A kill switch is a security feature that protects your privacy. It ensures that you don’t connect to the internet thinking you’re protected by a VPN when you aren’t.
When you use a virtual private network (VPN), your device connects to VPN server run by a VPN service such as Proton VPN. The connection between your device and VPN server is encrypted.
This means your internet service provider (ISP) can’t see what you do on the internet (only that you’ve connected to a VPN server), and anyone on the internet (such as websites and P2P peers) can’t see your real IP address (only that of the VPN server).
However, if your VPN connection fails for any reason, your ISP will be able to see any connections you make on internet, and websites, P2P peers, and anyone else you’re connected to on the internet, will be able to identify you through your unique internet protocol (IP) address.
A kill switch (if implemented correctly) prevents this. If you disconnect from a VPN server unexpectedly, a kill switch blocks all external network traffic to and from your device until either the VPN connection is reestablished or you disable the kill switch.
How does a kill switch work?
There are basically two kinds of kill switches:
Reactive kill switches
A reactive kill switch monitors your device’s internet connection to ensure it is connected to a VPN server. If it detects that it isn’t, the kill switch closes down your internet connection. Reactive kill switches are not well regarded by security professions for two main reasons:
1. There is an inevitable delay between the VPN connection dropping, the kill switch detecting the drop, and then terminating your internet connection. This delay might be only milliseconds, but that’s enough time for your real IP address to be exposed to the internet.
2. Reactive kill switches are usually not good at detecting connections that your operating might make outside the VPN interface. They might, for example, monitor your IPv4 connection to ensure the VPN connection is active, while being completely unaware that your device is connecting to a server via IPv6, and thus exposing its IPv6 address.
Fortunately, these limitations mean that reactive kill switches are rarely used these days.
System-level kill switches
A system-level kill switch uses firewall rules and other platform-specific mechanisms to ensure that no traffic can enter or exit your device outside the VPN interface.
On Windows, most VPN kill switches use the Windows Filtering Platform, while Android 8.0+ features a built-in Always-On VPN & Kill Switch setting. macOS and iOS devices have their own mechanisms, but these are flawed. We’ll discuss this later in this article.
Properly-configured, a system-level kill switch makes it impossible to connect to the internet without an active VPN connection. Since no connections can enter or leave your device outside its VPN interface, if the VPN interface isn’t active, then no connections are possible.
System-level kill switches are passive, and therefore much more reliable than reactive kill switches. There is no need to detect if a VPN connection is working, so no need to close the internet connection. If the VPN connection isn’t active, then no internet connection is possible.
The engineering required to build a good system-level kill switch also ensures that IPv6 leaks and DNS leaks are also impossible when the VPN is active. It also ensures that nothing is leaked during the connection process and when switching between VPN servers.
As noted above, system-level kill switches are built using platform-specific mechanisms. This means VPN services must develop separate kill switch solutions for each platform they support. The result is that some VPN services advertise that they offer a kill switch, but the feature is only available on some platforms.
Proton VPN offers a full system-level kill switch on all platforms that we support — Windows, macOS, iOS/iPadOS, Linux, Linux CLI (and, of course, Android).
Kill switch modes
Usually, a kill switch only engages when you start a VPN connection, and is disabled when you manually disconnect the VPN or shut down your device. When the VPN is disconnected, you can access the internet as normal.
It is also possible to run a kill switch so that all internet activity is disabled unless the VPN connection is active. This way of running a kill switch can be less convenient, as you can’t simply turn the VPN off without additional steps required to access the internet). However, it ensures that you never accidentally connect to the internet without the VPN enabled.
This is especially effective when you boot up a device, as it prevents apps that load before the VPN client (for example, a torrent client) from establishing an internet connection before the VPN tunnel is created.
At Proton VPN, we call this kill switch mode a permanent kill switch, which is available on our Windows and Linux apps.
Who needs a kill switch?
A kill switch helps to ensure you never access the internet thinking that you’re protected with a VPN, when you aren’t. As such, a kill switch is an invaluable privacy and security tool for activists, journalists, anyone who uses a VPN to stay private on the internet.
It’s worth noting that when simply surfing the web, your real IP address usually only becomes exposed when you actively click on a link or type in a URL. However, this is not true for P2P downloaders, who often leave their active connections to P2P peers unattended for long periods of time. This make using a kill switches particularly important for torrenters.
A note on kill switches and Apple
A number of vulnerabilities have been discovered in how Apple implements VPN connections on its macOS, iOS, and iPadOS platforms. This includes routing traffic from Apple apps directly to Apple, regardless of whether a kill switch is enabled.
This problem affects all VPN services, although Proton VPN has introduced a number of measures to mitigate against it.
A kill switch ensures that if a VPN connection fails, your real IP address isn’t exposed to websites you visit, and the websites you visit aren’t exposed to your ISP. If privacy is even a small part of why you use a VPN, you should enable a kill switch.