Checked for UK readers: 29 June 2026

Treat Android VPN reliability as a network-change problem

Android moves between UK mobile data, home Wi-Fi and public networks while battery rules, Private DNS, IPv6 and always-on settings affect the tunnel.

UK network and device context

Connection or deviceWhat to checkA good first step
EE5G/4G handover, IPv6 and CGNATCompare stationary mobile data with trusted Wi-Fi
ThreeCGNAT, signal and busy-cell variationTest one nearby UK endpoint and another protocol
O2Mobile handover, DNS and battery controlsDisable battery optimisation only for a trusted VPN app
VodafoneIPv6, data saver and app permissionsCheck always-on and block-without-VPN settings
Home Wi-FiRouter DNS, filtering and weak wireless signalTest close to the router and compare mobile data

Where to start

  1. Install the provider app from Google Play or its verified source.
  2. Check Private DNS, always-on VPN and block-without-VPN settings.
  3. Exclude the trusted app from battery optimisation only if reconnects fail.
  4. Test Wi-Fi to mobile handover and sleep or wake.
  5. Verify IPv4, IPv6 and DNS after each change.
  6. Remove old VPN profiles that you recognise and no longer use.

Common questions

Why does Android disconnect in the background?

Battery optimisation or vendor power management may suspend the VPN app.

Why does mobile data fail while Wi-Fi works?

Carrier IPv6, CGNAT, signal or protocol handling can differ from the home network.

Should I enable block connections without VPN?

It offers stronger leak protection but can leave the phone offline until the tunnel recovers.

This page covers the usual case; your device, provider or network may behave differently. Follow UK law, account rules, administrator policy and platform terms.

SmartAdvisorOnline logo SmartAdvisorOnline PROXY • VPN • Privacy
Updated: 2026-06-25

VPN on Android in the UK: EE, Three, O2, Vodafone and Wi-Fi fixes

By Denys Shchur • Updated • Engineering-grade Android privacy guide
Quick Answer
Always-on VPN on Android routes network traffic through a VPN tunnel created by the VpnService API (a virtual interface like tun0). To get real protection, you must enable Block connections without VPN and verify IPv6 is protected (many 5G networks are IPv6-first). Otherwise, you’re encrypted only part of the time.
CTO note: Android is “chatty”. Even with a VPN, your phone may still talk to system services (location assistance, captive portal checks, push services). A VPN is necessary, but your system settings decide whether traffic can leak outside the tunnel.
Android VPN architecture: Always-on VPN, kill switch and IPv6 protection

Why Android privacy is harder than desktop

On a laptop, a VPN is usually a clean story: one network adapter, one routing table, one DNS path. On Android, you have additional identity signals (Google Play Services, cellular network identifiers, Wi‑Fi scanning, GPS assistance) and a more aggressive power manager that can pause background tasks. A VPN protects IP-level traffic, but it cannot “turn off” how your phone is designed to identify networks.

The goal of this guide is not to list apps from Google Play. It’s to explain what Android actually does under the hood, and how to configure a VPN so it behaves like a system security feature, not a “sometimes-on” encryption layer.

The Android VPN framework (VpnService API)

What matters
Android VPN apps create a virtual network interface through VpnService. Your phone then routes selected traffic into that interface. If you do not enable the system-level Always-on and Block without VPN, Android can still send traffic outside the tunnel during reconnects, sleep, or crashes.

What is tun0 and why it matters

When you connect a VPN on Android, the OS creates a virtual interface (often visible as tun0) and gives the VPN app a controlled way to read and write packets. The VPN app encrypts those packets and sends them to the VPN server over UDP/TCP. This is user-space networking.

Kernel vs user-space: why WireGuard often feels “instant”

WireGuard was designed to be simple and fast. On Android it still runs through app-space components, but its protocol is lightweight and tends to reconnect faster than OpenVPN. That reduces the “reconnect window” where packets might escape if your setup isn’t strict. If you want to understand protocols in depth, see Types of VPN Protocols.

Android VPN stack: what the OS controls vs what the app controls
Layer Controlled by What can break What to configure
Always-on + Block without VPN Android system Traffic leaks on reconnect/crash Enable both toggles (system settings)
Routing into tun0 Android + VPN app Split tunneling mistakes Decide which apps bypass VPN
DNS handling Android + VPN app DNS leaks / captive portals Use private DNS or VPN DNS; test it
Transport protocol VPN app DPI blocking on mobile networks Try WireGuard, OpenVPN TCP, or obfuscation
Battery management Android system VPN killed in background Disable battery optimization for VPN app

Battery impact: WireGuard vs OpenVPN on 5G

What matters
VPN battery drain depends on encryption overhead, reconnect behaviour, and radio state changes. As a rule, WireGuard is usually more battery-friendly than OpenVPN during streaming on 5G, but your chipset (Snapdragon vs Exynos) and signal quality can flip the result.

Most guides ignore power. But on Android, battery is security: when the OS kills your VPN app, your tunnel drops. Below is a practical comparison you can use as a baseline. Treat it as a “typical” range - your device, server distance, and network congestion matter.

