VPN leakage on lost connection and apps

I spent a period in a country where I needed a VPN to access the internet. Not the entire planet has complete political freedom. I did not want to expose to the local ISP what I was doing on the net: the websites I was visiting and services I was using.


So I used a VPN connection. I configured two VPNs on my iPhone: a public commercial service and a private one set up remotely on my own server. Both showed exactly the same behavior.


I would expect that, with a VPN configured on the iPhone, all traffic is routed over the VPN and over the VPN only. That is, however, not what seems to happen. When the VPN connection gets lost, traffic automatically flows, without warning, over the open internet.


Example:

  • Browse to guardian.com using the VPN; the website is displayed
  • The VPN connection gets lost in the background
  • Click on a link in the webpage
  • Now the browser sends the request over the open internet, and the browser action is exposed (!!!!)


Furthermore, it seems that any app can decide what connection (wifi, mobile, vpn) it uses to connect.


Actually, lost VPN connections occurred frequently. I suspect the ISP is tracking usage and can see that

- all traffic is encrypted

- there is a connection to one server only

and suspects this to be a VPN connection, so a timeout or refusal is being enforced.


- Do you have the same experience?

- Is there a way to configure a VPN in the IP stack of the iPhone so that no connections can go around it?


This can be quite a serious issue for journalists and people in conflict areas.


Mac mini, macOS 10.14

Posted on Aug 8, 2023 6:41 AM

Question marked as Top-ranking reply

Posted on Aug 8, 2023 7:56 AM in response to Jan-Willem Arnold

You are perhaps likely to see conflicting advice concerning the use of VPN services. Providing that you understand both the benefits and potential limitations of a VPN, you can be your own judge as to suitability for your need. That said, INFOSEC professionals will recommend their use in many circumstances.


Not all VPN Apps are particularly secure, but some are better than others. How the VPN is configured is also critical to its security.


First, unless you are sufficiently skilled in configuring a VPN Gateway and client, you would be well advised to use a dedicated commercial VPN service and VPN client. You should avoid so-called free VPN Providers; only use a reputable paid VPN service.


Paid commercial VPN services make revenue through providing secure services - and have no ulterior motive (beyond legislation applicable in the hosting country/region) in monitoring your data. By contrast, free services have to be monetised somehow, if only to pay for the server infrastructure, power and running costs; if you are not paying for the service, then you (or your data) are the product. At that, I will leave that area of the discussion.


When using a commercial VPN Provider, be aware that your traffic will only benefit from the additional protection of the VPN between the client and the Provider’s VPN Gateway - at which point the tunnel terminates and your traffic is delivered to the Internet. Choosing the country within which your VPN Gateway is located can mitigate (or at least reduce) your exposure to malicious, commercial and nation-state monitoring beyond the protection of the VPN tunnel.


Much of your traffic already benefits from SSL/TLS and will remain (at least in part) encrypted. Other cleartext protocols (such as DNS - which reveals a lot of information about your activity) can be monitored - although DNS can be partially mitigated through use of DoH, DoT or ODoH with a trusted DNS provider; you simply need to select the provider that you least mistrust with access to this data.


When selecting and using a VPN client, you need to ensure that it is not configured to allow split-tunnelling - and is configured for a Persistent Connection. The latter may be identified by many titles and descriptions - and is often described as Connect On Demand, Kill Switch or similar. When properly configured, unless the VPN tunnel is established (or if it fails), no network traffic will leave your device. If the VPN connection fails, so too will your network connectivity.


When using a VPN, you should always choose an appropriate type - IKEv2 (with at least a strong pre-shared key - Certificate preferred) being recommended over proprietary or other significantly weaker VPN standards.


Notwithstanding legal restrictions that may be enforced in some countries, using a VPN can be technically difficult - as VPN traffic can be blocked at international or other Internet Gateways. Depending upon configuration, VPN traffic can be obvious by port/protocol - or can be detected through skilled (or automated) traffic analysis.
