The latest update for our macOS app implements a firewall-based Kill Switch to keep your data safe even if you are disconnected from your VPN server.
What is a Kill Switch?
The new, firewall-based Kill Switch prevents your IP address
and DNS queries from being exposed in the event you are disconnected from a VPN
server for any reason. When you enable Kill Switch, if you lose connection to
the VPN service, the Kill Switch will block all external network traffic until
it automatically re-establishes a connection to a VPN server.
background and implementation
ProtonVPN’s macOS app utilizes the IKEv2 protocol, which allows for theoretically higher speeds and connection stability (when switching networks or on the go) than the OpenVPN protocol. It also has the benefit of being natively supported by Apple at the OS level. While this has certain benefits in terms of native integration into the OS, it also imposes certain constraints. In general, a kill switch, as defined above, is not possible for IKEv2 VPNs on macOS, which is why in the past, we have provided Always-on VPN, which automatically reconnects users to a VPN server if the connection is broken, as an alternative. The Always-on VPN will remain, and will now be complemented by the improved Kill Switch feature we are introducing today.
Implementing a Kill Switch (as defined above) required us to
work around certain limitations within Apple’s native VPN infrastructure,
specifically that it does not allow an app to fully block network traffic
outside of the VPN connection on an Apple device. To resolve this, we have
created a helper application to generate a packet filter. Now, whenever you
connect to a VPN server with Kill Switch enabled, the packet filter blocks all
external network communications except for those routed through the VPN server
you are currently connected to. Since all your network traffic is restricted to
the VPN server, if connection to the VPN server is lost, all Internet traffic
is stopped immediately and your data is never exposed. This workaround of
Apple’s network stack allows us to achieve what was previously impossible on
It is important to note that as of today, a Kill Switch, as we have defined it, is still not possible on iOS. This is because Apple’s network level restrictions on iOS are even more stringent than they are for macOS, so we cannot replicate the workaround we designed for macOS on iOS. Thus, from a technical standpoint, Always-on VPN is the best that can be achieved on iOS today. However, in the process of designing our Kill Switch workaround for macOS, we were in close communication with Apple engineers who expressed a willingness to reconsider their native VPN infrastructure’s restrictions. Those discussions have continued and we are currently working with Apple to find a way to implement a Kill Switch on iOS.
The addition of this new Kill Switch to ProtonVPN for macOS
will help you stay secure no matter how unstable your connection is. If you
already use ProtonVPN, your app will either update automatically or prompt you
to update. Please join us on Facebook, Twitter, and Reddit and let us know what
The ProtonVPN Team
You can get a free ProtonVPN account here.
To get a free ProtonMail encrypted email account, visit: protonmail.com