A kill switch is a safety net. When your VPN connection drops unexpectedly, a kill switch cuts your internet access entirely rather than letting your traffic revert to your unprotected connection.
Without a kill switch, a momentary VPN disconnection (server issue, network change, device sleep) exposes your real IP address and unencrypted traffic to your ISP and any websites you’re visiting. This can happen in seconds, silently, with no indication that anything changed.
Why VPNs disconnect
VPN connections are not guaranteed to stay up indefinitely. Common causes of disconnection:
- Server-side issues (the VPN server restarts or experiences a failure)
- Network changes on your end (switching from WiFi to cellular, or between networks)
- Your device going to sleep and waking up
- ISP-level disruptions
- Protocol negotiation failures
Most of these are brief. But brief is enough to expose your real IP to whatever you were doing at that moment.
How a kill switch works
A kill switch monitors your VPN connection continuously. When it detects the tunnel has dropped, it applies a firewall rule that blocks all internet traffic at the network level. Your apps stop working, your browser returns an error, and no data leaves your device until the VPN connection is restored and the kill switch is released.
There are two types:
App-level kill switch: Only blocks traffic from specific apps you configure (for example, your torrent client). Other apps continue to use your regular connection if the VPN drops. Useful if you want some apps protected and others not.
System-level kill switch: Blocks all internet traffic from all apps when the VPN drops. More complete protection, but means nothing works until the VPN reconnects.
Who needs a kill switch
Torrenters: Your IP address is visible to everyone in the torrent swarm. A VPN drop exposes your real IP to all connected peers. A kill switch ensures this never happens.
Privacy-conscious users: If you’re using a VPN specifically to hide your activity from your ISP, a drop without a kill switch completely undermines the reason you have a VPN.
Users in restrictive countries: If your VPN drops while you’re accessing blocked content, you want the connection to fail closed rather than expose what you were accessing.
For everyday users who use a VPN mainly for streaming or general browsing from home, the kill switch is less critical. Netflix shows an error, the VPN reconnects, and you resume. But for anyone using a VPN for genuine privacy purposes, a kill switch is not optional.
How to enable the kill switch
NordVPN: Settings > Kill Switch. Two options: “Internet Kill Switch” (blocks all traffic) and “App Kill Switch” (block specific apps). Recommend enabling Internet Kill Switch.
Surfshark: Settings > Connectivity > Kill Switch. Toggle on.
ProtonVPN: Settings > Kill Switch. Available on Windows, macOS, Linux, and Android.
Android OS-level: Settings > Network & Internet > VPN > your VPN > gear icon > “Block connections without VPN.” This is a system-level kill switch independent of the VPN app.
Testing your kill switch
Connect to your VPN, note your current IP at a site like whatismyip.com, then disconnect the VPN manually while running a network test. If the kill switch works, the network test will fail or time out rather than showing your real IP.
Want to compare all VPNs side by side? Check our full VPN comparison table with scores across 18 criteria.
Enable the kill switch. It costs nothing, requires one setting change, and prevents the most common way VPNs fail in practice: a brief disconnection that exposes your real IP. If your VPN doesn't have a kill switch, that's a reason to switch providers.
App-level vs system-level kill switches
The label hides two different mechanisms. App-level kill switches close specified applications when the tunnel drops: the torrent client dies, the browser dies, whatever you listed dies, while the rest of the system reconnects normally. System-level (or firewall-level) switches block all network traffic until the tunnel returns, implemented as firewall rules that simply have no route outside the VPN. The system level is the stronger guarantee and the modern default in serious apps; NordVPN, Proton and Surfshark all implement it, with app-level as an optional refinement.
The distinction matters most on platforms with weaker implementations: some TV and mobile apps offer only partial protection, and a few budget providers still ship kill switches that miss the brief reconnection window where packets escape. Testing yours (the section above) beats trusting the checkbox, whatever the platform.
Always-on VPN: the kill switch’s bigger sibling
Modern operating systems offer a complementary control. Android’s system settings include Always-on VPN with Block connections without VPN, which enforces the tunnel at OS level regardless of what the app does; iOS achieves similar behavior through provider apps’ on-demand rules. Windows and macOS rely on the providers’ firewall-based switches, which the major apps implement well.
Belt-and-suspenders configuration for anyone whose threat model justifies it: provider kill switch on, OS-level always-on where available, and auto-connect on untrusted networks. Configured once, the stack means there is simply no boot state or crash state in which your traffic walks naked; the laptop in the café can fail any way it likes and the firewall rules hold.
When the kill switch annoys you, and what that’s telling you
The complaints are predictable: downloads die overnight when a server hiccups, smart home apps lose connectivity mid-update, video calls drop instead of degrading. Each annoyance is the feature working; the question is whether the protection fits the activity. The graceful answer is split tunneling, covered in our dedicated guide: route the privacy-sensitive apps through the tunnel under kill switch protection, and let the genuinely indifferent traffic (the printer, the speaker) live outside it. Disabling the switch globally because one app complained is the wrong fix in almost every case; the inconvenience is usually one split-tunnel rule away from gone.
The five-minute setup, provider by provider
NordVPN: Settings, Kill Switch, choose Internet Kill Switch (system-wide) and optionally App Kill Switch with your list; both persist across reconnects. Surfshark: Settings, VPN settings, Kill Switch toggle, with its stricter Strict Mode for the always-on behavior. Proton VPN: Settings, Kill Switch, choose Standard or Permanent, the latter blocking traffic even when the app is closed, the strongest consumer implementation of the idea.
Whichever provider, finish with the test from the section above: force-kill the VPN process mid-download and watch traffic stop. Thirty seconds of theater, lifelong calibration of trust in the checkbox. And revisit after major app updates; kill switch implementations are exactly the kind of plumbing that regressions occasionally visit.
The mental model to leave with: a VPN without a kill switch is a promise that holds except at the worst moments, since disconnections cluster exactly when networks are flaky, which is exactly when you’re on networks you trust least. The switch converts “encrypted most of the time” into “encrypted or silent,” and the second formulation is the only one a privacy tool should offer.
(Practical postscript: when shopping, search a provider’s support pages for “kill switch” before buying; implementation detail and platform coverage vary, and the support article tells you more truth than the feature grid.)
Keep reading: VPN Split Tunneling Explained: What It Is and When to Use It and How to Check if Your VPN Is Leaking Your IP Address.