Disclosure: Top10VPN is editorially independent. We may earn commissions if you buy a VPN through links on our site.

What Is a VPN Kill Switch?

JP Jones - CTO @ Top10VPN

JP Jones is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process. Read full bio

Our Verdict

A VPN kill switch is a security feature that automatically disconnects your device from the internet if your VPN connection is lost, and reconnects when the VPN connection returns. This protects your public IP address from being accidentally exposed, and prevents any browsing data being sent over an unsecured internet connection.

Man acting as a VPN kill switch, cuts off the internet connection

When you disconnect from a VPN, your web traffic is no longer encrypted or routed via a secure server. This can leave personally-identifying information including your IP address and browsing activity exposed to the internet.

If your VPN connection drops unexpectedly, your VPN’s kill switch should activate and block your device from connecting to the internet altogether. This prevents any data from traveling outside the encrypted VPN tunnel. For this reason, VPN kill switches are an essential security feature of any top VPN service.

Unfortunately, not every service comes equipped with a VPN kill switch. It’s also a feature that can vary greatly depending on the device, VPN protocol, and VPN service you’re using.

Some VPN kill switches are more reliable than others, and some only activate under certain circumstances or on certain devices.

You can use our kill switch tool to test your VPN’s kill switch feature. It’s the only tool available that can test, timestamp, and record VPN kill switch failures.

In this guide, you’ll learn how a VPN kill switch works and why it’s vital for your VPN to have one. We’ll also cover how to test your kill switch if you suspect it’s not working properly, as well as which VPNs have the best kill switch.

EXPERT ADVICE: Private Internet Access performed best in our in-depth VPN kill switch testing. It’s easy to set up, compatible on a wide range of devices, and consistently works for all types of VPN disconnections.

What Is a VPN Kill Switch & Why Do You Need One?

VPN kill switches vary by VPN service and device. However, their basic purpose remains the same: to block your access to the internet when your VPN connection fails.

Without this safeguard, you run the risk of exposing your personal data to the internet if your connection drops unexpectedly.

To understand why kill switches are so important, you need to know how a VPN works to protect your traffic.

Here’s what happens when you connect to a VPN server:

  1. Once you’ve connected to a VPN server of your choice, you can access a website on your browser.
  2. The VPN client on your device encrypts your outgoing data, concealing it from your internet service provider (ISP).
  3. The encrypted traffic is sent to the VPN server where it is assigned a new IP address.
  4. The VPN decrypts your data and then communicates with the destination website on your behalf.
  5. The process then happens in reverse, ending with the website information appearing in your browser.

At any point during this process the VPN connection can suddenly stop, removing your data’s encryption and revealing your real IP address to the websites you’re visiting.

If you’ve been connected to the same VPN server for a while, all of your browsing activity using that server will now be traceable back to your public IP address. Similarly, your web traffic from this point onwards will be unencrypted and associated with your real IP.

Here are some ways your IP address can be used

  • To find your exact location: Your IP address broadcasts your country, city, ISP, and even your ZIP code.
  • Leave you vulnerable to malicious attacks: Distributed Denial of Service (DDoS), doxxing, and vishing attacks can be carried out simply by obtaining your IP address.
  • Subject you to personalized ads: Carefully curated advertising content can be sent to your specific IP by third-parties.

A VPN kill switch ensures that your IP address and location remain private. We strongly recommend installing a VPN with kill switch enabled if you are concerned about ISP surveillance or what someone can do with your IP address.

How Does a VPN Kill Switch Work?

Here’s what happens when your VPN connection fails without a kill switch enabled:

A demonstration of what happens when a kill switch fails

Your personal data travels, unencrypted, to the Internet.

Here’s what happens when your VPN connection fails with a kill switch enabled:

A diagram of a working VPN kill switch

Your personal data is kept safe and secure until a VPN connection is reestablished.

How a kill switch works to protect your data can be broken down into four stages:

  1. Monitoring

    The VPN kill switch constantly surveys your VPN connection, monitoring any changes in your network status or IP address.

