Disclosure: TheBestVPN is reader-supported. When you buy a VPN through links on our site, we may earn commissions. Learn more.

What Is a VPN Kill Switch and Why You Need One

Valdas Bertašavičius

Valdas Bertašavičius

Tech reviewer and editor of TheBestVPN.com

Article Summary

  • What it is: a kill switch cuts your internet if the VPN connection drops, so your real IP and traffic aren’t exposed in the gap before you reconnect.
  • Two types: application-level (blocks only the apps you designate) and firewall-based (blocks all traffic outside the tunnel at the system level). The firewall type is more thorough.
  • Who needs it most: anyone on public Wi-Fi, torrenting, or relying on a VPN to avoid surveillance. Less critical if you only use a VPN for streaming.
  • Worth knowing: we tested 30 VPN kill switches and half showed some kind of leak, so the feature existing isn’t the same as it working well.

A kill switch is a core VPN security feature that prevents data leaks when the connection to the VPN server drops. It protects your information if the VPN cuts out on public Wi-Fi, or even if you disconnect by mistake.

We tested 30 VPN kill switches, and half of them demonstrated some kind of leak. If you care about your online privacy, it’s worth understanding how they work, because it helps you choose a VPN that actually protects your data rather than one that just lists the feature on a spec sheet.

How Does a VPN Kill Switch Work?

The simple version: a kill switch terminates your internet access whenever the connection to the VPN server drops. Most consumer VPNs use one of two methods, an application-level kill switch or a firewall-based one. I’ll explain both shortly.

Normally, if the VPN tunnel drops, your operating system falls straight back to your regular internet service provider (ISP) connection. In that moment, your IP address and DNS queries become visible to your ISP, or to anyone monitoring your local network.

Keep in mind that the initial connection from your device to the ISP isn’t encrypted by default. It simply creates a path to the internet. If someone is monitoring your local network, that brief window is when they can see which sites you’re connecting to and when.

With a kill switch on, that window closes. Even though HTTPS encrypts the contents of the pages you load, it doesn’t hide your IP address or which sites you’re visiting, and that’s exactly the exposure a kill switch is there to prevent.

Why a VPN Kill Switch Is Essential (and Why VPNs Disconnect)

A kill switch protects your device at its most vulnerable moment. Without one, you may not even notice the VPN connection has dropped, and your traffic quietly reverts to the standard ISP connection while you carry on as normal.

This matters most on public Wi-Fi, which drops connections far more often than a home network. Every time the Wi-Fi stutters, the VPN connection drops with it. Attackers know this, and some go further with a Wi-Fi deauthentication attack, which forcibly knocks your device off the network. When your device reconnects, it may latch onto a malicious lookalike hotspot (an “evil twin”) set up nearby.

Here’s where the kill switch earns its place: in the seconds between the VPN dropping and reconnecting, it blocks all internet access instead of letting your device communicate unprotected. Once the VPN tunnel is back up, your traffic is encrypted again and shielded from anyone watching the network.

Types of VPN Kill Switches: System-Level vs. Application-Level

There are two types of VPN kill switch, and the difference between them is how much they actually block.

The first, an application-level kill switch, only shuts down the specific apps you’ve designated if the VPN drops. The VPN app monitors the connection and closes those chosen apps when it detects a drop. The limitation is that anything you haven’t added to the list keeps talking to the internet over your unprotected ISP connection.

The second, a firewall-based kill switch, is the more thorough method. It creates operating-system network rules that force all traffic through the VPN tunnel and block everything else. Nothing reaches the internet outside the encrypted tunnel, full stop.

With the firewall-based type, internet access stays blocked even if you disconnect from the VPN server yourself. For political activists, torrenting, or getting around censorship in authoritarian countries, that’s the option worth choosing, because it leaves no gap for traffic to slip through.

How To Enable a VPN Kill Switch (and Its Downsides)

Turning on a VPN kill switch is easy. VPNs that offer the feature include it in their settings, though the exact steps differ from app to app.

For this example, I’ll use Surfshark. To reach it, first open the Surfshark VPN settings.

Surfshark settings

At the top, choose the VPN settings option. Locate the Kill Switch feature and turn it on.

Surfshark kill switch settings

Surfshark offers both options. It can block internet access only when it notices an unexpected disconnect (the application-wide kill switch), or whenever the connection is terminated in any way, even by you (the firewall-based kill switch).

This VPN also has a Bypasser feature. It lets you select an app, a website, or an IP address that always keeps internet access. So even with Surfshark’s strict kill switch on, you can keep a few chosen apps or sites working while everything else stays blocked.

Surfshark bypasser

As for downsides, there aren’t many, and they’re mostly inconvenience rather than risk. If you’re on a Zoom call and the VPN drops, you’ll be cut off from the call until it reconnects. Your system also won’t download updates or sync in the background during that gap.

To summarize, this is more of a minor annoyance than a real technical drawback. Whether you’re torrenting or browsing on public Wi-Fi, a VPN kill switch keeps you protected even when the network hiccups.

FAQs

+ Should I always keep my VPN kill switch turned on?
+ Do all VPNs have a kill switch feature?
+ Does a VPN kill switch slow down my internet connection?