TL;DR: A VPN kill switch (emergency shutoff) instantly blocks all internet on your device the moment the encrypted tunnel drops. Without it, the instant a tunnel breaks your traffic and real IP leak onto the open network for a second or two — long enough for your ISP, a public Wi-Fi owner or a tracker to see what you were hiding. The logic is strict: either the protected tunnel, or no internet at all. Below: how it works at the firewall and routing level, how a system-wide kill switch differs from a per-app one, why it does not replace DNS and IPv6 leak protection, and how to enable and test it on Windows, macOS, iOS and Android. LiMP ships with a built-in kill switch, runs on iOS and Android over WireGuard, and costs from 100 RUB/month with no logs of your activity.
What a kill switch is and the problem it solves
A kill switch watches the state of the encrypted tunnel and, the instant it drops, cuts off internet access. If protection is gone, it is better to be offline for a fraction of a second than to keep sending data in the clear.
To appreciate the feature, recall what a VPN is for (if you need the basics, start with our guide on what a VPN is in simple terms). A VPN wraps traffic in an encrypted tunnel and swaps your visible IP: your ISP cannot see which sites you reach, and sites see the VPN server's address. This holds only while the tunnel is alive. The moment it breaks, the OS dislikes being offline and routes traffic back through the normal, unprotected path — via your ISP, with your real address. You may not notice: the VPN icon still says connected, your messenger keeps syncing, your torrent client keeps seeding, and your real address has already leaked. This is exactly the gap a kill switch closes: traffic is allowed only through the VPN interface; no interface means no internet.
Why VPN connections drop
Brief drops are inevitable — a property of networks, not a flaw in a service. The main causes:
- Network switching. Your phone leaves Wi-Fi range and switches to mobile data — the old connection breaks and a new one comes up.
- Waking from sleep. The network stack does not come back instantly; several seconds can pass before the tunnel is restored.
- Server overload or restart. Servers are restarted for updates, and at peak hours an overloaded node may drop some connections.
- Weak signal. On the subway, in an elevator or on the highway the link is interrupted and the tunnel goes with it.
- IP changes and timeouts. Your ISP changes your external IP and mobile networks switch base stations — both can force the tunnel to rebuild.
- OS power saving. Aggressive battery saving sometimes puts the VPN app to sleep in the background.
The modern WireGuard protocol reconnects almost instantly and survives network changes well, because it is not rigidly tied to a single session. But almost instantly is not without a pause: even a fraction of a second between a drop and a recovery is enough for a background app to send a packet around the tunnel. That is why a kill switch is needed even with the fastest protocol — it insures that short window.
How a kill switch works technically
Behind the phrase "blocks the internet when the tunnel drops" lies careful work with the OS network stack. Understanding the mechanics explains why a kill switch sometimes cuts off the local network and why its implementation differs across platforms.
Firewall and filtering rules
Most kill switches work through the system firewall. When the VPN connects, the app writes a rule: allow outbound traffic only through the virtual VPN interface and block it on every other one (Wi-Fi, Ethernet, the mobile modem). While the tunnel is alive, traffic flows through the VPN; the moment the interface disappears, the only effective rule left is "block everything else," and the network closes instantly. This is reliable because filtering happens at the OS kernel level and does not depend on whether the app managed to react in time.
Routing and the virtual adapter
The second mechanism is the routing table. When the VPN comes up, it creates a virtual network adapter and rewrites the default route so that all packets go into the tunnel. The kill switch makes sure the default route never falls back to the ISP's gateway until you disconnect deliberately. If the tunnel goes down, the kill switch prevents the system from restoring the direct route — and with no route, packets have nowhere to go.
Tunnel state monitoring
The third element is a watcher that constantly checks whether the tunnel is alive: is the server responding, is the virtual interface up, are packets passing. On detecting a drop, it holds the block until protection is restored. On mobile platforms the OS largely takes on this role through the system VPN API, which makes the block especially reliable.
An important consequence follows: a kill switch is by nature "dumb" in a good way — it does not reason about which traffic is safe, it simply closes everything not going through the tunnel. So a request to a home storage device or printer can get blocked too: to the kill switch that is "traffic not through the VPN." Good implementations let you separately allow the local network — more on that below.
