Activate VPN on Android and block traffic without VPN

  • Android lets you combine "Always-on VPN" and "Block connections without VPN", but by design it still sends connectivity-check traffic outside the tunnel.
  • Providers such as Mullvad, ExpressVPN, and NordVPN have documented leaks (DNS, HTTPS, NTP, server changes in Android 14) that apps cannot prevent without operating system changes.
  • Using EMM, per-app VPN, a kill switch, split tunneling, and modern protocols helps get closer to a setup where almost all traffic passes through the VPN without sacrificing usability.
  • Choosing a good provider, properly adjusting Android options, and understanding the system's real limitations are key to achieving maximum privacy on your mobile device.

If you use Android daily and care about privacy, you've probably wondered more than once whether the entire connection actually goes through the VPN, or whether Android is letting traffic out through other paths. The reality is more complex than it first appears: there are options like "Always-on VPN" and "Block connections without VPN", extra features from providers (kill switch, network protection), and yet data leaks occur because of design decisions within the system itself.

This article is intended for IT administrators and advanced users who want to configure a VPN on Android and minimize, as far as possible, the traffic that leaves the tunnel. We'll break down how VPNs work on the system, what third-party apps like ExpressVPN, NordVPN, Mullvad, or Rethink DNS + Firewall offer, what limitations Android has (including leaks detected in Android 14), and what you can practically do to get as close as possible to maximum privacy on your phone.

What is a VPN on Android and what does it actually do?

On an Android phone, a VPN creates an encrypted tunnel between the device and a remote server. Everything the system sends through that virtual interface is encapsulated and travels encrypted to the VPN server, which is what reaches the Internet with its own IP.

For the websites and services you connect to, the origin of the connection is the IP address of the VPN server, not the IP address of your home network, office network, or Wi-Fi. This makes tracking by IP address harder and provides real protection on open networks, but it doesn't mean absolute anonymity: the VPN provider can see your traffic as it exits the tunnel, and you still leave other traces (cookies, logged-in accounts, browser fingerprint, etc.).

It's important not to confuse concepts: your operator's APN defines how you connect to the mobile network, while a VPN defines where your internet traffic goes. They share a section in Android settings, but they are different things. It's also important to remember that a VPN is not an antivirus or a complete firewall, but rather an encryption and encapsulation layer plus a change of public IP.

VPN options built into Android and third-party apps

Android has included a native VPN client supporting PPTP, L2TP/IPSec and IPSec. Starting with Android 4.0, it has also allowed third-party applications to implement their own VPNs using the system API, which has given rise to the whole ecosystem of commercial apps (NordVPN, ExpressVPN, X-VPN, etc.) and advanced tools like Rethink DNS + Firewall.

The built-in client is sufficient if you want to connect to a corporate VPN or a simple server that you control. However, it falls short on modern features: it doesn't usually offer a configurable kill switch, advanced split tunneling, built-in ad or malware blocking, or centralized management from an EMM beyond what Android Enterprise allows.

Therefore, many scenarios require a dedicated app. These applications can use more modern and efficient protocols such as OpenVPN or WireGuard, integrate DNS filtering (for example, with NextDNS), add application-level firewalls, and offer friendlier interfaces for end users who don't want to struggle with certificates and shared keys.

At the enterprise level, enterprise mobility management (EMM/MDM) solutions can define VPN profiles, push them to devices, install certificates, and block configuration changes to prevent users from disabling protection or leaving the tunnel with unauthorized apps.

How to set up a VPN on Android: official app vs. manual setup

When using a VPN on an Android phone, you have two main options: use the provider's official app, or configure the connection manually from the system settings. Each method has its advantages and limitations, and they do not affect the question of "blocking traffic without a VPN" in the same way.

The easiest way is usually to install the official app from Google Play. You open the app, log in with your account, grant the necessary permissions, and choose a server from a map or list. When you tap the connect button, the app asks Android to create a VPN interface and, once you accept the system confirmation dialog, Android itself routes traffic through that tunnel according to the rules the app defines.

If you prefer low-level control, you can go to Settings → Network & Internet → VPN (the path may vary depending on the manufacturer) and add a new VPN connection manually. There you enter a name, the VPN type (for example, L2TP/IPSec), the server address, the username and password, and any additional shared keys or certificates. Once the profile is saved, you can connect by tapping its name and choose whether you want it to be the "always-on" VPN.

In both cases, the key setting for our topic is the combination of "Always-on VPN" and "Block connections without VPN", available from Android 7.0/8.0 depending on the device. These options directly determine whether Android allows traffic to leave outside the tunnel when the VPN is unavailable.

“Always-on VPN” and “Block connections without VPN” on Android

For several versions now, Android has included the option to set an "always-on VPN". This means the system tries to keep that VPN service running permanently while the device or work profile is active. If you restart your phone, Android launches the VPN app and establishes the connection without you having to open it manually.

Alongside this function is the critical checkbox "Block connections without VPN". On paper, what Google promises in its documentation is simple: if this option is enabled, any network traffic that does not pass through the VPN is blocked. In other words, either the packet goes through the tunnel, or it isn't sent. It's the closest thing to an "absolute outbound firewall" that the system offers to users and administrators.

For users with demanding privacy needs (journalists, activists, staff who handle sensitive data, etc.), activating both boxes is almost mandatory, because it prevents your phone from quietly connecting without encryption if the VPN fails or accidentally disconnects. The same goes for companies that want corporate traffic to always go through a managed VPN.

The problem is that, as providers like Mullvad have shown, Android does not fully deliver on the promise that "everything that doesn't go through the VPN is blocked". There are exceptions intentionally designed into the system, and they have privacy implications worth knowing about.

The traffic that Android lets through even if you block VPN connections

Mullvad VPN conducted a technical audit of how Android behaves when "Always-on VPN" is combined with "Block connections without VPN". Their tests showed that every time the device connects to a Wi-Fi network, the system deliberately sends traffic outside the VPN tunnel, even with both options active.

That traffic is not ordinary traffic: it includes connectivity check requests, DNS queries, HTTPS traffic with metadata, and probably NTP requests to synchronize the time. In other words, it's not a neutral ping but a set of communications that can leak information about your real IP address, the servers you're querying, and the Wi-Fi network you're connecting to.

Google designed this behavior; it's not an accidental bug. The system needs to check for internet access, detect captive portals (like the typical hotel or airport networks that show a login form), and update network status. To do this, Android sends those checks outside the tunnel, which undermines the reliability of the total-block promise.

From Mullvad's perspective, Google's description of "Block connections without VPN" is misleading because it does not mention these exceptions. They have asked that the documentation be corrected to make clear that connectivity-check traffic is not affected by the block, and that an extra setting be offered to disable these checks in profiles that require maximum privacy.

What data is being leaked and what can be inferred from it

The leaks associated with these checks may seem small, but the metadata that escapes the tunnel provides ample opportunity for an attacker with surveillance capabilities. Among other things, it can expose source IP addresses, queried domains, HTTPS destinations, and time synchronizations.

Source IP addresses make it possible to link your approximate physical location (home, work, a specific coffee shop) to the device, even when the rest of your traffic is routed through a remote VPN server. DNS queries, even when made to encrypted servers, still provide clues about which services you're using, especially if they point to specific providers.

In the case of HTTPS traffic, the content is encrypted, but size patterns, timing, SNI, and destination addresses remain visible. These patterns are useful for reconstructing which applications are talking to which servers. NTP traffic, meanwhile, reveals time synchronizations and, combined with other data, helps correlate sessions and the device's appearances on different networks.

With all this, a powerful actor (for example, a network operator, a large platform, or an organization with backbone access) can correlate the real IP address and device behavior with the activity that was supposedly protected by the VPN, reducing your real anonymity even though the traffic content remains encrypted.

Additional leaks detected in Android 14 when changing VPN servers

Connectivity checks aren't the only problem. Mullvad has reported that in Android 14, when you change VPN server or reconfigure the tunnel, the system may let DNS queries escape outside the VPN even when "Block connections without VPN" or the app's kill switch is enabled.

This occurs at the critical moment when the old tunnel is closing and the new one is not yet fully operational. In that window, the device can resolve domains over a direct connection. This breaks the expectation of a user who has activated every protection believing that no packet will leave unencrypted.

To mitigate this behavior, Mullvad proposes a trick: during these internal changes, the app can maintain a "fictitious" or transitional VPN that makes Android believe a tunnel is still active and stops it from routing traffic through the normal channel. It's an ingenious workaround, but it doesn't address the root of the problem, which lies in Android's internal logic.

Ultimately, the real fix must come from Google at the operating system level. Until that happens, VPN apps are tied to the limitations of the VPNService framework and to the behavior that Android itself decides for network verification and tunnel management.

Structural limitations: what VPN apps can't control

One point that often goes unnoticed is that VPN apps on Android, however good they may be, do not have absolute control over all system traffic. They rely on the API Android offers: they create a virtual interface, define routes, and ask the system to hand them packets, but there are system components that can keep using their own paths.

Connectivity verification, captive portal detection, and other internal services may bypass the tunnel without the app being able to intercept them. Nor is it trivial for an app to change how the framework behaves when the network switches from Wi-Fi to mobile data or when a new network profile appears.

Therefore, even though providers add sophisticated features (kill switch, firewall, DNS leak protection, split tunneling, etc.), there is a hard limit: if the operating system decides to send something outside the tunnel, the app can't completely prevent it. The most it can do is try to work around those decisions, be transparent with the user, and press Google to improve the API.

These limitations are not exclusive to Android. On iOS, for example, providers like NordVPN have also described serious problems with the behavior of Apple's VPN API, to the point that new features designed to prevent certain leaks have ended up causing internet outages and errors in client updates. The operating system always sets the terms.

The role of kill switches and ExpressVPN's "network protection"

To partially compensate for these system shortcomings, many services include their own emergency shutdown mechanism or kill switch. In the case of ExpressVPN, this feature is called “Network protection” in the Android app and it comes enabled by default on compatible mobile phones and tablets.

The idea is simple: if the VPN drops unexpectedly (a network failure, a sudden change of connection, a bug, etc.), the app immediately blocks internet traffic from applications that rely on the tunnel. This prevents that data from leaving over the normal network unencrypted while the client tries to reconnect.

An important point is that, with this network protection, the apps you've excluded from the VPN via split tunneling keep their connection even if the tunnel breaks, while apps using the VPN lose internet access. Furthermore, ExpressVPN clarifies that if you manually disconnect the VPN, network protection is not activated; the system assumes you chose to browse unprotected.

Beyond its own protection, ExpressVPN also recommends enabling the Android system settings "Always-on VPN" and "Block connections without VPN" for the app. In that scenario, Android blocks all traffic when the VPN is not running, even if you disconnected it manually, and split tunneling and access to local devices (printers, PCs, TVs, etc.) are disabled. From a privacy standpoint, this is a rather restrictive approach.

NordVPN, tunnel vulnerabilities, and measures in other systems

Other providers have approached leaks from different angles. NordVPN has documented vulnerabilities such as TunnelCrack and TunnelVision, attacks that affect the VPN industry as a whole. They rely on network tricks (for example, using IP addresses outside the standard private ranges, or manipulating DHCP) to force some user traffic out of the tunnel.

On systems like macOS and iOS, NordVPN has introduced features such as "Stay invisible on a local network", which adjusts the VPN interface parameters to reduce the device's exposure on the LAN and blocks potential bypass paths. It also warns when you connect to potentially dangerous networks and detects suspicious IP ranges.

However, on iOS they have run into significant limitations and Apple bugs that cause connection blocks or client update failures when this feature is active. NordVPN acknowledges that, until Apple fixes its own API, its room for maneuver is limited, which again shows that the operating system is in charge.

On Linux and Windows, by contrast, NordVPN and other services have more room to maneuver: they can modify the system firewall and create rules that block any traffic outside the VPN. There, an "all or nothing" tunnel is more feasible, because you can program iptables, nftables, or Windows Firewall rules in a much more granular way than on Android.

Advanced options for businesses: Always-on VPN, per-application VPN, and EMM

In corporate environments, Android offers a range of tools that let IT administrators force work traffic through a VPN and reduce user errors. These tools are normally managed from an EMM (Enterprise Mobility Management) or MDM console.

The administrator can define an always-on VPN at the device or work profile level, so that Android automatically establishes the connection as soon as the profile starts. Additionally, the system VPN settings can be disabled to prevent employees from adding, modifying, or disabling connections on their own.

Another useful feature is per-app VPN. With it, the administrator defines either a list of apps that will use the VPN or a list of apps that will be excluded. You can't have both lists at the same time: it's either an allow list or a block list. If neither is defined, all traffic is routed through the VPN. This allows, for example, only corporate apps to use the VPN while the user's personal apps keep using the normal connection.

System restrictions also vary by Android version. In 5.0 and 6.0, if VPN settings are blocked, VPN applications fail to launch. On Android 7.0 and higher, on fully managed devices, the app designated as always-on VPN by the policy controller can start, but no other VPN app can. This gives companies a reasonable degree of control over what traffic can escape the VPN on work devices.
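As an added example (not code from the article or from any provider named in it), the following Kotlin sketch shows what a VPN app and an enterprise device policy controller can and cannot control through the Android API discussed above: the tunnel routes, DNS server and mutually exclusive per-app allow/disallow lists, the transitional "blackhole" tunnel of the kind Mullvad uses during server changes, and the always-on lockdown policy an EMM pushes. The class name `LockdownVpnService`, the function names, the tunnel address 10.64.0.2 and any package names passed in are constructed placeholders.

```kotlin
import android.app.admin.DevicePolicyManager
import android.content.ComponentName
import android.content.pm.PackageManager
import android.net.VpnService
import android.os.ParcelFileDescriptor
import android.os.UserManager

// Hypothetical VPN app service (constructed example, not a real product).
class LockdownVpnService : VpnService() {

    // Real tunnel. The VpnService API accepts either an allow list (only
    // these apps use the VPN) or a disallow list (these apps bypass it),
    // never both, which is exactly the per-app VPN rule described above.
    fun buildTunnel(
        dnsServer: String,
        allowedApps: Set<String> = emptySet(),
        disallowedApps: Set<String> = emptySet(),
    ): ParcelFileDescriptor? {
        require(allowedApps.isEmpty() || disallowedApps.isEmpty()) {
            "per-app VPN: use an allow list or a disallow list, not both"
        }
        val builder = Builder()
            .setSession("example-tunnel")
            .setMtu(1280)
            .addAddress("10.64.0.2", 32)  // constructed tunnel-side address
            .addRoute("0.0.0.0", 0)       // claim all IPv4 traffic ...
            .addRoute("::", 0)            // ... and all IPv6 traffic
            .addDnsServer(dnsServer)      // DNS is resolved through the tunnel
            .setBlocking(true)
        allowedApps.forEach { addApp(builder, it, allow = true) }
        disallowedApps.forEach { addApp(builder, it, allow = false) }
        // establish() returns the tun descriptor the app reads packets from
        // and writes replies to; null means the user revoked VPN consent.
        return builder.establish()
    }

    // Transitional "blackhole" tunnel for use while switching servers: it
    // claims every route but the app never reads or writes its descriptor,
    // so app packets are dropped instead of leaving over Wi-Fi or mobile
    // data. What it cannot do: traffic Android itself emits outside any VPN
    // (connectivity checks, captive portal probes) is unaffected.
    fun buildBlackholeTunnel(): ParcelFileDescriptor? =
        Builder()
            .setSession("example-blackhole")
            .addAddress("10.64.0.2", 32)
            .addRoute("0.0.0.0", 0)
            .addRoute("::", 0)
            .establish()

    private fun addApp(builder: Builder, pkg: String, allow: Boolean) {
        try {
            if (allow) builder.addAllowedApplication(pkg)
            else builder.addDisallowedApplication(pkg)
        } catch (e: PackageManager.NameNotFoundException) {
            // Package not installed on this device: skip it, don't fail.
        }
    }
}

// Device policy controller side (the caller must be device or profile owner).
// Equivalent to ticking "Always-on VPN" + "Block connections without VPN"
// for vpnPackage and locking the user out of the VPN settings screen.
fun enforceAlwaysOnVpn(
    dpm: DevicePolicyManager,
    admin: ComponentName,
    vpnPackage: String,
    lockdownAllowlist: Set<String> = emptySet(), // apps exempt from lockdown (API 29+)
) {
    dpm.setAlwaysOnVpnPackage(admin, vpnPackage, /* lockdownEnabled = */ true, lockdownAllowlist)
    dpm.addUserRestriction(admin, UserManager.DISALLOW_CONFIG_VPN)
}
```

Even with `enforceAlwaysOnVpn` applied, the connectivity-check exceptions described earlier still leave the device outside any tunnel; the policy only removes the user's ability to weaken the configuration.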

Rethink DNS + Firewall, NextDNS, and VPN-free traffic blocking

Beyond traditional providers, there are tools like Rethink DNS + Firewall that use the Android VPN API to create a kind of local firewall with advanced DNS filtering. It is common to combine it with services like NextDNS to block ads, trackers, certain ports (like 80) or protocols (like UDP, except for DNS and NTP), and to prevent DNS leaks.

A typical advanced-user configuration would be: Rethink as a local VPN, NextDNS as the custom DNS provider, critical ports blocked, DNS leak prevention enabled, and custom blocklists in place. On top of this, you can add per-app firewall rules, for example blocking the Gboard keyboard from accessing the network, or excluding a browser so it uses a different NextDNS profile as a sandbox with ads and trackers allowed.

What many users observe is that, with only "Always-on VPN" enabled, everything seems to work reasonably well, but when "Block connections without VPN" is also enabled, connection problems appear in certain apps: some stop loading content, others only partially load resources such as images or scripts.

This doesn't necessarily mean these applications are maliciously trying to bypass Rethink. In many cases, they use network mechanisms that conflict with the strict firewall and the total-blocking policy: for example, services that need to discover local devices, check direct connectivity for streaming, or use protocols that the VPN or firewall does not allow.

Why some apps fail when you block VPN connections

From an app's perspective, the system normally offers a fairly transparent network stack. But when you have an always-on VPN that also blocks non-tunneled connections, plus a Rethink-style firewall filtering by application and protocol, any slightly unusual network behavior can clash with that strict configuration.

Many modern apps rely on auxiliary services from Google (e.g., Play Services) or from manufacturers to check network status, perform DNS fallback, use QUIC/HTTP3 over UDP, or discover local devices. If your VPN/firewall blocks UDP, filters NTP, limits DNS to a specific provider, and on top of that Android doesn't allow exits outside the tunnel, some of those alternative routes stop working.

The visible result is that certain applications seem to lose internet access or only manage to load parts of their interface. This isn't always because they're actively trying to bypass the VPN; often it's simply that they expect access to channels you have decided to close for security reasons. The conflict between functionality and extreme privacy is unavoidable here.

The reality is that, even with this combination of settings, you'll still have the exceptions that Android reserves for itself (connectivity, specific DNS settings, etc.), but some user apps will have legitimate paths they were trying to use blocked. Fine-tuning firewall rules, reviewing which ports and protocols you're blocking, and adjusting lists of apps that can use the VPN can mitigate these problems without completely sacrificing a high level of protection.

How to disable and manage your VPN on Android when something goes wrong

Sometimes, to diagnose problems or restore functionality in a specific app, there is no option but to temporarily disable the VPN or relax the restrictions. Android lets you do this in several ways: from the VPN app, from the quick settings in the status bar, or from the network settings section.

The most common way is to open the VPN app itself (for example, X-VPN, ExpressVPN, NordVPN) and press the large on/off button. In most interfaces, the status changes from "connected" to "disconnected", and the VPN icon disappears from the status bar. If the button is unresponsive, you can force-close the app, restart your phone, or, as a last resort, uninstall it.

Another quick option is the VPN icon in the quick settings of the status bar. Depending on the brand (Samsung, Pixel, OnePlus, Xiaomi, Motorola, etc.), that icon either disconnects with one tap or simply opens the app. On some models it only appears while there is an active VPN connection and disappears when it is disconnected.

Finally, you can always go to Settings → Network & Internet → VPN (the path varies) and disable the connection from there. If you see the switch turning itself back on, check the "Always-on VPN" settings: when enabled, Android automatically tries to reconnect the VPN, so you'll need to uncheck that box in each profile to truly disconnect it.

When does it make sense to disable the VPN or relax the blocking?

Although the goal here is to prevent traffic from leaving the VPN, there are real-world situations where it may make sense to disconnect the VPN or temporarily disable the blocking of connections without a tunnel. It's not about sacrificing security, but about balancing it with usability.

Some banking and streaming services use very aggressive VPN detection. If they detect that you're connecting from behind a shared server or from a suspicious location, they can block access or display errors. In such cases, for a specific, controlled task, it may be reasonable to connect directly, provided you do so on a trusted network and for the shortest possible time.

When traveling, there are countries where the use of VPNs is heavily restricted or outright prohibited. To comply with local regulations, you may need to turn off your VPN at certain times or use only approved services. Again, the important thing is to be aware of the risks and take extra precautions (avoid accessing critical accounts, sensitive transactions, etc.).

Another common situation is noticing sudden drops in speed or latency spikes, for example when playing online games or streaming in high quality. Sometimes simply changing server or protocol is enough (WireGuard is usually faster than OpenVPN), but on very demanding connections some users choose to disable the VPN for that specific task, especially if they are not on a public network.

Alternatives to turning off the VPN: protocols, split tunneling, and a good provider

Before giving up and browsing unprotected, it's worth exploring less drastic alternatives. One of the most effective is to change VPN protocol: switching from a heavier one like OpenVPN to a lighter one like WireGuard or IKEv2 usually improves speed and stability without sacrificing much security.

Another key option is split tunneling. This feature lets you choose which apps go through the VPN and which go direct. For example, you can configure your sensitive apps (email, messaging, main browser) to use the VPN tunnel, while games or services that are particularly sensitive to VPNs use the normal connection. Some services, like X-VPN, even allow rules per URL, for even more precise control.

Choosing a reputable provider is also essential. A good VPN service cares about minimizing leaks, keeping clients updated, documenting its limits, and not overloading servers. In contrast, many free VPNs rely on aggressive advertising, telemetry, or unclear business models, which directly contradicts the goal of privacy.

If you combine a good provider with modern protocols, well-configured system settings (always-on VPN + blocking), and additional tools like Rethink or NextDNS when needed, you can significantly reduce the amount of traffic leaving the VPN without having to constantly disconnect and reconnect.

Ultimately, understanding how Android handles VPNs, what exceptions it applies, and the true extent of the "Always On VPN" and "Block Connections Without VPN" options allows you to make more informed decisions: configuring your phone so that almost everything goes through the VPN, accepting that there are some design flaws that can't be completely eliminated today, and combining apps, protocols, and good habits to ensure your privacy is as well protected as possible within the system's actual limitations.