What Is a VPN Kill Switch and Why Does It Matter?
A VPN kill switch blocks all internet traffic if your VPN drops, preventing accidental IP exposure. Learn how app-level and system-level kill switches work, how WireGuard handles reconnection, and how Nexun keeps you protected.

What happens when your VPN disconnects
VPN connections can drop for many reasons: a flaky Wi-Fi signal, a server restart, a device waking from sleep, or a network change when you move between mobile data and Wi-Fi. When a VPN drops without protection, your device immediately falls back to its default routing -- sending traffic directly through your ISP with your real IP address exposed. This can happen in seconds, often without any visible notification, and any data sent during that window reveals your real identity and location.
What a kill switch does
A kill switch monitors the VPN connection and blocks all network traffic the instant the tunnel goes down. It acts as a failsafe: rather than letting traffic leak through your real connection, it cuts internet access entirely until the VPN reconnects or you manually restore it. For most users this means a brief interruption that is far preferable to an unnoticed IP leak. For journalists, activists, or anyone in a sensitive situation, it can be the difference between safety and exposure.
App-level vs system-level kill switches
An app-level kill switch blocks traffic only from the VPN application itself and from the specific apps you configure. If the VPN client crashes entirely rather than disconnecting cleanly, some traffic may still escape through other processes. A system-level kill switch operates at the firewall or routing layer of your operating system -- it blocks all outbound connections that are not going through the VPN tunnel, regardless of which app is sending them. System-level kill switches are significantly more reliable and are the recommended choice for privacy-critical use.
How WireGuard handles dropped connections
WireGuard is stateless by design: it does not maintain a persistent connection in the same way as OpenVPN or IKEv2. Instead, it sends keepalive packets at configurable intervals and re-establishes the tunnel automatically when traffic needs to flow. This makes WireGuard more resilient to brief network interruptions -- it reconnects faster and with less overhead than older protocols. However, WireGuard alone does not implement a kill switch. The kill switch must be added at the OS or application layer, which is what Nexun's client does.
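On Linux, a system-level kill switch of the kind described above can be written as an nftables output policy that drops everything except the tunnel interface and the encrypted UDP traffic to the WireGuard endpoint. The script below is an added example, not Nexun's code and not part of the original article; the interface name wg0, the endpoint 203.0.113.10:51820 and the LAN subnet 192.168.1.0/24 are assumed sample values.

```shell
#!/bin/sh
# Added example: render an nftables ruleset that acts as a system-level
# kill switch for a WireGuard tunnel. All argument values are assumptions.
# usage: render_killswitch IFACE ENDPOINT_IPV4 ENDPOINT_PORT [LAN_CIDR]
render_killswitch() {
    wg_if=$1; endpoint_ip=$2; endpoint_port=$3; lan_cidr=${4:-}

    # Refuse anything that could inject extra nft statements.
    case $wg_if in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
    case $endpoint_ip in ''|*[!0-9.]*) echo "bad endpoint IPv4" >&2; return 1 ;; esac
    case $endpoint_port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    case $lan_cidr in *[!0-9./]*) echo "bad LAN CIDR" >&2; return 1 ;; esac

    # "inet" covers IPv4 and IPv6, so IPv6 cannot leak around the tunnel.
    # oifname matches by name, so the rules load and keep dropping even
    # while the WireGuard interface does not exist.
    cat <<EOF
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$wg_if" accept
        ip daddr $endpoint_ip udp dport $endpoint_port accept
EOF
    # Optional split-tunnel exception for the local subnet (printer, NAS).
    if [ -n "$lan_cidr" ]; then
        printf '        ip daddr %s accept\n' "$lan_cidr"
    fi
    printf '    }\n}\n'
}

# Print the ruleset when called with arguments, e.g.
#   sh killswitch.sh wg0 203.0.113.10 51820 192.168.1.0/24 | nft -c -f -
# (-c only checks the ruleset; drop it to load the rules as root)
if [ $# -ge 3 ]; then
    render_killswitch "$@"
fi
```

The endpoint is given as an IP address because, with this policy loaded, DNS lookups that would leave through the physical interface are dropped along with everything else.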
Nexun's always-on protection
Nexun implements a system-level kill switch that is enabled by default. When the VPN tunnel is active, all traffic is routed through the encrypted WireGuard interface. If the connection drops for any reason, the firewall rules immediately block all internet traffic -- no packets leave through your real network interface until the tunnel is restored. On mobile, Nexun uses the platform's Always-On VPN mode where available, which ensures the OS itself enforces that no traffic bypasses the VPN, even across app restarts or device reboots.
When to use and when to pause the kill switch
The kill switch is the right default for most users. The only situation where you might want to pause it is if you deliberately need to access local network resources -- a printer, a NAS, or a home router admin panel -- that are not reachable through the VPN tunnel. Nexun's split tunneling feature handles most of these cases without needing to disable the kill switch entirely. If you are in a situation where privacy matters most, always leave the kill switch enabled.
FAQ
Does the kill switch slow down my connection?
No. The kill switch is a passive firewall rule -- it does not inspect or process traffic during normal operation. It only activates when the VPN connection drops, and its only function at that point is to block traffic. When the VPN is connected and working normally, the kill switch has no measurable impact on speed or latency.
What if I want to access my local network while using Nexun?
Nexun's split tunneling feature lets you route specific apps or IP ranges outside the VPN tunnel while keeping everything else protected. For example, you can configure your local network subnet to bypass the tunnel so you can print or access a NAS, while all other traffic stays encrypted through Nexun. This avoids needing to disable the kill switch.
Does Nexun's kill switch work on mobile?
Yes. On Android, Nexun uses the built-in Always-On VPN setting, which tells the operating system to block all traffic that does not go through the VPN -- even if the app is restarted or the device reboots. On iOS, Nexun uses the on-demand VPN configuration to reconnect automatically and minimize exposure windows. Both platforms provide strong protection against accidental IP leaks on mobile networks.