What Is a VPN Kill Switch?

A VPN kill switch is a security feature that blocks all internet traffic if the VPN connection drops unexpectedly. Without a kill switch, a momentary VPN disconnection causes your device to fall back to your regular internet connection — briefly exposing your real IP address and unencrypted traffic to your ISP and any websites you were visiting. Kill switches prevent this exposure window by cutting the network connection entirely until the VPN reconnects.

Why VPN Connections Drop

VPN connections can drop for multiple reasons: switching WiFi networks or moving between WiFi and cellular; sleep and wake cycles on laptops and phones (the network adapter is reset when the device wakes); ISP-side connectivity hiccups; VPN server overload or maintenance; router reconnections (your home IP changes when the modem reconnects); and software issues in the VPN client. Any of these can cause a VPN reconnection gap ranging from a fraction of a second to several seconds.

During this gap, your OS routes traffic directly over the regular internet connection. If you were engaged in an activity where IP exposure matters, that brief exposure may be significant. Examples include BitTorrent (seeding exposes your IP to peers and potentially copyright monitoring), accessing region-locked content (the service may log the real IP), and any activity where you relied on the VPN for anonymity.

How Kill Switches Work

A kill switch operates at the application level, the system level, or the router level. Application-level kill switches are built into the VPN client software. When the VPN client detects that the tunnel has dropped, it sends a command to the OS firewall to block all outbound traffic except on the VPN tunnel interface. When the tunnel reconnects, the firewall rules are removed. This approach works for all traffic on the machine but depends on the VPN client remaining running and responsive.

System-level (firewall-based) kill switches configure the OS firewall directly to only allow traffic through the VPN tunnel interface. This is more robust — it does not depend on the VPN client being running, and a crashed VPN client does not leave traffic flowing unprotected. Setting this up manually requires configuring Windows Firewall, iptables (Linux), or macOS pf to block traffic on all interfaces except the VPN tun/wg interface and DNS.
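One way to build the system-level variant on Linux, as an added example that is not from the original page: the function prints an iptables-restore ruleset that drops all outbound traffic except loopback, the tunnel interface, and the encrypted packets to the VPN server itself. The interface name `wg0`, the endpoint `203.0.113.5:51820` and the function name are constructed, and the example assumes the endpoint is given by IP so that DNS can travel inside the tunnel.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a system-level kill switch.
# Interface name, endpoint address and port used below are constructed sample values.

# killswitch_rules VPN_IF ENDPOINT_IPV4 ENDPOINT_PORT udp|tcp
killswitch_rules() {
    vpn_if=$1 endpoint=$2 port=$3 proto=$4

    # Reject unexpected characters so nothing but a name, address, port
    # and protocol can end up inside the generated rules.
    case $vpn_if in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
    case $endpoint in ''|*[!0-9.]*) echo "bad endpoint address" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    case $proto in udp|tcp) ;; *) echo "bad protocol" >&2; return 1 ;; esac

    cat <<EOF
*filter
# Default-deny: if the tunnel interface disappears, nothing else matches.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Cleartext traffic may leave only through the tunnel interface.
-A OUTPUT -o $vpn_if -j ACCEPT
# The encrypted tunnel packets themselves must reach the VPN server.
-A OUTPUT -d $endpoint/32 -p $proto --dport $port -j ACCEPT
# DHCP lease renewal on the local network, so the physical link stays up.
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
COMMIT
EOF
}

# Sample run with constructed values; pipe the output to iptables-restore to apply.
killswitch_rules wg0 203.0.113.5 51820 udp
```

Because the rules live in the OS firewall, they keep blocking even if the VPN client crashes. iptables filters IPv4 only, so IPv6 needs an equivalent ip6tables ruleset or has to be disabled on the host.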

Router-level kill switches configure the firewall on your router (pfSense, OPNsense, or Tomato) to only allow WAN-bound traffic through the VPN interface. If the VPN tunnel goes down, the firewall blocks all outbound traffic for the affected network segment. This protects every device on the network without any per-device software.

When Do You Need a Kill Switch

A kill switch is essential when VPN protection must be continuous and a gap is unacceptable. Use cases: privacy-sensitive browsing where any IP exposure defeats the purpose; accessing country-restricted content where your real IP would immediately be refused access; or any scenario where you have explicitly selected a VPN for privacy and a fallback to your real IP would be a security failure.

For most casual VPN users (bypassing geographic restrictions to access streaming, general privacy from ISP tracking), brief reconnection gaps are acceptable and a kill switch is optional comfort. For users with high privacy requirements, a kill switch is a non-optional feature — evaluate any VPN service specifically on whether its kill switch is reliable and system-level rather than application-level only.

Kill Switch Implementation Types

| Type | How It Works | Reliability | Setup | Coverage |
|---|---|---|---|---|
| Application kill switch (VPN client) | VPN client software manages firewall rules | Good (client must stay running) | Toggle in VPN app settings | All traffic on the device |
| System firewall kill switch | OS firewall blocks non-VPN traffic | Very good (works if client crashes) | Manual firewall configuration | All traffic on the device |
| Router-level kill switch | Router firewall allows only VPN tunnel traffic | Excellent | pfSense/OPNsense firewall rules | All devices on the network |
| No kill switch | Traffic falls back to regular connection | N/A | N/A | VPN drops expose real IP |

Frequently Asked Questions

Do all VPNs have a kill switch?

No. A kill switch is an optional feature that not all VPN services implement. Even among those that include it, quality varies: some kill switches work reliably at the OS firewall level; others are application-level only and may fail if the VPN client crashes. When evaluating a VPN, specifically test the kill switch by simulating a connection drop (disable the VPN interface while connected) and verify that internet access is blocked during the reconnection period.

How do I test if my VPN kill switch works?

Connect to your VPN and note your IP address via a site like whatismyip.com. Then disable your network adapter temporarily (or put the device in airplane mode and back) and check your IP again while the VPN is reconnecting. If the kill switch is working, you should see no internet connectivity during the gap (or your IP should remain the VPN IP throughout). If your real IP appears even briefly, the kill switch is not functioning correctly.
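Reloading an IP-check page can miss a gap that lasts a fraction of a second, so this added example (not from the original page) goes one step beyond the manual check: it scans `tcpdump -n` output captured on the physical interface during the drop and reports every outbound IPv4 packet that was not addressed to the VPN server. The capture lines, addresses and the function name are constructed.

```shell
#!/bin/sh
# Added example: find packets that bypassed the tunnel in a tcpdump -n capture
# taken on the physical interface (IPv4 lines only).

# find_leaks MY_LAN_IP VPN_ENDPOINT_IP LAN_PREFIX   (capture text on stdin)
# Prints "timestamp destination" for each leaked packet.
find_leaks() {
    awk -v me="$1" -v endpoint="$2" -v lan="$3" '
    # tcpdump prints "a.b.c.d.port:"; keep only the four address octets.
    function host(addr,   n, p) {
        sub(/:$/, "", addr)
        n = split(addr, p, /\./)
        return (n >= 4) ? p[1] "." p[2] "." p[3] "." p[4] : addr
    }
    $2 == "IP" && $4 == ">" {
        src = host($3); dst = host($5)
        if (src != me) next              # inbound packet, not sent by this host
        if (dst == endpoint) next        # encrypted tunnel traffic, expected
        if (index(dst, lan) == 1) next   # stays on the local network
        print $1, dst                    # left the host outside the tunnel
    }'
}

# Constructed capture: tunnel packet, a leaked HTTPS SYN, DHCP renewal, tunnel reply.
SAMPLE_CAPTURE='12:00:01.000100 IP 192.168.1.10.40000 > 203.0.113.5.51820: UDP, length 148
12:00:02.500200 IP 192.168.1.10.51234 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
12:00:02.600300 IP 192.168.1.10.68 > 192.168.1.1.67: BOOTP/DHCP, Request, length 300
12:00:03.100400 IP 203.0.113.5.51820 > 192.168.1.10.40000: UDP, length 92'

printf '%s\n' "$SAMPLE_CAPTURE" | find_leaks 192.168.1.10 203.0.113.5 192.168.1.
```

An empty result over the whole drop-and-reconnect window means nothing left the device outside the tunnel; any printed line is a packet the kill switch failed to block.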

Does a kill switch slow down my VPN?

No. A kill switch is a firewall rule that is inactive during normal VPN operation — it only activates when the VPN drops. During normal operation, traffic flows through the VPN tunnel without any kill switch overhead. The only impact is the deliberate blocking of traffic during a reconnection gap, which is exactly what it is designed to do.

What is a split tunnel kill switch?

Split tunneling routes only some traffic through the VPN while other traffic goes directly to the internet. A split tunnel kill switch blocks only the traffic that was configured to go through the VPN if the VPN drops, while traffic on the direct internet path continues normally. This is more complex to implement correctly and not all VPN clients support it. Most kill switches apply to all traffic by default.
