A VPN only protects you while the encrypted tunnel is actually up. The problem is that tunnels drop — briefly, silently, and more often than you’d think. A kill switch is the safety net that makes sure a dropped connection doesn’t turn into an exposed one. Here’s exactly what it does and why it belongs on by default.
The problem a kill switch solves
Picture this: you’re connected to a VPN, your real IP hidden, your traffic encrypted. Then your Wi-Fi flickers for a second, or the VPN server restarts, or your laptop wakes from sleep. The VPN tunnel drops.
Without a kill switch, your device does the natural thing — it falls back to your normal, unprotected connection and keeps sending traffic. For those few seconds (or minutes, if you don’t notice), your real IP address, your location and your DNS lookups are exposed to every site and app you’re using. Your ISP sees your activity again. If you were downloading a large file or on a video call, your true identity is now attached to it.
The worst part is that it’s invisible. Everything keeps working, so you have no reason to suspect anything leaked.
The analogy: an airlock
Think of a kill switch like an airlock on a spacecraft. You only move through the outer door once the inner door is sealed. If the seal fails, the airlock doesn’t just let the air rush out — it locks everything down until the seal is restored.
A VPN kill switch works the same way. Your traffic is only allowed onto the internet through the sealed VPN tunnel. If that seal breaks, the kill switch slams the door shut rather than letting your data spill out through the open connection. Nothing leaves until the tunnel is safely re-established.
How it works, technically
Under the hood, a kill switch enforces a simple rule at the network level: allow traffic through the VPN interface, block it everywhere else.
When the VPN is up, packets flow through the encrypted tunnel as normal. The moment the VPN’s status changes to “disconnected” — or the tunnel interface disappears — the kill switch’s firewall rules take over and drop any packet that would otherwise escape through your default network adapter. When the VPN reconnects, the rules relax and traffic flows again.
This is often called failing closed: the safe default when something goes wrong is no connectivity, not unprotected connectivity. A well-built kill switch also handles the tricky edge cases — the tunnel coming up at boot before apps start, or the network changing underneath you — so there’s never a gap.
System-wide vs app-level
There are two common flavors:
- System-wide kill switch. Blocks all internet traffic on the device when the VPN drops. This is the safest, most complete option — nothing gets out unprotected, full stop.
- App-level kill switch. Blocks only specific apps you nominate (say, a torrent client or a browser) while letting the rest of your device stay online. Handy when you only need certain apps guarded, but it leaves everything else exposed during a drop.
For most privacy-focused users, system-wide is the right default. App-level makes sense in narrower cases — for instance, if you keep a torrent client permanently guarded but don’t want your whole device to go offline whenever the VPN blips. The trade-off is that everything you didn’t nominate stays exposed during a drop, so it demands more attention than the set-and-forget system-wide option.
Why it pairs with DNS and IP protection
A kill switch is one layer in a larger leak-prevention picture. During a drop, the biggest risks are your real IP becoming visible and your DNS lookups falling back to your ISP’s resolver. The kill switch stops both by cutting traffic entirely — but it works best alongside proper DNS protection so lookups never leak even during normal use. Our DNS-over-HTTPS explainer covers that side.
It also complements split tunneling, which deliberately routes some apps outside the VPN. If you use split tunneling, your kill switch should still protect the apps you’ve chosen to keep inside the tunnel. See our split tunneling guide for how the two work together.
How Veilock implements it
Veilock ships with a kill switch designed to fail closed:
- Instant network lock. If the encrypted tunnel drops for any reason, Veilock immediately blocks outbound traffic at the network level — no packets escape while you’re unprotected.
- Automatic recovery. The client reconnects to the fastest available server and lifts the block only once the tunnel is verified up again, so protection resumes without you lifting a finger.
- No leaks in the gap. Combined with Veilock’s forced DNS-over-HTTPS resolution and a strict no-logs policy, there’s no window where your real IP or lookups slip out — and nothing logged even if there were.
The net effect: your privacy doesn’t depend on the connection being perfect. It depends on the safe default being “no traffic without protection.”
The bottom line
A VPN kill switch is the difference between “my VPN protects me when it’s working” and “my VPN protects me, period.” Connections drop — that’s normal — and without a kill switch, those drops silently expose your real IP and DNS. A kill switch that fails closed turns every drop into a harmless pause instead of a leak. If you rely on a VPN for genuine privacy, keep the kill switch on. Veilock’s is built to lock down instantly and recover on its own, so a flickering connection never becomes an exposed one. To go further on hiding your identity, read how to hide your IP address.
With a kill switch vs without one
| When the VPN drops | Without kill switch | With kill switch |
|---|---|---|
| Internet traffic | Continues over normal connection | Blocked instantly |
| Your real IP | Exposed to sites & apps | Stays hidden |
| DNS lookups | Leak to your ISP | Blocked until reconnect |
| Torrents / downloads | Reveal true IP mid-transfer | Paused, no leak |
| Recovery | You may never notice | Auto-restores when tunnel returns |