  2. Detecting

    Any change or disruption to your VPN connection is immediately detected by the kill switch.

  3. Disconnecting

    The kill switch will respond by blocking your device’s connection to the internet or to specifically chosen applications.

    This response will vary by the type of kill switch your VPN provider offers.

  4. Reconnecting

    Once your VPN connection is restored, the VPN kill switch deactivates and allows your internet connection to reestablish.

The Different Types of VPN Kill Switch

Though all kill switches will broadly follow the process outlined above, exactly how they work will depend on the type of kill switch in use.

Most importantly, VPN kill switches can vary by when they are engaged and how they are applied.

VPN kill switches can activate in two different ways:

  1. Active kill switch: The kill switch engages when it detects a disconnection from the VPN server, blocking your device’s connection to the internet. This type of kill switch does not intervene until it receives the necessary information from the VPN server.
  2. Passive kill switch: Your device is blocked from the internet at the exact moment you lose connection to the VPN server. This type of kill switch does not rely on any information from the VPN server to activate.

Active kill switches aren’t as secure because there is a minor delay between the VPN disconnecting and the kill switch receiving this information. During this period your data will be decrypted, unprotected, and broadcasting your real IP.

Passive kill switches are more secure and reliable, responding immediately to any changes in your network status. Fortunately, the majority of VPN providers are equipped with a passive kill switch.

  1. System level: Your entire device is blocked from the internet until the kill switch is disengaged.
  2. Application level: Only selected apps are disconnected from the internet in the case of a VPN disconnection. The rest of your device continues to function as normal.

System level kill switches are more commonly used by VPN providers as they offer greater protection. Disconnecting your entire device’s connection makes IP leaks far less likely.

Application level kill switches can be useful if you have a specific use-case for your VPN. For example, if you’re using a VPN to torrent then you may want to only block your torrenting client.

This offers greater flexibility as you can continue to browse freely while keeping your torrenting traffic safe.

EXPERT ADVICE: If you need a VPN with an application level kill switch we recommend NordVPN. It’s easy to set up and activates without fail.

What Causes a VPN Kill Switch to Activate?

Any disruption or change to your VPN connection will cause a VPN kill switch to engage and block your internet connection.

Your connection to a VPN server can be affected by a number of factors. We’ve outlined the main causes of VPN disconnections and their solutions below:

1. Weak signal strength

Solution: Avoid using public WiFi.

If your device experiences weak signal strength or a loss of internet connection then your VPN kill switch will engage.

To prevent this, avoid using less reliable networks such as mobile data or public WiFi. A strong and consistent internet connection is necessary for maintaining a VPN connection.

2. Strict firewall settings

Solution: Whitelist your VPN service.

Windows Security's firewall settings

You can change your firewall settings within Windows Security.

Your operating system’s firewall may block or disrupt VPN connections causing the kill switch to activate.

Any system updates may also change your firewall settings and prevent VPN connections from being established.

To solve this, add your VPN service to the firewall’s list of permitted applications. This ensures that your VPN connection bypasses the firewall and future-proofs it for any further system updates.

Follow these steps to whitelist your VPN on Windows firewall:

  1. Click the Windows Start button and open your Settings.
  2. Go to Updates & Security > Windows Security > Firewall & network protection > Allow an app through firewall.
  3. Then, select Change Settings and add the VPN Provider.
  4. If you can’t find your VPN in this list then select Allow another app… > Browse. Search for your VPN and click add to confirm the change.
  5. Once you’re finished click OK to save the changes.

Follow these steps to whitelist your VPN on macOS firewall:

  1. Go to System Preferences > Security & Privacy > Firewall.
  2. If prompted, select the lock symbol in the bottom left corner and enter your password.
  3. Press unblock.
  4. Then click Firewall options and click +.
  5. Select your VPN and click add.
  6. Once you’re finished click OK to save the changes.

3. Unreliable VPN protocol

Solution: Change to OpenVPN (TCP)

Any lapse in your internet or VPN connection can cause a kill switch to activate.

