VPN Kill Switch Test
Test whether your VPN's kill switch actually works: press Start with your VPN connected, then disconnect it mid-run. The monitor below checks your public IP every 2 seconds — if requests keep succeeding and a new IP appears, your kill switch failed; if requests are blocked until you reconnect, it's doing its job.
VPN kill switch monitor
Connect your VPN, then press Start
Start with your VPN on
Press Start while connected. The first IP logged is your baseline — your VPN server's address.
Disconnect the VPN mid-run
Hit disconnect in your VPN app (or force-quit it) while the monitor keeps polling every 2 seconds.
Watch what leaks
Blocked requests = kill switch working. A new IP appearing while requests still succeed = your real address leaked.
Ready to test your kill switch
The monitor requests your public IP every 2 seconds and timestamps each result. Nothing is stored — the log below lives only in your browser tab. Follow the three steps above, and give the run at least 30–60 seconds so the disconnect happens mid-monitoring.
Checks
0
Blocked
0
Exposures
0
Baseline IP
—
Live request log
newest first · one row every 2sPress Start to begin logging your public IP every 2 seconds.
What a Kill Switch Is — and the Gap It Closes
A VPN kill switch is a safety mechanism that blocks all internet traffic the moment your VPN connection drops. Without one, your device does something you never see: it silently falls back to the raw, unprotected connection and keeps transmitting. Every app with an open connection — your browser, your torrent client, your sync tools — carries on as if nothing happened, except now every packet carries your real IP address and your DNS queries go straight to your ISP.
VPN tunnels drop for completely ordinary reasons: your laptop wakes from sleep, your phone hops from WiFi to cellular, the WiFi signal dips for a few seconds, the VPN server undergoes maintenance, or a hotel network aggressively filters traffic. Each drop opens a gap that lasts anywhere from a couple of seconds to several minutes. The kill switch's entire job is to make sure that during that gap, nothing leaves your device outside the encrypted tunnel.
The problem is that a kill switch is a failure-mode feature: you only find out whether it works at the exact moment you need it. Most people enable the toggle, see nothing change, and assume they're covered. The tool above exists so you can trigger the failure deliberately — under controlled conditions, watching in real time — instead of discovering the answer during a real drop you never noticed.
How This Test Works
The monitor sends a request to our own IP endpoint every 2 seconds and timestamps the answer. The first successful response becomes your baseline — with your VPN connected, that should be your VPN server's address (you can confirm with our What Is My IP tool). When you disconnect the VPN mid-run, exactly one of two things happens, and the log makes it impossible to miss:
| Row in the log | What actually happened | Meaning |
|---|---|---|
| IP unchanged | The same address answered as before | Tunnel is up (or was never connected) |
| Blocked (good) | The request failed or timed out | The kill switch is blocking traffic — this is a pass |
| New IP after block | The address changed right after blocked rows | Verify it — usually your VPN reconnecting to a new server, but confirm the IP belongs to your VPN and not to you |
| New IP exposed | The address changed while requests kept succeeding | Traffic flowed outside the tunnel — the kill switch failed |
The distinction in the last two rows is the heart of the test. A working kill switch produces a clean sequence: same IP, same IP, blocked, blocked, blocked, then (after you reconnect) a new or identical VPN address. A failed kill switch produces the dangerous sequence: same IP, same IP, then a different IP with no blocked rows in between — meaning your device kept talking to the internet over the raw connection, and whatever address appeared is what every website, tracker, and peer saw. That row is highlighted in red because if the exposed address matches your real one, the VPN's core promise was broken.
Everything runs in your browser tab: we don't store the log, and stopping the monitor (or the 3-minute auto-stop) ends the polling entirely. Because requests time out after just under 2 seconds, even a "hanging" network state registers as blocked rather than freezing the test.
App-Level vs System-Level Kill Switches
Not all kill switches are built the same way, and the difference explains most real-world failures. There are two fundamental designs:
| Property | App-level ("soft") | System-level ("hard") |
|---|---|---|
| Enforced by | The VPN application itself | The OS firewall / network stack |
| How it works | Watches the tunnel; cuts traffic when it detects a drop | Only permits traffic through the VPN interface, period |
| Survives an app crash? | No — if the app dies, nothing enforces the block | Yes — the rule lives in the OS, not the app |
| Reaction time | Milliseconds to a few seconds (detection lag) | Instant — non-tunnel routes never exist |
| Typical use | Default mode in most VPN apps | "Advanced", "permanent", or "always-on" modes |
An app-level kill switch is a watchdog: the VPN app monitors its own tunnel and shuts off traffic when the tunnel fails. It handles the common case — a dropped server connection — well, but it depends on the app itself running correctly. If the app crashes or gets killed by the OS, the watchdog dies with it.
