A kill switch is a VPN feature that blocks all internet traffic on your device if the VPN connection drops unexpectedly. It prevents your real IP and traffic from leaking during the gap between disconnect and reconnect.
What it does
VPN connections drop sometimes — network switches, server restarts, sleep/wake transitions. Without a kill switch, your device falls back to your normal unprotected internet during the drop, briefly exposing any active connections.
The kill switch closes that gap. When it detects the VPN tunnel is down, it activates a firewall rule that blocks all outbound traffic until the tunnel reconnects. Apps see "no internet" briefly instead of leaking through your regular connection.
Types of kill switches
- App-level: implemented inside the VPN client. Activates when the client detects a disconnect. Vulnerable to the VPN app itself crashing.
- System-level: configured at the OS level. Stronger because it survives VPN-app crashes. On Android, this is the "Block connections without VPN" setting.
- Per-app: kill switch behavior applied to specific apps only. Less common, niche use cases.
When you should enable it
- On public WiFi or any untrusted network — kill switch on.
- For privacy-sensitive activity — kill switch on.
- On mobile devices with frequent network changes — kill switch on (drops happen often).
- Routine home use on trusted networks — optional.
Common gotchas
- Captive portals: kill switch can block you from reaching the captive portal page when first joining public WiFi. Most clients pause the kill switch briefly to let you authenticate; some don't.
- Local network access: kill switch usually blocks local IPs too — your home printer becomes unreachable while VPN is down. Look for "allow local network access" settings.