What is a VPN Kill-Switch, and How do you use one?

A Kill-Switch is an essential security feature that is included in most VPN software. VPN kill switches are designed to protect against accidental disconnections, a potential privacy risk which could leak sensitive data.

In this article you’ll learn:

  1. What is a Kill-Switch?
  2. How a kill-switch works
  3. The two types of Kill-Switches (Application vs. System)
  4. VPNs that include a kill-switch
  5. How to create a your own kill-switch
  6. How to restore Internet Access after kill-switch activates

What is a Kill-Switch?

At its most basic level, a kill-switch is a simple program (or part of a program) designed specifically to monitor the connection status of a specific network adapter.

If it detects a change in connection status or IP address, the switch will activate and instantly kill your access to the internet.

Kill-switches are often built into VPN software, as a safety mechanism to prevent any personally identifiable information from leaking in the event of a dropped VPN connection.

Using a kill switch does two important things:

  1. Prevents your real IP address from being exposed
  2. Stop insecure (unencrypted) data from being transmitted.

Why use a kill-switch?

VPNs have multiple uses, but security is usually a primary factor. The VPN Kill Switch acts as a failsafe, to protect your privacy even when your VPN lets you down.

Even the most reliable VPN services will occasionally have a dropped connection. Failed connections can be caused by a poor internet connections, computer errors or crowded VPN servers.

Use cases for a kill-switch:

  1. Torrents/Filesharing
  2. Kodi / streaming
  3. Private browsing
  4. Unblocking geo-restricted sites (e.g. Netflix)
  5. Using public or untrusted wifi

How a VPN Kill Switch works

The kill-switch is a small background process that constantly monitors your internet connection so it can intervene if a change is detected.

Though there are a couple different kill-switch variations, the most commons is the internet kill switch.

Here’s a step-by-step breakdown of how they work:

  1. Initialize: The kill-switch is activated when a new VPN session starts. It stores your assigned IP address as the baseline to monitor.
  2. Monitor: The kill switch monitors your connection for changes in both the adapter status, connection with the VPN server and IP address.
  3. Trigger: If an event is detected (your connection drops) the kill-switch will trigger and immediately shut down internet connectivity for your device.
  4. Restore: You can restore connectivity by either 1) reconnecting to the VPN or 2) resetting your network adapter.

All of these steps take place nearly instantaneously and without your direct intervention. The VPN software does it for you.

FYI: Kill-switches are typically an addon feature that is custom created by each VPN provider. It’s not included in the VPN spec for common protocols like OpenVPN and Wireguard. As a result, they will function differently for each VPN service, and some implementations are better than others.

What triggers the kill-switch?

There are several events that can cause the kill-switch to engage. These are the most common:

  • Disconnect the VPN: Many providers configure the switch to activate any time you turn off the VPN. This can be an annoyance, but you may be able to disable the option in the settings menu.
  • Lost internet connection: If your internet connection goes down, so will the VPN tunnel, triggering the switch.
  • Poor connection: If you’re on a mobile network or public wifi with weak signal, dropped packets can cause the switch to activate
  • Close the VPN App: If you exit the VPN app (or it crashes) the kill-switch may still engage.

Platform & Protocol Support

The type and availability of the kill-switch may vary based on your device OS as well as your choice of VPN protocol.

Protocol

The VPN protocol with the best kill-switch support is OpenVPN (which is also the most common protocol). In fact, some VPNs only support OpenVPN in their client app. Other protocols like L2TP or PPTP require manual configuration.

Since the kill-switch is a software feature, not native to the VPN protocol, it typically isn’t available for manual connections.

OS

Kill switches work across a variety of OS’s, but support is not universal. For example, it’s hard to find a good kill-switch app for Android VPNs because of the permission level required to operate it.

Windows has the widest support, and kill-switches work on all versions since Windows XP, through Windows 10 and now 11.

Apple/Mac: Mac OS support used to be hit-or-miss but now most providers are adding this feature to their Mac client.

iOS: Support for kill-switches is extremely limited on iOS because it’s not possible with the OpenVPN protocol. It can only be implemented for apps that offer L2TP/IKEv2.

Types of kill-switch

Each VPN has a unique kill-switch implementation, but they all can be divided into two categories based on their functionality.

There are two primary kill-switch types:

  1. System level kill-switch / Internet kill-switch (most common): Shuts down all internet connectivity to your device until the switch is reset (e.g. reconnect to the VPN).
  2. App level kill-switch: This will close one or more apps (you specify) when the switch is triggered.

Most VPNs include a system level kill-switch that will cut internet access to your entire system if the VPN connection fails. Some VPNs include both for greater flexibility/power.

System Level Kill Switch

This is the most simple and most common kill-switch variety. When activated, a system kill switch will completely cut internet access to the entire computer until the VPN reconnects or you reset the network adapter.

This is a brute-force method with little finesse, but it is quite effective at preventing IP leaks. Activating a this type of kill-switch is usually as simple as flipping a setting in your VPN client software.

Enabling the kill switch in PIA software
Kill-switch enabled in Private Internet Access VPN

As you can see it’s quite simple to activate.

Supported VPNs

These days, all of the best VPN services include a kill switch feature to protect against VPN disconnection.

VPN Providers with System Level Kill-Switch

Application Kill-Switch

The App level kill switch lets you choose which specific programs will be closed when the kill-switch activates. In my opinion this is a more useful feature because it allows greater control of how the switch activates.

Common programs you may want kill :

  • Web browser: chrome, firefox, safari
  • Torrent Client: utorrent, Vuze, Deluge, qBittorrent
  • Skype
  • Kodi

Adding programs to the list is usually pretty simple. Below is an example from Torguard’s software .

