VPN Support
Patronus is designed to preserve the active network policy instead of silently bypassing it. When a VPN or corporate proxy changes the protection path, the Desktop App reports the state and asks the user before changing modes.
Protection Modes
Patronus can operate through different protection modes:
- Extension Proxy uses the operating system’s traffic filtering capabilities.
- Regular Mode temporarily replaces the system proxy and restores the previous Proxy Baseline when protection stops.
Patronus does not automatically switch between these modes when VPN conditions make the current path unreliable. The Desktop App shows a notice and may offer an explicit mode switch.
Supported Upstream Proxy Boundary
Patronus initially supports preserving explicit HTTP or HTTPS upstream proxies with a host and port. If a VPN sets one of these, Patronus can chain traffic through it after observation.
Unsupported upstream configurations currently include:
- PAC-based proxy configuration,
- SOCKS proxies,
- inconsistent split proxy settings,
- upstream proxy authentication Patronus cannot safely satisfy.
When Patronus sees an unsupported upstream proxy, it blocks protection startup instead of falling back to direct traffic. This is intentional: bypassing a configured corporate or VPN proxy would violate the local network policy.
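The fail-closed boundary described above can be sketched as a single decision function. This is an added illustration, not Patronus code: the `ProxySnapshot` fields, the `decide` function and the action names are hypothetical, and treating "inconsistent split" as HTTP and HTTPS not both pointing at the same endpoint is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]  # (host, port)

@dataclass(frozen=True)
class ProxySnapshot:
    """Observed system proxy state. Field names are hypothetical."""
    http: Optional[Endpoint] = None
    https: Optional[Endpoint] = None
    socks: Optional[Endpoint] = None
    pac_url: Optional[str] = None
    auth_required: bool = False
    auth_satisfiable: bool = False  # credentials can be supplied safely

def _normalize(ep: Endpoint) -> Optional[Endpoint]:
    """Return (lowercased host, port), or None if host or port is unusable."""
    host, port = ep
    host = host.strip().lower()
    if not host or not isinstance(port, int) or not 0 < port < 65536:
        return None
    return (host, port)

def decide(s: ProxySnapshot) -> Tuple[str, str]:
    """Return (action, detail); action is 'start', 'chain' or 'block'.

    No branch returns a direct-traffic fallback once any proxy setting is present.
    """
    if s.pac_url:
        return ("block", "PAC-based proxy configuration")
    if s.socks is not None:
        return ("block", "SOCKS proxy")
    if s.http is None and s.https is None:
        return ("start", "direct network path, no upstream proxy")
    # Assumption: "inconsistent split" means HTTP and HTTPS are not both set
    # to the same endpoint.
    if s.http is None or s.https is None:
        return ("block", "inconsistent split proxy settings")
    http, https = _normalize(s.http), _normalize(s.https)
    if http is None or https is None:
        return ("block", "upstream proxy without a usable host and port")
    if http != https:
        return ("block", "inconsistent split proxy settings")
    if s.auth_required and not s.auth_satisfiable:
        return ("block", "proxy authentication cannot be satisfied safely")
    return ("chain", "%s:%d" % http)
```

Every unsupported or ambiguous input maps to `block`, so a change that adds a new proxy type has to opt in to `chain` explicitly rather than inherit a permissive default.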
Expected VPN Outcomes
| VPN behavior | Expected Patronus behavior |
|---|---|
| Direct network path, no upstream proxy | Protection can start normally. |
| Explicit HTTP/HTTPS upstream proxy | Patronus chains the upstream proxy. |
| VPN blocks Extension Proxy | Desktop App reports degraded or unsupported protection and may offer a mode switch. |
| PAC or SOCKS upstream proxy | Protection startup is blocked until the configuration changes. |
| Proxy authentication required | Startup is blocked if Patronus cannot satisfy authentication safely. |
| Protection component unavailable | Patronus reports the protection path as unsupported and shows the next action. |
User-Visible States
- Degraded Protection means Patronus is still active, but the network path shows a detectable problem.
- Unsupported Protection Path means Patronus cannot trust the path enough to start or continue protection.
- Protection Restart Required means the network path changed while protection was running and Patronus needs a restart to apply it safely.
- Proxy Restore Warning means Patronus could not fully restore the previous Proxy Baseline after Regular Mode stopped.
Troubleshooting
- Start the VPN first, then start Patronus protection.
- If startup is blocked, check whether the VPN uses PAC, SOCKS, or authenticated proxy settings.
- If the Desktop App offers a mode switch, review the Regular Mode consent text before continuing.
- If protection becomes degraded while running, stop and restart protection after the VPN state stabilizes.
- If the system proxy does not restore after Regular Mode, use the Desktop App warning as the source of truth and inspect the current macOS or Windows proxy settings.
Notes For Enterprise VPNs
Patronus intentionally avoids direct fallback when an upstream proxy cannot be chained. This may create one extra user decision, but it prevents Patronus from silently changing network scope or routing AI traffic outside the VPN policy.
If Patronus reports an unsupported protection path, follow the action shown in the Desktop App or contact Patronus support.