• VPN kill switch: Definition and purpose
  • How does a VPN kill switch work, and when does it activate?
  • Types of VPN kill switches
  • How to enable a VPN kill switch on your device
  • ExpressVPN’s kill switch: Network Lock explained
  • Should you ever disable a VPN kill switch?
  • How to choose a VPN with a kill switch
  • FAQ: Common questions about VPN kill switches

What is a VPN kill switch and how does it work? (+ setup guide for different devices)

Privacy news 11.07.2025 15 mins
Written by Chantelle Golombick
Reviewed by Katarina Glamoslija
Edited by Kate Davidson

A VPN masks your IP address, encrypts your traffic, and conceals your activity from third parties and potential eavesdroppers—until the moment the connection drops.

That short gap is all it takes for apps to slip back to the open internet and expose your IP, location, or downloads. A VPN kill switch is the safety net that steps in to stop that from happening.

This guide unpacks what the feature does, why it matters, and how you can set it up on Windows, macOS, Android, and iOS. You’ll also see why ExpressVPN’s Network Lock sets the bar for leak protection.

VPN kill switch: Definition and purpose

What does a VPN kill switch do?

A VPN kill switch shields you from accidental leaks when your VPN connection drops. It constantly checks that your traffic is still passing through the encrypted VPN tunnel between your device and a VPN server. If the tunnel drops—even for a split second—the switch blocks all internet activity until the connection is safely restored.

Like a circuit breaker, it cuts power (data) the instant something slips outside the protected line, keeping your IP address, DNS requests, and downloads from exposure.

Why you might need one

If you need a VPN, you need a kill switch. There are moments when your VPN connection might fail. When this happens, your device could automatically switch back to an unsecured internet connection, risking exposure of your IP address and data transmissions. A kill switch prevents this.

Kill switch vs. no kill switch: What’s at risk?

A kill switch isn’t a luxury add-on; it’s the difference between a clean cut-off and an instant leak that can hamper your online privacy. Here’s what’s at risk without one:

| | No kill switch (or disabled) | Kill switch (Network Lock) enabled |
|---|---|---|
| IP address | Your real IP address is exposed to websites, online services, and your ISP. | All internet traffic is blocked, preventing IP exposure. |
| Data traffic | Data is transmitted unencrypted over your regular internet connection. Your ISP can see visited sites; data is vulnerable to snooping on public Wi-Fi. | All internet traffic is blocked. No data is transmitted, encrypted or otherwise, preventing exposure. |
| Security for sensitive activities | Activities become visible to your ISP or other parties if the VPN drops and your real IP is exposed. | Activities are halted along with all internet traffic, preventing accidental exposure during VPN disconnection. |
| User experience | Internet connection continues seamlessly, but unprotected. You might not immediately realize the VPN has disconnected. | Internet connection is completely blocked until the VPN reconnects or the kill switch is manually disengaged. |
| Primary risk/outcome | Significant privacy and security breach: exposure of real IP, browsing habits, and potentially sensitive data. | Maintained privacy and security: temporary loss of internet access in exchange for preventing data/IP leaks. |

How does a VPN kill switch work, and when does it activate?

What happens when your VPN disconnects

When the tunnel snaps—even for a second—your device falls back to its normal, unprotected path. Without a kill switch, here’s what can leak in that split-second window:

| What leaks | Why it matters |
|---|---|
| Real IP address | Every site and app sees your true location, undoing the anonymity the VPN provided. |
| DNS requests | Your device will revert to your ISP’s resolver, creating a clear log of every domain you’re trying to reach. |
| Unencrypted traffic | Anything sent over HTTP or app telemetry now travels in plaintext, readable by ISPs, hotspot owners, or snoops. |
| Active downloads/uploads | Cloud sync or large file transfers keep going, logging your IP address or server records. |
| Background app chatter | Email clients, messaging apps, IoT devices, and OS updates reconnect instantly, leaving time-stamped evidence of your activity and whereabouts. |

A system-level kill switch—like ExpressVPN’s Network Lock—plugs that hole. It slams the firewall shut the moment the VPN drops, so the worst you experience is a brief pause in connectivity, not a full-blown privacy breach.

How a kill switch prevents IP and DNS leaks

A leak is a leak, but IP leaks and DNS leaks happen through two different escape hatches—the route table (your OS’s internal map that decides where each data packet goes) and the DNS resolver (the service that turns domain names into IP addresses). A robust kill switch seals both.

| Leak type | How it normally happens when a VPN drops | What the kill switch does |
|---|---|---|
| IP address | The OS rewrites its route table in milliseconds, sending every packet back through your ISP’s default gateway, revealing your real IP. | Instantly blocks all outbound traffic on the physical interface, so no packet can leave until the VPN is active again. |
| DNS requests | Even if most apps pause, the OS still tries to resolve domain names using the ISP’s DNS server or endpoints, creating a clear log of what sites you’re about to visit. | Adds a firewall rule that drops any DNS traffic not bound to the VPN tunnel, forcing all lookups to wait and then travel inside the encrypted channel once it’s restored. |

ExpressVPN’s Network Lock takes this comprehensive approach, so neither your real IP nor a single domain request leaks during a drop.

Common scenarios that trigger a kill switch

1. Switching between VPN servers

There’s a brief hand-off between disconnecting from the old server and establishing a tunnel to the new one. If any of your apps push or pull data during that gap, your real IP could flash unless the kill switch—ExpressVPN’s Network Lock, for example—blocks traffic until the fresh connection is secured.

2. Malicious apps attempting to bypass the VPN

Some programs try to open their own direct sockets, ignoring system-wide VPN settings. A robust, system-level kill switch steps in before that traffic leaves the device, ensuring nothing slips past the encrypted tunnel.

3. Bandwidth throttling

Congested networks force ISPs to throttle users’ speeds. Those slowdowns can cause timeouts that drop the VPN handshake. A kill switch prevents any resulting leak by stopping traffic until the tunnel is rebuilt.

4. Unstable public Wi-Fi

A weak café signal can make devices hop between Wi-Fi and cellular, interrupting the VPN. The same thing happens when you switch from one network to another, e.g., from your home Wi-Fi to mobile data. For a few seconds during the switch, your connection is not protected by the VPN. The kill switch freezes packets during each hop, so your browsing session never spills onto the open network.

5. Other triggers

These include simply closing your laptop lid, a momentary ISP hiccup, or a manual quit of the VPN app—events that a continuous connection monitor catches and covers automatically.

Does the VPN reconnect automatically?

Quality VPN apps immediately try to re-establish the tunnel. Once reconnected, the kill switch lifts, and you’re back online, usually in under a second. ExpressVPN, for example, cycles through Lightway, OpenVPN, and IKEv2 VPN protocols in the background until a stable tunnel forms, then lifts the block in seconds—all without user input.

Types of VPN kill switches

Application-level kill switch

This kill switch offers granular control over which applications are affected by a VPN disconnection. It lets you choose specific applications to disconnect from the internet if your VPN connection drops. This targeted approach means you can safeguard critical activities like browsing and banking, while less sensitive applications, such as music streaming, continue uninterrupted.

However, the flexibility can come at the cost of comprehensive security, as non-selected applications remain unprotected.

System-level kill switch

This type is also known as a firewall-level or network-level kill switch and is generally considered the more secure type of kill switch. It offers the most robust protection by blocking all internet traffic if your VPN connection fails.

This comprehensive approach guarantees that no data escapes your device outside the secure VPN tunnel, effectively preventing any potential data leaks across all applications.

Advanced or persistent kill switch

This type of kill switch (sometimes also referred to as a permanent kill switch) takes the concept of a system-level kill switch a step further to offer an even more uncompromising level of protection. It’s a proactive, constant guard that makes unprotected internet access impossible by default, only allowing traffic when the VPN is securely connected.

These switches also survive app crashes or device reboots, blocking traffic until the VPN links up again.

How to enable a VPN kill switch on your device

Windows

  1. Open ExpressVPN and go to Options > General.
  2. Tick Stop all internet traffic if the VPN disconnects unexpectedly.
  3. The rule loads at boot and protects every process.

macOS

  1. Open ExpressVPN and go to Preferences.
  2. Tick Stop all internet traffic if the VPN disconnects unexpectedly.
  3. The packet filter enforces the block system-wide.

Android

  1. Inside the app, select Profile and toggle on Kill Switch.
  2. Your phone now blocks leaks, even while you move between networks.

You can also choose Always block all non-VPN internet traffic; it’s more secure, but it will also disable VPN features like split tunneling. Here’s how to do it:

  1. Under Internet Kill Switch, tap Learn more.
  2. In the prompt, tap ANDROID SETTINGS.
  3. Tap the gear icon next to ExpressVPN.
  4. Toggle Always-on VPN and Block connections without VPN on.

iOS

  1. In the ExpressVPN app, click the hamburger menu icon and go to Preferences. Toggle on Stop all internet traffic if the VPN disconnects unexpectedly.
  2. This keeps traffic blocked until the VPN is running.

ExpressVPN’s kill switch: Network Lock explained

How Network Lock works on desktop and mobile

ExpressVPN’s Network Lock inserts firewall rules on Windows, macOS, and Linux, and it taps into the always-on frameworks on Android and iOS. It begins with a “block everything” firewall rule on all desktop platforms.

A second rule then allows only VPN-routed traffic. These rules stay active through the entire connection cycle, including during reconnects and disruptions, ensuring consistent protection.

Network Lock covers both IPv4 and IPv6 network traffic to prevent any data from leaking outside the VPN tunnel. This total coverage ensures your personal information and activities remain private, even amid network instability or when switching Wi-Fi networks.
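
The "block everything, then allow only VPN-routed traffic" design, covering both IPv4 and IPv6, can be checked on a Linux machine by auditing the saved firewall rules. The script below is an added example, not ExpressVPN's code: it assumes `iptables-save`/`ip6tables-save` style dumps, and the interface names `tun0`/`eth0`, the server address 203.0.113.10, and port 1194 are constructed sample values.

```python
import shlex

def audit_output_chain(dump, tunnel_if, endpoints):
    """Audit filter/OUTPUT in an iptables-save or ip6tables-save dump.

    Returns findings; an empty list means the chain fails closed and only
    lets packets out via loopback, the tunnel, or a listed VPN endpoint.
    """
    findings, policy, closed, in_filter = [], None, False, False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # table header: *filter, *nat, ...
            in_filter = line == "*filter"
        if not in_filter:
            continue
        if line.startswith(":OUTPUT "):
            policy = line.split()[1]
            closed = policy == "DROP"
        if not line.startswith("-A OUTPUT "):
            continue
        tok = shlex.split(line)[2:]
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        target = opts.get("-j")
        if "!" in tok:
            findings.append(f"negated match needs manual review: {line}")
        elif target in ("DROP", "REJECT"):
            if tok[0] == "-j":                   # no match options: catch-all block
                closed = True
                break                            # later rules are unreachable
        elif target == "LOG":
            continue                             # non-terminating, opens nothing
        elif target != "ACCEPT":
            findings.append(f"jump to {target} not followed: {line}")
        elif opts.get("-o") in ("lo", tunnel_if):
            continue                             # loopback, or already in the tunnel
        elif opts.get("-d", "").split("/")[0] in endpoints:
            continue                             # encrypted carrier packets to the server
        elif opts.get("--dport") == "53":
            findings.append(f"DNS allowed outside the tunnel: {line}")
        else:
            findings.append(f"traffic allowed outside the tunnel: {line}")
    if not closed:
        findings.append(f"OUTPUT does not fail closed (policy: {policy or 'none loaded'})")
    return findings

# Constructed sample dumps, trimmed to the OUTPUT chain. tun0/eth0 and the
# RFC 5737 address 203.0.113.10 are assumptions, not values from the article.
V4_LOCKED = """*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
"""
V4_DNS_HOLE = V4_LOCKED.replace(
    "COMMIT", "-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT\nCOMMIT")
V6_FORGOTTEN = "*filter\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n"   # IPv6 never locked down
V6_LOCKED = ("*filter\n:OUTPUT DROP [0:0]\n-A OUTPUT -o lo -j ACCEPT\n"
             "-A OUTPUT -o tun0 -j ACCEPT\nCOMMIT\n")

if __name__ == "__main__":
    for name in ("V4_LOCKED", "V4_DNS_HOLE", "V6_FORGOTTEN", "V6_LOCKED"):
        print(name, audit_output_chain(globals()[name], "tun0", {"203.0.113.10"}) or "OK")
```

An empty result for both the IPv4 and the IPv6 dump is the state to aim for; any finding names the rule that would let packets leave outside the tunnel.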

How it compares to other VPNs

Some providers have their kill switch disabled by default or limit it to desktop apps. Network Lock, on the other hand, is active on first launch and works perfectly on mobile and other platforms as well as desktop.

It can also protect every device in your home because it covers routers, too—you can use ExpressVPN’s dedicated Aircove router or install the ExpressVPN firmware onto any compatible router.

Security advantages of ExpressVPN’s implementation

  • On by default—no extra clicks.
  • Works with the Lightway protocol, so reconnections can finish in milliseconds.
  • Can cover every device behind a router, including smart home gadgets that can’t install apps.
  • Independent audits confirm zero leaks during stress tests.

Should you ever disable a VPN kill switch?

Pros and cons of manual deactivation

| Pros | Cons |
|---|---|
| Local LAN tasks (e.g., printer sharing) work instantly (though many VPN clients, including ExpressVPN, allow local tasks with kill switch enabled anyway) | Your IP can flash during every reconnect |
| Avoids outages if an unreliable network keeps dropping | DNS queries revert to your ISP |
| Faster server switching for power users | Any background app can expose your location |

When it might make sense to disconnect

While it’s advisable to keep the kill switch enabled to secure your data continuously, there may be specific scenarios where you need to disable it temporarily. Here are a few reasons that make sense:

  • If you’re on a trusted home network and need short-term access to sites that block VPN addresses.
  • For troubleshooting connection issues or adjusting network settings, e.g., a hotel Wi-Fi portal or public hotspot that won’t load its sign-in page until the device briefly connects without the VPN/kill-switch firewall in place.
  • When gaming on LAN, where brief IP exposure doesn’t matter.
  • On metered data, where failed uploads cost money.

Otherwise, leave it on.

How to choose a VPN with a kill switch

A kill switch is an important part of maintaining your online privacy and security. So, before choosing a VPN, check whether a kill switch is offered and how it functions across different devices and operating systems. Here are key factors to consider:

  • Supported platforms: Pick a service that brings the feature to every operating system you use. ExpressVPN supports desktop, mobile, and routers.
  • Default activation and user control: A default-on switch protects newcomers; a visible toggle satisfies power users. ExpressVPN’s Network Lock balances both.
  • Level of protection offered: System-level and persistent modes beat app-only shutdowns. Look for wording that promises device-wide blocking, not just application control.
  • Transparency and privacy policies: Independent audits, open-source modules, and clear documentation build trust. ExpressVPN publishes annual assessments and hosts Lightway’s code on GitHub.

FAQ: Common questions about VPN kill switches

What happens if my VPN disconnects without a kill switch?

If your VPN drops and you have no kill-switch protection, your device instantly reverts to its normal, unencrypted internet path. That means every app, browser tab, or background process begins talking directly to your ISP again. Your real IP address and location become visible to every site you contact, DNS queries expose which domains you’re visiting, and downloads or streams continue in the clear.

How do I enable a VPN kill switch on Android?

For Android, open ExpressVPN and go to ‘Other settings.’ You can then choose ‘Network protection’ and toggle on the option to block the internet when unable to connect or reconnect to the VPN.

Is there a VPN kill switch for iPhone?

Yes, but iOS doesn’t have a system toggle like Android. Instead, quality VPN apps use Apple’s “always-on” framework. In ExpressVPN, open the iOS app’s Preferences and just make sure ‘Stop all internet traffic if the VPN disconnects unexpectedly’ is checked.

Are there any alternatives to using a kill switch?

You could try custom firewall rules, proxy auto-configuration scripts, or split-tunneling hacks, but each workaround carries risk. Manual firewall policies are easy to mis-type, leaving gaps; proxies fail open more often than they fail closed; and advanced routing tricks break every time you update the OS. Nothing beats an automatic, system-level block.

Can I still use the internet if the kill switch activates?

While the kill switch is active, internet traffic stops, but local tasks keep working. Quality VPNs reconnect within seconds. If they don’t, you can change servers or disable the switch—though that briefly exposes your real IP.

Do all VPN kill switches work the same way?

No, they don’t. Some providers implement only an application-level switch that closes whitelisted apps while leaving the rest of the OS online. Others cover IPv4 traffic but forget IPv6, leading to partial leaks.

The strongest designs are system-level, block every protocol—including IPv6—and “fail closed” if the VPN client crashes. Always test your provider with a leak-detection tool: disconnect the VPN mid-session and confirm that nothing, not even a DNS query, escapes before the tunnel is restored.

Are VPN kill switches enabled by default?

It depends on the service. ExpressVPN, for instance, has Network Lock enabled by default on Windows, macOS, Linux, and routers, so new users are protected from their first connection.

Many other brands hide the switch behind an “Advanced” tab or leave it off to avoid support questions. Before relying on any VPN, open its settings panel, look for terms like kill switch, network protection, or secure LAN blocking, and make sure the feature is switched on.

Which VPNs offer built-in kill switches?

Most reputable VPN providers do. That said, each provider differs in default state, leak coverage, and device support, so verify the feature meets your needs before you commit.

Chantelle Golombick

After a decade working in corporate law and five years teaching at University, Chantelle now enjoys freelance life writing about law, cybersecurity, online privacy, and digital freedom for major cybersecurity and online privacy brands. She is particularly interested in the interplay between these digital issues and the law.