Typical battery drain during 60 minutes of HD streaming on 5G (screen on, brightness ~60%)
Protocol Approx. drain Reconnect behaviour Best use case
WireGuard 6 - 10% / hour Fast handshake, short reconnects Everyday browsing, streaming, travel
NordLynx (WireGuard-based) 6 - 9% / hour Fast + stable roaming Best “set and forget” on Android
OpenVPN UDP 9 - 14% / hour Stable, but heavier Older networks, compatibility
OpenVPN TCP 11 - 16% / hour More resilient through DPI Restricted networks, hotel Wi‑Fi
IKEv2 7 - 12% / hour Good mobility, varies by implementation Quick reconnects, mixed networks

Battery Decay Calculator (quick estimate)

This is a simple estimator to compare protocols. It does not read your battery; it helps you reason about trade-offs.

Pick your protocol and time, then press “Estimate drain”.

Android Security Hardening Checklist (interactive)

What matters
The strongest Android VPN setup is system-level: Always-on + Block without VPN, correct DNS, and battery optimization disabled for the VPN app. The “app” matters, but the OS toggles decide whether leaks are possible.

Choose your Android version

You’ll get the exact toggles to check (names can vary slightly by vendor skins).

Select your Android version, then press “Show checklist”.

The 5G & IPv6 challenge

Many mobile operators run IPv6-first or IPv6-only infrastructure, then translate traffic for legacy IPv4 services. If your VPN only tunnels IPv4, your phone can keep using IPv6 “outside” the tunnel. That’s why Android VPNs must be tested specifically for IPv6.

Practical next step: run a leak test and verify both DNS and IPv6 are protected. If you want the baseline theory, see DNS Leak Protection.

IPv6 leakage on Android: common patterns and fixes
Symptom What it usually means Fix
VPN “connected”, but IPv6 address still visible VPN tunnels IPv4 only Enable IPv6 in VPN settings or switch provider/protocol
Some apps bypass VPN while browser is protected Split tunneling or vendor “optimised routing” Disable split tunneling and retest; add app-level rules carefully
Leaks after sleep / roaming VPN app paused by battery manager Disable battery optimization for VPN app; use Always-on

Split tunneling: power move (and the easiest way to leak)

What matters
Split tunneling can keep banking apps stable (some rely on local GPS or local IP reputation), while routing your browser and streaming apps through VPN. But misconfigured split tunneling can create “false safety” where only some traffic is protected.

The safest approach is to start with no split tunneling. Verify your tunnel is strict. Only then decide which apps may bypass VPN (for example, a bank app that flags VPN usage). For a deeper explanation of terms, see the VPN Glossary.

Tip: If you use split tunneling, re-check your system kill switch after every app update. Some Android skins reset VPN permission dialogs silently after major OS upgrades.

Restrictive networks and approved protocol fallback

On mobile networks, throttling and blocking is often DPI-driven (Deep Packet Inspection). If UDP-based tunnels keep dropping, try a TCP-based mode or an obfuscation/stealth option in your VPN app. It’s slower, but it can survive hostile networks. For encryption basics and why algorithms matter on phones, see VPN Encryption.

Where Android hides the real kill switch

Many users enable a “kill switch” inside the VPN app, but the OS-level control is what matters most. In Android settings, the kill switch is effectively Block connections without VPN. It prevents traffic from leaving your phone if the tunnel drops.

If you want a dedicated deep dive on this topic, read VPN Kill Switch.

Practical conclusion

Verdict (Denys Shchur): Using a VPN on Android isn’t just about an app from the Play Store. It’s about taking control of the VpnService API and plugging the IPv6 leaks that your mobile carrier relies on. If you aren’t using the system-level “Always-on” toggle with “Block without VPN”, you aren’t truly protected - you’re just encrypted occasionally.

FAQ

Does Android VPN protect all apps automatically?
Not always. Without system-level Always-on and “Block without VPN”, reconnect windows and vendor battery rules can allow some traffic outside the tunnel. Also, split tunneling can intentionally bypass the VPN for specific apps.
Why does my VPN disconnect on Android when the screen is off?
Battery optimization can pause background networking and stop the VPN service. Disable battery optimization for your VPN app, and enable Always-on VPN to force persistence.
How do I know if my Android VPN leaks IPv6?
Run a leak test and check both IPv4 and IPv6 addresses as well as DNS. If IPv6 remains visible while VPN is on, your tunnel likely protects IPv4 only. Switch protocol/provider or enable IPv6 support.
Is WireGuard always best on Android?
WireGuard is often faster and more battery-friendly, but network restrictions can break UDP tunnels. If your carrier or Wi‑Fi blocks UDP, OpenVPN TCP or a stealth mode may be more reliable.
Last verified by SmartAdvisorOnline Lab:
Leak Test (IP / DNS / IPv6 / WebRTC)
Verification date:

Related guides

  1. Start withVPN on Windows 10 and 11 in the UK: adapters, DNS and connection recovery
  2. Then readVPN on Mac in the UK: profiles, DNS, Private Relay and network extensions
  3. Related caseVPN on iPhone and iPad in the UK: mobile handover, profiles and Private Relay
  4. If something failsVPN troubleshooting on UK broadband and mobile networks