iOS App Randomly Reconnects to United States Servers instead of Country I Click On

I’ve been having this issue with ProtonVPN for the last month or so where, when I go to connect to a VPN server, even if I choose a specific server in another country, it has a random chance of quitting on that server while connecting and instead doing a Quick Connect to the United States, and it’s driving me BANANAS. I do not want to constantly be connected to America at all times.

I’m on the latest version of the app running the latest iPadOS, and I’m on the free plan.

Is anyone else experiencing this issue?

Hi! Could you let us know which exact servers (e.g. CH#10) you’re trying to connect to when this behavior occurs?

Was this behavior present with previous versions of the Proton VPN app, or did it begin after updating?

Are you using any other VPN, proxy, or custom DNS services on the same device? What about any antivirus, firewall, or networking monitoring applications?

Lastly, what type of internet connection are you using (home/work/school/public)?

Please reach out to us through the ‘Report an issue’ option in the app menu so we can assist you further. Meanwhile, please try switching between the available connection protocols to see if the behavior improves (https://protonvpn.com/support/how-to-change-vpn-protocols/).

Can you please try putting this other country that you choose instead of the USA on the Quick Connect option? So next time the app needs to reconnect, it will do so with your preferred country…

I am using the free plan, so I only have access to free servers in the United States, the Netherlands, and Japan. It happens very inconsistently, but when it does happen, it does not matter what server or country I choose, as far as I can tell.

This began only after I updated to the latest version, and after I updated my iPad to the latest version.

Whenever I connect to a new Wi-Fi, I always manually set the DNS in the Wi-Fi settings to all 6 of Quad9’s server addresses, specifically their IPv4, IPv6, HTTPS, and TLS addresses.

I also use the AdGuard app with DNS protection enabled, though I often disable it so I can watch reward ads in some mobile games I have, and sometimes forget to re-enable it. The DNS protection makes use of a local VPN that just leads back into the device so AdGuard can process requests and block ad connections, and it allows for split-tunneling with apps like ProtonVPN which add “Personal VPN” profiles. I have the DNS in the app set to Quad9 DNS-Over-HTTPS, and the implementation mode is set to AdGuard.

I use my home Wi-Fi.

I usually use the IKEv2 protocol, as I have always found it to be the most reliable one for getting me past very tough internet filters whenever I’m in a place with such filters and VPN-blocking firewalls. It would take quite a while for me to figure out if switching protocols would help because of how inconsistent this is.

It took a few days without it happening, but when it finally glitched again today, I managed to catch it on video. I had just enabled AdGuard DNS protection, hence why the VPN icon is already visible in the status bar in the top-right. Here is the video: https://youtu.be/k6zHRnlUeYg

Note that it does not always happen after enabling AdGuard DNS, and sometimes it just happens out of the blue. Sometimes it can take multiple tries before it stops switching to the US, and sometimes it goes a long time without happening. I’ve got no clue why it happens.

Thank you for the additional details. We really appreciate it.

It’s worth noting that each Proton VPN server runs a DNS server as well, and our native apps have a default DNS leak protection feature that forces your internet connection to resolve DNS queries via our DNS servers. This means that when you are connected to Proton VPN, your DNS queries go through our encrypted VPN tunnel.

If you’re using some custom DNS settings, they may override our own DNS servers and will utilize the DNS server that you have specified, which could lead to Proton VPN misbehaving. With that in mind, could we trouble you to try disabling any third-party DNS services and settings, solely for testing purposes so we can rule out the possibility of any interference? Also, if you’re using any other VPN services, make sure to temporarily disable them as well.

If the issue still persists, please contact us via the ‘Report an issue’ option in the app menu as previously mentioned so that our technical team can have a look at the connection logs. The logs would help us understand what exactly is happening.

Interesting, I didn’t know ProtonVPN provided their own DNS servers.

Since I have no idea the next time it’s going to happen, I decided to use Report an Issue now, while yesterday’s events still exist in the logs.

Since I use YouTube a lot, which bypasses adblockers on iOS anyways (screw Adsense it can burn in hell), and since ProtonVPN provides their own DNS, I suppose I could disable AdGuard and my custom DNS settings for the time being, to see if it changes anything. That would leave only ProtonVPN running.

Oh, and it seems that in the time since I reported this issue, there’s been a new update. Should I update now or would it make things more complicated to figure out?

We’ll probably ask you to update anyway during the troubleshooting process if you’re not on the latest version, so might as well do it 🙂

UM

I updated and they removed like half the protocols, including IKEv2 which I usually use!

Scratch that, they removed ALL the protocols except Smart, WireGuard, and Stealth!

After stressing out for some time, I did some research because I was concerned about the removal of some of these protocols, and I am finding that removing IKEv2 may interfere with apps such as AdGuard.

Apple does not like users having free rein to use their devices how they wish, and that extends to split-tunneling. They micro-manage how users can split-tunnel between different apps and using different VPNs. A screenshot linked below shows how that happens. One app has to add a “Personal VPN” configuration, and the other a “VPN Configuration” configuration, in order for both to be active.

