VPN Kill Switch & Split Tunneling Explained

Understand how kill switches prevent data leaks when your VPN drops and how split tunneling lets you route only selected traffic through the VPN.

What Is a VPN Kill Switch?

A kill switch is a safety mechanism that blocks all traffic outside the VPN tunnel the moment the tunnel drops unexpectedly. Without it, the operating system silently falls back to its default route over the unencrypted ISP connection, exposing your real IP address and your traffic to every party on that path, usually with no visible sign that anything changed.

Kill switches operate at two levels:

  • Application-level — Only blocks traffic from specific apps (e.g., your browser) when the VPN disconnects. Everything else on the device, including system services, update agents and any app you forgot to list, keeps talking over the plain connection.
  • System-level — Blocks all network traffic on the device until the VPN reconnects. This is the more secure option: it needs no per-app list and also catches traffic you never configured.

How Kill Switches Work

Most VPN kill switches are firewall rules rather than routing changes: the rules are installed before the tunnel comes up, stay in place while it is down, and only let through packets that either travel inside the tunnel interface or are the encrypted tunnel packets themselves on their way to the VPN server.

# Simplified Linux iptables kill switch concept (run as root; IPv4 and IPv6 are separate tables)
# VPN_SERVER_IP, eth0, tun0 and 1194/udp (OpenVPN's default port) are placeholders for your own values
iptables -P OUTPUT DROP                                                      # default policy: nothing leaves the host
iptables -A OUTPUT -o lo -j ACCEPT                                           # keep loopback working
iptables -A OUTPUT -o tun0 -j ACCEPT                                         # anything inside the tunnel is fine
iptables -A OUTPUT -o eth0 -p udp -d VPN_SERVER_IP --dport 1194 -j ACCEPT    # the tunnel itself, so it can (re)connect
ip6tables -P OUTPUT DROP                                                     # no IPv6 tunnel here, so block IPv6 outright

The blocking is done by the default policy rather than by a DROP rule that names eth0: a rule tied to one interface leaves Wi-Fi, USB tethering or any interface added later wide open, and IPv6 needs its own rules because iptables only sees IPv4. If the client connects to the server by hostname rather than IP, it also needs a way to resolve that name while the tunnel is down, so either pin the server IP in the client configuration or allow DNS to one resolver you trust.

On Windows and macOS, VPN clients do the same through the system packet filter (the Windows Filtering Platform on Windows, pf on macOS) or by manipulating the routing table. A routing-only kill switch is the weaker of the two: when the tunnel interface disappears, for example because the client process crashed, the kernel removes the routes that pointed into it and the original default route is back in effect.

What Is Split Tunneling?

Split tunneling allows you to choose which traffic goes through the VPN and which uses your regular connection. This is useful when you want to:

  • Access local network devices (printers, NAS) while connected to a VPN.
  • Stream region-locked content through the VPN while keeping low-latency gaming on the direct connection.
  • Reduce VPN bandwidth usage by only routing sensitive traffic.

Types of Split Tunneling

Type           Description
App-based      Route specific applications through the VPN (e.g., browser yes, Spotify no)
URL/IP-based   Route traffic to specific destinations (domains or IP ranges) through the VPN
Inverse split  Route everything through the VPN except specified apps/sites

Security Considerations

Split tunneling introduces a trade-off between convenience and security:

  • Traffic outside the tunnel is not encrypted by the VPN, and the kill switch does not cover it either: when the tunnel drops, that traffic carries on exactly as before, so only the selected traffic is ever protected.
  • DNS requests may leak if the non-VPN connection uses your ISP's DNS resolver. Because most systems have one shared resolver for every application, a split-tunneled app can expose the hostnames that the VPN-routed apps are looking up as well, unless the client also splits DNS per app.
  • On untrusted networks (public Wi-Fi), always use full tunnel mode. A local-network exception that is convenient at home also means every other device on the coffee-shop network can reach you directly.

Recommendations

  • Always enable the kill switch. Its only cost is that the device is offline whenever the tunnel is down, which is exactly the behaviour a privacy-focused user wants; make sure the rules cover every interface and IPv6, not just the interface you happened to test on.
  • Use split tunneling selectively, only on trusted networks where you actually need local access, and prefer inverse split (everything through the VPN except a short list) so that new applications are protected by default.
  • Test your setup. With the kill switch on, disconnect the VPN manually or kill the client process and verify that nothing leaves: a tool like IPFYI's IP checker should be unreachable, not showing your real address. Check DNS and IPv6 separately, since a client can protect IPv4 perfectly and still leak on both.
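The route and DNS checks that the last item and the Security Considerations above describe, written out as an added example; this is not code from the article or from any VPN client. It reads the text of `ip route show`, `ip -6 route show` and /etc/resolv.conf, resolves a public IPv4 probe, a public IPv6 probe and every configured resolver with the same longest-prefix rule the kernel applies to the main routing table, and reports anything that would leave the host on an interface other than the tunnel. The two snapshots below are constructed (a host with OpenVPN up, then the same host after the tunnel dropped with no kill switch), the probe addresses are RFC documentation addresses standing in for "any public host", and `tun0` is assumed to be the tunnel interface. It models only the main table (wg-quick's fwmark policy routing is not covered) and reports what the routes say, not what the firewall does, so run it alongside the live test rather than instead of it.

```python
"""Offline VPN leak check over routing-table and resolver snapshots.

Added example for this article, not code from the article or from any VPN
client. Feed it the text of `ip route show`, `ip -6 route show` and
/etc/resolv.conf taken while the VPN is up, and again after you drop it.
Only the main routing table is modelled (wg-quick's fwmark policy routing
is not), and it reports what the routes say, not what the firewall does.
"""
import ipaddress

# RFC 5737 / RFC 3849 documentation addresses: stand-ins for "any public host".
PROBE_V4 = "198.51.100.1"
PROBE_V6 = "2001:db8::1"


def parse_routes(ip_route_output, family):
    """Turn `ip [-6] route show` lines into (network, device, metric) triples.
    family is 4 or 6 so that a bare 'default' gets the right all-zero prefix."""
    routes = []
    for line in ip_route_output.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:      # blanks, 'unreachable', 'blackhole'
            continue
        dst = parts[0]
        if dst == "default":
            dst = "0.0.0.0/0" if family == 4 else "::/0"
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append((ipaddress.ip_network(dst), parts[parts.index("dev") + 1], metric))
    return routes


def lookup(routes, address):
    """Longest-prefix match, ties broken by lower metric: the device the kernel
    would send this destination out of. None means there is no route at all."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, dev, metric in routes:
        if net.version == addr.version and addr in net:
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, dev)
    return best[1] if best else None


def parse_resolvers(resolv_conf):
    """Nameserver addresses from resolv.conf; comments and options are ignored."""
    return [line.split()[1] for line in resolv_conf.splitlines()
            if line.split()[:1] == ["nameserver"] and len(line.split()) > 1]


def check_leaks(v4_routes, v6_routes, resolv_conf, vpn_if):
    """Return a list of findings; an empty list means every probe and every
    resolver would leave through vpn_if (or could not leave at all)."""
    routes = parse_routes(v4_routes, 4) + parse_routes(v6_routes, 6)
    findings = []
    for label, probe in (("IPv4", PROBE_V4), ("IPv6", PROBE_V6)):
        dev = lookup(routes, probe)
        # No route at all is not a leak: the packet has nowhere to go.
        if dev is not None and dev != vpn_if:
            findings.append(f"LEAK: {label} traffic to {probe} leaves via {dev}, not {vpn_if}")
    for ns in parse_resolvers(resolv_conf):
        if ipaddress.ip_address(ns).is_loopback:
            # systemd-resolved / dnsmasq stub: what matters is its upstream.
            findings.append(f"CHECK: {ns} is a local stub resolver; inspect its upstream (resolvectl status)")
            continue
        dev = lookup(routes, ns)
        if dev is not None and dev != vpn_if:
            findings.append(f"LEAK: DNS queries to {ns} leave via {dev}, not {vpn_if}")
    return findings


# Constructed snapshots (not captured from a real host). OpenVPN's redirect-gateway
# installs the two /1 routes instead of replacing 'default'; the /32 to the VPN
# server must stay on eth0 so the encrypted tunnel packets can reach it.
UP_V4 = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
"""
UP_V6 = "fe80::/64 dev eth0 proto kernel metric 256 pref medium\n"
UP_RESOLV = "nameserver 10.8.0.1\n"

# Same host after the tunnel dropped with no kill switch: the tun0 routes are
# gone, the ISP's IPv6 default route is back, resolv.conf was left half-restored.
DOWN_V4 = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
"""
DOWN_V6 = """\
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium
"""
DOWN_RESOLV = "# stale entry pushed by the VPN server\nnameserver 10.8.0.1\nnameserver 192.168.1.1\n"

if __name__ == "__main__":
    for name, v4, v6, rc in (("tunnel up", UP_V4, UP_V6, UP_RESOLV),
                             ("tunnel dropped", DOWN_V4, DOWN_V6, DOWN_RESOLV)):
        print(f"{name}: {check_leaks(v4, v6, rc, 'tun0') or ['no leaks']}")
```

Against the "tunnel up" snapshot the check is clean, because the two /1 routes out-rank the ISP default route for every public destination and the pushed resolver 10.8.0.1 sits inside the tunnel subnet. Against the "tunnel dropped" snapshot it reports four leaks: both probes and both resolvers now leave on eth0, including the stale VPN resolver, whose queries would travel unencrypted to the ISP path once the route into tun0 is gone. To use it on a real host, paste the three command outputs in place of the constructed strings; a loopback resolver such as 127.0.0.53 is flagged for manual inspection rather than judged, since only its upstream tells you where the queries go.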

See also