Hacker News

Need to give the article author a lot of slack! If you are here, please read some more about networking :-).

Networking is dynamic; it takes many sequential steps to configure. There is no "ZAP, it is done." I don't know of an OS that locks out "user programs" until configuration is complete. Yeah, since networking is dynamic, that could never work -- "user programs" would be locked out forever!

At the start of the First Test, there are packets going to non-tunnel locations at the same time the VPN is being set up; not a surprise. Packet ordering / routing at this time granularity is also not surprising.

Need to take a moment to review the "drop everything when a VPN is up" standpoint. OS networking stacks don't really understand what a VPN is; it is just an endpoint to route packets to. A TCP connection has internal state that is bound to the addresses that were used when it was set up, which is tied to the state of the routing table. A new point-to-point endpoint, like a VPN, would invalidate that state. Most (many?) TCP/IP stacks keep a cache of the initial route on the socket. As long as that is still valid (or updated), that is where the packets go. Killing TCP connections for every (temporary) network flap would make a lot more people MAD.

The "DNS" connection to NextDNS with DoH is interesting. This 100% isn't coming from iOS itself. It doesn't support it. So it must be coming from an app. But what app, and how? There is a NextDNS app which up front claims "Encrypt all DNS queries on all networks with the official NextDNS app for iOS". The author does appear to have configured the router to use NextDNS; perhaps they also have that app installed, and it is also hijacking networking to do DNS? I dunno.

The "flood stuff" is interesting, but I think it might just be an attempt to perform STUN to make sure UDP traffic can be transported to Apple endpoints. I think the "second test" is the same thing happening again.

So what is left is the traffic being sent to apple endpoints. Now I wonder how the VPNs the author is using are implemented. The Big Sur VPN brouhaha was because apps were trying to implement a VPN using NEFilterDataProvider instead of a "tun" interface and routing. I wonder if this is just the same issue but on iOS.

Not related, but I do wonder what these VPN services offer in terms of "firewall" protection, or whether, when you use them, ALL ports are forwarded to your device. This would make all of their endpoints a "great target" for continuous scanning to get inside a network if the VPN user had something misconfigured, like, say, an experimental Apache, Nginx, PHP, Rails, Django or MySQL project. Doh. Methinks I should spend some currency and experiment. Sadly, black hats are probably already doing this.

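As an added example (not code from the comment above, nor from the article or any VPN app it discusses): a small flow-log classifier that separates the cases the comment runs together when it talks about "leaks" during VPN setup. It splits observed flows into traffic that finished before the tunnel existed, connections that were already open and kept their cached route across the change (the TCP-state behaviour the comment describes), the encapsulated tunnel transport itself, flows that actually went through the tunnel, and flows opened after the tunnel came up that still bypassed it. Only that last bucket is evidence against a VPN app's kill switch. The log format, the interface names (`en0`, `utun3`), every address and the VPN-up timestamp are constructed assumptions, not data from the article.

```python
"""Classify flows observed around the moment a VPN tunnel comes up.

Constructed flow-log format, one flow per line:
    <t_first> <t_last> <proto> <src>:<sport> <dst>:<dport> <out_iface>
with times in seconds from the start of the capture.  Nothing here is a
real capture; every address, interface name and timestamp is made up.
"""
from dataclasses import dataclass

VPN_UP_AT = 10.0             # assumed: when the tun interface got its routes
TUN_IFACE = "utun3"          # assumed tunnel interface name
VPN_SERVER = "198.51.100.7"  # assumed VPN endpoint (reached over the physical iface by design)

# Constructed sample flows (not captured from any real device).
SAMPLE_FLOWS = """\
0.5 30.0 tcp 192.168.1.20:50001 93.184.216.34:443 en0
2.0 3.0 udp 192.168.1.20:5353 192.168.1.1:53 en0
9.8 40.0 udp 192.168.1.20:61000 198.51.100.7:51820 en0
12.0 20.0 tcp 10.8.0.2:50002 93.184.216.34:443 utun3
14.0 15.0 udp 192.168.1.20:50003 1.1.1.1:53 en0
16.0 16.5 udp 192.168.1.20:3478 203.0.113.5:3478 en0
"""


@dataclass
class Flow:
    t_first: float
    t_last: float
    proto: str
    src: str
    dst: str
    iface: str


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed log format; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t_first, t_last, proto, src, dst, iface = line.split()
        flows.append(Flow(float(t_first), float(t_last), proto, src, dst, iface))
    return flows


def classify(flow: Flow, vpn_up_at: float = VPN_UP_AT) -> str:
    """Return which bucket a flow falls into relative to the tunnel coming up."""
    dst_ip = flow.dst.rsplit(":", 1)[0]
    if dst_ip == VPN_SERVER:
        return "tunnel-transport"        # the encapsulated tunnel itself; expected outside it
    if flow.iface == TUN_IFACE:
        return "tunneled"                # what a working VPN looks like
    if flow.t_last < vpn_up_at:
        return "pre-vpn"                 # finished before the tunnel existed
    if flow.t_first < vpn_up_at:
        return "pre-existing-continued"  # socket kept its cached route across the change
    return "new-outside-tunnel"          # opened after VPN up yet bypassed it: a kill switch must block this


def summarize(text: str, vpn_up_at: float = VPN_UP_AT) -> dict[str, list[str]]:
    """Group destination host:port strings by classification, in log order."""
    buckets: dict[str, list[str]] = {}
    for flow in parse_flows(text):
        buckets.setdefault(classify(flow, vpn_up_at), []).append(flow.dst)
    return buckets


if __name__ == "__main__":
    for bucket, dsts in summarize(SAMPLE_FLOWS).items():
        print(f"{bucket:24s} {', '.join(dsts)}")
```

On a real device the per-flow egress interface and the tunnel-up time would come from a capture that records the interface (for example one taken on each interface in parallel) plus the VPN app's or system log's timestamp for the route change; this classifier says nothing about which process opened a flow, so it cannot by itself tell an app's DoH resolver from a system daemon.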