Kill Switch (VPN)

A kill switch is a VPN feature that blocks all internet traffic if the VPN connection drops. Without it, when the VPN reconnects (which happens routinely on mobile and on flaky home networks), traffic briefly traverses the unencrypted local network, leaking the real IP and the destination of any active connection. With it, traffic stops the moment the tunnel breaks and resumes only when the tunnel is re-established.

What it means in practice

The kill switch is the difference between a VPN that works on a test page and a VPN that protects you over a long session. Mobile networks are particularly leaky: handing off between cell towers, switching from cellular to Wi-Fi, brief network blackouts in tunnels or elevators all cause VPN reconnects. Each reconnect is a window where leakage can happen. The implementations vary by client. Mullvad: enabled by default with no option to disable for the always-on profile, with a separate “Local network sharing” toggle for printer access. Proton VPN: kill switch is opt-in, “Permanent Kill Switch” is the always-on variant. Most consumer VPNs: kill switch is opt-in, often poorly implemented, sometimes leaks during the first 100ms of a reconnect even with the feature enabled.

Where it shows up

Critical for: anyone whose VPN is the structural defense against IP linkage (journalists, activists, divorce clients, anyone whose threat model includes adversarial discovery of IP-mapped activity). Less critical for: users whose VPN is for streaming geo-bypass and casual privacy hygiene; a brief leak does not change the threat picture. The kill switch is one of the highest-leverage settings on a VPN client because the marginal cost is zero (slight inconvenience when the VPN is misconfigured) and the marginal protection is large (no leak under normal failure modes). Why every audited VPN now ships it as a default-on or default-recommended feature, and why the audit reports specifically test the leak behavior under network disruption.

What you can change today

Enable kill switch on your current VPN client. Mullvad: already on by default (verify in Settings, VPN Settings, Lockdown Mode for the always-on variant). Proton VPN: Settings, Connection, Kill Switch, then enable Permanent Kill Switch for the version that survives reboot. NordVPN: Settings, Kill Switch on. Test the kill switch by manually disconnecting the VPN while a video stream or a download is active; the connection should die within a second. If it does not, the kill switch is misconfigured or your client does not implement it correctly. Add DNS leak protection at the same time (typically same settings panel) to defend against the parallel leak vector where DNS queries bypass the tunnel.

Related articles