What Is a VPN Kill Switch?
A VPN kill switch is a feature that blocks network traffic if the VPN tunnel disconnects unexpectedly. This article explains what a kill switch actually does, how it is implemented at the operating system level, and how to verify that the feature is working correctly.
Definition
A kill switch is a network-level control that prevents traffic from leaving the device through an unprotected interface while the VPN is nominally active. If the VPN tunnel disconnects — whether due to network changes, server failure, or any other reason — the kill switch ensures that traffic does not silently fall back to the default network interface.
The feature is sometimes also referred to as “network lock,” “always-on protection,” or “internet kill switch.” The behavior is the same regardless of the name.
Why Kill Switches Exist
VPN tunnels are not always perfectly stable. Network changes such as switching from Wi-Fi to cellular, moving between access points, or losing signal in a road or rail tunnel can briefly interrupt the connection. Server maintenance, intermittent peering issues, or rare protocol errors can also cause disconnections.
Without a kill switch, the operating system will route traffic through whatever interface remains available. From the user's perspective, the device appears to continue functioning normally — web pages load, applications connect — but the traffic is now traversing the local network and ISP rather than the VPN.
For users who rely on the VPN for privacy or for accessing location-specific services, this silent fallback defeats the purpose of using a VPN. The kill switch ensures that connectivity is suspended rather than silently redirected.
How It Is Implemented
Kill switch implementations vary by platform. Two general approaches exist.
System-Level Implementation
On platforms with built-in VPN support, the kill switch is enforced by the operating system. On iOS, the Network Extension framework exposes an includeAllNetworks option on the VPN protocol configuration. When it is set, the system routes all traffic into the tunnel and discards packets rather than letting them fall back to the physical interface while the tunnel is down. Because the enforcement sits in the operating system's network stack rather than in the VPN app, it applies to all applications, including those running in the background.
On Linux, kill switches are typically implemented with firewall rules (iptables or nftables) that drop all outbound traffic on the physical interfaces except the encrypted transport to the VPN server's address and port, while permitting loopback and anything sent through the tunnel interface itself. The rules are added when the tunnel is established and removed when it is intentionally disconnected. Ordering matters: if the rules are installed only after the tunnel is up, traffic sent in between is unprotected, so careful clients install the block first and then bring the tunnel up.
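As an added example (not Snap VPN's code, nor any particular client's), the following POSIX shell script generates the nftables ruleset described above and applies it with nft. The VPN server address 203.0.113.10, port 51820 and the interface names tun0 and wg0 are placeholders. It goes slightly beyond the description: it also handles an IPv6 server address, keeps DHCP and IPv6 neighbour discovery working so the physical link stays usable, and explicitly drops and counts plaintext DNS that tries to leave on the physical interface, since a kill switch that lets port 53 out is only half a kill switch.

```shell
#!/bin/sh
# nftables kill switch for a Linux client. Added example, not Snap VPN's code.
# Placeholders: VPN server 203.0.113.10 on UDP 51820, tunnel interface tun0;
# substitute your own values. The apply/remove steps must run as root.

# Emit a ruleset that lets out only: loopback, the encrypted transport to the
# VPN server, DHCP and IPv6 neighbour discovery (so the physical link stays
# alive), and whatever goes through the tunnel interface. Everything else,
# including plaintext DNS on the physical interface, is dropped and counted.
#   $1 VPN server address   $2 transport (udp|tcp)   $3 port   $4 tunnel interface
killswitch_ruleset() {
    server=$1 proto=$2 port=$3 tun=$4
    # an address containing ':' is IPv6; nftables needs the matching family keyword
    case $server in *:*) fam=ip6 ;; *) fam=ip ;; esac
    cat <<EOF
add table inet killswitch
flush table inet killswitch
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        # the tunnel's own encrypted transport must still reach the server
        $fam daddr $server $proto dport $port accept
        # keep the physical link usable: DHCP renewals and IPv6 neighbour discovery
        udp dport 67 accept
        icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
        # anything inside the tunnel is protected (this must precede the DNS drops)
        oifname "$tun" accept
        # plaintext DNS around the tunnel is the classic leak; count it so it shows in nft list
        udp dport 53 counter drop
        tcp dport 53 counter drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        iifname "$tun" accept
    }
}
EOF
}

# Load the ruleset atomically (nft -f - reads it from stdin) and tear it down again.
killswitch_apply()  { killswitch_ruleset "$@" | nft -f - ; }
killswitch_remove() { nft delete table inet killswitch ; }

# Usage: ./killswitch.sh apply 203.0.113.10 udp 51820 tun0
#        ./killswitch.sh remove
case "${1:-}" in
    apply)  shift; killswitch_apply "$@" ;;
    remove) killswitch_remove ;;
esac
```

Apply it before bringing the tunnel up and remove it only on an intentional disconnect; `nft list table inet killswitch` then shows the counters on the two DNS drop rules, which should stay at zero while the tunnel is up if the resolver is reached through it. Because the input chain also defaults to drop, inbound connections to the host over the physical interface (an SSH session, for instance) are cut as well; that is the right default for a client device and needs an extra accept rule on a server.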
Application-Level Implementation
Some VPN applications implement the kill switch within the application itself, monitoring the tunnel and adjusting routing or firewall rules in response to disconnection. Application-level implementations are more flexible but depend on the application remaining active to enforce the policy.
System-level enforcement is generally more reliable because it continues to operate even if the VPN application crashes or is terminated.
Types of Kill Switches
Kill switches can be configured in several modes that differ in how aggressive they are about blocking traffic.
- Permanent kill switch. Traffic is blocked whenever the VPN is not actively connected, including when the application has not been launched. This provides the strongest guarantee but requires explicit action to disable.
- Session kill switch. Traffic is blocked only during an active VPN session. If the user disconnects manually, the kill switch deactivates and normal traffic resumes.
- Application-specific kill switch. Available on some desktop platforms, this mode blocks specific applications when the VPN is down while allowing others to continue normally. The configuration is useful for tools that handle sensitive data, but the granularity adds complexity.
When the Kill Switch Triggers
The kill switch is designed to handle conditions that the operating system would not normally treat as failures. Common triggers include:
- The VPN server becomes unreachable due to network outages or server-side maintenance.
- The device network interface changes — for example, transitioning from Wi-Fi to cellular — and the tunnel does not re-establish quickly.
- A protocol-level error causes the tunnel to terminate.
- The local network drops packets to or from the VPN server, including in certain captive portal scenarios.
During each of these conditions, the kill switch suspends traffic until either the tunnel is re-established or the user explicitly disables the kill switch.
Limitations
A kill switch is a defensive feature, not a complete solution. Two limitations are worth noting.
The transition is not always instantaneous. Between the moment the tunnel fails and the moment the kill switch fully engages there may be a window in which traffic could leak. What determines its length is whether the block is in place before the failure or installed in reaction to it: a firewall policy that only ever permitted traffic on the tunnel interface has nothing to do when the tunnel goes away, so there is no window at all, whereas an implementation that waits for a disconnect event and then adjusts routes or rules leaves a window as long as detection takes. On well-designed systems the window is short, but it is not always zero. System-level implementations close this window more reliably than application-level ones.
DNS leaks are a separate concern, and one that arises while the tunnel is up rather than when it is down. A kill switch prevents IP traffic from leaving through unprotected interfaces, but DNS queries go to whichever resolver the system is configured with, typically one learned from the local network via DHCP. If that resolver sits on a directly connected network, the query takes the local route instead of the tunnel and reveals every hostname the device looks up, even though the VPN is connected. A complete configuration therefore uses both a kill switch and DNS routed through the tunnel: the resolver is one reached via the tunnel, and port 53 on any other interface is blocked. Snap VPN configures both by default.
Verification
A kill switch can be verified by simulating a tunnel failure and confirming that traffic is blocked.
- Connect the VPN and confirm that an IP-reporting service shows the server's address.
- Without disconnecting through the application, remove the path the VPN is using while leaving some other path available. On a phone, turn Wi-Fi off while the tunnel is active so that the device falls back to cellular. On a desktop with a single uplink, take the tunnel interface down or kill the VPN process instead; disabling the only network interface proves nothing, because no traffic can leave the device either way.
- Attempt to load a web page. With a working kill switch, the page should fail to load until the tunnel is re-established or the kill switch is intentionally disabled.
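The same three steps for a Linux client, scripted, as an added example that is not Snap VPN's tooling. It assumes a tunnel interface named in TUN (default tun0), an IP-reporting service at IP_SERVICE (https://ifconfig.me is a placeholder; any service that echoes the caller's address will do), curl and iproute2, and root. The simulated failure is taking the tunnel interface down, which removes its routes and makes the kernel fall back to the physical default route, which is exactly the path the kill switch must block.

```shell
#!/bin/sh
# Simulated tunnel failure on a Linux client. Added example, not Snap VPN's
# tooling. Placeholders: tunnel interface $TUN, IP-reporting service $IP_SERVICE.
# Run as root; reconnect the VPN afterwards to restore service.

TUN=${TUN:-tun0}
IP_SERVICE=${IP_SERVICE:-https://ifconfig.me}
PROBE_DELAY=${PROBE_DELAY:-2}   # seconds to let the client notice the failure

# Ask the IP-reporting service which address it sees. A short budget matters:
# with a working kill switch the request must fail, not hang.
fetch_public_ip() {
    curl -sS --max-time 5 "$IP_SERVICE"
}

# Simulate the failure. Taking the tunnel interface down removes its routes,
# so the kernel falls back to the physical default route; that fallback is
# what the firewall must block. (Disabling the only uplink instead would
# prove nothing, since nothing could leave the device anyway.)
tunnel_down() {
    ip link set "$1" down
}

# Which interface the kernel would now use for an arbitrary Internet address.
fallback_path() {
    ip -o route get 203.0.113.1 2>/dev/null || echo "no route"
}

# Returns 0 if traffic stayed blocked while the tunnel was down, 1 on a leak,
# 2 if the pre-check through the tunnel already failed.
verify_kill_switch() {
    before=$(fetch_public_ip) || { echo "pre-check failed: $IP_SERVICE unreachable via tunnel"; return 2; }
    echo "egress seen before failure: $before (expect the VPN server's address)"
    tunnel_down "$TUN"
    sleep "$PROBE_DELAY"
    echo "kernel route without the tunnel: $(fallback_path)"
    if after=$(fetch_public_ip 2>/dev/null); then
        echo "FAIL: traffic left the device, egress seen as $after"
        return 1
    fi
    echo "PASS: request failed while the tunnel was down; reconnect the VPN to restore service"
    return 0
}

# Usage: ./verify-killswitch.sh run
case "${1:-}" in
    run) verify_kill_switch ;;
esac
```

The route line printed after the tunnel goes down is the silent fallback from earlier in this article made visible: it names the physical interface the kernel would now use, and the probe that follows shows whether the kill switch stops it. A FAIL with a home or ISP address in the output means both a leak and, usually, a DNS lookup that left the device too, since the service is reached by hostname.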
On iOS, the kill switch is enforced at the system level when the VPN profile is configured with the appropriate options. Snap VPN enables the kill switch by default and does not expose it as an optional setting — the feature is part of the standard configuration rather than a setting that can be inadvertently disabled.
For more on VPN configuration and what a VPN can be expected to do, see our introduction to VPNs and the iPhone setup guide.