Thursday, February 25, 2021

One-to-One IP Targeting

El Toro:

Specifically, El Toro offers: Targeting without having to use cookies, census blocks, or geo-location tools.

John Gruber:

Why doesn’t Apple build a VPN into its OSes? Or as an offering of paid iCloud accounts at least? At this point, if privacy truly is a paramount concern, it might be necessary to do everything over a trusted VPN. IP addresses are inherently not private.

I’ve wondered about this, too. Privacy as a service seems like a natural fit for today’s Apple. Sure, there are already lots of VPN services, but it’s hard to know which ones can be trusted.


7 Comments

Apple doesn't encrypt iCloud backups, including all the messages you send to someone who uses iCloud Backup, which leaves them able to be subpoenaed by law enforcement. Why would anyone trust they'd operate a VPN any differently?

Apple is too big, and too vulnerable to regulatory leverage, to be able to operate a properly secure VPN service. The best they'd be able to offer is some sort of "differential privacy" proxy, that's still getting *some* advertising information, but just not your name. In fact, knowing Apple, their "VPN" would be an exquisitely accurate tracking system, to which they can be forced to hand over access when some 3 letter goon squad arrives with a court order.

I don't think Apple actually cares, since it's such a hassle to prevent leaking network traffic. They opted for convenience over privacy and safety, to automatically connect to wifi networks, even unsecured, just by name and not providing any mechanism to easily prevent leaks. As soon as you connect, all kinds of apps and services start to send traffic even if you do your best to activate the VPN as soon as you can.

I've been struggling for years with Little Snitch to create an environment that doesn't do any extra network requests unless you're connected to the VPN, but that is such a hassle to set up properly. It should have been a built-in switch in both iOS and macOS that took care of it completely and safely.

macOS has a VPN client implemented (IPSEC only, though). What you're probably asking for is a VPN service (server), right?

Those, however, due to the fact that most users are using Routers with NAT, will have difficulty working on a local Mac behind a NAT router. Here, Apple's recently abandoned BackToMyMac service would have helped, but only somewhat.

My DSL routers (FritzBox by AVM, very popular in Germany) offer their own VPN server. And I've been using them for years. Setup is fairly easy (good guidance in UI provided) on the router. It requires me to sign up with a DynDNS service, though.

Also, macOS lacks built-in support for the protocol the router offers, which is OpenVPN.

Here's what Apple could do to mitigate this:

1. Add an OpenVPN client (I suspect they won't because it's again due to some open source licensing restriction) to their Network VPN settings.
2. Bring back BTMM so that we do not have to use a separate DynDNS service.
3. Optionally provide an API so that Router manufacturers can talk to BTMM to update the public IP address, just like other DynDNS services do.
4. Offer a tunneling service, based on iMsg or iCloud so that BTMM works even through NAT, without the need to set up a VPN service on the router. I'd even pay for it, just like I already pay for the extra iCloud storage.


Maybe I got this wrong. What Gruber asks for is not a VPN connection to his home Mac while being on the road with a laptop, but to be routed thru an "anonymous" portal that hides his true IP address.

Meh, totally different thing than what I wrote about above.

And yes, Apple could totally offer that along with their paid iCloud service. Will slow down internet access though. So there's potential for it working not as well, and then people will openly complain about it without understanding the reasons, and Apple will then be looking bad, which they want to avoid - then rather not offer it at all.

I, BTW, have set up my own $5/month virtual server at DigitalOcean. See

@someone A VPN doesn’t inherently need to store anything. But, yes, if you’re trying to hide from three-letter agencies you probably shouldn’t rely on Apple services. The mainstream doesn’t worry about that, though.

"macOS has a VPN client implemented (IPSEC only, though). What you're probably asking for is a VPN service (server), right?"

macOS Server had a VPN server, too, up through 2018 (5.7).

VPNs strike me as a shady racket. Running a clean legit VPN is probably too much work w/ little upside for Apple. 95% of the VPN traffic hitting our websites is hacker & spammer requests. VPNs predominantly use shady ASN/ network / data-centers.