System-wide kill switch versus per-app
A system-wide (full) kill switch blocks all internet on the device when the tunnel drops. A per-app kill switch closes the network only for selected apps, leaving the rest to work directly.
| Parameter | System-wide kill switch | Per-app |
|---|---|---|
| What it blocks on a drop | All internet on the device | Only the selected apps |
| Level of protection | Maximum — nothing leaves the device | Only the listed apps are protected |
| Leak risk | Practically zero | Unprotected apps can leak |
| Convenience | On a drop the device is fully offline | Other apps keep working |
| Who it suits | Privacy as priority, torrents, sensitive tasks | Protect a couple of apps without losing all network |
The system-wide mode is the choice for those who value privacy over uninterrupted connectivity: on any failure the whole device goes offline, and there is physically nothing to leak. The price is losing all internet during a drop, including harmless apps. The per-app one is gentler but takes discipline: it is on you to make sure every sensitive app made it into the list — forget one and, on a drop, that is the one that leaks. In practice many per-app implementations overlap with split tunneling, where part of the traffic is deliberately routed around the VPN.
How a kill switch differs from DNS and IPv6 leak protection
A kill switch insures against a full tunnel drop. Leak protection covers situations where the tunnel is formally alive but part of the traffic still goes around it. These are different layers, and a mature VPN uses both.
A DNS leak happens when your DNS requests (turning a site name into an IP) go not into the tunnel but straight to your ISP's DNS servers. The tunnel works, traffic is encrypted, but from the DNS requests your ISP can still see the list of sites. A kill switch does not help here — there is no drop. Separate DNS leak protection saves the day: the VPN intercepts all DNS requests and pushes them through the tunnel. How to check this is in our guide on testing and fixing a DNS leak. An IPv6 leak is related: if a VPN closes only IPv4 and your ISP has IPv6 enabled, requests over the new protocol can go around the tunnel, exposing your real IPv6 address. A mature service either routes IPv6 through the tunnel or disables it for the session.
- Kill switch — reacts to a tunnel drop: no tunnel, no internet.
- DNS leak protection — guarantees that DNS requests go inside a live tunnel.
- IPv6 leak protection — makes sure IPv6 traffic also goes through the tunnel or is disabled.
- WebRTC leak protection — closes a browser hole through which a site can learn your real IP.
A good VPN enables all these by default, and when choosing a service it is worth checking for each — more in our guide on how to choose a VPN in 2026.
Kill switch on Windows, macOS, iOS and Android
The implementation differs from platform to platform — because of how the OS lets apps control the network.
Windows
Usually built on the Windows firewall (WFP): the client adds rules that block all outbound traffic around the VPN adapter. Some clients offer a "soft" kill switch (closing the network only while the app runs) and a "hard" one at the system level (the block persists even if the client crashes). The hard one is more reliable, but if it is on while the client fails to start, you can end up with no internet at all — fixed by turning off the rule.
macOS
Built on the system network framework and the packet filter; the principle is the same — block traffic around the VPN interface. On recent versions the block is stable and survives sleep and wake well. Watch whether local network access is allowed, otherwise network printers and NAS devices stop responding.
iOS
A VPN works only through the system API (NetworkExtension), which is a plus for reliability. When "Connect On Demand" is enabled, the system itself does not let the selected traffic out until the tunnel comes up — in effect behavior close to a kill switch at the OS level.
Android
Has built-in "Always-on VPN" and "Block connections without VPN" — that is a system-level kill switch. It is enabled in the network settings and does not depend on a specific app. Android also supports split tunneling for per-app scenarios.
Drawbacks and pitfalls
You pay for the extra strictness with convenience. The main drawback follows from the all-or-nothing logic: no VPN means no internet. If the tunnel drops and cannot recover, you stay offline until the VPN comes back or you turn the kill switch off yourself.
- Local network, NAS and printers. A strict kill switch can block home devices. Fixed by an "allow local network access" option.
- Captive portals. In hotels and cafes the Wi-Fi requires authorization through a splash page, but the VPN cannot connect until you pass the portal. You temporarily disable the kill switch, sign in, then turn it back on.
- Background tasks. If protection fired overnight, photo sync, backups and updates may not have run.
- Status confusion. You might decide the "internet is broken" and reboot your router, when in reality the VPN just dropped.
Most of the inconvenience is removed by two settings: allowing the local network and understanding that a captive portal requires temporarily disabling the feature.