A system-level kill switch inverts the logic: instead of reacting to failures, it configures the operating system so traffic is only ever allowed through the VPN interface. If the tunnel disappears — or the VPN app itself crashes — there is simply no route for packets to take. Mobile platforms ship their own version of this: on Android, the OS-native "Block connections without VPN" setting, and on iOS, always-on VPN behavior via Connect On Demand. This test exercises both designs the same way — from the outside, all that matters is whether traffic escaped.
If you want to stress the difference yourself: run the test once using your VPN app's disconnect button (the easy case — almost any kill switch catches a graceful disconnect), then run it again force-quitting the VPN app entirely. Only a system-level enforcement reliably passes the second run.
Kill Switch Support Across the 8 VPNs We Test
All eight VPNs in our rankings ship a kill switch on desktop — it's table stakes for any provider we'd recommend. Mobile support varies between app-level toggles and reliance on the OS-native enforcement described above, which is part of what we verify in our testing methodology. Here's where each provider stands, with notes from our reviews:
| VPN | Kill switch | Notes from our review |
|---|---|---|
| ExpressVPN | Yes | Branded "Network Lock" — blocks all internet traffic if the connection drops, with IPv6 and WebRTC leak protection built in across all apps |
| NordVPN | Yes | Kill switch plus a no-logs policy and Panama jurisdiction — the combination we highlight for P2P privacy |
| Surfshark | Yes | Part of a security suite that punches above its price point, alongside a strict no-logs policy and RAM-only servers |
| CyberGhost | Yes | Kill switch plus automatic WiFi protection that activates the VPN on untrusted networks before you forget to |
| PIA | Yes | Fully open-source apps — the kill switch implementation is publicly inspectable, backing a no-logs policy proven in court twice |
| IPVanish | Yes | Immediately blocks all internet traffic on a drop; runs its own DNS servers so queries don't leak to your ISP |
| TotalVPN | Yes | Included on the main apps and cuts your internet if the connection fails; no published independent audit yet, so verify with this test |
| Proton VPN | Yes | Open-source apps independently audited by Securitum — the kill switch code is verifiable, not a marketing claim |
Two practical notes. First, a kill switch existing is not the same as a kill switch being enabled — several apps ship with the toggle off by default, so check your settings before assuming you're protected. Second, whatever any provider claims, the test above is provider-agnostic: it observes actual traffic behavior from outside the app, which is exactly how a leak would manifest in the real world. Trust the log over the marketing page — including ours.
How to Run a More Rigorous Test
The basic run — start, disconnect via the app, watch — covers the most common failure. But real-world drops don't politely use the disconnect button. If you rely on your VPN for anything serious (torrenting, restrictive networks, sensitive work), repeat the test under these harsher conditions:
- Force-quit the VPN app instead of disconnecting gracefully. This is the scenario that separates app-level from system-level kill switches: if traffic keeps flowing with your real IP after the app dies, only an OS-enforced mode will save you.
- Toggle your network interface. Turn WiFi off for ten seconds and back on while the monitor runs. Many leaks happen during network transitions, when the tunnel is re-established a beat after the raw connection comes up.
- Sleep and wake your laptop mid-run. Waking from sleep is the single most common silent-drop moment for desktop VPN users — the OS restores connectivity before the VPN app finishes reconnecting.
- Switch VPN protocols between runs (for example WireGuard vs OpenVPN in your app's settings). Kill-switch behavior can differ per protocol because each uses a different tunnel interface.
- Check split tunneling. If you use split tunneling, make sure your browser is routed through the VPN — otherwise this test measures your raw connection by design and every run will look like a failure.
One repetition matters more than all of these: run the full scenario at least twice. Kill-switch failures are often intermittent — a race between the drop detection and the first escaping packets — and a single clean pass doesn't prove the race can't be lost. Two or three consistent passes under force-quit conditions is a result you can actually rely on.
