 VPNs for iOS  are broken and Apple is aware of this.

According to a security researcher, VPNs for iOS are broken and Apple is aware of this.

After being activated, third-party VPNs designed for iPhones and iPads frequently fail to send all network traffic over a secure tunnel.

[{"selector":"#anim-b4ff65a3-1c3a-4b0d-a790-0dcea3121fca [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(-9.50000003458738%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-3d4d13e5-4ef0-4367-8191-e5ceee7c024a","keyframes":{"opacity":[0,1]},"delay":0,"duration":1500,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}]

An experienced security researcher claims that Apple has known about this issue for years (via ArsTechnica).

[{"selector":"#anim-37a34970-5f73-486a-9700-3fb2e142890a [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(0%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-ffd79446-ee3f-4cf4-a2ff-e2aad1faa7a4","keyframes":[{"offset":0,"transform":"translate3d(0, -335.68153%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.29,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.45,"transform":"translate3d(0, -94.39364623600001%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.61,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.71,"transform":"translate3d(0, -32.091154268000004%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.8,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.85,"transform":"translate3d(0, -12.050966927000001%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.92,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.96,"transform":"translate3d(0, -5.236631868%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":1,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"}],"delay":0,"duration":1600,"fill":"both"}]

According to Michael Horowitz, the majority of virtual private network (VPN) applications tested on iOS devices first seem to function as intended.

[{"selector":"#anim-2226ad9e-355d-4a10-a8e5-c54e598ba172 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(0%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}]

assigning a new public IP address, new DNS servers, and transferring information to the VPN server to the device. The VPN tunnel does, however, eventually leak data.

[{"selector":"#anim-6530a495-b592-407e-8949-0b32ee119331 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(-3.5601902769943194%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}]

The operating system shuts off all active internet connections when a user connects to a VPN before reestablishing them through the VPN tunnel.

[{"selector":"#anim-f289838d-e1fc-4b80-9ea4-1ad7f3cb7aed [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(12.71496527497971%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}]

Horowitz hasn't seen that in his sophisticated router logging. Sessions and connections created prior to the VPN's activation do not end as one might anticipate.

[{"selector":"#anim-2229409c-e7ad-4e7d-80e6-861f77baa941 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(0%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}]

while the VPN connection is open, and can still transport data beyond the VPN tunnel, potentially leaving it unencrypted and exposed to ISPs and other parties.

[{"selector":"#anim-33d692ce-f9b1-4998-ad3a-567118685259 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(0%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}]

"Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak

[{"selector":"#anim-81df3715-5581-4d81-be7f-ec171498458d [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(-7.105427357601002e-15%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}]

I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."

[{"selector":"#anim-6aa1c48f-6c77-43f5-8506-2d110778ff67 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(0%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}]