
Summarise this article with:
A VPN kill switch blocks all internet traffic the moment your VPN tunnel drops, so your real IP address never leaks to websites, peers, or your ISP during a reconnect gap. Without one, a VPN is only as reliable as its worst moment.

How a VPN Kill Switch Works
A kill switch inserts firewall rules at the operating system level the moment your VPN connects. Two rules go in simultaneously: a broad "block everything on the physical interface" rule, and a narrower "allow only VPN-routed traffic" exception. When the tunnel drops, the exception disappears but the block stays. No application can send unprotected traffic regardless of what it tries to do. When the VPN reconnects, the exception rule is reinstated and traffic resumes normally.
The firewall-level approach is why a well-implemented kill switch can survive even an app crash. The rules are baked into the OS, not enforced by the VPN process. If the VPN client itself crashes, system-level rules still hold.
System-Level Kill Switch
A system-level kill switch applies those firewall rules globally. All traffic on the machine is cut until the VPN reconnects. This is the most thorough method and is what security-focused providers use by default.
Application-Level Kill Switch
Some VPN apps let you target specific applications instead of the whole system. You might cut a torrent client but let your browser keep a session alive. The flexibility is real, but so is the risk: any excluded app becomes a potential leak point, and misconfigured exclusions are easy to miss.
Why VPN Tunnels Drop More Often Than You Expect
Most people picture a VPN as something that either works or does not. In practice, tunnels are fragile in several ways:
- Sleep and wake cycles: Your laptop closes its lid, the tunnel drops. On wake, there is a window of several seconds before the VPN re-authenticates. Any app that tries to connect in that window uses your real IP.
- Network switching: Moving from Wi-Fi to mobile data, or switching between access points, triggers a full reconnect cycle.
- Router reboots: Brief ISP glitches or power fluctuations that restart your router kill the VPN session instantly.
- VPN server maintenance: Providers rotate or restart servers, which drops all active connections without warning.
- Packet loss spikes: Heavy congestion can cause the VPN client to declare the tunnel dead and attempt a reconnect, even when your physical link is up.
In each case, the exposure window is measured in seconds. But seconds are enough for a browser tab to phone home, for a torrent client to announce your real address, or for a logged-in session to reveal your location.
Trigger Types and Their Exposure Risk
| Trigger | What Causes It | Exposure Without Kill Switch |
|---|---|---|
| VPN server crash | Upstream server failure | Immediate leak on any active connection |
| Network change | Wi-Fi to mobile data switch | Full leak during reconnect window |
| ISP interruption | Brief packet loss or outage | Leak if app retries before VPN reconnects |
| App crash | VPN client itself crashes | System-level KS still blocks; app-level KS fails |
| Sleep or wake | Laptop lid closes or opens | Most common real-world leak scenario |
| Router reboot | Power glitch or firmware update | Full leak until VPN re-establishes |
The app crash row matters most. If your VPN client crashes, any kill switch that runs inside the client disappears with it. A system-level kill switch survives because the firewall rules live at the OS level, not inside the process.
Kill Switch Implementations: NordVPN, ProtonVPN, and Mullvad
| VPN Provider | Kill Switch Type | Always-On Option | Survives App Crash |
|---|---|---|---|
| NordVPN | System + App-level | Yes | System KS: yes |
| ProtonVPN | System + App-level (Windows/Linux); Standard only (macOS) | Yes | System KS: yes |
| Mullvad | Always-on firewall (cannot be disabled) + optional Lockdown mode | Yes | Yes |
Mullvad's approach is the most aggressive. Their kill switch is permanently active and cannot be turned off. An additional "Lockdown mode" blocks traffic even when you manually disconnect or quit the app, meaning your machine will not reach the internet at all without an active Mullvad connection. This is the right choice if your threat model demands zero tolerance for leaks.
How to Enable the Kill Switch
NordVPN on Windows
- Open NordVPN and click the settings cog
- Navigate to the Kill Switch section
- Toggle Internet Kill Switch on
- Choose between blocking internet only on accidental drops, or on both accidental and manual disconnects
- Optionally enable App Kill Switch to restrict specific applications instead of the whole system
Note: The exact placement of the Kill Switch menu has shifted slightly across app versions. If you do not see it as a top-level entry, check under General or Advanced settings.
On macOS, NordVPN enables the kill switch automatically whenever you connect to a server. No manual toggle is needed.
ProtonVPN on Windows
- Open ProtonVPN and select Kill switch from the quick settings bar on the right sidebar
- Alternatively: Settings (gear icon) then Connection then Kill switch
- Toggle kill switch on
- Choose Standard (activates only on unexpected drops, not when you manually disconnect) or Advanced (blocks all traffic unless you are actively connected to Proton VPN)
On macOS, Proton VPN offers the Standard kill switch only. Toggle it via the Kill switch button in the Countries tab.
On Linux GUI, go to Menu then Settings then Features and enable the kill switch toggle.
Mullvad on Desktop (Windows, macOS, Linux)
Mullvad's kill switch is always active by default. To enable the stronger Lockdown mode:
- Open the Mullvad VPN app
- Click the gear icon (settings) in the top-right corner
- Select VPN settings
- Toggle Lockdown mode on
You can also enable it from the command line before logging in:
mullvad lockdown-mode set onAndroid: Built-In OS Kill Switch
Android has a native kill switch that works across any VPN app:
- Go to Settings then Network and Internet then VPN
- Tap the gear icon next to your VPN app
- Enable Always-on VPN
- Enable Block connections without VPN
The second toggle only appears after Always-on VPN is active. This is a system-level block enforced by Android itself, independent of the VPN app.
iOS
iOS does not have a universal native kill switch like Android. Providers such as NordVPN and ProtonVPN implement their own via Apple's NetworkExtension framework, using on-demand rules to reconnect when the tunnel drops. The reliability varies by app and iOS version. In my testing, the gap between a drop and reconnect on iOS is often longer than on desktop, so treat mobile kill switch coverage as better-than-nothing rather than airtight.
