Force all app traffic into the tunnel

Summary

Mullvad VPN’s iOS app adds “Force all apps” toggle to block all traffic leaks by enabling includeAllNetworks, accepting Apple bugs that can brick updates.

Cached at: 04/21/26, 05:07 PM

# Force all app traffic into the tunnel

Source: [https://mullvad.net/en/blog/force-all-app-traffic-into-the-tunnel](https://mullvad.net/en/blog/force-all-app-traffic-into-the-tunnel)

A year ago, [we wrote about](https://mullvad.net/blog/why-we-still-dont-use-includeallnetworks) how bugs in Apple's networking stack are preventing the iOS app from being as secure as possible. The bugs are still there, but we have secured our app anyway.

### The Problem

Due to the intricacies of Apple's NetworkExtension framework, we have been stuck with a VPN app that we knew would leak traffic in some circumstances on iOS. There is a known fix for this, but it comes with significant downsides. The biggest one is that it breaks the app update, leaving the user stuck in a broken update loop:

- AppStore determines it should update our app
- iOS bricks the networking stack whilst trying to update the app
- User reboots phone
- Phone can reach the internet again
- AppStore determines it should update our app
- iOS bricks the networking stack whilst trying to update the app

### The workaround

We have decided that we are not going to wait anymore, and we would like to offer our users the best possible privacy and security, even if it comes with major UX limitations. With more users experiencing these limitations first hand, we also increase the likelihood that the issue will be resolved upstream.

Thus, soon we will be releasing a new version of the iOS app that will contain a feature called *Force all apps*. Under the hood, enabling this feature sets the *includeAllNetworks* configuration option to true. We have tried to make sure that users who enable the feature do so deliberately, without making them jump through too many hoops. The phone can still enter the broken update loop, but now users should receive a notification about a new version being available before the app gets auto-updated.

### Updating the app

You must use one of these methods to avoid getting stuck in an update loop.

- **Disconnect the VPN** while the app is updated. The app will not reconnect automatically after it is updated, but *Force all apps* will remain enabled.
- **Disable Force all apps** while the app is updated. The app will reconnect automatically after it is updated, but *Force all apps* will have to be re-enabled manually.

In both cases, your traffic will leak during the update process - we do not believe there is a workaround for this.

We do, however, expect that a minority of the users of this feature will end up with a broken networking stack, and unfortunately there is not much we can do. If you've been affected by this, we can only encourage you to capture the anguish and express it as a feedback report to Apple.

As for the bug where, with *includeAllNetworks* enabled, our tunnel process cannot bind sockets to the tunnel device - that is still there and it is still an issue. As such, our workaround to use userspace networking will remain in place.
