What Is a VPN Kill Switch?
A VPN kill switch is a security feature that blocks all internet traffic if the VPN connection drops. Without a kill switch, a VPN disconnection — caused by a server outage, sleep/wake cycle, network change, or software crash — causes your device to immediately fall back to sending traffic over your regular unencrypted connection, exposing your real IP address and unencrypted activity to your ISP and network observers.
This fallback is called a VPN leak and defeats the purpose of using a VPN entirely, even briefly. If you use a VPN for privacy, a kill switch is not optional — it is essential.
How Kill Switches Work
Kill switches operate at two levels:
Application-level kill switch: Monitors the VPN connection and immediately terminates specified applications (browser, torrent client, etc.) if the VPN drops. Less reliable — there is a brief window between disconnection and app termination.
System-level (network-level) kill switch: Modifies firewall rules to block all non-VPN traffic at the OS level. More reliable — traffic simply cannot leave through the regular network interface while rules are active.
The best kill switches are always-on by default and use firewall rules, not application monitoring.
Configuring Kill Switches in VPN Clients
Mullvad VPN
Mullvad has the most reliable kill switch implementation of any consumer VPN. It is enabled by default after installation and uses nftables on Linux and the Windows Filtering Platform on Windows.
Verify it is enabled:
- Open the Mullvad app
- Go to Settings → VPN Settings
- Ensure “Kill switch” is toggled on
- Enable “Always require VPN” for the strongest protection — this blocks all traffic even when you are connected to the internet but before the VPN tunnel is established (covers the boot window)
Lockdown mode (Mullvad’s term for Always Require VPN): blocks all internet access if the VPN is disconnected regardless of reason, including intentional disconnection. This is the strongest option but inconvenient if you sometimes need to use the internet without the VPN.
ProtonVPN
ProtonVPN calls its kill switch “Kill Switch” and offers two modes:
- Kill Switch: Blocks internet if the VPN connection drops unexpectedly
- Permanent Kill Switch: Blocks internet whenever you are not connected to ProtonVPN, even if you manually disconnect
Enable via: Settings → Connection → Kill Switch → Enable
On Linux (CLI): ProtonVPN’s kill switch is managed through protonvpn-cli (the v3 command-line client). NetShield, ProtonVPN’s DNS-based ad and malware filter (protonvpn-cli ns), is a separate feature and has no effect on the kill switch:
protonvpn-cli killswitch --on          # block internet if the VPN drops unexpectedly
protonvpn-cli killswitch --permanent   # permanent kill switch: block whenever not connected
protonvpn-cli killswitch --off         # disable
NordVPN
In NordVPN: Settings → Kill Switch → toggle on. NordVPN also offers an App Kill Switch that terminates specific apps rather than all traffic — useful if you only want to kill your browser and torrent client, not your system processes.
ExpressVPN
ExpressVPN calls this feature Network Lock. Enable it in Menu → Options → General → Network Lock: Stop all traffic if the VPN disconnects.
Manual Kill Switch Configuration (Platform-Level)
If your VPN client’s kill switch is unreliable or you use a VPN without a built-in kill switch (custom WireGuard or OpenVPN config), you can implement one at the OS firewall level.
Linux: iptables Kill Switch
This set of rules blocks all traffic except through the VPN tunnel interface (typically tun0 for OpenVPN or wg0 for WireGuard) and your VPN server’s IP:
#!/bin/bash
# Replace VPN_SERVER_IP with your VPN server's actual IP
# Replace VPN_IFACE with tun0 (OpenVPN) or wg0 (WireGuard)
# Must run as root; rules are not persistent across reboots
set -eu
VPN_SERVER_IP="203.0.113.1"
VPN_IFACE="tun0"
# Flush existing rules for both address families
iptables -F
iptables -X
ip6tables -F
ip6tables -X
# Default: block everything. IPv6 must be blocked too, or traffic leaks over it
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow traffic to/from VPN server (needed to establish tunnel over the physical interface)
iptables -A OUTPUT -d "$VPN_SERVER_IP" -j ACCEPT
iptables -A INPUT -s "$VPN_SERVER_IP" -j ACCEPT
# Allow all traffic through VPN tunnel. This already covers DNS inside the tunnel;
# DNS on any other interface is dropped by the default policy, so no extra DNS rules are needed
iptables -A INPUT -i "$VPN_IFACE" -j ACCEPT
iptables -A OUTPUT -o "$VPN_IFACE" -j ACCEPT
ip6tables -A INPUT -i "$VPN_IFACE" -j ACCEPT
ip6tables -A OUTPUT -o "$VPN_IFACE" -j ACCEPT
echo "Kill switch rules applied"
Save as /usr/local/bin/vpn-killswitch.sh, make it executable with chmod +x, and run it as root before connecting to your VPN. The rules are not saved across reboots, so either run the script at boot (a systemd unit or your distribution’s iptables-persistent mechanism) or accept that the first connection after a reboot is unprotected until you run it. The rules also block DHCP renewals and LAN access on the physical interface; that is the intended trade-off of a firewall-level kill switch.
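Firewall rules drift: another tool (a container runtime, a distribution firewall service, a second VPN script) can flush your policy or append a blanket accept after the kill switch was applied. The following audit script is an added example and not part of the original article or any VPN client; it reads `iptables -S` output and checks that the OUTPUT chain still has the shape of a kill switch: default policy DROP, and every ACCEPT confined to loopback, the tunnel interface, or the VPN server. VPN_SERVER_IP and VPN_IFACE are the same placeholders as the script above, and both rule dumps embedded below are constructed for the example.

```shell
#!/bin/bash
# Added example (not the article's own script): audit an iptables rule set for
# kill-switch shape. Feed it `iptables -S` on stdin, or run with "live" to audit
# the running firewall.

VPN_SERVER_IP="203.0.113.1"   # placeholder, same as the kill switch script
VPN_IFACE="tun0"              # placeholder, tun0 (OpenVPN) or wg0 (WireGuard)

# audit_rules: reads `iptables -S`-style lines on stdin.
# Returns 0 if the OUTPUT policy is DROP and every OUTPUT ACCEPT rule is limited
# to loopback, the tunnel interface, or the VPN server address; otherwise prints
# one "LEAK:" line per problem and returns 1.
audit_rules() {
    status=0
    policy_ok=0
    while IFS= read -r line; do
        case "$line" in
            "-P OUTPUT DROP")
                policy_ok=1 ;;
            "-A OUTPUT "*"-j ACCEPT")
                # iptables -S prints host addresses with a /32 suffix
                case "$line" in
                    *"-o lo "*|*"-o $VPN_IFACE "*|*"-d $VPN_SERVER_IP/32 "*|*"-d $VPN_SERVER_IP "*) ;;
                    *) echo "LEAK: $line"; status=1 ;;
                esac ;;
            "-A OUTPUT "*"-j DROP"|"-A OUTPUT "*"-j REJECT")
                ;;   # explicit drops never widen the allow set
            "-A OUTPUT "*)
                # a jump to a user chain could accept traffic we cannot see here
                echo "LEAK: OUTPUT rule with unknown target, inspect manually: $line"
                status=1 ;;
        esac
    done
    if [ "$policy_ok" -ne 1 ]; then
        echo "LEAK: OUTPUT chain policy is not DROP"
        status=1
    fi
    return "$status"
}

# Constructed sample 1: what the kill switch script above produces
GOOD_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.1/32 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 203.0.113.1/32 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT'

# Constructed sample 2: policy reset to ACCEPT and a blanket accept on eth0,
# the kind of damage a later script can do to an otherwise good rule set
LEAKY_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT'

check_good()  { printf '%s\n' "$GOOD_RULES"  | audit_rules; }   # returns 0
check_leaky() { printf '%s\n' "$LEAKY_RULES" | audit_rules; }   # returns 1, two LEAK lines

# Live use against the running firewall: ./audit-killswitch.sh live
if [ "${1:-}" = "live" ]; then
    sudo iptables -S | audit_rules && echo "OK: rule set still looks like a kill switch"
fi
```

Run the audit whenever you suspect the rule set has changed (after installing a container runtime or firewall manager, or after an upgrade of the VPN client), and before trusting the kill switch on an untrusted network. It only inspects IPv4; run `ip6tables -S` through the same function with an IPv6 server address if your tunnel endpoint is reachable over IPv6.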
Linux: nftables Kill Switch (Modern Alternative)
#!/usr/sbin/nft -f
# /etc/nftables-killswitch.conf
# Replace the two values below with your VPN server's IP and tunnel interface.
# The inet family covers IPv4 and IPv6, so the drop policy closes IPv6 leaks too.
define VPN_SERVER_IP = 203.0.113.1
define VPN_IFACE = "wg0"

# Make the file safe to re-apply: create the table if absent, then empty it,
# so rules are not appended twice
add table inet killswitch
flush table inet killswitch

table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname $VPN_IFACE accept
        # handshake and encrypted transport to the VPN server leave over the physical interface
        ip daddr $VPN_SERVER_IP accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        iifname $VPN_IFACE accept
        ip saddr $VPN_SERVER_IP accept
        ct state established,related accept
    }
}
Apply with (as root): nft -f /etc/nftables-killswitch.conf. The interface-name matches (oifname/iifname) work even when the tunnel interface does not exist yet, which is the normal state at boot; a plain oif/iif match would fail to load in that case. If your VPN server is reached over IPv6, add matching ip6 daddr/saddr rules.
WireGuard Built-In Kill Switch
wg-quick, WireGuard’s configuration helper, provides a kill switch through its PostUp and PreDown hooks combined with the fwmark-based policy routing it sets up when AllowedIPs covers all traffic.
Add to your WireGuard interface config (/etc/wireguard/wg0.conf):
[Interface]
Address = 10.0.0.2/32
DNS = 10.0.0.1
# Kill switch: reject any outbound packet that is not leaving through the tunnel (%i),
# does not carry the tunnel's fwmark (wg-quick's own encrypted UDP traffic to the server),
# and is not addressed to a local address. wg-quick substitutes %i with the interface name.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
# the VPN server's public key
PublicKey = YOURPUBLICKEY
Endpoint = VPN_SERVER_IP:51820
# route all IPv4 and IPv6 traffic through the tunnel
AllowedIPs = 0.0.0.0/0, ::/0
The AllowedIPs = 0.0.0.0/0, ::/0 entry routes all IPv4 and IPv6 traffic through the tunnel and makes wg-quick set a fwmark on its own packets. Combined with the PostUp rules, any traffic that tries to leave outside the tunnel is rejected; the addrtype LOCAL exception keeps loopback and the host’s own addresses reachable. Because PreDown removes the rule, a clean wg-quick down restores normal connectivity, while a crash or interface loss leaves the rule in place and traffic blocked.
Windows: Kill Switch via Firewall Rules
On Windows, you can implement a kill switch using Windows Defender Firewall advanced rules. However, this is complex — most users should use the built-in kill switch from their VPN client. If you use a VPN without one, use WireGuard for Windows (which supports the PostUp method above) or switch to a VPN client with native kill switch support.
Testing Your Kill Switch
After enabling a kill switch, test it to confirm it works:
- Connect to your VPN
- Note your VPN IP at ipleak.net or ipinfo.io
- Kill the VPN process (not disconnect cleanly — force-kill it):
  - Windows: Task Manager → End Task on VPN process
  - Linux (OpenVPN): sudo killall -9 openvpn
  - Linux (WireGuard): there is no userspace process to kill; sudo ip link delete wg0 tears the interface down without running PreDown, which is the failure case you want to test. sudo wg-quick down wg0 is a clean disconnect and removes the kill switch rule along with the tunnel, so it does not test failure behaviour.
- Immediately try to load a webpage or check your IP at ipinfo.io
- Expected result: No connectivity at all, or a connection refused error
- Failure result: Your real IP appears — the kill switch failed
If the kill switch fails, your VPN client’s implementation may be application-level only. Switch to a VPN with firewall-level kill switch (Mullvad) or implement the iptables rules above manually.
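The test above is easy to get wrong by hand (checking too slowly, or counting a stale cached page as "connectivity"). The script below is an added example, not from the original article or any VPN vendor, that automates the Linux variant: record the exit IP with the VPN up, force-kill the VPN, then query again and judge the result. It assumes curl is installed, that the VPN is an OpenVPN process named openvpn (substitute `ip link delete wg0` for WireGuard), and that https://ipinfo.io/ip, named on the page, returns the caller’s public address; REAL_IP is an optional environment variable you can set to your known ISP address.

```shell
#!/bin/bash
# Added example (not the article's own code): automated kill-switch test.
# Run with "run" to execute the live test; without it only the helpers are defined.

# public_ip: print the public IP as seen from the internet, or nothing on failure.
public_ip() {
    curl --silent --max-time 5 https://ipinfo.io/ip 2>/dev/null || true
}

# verdict: decide PASS/FAIL from the observations.
#   $1 = IP seen while the VPN was up (the VPN exit IP)
#   $2 = IP seen after the VPN was killed ("" if the request failed)
#   $3 = your real ISP-assigned IP if known, "" otherwise (REAL_IP)
# Prints the verdict and returns 0 for PASS, 1 for FAIL.
verdict() {
    vpn_ip="$1"; after_ip="$2"; real_ip="$3"
    if [ -z "$after_ip" ]; then
        echo "PASS: no connectivity after killing the VPN (kill switch blocked traffic)"
        return 0
    fi
    if [ -n "$real_ip" ] && [ "$after_ip" = "$real_ip" ]; then
        echo "FAIL: real IP $real_ip is exposed"
        return 1
    fi
    if [ "$after_ip" != "$vpn_ip" ]; then
        echo "FAIL: traffic left via another address ($after_ip)"
        return 1
    fi
    # Same address as before: the VPN likely did not actually die, so nothing was tested.
    # Treated as FAIL so the operator re-checks instead of trusting an untested kill switch.
    echo "FAIL (inconclusive): still seeing $vpn_ip; confirm the VPN process was killed"
    return 1
}

# run_test: the live procedure from the article, automated.
run_test() {
    real_ip="${REAL_IP:-}"
    vpn_ip="$(public_ip)"
    if [ -z "$vpn_ip" ]; then
        echo "Could not reach ipinfo.io with the VPN up; aborting"
        return 2
    fi
    echo "VPN exit IP: $vpn_ip"
    # SIGKILL rather than a clean disconnect, so the client's own cleanup never runs
    sudo killall -9 openvpn
    sleep 3   # give the kernel time to drop the tunnel interface and routes
    after_ip="$(public_ip)"
    verdict "$vpn_ip" "$after_ip" "$real_ip"
}

if [ "${1:-}" = "run" ]; then
    run_test
fi
```

A PASS here means the kill switch held during the one failure mode you simulated (process death). Repeat the test after a suspend/resume cycle and after switching networks (for example Wi-Fi to Ethernet), since those are the other common causes of a dropped tunnel listed at the top of this page and some clients handle them differently.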
Summary
A VPN kill switch is a non-negotiable feature for anyone using a VPN for privacy. Mullvad’s always-on implementation is the most reliable out-of-the-box option. For WireGuard and OpenVPN setups without client-level kill switches, the iptables or nftables rules above provide robust protection. Always test your kill switch by force-killing the VPN process — not just disconnecting cleanly — to verify it actually blocks traffic under failure conditions.