Hi folks, just some notes from the Proton VPN team that may be helpful, and some updates on what we are working on in this area:
Kill Switch for Linux
The Proton VPN Linux kill switch (https://protonvpn.com/support/advanced-kill-switch, as of v4.2.0 and above) uses a routing-table enforcement model that is standard for Linux networking. All outbound traffic is forced through a non-routable sink interface unless the VPN tunnel is active. This prevents applications from leaking traffic during unexpected disconnections.
A scenario highlighted in this discussion involves an advanced user manually binding an application with the appropriate privileges to a physical network interface. Such bindings intentionally bypass the system routing table and therefore bypass any routing-based firewall or kill-switch mechanism.
For typical users operating in a default environment, the kill switch prevents leaks as designed. For advanced users who intentionally create custom routing or interface-level rules, having the VPN interfere with this would naturally be undesirable. However, we are actively evaluating additional enforcement layers to provide stronger safeguards against accidental misconfiguration - but without interfering with intended user behaviour.
macOS Server Reconnection
A valid concern was raised about IP exposure during server switches on macOS. There are some mitigations against this in place - users are warned before switching servers that their VPN connection may be briefly interrupted, and users using any VPN on any platform are advised to bind to the VPN interface when torrenting (https://protonvpn.com/support/bittorrent-vpn). This is not, however, as robust as we would like.
As some posts in this thread have already pointed out, kill-switch limitations on macOS stem more from the OS itself, rather than specific individual VPN implementations. These limitations are documented in our knowledge base, but based on the feedback that we have received, we are presently revising them for clarity and to ensure that no one is inadvertently misled as to how Proton VPN handles these limitations. Proton VPN uses Apple’s Network Extension framework, which provides only limited control over how the operating system handles traffic during transitions such as tunnel renegotiation. Apple’s networking stack restricts low-level firewall and routing manipulation, making certain enforcement mechanisms that exist on other platforms technically impossible or unreliable on macOS.
Despite these platform constraints, we recognise that users expect the kill switch to behave as a leak-prevention mechanism across all operating systems, and ideally without additional measures being required by the user for their protection. To address this expectation, we had already started exploring alternative approaches on macOS to ensure that Proton VPN meets both our internal standards and the strict criteria valued by this community.
An alternative used by other VPNs involves a tunnel interface set up by a daemon that runs without a sandbox on the user’s machine with elevated privileges. We did consider this solution, but rejected it. The legacy APIs that are used are ones that Apple has heavily signalled that they intend to deprecate, so this was not going to be a long-term, reliable solution.
What we are doing instead is baking the protections into the network stack itself to ensure that the protected tunnel must always be retained even when the connection is interrupted - either accidentally, or during server switches. This new cross-platform network architecture was the main thing that we were working on during our Autumn/Winter roadmap cycle (https://protonvpn.com/blog/product-roadmap-winter-2025-2026#:~:text=a%20random%20country.-,A%20new%20VPN%20architecture,-A%20powerful%20and). We haven’t officially announced our Spring/Summer roadmap for Proton VPN yet, but we can confirm now that we will be rolling this out in the first half of the Spring/Summer roadmap cycle.
We will publish updates as these start to roll into beta and production, and we welcome feedback from privacy-focused users who want to contribute insights.
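
An added example, not part of the post above and not Proton VPN code: because a routing-table kill switch does not see sockets bound directly to an interface, one way to audit a Linux host for them is to read `ss -H -tun` output, where a device-bound socket's local address is printed as `addr%dev:port`. The sample lines, the interface names (`tun0`, `enp3s0`) and the allow-list are constructed assumptions.

```python
import re

# Constructed sample of `ss -H -tun` output (not captured from a real host).
# Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
udp UNCONN 0 0 10.2.0.2:51820 0.0.0.0:*
tcp ESTAB 0 0 10.2.0.2:40112 198.51.100.20:443
tcp ESTAB 0 0 192.168.1.23%enp3s0:51413 203.0.113.7:6881
tcp LISTEN 0 128 127.0.0.1%lo:631 0.0.0.0:*
tcp ESTAB 0 0 [fd00::23]%enp3s0:51414 [2001:db8::7]:6881
"""

# ss prints a device-bound socket's local address as addr%dev:port.
BOUND = re.compile(r"^(?P<addr>.+)%(?P<dev>[^%:\s]+):(?P<port>[^:\s]+)$")


def bound_sockets(ss_output):
    """Return every socket whose local address carries a %dev suffix."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or truncated line
        m = BOUND.match(fields[4])
        if m:
            found.append({"proto": fields[0], "state": fields[1],
                          "local": m["addr"].strip("[]"), "dev": m["dev"],
                          "port": m["port"], "peer": fields[5]})
    return found


def bypass_candidates(ss_output, allowed_devs):
    """Device-bound sockets on interfaces other than the allowed ones."""
    return [s for s in bound_sockets(ss_output) if s["dev"] not in allowed_devs]


if __name__ == "__main__":
    # "tun0" stands in for the VPN tunnel interface (assumed name).
    for s in bypass_candidates(SAMPLE_SS, {"lo", "tun0"}):
        print(f'{s["proto"]} {s["local"]}:{s["port"]} -> {s["peer"]} bound to {s["dev"]}')
```

Sockets bound to the tunnel interface itself, as the torrenting advice in the post recommends, pass the check once that interface's real name is in the allow-list.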