What I am finding is that Apple only allows certain protocols into the “Personal VPN” section. IKEv2 is one of them, and removing support will put it into conflict with other apps. I will no longer be able to use AdGuard and ProtonVPN together if I cannot connect through IKEv2, and my lifetime Pro license with the app would take a severe hit. I paid for AdGuard. And other people using other apps that utilize split-tunneling will face the same problem.

Can you explain this to the development team, and ask them to reconsider and add IKEv2 back in?

Link to screenshot: https://imgur.com/a/niRBgLz

OpenVPN and IKEv2 were removed due to security issues.

https://www.reddit.com/r/ProtonVPN/comments/15lwgdi/please_respond_to_new_findings_on_vpn/jvqvb84/?context=3

I don’t think protocols with security issues are coming back. However, in the future, there are customization improvements planned for Netshield:

6 - We do plan introducing per-user customization of block lists. However, this is a feature that is technically complex to implement at scale (it’s basically implementing a per-session completely custom firewall). So it’s indeed in our backlog.

Custom DNS has also been requested before.

https://www.reddit.com/r/ProtonVPN/comments/149nu60/netshield_how_can_the_community_help_questions/jo7xhp6/

That being said, I feel you, for I have used IKEv2 for additional customization as well, similar to you but with another app. IKEv2 was already for some time not recommended anymore; however, in my use case, for me it was fine, as I deemed the customization + Proton VPN app more important.

Now that the only way forward would be to use IKEv2 externally (not via the Proton VPN app), I’d suggest using WireGuard instead. I’ll be posting a WireGuard + NextDNS guide in the next few days, to use Proton VPN with WireGuard & NextDNS on Apple devices. This will allow further customizations again.

Is there any other protocol in that short list of “Personal VPN”-allowed protocols that can be added so that ProtonVPN still supports split-tunneling on iOS?

Over the last year, I’ve been having grievances with my current browser, the DuckDuckGo browser, building up. For some time I’ve been recognizing that it’s coming very close to that point where it’ll overcome my attachment and familiarity to the app, but I’m not yet ready to switch…

I’ve had my eye on the Brave browser for iOS, which offers pretty much as much adblocking and other protections as uBlock Origin does, and my initial snooping in the app, with this and other features, has blown me and all my expectations away. I’m not yet ready to switch, so I’ll keep using ProtonVPN IKEv2 with AdGuard Pro DNS Protection split-tunneling for the time being, but this new vulnerability in IKEv2 adds another item to the proverbial shelf – and a particularly big one, at that.

Once I switch browsers I’ll start using WireGuard, as I will have no more need for AdGuard’s DNS protection outside of blocking ads in mobile games, and only when the games are running.

Also, I’m curious – if, in the future, Apple patches their protocols or develops new ones which do not have these vulnerabilities, and they allow those protocols to be added as a Personal VPN, could ProtonVPN consider adding support for it?

If using the Personal VPN slot is a ‘must’ in your use case, it’s worth noting that you can still use IKEv2 as a manual configuration: https://protonvpn.com/support/protonvpn-ios-manual-ikev2-vpn-setup/

But we would discourage it due to the vulnerability referenced above.

Once I switch browsers I’ll start using WireGuard, as I will have no more need for AdGuard’s DNS protection outside of blocking ads in mobile games, and only when the games are running.

In an advanced use case, I think it always makes sense to have a system wide blocking solution active. There are even some iOS trackers or “metrics” itself that can be blocked in this way.

Also, I’m curious – if, in the future, Apple patches their protocols or develops new ones which do not have these vulnerabilities, and they allow those protocols to be added as a Personal VPN, could ProtonVPN consider adding support for it?

I’d not rule that out (personally speaking). However, a new VPN protocol doesn’t pop out overnight, and the current IKEv2 issues have been reported to Apple multiple times.

As promised in my comment above, the guide is now posted:

https://www.reddit.com/r/ProtonVPN/comments/15x7q1q/guide_nextdns_proton_vpn_wireguard_doh3_on_ios/?

It looks like my time to switch to the Brave browser is coming, that’s the only other effective way I can block ads on my iPad and still use ProtonVPN. But I’m not yet ready to make the transition, so I’ll use this method for the time being, assuming this method does add it to the Personal VPN slot.

I didn’t know all the protocols were compromised this badly!

If Apple patches their protocols, or creates new ones which are secure against these attacks, and are allowed to be added as a Personal VPN, could there be a possibility ProtonVPN adds support for it?

Does NextDNS provide such system-wide protections like AdGuard does (and do they offer a one-time-payment life license or offer the protection with a free plan)?

If not, would manually adding AdGuard’s DNS server to my Wi-Fi settings in addition to or in lieu of Quad9 provide me with that protection?

Yes, under such a scenario, adding the secure protocols (or bringing them back) would certainly be taken into consideration by the team.

NextDNS is a DNS-level blocking service, so system-wide. There’s a free version up to 300k queries / month; if you need more, there are paid subscriptions. No single-time purchase.

With the upcoming guide, I do think Quad9 or AdGuard’s DNS servers could work as well using the same logic (mobile configuration profiles) (I didn’t test it); however, you have zero control over these DNS settings compared to NextDNS. That would mean it is effectively the same as when using Netshield, where you don’t have control either.