What Is a VPN Kill Switch?
A VPN kill switch is a security feature that immediately blocks all internet traffic if the VPN connection drops unexpectedly. Without it, your device falls back to your regular ISP connection the moment the VPN tunnel fails - Exposing your real IP address until you reconnect.
Why Kill Switches Matter
| Scenario | Without Kill Switch | With Kill Switch |
|---|---|---|
| VPN client crashes mid-session | All traffic immediately routes through ISP - Real IP exposed | All traffic blocked until VPN reconnects |
| Network change (Wi-Fi to mobile) | VPN may reconnect slowly; traffic leaks during gap | Traffic blocked during transition |
| VPN server overloaded, connection dropped | Fallback to ISP without warning | Internet cut until you reconnect to working server |
| OS wake from sleep | VPN may not reconnect immediately | No traffic until VPN is active |
Types of Kill Switch Implementations
| Type | How It Works | Pros | Cons |
|---|---|---|---|
| Application-level | The VPN client monitors the tunnel and blocks specific apps if VPN drops | Allows non-VPN traffic for selected apps | Does not protect traffic outside the blocked app list |
| System-level (firewall) | Adds firewall rules (iptables, Windows Firewall) that block all non-VPN traffic | Comprehensive - Protects all traffic including background apps | Cuts all internet when VPN is off; must be disabled to use internet without VPN |
| Always-on VPN (OS-level) | Operating system enforces VPN for all apps with no bypass (Android, iOS) | Strongest protection; cannot be bypassed by any app | Requires OS-level configuration, may not be user-friendly |
How to Verify Your Kill Switch Works
- Connect to your VPN and note the IP shown on our VPN Leak Test.
- In your VPN client, enable the kill switch option.
- With the VPN still connected, force-close the VPN client process (Task Manager on Windows, Activity Monitor on macOS, or
killon Linux). - Immediately try to load a website or refresh the leak test page.
- If the kill switch works, the page should fail to load. If your real IP appears, the kill switch is not functioning.
- Reopen your VPN client, reconnect, and verify the VPN IP is showing again.
See also: Does My VPN Work? | VPN Logging Policies | Hide My IP Guide.
Where to Find the Kill Switch on Each Platform
Naming and placement vary by provider, but as of our last review the patterns below hold across the major VPN clients:
| Platform | Typical Location | Notes |
|---|---|---|
| Windows | VPN app › Settings › Kill Switch (sometimes "Network Lock") | Some clients offer both an app-level and a system-wide option - Prefer system-wide |
| macOS | VPN app › Preferences › Kill Switch / Network Lock | App Store builds occasionally lack the feature due to sandboxing - Check the provider's direct download if missing |
| Android | System Settings › Network & Internet › VPN › gear icon › "Block connections without VPN" | The OS-level option is stronger than any in-app toggle and works with every VpnService-based app |
| iOS | VPN app settings; no user-facing OS toggle | iOS handles VPN at the system level; most major apps implement their own kill switch option |
| Linux | CLI flag or config (e.g., a "killswitch" or "lockdown" mode); otherwise firewall rules | An iptables/nftables rule set allowing traffic only via the VPN interface is the most robust approach |
Which Kill Switch Type Should You Use?
- Choose a system-level (firewall) kill switch if you torrent, handle sensitive work, or simply never want traffic outside the VPN - It covers every app, including background services.
- Choose an app-level kill switch if you only need specific applications protected and want the rest of your traffic to continue normally when the tunnel drops.
- Choose OS-enforced Always-on VPN (Android) if you want protection that survives reboots and app crashes - It is the hardest variant to bypass.
- Combine the kill switch with auto-connect on untrusted networks so there is no unprotected window between joining a Wi-Fi network and the tunnel coming up.
Kill Switch Limitations to Know About
- An app-level kill switch only acts once the VPN client is running - Traffic sent during boot, before the client starts, is unprotected unless the switch is firewall-based.
- Split tunnelling interacts with the kill switch: apps excluded from the tunnel usually keep working when the VPN drops, which may surprise you. See VPN split tunnelling.
- A kill switch prevents leaks during drops; it does nothing about DNS or WebRTC leaks while the tunnel is up - Test those separately with our VPN Leak Test.
- Some clients silently disable the kill switch after updates or crashes - Re-verify it occasionally using the force-close test described above.
Frequently Asked Questions
Do I always need the kill switch enabled?
If you use a VPN for privacy, torrenting, or on untrusted networks, yes - leave it on permanently. If you only use a VPN occasionally for geo-unblocking, it is a judgement call, but the safest default is enabled.
Why did my internet stop working after enabling the kill switch?
That is the feature working as designed: the VPN tunnel dropped and the kill switch blocked all traffic to prevent a leak. Reconnect the VPN to restore access, or temporarily disable the kill switch if you deliberately want to browse without the VPN.
Does a kill switch protect me before the VPN connects?
Only some implementations do. Firewall-based and always-on system-level kill switches can block traffic from boot until the tunnel is up. App-level kill switches typically only act after the VPN has connected once, leaving a gap at startup.
How do I test that my kill switch actually works?
Connect the VPN, force-close the VPN client process, and immediately try to load a web page. If pages still load and a leak test shows your real ISP address, the kill switch failed. If all traffic is blocked until you reconnect, it is working.
How We Evaluate VPNs
Every recommendation in our VPN guides is weighed against the same five criteria:
- No-logs policy and audits - We prioritise providers whose no-logs claims have been verified by independent auditing firms, and we note real-world events (subpoenas, server seizures) that tested those claims.
- Leak-test results - A VPN must not expose your real IP, DNS servers, or WebRTC addresses. You can run the same checks we use with our free VPN Leak Test.
- Speed impact - We favour providers supporting modern protocols (WireGuard, or equivalents like NordLynx and Lightway) that keep overhead low.
- Jurisdiction - Where a provider is incorporated determines which governments can compel it to hand over data.
- Price transparency - Clear renewal pricing and honest refund terms. We avoid quoting specific prices in guides because promotions change frequently - Always check current pricing on the provider's site.
Our assessments are based on published third-party audits, vendor documentation, and our own leak-testing tooling - We do not have insider access to any provider's infrastructure. These pages are reviewed periodically and updated when audits, ownership, or features change.
Once you have picked a provider, two practical checks matter more than any review: if your connection fails, see how to fix a VPN that won't connect; and to confirm you are actually protected, learn how to test if your VPN is working.
ⓘ Affiliate disclosure: Some links to VPN providers in these guides are affiliate links - We may earn a commission at no extra cost to you. This never affects rankings or evaluations.
Last updated: June 2026