When to keep the kill switch on
Torrents and P2P
A torrent client runs in the background for hours and actively seeds, and on any drop your real IP becomes instantly visible to everyone in the swarm. A system-wide kill switch guarantees the client simply goes silent on a VPN failure.
Public Wi-Fi
The network is untrusted by definition, and switching plus a weak signal provoke frequent drops. A kill switch stops a single packet from going onto someone else's network unencrypted at the moment of failure. Read more in our guide on public Wi-Fi security.
Unblocking resources
A tunnel drop without a kill switch not only exposes your address but can reveal the very fact that you accessed a restricted resource. The topic is covered in our article on unblocking websites with a VPN.
Banking and sensitive data
On someone else's network the cost of even a one-second leak is higher than usual — the strictest system-wide mode makes sense. This matters especially when logging into a banking app from a hotel or airport, where drops happen most often because of weak Wi-Fi.
There are reverse scenarios too: if you use a VPN only to occasionally change region for video and transmit nothing sensitive, constant blocking on micro-drops will annoy you. Then a per-app option, or enabling the kill switch only for specific tasks, is wiser. On changing your visible address, read our guide on how to hide your IP address.
How to enable and test a kill switch: a checklist
- Find the setting. In the app's security settings — an item called "Kill Switch," "Emergency Shutoff," "Block connections without VPN" or "Network Lock."
- Choose the type. System-wide (all traffic) for maximum protection, or per-app if it matters to keep some apps working.
- Allow the local network if you need a printer, NAS or media server at home.
- On Android enable the system "Always-on VPN" and "Block connections without VPN."
- Connect to the VPN and make sure the tunnel is up and the internet works.
- Test that it fires. Without disconnecting the VPN in the app, force the tunnel to break: change the server or put the phone into airplane mode for a couple of seconds. The internet should disappear until the VPN recovers.
- Check for the absence of leaks. After reconnecting, open an IP and DNS check service and make sure only the VPN server's address is visible.
- Remember captive portals. If a network will not let you past the sign-in page, temporarily disable the feature, pass the portal and turn it back on.
If the internet disappears on a drop and returns when the VPN recovers, the kill switch is configured correctly. If traffic keeps flowing during a drop, check that the feature is enabled in system-wide mode and not just "while the app is running."
Do you need a kill switch and where to get one
Almost everyone who uses a VPN for privacy, rather than just to change region, needs a kill switch. It costs zero extra, has almost no effect on speed, and closes a real, regularly occurring hole. The only price is occasionally being offline for a second.
When choosing a service, check that a kill switch is there and works on your devices, especially on your phone. In LiMP the emergency shutoff is built in and works on iOS and Android over WireGuard: the tunnel reconnects quickly, and at the moment of a drop the kill switch stops traffic from leaking. The service keeps no logs of your activity, and the plan is 100 RUB/month with no long contracts. Terms are on the pricing page.
FAQ
Is a kill switch the same as just turning off the VPN?
No, they are opposites. When you manually turn off the VPN, traffic goes straight through your ISP in the clear — which is exactly what a kill switch prevents. Turning off the VPN exposes you, while a kill switch protects you at the moment of failure.
Does a kill switch slow down internet speed?
Practically not. It is a set of firewall rules that watches the tunnel's state and does not process the traffic itself. Any speed drop comes from the VPN encryption and the distance to the server, not from the emergency shutoff feature.
Why does the internet sometimes disappear with the kill switch on?
This is the feature's normal operation. If the tunnel drops, the kill switch blocks the internet until protection is restored — which is why the network disappears for a second or two. As soon as the VPN reconnects, the internet returns; if it does not, check whether the server is down and switch it.
Does a kill switch protect against DNS leaks?
No. A kill switch reacts only to a full tunnel drop, while a DNS leak happens with a live tunnel, when requests go around it to the ISP's servers. Separate DNS leak protection saves you here. A mature VPN enables both layers at once.
Does a kill switch work if I only use mobile data without Wi-Fi?
Yes. Mobile networks break the tunnel no less than Wi-Fi — when base stations switch, in poor-reception areas, or when the carrier changes your external IP. On Android the system "Block connections without VPN" works the same for any connection type.
Can a kill switch drain the phone battery?
No, on its own it barely uses resources: on modern clients it is tied to the presence of the virtual adapter and a correct route, not to constant polling. Battery use comes from the VPN itself, not from the emergency shutoff feature.
