Most VPN "connections" do not actually capture all your traffic. Browser extension VPNs only cover the browser. SOCKS proxies only cover applications configured to use them. System proxy settings are ignored by many applications entirely. TUN mode is the only approach that captures all traffic at the operating system level, and understanding why matters if you are routing sensitive data through a VPN.

How Traffic Normally Flows

When an application (your browser, Claude Code, a Zoom call) wants to send data, it creates a network socket and sends packets through the operating system's network stack. Those packets go to your network adapter (Wi-Fi or Ethernet), through your router, to your ISP, and out to the internet.

A VPN needs to intercept these packets before they reach your physical network adapter and route them through an encrypted tunnel instead.

Three Approaches to Traffic Capture

1. Browser Extension (HTTP Proxy)

A browser extension VPN intercepts traffic from the browser only. It works by setting a proxy within the browser's network settings. The browser sends its HTTP/HTTPS traffic through the proxy, which encrypts and tunnels it.

What it misses: Everything outside the browser. Terminal commands (Claude Code, npm, git, curl). Desktop applications (Zoom, Slack, Discord). Background services (file sync, update checks). System-level connections. If you use Claude Code in your terminal while your browser VPN is active, Claude Code's API calls go directly through your ISP.

2. SOCKS Proxy

A SOCKS proxy operates at a lower level than HTTP proxies. Applications can be configured to route traffic through a SOCKS proxy, which supports more protocols than just HTTP.

What it misses: Any application not explicitly configured to use the proxy. Most CLI tools, system services, and many desktop applications do not respect system proxy settings. You must manually configure each application, and many do not support SOCKS configuration at all.

3. TUN Mode (Virtual Network Adapter)

TUN mode creates a virtual network adapter at the operating system level. The OS is configured to route all traffic through this virtual adapter. Every network request from every application and every process goes through the VPN tunnel.

What it misses: Nothing. All IP traffic is captured at the OS level. There is no application that can bypass it (short of directly interacting with the physical network adapter, which standard applications do not do).

Why TUN Mode Matters for Security

If you are using a VPN to protect your identity from AI companies (Anthropic, OpenAI, Google), browser-only or SOCKS proxy VPNs leave your terminal traffic exposed. Every Claude Code command, every npm install, every git push goes directly through your ISP -- exposing your China IP to every service you connect to.

TUN mode is not optional for AI developers in China. It is the minimum viable security configuration.

How TUN Mode Works Technically

TUN (network TUNnel) creates a virtual point-to-point network device. The VPN client:

  1. Creates a TUN device (virtual network adapter)
  2. Assigns it an IP address on a virtual subnet
  3. Modifies the OS routing table to send all traffic through the TUN device
  4. Reads packets from the TUN device, encrypts them, and sends them to the VPN server
  5. Receives encrypted packets from the VPN server and writes them back to the TUN device

On Windows, this typically requires a driver like Wintun to create the virtual adapter. Administrative privileges are needed to install the driver and modify routing tables.
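
Step 3 decides whether the tunnel really covers everything, so it is worth auditing by replaying the OS's longest-prefix-match route selection over the routing table. The following is an added example, not code from this article or from any VPN client; the interface names (tun0, wlan0), the addresses, and the layout with two /1 routes overriding the default are constructed assumptions.

```python
import ipaddress

# Constructed routing table as it might look after a client enables TUN mode.
# Interface names and addresses are illustrative assumptions.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "wlan0"),        # original default route, left in place
    ("0.0.0.0/1", "tun0"),         # two /1 routes cover all of IPv4 and
    ("128.0.0.0/1", "tun0"),       #   win over /0 by being more specific
    ("203.0.113.10/32", "wlan0"),  # VPN server: must bypass the tunnel
    ("192.168.1.0/24", "wlan0"),   # local LAN stays on the physical adapter
    ("10.8.0.0/24", "tun0"),       # virtual subnet assigned to the TUN device
    ("::/0", "wlan0"),             # IPv6 default never moved to the tunnel
]


def egress_interface(routes, dest):
    """Return the interface chosen for dest by longest-prefix match."""
    addr = ipaddress.ip_address(dest)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_iface = net, iface
    return best_iface  # None means no route at all


def find_leaks(routes, tun_iface, probes):
    """Map each probe destination that would NOT leave via the TUN device."""
    leaks = {}
    for dest in probes:
        iface = egress_interface(routes, dest)
        if iface != tun_iface:
            leaks[dest] = iface
    return leaks


if __name__ == "__main__":
    # Constructed probe destinations: both halves of IPv4, plus one IPv6.
    probes = ["20.0.0.1", "198.51.100.7", "2001:db8::1"]
    for dest, iface in find_leaks(SAMPLE_ROUTES, "tun0", probes).items():
        print(f"LEAK: {dest} would leave via {iface}")
```

On a real host the table would come from the OS (for example `ip route` on Linux or `route print` on Windows) instead of the constructed list.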

Bottom line: If your VPN does not offer TUN mode, it is not protecting all your traffic. For anyone using CLI tools, desktop applications, or AI development tools from China, TUN mode is essential.

