How to test your VPN kill switch: a beginner's guide

A red switch with the caption KILL
(Image credit: Shutterstock)

Using a VPN normally directs all your web traffic through a secure encrypted tunnel, protecting it from snoopers. But what if your VPN connection drops? Your device might switch to a less secure network, such as an insecure Wi-Fi hotspot, putting your data at risk - the same danger which persuaded you to sign up for a VPN in the first place.

A VPN kill switch detects a dropped VPN connection and immediately blocks your internet access, ensuring traffic never leaves your device unprotected. That's the theory, at least. But does your app really deliver? You can begin to find out in just a couple of minutes.


The PageRefresher.com website

(Image credit: PageRefresher.com)

1. Check your current internet connection

The first step in running a simple kill switch test is to check the details of your regular internet connection (whatever you'll use when the VPN is off).

Disconnect from your VPN and turn the kill switch off. If you don't know where to do that, check the Settings panel: NordVPN has a Kill Switch section, ExpressVPN has a Network Lock option under the General tab.

Head to the Page Refresher website , a handy site which can automatically refresh your chosen URL at regular intervals.

Copy and paste http://ip-api.com/csv into the Page Refresher address box, and set the 'Refresh page at every...' box to 1 second.

Click Start and Page Refresher opens a new browser tab with your current IP address and location, then refreshes it every second.

When you see these details in the Page Refresher window, you know your device is using your current unprotected internet connection. Use a VPN and its kill switch should prevent you from accidentally switching back to the connection, but is that what happens? Let's see.

Ivacy VPN apps include a kill switch

(Image credit: Ivacy)

2. Connect to your VPN

Turn your VPN kill switch back on, then choose a VPN location in another country (anywhere other than the country you're in now), hit the Connect button, and watch the Page Refresher window. 

You'll probably see error or 'No Internet' messages for a few seconds, but that often happens as network settings are updated. Once the VPN says it's connected, wait a few seconds more, and the window should display your VPN's IP address and location.

You're now ready for your first test. If your VPN kill switch disables internet access entirely when you're not connected to the VPN, then just hit your app's Disconnect button and watch the Page Refresher window. 

If you see the location of your regular connection, even briefly, that means the kill switch didn't block Page Refresher's traffic. That might not matter much if it was just a second or two, but it could be a problem if it lasts for longer.

But if the kill switch works as it should, you'll see the VPN IP address disappear, to be immediately replaced by a blank window, or maybe DNS or 'No Internet' error messages. And when you reconnect, the error messages should be replaced by the VPN's IP and location, without your ever seeing the details of your normal connection.

(If it looks like your VPN has failed, make sure you're very clear how the app's kill switch should work before you complain to your provider or ditch the service entirely. NordVPN's Windows Kill Switch blocks your internet unless you're connected to the VPN, so our test applies. But ExpressVPN's only kicks in if the connection drops unexpectedly: it won't activate if just hit Disconnect.)

The IP-API.com website can display details on your IP address and location

(Image credit: ip-api.com)

3. Change your VPN location

Next, connect to your VPN, then (if your app allows it) try switching to another location, while watching the Page Refresher window. 

Most apps now close your first connection, then begin establishing the next. 

If the kill switch works, it should kick in as soon as the first connection closes. The Page Refresher window should jump from your VPN IP and location, to 'no internet' or similar errors during the reconnection, then switch straight to the new VPN IP.

But if the kill switch isn't fully protecting you, there's a chance you'll see your real IP and location after the first VPN connection closes. This may only be for a few seconds, the time it takes to establish the second connection, but it still indicates the kill switch isn't properly doing its job.

4. Forcibly drop the VPN connection

The main purpose of a VPN kill switch is to protect you from a dropped connection. It's not easy to simulate that, but you can disrupt your VPN connection and see if the kill switch kicks in.

If you're on a mobile device and connected to Wi-Fi, for instance, move out of range of the router. If you've more than one network available, try switching from one to the other. Or if you're at home, just turn your router off and on again. 

The idea is to forcibly break your current connection, and see how the app behaves. Does it warn you that the connection has dropped, for example? Does it automatically reconnect? (If not, check your app settings, there may be an option to turn that on.) 

And, crucially, does the kill switch correctly block internet access, so the Page Refresher window only shows your VPN IP and location? Or, do you see your original location, at least briefly, until the app can reconnect to your VPN?

Whatever you try, keep in mind that kill switch effectiveness can vary by platform: just because your Android VPN app does well, doesn't mean it'll protect you on iPhone or desktops. Ideally, run at least some tests on every device type where you use the VPN.

The ExpressVPN Windows kill switch correctly blocks outgoing traffic

(Image credit: ExpressVPN)

Pass, or fail?

Let's be frank: this is probably just about as basic a kill switch test as you'll get. There are many important issues it won't catch. VPNs may not properly direct DNS traffic through the tunnel, for instance, but there's no way to spot that here.

That means you should be careful how you interpret the results. If an app seems to do well, only ever displays your VPN IP in the Page Refresher window, then it's better than many. But this doesn't guarantee its kill switch is bug free. There may be other issues we've just not spotted.

The real value of the test comes in finding apps which fail. You might not be able to tell for sure if a kill switch works in every situation, but identifying apps which don't deliver is still very useful - especially when a test is as quick and easy as this one.

TOPICS
Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.