You are correct. I tested several of the normal ‘whole-system’ VPNs on Big Sur last week when this misleading headline came out and Apple traffic was correctly routed over the VPN in each case. (Both the built-in macOS VPN client and third-party tuns such as Viscosity, etc.)
My testing was not a comprehensive assessment of macOS-compatible VPN services and my selection was biased towards breadth of implementations disregarding all other criteria. It would be inappropriate for me to recommend any of them as I did not assess for quality of app, support, billing, or privacy.
If it adds a default route to your routing table when you connect, it's fine. If it offers fancy per-app traffic rules, it's probably not fine.
Ah, you're right, I missed something. None of my comments explain my testing method. I apologize; this was present in an earlier draft of the initial post and got lost along the way. The question asked was only "Which VPNs did you test?", not "What was your methodology", and I didn't catch the absence of the latter until you asked that in reply.
In summary, for each VPN app, I connected to the VPN and then wiretapped my computer to see if it originated unencrypted network traffic to any Internet destination other than the VPN while operating a variety of core macOS services on the exclusion list, such as Software Update and App Store.
In each case, I was able to witness Apple traffic on the VPN network interface but not on the Ethernet interface below it.
For anyone testing Mullvad, please keep in mind that they make use of the macOS packet firewall layer in addition to the usual VPN network interface, which may complicate my testing procedure if followed stringently as there might not be Apple traffic on any interface, VPN or not, in that scenario. Mullvad context is in another post: https://news.ycombinator.com/item?id=25116863
APPENDIX: Note that, as far as I can determine, existing TCP connections were not reset onto the VPN when it was connected. Since I was inspecting all traffic, not just Apple traffic, I ended up having to restart Slack a couple of times just to get it to switch over to the VPNs. I would imagine this should be studied more closely, since it was a surprise to me.
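An added example that is not part of the thread or of any VPN product named in it: a small POSIX shell check that mirrors the method described above (default route must point at a tunnel interface; nothing on the physical interface may talk to anyone but the VPN server). The routing table and capture lines are constructed here so it runs offline, and the VPN server address 203.0.113.10 and interface en0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the HN thread. On a real Mac you would feed the two
# functions `netstat -rn -f inet` output and a `tcpdump -n -i en0` capture.

VPN_SERVER="203.0.113.10"   # constructed: VPN endpoint public address (assumption)

# Constructed routing table in the shape of `netstat -rn -f inet` on macOS.
ROUTES='Destination        Gateway            Flags        Netif Expire
default            10.8.0.1           UGScg        utun3
10.8.0/24          link#18            UCS          utun3
192.168.1/24       link#6             UCS          en0
203.0.113.10/32    192.168.1.1        UGHS         en0'

# Constructed `tcpdump -n` lines from the physical interface (timestamps
# removed). 17.253.144.10 is a made-up host in Apple-style 17/8 space.
CAPTURE='IP 192.168.1.20.51234 > 203.0.113.10.1194: UDP, length 120
IP 192.168.1.20.52000 > 17.253.144.10.443: Flags [S], seq 1
IP 192.168.1.20.52001 > 17.253.144.10.443: Flags [S], seq 2
IP 203.0.113.10.1194 > 192.168.1.20.51234: UDP, length 88'

# default_route_ok: prints "ok" when the default route's Netif is a utun
# (tunnel) device, i.e. a whole-system VPN as the comment above describes;
# "fail" when the default route still leaves via a physical interface.
default_route_ok() {
  netif=$(printf '%s\n' "$ROUTES" | awk '$1 == "default" { print $4 }')
  case "$netif" in
    utun*) echo ok ;;
    *)     echo fail ;;
  esac
}

# count_leaks: number of packets on the physical interface whose source and
# destination are both something other than the VPN server. Zero is the
# expected result; anything else is traffic that bypassed the tunnel.
count_leaks() {
  printf '%s\n' "$CAPTURE" | awk -v vpn="$VPN_SERVER" '
    /^IP / {
      src = $2; dst = $4
      sub(/:$/, "", dst)                 # drop trailing colon after dst
      sub(/\.[0-9]+$/, "", src)          # drop port, keep address
      sub(/\.[0-9]+$/, "", dst)
      if (src != vpn && dst != vpn) leaks++
    }
    END { print leaks + 0 }'
}

echo "default route: $(default_route_ok)"
echo "leaked packets on physical interface: $(count_leaks)"
```

With the constructed data the route check passes but two packets leak, which is exactly the "Apple traffic on the Ethernet interface" outcome the test is meant to catch.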
Their question could be confused by others as it's phrased. "my methods" includes both the VPNs I tested, and how I tested them. They correctly observe that I withheld all information about my methods, rather than only the component I intended to.
Someone else who didn't realize that I'd left out the methodology could possibly interpret their question as confused/misplaced/etc. I definitely wondered about that at first, but I took the good faith approach:
Because we are not owed anything by HN commenters. Floatingatoll posted what they wanted to post, and they have no responsibility to post anything more than that.
If you or I think there should be recommendations of which specific VPNs properly route Mac app traffic, then you or I can do our own tests and post our own comments with those results and recommendations.
I'm definitely frustrated that so many people (in top-level comments on HN, especially) are taking for granted some random Internet post without verifying it, but that's no excuse for the missing methodology.