What is a Kill Switch?
A kill switch is a security feature that blocks internet traffic if the VPN connection drops unexpectedly. This prevents your real IP address and unencrypted traffic from leaking when the tunnel fails.
How Mullvad’s Kill Switch Works
Mullvad’s kill switch is fundamentally different from traditional kill switches:
Traditional Kill Switches
Traditional VPN kill switches are reactive:
- A “red button” engaged when a problem arises
- Waits for tunnel failure to detect and respond
- May have a time window between failure and blocking
- Can be disabled by the user
Mullvad’s Proactive Approach
The kill switch is not a separate feature; it is built into the core security architecture through the tunnel state machine and firewall integration. Mullvad’s kill switch is proactive and always active:
- Immediate activation: Strict firewall rules are applied the moment the app leaves the Disconnected state
- Maintained continuously: Rules stay active until the app returns to Disconnected via explicit user action
- Atomic transactions: Firewall rules are updated atomically with no vulnerable time windows
- Fail closed: If the tunnel fails, packets are blocked rather than allowed to leak
Kill Switch in Different States
The kill switch behavior depends on the tunnel state:
Disconnected State
- Default: No firewall rules applied, traffic flows freely
- With lockdown mode: Kill switch active, all traffic blocked
- This state is only active when the user explicitly disconnects
The Disconnected state is NOT active during server changes, reconnections, or unexpected tunnel failures. Those use Connecting or Error states where the kill switch is active.
Connecting State
Kill switch is ACTIVE:
- Blocks all traffic except the connection to the VPN server
- Only privileged processes can reach the VPN server IP
- Prevents leaks during tunnel establishment
- Active until tunnel is verified working
Connected State
Kill switch is ACTIVE:
- All traffic must go through the tunnel
- Traffic not using the tunnel interface is blocked
- DNS requests to non-tunnel addresses are blocked
- Prevents leaks even while the tunnel is up
Disconnecting State
Kill switch is ACTIVE:
- Maintains the security policy from the previous state
- Short transition while tunnel closes cleanly
- Prevents leaks during shutdown process
Error State
Kill switch is ACTIVE:
- Blocks all traffic (except always-allowed traffic)
- Active when tunnel cannot be established
- Requires explicit user disconnect to unlock
Atomic Firewall Transactions
A critical aspect of Mullvad’s kill switch is atomic rule updates. All firewall rule changes are applied as atomic transactions; there is no time window where rules are inconsistent, missing, or invalid during state transitions:
- All new rules are prepared before any old rules are removed
- The switch from old to new rules happens instantaneously
- No gap exists where traffic could leak
- True on all desktop platforms (Windows WFP, macOS PF, Linux nftables)
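The following is an added example, not Mullvad’s own code, showing the "prepare everything, then switch in one step" pattern on Linux with nftables: the whole ruleset for the target state is written as a single file that first flushes the table and then redefines it in full, and `nft -f` commits that file as one kernel transaction, so the old rules disappear and the new rules appear in the same instant. The table name `inet killswitch_demo`, the interface name `wg0-mullvad`, the relay endpoint `192.0.2.10:51820` and the chain layout are this example’s assumptions; the per-state rule sets follow the state descriptions on this page.

```python
"""Atomic nftables rule replacement in the style this page describes: build the
complete new ruleset first, then hand it to nft as one file so old-rule removal
and new-rule creation commit as a single transaction. Added example, not
Mullvad's code; the table name, interface name and relay endpoint are assumed."""
import shutil
import subprocess

TABLE = "inet killswitch_demo"          # assumed table name (not Mullvad's)
LAN_V4 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Always-allowed traffic from the "What Kill Switch Allows" section.
ALWAYS_IN = [
    'iif "lo" accept',                                   # loopback
    "udp sport 67 udp dport 68 accept",                  # DHCPv4 replies
    "udp sport 547 udp dport 546 accept",                # DHCPv6 replies
    "icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept",
]
ALWAYS_OUT = [
    'oif "lo" accept',
    "udp sport 68 udp dport 67 accept",
    "udp sport 546 udp dport 547 accept",
    "icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept",
]


def build_ruleset(state, tun_if="wg0-mullvad", relay_ip="192.0.2.10", relay_port=51820,
                  allow_lan=False, lockdown=False, prev_state=None):
    """Return the full nftables ruleset text for a tunnel state.

    Every rule the new state needs is in the file before the flush takes
    effect, because nft -f applies the whole file as one kernel transaction:
    there is no instant at which the table is empty or half built.
    """
    state = state.lower()
    if state == "disconnecting":
        # Disconnecting keeps the policy of the state it came from
        return build_ruleset(prev_state or "connected", tun_if, relay_ip, relay_port,
                             allow_lan, lockdown)
    if state == "disconnected" and not lockdown:
        # Default Disconnected: no rules at all, traffic flows freely
        return f"table {TABLE}\ndelete table {TABLE}\n"

    inbound, outbound = list(ALWAYS_IN), list(ALWAYS_OUT)
    relay_in = f"ip saddr {relay_ip} udp sport {relay_port} accept"
    relay_out = f"ip daddr {relay_ip} udp dport {relay_port} accept"
    if state == "connecting":
        # Only the handshake with the relay may leave the host
        inbound.append(relay_in)
        outbound.append(relay_out)
    elif state == "connected":
        # Relay traffic plus anything riding the tunnel interface; the rest is dropped,
        # which also covers DNS sent to a non-tunnel address
        inbound += [relay_in, f'iifname "{tun_if}" accept']
        outbound += [relay_out, f'oifname "{tun_if}" accept']
    elif state not in ("error", "disconnected"):
        raise ValueError(f"unknown state {state!r}")
    # Error, and Disconnected with lockdown mode: always-allowed traffic only
    if allow_lan:
        outbound.append(f"ip daddr {LAN_V4} accept")
        inbound.append(f"ip saddr {LAN_V4} accept")

    def chain(name, hook, rules):
        body = "\n".join(f"        {r}" for r in rules)
        return (f"    chain {name} {{\n"
                f"        type filter hook {hook} priority 0; policy drop;\n{body}\n    }}\n")

    return (f"table {TABLE}\nflush table {TABLE}\ntable {TABLE} {{\n"
            + chain("input", "input", inbound) + chain("output", "output", outbound) + "}\n")


def load_ruleset(text, check_only=True):
    """Validate (-c) or commit the ruleset via nft. Committing needs root and nft on PATH."""
    nft = shutil.which("nft")
    if nft is None:
        raise RuntimeError("nft is not installed")
    cmd = [nft, "-c", "-f", "-"] if check_only else [nft, "-f", "-"]
    subprocess.run(cmd, input=text, text=True, check=True)
    return True


if __name__ == "__main__":
    print(build_ruleset("connected", allow_lan=True))
```

Run as root with `load_ruleset(build_ruleset("connecting"), check_only=False)` to install the Connecting policy; the same call with the Connected ruleset swaps it without any intermediate state, which is the property the page attributes to all three desktop firewall backends.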
Scenarios Where Kill Switch Activates
The kill switch automatically protects you in these scenarios:
Server Changes
When you change VPN servers:
- App transitions to the Connecting state
- Kill switch blocks all non-VPN traffic
- New tunnel is established
- Only then does traffic flow through new server
Unexpected Tunnel Loss
If the tunnel connection drops unexpectedly:
- App detects the tunnel is down
- Transitions to Connecting (to reconnect) or Error state
- Kill switch blocks all traffic
- Either reconnects or waits for user action
Network Changes
When you switch networks (WiFi → Ethernet, different WiFi, etc.):
- Tunnel may need to reconnect
- Kill switch remains active during reconnection
- No traffic flows until new tunnel is established
Settings Changes
When you change settings that affect the tunnel:
- Tunnel may need to restart
- Kill switch protects during the restart
- New settings applied only when tunnel is ready
System Sleep/Wake
When your device sleeps and wakes:
- Tunnel may need to reconnect
- Kill switch blocks traffic until reconnected
- Offline monitor prevents wasted reconnection attempts
Lockdown Mode
Lockdown mode is often confused with the kill switch, but they are different features:
What Lockdown Mode Does
Lockdown mode changes how the Disconnected state behaves.
Without lockdown mode (default):
- Disconnected state allows traffic to flow freely
- No firewall rules applied
- Normal internet access without VPN
With lockdown mode:
- Disconnected state blocks all traffic (like the Error state)
- Firewall rules remain active
- No internet access without VPN
When to Use Lockdown Mode
Enable lockdown mode if you want to:
- Never communicate outside the VPN: Device can only access the internet through the VPN tunnel
- Eliminate Disconnected state risk: Ensures you can’t accidentally use internet without VPN
- Binary internet choice: Either VPN or no internet at all
Lockdown mode does NOT protect you during reconnections or server changes—the always-on kill switch already does that. Lockdown mode only prevents internet access when you’ve explicitly disconnected.
Lockdown Mode Settings
To enable lockdown mode:
- Open the Mullvad VPN app
- Go to Settings
- Enable “Lockdown mode” or “Block when disconnected”
Once enabled:
- Disconnected state will block all traffic
- You must connect to the VPN to access the internet
- Kill switch remains active in all other states as usual
Boot-Time and Shutdown Protection
The kill switch also protects during system boot and shutdown:
Boot-Time Protection
Windows: Persistent WFP filters block traffic before mullvad-daemon starts:
- Active before the Base Filtering Engine (BFE) starts
- Applied when lockdown mode or auto-connect is enabled
- Prevents leaks during system boot
- Removed once mullvad-daemon takes over
Linux: A boot-time blocking service fills the same gap:
- Starts before network initialization
- Blocks all traffic until mullvad-daemon starts
- Applied when lockdown mode or auto-connect is enabled
- Prevents leaks during the boot process
Shutdown Protection
When the daemon exits, it maintains blocking firewall rules if:
- Lockdown mode is enabled, OR
- The user did not explicitly request shutdown AND either:
  - The daemon is currently in a blocking state (Connected, Connecting, Error), OR
  - Auto-connect is enabled
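The state descriptions above, the lockdown-mode behaviour and the shutdown rule just listed together define a small policy, and it is easiest to check by replaying it. The example below is added here and is not Mullvad’s code: it encodes which states block, what lockdown mode changes, a simplified transition table built from the scenarios on this page (the event names `user_connect`, `tunnel_up`, `tunnel_lost`, `tunnel_failed`, `server_change`, `network_change`, `settings_change`, `wake`, `user_disconnect` and `tunnel_closed` are this example’s assumptions), and the shutdown-protection decision. The `leaks` check expresses the proactive property: over any event sequence the firewall may open only as the final step of an explicit user disconnect.

```python
"""Model of the tunnel states and kill switch policy described on this page:
which states block, what lockdown mode changes, which events lead where, and
when the daemon keeps its rules on exit. Added example, not Mullvad's code; the
event names and the transition table are this example's own simplification."""
from enum import Enum


class State(Enum):
    DISCONNECTED = "Disconnected"
    CONNECTING = "Connecting"
    CONNECTED = "Connected"
    DISCONNECTING = "Disconnecting"
    ERROR = "Error"


# Every state except Disconnected keeps the firewall in blocking mode
BLOCKING_STATES = {State.CONNECTING, State.CONNECTED, State.DISCONNECTING, State.ERROR}


def firewall_policy(state, lockdown=False):
    """'block' whenever the kill switch is engaged; 'open' only in Disconnected
    with lockdown mode off."""
    return "block" if state in BLOCKING_STATES or lockdown else "open"


# (current state, event) -> next state. Events follow the page's scenario list;
# only the explicit user disconnect path ever reaches Disconnected.
TRANSITIONS = {
    (State.DISCONNECTED, "user_connect"): State.CONNECTING,
    (State.ERROR, "user_connect"): State.CONNECTING,
    (State.CONNECTING, "tunnel_up"): State.CONNECTED,
    (State.CONNECTING, "tunnel_failed"): State.ERROR,      # tunnel cannot be established
    (State.CONNECTED, "server_change"): State.CONNECTING,
    (State.CONNECTED, "tunnel_lost"): State.CONNECTING,    # automatic reconnect
    (State.CONNECTED, "network_change"): State.CONNECTING,
    (State.CONNECTED, "settings_change"): State.CONNECTING,
    (State.CONNECTED, "wake"): State.CONNECTING,
    (State.CONNECTING, "user_disconnect"): State.DISCONNECTING,
    (State.CONNECTED, "user_disconnect"): State.DISCONNECTING,
    (State.ERROR, "user_disconnect"): State.DISCONNECTING,
    (State.DISCONNECTING, "tunnel_closed"): State.DISCONNECTED,
}


def run(events, start=State.DISCONNECTED, lockdown=False):
    """Replay events and return [(event, state, policy)]; unknown events keep the state."""
    state, trace = start, []
    for ev in events:
        state = TRANSITIONS.get((state, ev), state)
        trace.append((ev, state, firewall_policy(state, lockdown)))
    return trace


def leaks(trace, start=State.DISCONNECTED):
    """Events after which the firewall is open although the app was not already
    sitting in Disconnected and the event is not the end of a user disconnect.
    A proactive kill switch makes this list empty for every event sequence."""
    bad, prev = [], start
    for ev, state, policy in trace:
        if policy == "open" and not (ev == "tunnel_closed" or prev == State.DISCONNECTED):
            bad.append(ev)
        prev = state
    return bad


def keep_rules_on_exit(state, lockdown, user_requested_shutdown, auto_connect):
    """Shutdown Protection rule from this page: keep blocking rules after the daemon
    exits if lockdown mode is on, or if the shutdown was not user-requested and the
    daemon was in a blocking state (Connected, Connecting, Error) or auto-connect is on."""
    if lockdown:
        return True
    if user_requested_shutdown:
        return False
    return state in {State.CONNECTED, State.CONNECTING, State.ERROR} or auto_connect


if __name__ == "__main__":
    demo = ["user_connect", "tunnel_up", "server_change", "tunnel_up",
            "tunnel_lost", "tunnel_failed", "user_disconnect", "tunnel_closed"]
    for ev, st, pol in run(demo):
        print(f"{ev:16} -> {st.value:14} firewall={pol}")
    print("leaks:", leaks(run(demo)))
```

Replaying the server-change, tunnel-loss and error scenarios shows the firewall staying in `block` throughout; it opens exactly once, on `tunnel_closed` after `user_disconnect`, and with `lockdown=True` it never opens at all.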
What Kill Switch Allows
Even with the kill switch active, certain traffic is always allowed:
Required System Traffic
- Loopback traffic: 127.0.0.1, ::1
- DHCP: For network configuration (IPv4 and IPv6)
- NDP: A subset of the IPv6 Neighbor Discovery Protocol
VPN-Related Traffic
- VPN server connection: Traffic to establish and maintain tunnel
- Mullvad API: For key rotation, account checks, relay list updates
Optional Traffic
- Allow LAN traffic: If enabled, local network communication is allowed
- Split tunneling: If configured, excluded apps bypass the tunnel
Testing the Kill Switch
You can test that the kill switch is working:
Test 1: Disable VPN in Connecting State
- Disconnect from VPN
- Configure an invalid VPN server (if possible via config)
- Try to connect
- While in Connecting state, try to access the internet
- Expected: No internet access, all connections fail
Test 2: Kill VPN Process
- Connect to VPN
- Verify you have internet access and VPN IP
- Kill the VPN tunnel process (varies by platform)
- Immediately try to access the internet
- Expected: No internet access until tunnel reconnects
Test 3: Network Change
- Connect to VPN on WiFi
- Switch to Ethernet or different WiFi
- Monitor for any traffic leaks during the switch
- Expected: No leaks, tunnel reconnects automatically
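All three tests come down to the same question: at any moment during a transition, could a packet reach the outside? The following added sampler (not Mullvad’s code) is one way to answer it. It attempts a TCP connection to an outside address at a fixed interval while you perform the test, then collapses the results into time windows during which connections succeeded. The target `203.0.113.1:443` is a documentation placeholder to replace with a host you control; the probe, clock and sleep functions are injectable so the summary logic can be exercised with constructed data.

```python
"""Reachability sampler for the kill switch tests on this page: records, at a
fixed interval, whether a TCP connection to an outside host succeeds, so that a
transition (server change, network switch, killed tunnel) can be inspected for
any moment at which traffic got out. Added example, not Mullvad's code; the
target host and the timings are assumptions."""
import socket
import time


def tcp_probe(host="203.0.113.1", port=443, timeout=0.5):
    """True if a TCP handshake completes. 203.0.113.1 is a documentation
    placeholder; use an address you control or a well-known public one."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sample(duration, interval=0.5, probe=tcp_probe, clock=time.monotonic, sleep=time.sleep):
    """Return [(seconds_since_start, reachable)] sampled every `interval` seconds
    until `duration` seconds have elapsed."""
    start, out = clock(), []
    while True:
        t = clock() - start
        if t > duration:
            return out
        out.append((round(t, 2), probe()))
        sleep(interval)


def reachable_windows(samples):
    """Collapse samples into [(first_t, last_t)] spans during which probes succeeded.
    A span that overlaps a Connecting or Error period is a leak; a span while
    Connected is expected, because that traffic rides the tunnel."""
    windows, open_at, last_t = [], None, None
    for t, ok in samples:
        if ok and open_at is None:
            open_at = t                       # first success after a blocked stretch
        elif not ok and open_at is not None:
            windows.append((open_at, last_t))  # blocked again: close the span
            open_at = None
        last_t = t
    if open_at is not None:
        windows.append((open_at, last_t))
    return windows


if __name__ == "__main__":
    # Start this, then change server / switch network / kill the tunnel process,
    # and compare the reported windows with the app's state at those times.
    for span in reachable_windows(sample(duration=30)):
        print(f"reachable from t={span[0]}s to t={span[1]}s")
```

For Test 1 and Test 2 the expected result is that no window overlaps the time the app spent in Connecting or Error; for Test 3 a single window ending when the tunnel drops and a new one starting only after the app reports Connected again is the leak-free outcome.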
Kill Switch Failure Scenarios
In rare cases, the kill switch could fail:
Firewall Integration Failure
If the firewall integration fails (e.g., unable to apply rules):
- The app will inform the user of the serious situation
- Without functioning firewall rules, the app cannot prevent leaks
- User should investigate the issue or reinstall the app
Platform Limitations
Some platforms have inherent limitations:
- macOS boot-time leaks: Service start order cannot be controlled
- Android system exemptions: Connectivity checks, NTP, hotspot traffic bypass VPN
- Mobile platform limitations: No direct firewall access, rely on VPN Service APIs
Comparison with Other VPNs
How Mullvad’s kill switch compares:

| Feature | Mullvad | Typical VPN |
|---|---|---|
| Always on | ✅ Yes, cannot disable | ❌ Optional, can disable |
| Proactive | ✅ Active before connection | ❌ Reactive after failure |
| Atomic updates | ✅ No vulnerable time windows | ⚠️ Varies by implementation |
| Built into architecture | ✅ Core security feature | ⚠️ Often separate add-on |
| Boot-time protection | ✅ Yes (Windows/Linux) | ❌ Rarely implemented |
Related Documentation
- Leak Protection - Comprehensive leak prevention mechanisms
- Tunnel States - State machine and when kill switch is active
- Firewall Integration - How firewall rules are implemented
- Security Overview - High-level security architecture