WireGuard Manual Configuration (Linux)
For manually configured WireGuard interfaces, add these rules to your config:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECTThese block all traffic not routed through the WireGuard interface (%i), so no packets escape unencrypted.
How to Verify Your Kill Switch Is Actually Working
Enable it once and actually test it. Many users skip this step.
Test 1: Manual disconnect. Connect to your VPN, visit our VPN Leak Test tool and note the protected IP, then disconnect the VPN manually while keeping the kill switch enabled. Immediately try to load any site. If the kill switch works, nothing loads. If pages load and your real IP appears, something is misconfigured.
Test 2: Sleep and wake. Connect to your VPN, close your laptop lid, wait 30 seconds, then open it immediately. Navigate to our VPN Leak Test before the VPN indicator shows "Connected." If a real IP appears in that window, the kill switch is not covering the reconnect gap.
Test 3: DNS leak check. A kill switch that blocks traffic but not DNS queries still leaks. Run a DNS Leak Test with your VPN active. If the DNS servers shown belong to your ISP rather than your VPN provider, queries are bypassing the tunnel. See also: how to confirm your VPN is working end-to-end.
Kill Switch vs. Split Tunneling
Split tunneling routes some traffic through the VPN and some directly through your ISP. It is popular for streaming services that block VPN IPs, or for keeping local device traffic off the tunnel.
The tension is direct: if you configure split tunneling to route an app outside the VPN, the kill switch does not protect that app. Both features can coexist, but every excluded app is a potential leak point.
My rule: if your threat model is serious enough to require a kill switch, keep split tunneling off, or at minimum exclude only apps that carry no sensitive data and could not reveal your identity if seen by your ISP.
When You Might Not Want a Kill Switch
A kill switch is not the right choice for every situation:
- Unstable connections: On a shaky hotel Wi-Fi or rural LTE connection, a kill switch that fires frequently will drop video calls, break SSH sessions, and frustrate normal browsing. Use the Standard mode (accidental drops only) rather than Always-On in those cases.
- Mobile network switching: Frequent transitions between Wi-Fi and cellular trigger kill switch activations. Some providers offer a grace period before the block kicks in; check your app settings.
- IoT devices on a shared VPN router: Smart home devices that handle reconnects poorly may stop functioning when the tunnel drops.
For casual users who just want a privacy layer without hard blocks, Standard mode is enough. For journalists, activists, users in high-censorship regions, or anyone whose activity must never be associated with their real IP, system-level kill switch plus lockdown mode is the minimum acceptable configuration.
FAQ
What is a VPN kill switch and do I really need one?
A VPN kill switch blocks all internet access the moment your VPN connection drops, so your real IP address is never exposed during a reconnect gap. You need one if you use a VPN for genuine privacy rather than just casual geo-unblocking. For activities where a single IP leak matters, such as journalism, legal research, torrenting, or accessing content in restrictive regions, a kill switch is not optional.
What is the difference between a system-level and app-level kill switch?
A system-level kill switch applies firewall rules at the OS level and blocks all network traffic, including from apps that have nothing to do with your VPN. An app-level kill switch only shuts down the specific applications you designate. System-level is more reliable because it survives a VPN app crash; app-level is more flexible but easier to misconfigure.
Does a kill switch slow down my internet connection?
No. The kill switch only activates during a VPN drop. While the VPN is connected and the tunnel is up, the kill switch rules sit dormant and add no overhead to your traffic.
What is Mullvad lockdown mode and how is it different from a regular kill switch?
Mullvad's standard kill switch activates when the VPN drops unexpectedly. Lockdown mode goes further: it blocks all internet traffic even when you deliberately disconnect or quit the Mullvad app. Your machine cannot reach the internet at all without an active Mullvad connection. It is the most restrictive implementation available in a consumer VPN app, and it is the right choice if you cannot tolerate any unprotected traffic under any circumstance.
Why does my VPN kill switch not work on iOS?
iOS does not expose a universal native kill switch API to third-party VPN apps the way Android does. VPN providers work around this using Apple's NetworkExtension framework and on-demand connection rules, which reconnect the tunnel when it drops rather than blocking traffic in the gap. The coverage is less consistent than on desktop or Android, the reconnect window can be longer, and some edge cases, such as airplane mode toggles or network switches, may still produce brief unprotected moments. If iOS VPN reliability matters to you, verify behavior directly using our VPN Leak Test after each type of network transition.
Can I use a kill switch and split tunneling at the same time?
Yes, but the two features conflict in practice. Any application you route outside the VPN tunnel via split tunneling is not covered by the kill switch. If the VPN drops, that excluded app continues sending traffic through your real IP. If your threat model requires a kill switch, disable split tunneling entirely or limit exclusions to apps that carry no identifying information.
Sources
WhatIsMyLocation Team
Our team of network engineers and web developers builds and maintains 25+ free networking and location tools used by thousands of users every month. Every article is reviewed for technical accuracy using real-world testing with our own tools.
Related Articles
Try Our Location Tools
Find your IP address, GPS coordinates, and more with our free tools.