VPN kill switches explained, why you need one and how to use them

A button with the caption VPN
(Image credit: Shutterstock)

Install a VPN and you might think your internet activities are fully protected from snoopers. With every site you access, all the data you transfer is sent through the VPN's secure encrypted tunnel and so keeping it safe from prying eyes.

Unfortunately, if the VPN connection fails (e.g. server problem, weak Wi-Fi signal, overloaded network, etc) then your device may switch to your regular unprotected connection. Sites then get your real IP address, Wi-Fi hotspots might see the websites you're accessing, and the VPN won’t be encrypting any of your data.

Most VPN providers handle this situation by offering a kill switch - although some give it a different name, like ExpressVPN's Network Lock or Windscribe's Firewall. But is this an effective solution?

In this article we'll explain what a kill switch does, the different types of kill switches available, and how you can make sure your VPN kill switch is set up correctly.


What does a VPN kill switch do?

The idea behind a kill switch is simple. Essentially, if the VPN connection drops, the kill switch activates and blocks your device's internet access. This prevents you accidentally sending data outside of the secure VPN tunnel, because if the tunnel fails then you won't be able to send any data at all.

Every platform has its own tools for making this happen. An Android VPN app might use Android's built-in 'Always-on VPN' setting, for instance (Settings, Connections, More Connection Settings, VPN.) But Windows VPNs often use the Windows Filtering Platform (the technology behind Windows Firewall), and Mac and iPhone VPN apps have further techniques of their own.

If the VPN drops, then however the kill switch kicks in, your VPN app usually tries to reconnect. Once the tunnel is up again, your internet access is automatically restored.

As an aside, all this cross-platform complexity makes it challenging for VPN providers to offer a kill switch on every device type. Keep that in mind if you visit a provider's website and it boasts about having a great kill switch, but doesn't list the supported platforms. Check the rest of the site, maybe in the Support pages, to find out if there's a kill switch on all apps.

Graphic of a laptop losing network connectivity

(Image credit: ExpressVPN)

Kill switch modes

Although the concept of a kill switch is simple, the reality is more complicated, because every provider and app has its own way of working. There are two common approaches.

The most popular type, such as ExpressVPN's Network Lock on Windows, only blocks your internet access if the VPN drops unexpectedly. If you manually disconnect, or close the VPN app, the kill switch is disabled and you're free to browse as usual.

But others (including NordVPN's Windows app) don't allow any internet access at all unless you're connected to the VPN. If you manually disconnect, or close the app, you won't be able to get online until the VPN connection is re-established.

Which is best depends on your needs.

NordVPN's guarantees security but can be a hassle, if you need to use your browser, find the VPN is down and have to wait to reconnect. 

ExpressVPN's approach is more convenient, but also increases the potential security risk, as it's possible you might forget to connect to the VPN before you use the web for something sensitive.

If you can't decide, look out for a provider who supports both. For example, Windscribe's Firewall defaults to an Automatic mode which works like ExpressVPN's Network Lock, but an Always On option works more like NordVPN, blocking all internet access unless the VPN is up.

NordVPN's application-level kill switch closes your chosen apps if the VPN drops

(Image credit: Future)

What is an application-level kill switch?

NordVPN and a handful of other providers also include an application-level kill switch.

This technology monitors your system, and if it detects a dropped connection, closes the apps you specify. You might tell the VPN app to shut down your browser and torrent client, for instance, ensuring they won't use an unprotected connection.

Application-level kill switches don't offer much security. But they're also less likely to get in your way than the usual type, as they only affect the apps you specify and won't block anything else.

If you only need the most basic protection for one or two apps, an application-level kill switch might be useful. But if you're looking for something more comprehensive, we'd stick with a system-wide kill switch.

Should I use a kill switch?

A kill switch is a last line of defense if your VPN fails, a way to guarantee that your online actions remain hidden from others.

But as we've discussed, some kill switches can be a usability hassle, especially if they don't allow you to access the internet unless the VPN is up.

If you're an activist who must protect your identity, accessing business resources or sensitive sites via public Wi-Fi, downloading torrents, or other sensitive operations, then it's important to stay safe and we'd recommend you turn your kill switch on.

If your VPN use isn't so privacy-critical, and you're mostly just using the service to unblock streaming websites, then a kill switch is less important. There's no harm in at least trying it, though, so we'd trying a kill switch when you first install an app, and only disabling it if you run into problems.

Graphic representing a kill switch

(Image credit: NordVPN)

How do I turn on a kill switch?

A kill switch is so important that you might every VPN app would turn it on by default, but that isn't always true. If you think you need a kill switch, or you're just curious to see what your app offers, head off to your VPN Settings and look for relevant options.

Sometimes it's easy to find the right page (NordVPN has a 'Kill Switch' section), but often you'll have to look more closely. ExpressVPN's Windows app has Network Lock settings on its General page; CyberGhost has an Automatic Kill-Switch option in its Privacy Settings, and Surfshark's setting is in its Connectivity menu. 

If your app has separate settings per Protocol then check those, too. For example, IPVanish's Mac app has a Kill Switch option on its OpenVPN settings page.

How do I configure a kill switch?

Many apps only have a simple On/Off kill switch option, but some give you more. For example, Private Internet Access' Windows kill switch can be set to Always (block all internet traffic unless the VPN is connected) or Automatic (block internet traffic if the VPN connection drops unexpectedly, but allow it when you manually disconnect.)

Look for other settings which might help. If the connection drops, for instance, you'll probably want to know about it, so make sure any Notification option is enabled. And if there's an Automatic Reconnect setting, turn that on, too, and the app should reconnect to the VPN in a very few seconds.

Once you're fully set up, test your VPN kill switch to get a general idea of whether it's working as you expect.

Now repeat the process for the VPN apps on each of your other devices. As we've mentioned above, keep in mind that each platform may have its own kill switch settings. Menu names and options might vary between platforms, so be sure to browse all the available options, and look out for anything relevant.

TOPICS
Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.