Many VPNs offer OpenVPN (UDP) as the default VPN protocol, which does not provide the most stable connection.

To avoid any unwanted kill switch activations, change your VPN protocol to OpenVPN (TCP).

The TCP protocol maintains a more stable VPN connection at the cost of reduced download speed.

When Should You Use a VPN Kill Switch?

You should keep a kill switch on at all times to ensure your data is kept private and secure.

However, there are specific use-cases when a kill switch is especially important:

Accessing Public WiFi

You are far more vulnerable to malicious attacks when using public WiFi. On a public network it’s not clear who set it up, who else is connected to it, and if it’s being monitored.

Accessing a Public Wifi network leaves you vulnerable to:

  1. Man-in-the-Middle (MitM) Attacks: This refers to any situation in which a third party interferes in communications between your device and the network you’re connecting to.
  2. Fake hotspots: An attacker mimics a public WiFi network by using a legitimate name such as ‘Free_Airport_WiFi’. The attacker can easily access the sensitive data of anyone who connects to this network.
  3. Session hijacking: A third party can monitor your browsing activity to gain the necessary information to hijack your online accounts.

Installing a VPN on your device encrypts your traffic and routes it through a secure VPN server, concealing your real IP address and making it virtually impossible for your traffic to be monitored or altered.

Connecting to public WiFi without a kill switch undermines any protection your VPN offers. Enabling a kill switch ensures your sensitive data will remain safe on public WiFi, even in the event of a VPN disconnection.

Torrenting & P2P Activity

Torrenting should always be carried out with a VPN. It conceals your online activity and identity from any potential onlookers.

Without a safe torrenting VPN, your true IP address and identity will be visible to everyone else in the torrent swarm. This includes copyright trolls, your ISP, or even the content owners.

A VPN protects you when torrenting by:

  1. Concealing your identity: By connecting to a VPN your real IP address is replaced by that of the VPN server. All of your online activity is encrypted, preventing third-parties from monitoring your downloads.
  2. Protecting against legal action: Countries are increasingly enforcing copyright laws against torrenting. While we don’t condone copyright breaches, it’s easy to unknowingly slip up. Equipping a VPN encrypts your information making it much harder to track your torrented downloads.
  3. Bypassing throttling and blocks: Your ISP may restrict your P2P connection speeds and even block your access to torrenting websites. A top-rated VPN can encrypt your traffic making it impossible for your ISP to detect and throttle P2P activity.

A VPN kill switch is essential for torrenting or any form of file-sharing. Torrenting without a kill switch runs the risk of your real IP address being exposed to your ISP, copyright trolls, and content owners.

If your VPN connection drops, even for a second, then your online identity will be visible to everyone in the torrent swarm.

How to Turn on a VPN Kill Switch

You can find the option to enable a kill switch in your VPN’s settings. On Windows and macOS this generally only involves ticking a box or toggling a switch, but there can be exceptions.

On Android and iOS the process can be more complicated. Your VPN may not support a kill switch on mobile, or it may require access to your device’s settings to set one up.

Here’s a video demonstrating how to turn on a VPN kill switch. We’ve used ExpressVPN’s Windows app as an example:

ExpressVPN's kill switch is called 'Network Lock' on both desktop clients.

How to Turn on a Kill Switch on Windows

Enabling a kill switch is a simple process on your PC. The kill switch option can normally be found within the settings of the VPN client.

VPN services usually offer the most advanced features in their Windows applications, and this is true for kill switches, too.

For example, Private Internet Access (PIA) is equipped with two levels of kill switch on Windows. The standard kill switch operates as you would expect, disabling your PC’s internet connection as soon as your VPN drops.

The kill switch settings for Private Internet Access' Windows client

You can customize PIA’s Windows kill switch.

The advanced kill switch is far stricter, preventing any traffic from leaving your device. Your computer will not reconnect to the internet, even if your VPN client is closed.

Customizable kill switches are normally only found on Windows apps, and occasionally on macOS. You won’t find this level of customization from any VPN service on mobile.

