail silently or hang indefinitely, and these failures cannot be programmatically detected or handled.
To bypass these limitations, Mullvad has already implemented a userspace networking stack using gVisor's gonet package, which allows it to create TCP and ICMP traffic from within the tunnel process itself. This workaround enables internal traffic routing without leaks. However, the real blocker isn't technical — it's functional: enabling 'includeAllNetworks' causes iOS devices to lose all internet access during automatic or manual app updates via the App Store.
When a VPN profile using 'includeAllNetworks=true' is active and the app is being updated:
- The existing VPN tunnel is terminated.
- The App Store cannot establish a connection to download the updated app.
- The new VPN process can't start because the app isn't fully installed.
As a result, the entire system is left without any connectivity, requiring a reboot or obscure manual recovery steps.
From the user's perspective, this manifests as an unexplained loss of internet access — even push notifications fail — without any clear indication of what went wrong. Mullvad reported this behavior to Apple in February 2025 but has not received a response.
This iOS problem shares thematic overlap with Mullvad's earlier findings on macOS Sequoia, where VPN tunnel leaks occurred due to Apple's own applications bypassing system firewalls and sending unencrypted traffic directly to the internet. In both cases, Mullvad attributes the leaks to opaque system behavior and Apple's lack of documentation or reliable developer feedback mechanisms.
Despite the frustration, Mullvad's engineers say they will enable 'includeAllNetworks' as soon as it no longer results in critical usability issues. They also express a willingness to accept minor trade-offs in usability — but not if it means locking users out of their devices with no warning.
Until Apple addresses these limitations, Mullvad and other VPN vendors remain constrained in their ability to deliver airtight privacy protections on iOS without risking usability breakdowns.