
Kill Switch

A VPN client feature that blocks all internet traffic the moment the encrypted VPN tunnel drops. It prevents your real IP address and DNS queries from leaking outside the protected connection.

A VPN kill switch is a safety feature in VPN clients. If the encrypted tunnel between your device and the VPN server drops unexpectedly, the kill switch immediately blocks all incoming and outgoing internet traffic until the connection is restored.

Why you need a VPN kill switch

Without a kill switch, your device silently falls back to the regular internet connection whenever the VPN tunnel briefly drops. In that short window, several types of traffic can leak out unprotected:

  • IP address: Websites, trackers and peers in a torrent network see your ISP’s real IP address instead of the VPN server’s.
  • DNS lookups: The queries your device uses to translate domain names like neoguard.ch into IP addresses. If these get answered outside the VPN tunnel, your ISP learns which domains you visit, even though it can’t see the content.
  • IPv6 traffic: IPv6 is the newer internet protocol, the successor to IPv4. If the kill switch blocks only IPv4 traffic, IPv6 traffic can slip past the tunnel during the reconnect phase. Researchers have observed IPv6 leaks across nearly all providers, although it remains unclear how much of this is down to client misconfiguration, such as a disabled kill switch.

Browsers, mail clients, cloud sync and background services immediately reuse the ISP connection without you noticing.

For business use under nFADP obligations this matters: transmitting personal data outside the encrypted tunnel can be treated as an unintended disclosure to third parties, even if it lasts only seconds.

How a VPN kill switch works technically

A VPN kill switch is more than a feature inside the VPN client. It is a firewall rule that the VPN client anchors deep in the operating system:

  • Proton VPN uses the Windows Filtering Platform (WFP) on Windows, a kernel-level packet filter.
  • Mullvad uses pfctl on macOS, Apple’s native packet filter.
  • NordVPN distinguishes explicitly between Internet Kill Switch (blocks all traffic) and App Kill Switch (terminates only selected applications).

This depth is necessary: if the VPN app itself crashes or hangs, traffic should stay blocked anyway. A kill switch that ran only inside the VPN app would be useless the moment that app fails.

System-wide or app-specific?

  • System-wide kill switch: Blocks all traffic outside the VPN tunnel. This is the right default when you work from untrusted networks on the go (e.g. a coworking space).
  • App-specific kill switch: Terminates or blocks only selected applications (e.g. browser, email client). Useful when you only need one specific workload protected.

Proton VPN also offers an Advanced Kill Switch. While a regular kill switch blocks traffic only during unexpected tunnel drops, the Advanced Kill Switch blocks all traffic without an active VPN tunnel. That also applies after a reboot, a shutdown or a deliberate disconnect. No connection is possible without VPN until you turn the setting off in the app.

Limitations to be aware of

  • Often off by default: On most desktop clients the kill switch has to be enabled manually. Exception: with Mullvad the kill switch cannot be disabled by design.
  • iOS and Android behave differently: Mobile operating systems manage VPNs themselves. On Android you also need the OS-level options “Always-on VPN” and “Block connections without VPN” on top of the app’s feature for real system-level protection.
  • VPN clients use deep system hooks: That depth brings robustness but also occasional bugs after OS updates. German tech publication heise reported in April 2026 that the kill switch in a popular macOS client could not be disabled for a period until the vendor shipped a hotfix.
  • IPv6 coverage isn’t universal: Some clients only block IPv4, or require explicit IPv6 configuration. After enabling the kill switch, you can verify with tools like ipleak.net whether IPv6 is also blocked.
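The IPv6 gap described above can be reproduced with a small packet-filter model. This is an added example, not code from any VPN vendor: it assumes simplified first-match rule semantics rather than the actual WFP or pf syntax, and the interface names (eth0, tun0), the port and the addresses (documentation ranges) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    label: str
    iface: str   # interface the OS routes the packet over
    dst: str     # destination IP address
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    iface: Optional[str] = None   # None matches any interface
    family: Optional[int] = None  # 4, 6, or None for both address families
    dst: Optional[str] = None     # None matches any destination
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.family is None or self.family == ipaddress.ip_address(p.dst).version)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))

def verdict(rules, p, default="pass"):
    """First matching rule wins; a packet no rule matches gets the default (unfiltered = pass)."""
    return next((r.action for r in rules if r.matches(p)), default)

# Constructed rule sets: both allow the tunnel and the reconnect to the VPN server.
TUNNEL = Rule("pass", iface="tun0")
VPN = Rule("pass", iface="eth0", dst="203.0.113.10", dport=51820)
IPV4_ONLY = [TUNNEL, VPN, Rule("block", family=4)]   # forgets IPv6
DUAL_STACK = [TUNNEL, VPN, Rule("block")]            # blocks both families

# Tunnel is down: the OS sends everything over the physical interface.
TUNNEL_DOWN = [
    Packet("ipv4-web", "eth0", "198.51.100.7", 443),
    Packet("dns-to-isp", "eth0", "192.0.2.53", 53),
    Packet("ipv6-web", "eth0", "2001:db8::7", 443),
    Packet("vpn-reconnect", "eth0", "203.0.113.10", 51820),
]

def leaks(rules):
    """Labels of packets that leave outside the tunnel, other than the reconnect attempt."""
    return [p.label for p in TUNNEL_DOWN
            if p.label != "vpn-reconnect" and verdict(rules, p) == "pass"]

if __name__ == "__main__":
    print("IPv4-only rules leak:", leaks(IPV4_ONLY))
    print("Dual-stack rules leak:", leaks(DUAL_STACK))
```

Because the rules match on interface and destination rather than on the state of the VPN app, the block stays in place even if that app crashes.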

When does a VPN kill switch make sense?

The moment you use a VPN for privacy or compliance reasons, enabling the kill switch is worthwhile. That applies in home offices, coworking spaces, hotel or airport Wi-Fi, and anywhere a short connection drop would expose your real IP address or unencrypted queries. If you only care about geo-unblocking (e.g. streaming services), the feature isn’t strictly required. In a business context the kill switch belongs to the set of reasonable technical safeguards.