You may also come across VPNs on Windows that allow you to enable an application level kill switch. This is far more bespoke than an ordinary kill switch as it allows you to designate specific programs on your desktop to be disconnected from the internet.

How to Turn on a Kill Switch on macOS

Activating a kill switch on macOS is just a case of finding the right option in the application’s settings.

You won’t notice much difference in the functionality of a macOS or Windows kill switch. Depending on the VPN service, the macOS kill switch may have slightly less features than the Windows equivalent.

The kill switch settings for Private Internet Access' macOS client

PIA’s kill switch operates in exactly the same way as its Windows counterpart.

The difference is less noticeable with top-rated providers such as ExpressVPN, NordVPN, and PIA where the kill switch is identical on Windows and macOS.

In the example above, the kill switch is found within the Privacy tab of PIA’s settings.

Just like its Windows app, PIA allows you to choose between a standard and advanced VPN kill switch on macOS.

How to Turn on a Kill Switch on Android

Activating a kill switch on Android can be an invasive process as the VPN may require access to your device’s permissions.

Typically, the VPN’s app will not support kill switch software and will instead make use of Android’s Always-on VPN and Block connection without VPN features. These are both found within your device’s system settings.

The kill switch settings on Private Internet Access' android app

PIA allows you to choose between an ordinary kill switch and the native Android feature.

We’ve also tested VPN services with kill switches that cannot be toggled on and off on Android. The kill switch will automatically trigger in the event of a VPN disconnection and prevent any traffic from leaving your Android device.

ExpressVPN’s Android kill switch is an exception – you can find it within the app’s settings. Similarly, Surfshark and PrivateVPN both have kill switches that can easily be toggled on and off without redirecting you to your device’s settings.

Alternatively, some VPN services do not provide a kill switch on their Android apps at all.

How to Turn on a Kill Switch on iOS

Apple only implemented a native VPN kill switch feature in the iOS 14 update of September 2020.

The native feature is called VPN On Demand. Apple’s Platform Deployment guide explains that it allows developers to create rules for your VPN connection. This includes instructions for your device when responding to a loss in VPN connection.

As a result, not every VPN service has adopted this new software. Some notable examples of this include CyberGhost, PrivateVPN, and HMA.

If your VPN does support an iOS kill switch, you can expect it to be limited in both its function and customization.

For example, PIA does offer a kill switch on its iOS app, but the option to select the advanced tier has been removed.

The kill switch settings for Private Internet Access' iOS app

PIA only offers the standard kill switch on iOS.

Alternatively, your VPN may have an iOS kill switch automatically enabled by default despite not referencing the feature anywhere on the app itself.

Two of the best VPNs we’ve reviewed – ExpressVPN and NordVPN – both implement an automatic kill switch on iOS without any accompanying information.

Why Is My Kill Switch Not Working?

If your VPN kill switch isn’t working then there’s usually an issue with the VPN service, your device, or both.

Faulty or outdated VPN software can prevent your kill switch from triggering during an unexpected VPN disconnection.

Even some top-rated providers, such as ExpressVPN and PrivateVPN, do not protect your traffic when switching VPN servers.

ExpressVPN's warning message when switching VPN servers

ExpressVPN warns you before switching online locations.

Equally, your device’s firewall or system settings may prevent the VPN client itself from functioning properly.

We’ve outlined some possible solutions for both types of faults below:

1. Change the VPN Protocol

Chance of Success: High
Difficulty: Easy
Time: 1 Minute

Every VPN service functions differently depending on the protocol in use. This can include variations in the number of servers, advanced tunneling features, and the availability of a kill switch.

If your kill switch isn’t working, it may be due to the VPN protocol you’re using. Either the current protocol doesn’t support a kill switch or its kill switch doesn’t work properly.

From our testing, we found OpenVPN protocols to be the most compatible with a VPN kill switch – particularly OpenVPN TCP.

Some providers, such as Astrill and FastestVPN, only offer a VPN kill switch on OpenVPN protocols.

