What is a VPN kill switch
A feature that blocks all internet traffic if the VPN tunnel drops, so your real IP doesn't leak during reconnects.
A VPN kill switch blocks all internet traffic when the VPN tunnel drops. The point is that your real IP doesn't leak during the seconds (or longer) it takes to reconnect. Every VPN says it has one. Most don't, in the way that matters.
The difference is where the kill switch lives.
App-level kill switches: the fake kind
Most VPN kill switches live inside the VPN app. The app monitors the tunnel; when it sees the tunnel drop, it blocks traffic. Sounds reasonable.
The problem is timing. The app finds out the tunnel dropped after the OS has already routed packets. Heartbeats run every 10-60 seconds, depending on the protocol. There's a 200 ms to several-second window where the OS thinks the tunnel is still up — but it isn't, and packets fall back to the underlying interface and leak your real IP.
By the time the app reacts, your browser has already sent the next request. Streaming services have logged your IP. Your ISP has seen the cleartext DNS query that should have been tunneled.
Userland kill switches activate after the leak. That's most consumer VPN kill switches.
Kernel-level kill switches: the real kind
A kernel-level kill switch lives in the OS network stack. On Windows that's Windows Filtering Platform (WFP) — the same firewall API Windows Defender Firewall uses. On macOS it's Network Extension. On Linux it's nftables/iptables with PF_INET hooks.
Three properties make it work:
- Fires before the VPN handshake completes. When you click Connect, kill switch filters are installed first. Handshake passes through a hole opened specifically for the VPN endpoint. If the handshake fails, nothing else gets out.
- Survives app crashes. If the VPN process dies, the kill switch keeps blocking. Userland kill switches die with their app — and Windows happily restores normal routing as soon as the app exits.
- Survives sleep, resume, and network changes. Wi-Fi to ethernet, lid close, hibernate, hotspot switch — all are events an in-app kill switch must handle as separate state changes. WFP rules sit underneath.
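As an added illustration (not Fexyn's code, and Linux nftables rather than WFP), this is what those three properties look like as a ruleset installed before the client starts: default drop, a hole only for the VPN endpoint, everything else forced through the tunnel interface, loopback left open. The endpoint address, port and interface names are assumptions.

```shell
#!/bin/sh
# Added example: kernel-resident kill switch for Linux via nftables.
# All values below are constructed for illustration, not real infrastructure.
VPN_ENDPOINT="203.0.113.10"   # assumed VPN server address the handshake may reach
VPN_PORT="51820"              # assumed WireGuard UDP port
WAN_IF="eth0"                 # physical interface
TUN_IF="wg0"                  # tunnel interface

# Emit the ruleset. Policy is drop on both hooks, so nothing leaves unless a
# rule allows it: loopback (local dev servers keep working), the tunnel
# interface, and the single endpoint hole for the handshake. A cleartext DNS
# query to the ISP resolver on $WAN_IF is blocked, not leaked.
killswitch_rules() {
  cat <<EOF
table inet killswitch {
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    oifname "$TUN_IF" accept
    oifname "$WAN_IF" ip daddr $VPN_ENDPOINT udp dport $VPN_PORT accept
    oifname "$WAN_IF" udp sport 68 udp dport 67 accept
    counter drop
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    iifname "$TUN_IF" accept
    ct state established,related accept
    counter drop
  }
}
EOF
}

# Install the rules BEFORE launching the VPN client. They live in the kernel,
# so they keep blocking if the client process dies or the machine sleeps and
# resumes; no userland process has to notice the tunnel dropping.
install_killswitch() {
  command -v nft >/dev/null 2>&1 || { echo "nft not found" >&2; return 1; }
  nft delete table inet killswitch 2>/dev/null
  killswitch_rules | nft -f -
}

# Sanity check to run after resume or an interface change: the table must
# still be present, otherwise the physical interface is wide open.
killswitch_present() {
  nft list table inet killswitch >/dev/null 2>&1
}
```

The DHCP rule keeps lease renewal on the physical interface working; without it the ruleset is stricter but the machine can lose its address while the tunnel is down.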
Read the deep dive for the full mechanism.
What the kill switch doesn't fix
A kill switch closes the gap during tunnel transitions. It doesn't:
- Protect against compromised endpoints. Malware on your laptop sees traffic before the kernel does.
- Stop DNS leaks by itself — that's a separate layer (NRPT on Windows, force-DNS-through-tunnel in protocol config).
- Prevent WebRTC leaks. WebRTC operates above the network layer; the browser knows your real IP regardless of what the network sees.
These need separate fixes. Don't trust a VPN that rolls them all together under "kill switch protection."
How Fexyn handles it
Kernel-level via WFP. Fires before handshake. Survives crashes. Default-on, no toggle to forget. Allows loopback so local dev servers keep working. Read more in the support page or test it on the public Wi-Fi use case where it matters most.
Try Fexyn free for 7 days — the kill switch is on by default.
Windows app available now in Beta. WireGuard, VLESS Reality, and OpenVPN with no browsing-history, DNS-query, or traffic-content logs.