πŸŒ™ LATE NIGHT MODE ACTIVATED β€” THE CLOWN IS WATCHING πŸŒ™
Home β†’ Resources β†’ Protocols β†’ Kill Switch

Kill Switch
Explained.

A safety net. When the VPN drops unexpectedly, the kill switch blocks all traffic until the tunnel reconnects. Stops leaks during the gap.

⚑ The one-paragraph version

VPN connections drop sometimes β€” network switches, server restarts, sleep/wake transitions. Without a kill switch, during that gap your device falls back to your normal unprotected internet. Any active connections (streaming, calls, downloads) briefly leak your real IP and traffic. A kill switch closes the gap by blocking all traffic until the VPN is back.

Why VPN drops happen

Even reliable VPN setups disconnect periodically:

  • Network changes. Mobile devices switch between WiFi networks, between WiFi and cellular, between cell towers. Each transition can cause a brief disconnect.
  • Server-side events. VPN servers restart for maintenance, get rebooted under load, or briefly fail.
  • Sleep / wake transitions. When your device sleeps, the VPN tunnel may need to re-establish on wake.
  • OS-level VPN service issues. Android and iOS VPN services occasionally need to restart.
  • Connectivity hiccups. Brief internet outages, packet loss, ISP routing changes.

Most drops are short β€” sub-second to a few seconds. But short drops are still drops, and during them your traffic flows unprotected.

What leaks during a drop

Without a kill switch, during the disconnected window:

  • Your real IP is visible to whatever sites your active apps are talking to.
  • Your DNS queries go to your normal (probably ISP's) DNS resolver, not the VPN's.
  • Background syncs (email, cloud, messaging apps) reveal who you're connected to, even without showing content.
  • Any active streams or calls briefly transmit unprotected.

For most users on most networks, this is annoying but not catastrophic. On hostile WiFi or in sensitive use cases, it's a real problem β€” the entire reason for using a VPN gets undermined.

How a kill switch works

The kill switch is essentially a firewall rule. When the VPN client detects the tunnel is down:

  1. It activates a system-level rule that blocks all outbound traffic except to the VPN server itself (so it can reconnect).
  2. Apps trying to send traffic get connection errors β€” "no internet" from their perspective.
  3. When the tunnel re-establishes, the rule is removed and normal traffic resumes.

The implementation varies by platform β€” Linux uses iptables, Windows uses WFP (Windows Filtering Platform), macOS uses pf, Android uses its VPN service framework. The user experience is similar across all of them.

Types of kill switches

App-level kill switch

Most common. The VPN client monitors its own tunnel and activates the kill switch when it detects disconnection. Limitations:

  • If the VPN app itself crashes, the kill switch may not activate (no one's watching).
  • Briefly delayed activation β€” there's a gap between actual drop and detection.

Good for normal use. Most reputable VPN apps implement this reliably.

System-level kill switch

Stronger. Configured at the OS level so traffic is blocked by the operating system itself, not the VPN app.

On Android, this is "Block connections without VPN" (Settings β†’ Network & Internet β†’ VPN β†’ ClownVPN β†’ gear icon β†’ Always-on VPN + Block connections without VPN). When enabled, Android refuses to route any traffic if the configured VPN isn't active β€” even if the VPN app crashes or is killed.

On Windows, you can configure firewall rules manually (or use VPN clients that set them up for you).

Per-app kill switch

Some VPN clients let you configure the kill switch per application. Example: kill switch blocks Firefox traffic if VPN drops, but allows Spotify traffic to fall back to normal internet.

Use case: you want strict protection for browsing but don't want music playback to stop. Niche but supported by some clients.

Configuration recommendations

  1. Hostile networks (public WiFi): kill switch on, ideally system-level.
  2. Privacy-sensitive use: kill switch on, ideally system-level.
  3. Routine home use: optional. If your home network is trusted and VPN drops aren't a concern, you can leave it off.
  4. Mobile devices in general: kill switch on, because mobile devices have frequent network changes that cause drops.

Gotchas to know about

  • Captive portal pain. If kill switch is on, you can't access the captive portal page when you first connect to public WiFi (because the VPN can't connect through the captive portal, and the kill switch blocks everything else). Most clients detect captive portals and pause briefly to let you authenticate; some don't. Be ready to disable the kill switch temporarily.
  • Local network access. A kill switch usually blocks local network access too β€” meaning your home printer becomes unreachable while VPN is down. Some clients let you whitelist local network IPs to avoid this.
  • Streaming buffer issues. If the kill switch fires during streaming, the streaming app gets confused. Usually recovers but sometimes requires restart.

Kill switch at ClownVPN

Our Android app has both:

  • App kill switch. Settings β†’ Kill Switch β†’ On. Default is off because we don't want to surprise new users.
  • Android system kill switch. Configure via Android Settings β†’ Network β†’ VPN β†’ ClownVPN β†’ gear icon. Enable both "Always-on VPN" and "Block connections without VPN."

For maximum protection on hostile networks, enable both. For routine home use, neither is strictly necessary.

Related reading

πŸŽͺ FAQ

How often does my VPN actually drop?
More often than you'd think. Background causes include: network switching (WiFi to cellular), brief network outages, VPN server overload or restart, OS-level VPN service hiccups, sleep/wake transitions, and roaming between APs. Most drops are <1 second and you don't notice β€” but during that window, traffic leaks. On mobile in particular, drops happen frequently enough that a kill switch is genuinely useful.
Is a kill switch the same as auto-reconnect?
No, they're complementary. Auto-reconnect tries to re-establish the VPN tunnel quickly after a drop. The kill switch blocks all traffic during the gap between drop and reconnect. Together they handle the drop scenario completely. Some VPNs offer both as one feature; some let you configure them independently.
Does Android's 'Always-on VPN' do the same thing as a kill switch?
Almost. Android's 'Always-on VPN' system setting (Settings β†’ Network β†’ VPN β†’ app β†’ gear icon) automatically reconnects the VPN, and the related 'Block connections without VPN' setting blocks traffic when the VPN is down. Together they're equivalent to a kill switch. Many VPN providers (us included) also have an in-app kill switch that does the same thing β€” slight redundancy but useful for users who don't enable the system setting.
Will a kill switch block me from using the internet when I disconnect the VPN intentionally?
Depends on the implementation. App-level kill switches typically only activate when there's a connection drop, not when you intentionally disconnect. System-level kill switches (like Android's 'Block connections without VPN') block traffic any time the VPN isn't active, including intentional disconnects. The latter is more strict but can be inconvenient if you regularly toggle the VPN off.
Does ClownVPN have a kill switch?
Yes. Settings β†’ Kill Switch β†’ On. Recommended for use on public WiFi and untrusted networks. Default is off because some users prefer the simpler 'connection drops mean you go back to normal internet' model β€” but if you're using the VPN for privacy/security reasons rather than just convenience, enable it.

πŸŽͺ Safety Net

Free, included, just toggle it on. No upsell.

πŸ€– Get The Free App