Return to protonvpn.com Facebook   Twitter   Reddit   ProtonMail

Introducing Kill Switch for macOS VPN

Posted on March 12th, 2019 by in Service Updates.

protonvpn macos vpn kill switch

 

The latest update for our macOS app implements a firewall-based Kill Switch to keep your data safe even if you are disconnected from your VPN server.

What is a Kill Switch?

The new, firewall-based Kill Switch prevents your IP address and DNS queries from being exposed in the event you are disconnected from a VPN server for any reason. When you enable Kill Switch, if you lose connection to the VPN service, the Kill Switch will block all external network traffic until it automatically re-establishes a connection to a VPN server.

protonvpn killswitch macos

Technical background and implementation

ProtonVPN’s macOS app utilizes the IKEv2 protocol, which allows for theoretically higher speeds and connection stability (when switching networks or on the go) than the OpenVPN protocol. It also has the benefit of being natively supported by Apple at the OS level. While this has certain benefits in terms of native integration into the OS, it also imposes certain constraints. In general, a kill switch, as defined above, is not possible for IKEv2 VPNs on macOS, which is why in the past, we have provided Always-on VPN, which automatically reconnects users to a VPN server if the connection is broken, as an alternative. The Always-on VPN will remain, and will now be complemented by the improved Kill Switch feature we are introducing today. (As of version 1.5.3, the Always-On VPN setting is no longer visible in Settings. The feature is always enabled by default for security, and it is not possible to turn off Always-On VPN.)

Implementing a Kill Switch (as defined above) required us to work around certain limitations within Apple’s native VPN infrastructure, specifically that it does not allow an app to fully block network traffic outside of the VPN connection on an Apple device. To resolve this, we have created a helper application to generate a packet filter. Now, whenever you connect to a VPN server with Kill Switch enabled, the packet filter blocks all external network communications except for those routed through the VPN server you are currently connected to. Since all your network traffic is restricted to the VPN server, if connection to the VPN server is lost, all Internet traffic is stopped immediately and your data is never exposed. This workaround of Apple’s network stack allows us to achieve what was previously impossible on macOS.

It is important to note that as of today, a Kill Switch, as we have defined it, is still not possible on iOS. This is because Apple’s network level restrictions on iOS are even more stringent than they are for macOS, so we cannot replicate the workaround we designed for macOS on iOS. Thus, from a technical standpoint, Always-on VPN is the best that can be achieved on iOS today. However, in the process of designing our Kill Switch workaround for macOS, we were in close communication with Apple engineers who expressed a willingness to reconsider their native VPN infrastructure’s restrictions. Those discussions have continued and we are currently working with Apple to find a way to implement a Kill Switch on iOS.

The addition of this new Kill Switch to ProtonVPN for macOS will help you stay secure no matter how unstable your connection is. If you already use ProtonVPN, your app will either update automatically or prompt you to update. Please join us on Facebook, Twitter, and Reddit and let us know what you think!

Best Regards,
The ProtonVPN Team

You can get a free ProtonVPN account here.

Follow us on social media to stay up to date on the latest ProtonVPN releases:  Twitter Facebook | Reddit

To get a free ProtonMail encrypted email account, visit: protonmail.com

Prior to joining ProtonVPN, Richie spent several years working on tech solutions in the developing world. As a senior editor and writer at Latterly, he covered and commented on international human rights stories. He joined ProtonVPN to advance the rights of online privacy and freedom.

Post Comment

5 comments

  1. N. Lee

    Hello,
    Does “lose connection to the VPN service” includes a manual disconnection from it? By this I mean, if I manually disconnect from the VPN or if I have not yet connected to the VPN, or if the ProtonVPN app is not open.
    Will this block the network traffic as well, or only in the case of a connection failure?
    Thank you.

  2. ProtonVPN Admin

    Hello! If you have the KillSwitch feature enabled, it will be activated when there is an unexpected interruption in your connection and will block the internet on your device to prevent leakage of your public IP. The feature will automatically reconnect to the server upon which your internet will be restored. If you manually disconnect from the ProtonVPN app, the KillSwitch will not be activated as that’s not the designed behavior.

  3. Kerstin

    Way cool! Some extremely valid points! I appreciate you penning this post and also the rest of the website is very good.

  4. Ruedi

    Hello, are you planning on implementing a Kill Switch for android as well?

  5. ProtonVPN Admin

    Hello! The Kill Switch feature is planned for all of our applications, but we are not able to provide any specific time-frame regarding the implementation. For now, you can activate Always-on or Block connections without VPN: https://protonvpn.com/support/always-on-vpn/. We appreciate your interest!

Leave a Reply

Your email address will not be published. Required fields are marked *

Knowledge base

 

Secure Your Internet Today

Get ProtonVPN