
Your VPN Kill Switch Won’t Stop All Leaks

Mosaic of Wireshark traces showing various VPNs leaking during a reboot.
Various VPNs during our kill switch robustness reboot test.

Online virtual private networks (VPNs) are often used to hide internet traffic, especially for downloading torrents. The goal is that the VPN provider doesn't retain or log any information that can be linked to you, so if they're forced to comply with legal orders, they can't provide anything that can be traced back to you. Internet service providers (ISPs), on the other hand, keep logs and may forward your contact information to those who seek legal avenues against you.

Diagram showing how you get exposed while downloading torrents.
How you get exposed while downloading torrent without a VPN.

Therefore, you place your trust in your VPN provider that no unencrypted information leaks outside of the tunnel. Failure to do so means your ISP or other middlemen can associate your traffic to your address. VPNs generally do a good job at this, and most don't leak data while connected.

Diagram showing how you get exposed while downloading torrents but how vpn makes the process more difficult
How VPNs add protection by making legal discovery difficult.

Many VPNs advertise a kill switch that blocks all unencrypted system traffic if the VPN disconnects, such as when your internet drops, your computer restarts, or the VPN client crashes. However, it may not always be called a "kill switch"; some providers call it firewall mode or lockdown mode, for example.

Reddit feedback about NordVPN’s kill switch failing
Reddit feedback about NordVPN’s kill switch failing and emphasis that VPN kill switches should not be relied on (Source: Reddit).

In our testing, we've found that kill switches almost always fail at doing the task they're designed for. While you can take steps to mitigate the shortcomings of a kill switch, they're either inconvenient or require a more advanced networking infrastructure. Thus, for the general VPN user, the reliability of the kill switch is of utmost importance.

We subscribed to and tested 20 popular VPN services to evaluate their performance, including the robustness of their kill switch features. In the end, we found one that didn't leak: Perfect Privacy.

Test results

Almost All VPNs Leak Unencrypted Traffic During a Loss of Connection

We conduct multiple tests to monitor for leaks. The simplest one looks at the network traffic while the VPN is connected. This is the most basic responsibility of VPNs, and thankfully, our results show they're largely successful. Still, four VPNs leak in this scenario, mostly because we took a cautious stance on what we consider a leak.

Table listing VPNs leaking under normally connected conditions.
VPNs leaking under normal connected conditions (table).

For the kill switch robustness, we force a loss of connection by either ending the software task, disconnecting and reconnecting the internet cable, or rebooting the computer. The latter is the tougher challenge for most VPNs. The results are interesting, as we frequently found full-blown leaks outside the VPN tunnel.

Table showing VPN Kill Switches leaking.
Tested VPN kill switches leaking (table).

Our methodology

We test for VPN kill switch leaks using a straightforward setup. We run the VPN on a Windows 11 computer, which is plugged into a network switch. The switch is configured to mirror all traffic from that port to another port which goes into a Linux computer. That computer runs Wireshark and monitors all the traffic, effectively capturing everything from the Windows computer.

What we consider a leak

We consider any traffic outside the tunnel a leak, even if it appears to be part of the protocol handling of the VPN. Since other VPNs manage to function without these calls outside the tunnel, it's reasonable to expect total encapsulation. Also, any unencrypted traffic that leaks can reveal information that could be collected, sold, and used for marketing purposes, such as targeted ads. If our Linux computer is able to identify where some of your traffic goes, then your router and ISP can see it as well.
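The rule just stated (everything that is not the encrypted exchange with the VPN server counts as a leak) can be checked mechanically against a capture. The script below is an added example and is not the tooling used for the article's tests: it takes packet summaries from the mirror-port capture in a simplified "src dst proto dport info" layout (the kind of columns a tshark export gives you), treats UDP traffic to the pinned VPN endpoint as the tunnel, and labels everything else the client sends as a leak, with DNS called out separately because it is the most common case the article describes. The endpoint 203.0.113.10:51820, the client address 192.168.1.50, the router resolver 192.168.1.1, the host 198.51.100.23 (a stand-in for a Microsoft server) and the sample lines themselves are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not the article's own tooling): apply the article's strict leak
# definition to a capture. Any packet our client sends that is not part of the
# encrypted exchange with the single VPN endpoint is reported as a leak.

VPN_SERVER="203.0.113.10"   # assumption: the one VPN endpoint (TEST-NET-3 placeholder)
VPN_PORT="51820"            # assumption: its WireGuard UDP port
CLIENT="192.168.1.50"       # assumption: LAN address of the machine under test

# Constructed sample capture: "src dst proto dport info", one packet per line.
# 198.51.100.23 stands in for a Microsoft host; 1.1.1.1 is Cloudflare's resolver.
SAMPLE_CAPTURE='192.168.1.50 203.0.113.10 udp 51820 WireGuard handshake initiation
203.0.113.10 192.168.1.50 udp 40412 WireGuard handshake response
192.168.1.50 192.168.1.1 udp 53 Standard query A api.example-vpn.test
192.168.1.50 1.1.1.1 udp 53 Standard query A api.totallycnd.com
192.168.1.50 198.51.100.23 tcp 443 Client Hello
192.168.1.50 203.0.113.10 udp 51820 WireGuard transport data'

# classify_leaks: read capture lines on stdin, print one line per leak:
#   LABEL src -> dst proto/dport info
classify_leaks() {
    awk -v vpn="$VPN_SERVER" -v port="$VPN_PORT" -v client="$CLIENT" '
    {
        src = $1; dst = $2; proto = $3; dport = $4
        # The tunnel itself: UDP to the pinned endpoint on its port, or replies from it.
        if (proto == "udp" && ((dst == vpn && dport == port) || src == vpn)) next
        # Everything else leaving the client travels outside the tunnel.
        if (src == client) {
            label = (dport == 53) ? "DNS-LEAK" : "LEAK"
            info = ""
            for (i = 5; i <= NF; i++) info = info (i > 5 ? " " : "") $i
            printf "%s %s -> %s %s/%s %s\n", label, src, dst, proto, dport, info
        }
    }'
}

# leak_count / dns_leak_count: totals over the sample capture.
leak_count()     { printf '%s\n' "$SAMPLE_CAPTURE" | classify_leaks | wc -l | tr -d ' '; }
dns_leak_count() { printf '%s\n' "$SAMPLE_CAPTURE" | classify_leaks | grep -c '^DNS-LEAK'; }

# leak_destinations: the addresses a router or ISP would see the client reaching.
leak_destinations() {
    printf '%s\n' "$SAMPLE_CAPTURE" | classify_leaks | awk '{ print $4 }' | LC_ALL=C sort -u
}

# Run stand-alone: print the leak report for the sample.
printf '%s\n' "$SAMPLE_CAPTURE" | classify_leaks
```

On the constructed sample this reports three leaks (two DNS queries and one TLS connection) and three destinations outside the tunnel, which is exactly the information the article says a middlebox can collect even when the payload is encrypted. To use it on a real capture, replace the sample with a tshark export of the mirrored port reduced to the same five columns and set the three placeholders to your own endpoint and client address.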

A common leak is a DNS request to the API server of the VPN service. Of the four VPNs that leak under normal conditions, both Norton VPN and ExpressVPN only leaked to themselves. While these are relatively benign examples, they still reveal patterns about you. For example, a third party can conclude that you use Norton VPN because they monitor frequent calls to avast.com. Avast belongs to Gen Digital, Norton's parent company.

Wireshark trace of Norton VPN leaking DNS queries to their servers while connected.
Norton VPN leaking DNS queries to their servers while connected.

Norton VPN leaks to its own servers. We know this because we monitored DNS queries from our system to our ISP's DNS, something they could log. The DNS query shows that we are trying to find an IP address belonging to the Avast network.

Wireshark trace of ExpressVPN leaking DNS queries to their servers while connected.
ExpressVPN leaking DNS queries to their servers while connected.

In ExpressVPN's case, we saw a DNS query sent to a server that was most likely their own, which is expected. However, the request was not in the tunnel, so your ISP or other third parties would be able to inspect the packet and see that you're trying to connect to ExpressVPN's servers.

IPVanish and Bitdefender VPN, on the other hand, leaked DNS queries to Microsoft. This is more concerning because it demonstrates that the VPNs aren't able to contain traffic within the tunnel. We enabled any available kill switch features that aim to prevent leaks but didn't enable tracker blockers or other ad-blocking features.

Wireshark trace of IPVanish leaking DNS queries for Microsoft domains to our ISP's DNS servers.
IPVanish leaking DNS queries for Microsoft domains to our ISP's DNS servers.
Wireshark trace of Bitdefender VPN leaking DNS queries for Microsoft domains to our router's DNS resolver.
Bitdefender VPN leaking DNS queries for Microsoft domains to our router's DNS resolver.

Our strict testing criteria mean that we consider any DNS query outside the tunnel a leak. We don't capture the initial connection, so if the VPN needs to make an initial DNS query to connect, that won't fail our tests. Our kill switch tests do capture the reconnection, however, so if a VPN makes a non-tunneled DNS call to reconnect, we consider it a leak. It would be better for VPNs to cache the server IP until the tunnel is reestablished so that they don't need to query their API servers on the open Internet every time they reconnect.

This seems strict, but because anyone between your device and the VPN server can inspect packets, they can see which addresses you're trying to reach and when. Interested parties can then use that information to reveal habits about your online activities. The example below shows a DNS query made to Cloudflare's DNS servers to resolve the address for api.totallycnd.com. This is almost certainly necessary for Windscribe Free to fetch the list of available servers and to verify if you've exceeded the monthly bandwidth limit. The paid version makes similar DNS queries to ensure the account is valid. Even if this is a necessary step to reconnect, interested parties can see that you're trying to reach out to "Totally a CDN."

Wireshark trace of Windscribe Free reconnection example, leaking information but only about itself.
Windscribe Free reconnection example, leaking information but only about itself.

On the subject of lighthearted server names, we noticed that Bitdefender VPN opted to have some fun with many of their DNS queries.

Wireshark trace of funny server names used by Bitdefender VPN.
Funny server names used by Bitdefender VPN.

Diving into these queries reveals some interesting information; they all point to the same IP addresses: 104.18.22.107 and 104.18.23.107 (hosted by Cloudflare).

Looking at wlvpn.com, another site that Bitdefender VPN makes calls to, reveals something important. From the wlvpn.com webpage, it sure looks like Bitdefender VPN is buying a white label VPN service from IPVanish, their apparent competitor.

wlvpn.com landing page, stating that it's using the IPVanish/VIPRE network.

In our testing, the two VPNs performed extremely similarly in all performance and security tests. While Bitdefender VPN has fewer features, it doesn't have anything that's not included with IPVanish, supporting the evidence that they're just purchasing the white label service.

Bitdefender and IPVanish comparison of security and performance aspects.

Perfect Privacy is the only VPN that did not leak at all

Most VPN kill switches leak during system reboot. Perfect Privacy was the only service that didn't leak at all in our testing.

Wireshark trace of perfect privacy traffic during a reboot showing no leaks.
Perfect Privacy doesn't leak after a reboot.
PowerShell output of the Windows firewall rules set by Perfect Privacy.
Windows firewall (advfirewall) rules set by the Perfect Privacy kill switch in "Permanent" mode.

Looking at the network traffic captured during a system reboot, we often observed full exchanges between our computer and Microsoft's servers. This occurs because Windows initializes its network interface before the VPN service has a chance to activate. This is concerning because the purpose of the kill switch is to prevent this behavior.

Wireshark trace of Tunnelbear's kill switch failing to block traffic during a reboot.
Communication directly with Microsoft servers after a reboot while Tunnelbear's kill switch is enabled.
Wireshark trace of MEGA VPN's kill switch failing to block traffic during a reboot.
Communication directly with Microsoft servers after a reboot while MEGA VPN's kill switch is enabled.
Wireshark trace of AirVPN's kill switch failing to block traffic during a reboot.
Communication directly with Microsoft servers after a reboot while AirVPN's kill switch is enabled.

While the observed leaks were limited to communications with Microsoft, they reveal a race condition. This means that we can't predict if the VPN will reconnect before your downloads resume. Even if you test and confirm that the VPN reconnects before your downloads, it's risky to assume that behavior won't change in the future. Frequent and automatic software updates mean that a single update could change the startup delay of your VPN and leave you vulnerable to leaks.

Reddit post about the Mullvad kill switch not working as expected.
Reddit feedback about a kill switch failing (Mullvad) and emphasis that VPN kill switches should not be relied on. (Source: Reddit)

We recommend that you don't solely rely on your VPN's kill switch. While you should still enable it, you should also configure your VPN client to launch at startup (even if it doesn't auto-connect) so that its kill switch can turn on as soon as possible. You can also consider using split tunneling to bind your download apps to use the VPN only to minimize the risk of leaks.

Don't Let Your Downloads Automatically Resume at Startup

Unpredictable system startup behavior and the ineffectiveness of VPN kill switches could leave your torrent downloads exposed.

If we exclude the reboot scenario, five VPNs perform as expected and don't leak data:

  • Perfect Privacy
  • Mullvad
  • Proton VPN (Plus and Free)
  • IVPN
  • AirVPN

Table of the VPNs that do not leak in any scenario besides possible leaks on reboot.
VPNs that don't leak in any situation other than a system restart. (Table)

These are the best choices if you want to remain protected in most scenarios. They ensure all traffic remains in the encrypted tunnel, prevent leaks if you lose your connection, and block traffic if the VPN app crashes. Keep in mind that for these to fully protect you, you will have to ensure your downloads don't automatically start at startup.

What You Can Do to Ensure No VPN Leaks

The concept of a basic kill switch is straightforward: it typically involves using firewall rules to block all internet addresses to and from the physical interface (wired or Wi-Fi).

VPNs manage and actively update their server addresses in case they change or go offline. While convenient, this means the VPN requires internet access and leaks your computer's DNS queries or IP address in the process. A properly implemented kill switch shouldn't require an internet connection, as that defeats its core purpose.

If you're willing to occasionally update the IP address of the VPN server you want to connect to by hand, you can make a robust kill switch. It may work with the provider's software client, but a headless setup (connecting from a configuration file rather than the client app) ensures you always connect to the same single server. It's challenging to create your own custom kill switch in Windows. We struggled to achieve this after two days of trying, so if you've managed to do it, let us know in the comments. That said, it's much easier to create one in Linux. There are many examples and guides online on how to do so.

Reddit screenshot of Linux ufw commands to setup your own VPN kill switch.
Linux kill switch rules example we took inspiration from. (Source: Reddit)

We set up IPVanish on Linux (Wireguard), as this was the VPN that leaked the most on Windows. We added the above firewall rules, retested the same reboot scenario and voila—no more leaks. Turn off the VPN and your internet connection is blocked. It's simple and restrictive, but it works.

Wireshark trace of IPVanish during a reboot using manual kill switch configuration under Linux without any leaks.
IPVanish kill switch reboot leak test under Linux with a manual firewall ruleset.

While undoing firewall rules is inconvenient, you could create a Linux virtual machine (VM) exclusively for downloads on your Windows computer, install your VPN with a custom kill switch on it, and have a very effective solution. We don't think there is a single, convenient kill switch that's also secure.

Unfortunately, a robust kill switch configuration likely means forgoing the ability to change servers easily or split tunnels based on apps. That kind of flexibility involves a more complex and dynamic kill switch. While it's figuring out the new rules to apply, it likely needs to make a DNS call, which means internet access without the VPN connected. The software can try to block the other apps, but this is only effective if the VPN software is the first one to run, and our results have shown that Windows is always first by a long shot.

There's No Correlation Between a Good Kill Switch and Privacy

A good kill switch doesn't guarantee privacy. This is a delicate subject, and sadly, we cannot confidently evaluate it with our testing.

Privacy mostly relies on the VPN provider's internal policies and how they handle their infrastructure and your data. If a provider mishandles your data or doesn't have responsible privacy policies, even the most secure and robust VPN client is pointless.

Evaluating data and infrastructure practices would require us to have access to the production environment, the physical hardware, and the software code. That level of access would pose a security risk because it would give us the ability to tamper with the connections. Most of it is beyond our technical knowledge anyway; this is why VPN providers hire specialized auditing firms.

We currently don't validate the content of the encrypted traffic. It should be possible using mitmproxy, but it would require a lot of analysis to decrypt and analyze every packet. It may be something we consider for a one-off investigation and a write-up in the future.

We don't have the information to say whether any of these VPNs send back unnecessary telemetry that is used to sell statistics about customer habits. Some VPNs do have telemetry options turned on by default, but they state it's only used internally.

Screenshot of IPVanish settings page showing the telemetry is enabled by default.
IPVanish has telemetry turned ON by default.

We also found some outdated information for Bitdefender VPN, which means that reading the privacy policy or other legal documents to assess privacy is not a guaranteed way to ensure that they reflect their current practices. The OpenVPN files for Tunnelbear were also so old that the certificate expired during testing.

We wrote an article that covers privacy risks more broadly that we encourage you to read and share with those who are considering a VPN.

Conclusion

Be careful which VPN you choose to hide your activity online, as most don't provide the level of security you'd expect. Even if a VPN doesn't leak your browsing activity directly, many still leak information that can be used to identify you. Also, if your system restarts for any reason, you are left very vulnerable. If you don't want your traffic to leak, put in place your own safeguards and keep it simple, even if it appears redundant.

VPNs are intended to be one part of a layered approach to security, and you shouldn't rely on a single layer to offer complete protection. Instead, look for additional layers of security, like redundant safeguards and separate security measures. One simple but effective method is to move the VPN off your primary computer, as your PC contains sensitive personal information about you.

If you have a more advanced router (such as Unifi, pfSense, OPNsense, OpenWrt, etc.), you can configure your VPN on it instead. These routers should also allow you to set custom routes to your preferred VPN servers, acting as an effective kill switch for your whole network. This approach requires a bit more knowledge and much bigger headaches if the VPN service is down, resulting in your entire network going down. Fortunately, the risk isn't as high nowadays because you can use mobile data on your phone to check the VPN's service status or find troubleshooting advice.