Choose any active program/process for torguard's kill switch
Torguard’s App Kill-Switch

There are only a few VPN providers that feature an application kill-switch…

When to use a Kill Switch?

Whether to use a kill switch is a personal decision that comes down to your risk tolerance and what you intend to use the VPN for. If the activity would be risky without a VPN, then it’s recommended to leave the kill switch enabled.

Here are some of the most commons situations where they are useful:

Untrusted Wi-fi

Public wi-fi can be a significant security risk if it it’s an open network without encryption. This lets anyone intercept your internet traffic which could include sensitive data like emails, messages, and even login credentials.

Torrents/p2p

These days, most users protect themselves with a VPN when downloading torrents. That’s because torrent activity is monitored by scraping public IP addresses from torrent swarms. Your ISP may also use Deep-Packet-Inspection to check your traffic for torrent activity. A kill switch helps ensure peers can never see your real IP address and your ISP will be none the wiser.

Streaming / Netflix

If you’re travelling and trying to access your home Netflix library, or exploring global streaming catalogs from around the world, you need a VPN. But you probably don’t want Netflix to see your IP address suddenly change to your real location which would be a dead giveaway you’re connecting with a VPN (which could result in account termination). Kill switch for the win.

VPN Providers with a Kill-Switch

Here’s a non-exhaustive list of top-rated VPN services that offer a network lock or kill-switch feature in their software. There is even a free vpn service included.

IPVanish

IPVanish offers a kill-switch in their VPN software for virtually every platform, including Windows, Mac and Android. It is easily activated by ticking the kill-switch checkbox in your software.

IPvanish also includes other security features including a stealth protocol and IPv6 leak protection.

Type: system-level
OS: Windows, Mac, Android
Protocol: OpenVPN

NordVPN

NordVPN offers a dual-mode killswitch (app & internet) on Windows and MacOS. You can enable either, both, or none.

The killswitch settings are found in NordVPNs software settings > kill switch.

The app-level option lets you choose from installed programs or manually select any executable file on your device.

Pro Tip: NordVPN is one of the only apps that offers a kill-switch on iOS, though it only works with the L2TP/IKEv2 protocol, not OpenVPN.

Type: Dual (app-level, system-level)
OS: Windows, Mac, iOS
Protocol: OpenVPN, Wireguard (lynx), L2TP/IKEv2

Try it: Try NordVPN risk-free for 30 days.

Private Internet Access

Private Internet Access has had an integrated killswitch in their software for nearly a decade, and it keeps getting better. The trigger is fast and accurate and restoring internet access afterwards is seamless.

Activated with a simple checkbox, there are two versions. One functions only when the client is open, and the ‘advanced kill switch’ protects your device even when the app isn’t running.

Private Internet Access kill switch & advanced kill switch.

Type: System-level (two versions)
OS: Windows, Mac, Android
Protocol: OpenVPN, Wireguard

Hide.me (free)

HideMe is one of the few high-quality providers with a free vpn subscription that includes kill-switch security. It’s easily toggled with a switch and functions well in our testing.

Hide.me kill switch settings

How to create your own Kill-Switch

Even if your VPN provider doesn’t offer a kill switch, you can still build your own with the help of some free software. You can create either a system or app-level kill switch based on the method you use.

Create a system kill switch with Comodo free firewall

Comodo Firewall is the best free firewall software anywhere. It’s great for getting maximum control of your network, because by default it assumes every connection is a threat until you grant access to that program (it’s as simple as clicking the ‘allow connection’ button).

With a little creativity, you can use custom rules in Comodo to make it a great kill-switch. This tutorial from nvpn will show you how to do it step-by-step .

Create an app-level switch

There are two free programs that will give you the ability to kill specific applications if your VPN connection drops.

First up is VPNetmon which is completely free and extremely easy to use. Just add your preferred programs to the list. Vpnetmon can autodetect your true IPaddress and VPN IP, so and it will activate it your IP switches. It has two modes, standard or paranoid which determines how often it checks for ip changes (as low as 1/10th second).

VPNCheck is offered either as freeware or a paid pro version. The free version will be enough for most users and can operate in either app-level or internet-level kill switch mode, giving you the best of both worlds.

How to reset a kill switch

I bet ‘your VPN broke my internet’ is one of the biggest complaints VPN tech support faces. Many users don’t realize how powerful the kill-switch actually is. In order to restore internet access you either have to do one of two things:

  1. reconnect to the VPN
  2. Reset your DCHP settings for you network adapter

Resetting DCHP is easy, just rightclick the network/wifi icon in your system tray and run the troubleshooter.

Troubleshoot network settings (reset kill switch)

When you run the troubleshooter you’ll get a message like “Cannot reach DCHP gateway”. All you have to do is click the ‘fix’ button and it will reset your network adapter and automatically restore internet access.

For additional info and resources, check out the ‘Help! My killswitch broke my internet’ thread on Reddit .

Conclusion

Now that you know how a kill-switch works (and how to build your own if your VPN doesn’t offer one) you should be well on your way to optimal online security.

Just be aware that dropped VPN connections are not the only source of IP leaks. The other most common leaks (for OpenVPN) are DNS Leaks , where your website lookup requests are accidentally routed to the wrong DNS server (outside the VPN tunnel).

Make sure to check out our VPN reviews for the most up to date and in-depth info on our favorite VPN providers.

2 thoughts on “What is a VPN Kill-Switch, and How do you use one?”

Leave a Comment