VPN Kill Switch Explained: What It Does, Why It Matters, How to Verify Yours Works

A VPN kill switch blocks all non-VPN traffic when the tunnel drops, preventing your real IP from leaking mid-session. Here is what each major audited VPN ships, and how to test it yourself.

By Subger Editorial Team. Updated 30 April 2026. 6 min read.

What a VPN kill switch is

A VPN kill switch is a feature that blocks all internet traffic on a device whenever the VPN tunnel is not active. The point is to prevent your real ISP-assigned IP from leaking to a destination service in the brief window between a tunnel drop and a reconnect. Tunnels drop for ordinary reasons — network change, server restart, laptop sleep — and without a kill switch the OS fails open, routing packets via the bare interface until the VPN reconnects. With a kill switch, those packets are dropped. The destination service either sees the VPN exit IP or it sees nothing.

Which audited VPNs ship a kill switch

All five major audited paid VPNs ship a kill switch in their official client apps: Mullvad (firewall mode is the kill-switch implementation; documented at mullvad.net), Proton VPN (kill switch + permanent kill switch options on every platform), NordVPN (system-wide kill switch on macOS / Windows / Linux; iOS uses Apple's Always-On VPN profile), ExpressVPN (Network Lock — branded kill switch), and Surfshark (kill switch documented in app settings). The implementation differs by platform: on macOS / Windows / Linux, an OS-level firewall rule is the strongest implementation; on iOS, kill-switch behavior depends on whether the configuration is installed as a Per-App VPN or an Always-On profile.

Kill-switch behavior is part of the audit scope

Kill-switch behavior is not just a feature — it is a standard test target in the published infrastructure audits. Cure53's Mullvad audit (June 2024) included white-box security testing covering 'anything impacting privacy' on production OpenVPN and WireGuard servers; failing to recover a dropped connection without leaking would be a finding. Praetorian and Cure53 reviewed ExpressVPN's Lightway Rust rewrite in Sep–Oct 2024; the post-retest result in December 2024 confirmed remediation of all reported issues. The kill switch's correctness is implicitly part of any 'no-logs / no-leak' claim — if a kill switch failure leaks the real IP, the no-logs property is moot for that connection.

How kill-switch implementations differ

Three patterns exist. (1) OS-level firewall rules — strongest. The VPN client installs PF/iptables/Windows Firewall rules that drop all non-tunnel traffic. Mullvad's firewall mode is this category. (2) App-level kill switches — weaker. The VPN client kills traffic only from a configured app list. Useful for selectively dropping a torrent client when the tunnel drops, but does not protect background traffic from other apps. (3) iOS Always-On VPN — strong but conditional. The OS-level Always-On configuration ensures no traffic flows without the VPN, but only works when configured as a managed profile, not as a one-tap consumer install. Always-On VPN documentation is on Apple's developer site (developer.apple.com).
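To make pattern (1) concrete, here is an added example of what an OS-level kill switch looks like as an nftables ruleset on Linux. It is written for this article and is not Mullvad's, or any other provider's, actual client code: the tunnel interface name (wg0), the server endpoint 203.0.113.10 (an RFC 5737 documentation address) and UDP port 51820 are constructed sample values, and the script assumes a UDP endpoint such as WireGuard (for OpenVPN over TCP the endpoint rule would use `tcp`). Everything that leaves the host must go out via loopback or the tunnel; the only exceptions are the packets needed to bring the tunnel back up (DHCP, and the handshake to the VPN server itself), so a dropped tunnel fails closed rather than open.

```shell
#!/bin/sh
# Added example (not from the article or any VPN vendor): a minimal
# fail-closed kill switch as an nftables ruleset. Requires root and nft
# to apply; rendering the ruleset needs neither.

# render_kill_switch_rules TUN_IF SERVER_IP SERVER_PORT
# Prints an nft ruleset that drops every outbound packet except:
#   - loopback
#   - traffic already inside the tunnel interface
#   - DHCP (so Wi-Fi can reacquire an address after a network change)
#   - the UDP handshake to the VPN server, so the client can reconnect
# The inet family covers both IPv4 and IPv6, so IPv6 fails closed too.
render_kill_switch_rules() {
    tun_if=$1; server_ip=$2; server_port=$3
    cat <<EOF
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$tun_if" accept
        udp sport 68 udp dport 67 accept
        ip daddr $server_ip udp dport $server_port accept
        reject with icmpx type admin-prohibited
    }
}
EOF
}

# apply_kill_switch TUN_IF SERVER_IP SERVER_PORT   (needs root)
# The final reject rule makes blocked connections fail immediately with
# "no route to host" style errors instead of hanging until a timeout.
apply_kill_switch() {
    render_kill_switch_rules "$@" | nft -f -
}

# remove_kill_switch: deletes the whole table, restoring normal routing.
remove_kill_switch() {
    nft delete table inet killswitch
}

# Usage (sample values are constructed; substitute your own endpoint):
#   sh killswitch.sh show   wg0 203.0.113.10 51820   # print the rules
#   sudo sh killswitch.sh apply  wg0 203.0.113.10 51820
#   sudo sh killswitch.sh remove
case "${1:-}" in
    show)   render_kill_switch_rules "$2" "$3" "$4" ;;
    apply)  apply_kill_switch "$2" "$3" "$4" ;;
    remove) remove_kill_switch ;;
esac
```

Two things this minimal ruleset deliberately leaves out, which real clients handle as options: local-network access (printers, file shares), which needs extra accept rules for the LAN prefix, and DNS, which here is forced through the tunnel because the resolver on the bare interface is unreachable. If the DHCP exception were missing, toggling Wi-Fi during the test in the next section would leave the interface without an address and the tunnel would never come back.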

How to verify your kill switch is working

Connect to your VPN, open a terminal, run `curl ifconfig.me` to confirm the VPN exit IP appears. Then disable your network interface (Wi-Fi off / Ethernet unplugged) and re-enable it. While the network is being re-established, run the same curl in a tight loop. If during the re-connect window you see your real ISP IP, the kill switch failed. If you see nothing (curl errors with 'no route to host' or similar) until the VPN reconnects, the kill switch worked. This test is destructive only to the running VPN session — it does not require any account or test rig. Repeat for each VPN protocol your client supports (WireGuard and OpenVPN behave differently when re-connecting).
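The "tight loop" above is easy to get subtly wrong: a `curl` with no timeout hangs for a minute on the first blocked request, so a real leak a few seconds later is never observed. The script below is an added example for this article, not part of it, that polls the public IP once a second with a short timeout and labels each observation as the VPN exit IP, a blocked request, or a leak of the real ISP IP. It uses ifconfig.me as the article does; the one-second interval, the three-second timeout and the sample addresses in the usage comment (RFC 5737 documentation ranges) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the article): poll the public IP while the
# network is toggled and flag any observation of the real ISP address.

# classify_observation OBSERVED VPN_EXIT_IP REAL_IP
# Prints one of: vpn | blocked | LEAK | other
classify_observation() {
    observed=$1; vpn_ip=$2; real_ip=$3
    if [ -z "$observed" ]; then
        echo blocked     # curl got no answer: the kill switch dropped it
    elif [ "$observed" = "$vpn_ip" ]; then
        echo vpn         # traffic is still leaving through the tunnel
    elif [ "$observed" = "$real_ip" ]; then
        echo LEAK        # the real ISP IP reached the service: kill switch failed
    else
        echo other       # e.g. the client reconnected to a different exit
    fi
}

# lookup_ip: prints the public IPv4 address, or nothing on any error
# (timeout, "no route to host", DNS failure). The short --max-time is
# what keeps the loop tight enough to catch a leak of a few seconds.
lookup_ip() {
    curl -4 -s --max-time 3 ifconfig.me 2>/dev/null || true
}

# watch_kill_switch VPN_EXIT_IP REAL_IP [SECONDS]
# Polls once per second for SECONDS (default 60) and prints a timestamped
# verdict per sample. Returns non-zero if any sample was a LEAK.
watch_kill_switch() {
    vpn_ip=$1; real_ip=$2; duration=${3:-60}
    end=$(( $(date +%s) + duration ))
    leaked=0
    while [ "$(date +%s)" -lt "$end" ]; do
        ip=$(lookup_ip)
        verdict=$(classify_observation "$ip" "$vpn_ip" "$real_ip")
        printf '%s %-8s %s\n' "$(date +%H:%M:%S)" "$verdict" "$ip"
        if [ "$verdict" = LEAK ]; then
            leaked=1
        fi
        sleep 1
    done
    [ "$leaked" -eq 0 ]
}

# Usage (addresses are constructed samples; use your own):
#   1. With the VPN connected, note the exit IP:   curl ifconfig.me
#   2. With the VPN off, note your real ISP IP:    curl ifconfig.me
#   3. Reconnect the VPN, start the watcher, then toggle Wi-Fi off/on:
#        sh killswitch-check.sh watch 198.51.100.7 203.0.113.42 60
# A run that only ever prints "vpn" and "blocked" passed; any "LEAK" line
# means the real IP was exposed during the reconnect window.
if [ "${1:-}" = "watch" ]; then
    watch_kill_switch "$2" "$3" "${4:-60}"
fi
```

Run it once per protocol the client offers, as the article suggests; a WireGuard reconnect is typically much faster than an OpenVPN one, so the window in which a failed kill switch would show up as a LEAK line differs in length, and a one-second poll can miss a very short window. If the output shows "blocked" and then "other" rather than "vpn", the client came back on a different exit server, which is normal.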

When the kill switch is enough — and when it is not

A kill switch protects the brief tunnel-drop window. It does not protect against DNS leaks while the tunnel is up (those are a separate concern, covered by the VPN's DNS configuration), and it does not retroactively un-leak data that flowed before the tunnel went up. Always start the VPN before launching the activity that depends on the VPN — kill switches do not have a memory.

Sources

Mullvad audit (Cure53, June 2024): mullvad.net/en/blog/fourth-infrastructure-audit-completed-by-cure53
Proton VPN no-logs audits: protonvpn.com/blog/no-logs-audit
NordVPN audits: nordvpn.com/blog/nordvpn-no-logs-audit-2024
ExpressVPN Lightway audits: expressvpn.com/blog/lightway-audits-cure53-praetorian
Apple Always-On VPN: developer.apple.com (search 'Always-On VPN')
All URLs accessed 2026-04-30.