

A VPN kill switch monitors the state of your VPN tunnel. The moment the tunnel goes down, it cuts your internet connection entirely. Traffic is blocked until the VPN either reconnects or you manually disable the kill switch.
The name is slightly dramatic for what is, mechanically, a network firewall rule. When the VPN interface is active, traffic is allowed through the tunnel. When the interface disappears, the rule blocks everything else from leaving.
Without a kill switch, a VPN drop is invisible to your apps. Your operating system will just route traffic through your next-best network interface: your regular broadband or mobile connection. Everything continues working. Your real IP is now exposed, and you may not notice for minutes.
When a VPN tunnel drops without a kill switch active, the gap is typically brief, anywhere from a few hundred milliseconds during a reconnect to several seconds if the VPN app has to restart. In that window, all traffic flows unprotected [1]:
DNS queries: Your system immediately sends DNS requests through your ISP's resolver. The domains you are actively browsing become visible.
Active connections: Any open TCP connection that survives the tunnel failure (such as a file download, a streaming session, or an active API call) will continue over your real IP.
Background app traffic: Email clients, cloud sync services, messaging apps, and software update checks all phone home continuously. Any of these that fire during the gap will use your real IP.
This matters most if you are trying to prevent any correlation between your real IP and your activity, for example when using a VPN for legal but sensitive work, or in environments where IP logging is a genuine concern.
Not all kill switch implementations are the same. The distinction matters.
App-level kill switch: Implemented in the VPN application itself. When the app detects the tunnel is down, it applies firewall rules or disconnects the network adapter. Fast and reliable when the app is running, but if the VPN app crashes entirely, the kill switch logic goes with it and traffic can escape before any rules are applied.
System-level kill switch: Implemented as a persistent OS firewall rule. Traffic outside the VPN tunnel is blocked at the kernel level, independent of whether the VPN app is running. This survives app crashes, and it survives system restarts when the VPN is set to auto-connect. It is the stronger implementation.
Most consumer VPN apps use an app-level implementation. Fewer use system-level rules. If this matters to you, it is worth checking the documentation of any VPN you use to understand which approach they have taken.
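A system-level kill switch of the kind described above, as an added example that is not code from the original page or from any VPN vendor: a POSIX shell function that prints an nftables ruleset for Linux. The table name `killswitch`, the interface `wg0`, and the endpoint address and port are constructed values, and nftables on Linux is an assumption, since the page names no platform for this approach.

```shell
#!/bin/sh
# Added example: print an nftables ruleset for a system-level kill switch.
# The table name "killswitch" and all sample values are constructed.

is_ipv4() (
    case $1 in *[!0-9.]*|*..*|.*|*.) exit 1 ;; esac
    IFS=.; set -- $1                      # split the address into octets
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in 0?*) exit 1 ;; esac    # no leading zeros
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
)

killswitch_ruleset() (
    iface=$1 endpoint=$2 port=$3
    # Validate before interpolating: these values end up inside firewall rules.
    case $iface in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; exit 1 ;; esac
    [ ${#iface} -le 15 ] || { echo "interface name too long" >&2; exit 1; }
    is_ipv4 "$endpoint" || { echo "bad endpoint address" >&2; exit 1; }
    case $port in ''|0*|*[!0-9]*) echo "bad port" >&2; exit 1 ;; esac
    [ ${#port} -le 5 ] && [ "$port" -le 65535 ] ||
        { echo "bad port" >&2; exit 1; }

    cat <<EOF
table inet killswitch {
    chain output {
        # Default-deny for locally generated traffic, IPv4 and IPv6 alike.
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # Matched by name, so the rule loads and stays in place while the
        # tunnel interface is absent; traffic is then dropped, not rerouted.
        oifname "$iface" accept
        # The encrypted tunnel packets themselves must reach the VPN server.
        ip daddr $endpoint udp dport $port accept
    }
}
EOF
)

# Constructed sample values (203.0.113.0/24 is a documentation range).
killswitch_ruleset wg0 203.0.113.10 51820
```

Check the output with `nft -c -f -` before loading it with `nft -f -`. Because the chain policy is drop, anything else the underlying link needs has to be allowed explicitly.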
For most everyday VPN use, brief disconnects are a minor annoyance rather than a serious privacy failure. If you are using a VPN primarily to access geo-restricted content or to avoid broad ISP data collection, a moment of unprotected traffic is not a meaningful risk.
The kill switch becomes genuinely important in these situations:
Journalist or activist use cases: Any context where your real IP being associated with specific browsing activity carries real consequences. A brief leak can create a correlation that undermines everything else.
Torrenting or P2P: P2P traffic exposes your IP to every peer you connect to. A kill switch ensures your real IP never appears in those peer lists, even for a fraction of a second.
Unstable networks: Mobile connections, hotel WiFi, and networks that frequently switch between interfaces (such as WiFi to cellular handoffs) create more tunnel drops. The kill switch matters more on unreliable connectivity.
Auto-reconnect without monitoring: If you leave a VPN running in the background and do not actively watch the connection state, you may not notice a drop for a long time. A kill switch is the passive protection for this.
On WireGuard specifically, tunnel drops are less common than with OpenVPN because the protocol handles roaming better [2]. But they still happen, especially when switching networks. The kill switch is a backstop for the cases WireGuard does not catch.
BuycatVPN includes a kill switch on Windows, macOS, and Android. When enabled, all traffic is blocked if the tunnel goes down until the connection is restored. It is available as an explicit toggle in Settings and works alongside auto-reconnect so that the tunnel re-establishes as quickly as possible before traffic is allowed through again.
If you are unsure whether to enable it, the practical default is on. The only cost is a brief connectivity gap if the tunnel drops. The benefit is that your real IP does not appear anywhere during that gap.
[1] J. Postel, IETF, September 1981. The foundational IPv4 specification that describes how IP packets route independently of any tunnel.
[2] Jason A. Donenfeld, 2017. Section on roaming and reconnection behaviour, relevant to why tunnels drop during network transitions.
[3] Describes a class of vulnerability where traffic can be injected into a VPN session, illustrating why kill switch implementations matter beyond just the disconnect case.