GUIDE

5 ways to protect yourself when your VPN connection fails

Using a VPN service is great for that warm sense of security that comes from knowing your online activity is hidden from view. Unfortunately, even the most stable connections occasionally ‘fail’ (disconnect from the VPN server). When this happens, the data packets are usually just routed through your ISP as normal, leaving your activity exposed. This can be particularly dangerous for people who leave BitTorrent clients running while they are away from their computers, as it means that trackers can be used to identify who they are, and what they are downloading.

Fortunately, there are now a number of ways to prevent either the whole computer, or selected programs, from accessing the internet once a VPN connection has been disconnected.

1. VPN clients with an ‘internet kill switch’

Perhaps the simplest way to ensure that no programs access the internet except over VPN is to use an ‘internet kill switch’ built into your provider’s VPN client. Choosing this setting in the client’s Settings dialogue will prevent all traffic in and out of the computer in the event of a VPN fail.

PIA kill switch

Unfortunately this is a feature that we don’t see often enough, but is becoming more common. Some providers who do include a kill switch in their VPN clients are:

*Update March 2016: Please note this list is far from exclusive, as kill switches have become much more common since this article was first published.

Occasionally you may encounter problems re-connecting to the internet using this method. This is easily fixed by right-clicking on your internet connection and selecting ‘Troubleshoot problems’, which will reset your adaptor.

2. Use Vuze to download torrents

(Windows, OSX)

The popular BitTorrent client Vuze now (starting with version 4.8.1.0) includes a feature that detects whether it is running over VPN. If it finds that it’s not, it will alert the user with a pop-up warning, asking if they wish to only use the client over VPN. In theory this should work automatically, but when we tried, it didn’t. It is however not too difficult to set up manually.

a) Make sure that your VPN connection is active, then in Vuze go to Tools -> Options and select ‘Advanced’ under ‘User Proficiency’

b) Then go to Connection -> Advanced Network Settings and look through the list for your VPN connection. It will look something like:

Windows (PPTP/L2TP) – WAN Miniport
Windows (OpenVPN) – Tap-Win32 Adapter V9
OSX – tun0 (or whatever network interface displays your VPN IP address)

Enter the interface name in the ‘Bind to local IP address or interface’ dialogue above the list

c) Head down to the bottom of the list and make sure you check ‘Enforce IP bindings…’

d) The little routing icon at the bottom of the Vuze client should now show green to let you know everything is working correctly. If you disconnect from your VPN provider the icon should turn red, and all torrent downloads will come to a stop.

In practice, when we disconnected from our VPN the icon remained green, but the torrent download did stop. When we reconnected the torrent download resumed.

3. Use VPNetMon

(Windows XP, Vista & 7)

VPNetMon is, as the name suggests, a VPN monitor that can be downloaded for free from here. It works by keeping a continual eye on the IP address of your VPN, and if it is not detected will close any specified programs at once. According to Felix the creator, this happens so quickly that no new connection will be made from your real IP address.

a) Download, extract and run VPNetMon, then click ‘Opt’

b) You need to select any programs you want to shut down when the VPN disconnects (1). You must then enter the first part of your VPN’s IP in the VPN IP Start box (2). This number can be found in one of the lower IPV4 Address boxes (3) when you are connected to your VPN

c) When you now connect to your VPN as normal, you should see your VPN IP address in one of the lower IPV4 Addresses boxes showing green (4). Programs you wish protected (which you selected in step b), should be launched from within the VPNetMon (5)

d) You can test that everything is working correctly by disconnecting from your VPN. All specified programs will immediately shut down.
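
The monitoring logic described for VPNetMon, written out as an added example (a Linux shell sketch, not VPNetMon's code and not part of the original guide): it checks whether any local IPv4 address starts with the configured VPN prefix and stops the named programs when none does. The one-second poll, the use of `pkill`, the program name and the sample `ip` output are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not VPNetMon's code): stop named programs when no local IPv4
# address starts with the VPN prefix. Sample data below is constructed.

# has_vpn_prefix PREFIX
# Reads `ip -o -4 addr show` output on stdin; succeeds if any address begins
# with PREFIX on an octet boundary, so "10.8" matches 10.8.0.6 but not 10.80.3.4.
has_vpn_prefix() {
    _p=${1%.}                      # accept "10.8." as well as "10.8"
    [ -n "$_p" ] || return 2
    while read -r _idx _ifname _fam _addr _rest; do
        [ "$_fam" = inet ] || continue
        _ip=${_addr%%/*}           # point-to-point tun addresses carry no /len
        case $_ip in
            "$_p"|"$_p".*) return 0 ;;
        esac
    done
    return 1
}

# watch_vpn PREFIX PROGRAM...
# Polls once per second (assumed interval); traffic sent between the drop and
# the next poll still leaves on the real address, which firewall rules avoid.
watch_vpn() {
    _prefix=$1; shift
    while ip -o -4 addr show | has_vpn_prefix "$_prefix"; do
        sleep 1
    done
    for _prog in "$@"; do
        pkill -x "$_prog"          # exact process-name match
    done
}

# Constructed sample of `ip -o -4 addr show` with the tunnel up.
SAMPLE_UP='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0
5: tun0    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0'

if printf '%s\n' "$SAMPLE_UP" | has_vpn_prefix 10.8; then
    echo "VPN address present"
fi
# Real use (hypothetical program name): watch_vpn 10.8 deluge
```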

4. VPN Check

(Windows & Linux)

VPNCheck is another VPN monitoring program that will close down any specified programs when your VPN connection fails. Unlike VPNetMon, VPN Check is a commercial piece of software that has a basic free edition, and a more fully featured Pro edition. We used the Free edition, but both versions can be downloaded from here.

a) Download, install and run VPN Check, then click on ‘Config’

b) Fill in your VPN account info (1). Although the documentation says that VPN Check works best with the ‘classic’ OpenVPN client, we found it worked just fine with Private Internet Access’s custom software. Next add any programs (2) you want to shut down in the event of a VPN disconnect and close the window (the free version allows a maximum of 3 programs to be added here)

c) Back at the Status screen, choose either ‘Cycle: IP Task’ to shut down the individual programs you selected above if your VPN disconnects, or ‘Cycle IP: Network’ to shut down your whole internet connection

d) You can check that everything is working as it should by disconnecting your VPN service. Any specified programs will immediately close, and an Alert will appear in the Task Bar.

5. Manually configure your OS settings

Arguably the most secure way of ensuring that certain programs, or your entire internet connection, shut down when disconnected from a VPN server is to fiddle with the inner workings of your OS. This has the advantage of not needing to rely on third-party software, which may go wrong, and is a more direct approach. However it is complicated, and will require some research and computer know-how. To get you started, here is a guide to changing TCP/IP routes in Windows, and one on setting up firewall rules in Ubuntu. Good luck!
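
The firewall approach mentioned above, as an added example rather than code from the original guide: a shell function that prints iptables rules which block everything on the physical interface except the VPN server and one DNS server, and allow all outgoing traffic on the tunnel device. The choice of iptables, the interface names, addresses and port are assumptions; replace them with your own values.

```shell
#!/bin/sh
# Added example: print (dry run) iptables rules for a firewall-based kill switch.
# Interface names, addresses and port in the sample call are constructed.

# Succeeds only for a dotted quad with exactly four octets in 0-255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _rest=$1 _n=0
    while [ -n "$_rest" ]; do
        _oct=${_rest%%.*}
        [ "${#_oct}" -le 3 ] && [ "$_oct" -le 255 ] || return 1
        _n=$((_n + 1))
        case $_rest in *.*) _rest=${_rest#*.} ;; *) _rest= ;; esac
    done
    [ "$_n" -eq 4 ]
}

# killswitch_rules LAN_IF TUN_IF VPN_SERVER_IP PROTO PORT DNS_IP
# Arguments are validated because the output is meant to be run as root.
killswitch_rules() {
    [ $# -eq 6 ] || { echo "need 6 arguments" >&2; return 2; }
    lan_if=$1 tun_if=$2 vpn_ip=$3 proto=$4 port=$5 dns_ip=$6
    for _if in "$lan_if" "$tun_if"; do
        case $_if in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
    done
    is_ipv4 "$vpn_ip" && is_ipv4 "$dns_ip" || { echo "bad IPv4" >&2; return 1; }
    case $proto in udp|tcp) ;; *) echo "bad proto" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }
    cat <<EOF
# Start clean and default-deny; IPv6 is dropped so it cannot bypass the tunnel.
iptables -F
ip6tables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
# Loopback and replies to connections this host opened.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Exception: one DNS server, to resolve the VPN hostname. Lookups sent this
# way are outside the tunnel; connect by IP and drop this rule to avoid that.
iptables -A OUTPUT -o ${lan_if} -d ${dns_ip} -p udp --dport 53 -j ACCEPT
# Exception: the VPN server itself, on the tunnel transport port only.
iptables -A OUTPUT -o ${lan_if} -d ${vpn_ip} -p ${proto} --dport ${port} -j ACCEPT
# Anything may leave through the tunnel device; nothing else may leave at all.
iptables -A OUTPUT -o ${tun_if} -j ACCEPT
EOF
}

# Review the output, then pipe it to a root shell to apply it.
killswitch_rules eth0 tun0 203.0.113.10 udp 1194 192.0.2.53
```

These rules are not persistent across reboots and also block other LAN traffic; add narrow exceptions where needed.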

Conclusion

Sooner or later every VPN user starts to worry about what will happen if their VPN connection drops while they are away. After all, we all know it happens from time to time, and what is the point of using VPN if your online activity can be exposed for all to see, sometimes for hours at a time, because you weren’t around to close down your programs? Well, as we have seen above, there are a number of methods available (most of them free) to help give you peace of mind.

Update 7 February 2014: We have just reviewed another ‘VPN kill switch’ program, VPN Watcher (Windows & OSX). Also, PIA’s Android app now includes the kill switch feature found in its desktop client.

Update 15 July 2014: We have written an article explaining how to build your own VPN kill switch in Windows using Comodo.


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+



48 responses to “5 ways to protect yourself when your VPN connection fails”

  1. I use VPNetMon, and it works perfectly with Windows 10. When I disconnect my VPN, my bittorrent client Deluge shuts down immediately. I bought a lifetime subscription for VPNGhost, which seems to be a reliable service provider, but they have not developed an app with a built-in kill switch yet.

    1. Hi Mona,

      Apps such as VPNetMon which detect when a VPN connection fails and then shut down the internet/any specified programs are good. I will say, though, that kill switches which use firewall rules to prevent any possibility of an internet connection outside the firewall are better. Hopefully VPNGhost will implement this feature in their client in the near future.

  2. You do not need a killswitch!
    You need a Firewall!

    You have only four things to do.

    1. Add a rule that blocks all outgoing and incoming Traffic on your Local Ethernet Device.
    2. Add an exception for your favorite DNS Server (to resolve the Hostname of your VPN Provider)
    3. Add an exception for your VPN Provider’s IP-Block.
    4. Add a Rule for your tun/tap or any other VPN Device to allow all outgoing Traffic for the VPN Tunnel.

    After this you are unable to connect to the Internet with your Local LAN Gateway even if it is in your routing table for Fall Back routing! There will be no way to access the Internet without a VPN Connection.

    You prevent even the WebRTC Leak, the latest NAT Leak or DNS Leak! There are no leaks anymore corresponding to your second internet connection because you are able to connect only to your VPN Provider with your local Gateway; any other connections from your Client will be dropped by your Local Firewall.

    This is simple to protect your Privacy and Piracy! 😉

  3. Hi Douglas, what about using a VPN router in a sensitive location? Use existing modem router for non-secure and VPN router for secure? Would that work?

    1. Hi ray,

      So how would you route non-secure data to one router, and secure data to another? This would work if you used 2 different computers, but still doesn’t solve the problem of VPN connection fails.

  4. For OS X users a simple solution in the case of VPN disconnection is to use an AppleScript that when activated will quit a download program, i.e. uTorrent. Below is a sample of a script and all that’s needed is to replace the correct VPN server and the torrent download program; remembering when connecting to your VPN server to activate the script. In the case of a VPN disconnect this script will also give a visual and audio warning. The below sample script will need to be compiled using OS X Script editor.

    tell application "System Events"
        -- Look up the VPN service by name and connect it if it exists
        tell current location of network preferences
            set vpnConnection to the service "vpn (L2TP)Stock"
            if exists vpnConnection then connect the vpnConnection
        end tell
        -- Check if UTORRENT is running
        repeat
            tell application "System Events"
                set utorrentIsRunning to (count of (every process whose name is "utorrent")) > 0
            end tell

            -- Check if VPN is down
            if not (connected of current configuration of vpnConnection) then
                if (utorrentIsRunning = true) then
                    tell application "uTorrent" to quit
                    say "WARNING VPN DISCONNECTED " using "VICTORIA"
                    display dialog "vpn disconnected"

                    delay 10
                    exit repeat
                else
                    set errorCount to 1
                    if (errorCount > 1) then
                        tell application "uTorrent" to quit
                        display dialog "vpn disconnected"
                        delay 10
                        exit repeat
                    end if
                end if
            end if
        end repeat
    end tell

    1. Ian, I love the script! Just what I had been looking for – I couldn’t find a simple app to replicate it. However, as I run it, it seems that System Events will hold my CPU ransom for resources, even firing up the fans just due to the script alone. Any workarounds? And if not, would you recommend an app that does just this?

      Cheers
      James

  5. A simple, yet cumbersome, method for linux users is to start your vpn, access the network settings for your main internet connection, select ip4 and select “use this connection only for resources on its network”. After saving your settings, doing so will make it so nothing will leave your private network in the case of a vpn drop.

    Please note, this may not be the case for all distros. But, it is the case for ubuntu and any distros using cinnamon or gnome. It has been a while since I have used other desktop environments, but it may also be the case there.

  6. I’d also like to know how I can configure my Firewall in OS X so that it acts as a Kill Switch; I only really want to stop the torrent client if the VPN disconnects.

  7. Hi

    I bought VPN Monitor but I don’t understand the set-up instructions. When it says ‘add new server’ in preferences, does this mean you have to write in the names of each individual server you use on a given VPN? I was hoping you just type in the name of your VPN service. I also cannot find where you write in the name of the programme that you want to close if the VPN breaks. Hope someone can advise.

    1. Hi Brian,

      I am afraid that I am not familiar with ‘VPN Monitor’ (from your description it does not sound the same as VPNetMon described here.) If you post a link to the software you are using I will have a look and try to help.

  8. Just a quick remark (and possible question) regarding kill switches and OpenVPN GUI’s: On OS X, I use PIA with Viscosity (an OpenVPN client) instead of the PIA client/app. For general DNS leak prevention, there are solid options in preferences. To my knowledge, Viscosity doesn’t have an option entitled “kill switch,” but it has a few nifty tricks that provide essentially the same function. They outline these on one of their knowledge base pages. To prevent connections in case of VPN disconnect, I like to use the routing technique outlined on that page. I like the added comfort of knowing nothing is sent/received until manual WiFi dis/reconnection when that happens.
    The part that is a bit of a question is that I think that this should be able to work with any VPN provider, since it’s just client behavior, right?

    1. As long as the VPN provider gives you the config files and you purchase a Viscosity license (it’s only free with some VPN providers), then I would say that theoretically, yes.

  9. After searching the web for solutions on implementing a fail-safe kill switch that would kick in when the VPN client crashes or fails (happened to me TWICE with Anonymizer VPN client on Windows 7), I couldn’t find one that would work. I finally figured out how: use the built-in Windows Firewall.

    For example, let’s configure Chrome to only allow traffic through the VPN, but not anywhere else. So, if VPN dies, Chrome should not be allowed to go anywhere.

    VPN network is set to the “Public” network profile.
    Home network is set to the “Home” or “Work” network profile, aka “Private”.

    In Windows Firewall with Advanced Security, set the Incoming rules to:
    Chrome (configure the program path): Allow only for “Public”. Block it for “Private,Domain”

    For Outgoing rules:
    Chrome (configure program path): Block for “Private,Domain”

    Hope this helps anyone else trying to find a solid kill-switch solution. There are other tweaks you can make to the Windows Firewall, but I won’t get into that here.

    1. But when you are using any internet and system security software like Norton, your Windows Firewall is disabled and managed by Norton, so your method above won’t work there

      1. Hi sf,

        Correct, although it should be possible to configure any firewall (including the one used by Norton Security) to achieve the same thing (it’s just the details that differ). As a general rule, the basic principles are:

        1. Add a rule that blocks all outgoing and incoming traffic on your Local Ethernet Device.
        2. Add an exception for your favorite DNS Server (to resolve the hostname of your VPN provider)
        3. Add an exception for your VPN provider’s IP addresses
        4. Add a rule for your tun/tap or any other VPN device to allow all outgoing traffic for the VPN tunnel.

  10. I’d like to suggest a simpler way to use VPNCheck if what you want to do is kill all internet access with the drop of any Windows VPN connection. Simply leave configuration unconfigured. You can then connect to your VPN via Windows status tray icon for connections and then start VPNCheck and click on Cycle IP: Network. Or you can do it in the other order starting VPNCheck first. You are now protected.

    When a connection drops or your IP address changes your traffic is blocked and Windows’ attempt to reconnect will fail. Simply click on VPNCheck’s Cycle IP:Network again to start it and clear the block. Then click on reconnect for your VPN. The order of these two steps is important.

    1. Hi Don,

      Thanks for that hint. I don’t have VPN Check installed anymore, but it sounds like it should work a treat.

  11. Hi,

    I am using Vuze on Mac. The interface name lists in Vuze is very few. The tun0 address is 10.30.1.6. I cannot find my VPN ip address in the lists.

    Please help me.

    Thank you.

    1. Hi Robin
      The Tun address will give the internal IP provided by your provider. I’m not familiar with Vuze but I’ve been meaning to do a tutorial on how to check if your torrent is going through the VPN or not – so thanks for reminding me. I’ll aim to bring this out this week or next.
      Peter

    1. Hi Jos,

      Thanks (obviously my DuckDuckGo-fu skills failed me this time)! I agree that this seems a great little program. You can configure Little Snitch to act as a VPN kill switch, and then VPN monitor will try to reconnect your VPN asap. Nice.

  12. An alternative approach if you use MAC OS X, is to use an App like “VPN Monitor” which will, immediately (no delay, no polling) reconnect the dropped VPN service or fall back on another VPN server if the preferred service is not reachable. This is usually done under a second. If you are really paranoid, you can add Little Snitch to block traffic when the VPN is down during the reconnect attempt.

    1. Hi Jos,

      Thanks for the tips (little snitch is an outgoing Firewall app for OSX). The ‘VPN Monitor’ app sounds great, but I am unable to locate it – perhaps you could send a link?

  13. Just thought people should know, Private Internet Access’ VPN Kill Switch, isn’t working ATM. What upsets me most, is they knew about the issue for at least a month, according to their forums, but did not send a general alert out to their customers. This has made me doubt their integrity and professionalism, so I’ll be looking at other options.

    Thanks for the info on VPNetMon, it does the job correctly.

  14. VPN Check did all I have asked for; with VPNetMon I wasn’t successful yet. It seems that VPN Check can be used with more than one VPN because it doesn’t need to know the IP address of the VPN. Problem solved! Thanks again.

    1. Hi Mango,

      I’m glad you liked the article, and that VPN Check is working out for you. I use VPNetMon without any issues, but then I run just one VPN at a time.

  15. Pete, thank you for this extremely helpful article! I am just beginning to use VPNs and still figuring out whether it is possible to switch between CyberGhost, VPN4ALL and HMA without ruining the installation of the other VPNs. I installed HMA at last, and the other two VPNs don’t seem to like that. I searched for this topic when I realized that the AVAST firewall informs me at least every few hours that the connection ‘switches’ to my normal internet connection, whereas the VPS programmes don’t seem to realize that. Or they keep silent.

    It is not really important now whether I use a VPN or not, I am just experimenting with more data protection, and I don’t like the idea of being suddenly offline because I have to reboot in the worst case. And I wouldn’t like to lose at least 60 tabs in two browsers if they are closed down.

    In the moment I would be happy to get the information whether (a) the internet connection still works (WLAN, the Alfa USB adapter driver doesn’t seem to know whether it still connects) and (b) whether VPN is used.

    But if I desperately want to avoid a connection that doesn’t use the VPN I should use one of the two programmes (and the binding option in HMA) with all my internet programmes.

    Perhaps I should use two instances of the same programme with different ‘profiles’, so that I just get the information about the status of the VPN connection on ‘calm’ days, but on ‘stormy’ days the programmes and the connection will be closed immediately.

    I am already curious to read more on this website to improve my faible knowledge of the networking stuff. Perhaps there is a link somewhere to sites that teach computer network 101. 🙂

  16. Thanks for your reply.. I found out that VPNcheck is running on mono and probably won’t work with squeeze, which is Debian.. (as I have been told). But thanks again for your help.

  17. Hello.

    Thanks for a great post.

    However, I have a question. I couldn’t find a solution for a similar problem I have with my server, running Debian (openmediavault). I am connected to a VPN through a program called OpenVPN. There is no user interface, it all happens from a command line. But how do I make sure that the internet traffic is stopped if the connection fails? I realized that my greatest fear had come true, when my VPN subscription had run out, and my server was connected to the internet without any VPN protection…!!! 🙂 Do you have any idea what I can do to prevent this?

    Thanks for your time!!!

    Bob.

    1. Hi Bob,

      No, the generic open source OpenVPN client (any version, including GUI ones) does not provide an internet kill switch. On Windows and OSX this is why custom clients such as PIA’s have an edge, but I am not aware of any Linux (Debian or otherwise) clients that support this feature. However, VPN Check (which we talk about in the article) should work for you. We don’t currently have a Debian system set up to test this, so why not give it a try (the basic version is free), and let us know how you got on?

  18. Best way is to have the blocking logic in the router. Then you don’t have to worry about installing software or fiddling with O/s. And it works for any device which connects over the VPN.

  19. Another way:
    Have a dedicated server running a VPN -> a PC getting internet from that server running its own VPN (different type and brand, bitcoin paid) -> The torrent mentioned.

    Question:
    Will it be double crypted so the VPN running on the server doesn’t see what the client is doing? As in if the VPN service is unreliable it can’t rat you out if it goes wrong?

    1. Hi Paranoid,

      How is the second PC accessing the internet through the dedicated server? The normal method is for a VPN client to connect directly with a provider’s VPN server.
