- Proton VPN Uniquely Blocks IP Tunnel Fingerprinting on iOS, Researchers Say
- Mullvad is among other vendors that remain vulnerable to the defect.
- The problem arises from iOS networking behavior.
Proton VPN is the only VPN that successfully bypasses internal tunnel IP fingerprinting on iOS, according to recent testing by Mysk security researchers.
Internal Tunnel IP Fingerprinting is the ability to correlate a VPN session using the “fingerprints” left by a recurring private IP address assigned within a VPN tunnel.
Many of the The best VPNs assign a unique, static IP address per session or device, leaving these traces behind.
The problem is that in the iOS ecosystem, apps can freely read the internal IP address of the VPN tunnel, meaning it can be used as an additional tracking signal between apps.
Instead, Proton VPN assigns the same reserved local internal IP address, specifically 10.2.0.2, to all users, removing individual fingerprints left by their own online activity.
What the researchers found
Imagine that you are a member of a private club and, while visiting the building, you leave your fingerprints everywhere.
Even if no one can identify who they belong to, the fact that they are found on specific objects can give insight into what a particular person has been up to.
This is indeed the problem with iOS. When you have a stable intern The IP address assigned by WireGuard (on any VPN) acts as a fingerprint and iOS allows any app to read it. This, in turn, can be used as a shared identifier, making it easier for those apps to deduce that they are running on the same device and within the same VPN session.
Proton VPN has decided to tackle this problem head-on. Using a novel approach, all users are assigned the exact same internal IP address. This appears identical to all other users connecting to the service using the WireGuard protocol.
Using Loupe, we found that Proton VPN is the only VPN that prevents internal tunnel IP fingerprinting by assigning 10.2.0.2 to all users. Other VPNs, like Mullvad, assign a unique, static IP per session. This allows iOS apps to track user sessions between apps. pic.twitter.com/zOyR8lZBWQJune 15, 2026
This week, Mysk security researchers used software they developed to definitively illustrate the problem. Using Loupe, they discovered that their iOS app reads a unique fingerprint while using Mullvad VPN, for example, but only reads a generic one while connected to Proton VPN.
While TechRadar confirms the findings about Proton, the team was unable to independently verify whether all other VPN services are affected.
However, Mullvad previously pointed out issues around having a static IP address and how this could lead to privacy issues, admitting that maintaining a static IP for each device could leak through technologies like WebRTC and help identify and track user activity.
On his blog, Mullvad reported that he was planning to introduce a dynamic GT task to help with the problem.
An iOS problem
The researchers seem to confirm that the problem is at the platform level, suggesting that Apple’s operating system needs updates to its VPN handling and not the other way around.
It’s still unclear if Apple is actually addressing these issues.
This is also not the first time that Apple’s platforms have clashed with VPNs. Both security researchers Mysk and Mullvad have also publicly complained about other iOS behavior that could cause traffic leaks during app updates.
In April, Mullvad decided to push an update to make its iOS app more secure, taking advantage of an iOS configuration option called include all networks to act as a watertight kill switch.
“Even if it comes with significant UX limitations,” Mullvad said in his blog post, although he admitted that traffic will still be filtered during the upgrade process.
Apple, however, does not seem to want to solve this problem. Even in the most recent beta version of iOS and iPad OS, Mysk found that the device’s real IP is still leaked during a VPN app update while it is active.
However, at least for this ‘leak’, Mullvad users will now be notified beforehand so they can choose the safest time to update. While for IP fingerprinting, non-Proton users may have to wait much longer for a fix.