Try switching your VPN protocol to OpenVPN TCP and then test the kill switch again.

2. Run as Administrator

Chance of Success: High
Difficulty: Easy
Time: 1 Minute

A VPN kill switch requires access to your device’s internet connection so that it can be disabled in the event of a VPN disconnection.

This is an intrusive action which could be blocked by your PC. If that’s the case, you will need to manually upgrade your VPN’s permissions.

Here’s how to upgrade your VPN’s privileges:

  1. Navigate to the VPN’s app on your desktop.
  2. Right-click the app and select Run as administrator.
  3. A prompt will appear asking if the app can make changes to your device.

    Click Yes.

  4. The VPN should now have the necessary permissions to disable your internet connection.

EXPERT ADVICE: This solution is limited to Windows applications only. It isn’t possible to upgrade your VPN’s permissions in this way on Android, iOS, or macOS.

3. Update and Restart the App

Chance of Success: Medium
Difficulty: Easy
Time: 5 Minutes

NordVPN's Windows Client requesting an update to its software

Your VPN may prompt you to update the application.

You may be using an older version of a VPN app that doesn’t support a VPN kill switch or has a bug in its software preventing the kill switch from working correctly.

To determine whether your app is outdated, go to the VPN’s website and find the VPN apps page. This is normally labeled VPN Apps, Apps, or Download.

From here make a note of the current version of the VPN software and see if it matches the app installed on your device.

By installing the latest version of the app any known technical bugs should now be fixed, including a faulty kill switch.

4. Change Your Firewall Settings

Chance of Success: High
Difficulty: Hard
Time: 5 Minutes

As mentioned previously, your computer’s firewall may prevent any VPN connections from being established.

Even if you’re able to initially connect to a VPN server, your firewall may prevent the kill switch from reestablishing the VPN connection. This would leave your real IP address exposed without you ever realizing.

To fix this go into your device’s settings and add the VPN client to the list of apps that are allowed to pass through the firewall.

5. Contact Customer Support

Chance of Success: Medium
Difficulty: Easy
Time: 5 Minutes

If none of the solutions above work, contact the VPN’s customer support.

The quality of support can vary by provider but most VPNs will have an email or ticket system to answer queries.

At the very least the support agent can eliminate the possibility that your VPN is at fault for any kill switch issues

Which VPN Has the Best Kill Switch?

The majority of VPNs are equipped with a working kill switch – this is the absolute minimum we expect when it comes to security. However, not all VPN kill switches are effective or reliable.

We’ve tested dozens of VPN services to find the best VPN kill switches. Our criteria takes into account the number of compatible platforms, whether the kill switch can be turned on and off, and the level of kill switch customization available.

Every VPN we recommend on this page consistently passes our regular kill switch testing. That means the kill switch always activates immediately following a VPN disconnection and our real IP address does not leak.

We also expect the best VPNs to include an option for a permanent kill switch. This means your internet traffic is permanently blocked from leaving your device, even if your VPN client is turned off. You won’t be able to connect to the internet unless the VPN connection is reestablished first.

Here’s a table outlining the VPN kill switches that performed best in our testing:

1. Private Internet Access: The Best VPN Kill Switch

Pros
Cons
  • Kill switch available on Windows, macOS, Android, and iOS
  • Can alternate between a standard and permanent kill switch
  • Permanent kill switch ensures maximum privacy and security
  • Uses best-in-class protocols and encryption
  • Does not offer an application level kill switch

 

Private Internet Access (PIA) provides a secure, reliable, and customizable VPN kill switch across all of its applications.

You can choose between a standard and advanced kill switch with the latter permanently blocking all traffic from leaving your computer, even if the VPN is off and the client is closed.

This offers the highest level of security and privacy possible as it ensures any IP leaks are virtually impossible.

This feature is uniquely available on both PIA’s Windows and macOS apps. Typically, permanent kill switches are restricted to Windows.

It’s also rare to have the options to toggle a permanent kill switch off and choose a less restrictive alternative. This is a great level of customization and allows you to tailor the VPN to your privacy needs.