What to Do If Your Kill Switch Failed
A red "New IP exposed" row means traffic left your device outside the tunnel. Work through these steps in order:
- Confirm the kill switch is actually enabled. Open your VPN app's settings and find the kill switch toggle. This fixes the majority of "failures" — the feature was never on.
- Switch to the strictest mode available. If your app offers levels (often named "advanced", "permanent", or "always-on"), pick the system-level option, then re-run the test.
- On Android, enable the OS enforcement. Settings → Network & internet → VPN → your app → turn on "Always-on VPN" and "Block connections without VPN". This works regardless of what the app itself does.
- Disable split tunneling (or verify its rules) — an exclusion rule for your browser looks identical to a kill-switch failure in this test.
- Re-test after every change — one variable at a time, so you know which setting fixed it.
- If it still leaks, change providers. A kill switch that fails a controlled test will fail an uncontrolled drop. Our best VPNs for privacy ranking weighs exactly this kind of failure-mode behavior, and every provider on it offers a 30-day money-back guarantee — so you can run this same test risk-free before committing.
And once your kill switch passes, finish the job: run our WebRTC leak test and the combined Is My VPN Working? check. A kill switch guards the drop; WebRTC and DNS leaks can expose you while the tunnel is up and healthy.
Kill Switch Questions, Answered
Is it safe to run this test? My real IP appears when the VPN is off.
Yes. Disconnecting your VPN for a few seconds exposes your IP to the sites you're actively connected to — the same exposure as browsing without a VPN, which is most people's default state. If your threat model makes even seconds of exposure unacceptable, close every other app and tab first, run the test on a network you trust, and treat a pass as the requirement before doing anything sensitive.
The log shows "New IP after block" — did I fail?
Usually not — blocked rows followed by a different address is most often the kill switch holding traffic while the tunnel was down, and your VPN then reconnecting to a different server, hence the new IP. But a VPN dropping without a working kill switch can also produce a couple of timed-out polls before your real address surfaces, which looks identical in the log. That's why the monitor flags this pattern amber instead of green: confirm the new IP belongs to your VPN (check the app, or look the address up) before calling it a pass. The unambiguous failure signature is a new IP appearing with no blocked rows before it.
My internet stayed blocked after the test. Is something broken?
That's the kill switch continuing to do its job: it blocks all traffic until the tunnel is re-established. Reconnect your VPN and connectivity returns. If you need the internet without the VPN, disable the kill switch first — deliberately, knowing you're unprotected.
Every check says "IP unchanged" even after I disconnected. Why?
Three common causes: the baseline was your real IP because the VPN was never connected when you pressed Start (verify with the baseline tile); your VPN app auto-reconnected faster than the 2-second polling could catch; or a browser extension VPN is routing this tab while you disconnected a different app. Check the baseline address, then try again force-quitting the VPN instead of toggling it.
Does a kill switch slow down my connection?
No. A kill switch is a firewall or routing rule, not traffic processing — while the tunnel is up it does nothing at all, and it has zero impact on throughput or latency. There is no performance reason to leave it off; see our speed test data for what actually affects VPN performance.
Should I keep the kill switch on all the time?
If you use a VPN for privacy rather than only streaming convenience, yes. The cost is occasional blocked connectivity during reconnects; the benefit is that your protection can't silently fail. For torrenting or use on restrictive networks it's non-negotiable — a single leaked IP defeats the entire purpose.
Can I test my kill switch on a phone?
Yes — this page works the same in a mobile browser. Start the monitor, switch to your VPN app, disconnect, and switch back to watch the log (keep the browser in the foreground on iOS, which pauses background tabs aggressively). On Android, also test with "Block connections without VPN" enabled — the OS-enforced block is stronger than most in-app toggles.
Kill Switch Failed the Test?
A kill switch that leaks under pressure defeats the point of paying for a VPN. Every provider we rank ships a kill switch, and we verify leak protection as part of our testing — see the VPNs that actually held the line.
See Our Top-Rated VPNs8 VPNs benchmarked on real hardware — see how we test.
More Free Tools
Every tool on vpnrank.io is free, runs instantly, and never requires an account.
What Is My IP
See the IP address websites see
WebRTC Leak Test
Check if your browser leaks your real IP
Is My VPN Working?
One-click check that your VPN actually protects you
IP Address Lookup
Look up any IP's location, ISP, and hostname
Password Generator
Create strong random passwords locally
Password Strength Checker
Test how fast a password would crack
Password Leak Checker
Check if a password appears in known breaches