I just don’t think that a leak proof VPN ever exists. VPN is just not designed for such thing.
Moreover in my use cases most of my VPNs are not even providing a default route, so those are needs the ‘leaked’ by purpose.
Sure, there is a guide by community effort called Qubes VPN, but that is trying to provide features that a pure VPN solution does not have at all.
I surely not really understand that warning - maybe because of the ‘too smart’ vpn clients that are messing up with your packetfilter… but that’s simply not apply for my use cases.
My vpn’s are only addig routes, and do not messing up the packetfilter I have set up.
Even it’s not match with my threat model and use case, but at least now I understand the reasons, thanks.