According to a security researcher, VPNs for iOS are broken and Apple is aware of this.
After being activated, third-party VPNs designed for iPhones and iPads frequently fail to send all network traffic over a secure tunnel.
An experienced security researcher claims that Apple has known about this issue for years (via Ars Technica).
According to Michael Horowitz, the majority of virtual private network (VPN) applications tested on iOS devices at first seem to function as intended, assigning the device a new public IP address and new DNS servers and transferring information to the VPN server. The VPN tunnel does, however, eventually leak data.
When a user connects to a VPN, the operating system is expected to shut off all active internet connections and then reestablish them through the VPN tunnel.
Horowitz has not seen that happen in his sophisticated router logging. Sessions and connections created prior to the VPN's activation do not end, as one might anticipate, while the VPN connection is open, and they can still transport data outside the VPN tunnel, potentially leaving it unencrypted and exposed to ISPs and other parties.
"Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak.
I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."
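The same kind of check can be run against your own router logs. The script below is an added example, not Horowitz's tooling: the CSV log layout, the addresses (documentation ranges) and the `find_leaks` name are constructed assumptions. It lists traffic from one device that bypasses the tunnel after the VPN comes up and marks flows that already existed before activation.

```python
import csv
import io
from datetime import datetime

# Constructed sample router log (not real capture data).
# Columns: time, source IP, destination IP, destination port, protocol, bytes
SAMPLE_LOG = """\
2022-08-01T10:00:05,192.168.1.50,203.0.113.10,443,tcp,1200
2022-08-01T10:00:20,192.168.1.50,198.51.100.7,5223,tcp,300
2022-08-01T10:01:00,192.168.1.50,192.0.2.99,51820,udp,148
2022-08-01T10:01:30,192.168.1.50,192.0.2.99,51820,udp,9000
2022-08-01T10:02:10,192.168.1.50,198.51.100.7,5223,tcp,450
2022-08-01T10:03:00,192.168.1.50,203.0.113.77,443,tcp,800
2022-08-01T10:03:05,192.168.1.23,203.0.113.10,443,tcp,500
"""


def find_leaks(log_text, device_ip, vpn_server_ip, vpn_up):
    """Return flows from device_ip seen at or after vpn_up that bypass the tunnel.

    Each result is (flow_key, bytes_after_vpn, kind). kind is 'pre-existing'
    when the same destination/port/protocol was already in use before the VPN
    came up (the behaviour the article describes), otherwise 'new'.
    The sample log has no source port, so the flow key is an approximation.
    """
    seen_before = set()
    leaked = {}
    for ts, src, dst, dport, proto, nbytes in csv.reader(io.StringIO(log_text)):
        if src != device_ip:
            continue  # only the device under test
        key = (dst, int(dport), proto)
        if datetime.fromisoformat(ts) < vpn_up:
            seen_before.add(key)
        elif dst != vpn_server_ip:
            # Once the tunnel is up, everything should go to the VPN server.
            leaked[key] = leaked.get(key, 0) + int(nbytes)
    return [(key, total, "pre-existing" if key in seen_before else "new")
            for key, total in sorted(leaked.items())]


if __name__ == "__main__":
    vpn_up = datetime.fromisoformat("2022-08-01T10:01:00")
    for flow, total, kind in find_leaks(SAMPLE_LOG, "192.168.1.50", "192.0.2.99", vpn_up):
        print(f"{kind:12} {flow[0]}:{flow[1]}/{flow[2]} {total} bytes outside tunnel")
```
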