Mullvad to add feature that forces all iOS traffic through the VPN tunnel

Mullvad has announced a new feature that forces all iOS app traffic through its VPN tunnel, accepting significant usability trade-offs to close long-standing traffic leak risks caused by Apple’s networking limitations.

The VPN provider explained that unresolved issues in Apple’s NetworkExtension framework have prevented it from fully securing its iOS app for over a year. Despite previously holding back on enabling Apple’s includeAllNetworks flag due to severe side effects, Mullvad now says it has implemented safeguards that allow it to roll out the feature in a controlled manner. The new option, called “Force all apps,” will soon be available in its iOS client and is designed to ensure that all device traffic is routed exclusively through the VPN tunnel.

Mullvad’s engineers had earlier documented how enabling includeAllNetworks=true could cause critical failures during app updates, effectively breaking the device’s networking stack. When triggered, the issue causes the VPN to disconnect while simultaneously preventing the App Store from downloading updates, leaving users without internet access until a reboot. This behavior creates a loop in which the system repeatedly attempts to update the app and fails, locking users into a cycle of connectivity loss.

Mullvad is a Swedish VPN provider known for its strict no-logs policy and transparency-focused approach, offering open-source clients across major platforms. The company has built a reputation for prioritizing privacy over convenience, often implementing experimental defenses such as quantum-resistant tunneling and advanced traffic obfuscation techniques.

Mullvad says it is no longer willing to delay stronger protections, even if the user experience suffers. The upcoming “Force all apps” feature deliberately enables the problematic includeAllNetworks configuration, ensuring that even system-level and Apple-specific traffic cannot bypass the VPN. To mitigate the update-loop issue, the app will now notify users before automatic updates occur, allowing them to take preventive action.

However, the workaround introduces friction. Users must either disconnect the VPN before updating the app or temporarily disable the “Force all apps” feature. In both cases, Mullvad warns that traffic may leak during the update process, as no reliable workaround exists to maintain full tunnel enforcement during updates. Additionally, a subset of users may still encounter a broken networking stack, requiring manual recovery steps such as rebooting the device.

Another unresolved limitation involves the VPN tunnel process itself. With includeAllNetworks enabled, Mullvad’s tunnel cannot properly bind sockets to the tunnel interface due to iOS restrictions. To address this, the company continues to rely on a userspace networking implementation, allowing it to generate TCP and ICMP traffic internally without depending on the system’s networking stack.

Mullvad acknowledges that its decision may expose more users to Apple’s underlying bugs, but hopes that increased visibility and user feedback will pressure Apple to address the issues at the platform level. The company explicitly encourages affected users to submit feedback reports to Apple to help drive a resolution.