VPN Kill Switch
What is VPN Kill Switch?
A safeguard that automatically blocks all network traffic on the host whenever the VPN tunnel drops, preventing inadvertent leaks over an unencrypted connection.
A VPN kill switch is a host-level control that drops or denies traffic the moment the VPN session terminates abnormally, so that applications cannot fall back to the underlying physical network. It is typically implemented with host firewall rules that allow outgoing packets only on the VPN interface (utun, wg0, tun0), plus default-deny rules on the physical interface. WireGuard's PostUp/PostDown plus iptables/nftables, Windows Filtering Platform rules, Little Snitch profiles, and the kill-switch toggles in commercial VPN apps all implement the same concept. Variants include application-level kill switches that block only specific processes (BitTorrent client, browser) instead of the whole machine. The control matters for privacy, leak protection, and compliance with corporate full-tunnel policies.
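The WireGuard PostUp/PostDown plus nftables variant described above, written out as an added example (not code from the page or from the WireGuard project). It assumes nftables is installed, that wg-quick manages the tunnel, and that the `[Interface]` section sets `FwMark = 51820` so WireGuard's own encapsulated UDP packets carry that mark; the interface name, the fwmark value and the script path are assumptions. The chain policy is drop, so everything that is not loopback, the tunnel interface itself, or a marked WireGuard packet is discarded, which is what stops applications from falling back to the physical interface when the tunnel stalls.

```shell
#!/bin/sh
# killswitch.sh: WireGuard PostUp/PreDown helper that installs an nftables
# "only the tunnel may talk" ruleset. Added example, not the page's or any
# project's own code.
# Assumptions: nftables is installed, wg-quick manages the tunnel, and the
# [Interface] section sets "FwMark = 51820" so WireGuard's own encapsulated UDP
# packets carry that mark (they are the only traffic that may leave eth0/wlan0).
#
# Hypothetical /etc/wireguard/wg0.conf lines that call this script:
#   [Interface]
#   FwMark  = 51820
#   PostUp  = /etc/wireguard/killswitch.sh up %i 51820
#   PreDown = /etc/wireguard/killswitch.sh down
set -eu

TABLE=killswitch

# Emit the ruleset for tunnel interface $1 and fwmark $2. The chain policy is
# drop, so anything not explicitly accepted (plaintext traffic trying to use
# the physical interface) is discarded whether or not the tunnel is healthy.
ruleset() {
    wg_if=$1
    fwmark=$2
    cat <<EOF
table inet ${TABLE}
delete table inet ${TABLE}
table inet ${TABLE} {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "${wg_if}" accept
        meta mark ${fwmark} accept
        fib daddr type local accept
        udp sport 68 udp dport 67 accept
        counter drop
    }
}
EOF
}

# Load the ruleset atomically; declaring and then deleting the table first
# makes the load idempotent (re-running "wg-quick up" does not stack rules).
up() {
    ruleset "$1" "$2" | nft -f -
}

# Remove the table. Called from PreDown only, so a stalled tunnel (failed
# handshake) keeps the rules in place; only a deliberate teardown lifts them.
down() {
    nft delete table inet "${TABLE}"
}

# Show the table with its counters; a rising count on "counter drop" means
# something on the host tried to bypass the tunnel.
status() {
    nft list table inet "${TABLE}"
}

case "${1:-}" in
    up)     up "${2:?tunnel interface required}" "${3:-51820}" ;;
    down)   down ;;
    status) status ;;
    *)      printf 'usage: %s up <wg-if> [fwmark] | down | status\n' "$0" >&2 ;;
esac
```

Two design points matter for the leak-protection goal. The table uses the `inet` family, so IPv6 is covered by the same rules rather than being left open. The teardown hook is `PreDown`, not `PostDown`: wg-quick runs it only on a deliberate `wg-quick down`, so if the peer stops answering handshakes the `wg0` interface and the rules stay up and traffic simply blackholes, which is the behaviour the page describes. The `udp sport 68 udp dport 67 accept` line permits DHCP lease renewals on the physical interface; remove it if the host uses static addressing. With `DNS =` set in the WireGuard config, resolver queries go out over `wg0`; a LAN resolver on the physical interface is dropped, which is intended.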
● Examples
- 01: A journalist's WireGuard config that drops all non-VPN traffic via nftables when the tunnel goes down.
- 02: A commercial VPN client setting Windows firewall rules so the browser cannot send packets outside the tun interface.
● Frequently asked questions
What is VPN Kill Switch?
A safeguard that automatically blocks all network traffic on the host whenever the VPN tunnel drops, preventing inadvertent leaks over an unencrypted connection. It belongs to the Network Security category of cybersecurity.
How does VPN Kill Switch work?
Host firewall rules allow outgoing packets only on the VPN interface (utun, wg0, tun0) and default-deny the physical interface, so when the VPN session terminates abnormally applications cannot fall back to the underlying, unencrypted network. WireGuard's PostUp/PostDown with iptables/nftables, Windows Filtering Platform rules, Little Snitch profiles and the kill-switch toggles in commercial VPN apps all implement this; application-level variants block only specific processes (BitTorrent client, browser) rather than the whole machine. See the full definition above.
What does a VPN Kill Switch defend against?
It prevents traffic from falling back to the unencrypted physical network when the tunnel drops, closing the IP and DNS leaks that would otherwise follow; the technical controls that achieve this are those described in the full definition above.
What are other names for VPN Kill Switch?
Common alternative names include: Network lock, Internet kill switch.
● Related terms
- Always-On VPN (network-security, № 042): A device-wide policy that establishes the VPN tunnel automatically as soon as the network is available and refuses non-tunnelled traffic, enforced by Windows, Apple, and Android profiles.
- VPN Split Tunneling (network-security, № 1215): A VPN configuration that routes only selected traffic (e.g. corporate subnets) through the encrypted tunnel while letting the rest reach the internet directly.
- DNS Leak (privacy, № 339): A privacy failure in which DNS queries bypass a VPN or Tor tunnel and are sent to the user's ISP or default resolver in cleartext.
- WireGuard (network-security, № 1244): A modern, minimal VPN protocol that uses a fixed set of state-of-the-art cryptographic primitives and runs as part of the Linux kernel.
- IPsec (network-security, № 556): A suite of IETF protocols that authenticates and encrypts IP packets to provide secure communications at the network layer.
- Firewall (network-security, № 420): A network security device or software that monitors and controls inbound and outbound traffic based on a defined ruleset, separating trusted from untrusted networks.