I don't know exactly where you got Proton's claim from ... but this is what they say in their support section:
> A kill switch is a security feature that protects your IP address in case you unexpectedly lose the connection to a Proton VPN server. In case the connection is interrupted, a kill switch blocks all external network traffic to and from your device *> *until the connection is automatically re-established to the same VPN server. **
(my highlight)
source: https://protonvpn.com/support/what-is-kill-switch
This is generally how kill switch works basically everywhere. As it doesn't tear down the virtual network interface (including the redirect routes, routing your internet traffic via the VPN) until it has established a new connection to the remote server.
What is being demonstrated here is that the user implicitly *disconnects* the connection before starting to connect to the new chosen server.
A more accurate test for kill switch is to block the network traffic for the amount of time it takes for the VPN client to start "recovering" the connection by establishing a new connection *to the same* server. That new server may have a different IP address.
The reason this isn't possible to achieve when switching servers completely is that the encryption certificates would result in a mismatch, thus tearing down the connection as the client wouldn't be able to identify if it's a man-in-the-middle (MITM) attack happening, with a host trying to impersonate the real VPN server it should be connected to.
🐈⬛David Sommerseth
npub16u…s2f6s
2026-03-12 16:17:51 UTC
in reply to nevent1q…y843
Author Public Key
npub16undjuczsmkhvdzy3rvxglyvmc9vkjh5p64me8efzv4knetkhvgqds2f6sSeen on
wss://relay.momostr.pinkPublished at
2026-03-12 16:17:51 UTCEvent JSON
{
"id": "343db9115bef6cecd7df64e3cf93e9030a7a6a7667f9add40970141e5f5b4df0",
"pubkey": "d726d9730286ed76344488d8647c8cde0acb4af40eabbc9f29132b69e576bb10",
"created_at": 1773332271,
"kind": 1,
"tags": [
[
"e",
"55d179bfabb550012635f34ec7390e9a539b5b5b08e7d586a22144f973dfab3e",
"",
"root",
"6ed558644a36c275bbac67c50fc2cac2d43123c10fd4a384152297dc97750495"
],
[
"p",
"6ed558644a36c275bbac67c50fc2cac2d43123c10fd4a384152297dc97750495"
],
[
"proxy",
"https://infosec.exchange/@dazo/116217103773001644",
"web"
],
[
"proxy",
"https://infosec.exchange/users/dazo/statuses/116217103773001644",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://infosec.exchange/users/dazo/statuses/116217103773001644",
"pink.momostr"
],
[
"-"
]
],
"content": "I don't know exactly where you got Proton's claim from ... but this is what they say in their support section:\n\n\u003e A kill switch is a security feature that protects your IP address in case you unexpectedly lose the connection to a Proton VPN server. In case the connection is interrupted, a kill switch blocks all external network traffic to and from your device *\u003e *until the connection is automatically re-established to the same VPN server. **\n\n(my highlight)\nsource: https://protonvpn.com/support/what-is-kill-switch\n\nThis is generally how kill switch works basically everywhere. As it doesn't tear down the virtual network interface (including the redirect routes, routing your internet traffic via the VPN) until it has established a new connection to the remote server.\n\nWhat is being demonstrated here is that the user implicitly *disconnects* the connection before starting to connect to the new chosen server.\n\nA more accurate test for kill switch is to block the network traffic for the amount of time it takes for the VPN client to start \"recovering\" the connection by establishing a new connection *to the same* server. That new server may have a different IP address.\n\nThe reason this isn't possible to achieve when switching servers completely is that the encryption certificates would result in a mismatch, thus tearing down the connection as the client wouldn't be able to identify if it's a man-in-the-middle (MITM) attack happening, with a host trying to impersonate the real VPN server it should be connected to.",
"sig": "9385a74370b77da1eb00ac2866ab5100d4f7578564452143b406cb09b43d159fd4d7cca09b042b9c71e650ab2e07caec27f94ff730d1f12664fd96f0a68f5cec"
}