I'd like a bit more of an explanation of this, then. How is the "Envelope" information on the tethered device in any way relevant?

Here's an example, using a "normal" VPN instead of a "privacy" VPN.

Computer X sends a packet destined for internal.foo.com, a site behind a corporate firewall and not routable via the public internet. Computer X routes its traffic to Computer Y. Computer Y is running a VPN connection to foo.com. Computer Y encapsulates the packet within a VPN packet, routing it to vpn.foo.com. The packet traverses the internet, arrives at vpn.foo.com, and is unwrapped. vpn.foo.com sends the packet to internal.foo.com.

In what way would it be relevant for the routers between Y and vpn.foo.com to know that the packet is destined for internal.foo.com? They can't route to internal.foo.com; indeed, they may be unaware of the existence of internal.foo.com. There is no requirement that this "envelope" be exposed; it's relevant only to vpn.foo.com.

For another take on this, consider "privacy" VPN services; I'll give secure-tunnel.com as an example, since they support iPhones. The idea here is that your computer makes a connection to secure-tunnel.com's VPN server; all traffic is then routed over the VPN. The ENTIRE point of buying this service is that the systems between your computer and secure-tunnel.com's VPN server cannot tell where your packets are being sent or what is in them. Exposing "envelope" information for the packets routed through the VPN would largely compromise the value of the service.

VPNs are defined-endpoint services. Every packet sent through the VPN starts at one of the endpoints (e.g. your iPhone) and ends at the other (the VPN server), or vice versa, of course. There is no need to expose any routing information about where the packets being sent through the VPN are going; no intervening routers can send those packets anywhere but to the endpoints and have them make any sense to the receiver.

Again, if you can provide a viable explanation as to why the VPN would need to expose envelope information, I'd be happy to revise this. But it needs to make sense in both the traditional and privacy senses and respect the defined-endpoint nature of the VPN.

Also: it makes an enormous difference where the VPN originates. If the VPN originates on the tethered system, all bets are off. At that point, the packets are just like any other packets originating on that system and will have the 65 TTL, etc. They're not subject to deep inspection, because they're encrypted, but the TTL value will still be different by default. However, if the VPN originates on the iPhone, in a networking sense the packet has originated on the iPhone, not the tethered node.
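A small Python model of the encapsulation described in the post above, added here as an illustration; it is not code from the original post or from any VPN product. All addresses (RFC 5737 documentation ranges plus a 10.0.0.0/8 address standing in for internal.foo.com), the key and the nonce are constructed, the cipher is a toy HMAC-SHA256 keystream standing in for the VPN's real cipher, and the outer protocol number 50 (ESP) is simply a plausible choice. `router_view` parses only what a router between Computer Y and vpn.foo.com actually handles, the outer IPv4 header: the inner destination is recoverable only by the endpoint that holds the key, and the outer TTL is whatever the host that originated the tunnel set, which is the post's last point.

```python
"""Toy model of VPN encapsulation: what an intermediate router can and cannot see.

Added example, not from the original post. Addresses, key and nonce are constructed.
"""
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP = 50  # IANA protocol number for ESP; used here for the outer header

# Constructed demo secrets shared by the two VPN endpoints (not real key material).
KEY = b"constructed-demo-key-not-real"
NONCE = b"\x00\x01\x02\x03\x04\x05\x06\x07"


def checksum(data: bytes) -> int:
    """Ones'-complement IPv4 header checksum (RFC 1071). Returns 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fields a router looks at; rejects a header with a bad checksum."""
    if checksum(packet[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl != 0x45:
        raise ValueError("only IPv4 without options is modelled")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ttl": ttl, "proto": proto, "payload": packet[20:]}


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for the VPN's real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encapsulate(inner: bytes, key: bytes, nonce: bytes,
                outer_src: str, outer_dst: str, outer_ttl: int) -> bytes:
    """What Computer Y does: encrypt the whole inner packet and wrap it for vpn.foo.com.

    The outer TTL is set by the host that originates the tunnel, exactly as for any
    other packet that host sends.
    """
    ciphertext = bytes(a ^ b for a, b in zip(inner, keystream(key, nonce, len(inner))))
    return build_ipv4(outer_src, outer_dst, outer_ttl, IPPROTO_ESP, nonce + ciphertext)


def decapsulate(outer: bytes, key: bytes) -> bytes:
    """What vpn.foo.com does: strip the outer header and recover the inner packet."""
    payload = parse_ipv4(outer)["payload"]
    nonce, ciphertext = payload[:8], payload[8:]
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(key, nonce, len(ciphertext))))


def router_view(packet: bytes) -> dict:
    """Everything a router between Y and vpn.foo.com can learn: the outer header only."""
    f = parse_ipv4(packet)
    return {"src": f["src"], "dst": f["dst"], "ttl": f["ttl"], "proto": f["proto"]}


def demo():
    """Computer X -> internal.foo.com, tunnelled by Y to vpn.foo.com (constructed addresses)."""
    inner = build_ipv4("192.0.2.10", "10.0.0.5", 64, 6, b"GET / HTTP/1.0\r\n")   # X -> internal
    outer = encapsulate(inner, KEY, NONCE, "203.0.113.7", "198.51.100.1", 64)  # Y -> vpn.foo.com
    seen_on_path = router_view(outer)                       # no trace of 10.0.0.5 here
    recovered = parse_ipv4(decapsulate(outer, KEY))         # only the key holder gets this
    return seen_on_path, recovered


if __name__ == "__main__":
    on_path, inner_pkt = demo()
    print("router sees:", on_path)
    print("endpoint recovers dst:", inner_pkt["dst"], "payload:", inner_pkt["payload"])
```

Running it shows the on-path view containing only Y's address, vpn.foo.com's address, the outer TTL and protocol 50, while the inner destination and payload come back intact only after `decapsulate` with the shared key. Swapping the `outer_ttl` argument is all that distinguishes a tunnel originated on one host from one originated on another in this model, which is why the post stresses where the VPN originates.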