What should you know about Invisible on LAN and its limitations?

At Surfshark, our priority is your digital privacy. However, maintaining the highest security standards on certain operating systems—specifically macOS and iOS—sometimes creates a "Catch-22." 

To protect users from sophisticated network attacks, we provide the Invisible on LAN feature, even though it can lead to a restrictive user experience.

 

The Problem: TunnelCrack and TunnelVision

These are industry-wide vulnerabilities that affect how VPNs handle traffic on local networks. While our Android, Linux, and Windows clients are immune due to firewall configurations that prevent traffic from exiting the device outside the tunnel, Apple's platforms require a different approach.

  • TunnelCrack: Causes VPN traffic to leak when a router uses specific non-RFC1918 IP addresses, that is, addresses outside the private ranges normally used on local networks.
  • TunnelVision: A technique using DHCP configuration (including Option 121) to route traffic outside the secure VPN tunnel.

To mitigate these, a VPN must strictly control how the device interacts with the local network using Apple’s VPN APIs.
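
As an added illustration (not Surfshark's code and not part of the original article), the Python sketch below audits a DHCP lease for the two conditions listed above: a local network outside RFC 1918, and Option 121 routes (RFC 3442 encoding) that would carry non-local traffic outside the tunnel. The function names, the flagging heuristic and the sample leases are assumptions constructed for this example.

```python
import ipaddress

# RFC 1918 private ranges; a LAN outside them is the TunnelCrack precondition.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed leases (documentation ranges, not captured traffic).
ROGUE_LAN, ROGUE_OPT121 = "203.0.113.0/24", bytes.fromhex("0100cb007101" "0180cb007101")
HOME_LAN, HOME_OPT121 = "192.168.1.0/24", bytes.fromhex("00c0a80101")


def parse_option_121(data: bytes):
    """Decode RFC 3442 classless static routes into (network, gateway) pairs."""
    routes, i = [], 0
    while i < len(data):
        prefix = data[i]
        if prefix > 32:
            raise ValueError(f"invalid prefix length {prefix}")
        n = (prefix + 7) // 8  # only the significant destination octets are sent
        end = i + 1 + n + 4    # length byte + destination + 4-byte gateway
        if end > len(data):
            raise ValueError("truncated option 121 payload")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)
        net = ipaddress.ip_network((dest, prefix), strict=False)
        routes.append((net, ipaddress.ip_address(data[end - 4:end])))
        i = end
    return routes


def audit_lease(lan_cidr: str, option_121: bytes):
    """Return findings for one lease; an empty list means nothing was flagged."""
    findings = []
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    if not any(lan.subnet_of(p) for p in RFC1918):
        findings.append(f"TunnelCrack: LAN {lan} is outside RFC 1918")
    for net, gw in parse_option_121(option_121):
        # Heuristic (assumption): the plain default route (/0) is normal; any
        # narrower route for non-LAN space can outrank a VPN's tunnel routes.
        if net.prefixlen > 0 and not net.subnet_of(lan):
            findings.append(f"TunnelVision: option 121 route {net} via {gw}")
    return findings


if __name__ == "__main__":
    for lan, opt in ((ROGUE_LAN, ROGUE_OPT121), (HOME_LAN, HOME_OPT121)):
        print(lan, audit_lease(lan, opt) or "no findings")
```

A legitimate network may push Option 121 routes for its own internal subnets, so treat a TunnelVision finding as a prompt to inspect the lease rather than proof of an attack.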

 

The Catch-22 on iOS and macOS

Apple has confirmed the existence of bugs within their VPN API implementation but has not provided a clear timeline for a resolution. This puts VPN providers in an impossible position:

  • Option A (Convenience): Allow local network discovery, which keeps features like AirPlay and printing working, but leaves you vulnerable to traffic leaks.
  • Option B (Security): Enable Invisible on LAN to block these leaks. On iOS 14.2 and above, this can cause internet connections to crash and prevents the app from receiving client updates.

 

Common Symptoms

When Invisible on LAN is enabled, you may notice:

  • Inability to use AirDrop, screen mirroring, or local network devices (printers, NAS, smart home hubs).
  • Internet connection "crashes" when the app attempts to receive an update or under specific network conditions (common on iOS 16.4+).
  • Complete loss of connectivity that requires a device restart to reset the network stack.

 

Troubleshooting and Recommendations

If you experience connectivity issues while using this feature:

  • Restart your device: This is currently the only solution if the OS "locks" the connection after a crash.
  • Toggle the feature: If you are on a trusted home network and need to access local devices, you can temporarily disable "Invisible on LAN" in Settings > VPN Settings > Advanced Settings.
  • Check OS Version: This feature and its associated protections are only available for iOS 16 and above.
  • Use the Kill Switch: For maximum data safety, ensure both Invisible on LAN and the Kill Switch are enabled.

 

We continue to pressure Apple to implement the necessary fixes to their VPN API so we can provide a smooth, bug-free experience without compromising your security.
