Introducing Kill Switch for macOS VPN

Posted on March 12th, 2019 by in Service Updates.

protonvpn macos vpn kill switch


The latest update for our macOS app implements a firewall-based Kill Switch to keep your data safe even if you are disconnected from your VPN server.

What is a Kill Switch?

The new, firewall-based Kill Switch prevents your IP address and DNS queries from being exposed in the event you are disconnected from a VPN server for any reason. When you enable Kill Switch, if you lose connection to the VPN service, the Kill Switch will block all external network traffic until it automatically re-establishes a connection to a VPN server.

protonvpn killswitch macos

Technical background and implementation

Proton VPN’s macOS app utilizes the IKEv2 protocol, which allows for theoretically higher speeds and connection stability (when switching networks or on the go) than the OpenVPN protocol. It also has the benefit of being natively supported by Apple at the OS level. While this has certain benefits in terms of native integration into the OS, it also imposes certain constraints. In general, a kill switch, as defined above, is not possible for IKEv2 VPNs on macOS, which is why in the past, we have provided Always-on VPN, which automatically reconnects users to a VPN server if the connection is broken, as an alternative. The Always-on VPN will remain, and will now be complemented by the improved Kill Switch feature we are introducing today. (As of version 1.5.3, the Always-On VPN setting is no longer visible in Settings. The feature is always enabled by default for security, and it is not possible to turn off Always-On VPN.)

Implementing a Kill Switch (as defined above) required us to work around certain limitations within Apple’s native VPN infrastructure, specifically that it does not allow an app to fully block network traffic outside of the VPN connection on an Apple device. To resolve this, we have created a helper application to generate a packet filter. Now, whenever you connect to a VPN server with Kill Switch enabled, the packet filter blocks all external network communications except for those routed through the VPN server you are currently connected to. Since all your network traffic is restricted to the VPN server, if connection to the VPN server is lost, all Internet traffic is stopped immediately and your data is never exposed. This workaround of Apple’s network stack allows us to achieve what was previously impossible on macOS.

It is important to note that as of today, a Kill Switch, as we have defined it, is still not possible on iOS. This is because Apple’s network level restrictions on iOS are even more stringent than they are for macOS, so we cannot replicate the workaround we designed for macOS on iOS. Thus, from a technical standpoint, Always-on VPN is the best that can be achieved on iOS today. However, in the process of designing our Kill Switch workaround for macOS, we were in close communication with Apple engineers who expressed a willingness to reconsider their native VPN infrastructure’s restrictions. Those discussions have continued and we are currently working with Apple to find a way to implement a Kill Switch on iOS.

The addition of this new Kill Switch to Proton VPN for macOS will help you stay secure no matter how unstable your connection is. If you already use Proton VPN, your app will either update automatically or prompt you to update. Please join us on Facebook, Twitter, and Reddit and let us know what you think!

Best Regards,
The Proton VPN Team

You can get a free Proton VPN account here.

Follow us on social media to stay up to date on the latest Proton VPN releases:  Twitter Facebook | Reddit

To get a free Proton Mail encrypted email account, visit:

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.


  1. Federico

    please what about kill switch implementation for IOS?

  2. Roxana Zega

    Hi! The Kill Switch feature is planned for all of our applications, but we are not able to provide any specific time-frame regarding the implementation. A Kill Switch, as we have defined it, is still not possible on iOS because of Apple’s network-level restrictions.

  3. Guillaume


    I’ve noticed that Kill Switch completely prevent from using Handoff, Continuity, Airdrop between an iPhone and an Mac. If I want to transfer a photo taken with my phone to the Mac using Airdrop, the Mac does not appear in the Airdrop list on my iPhone. As soon as I deactivate Kill Switch (no need to disconnect/reconnect to a VPN Server, just deactivate the Kill Switch option) and suddenly my Mac reappears in the Airdrop list.

    Why ?

    You wrote that Kill Switch is a feature that only enables itself when connection to the VPN server is lost. It seems that this function is permanently impacting the connection, not only when the connection is lost.

  4. Adam

    Please provide an option to kill network activity after a network connection is manually terminated. Other vpn providers are doing this as default.

  5. Jakub

    would it be possible to enable kill switch when manually disconnecting? I sometimes forgot that I disconnected manually and I don’t want that. Maybe have Kill switch and Aggressive Kill Switch?

  6. ProtonVPN Admin

    Hello! The KillSwitch will block your internet to prevent leaks only if there is a sudden interruption in the VPN connection. If you manually disconnect from the ProtonVPN app, the Kill Switch will not be engaged as that is considered as an intentional disconnect in order to continue using your internet connection without the VPN protection. If you want to have an active ProtonVPN protection you should not disconnect from the application manually. However, we appreciate your suggestion and we may take this under advisement for the future.

  7. N. Lee

    Does “lose connection to the VPN service” includes a manual disconnection from it? By this I mean, if I manually disconnect from the VPN or if I have not yet connected to the VPN, or if the ProtonVPN app is not open.
    Will this block the network traffic as well, or only in the case of a connection failure?
    Thank you.

  8. ProtonVPN Admin

    Hello! If you have the KillSwitch feature enabled, it will be activated when there is an unexpected interruption in your connection and will block the internet on your device to prevent leakage of your public IP. The feature will automatically reconnect to the server upon which your internet will be restored. If you manually disconnect from the ProtonVPN app, the KillSwitch will not be activated as that’s not the designed behavior.

  9. Kerstin

    Way cool! Some extremely valid points! I appreciate you penning this post and also the rest of the website is very good.

  10. Ruedi

    Hello, are you planning on implementing a Kill Switch for android as well?

  11. ProtonVPN Admin

    Hello! The Kill Switch feature is planned for all of our applications, but we are not able to provide any specific time-frame regarding the implementation. For now, you can activate Always-on or Block connections without VPN: We appreciate your interest!

Comments are closed.

your internet

Get Proton VPN
Get Proton VPN

For customer support inquiries, please submit the following form for the fastest response:
Support Form

For all other inquiries:

Version: OpenPGP.js v4.10.10


You can also Tweet to us: