Kill switches explained: what they do, when they fail
A kill switch is the difference between a dropped packet and a leaked IP. But not every implementation actually kills the connection when the tunnel dies.
What a kill switch is supposed to do
A VPN tunnel occasionally drops: because your network flipped, because the server restarted, because your laptop went to sleep. Without a kill switch, your OS fails open: packets route via your real ISP until the tunnel reconnects. The kill switch's job is to block all non-VPN traffic for that window so you never leak. It sounds trivial. The implementation details are not.
Where implementations fail
We test kill switches by yanking the tunnel mid-connection on purpose. The failures we see most often: (1) app-level kill switches that only cover the VPN client process, so a background updater can still leak; (2) kill switches that close on tunnel drop but re-open the moment the app detects any network, not specifically the VPN server; (3) iOS kill switches that only work while the app is foregrounded. Only OS-level firewall rules (NordVPN Threat Protection Pro, Mullvad's firewall mode, WireGuard-native kill switches) pass our failure test end-to-end.
How to verify yours works
Connect to your VPN, open a curl loop hitting ifconfig.me every second, then disable your network interface and re-enable it. If you see a real IP between the disconnect and the reconnect, the kill switch failed. On Mullvad, Proton VPN, and NordVPN (with Threat Protection Pro on) we never saw a leak. On every other provider we tested, we saw at least one.
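The verification loop described above, written out as a shell script (an added example, not part of the original article): it records the VPN exit address while the tunnel is up, probes ifconfig.me about once a second, and labels every sample. The function names, the --watch argument and the sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example: kill-switch leak watcher. Start it with --watch while the VPN
# is connected, then disable and re-enable the network interface.
PROBE_URL="https://ifconfig.me"   # endpoint named in the article

# classify VPN_IP OBSERVED_IP -> ok | blocked | LEAK
# An empty OBSERVED_IP means the probe got no reply, which is what a working
# kill switch should produce while the tunnel is down.
classify() {
    if [ -z "$2" ]; then echo blocked
    elif [ "$2" = "$1" ]; then echo ok
    else echo LEAK
    fi
}

# count_leaks VPN_IP: reads "timestamp observed_ip" lines on stdin and prints
# how many samples exposed an address other than the VPN exit.
count_leaks() {
    vpn_ip=$1; leaks=0
    while read -r _ts observed; do
        if [ "$(classify "$vpn_ip" "$observed")" = LEAK ]; then
            leaks=$((leaks + 1))
        fi
    done
    echo "$leaks"
}

# watch_tunnel: take the current public address as the VPN baseline, then
# print one classified sample per probe until interrupted with Ctrl-C.
watch_tunnel() {
    vpn_ip=$(curl -s --max-time 5 "$PROBE_URL" || true)
    [ -n "$vpn_ip" ] || { echo "no baseline: connect the VPN first" >&2; return 1; }
    echo "baseline (VPN exit): $vpn_ip"
    while :; do
        observed=$(curl -s --max-time 2 "$PROBE_URL" 2>/dev/null || true)
        echo "$(date +%H:%M:%S) ${observed:-no-reply} $(classify "$vpn_ip" "$observed")"
        sleep 1
    done
}

# Constructed sample log (documentation addresses): VPN exit 198.51.100.7,
# one blocked probe, then two probes exposing 203.0.113.45.
SAMPLE_LOG='12:00:01 198.51.100.7
12:00:02
12:00:03 203.0.113.45
12:00:04 203.0.113.45
12:00:05 198.51.100.7'

if [ "${1:-}" = "--watch" ]; then watch_tunnel; fi
```

Any LEAK line between the disconnect and the reconnect is a failed test; a run of blocked lines followed by ok is the passing pattern.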