Visit PIA or read our Private Internet Access review to find out more.

2. NordVPN: Great for Customization

Pros
Cons
  • Kill switch available on Windows, macOS, Android, and iOS
  • Offers an application level kill switch for greater flexibility
  • Permanent kill switch ensures maximum privacy and security
  • Uses best-in-class protocols and encryption
  • Offers no alternatives to the permanent kill switch
  • Kill switch cannot be disabled on iOS

NordVPN is one of the most secure and trustworthy VPNs we’ve reviewed and this is reflected in its excellent kill switch feature.

Its Windows kill switch is the one of the best we’ve tested, offering both system and application level functionality. Enabling the system level kill switch permanently blocks all traffic from leaving the PC, even if the VPN is off and the client is closed.

The kill switch settings for NordVPN's Windows client

You can choose between a system and application level kill switch on NordVPN.

The option to enable an application level kill switch is a welcome layer of customization which is rare among VPN services.

We would, however, like the option to change the permanent kill switch to a less restrictive setting.

You can learn more about its suite of features, easy to use apps, and fast connection speeds in our NordVPN review.

Visit NordVPN or read our full NordVPN review

3. Surfshark: Best VPN Kill Switch for Mobile

Pros
Cons
  • Kill switch available on Windows, macOS, Android, and iOS
  • Kill switch can be enabled on iOS and Android without changing device settings
  • Does not offer a permanent kill switch option
  • Does not offer an application level kill switch

Surfshark’s mobile apps are equipped with reliable and easy to use VPN kill switches.

It’s one of a select few VPNs that supports its own in-built kill switch on Android and iOS, without the need to customize your device’s settings.

Enabling the Kill Switch in Surfshark's Windows client

Enabling the kill switch in Surfshark’s Windows client.

Surfshark’s apps are easy to use for beginners who may not be familiar with VPN software or network security.

For example, if you disconnect from a VPN server on Windows, a prompt will appear explaining that the kill switch will not trigger from a manual disconnection. This is a helpful inclusion as kill switches can be quite opaque in how they operate.

The kill switch itself is quite basic, lacking any customization. We recommend using NordVPN or PIA if you’re looking for more advanced kill switch features.

Visit Surfshark or read our full Surfshark review.

4. Proton VPN Free: Best Free VPN Kill Switch

Pros
Cons
  • Kill switch available on Windows, macOS, Android, and iOS
  • Permanent kill switch ensures maximum privacy and security
  • Free to use
  • Does not offer an application level kill switch
  • Limited server network

Proton VPN Free is the best free VPN with a kill switch. Its secure, permanent kill switch is not hidden behind a paywall so you don’t need to compromise on your online security or privacy.

It’s also available on multiple platforms, including: Windows, macOS, Android, and iOS

Enabling Proton VPN's kill switch in the app

Proton VPN Free includes a kill switch.

Unlike most free VPNs, Proton VPN Free does not set a monthly data cap meaning you don’t have to worry about your kill switch unexpectedly turning off once you’ve reached your limit.

Proton VPN Free does come with the expected limitations of a free VPN service. This includes a poor server network of just 3 countries and underwhelming long-distance connection speeds.

Is it Bad to Leave the Kill Switch on All the Time?

There’s no downside to leaving a kill switch on permanently, but you may find it disruptive to your online activity.

If you play online video games you might want to use an application level kill switch. This ensures that your connection to the game won’t be severed if the kill switch activates.

Leaving a kill switch on won’t affect your device’s performance, the VPN’s effectiveness, or your internet connection speeds.

Are All Kill Switches on by Default?

Every VPN kill switch functions differently depending on the provider and platform. You may need to manually enable the VPN kill switch or it could be active automatically.

You should always check the VPN’s settings to make sure the kill switch is enabled before connecting to a VPN server.

If you’re not sure your kill switch is on, use our kill switch testing tool to verify that your data is protected.

About the Author


  • JP Jones - CTO @ Top10VPN

    JP Jones

    JP Jones is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process. Read full bio