VPN Kill Switch
Last updated: 2026-01-18
What Is a VPN Kill Switch
A VPN kill switch is a safety mechanism that automatically blocks all internet traffic when a VPN connection unexpectedly drops. When a VPN disconnects, the device reverts to its normal internet connection, and your real IP address and DNS queries are sent unprotected. A kill switch prevents this "vulnerable moment."
VPN connections can drop in everyday situations such as switching Wi-Fi networks, temporary network instability, VPN server overload, or waking from sleep. Without a kill switch, unprotected traffic could flow over the internet for seconds to minutes without the user noticing.
Kill Switch Implementation Methods
Setup by Operating System
Here is how to set up a kill switch on major operating systems.
- Windows: Most VPN apps have a "Kill Switch" setting. For manual setup, block outbound rules for all adapters except the VPN adapter in Windows Firewall.
- macOS: In addition to VPN app settings, you can write firewall rules using pf (Packet Filter). Add rules to /etc/pf.conf to block traffic on all interfaces except the VPN interface.
- Android: Settings → Network & Internet → VPN → Select the VPN → Enable "Always-on VPN" and "Block connections without VPN." The most reliable OS-native method.
- iOS: No OS-level kill switch setting exists. Use the VPN app's "On Demand" connection feature as an alternative, enabling automatic reconnection when the VPN drops.
Enabling a kill switch means the internet becomes unavailable the moment the VPN connection drops. Enable it with an understanding of this convenience-security tradeoff.
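The macOS pf approach from the list above, written out as an added example (not from the original page or from any VPN vendor). The interface names, server address and port are constructed placeholders that must be replaced with your own values.

```conf
# Kill-switch rules to append to /etc/pf.conf (added example).
# All four macro values below are assumptions for illustration.
phys_if    = "en0"            # physical Wi-Fi/Ethernet interface
vpn_if     = "utun3"          # tunnel interface created by the VPN client
vpn_server = "203.0.113.10"   # VPN endpoint, documentation-range address
vpn_port   = "51820"          # UDP port the VPN client connects to

# Default deny in both directions. With no address family given,
# this applies to IPv4 and IPv6 alike.
block drop all

# Local services on the loopback interface keep working.
pass quick on lo0 all

# DHCP, so the physical interface can still obtain and renew a lease.
pass out quick on $phys_if inet proto udp from any port 68 to any port 67
pass in  quick on $phys_if inet proto udp from any port 67 to any port 68

# The only traffic allowed to leave the physical interface is the
# encrypted tunnel itself. Use an IP address here, not a hostname:
# DNS is blocked while the tunnel is down, so a name could not resolve.
pass out quick on $phys_if inet proto udp from any to $vpn_server port $vpn_port

# Everything else must travel inside the tunnel. If $vpn_if does not
# exist (VPN dropped), nothing matches and "block drop all" applies.
pass quick on $vpn_if all
```

Check the syntax with pfctl -nf /etc/pf.conf before loading the rules with pfctl -ef /etc/pf.conf. The utun number can change between connections, so confirm it with ifconfig once the tunnel is up.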
When a Kill Switch Is Especially Important
A kill switch is recommended for all VPN users, but it is especially critical in the following situations.
- Using public Wi-Fi: VPN disconnections are frequent on unstable networks. Without a kill switch, unprotected traffic flows over the public network with each disconnection.
- P2P file sharing: Your real IP address is exposed to peers the moment the VPN disconnects.
- Sensitive communications: For journalists, activists, and whistleblowers where IP address exposure could have serious consequences.
Along with a kill switch, regularly run DNS leak tests and WebRTC leak tests to verify that VPN protection is functioning correctly. When using split tunneling, note that the kill switch scope may be limited to traffic within the VPN tunnel.
To learn more about this topic, see What Is a VPN Kill Switch? Preventing Data Leaks When Your Connection Drops.
Common Misconceptions
- A kill switch is unnecessary if you're connected to a VPN
  VPN connections can unexpectedly drop in everyday situations such as Wi-Fi switching, server overload, and OS sleep recovery. Even if the connection recovers in seconds, your real IP address and DNS queries can leak during those seconds.
- Enabling a kill switch makes the internet unstable
  A kill switch only blocks traffic when the VPN connection drops. It has no effect on traffic while the VPN is functioning normally. If your VPN connection drops frequently, consider changing the VPN server or protocol.