VPN-support.md

@@ -265,3 +265,28 @@ About which sajolida commented:
 
 Next step: spend another few hours checking how hard it would be to avoid
 routing tor nor the Unsafe Browser over the VPN.
+
+### VPN Browser + NetworkManager (tails#21189)
+
+The goal here is to have a VPN managed by NetworkManager, but which is only used by the VPN Browser. It's not
+a strict requirement that the UI is the "stock" one.
+
+The exploration of this option has not been conclusive: we could not make a working Proof of Concept, although
+this doesn't sound like an impossible task.  If we want to follow this route, it might be better to delegate
+this sort of work to someone who is better at policy routing. TPA might have the skills we are looking for.
+
+The exploration has been done on Wireguard only, on the idea that it is the more modern VPN option. Given the
+many differnces between Wireguard and OpenVPN, it's hard to generalize the findings. No analysis has been done
+on whether OpenVPN was ok.
+
+Having a constraint to use NetworkManager actually prevents us from using
+[some](https://www.wireguard.com/netns/) of the [otherwise
+available](https://www.procustodibus.com/blog/2023/04/wireguard-netns-for-specific-apps/#enable-selectively)
+and relevant techniques.
+
+The UI that enables the loading of a configuration file such as the one supplied to users by Mullvad is very
+good! But if we decide to use the NetworkManager UI, we need to consider that it exposes many possible
+settings, so a user might shoot themself in the foot. As an example, the _Use this connection only for
+resources on its network_ in the IPv4 panel is particularly important, and very visible to users. This would
+be solved by having our own UI.
+