
Security experts reveal Proton is the 'only VPN' to avoid internal tunnel IP fingerprinting on iOS
Proton VPN uniquely blocks IP tunnel fingerprinting on iOS, researchers say
Mullvad is among other providers that remain vulnerable to the flaw
The issue stems from iOS networking behaviour
Proton VPN is the only VPN that successfully avoids internal tunnel IP fingerprinting on iOS, according to recent tests carried out by security researchers at Mysk.
Internal tunnel IP fingerprinting is the ability to correlate a VPN session using the 'fingerprints' left by a recurring private IP address assigned inside a VPN tunnel.
Many of the best VPNs assign a static and unique IP address per session or device, leaving these traces behind.
The issue is that in the iOS ecosystem, apps can freely read the VPN tunnel's internal IP address, meaning it can be used as an additional tracking signal across apps.
Instead, Proton VPN assigns the same reserved local internal IP address — specifically 10.2.0.2 — to all users, removing the individual fingerprints left by your own online activity.
What researchers found
Imagine you are a member of a private club and, whilst visiting the building, you leave your fingerprints everywhere.
Even if no one can identify who they belong to, the fact that they are found on specific objects might give an idea of what a particular person has been doing.
This is effectively the problem with iOS. When you have a stable internal IP address allocated by WireGuard — in any VPN — this acts as a digital fingerprint, and iOS allows any app to read it. This, in turn, can be used as a shared identifier, making it easier for those apps to deduce that they are running on the same device and within the same VPN session.
Proton VPN has chosen to address this problem head-on. Using a novel approach, users are all assigned the exact same internal IP address. Each user's address is therefore identical to that of every other user connecting to the service using the WireGuard protocol.
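The difference between the two assignment policies can be shown with a small simulation, added here as an illustration and not taken from Mysk, Proton or Mullvad. The device names, app names and the 10.64.0.0 range are constructed samples; only 10.2.0.2 comes from the article.

```python
from collections import defaultdict
from ipaddress import ip_address

SHARED_IP = "10.2.0.2"  # address the article reports Proton VPN assigns to every user

def assign_unique(devices, first="10.64.0.2"):
    """Per-device static internal address. The range is a constructed sample."""
    base = int(ip_address(first))
    return {dev: str(ip_address(base + i)) for i, dev in enumerate(devices)}

def assign_shared(devices):
    """Every device receives the same internal address."""
    return {dev: SHARED_IP for dev in devices}

def anonymity_sets(assignment):
    """Map each internal IP to the set of devices that present it."""
    sets = defaultdict(set)
    for dev, ip in assignment.items():
        sets[ip].add(dev)
    return dict(sets)

def singled_out(assignment):
    """Devices whose internal IP is shared with nobody (anonymity set of 1)."""
    return sorted(dev for devs in anonymity_sets(assignment).values()
                  if len(devs) == 1 for dev in devs)

def cross_app_link_precision(assignment, apps=("app_a", "app_b")):
    """Of all cross-app record pairs with equal tunnel IP, the fraction that
    really come from one device. 1.0 means the IP is a reliable identifier."""
    records = [(app, dev, ip) for dev, ip in assignment.items() for app in apps]
    matched = same_device = 0
    for app1, dev1, ip1 in records:
        for app2, dev2, ip2 in records:
            if app1 < app2 and ip1 == ip2:
                matched += 1
                same_device += dev1 == dev2
    return same_device / matched if matched else 0.0

DEVICES = [f"device-{n}" for n in range(1, 6)]  # constructed sample population

if __name__ == "__main__":
    for name, policy in (("unique", assign_unique), ("shared", assign_shared)):
        assignment = policy(DEVICES)
        print(name, singled_out(assignment), cross_app_link_precision(assignment))
```

With a shared address the match rate falls to one in the number of connected users, so the protection grows with the size of the population behind that address.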
Using Loupe, we found out that Proton VPN is the only VPN that prevents internal tunnel IP fingerprinting by assigning 10.2.0.2 to all users. Other VPNs, such as Mullvad, assign a static and unique IP per session. This allows iOS apps to track user sessions across apps. https://t.co/2yUxMaPjpD pic.twitter.com/zOyR8lZBWQ
June 15, 2026
This week, security researchers at Mysk used software they have developed to illustrate the issue definitively. Using Loupe, they found that their iOS app reads a unique fingerprint while using Mullvad VPN, for example, but only reads a generic one while connected to Proton VPN.
While TechRadar confirms the findings regarding Proton, the team could not independently verify whether every other VPN service is affected.
However, Mullvad previously pointed out issues related to having a static IP address and the privacy concerns this could bring, admitting that a static IP kept for each device could be leaked via technologies like WebRTC and help identify and track user activity.
In its blog, Mullvad advised that it was planning to introduce WG-dynamic assignment to help with the issue.
An iOS issue
Researchers appear to confirm that the issue is on the platform level, suggesting that Apple's operating system needs updates in its VPN handling rather than the other way around.
It is not yet clear whether Apple is actually addressing these issues.
This isn't the first time Apple's platforms have clashed with VPNs, either. Both security researchers at Mysk and Mullvad have also been publicly complaining about another iOS behaviour that could lead to a traffic leak during app updates.
In April, Mullvad decided to push an update to make its iOS app more secure, leveraging an iOS configuration option called includeAllNetworks to act as an airtight kill switch.
"Even if it comes with major UX limitations," Mullvad said in its blog post, while admitting that traffic will keep leaking during the update process.
Apple, however, doesn't seem to be aiming to fix this issue. Even in the newest iOS and iPadOS beta, Mysk found that the device's real IP still leaks when a VPN app is updated while it is active.
At least for this 'leak,' though, Mullvad users will now receive a notification beforehand so they can choose the safest moment to update. For IP fingerprinting, meanwhile, non-Proton users may need to wait a bit longer for a fix.
View original source — TechRadar ↗