If someone can run packet capture directly on your machine, he can do other things as well, so the mere ability to capture on a virtual interface before the packets get encrypted for transport over the physical one cannot be considered a leak by itself. Or at least there is no effective way to prevent this - the very idea of VPN tunnels is that the data transmission over the physical interfaces of a machine is encrypted, while the applications running on that machine send and receive the data in plaintext as they always did, but do so over the virtual interface instead of a physical one. If this is not satisfactory for the purpose, end-to-end encryption must be handled by the application itself - HTTPS would be an example of such behaviour, where the cipher negotiation and encryption are done by the browser.
Not providing the capturing tap on the virtual interface would just obscure the fact that malware running on the machine could read the traffic anyway if it was there, although it would require more effort. Providing the tap allows you to diagnose communication problems even when a VPN connection is used, which is sometimes helpful.