What images does the term “VPN kill switch” conjure in your mind? If you’re like me and spent your childhood watching movies instead of growing as a person, that image is probably a giant, red button that averts the VPN’s self-destruct sequence with one second left on the timer, Galaxy Quest-style.
There may be some real-life kill switches with that level of sex appeal. But when it comes to the virtual private network (VPN) you use to stay safe online, the truth is less flashy — though a lot more relevant to your actual life.
A VPN kill switch, sometimes called “network lock” or other names, is a feature included on the control apps for many VPNs. Compared to most VPN features, it’s easy to wrap your head around. Occasionally, your VPN connection drops unexpectedly and you’re cut off from its servers for a split second. If this happens when the kill switch is active, your internet connection will immediately drop as well.
Why bother with this? If you’re using a VPN, you’re presumably invested in keeping your real IP address and any other encrypted information away from public channels. If you’re ever online after your VPN connection fails, even for a second, you risk exposing yourself to your internet service provider or a hacker. A kill switch eliminates that risk.
That’s the elevator pitch. In practice, there’s more we need to consider. Which VPN services come with a kill switch? Does a VPN kill switch work instantaneously, and how does it pull that off? What are the different types of kill switches?
This article is your field guide to the VPN kill switch feature. By the end, you’ll be equipped with all the knowledge you’ll need to get a VPN with a kill switch that’s killin’ it.
How Does a VPN Kill Switch Work?
To understand how a VPN kill switch does its job, we first need a sense of what might cause a VPN connection to drop suddenly.
The best VPN providers (i.e., any that I recommend) have extremely good uptime rates for their servers. You won’t have to worry about losing your connection over 99 percent of the time. But internet security is all about mitigating the severe risks posed by that less than 1 percent.
There are a few reasons your VPN connection might drop during a browsing session:
- You’re using an unstable protocol. Some VPN protocols are developed for a stable connection, but others prioritize speed or stealth. Certain protocols, such as OpenVPN over UDP, focus on making fast connections without worrying about stability.
- There are problems with your local WiFi. We put a lot of emphasis on VPN speed, so it’s easy to forget that your local conditions still determine the lion’s share of your experience. If your signal is faint, your bandwidth is low or your connection is overcrowded, you may not be able to get through to the server.
- Other security settings are interfering. Antivirus programs, firewalls, router settings and other non-VPN security measures can keep you from connecting to a VPN server.
- There’s trouble on the server end. VPN servers fail from time to time for a variety of reasons. Virtual servers sometimes behave badly, and governments may seize servers. Data centers themselves may be vulnerable: they may be managed by unreliable third parties or swamped by natural disasters.
All these disasters have something in common: if they cut your VPN connection, it’s possible — even likely — that you won’t notice right away.
A Kill Switch in Action
That’s where the kill switch comes in. While active, it constantly monitors your connection for telltale signs of a drop. For example, it’s a dead giveaway if your IP address changes from your VPN server to your home ISP.
When the kill switch detects an interruption, it leaps into action. Depending on the protocol, it will either limit your ability to browse the internet (active kill switch protocol) or cut your connection off entirely (passive kill switch protocol). More on that in a moment.
Different types of kill switches work at different scales. An app-level kill switch cuts internet access for certain apps, while a system-level kill switch cuts off the entire device. See the “types of VPN kill switches” section for details on that.
After cutting off your connection, the VPN kill switch has one final job. Just like an illusion is not complete without the prestige, a kill switch must also restore your internet connection after your connection to the VPN server is back online. You can always tell a poorly built VPN kill switch because you have to shut the app off entirely to get your internet back.
Active vs Passive Kill Switch Protocol
A VPN kill switch works with one of two broad sets of orders.
With an active kill switch protocol, losing your VPN connection “activates” the kill switch. The VPN app prevents you from accessing suspicious websites or networks until you’re back on the VPN. For me, this is the less desirable option because it’s just an extra layer of what your antivirus software should be doing already.
A passive kill switch protocol is stronger despite the weaker-sounding name. Instead of just keeping you from doing risky things online, this type of VPN kill switch cuts you off from the internet entirely. Many VPN kill switches are passive unless they explicitly say otherwise.
Types of VPN Kill Switches
In addition to the two types of protocols named above, VPN kill switches can work at two levels: system-level and app-level (sometimes called “app kill”).
System-Level VPN Kill Switch
A system-level kill switch applies equal coverage to your entire device. When you get booted from your VPN connection, it doesn’t matter whose fault it was. None of your apps can get online until the VPN is back. It’s like your teacher punishing the entire class for one person’s actions, except, you know, it’s a good thing.
App-Level VPN Kill Switch
You might see this type of kill switch called an “app kill” on VPNs. Instead of blocking your entire computer when you lose your VPN, an app kill switch only blocks a list of apps you named ahead of time.
It’s like a fusion of a kill switch and split tunneling. You can set the kill switch to apply only to apps that exchange sensitive information while leaving the innocuous ones untouched.
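The detect, block and restore cycle from "A Kill Switch in Action", at both the system and app level, as an added example that is not code from any VPN provider. It assumes a Linux client whose VPN replaces the default route with one through an interface named `tun0`; the routing snapshots and app names are constructed for illustration.

```python
# Added example with constructed data; not any VPN vendor's code.
TUNNEL_IF = "tun0"  # assumed name of the VPN tunnel interface


def tunnel_is_up(ip_route_output):
    """True if the default route in `ip route show` output leaves via the tunnel.

    Assumes the VPN client replaces the default route while connected.
    """
    for line in ip_route_output.splitlines():
        fields = line.split()
        if fields and fields[0] == "default" and "dev" in fields:
            dev = fields.index("dev") + 1
            return dev < len(fields) and fields[dev] == TUNNEL_IF
    return False  # no default route at all: fail closed


class KillSwitch:
    def __init__(self, protected_apps=None):
        # None = system-level (block everything); a set = app-level ("app kill").
        self.protected_apps = protected_apps
        self.blocking = True  # fail closed until the tunnel is first seen up

    def observe(self, ip_route_output):
        """Block on a drop, and lift the block once the tunnel is back."""
        self.blocking = not tunnel_is_up(ip_route_output)

    def allows(self, app):
        if not self.blocking:
            return True
        if self.protected_apps is None:
            return False
        return app not in self.protected_apps


def replay(switch, snapshots, app):
    """Per routing-table snapshot, report whether `app` may send traffic."""
    decisions = []
    for snapshot in snapshots:
        switch.observe(snapshot)
        decisions.append(switch.allows(app))
    return decisions


# Constructed `ip route show` snapshots: connected, then after a silent drop.
CONNECTED = "default via 10.8.0.1 dev tun0\n192.168.1.0/24 dev wlan0 scope link"
DROPPED = "default via 192.168.1.1 dev wlan0 proto dhcp\n192.168.1.0/24 dev wlan0 scope link"

if __name__ == "__main__":
    timeline = [CONNECTED, DROPPED, CONNECTED]
    print(replay(KillSwitch(), timeline, "browser"))
    print(replay(KillSwitch({"torrent-client"}), timeline, "music-player"))
```

A monitor that polls like this leaves a gap between the drop and the next check, so traffic sent in that window is not covered by it.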
Risks of Using a VPN Without a Kill Switch
A VPN kill switch is more than just a helpful extra doodad. Given that no VPN server network works perfectly 100 percent of the time, the kill switch is almost as important a security feature as the VPN itself.
If you use a VPN without a kill switch, you’re taking on the following risks.
- Your IP address will automatically revert back to your home ISP. Without a kill switch, dropping your VPN connection does nothing to your internet connection. Your router and modem don’t know anything is amiss, so they’ll keep you online by reestablishing a direct connection between your home and destination servers. At that point, anyone who happens to be snooping can see your real IP address, and your online anonymity is over. Anything you do can be traced back to you.
- Your traffic will no longer be encrypted. Remember that a VPN doesn’t just hide your IP address. It also encrypts your internet traffic so that third parties see nothing but nonsense characters. If you lose your VPN connection while sending a deeply personal email or your credit card number, everything is suddenly exposed.
- Your exposure to hackers only increases on unsecured WiFi. Coffee shops, hotel lobbies, airports — anywhere you can get online without a password is a hacker’s paradise. VPNs are a great way to use free public WiFi safely, but if you lose your connection without a kill switch, anybody could swoop in.
- A VPN without a kill switch can expose you to the authorities. Whether you’re using torrenting to innocently archive a web page, access a banned web page in China, or obtain copyrighted content, a drop in your VPN connection is very bad news. A kill switch is your last line of defense.
The 3 Best VPNs With Kill Switches
ExpressVPN, my favorite VPN overall, comes with a kill switch it calls “network lock.” Network lock adds the convenient option to exempt local connections, like your scanner or printer, from the kill switch. Read my full ExpressVPN review here.
NordVPN is a high-performing, feature-rich VPN that offers both system-level and app-level kill switches. In leak tests, it didn’t leak a single IP address or DNS request. However, its kill switch can be aggressive, sometimes requiring you to reboot the app in order to reconnect. Read my full NordVPN review here.
Surfshark VPN has a basic kill switch that works very well. Like the other two VPNs on this list, it’s reliably secure against leaks. Read my full Surfshark review here.
Are There Free VPNs With a Kill Switch Feature?
Yes, there are a few. Windscribe VPN has a free plan that comes with a kill switch, which it refers to as a “firewall” (sort of the same thing). TunnelBear VPN also has a kill switch, though it’s not available on iOS. Hide.me VPN comes with a free kill switch as well.
As usual, though, I advise you to pay for a VPN. All three services above are steady and privacy-focused but work a lot better when you can access their entire server networks and use them without monthly data limits.
A kill switch is a small feature with a huge impact on the ability of your VPN app to keep you safe. It may have seemed optional at one point, but the truth is now clear: kill switches may be the most important feature of any VPN outside the server network itself.
What does this mean for you? If you’re shopping for a VPN, and your favorite solution doesn’t have a kill switch, think very hard about whether you have a good reason for choosing it.
A VPN kill switch isn’t just a vital security measure. It’s also a good proxy for the amount of thought the developers put into the VPN service. If you see a kill switch, you can be sure you’re in the hands of people who are careful and sincere about keeping you safe.
Got a favorite VPN with a kill switch that I didn’t mention? Has a kill switch ever saved you from airing sensitive information online? Tell me all about it in the comments!