Android VPN Traffic Leaks Outside VPN Tunnels Even with Always-on VPN Enabled
Security experts from Mullvad VPN have discovered that on Android devices, network traffic can leak outside of VPN tunnels when connecting to a Wi-Fi network. This occurs even if the “Block connections without VPN” or “Always-on VPN” features are enabled.
In practice, information such as source IP addresses, DNS requests, HTTPS traffic, and possibly NTP traffic can escape the VPN tunnel. While this behavior is technically normal for Android, few users are aware of it due to the unclear description of VPN Lockdown functionality in the official documentation.
Why Does This Happen?
Mullvad VPN analysts explain that Android settings include an option to block network connections if the user is not connected to a VPN. This feature is designed to prevent accidental leaks of the user’s real IP address if the VPN connection drops or is interrupted. However, this protection is often bypassed in special cases, such as authentication on captive portals (like hotel Wi-Fi), or checks that must be completed before the user can access the network, as well as when using split tunneling features.
As a result, Android leaks some data when connecting to a new Wi-Fi network, regardless of whether “Block connections without VPN” is enabled.
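One way to see this on your own device, as an added example that is not part of Mullvad's write-up or of Android itself: capture on the Wi-Fi interface while always-on VPN with "Block connections without VPN" is enabled, and flag every flow that is not the encrypted tunnel to your VPN server. The VPN endpoint address, the interface name and the capture lines below are assumptions or constructed sample data, not real observations.

```python
import re
from collections import Counter

# Assumption: the tunnel is UDP to this endpoint; replace with your VPN server.
VPN_ENDPOINT = ("203.0.113.10", 51820)

# Constructed sample of what `tcpdump -ni wlan0` could print on the Wi-Fi
# interface right after joining a network, with always-on VPN + lockdown on.
# Addresses are from documentation ranges and the hostname is invented.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.42.51234 > 203.0.113.10.51820: UDP, length 148
12:00:01.100002 IP 192.168.1.42.45678 > 192.168.1.1.53: 1234+ A? connectivitycheck.example.net. (47)
12:00:01.200003 IP 192.168.1.42.40001 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
12:00:01.300004 IP 192.168.1.42.40002 > 198.51.100.8.443: Flags [S], seq 1, win 65535, length 0
12:00:01.400005 IP 192.168.1.42.40003 > 192.0.2.123.123: NTPv4, Client, length 48
12:00:01.500006 IP 192.168.1.42.51234 > 203.0.113.10.51820: UDP, length 96
"""

# tcpdump prints "src.port > dst.port: detail" for IPv4 packets.
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")
PORT_CLASS = {53: "DNS", 80: "HTTP", 123: "NTP", 443: "HTTPS"}


def classify(dst_ip, dst_port, vpn_endpoint):
    """Only the tunnel itself is expected on wlan0; anything else bypassed the VPN."""
    if (dst_ip, dst_port) == vpn_endpoint:
        return "TUNNEL"
    return PORT_CLASS.get(dst_port, "OTHER")


def find_leaks(capture_text, vpn_endpoint=VPN_ENDPOINT):
    """Return (category, src_ip, 'dst_ip:port', detail) for every non-tunnel flow."""
    leaks = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, IPv6 and truncated lines are not handled here
        src_ip, _src_port, dst_ip, dst_port, detail = m.groups()
        category = classify(dst_ip, int(dst_port), vpn_endpoint)
        if category != "TUNNEL":
            leaks.append((category, src_ip, f"{dst_ip}:{dst_port}", detail))
    return leaks


def leak_summary(capture_text, vpn_endpoint=VPN_ENDPOINT):
    """Count leaked flows per category, e.g. {'DNS': 1, 'HTTP': 1, ...}."""
    return Counter(cat for cat, *_ in find_leaks(capture_text, vpn_endpoint))


if __name__ == "__main__":
    for cat, src, dst, detail in find_leaks(SAMPLE_CAPTURE):
        print(f"LEAK {cat:5} {src} -> {dst}  {detail}")
    print(dict(leak_summary(SAMPLE_CAPTURE)))
```

On the constructed capture the two tunnel packets pass and the DNS, HTTP, HTTPS and NTP flows are reported as leaks, with the device's real source address visible in each; a real capture on a device with split tunneling or a captive portal will also contain non-tunnel flows that are expected, so review what is reported rather than treating every line as a bug.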
Google’s Response
The experts reported the issue to Google developers and asked if it could be fixed by disabling these connection checks. Unfortunately, Google responded that the problem cannot be resolved for the following reasons:
- Many VPNs rely on the results of such connection checks.
- The checks are not the only, nor the most risky, exceptions.
- The impact on user privacy is minimal or insignificant, since the leaked information is already available at the L2 connection level.
Privacy Concerns Remain
Researchers argue that traffic leaking outside the VPN connection contains metadata that can be used to obtain sensitive information, such as the location of Wi-Fi access points.
“Connection check traffic can be monitored and analyzed by the party controlling the connection check server, as well as by anyone observing the network traffic. Even if the message reveals nothing more than ‘some Android device connected,’ metadata (including the source IP address) can be used to gather additional information, especially when combined with data like Wi-Fi access point locations,” the researchers note in their blog.
Mullvad VPN experts believe that even if these leaks are not fixed, Google engineers should at least update the documentation to clarify that the “Block connections without VPN” protection does not apply to connection checks.