What Is a Kill Switch
A VPN kill switch is a safety mechanism that cuts your internet connection if the VPN connection drops unexpectedly. Without a kill switch: if your VPN disconnects mid-session, your traffic continues over your regular internet connection -- briefly exposing your real IP address and any data you're transmitting. With a kill switch: if the VPN drops, all internet access is blocked until the VPN reconnects or you manually disable the kill switch. It prevents accidental IP leaks during VPN disconnections.
When VPN Connections Drop
VPN connections drop more often than most people realize: when switching between WiFi and mobile data, when waking a device from sleep, when the VPN server has a momentary issue, when your router assigns a new IP address, or during network congestion. In a typical day of use, a VPN connection may disconnect and reconnect several times -- usually fast enough that you don't notice. Without a kill switch, each reconnection briefly exposes your traffic.
Types of Kill Switches
System-level kill switch (also called network lock): blocks all internet traffic at the OS level when VPN is down. Most secure -- even applications that bypass the VPN app itself can't send unprotected traffic. Application-level kill switch: only kills specific applications (e.g., your torrent client) when VPN drops, while allowing general browsing to continue. Less common in consumer VPNs but useful for specific use cases.
Which VPNs Have Reliable Kill Switches
Mullvad: widely considered to have the most reliable kill switch implementation. Network lock works at the firewall level and is difficult to bypass even by system-level events. ProtonVPN: strong kill switch, includes a 'Always-on VPN' mode that reconnects automatically and maintains the lock. ExpressVPN: 'Network Lock' kill switch available on all platforms including Mac and Windows. NordVPN: kill switch available on all platforms, has had some reliability issues in past versions but improved in 2024+. Important: VPN kill switch on iOS and macOS works differently due to Apple's VPN framework restrictions -- test it on your specific platform.
How to Test Your Kill Switch
Step 1: connect to your VPN. Step 2: visit whatismyip.com and note the VPN IP address. Step 3: manually disable your network adapter (or disconnect WiFi). Step 4: re-enable the adapter. Step 5: before the VPN reconnects, quickly check if any traffic is flowing. Step 6: check whatismyip.com again -- if kill switch worked, either no connection or still the VPN IP. A simpler test: visit an IP-checking site, then force-quit the VPN application (not just disconnect -- kill the process). Your browser should freeze or show an error, not load a page showing your real IP.