To understand how the Kill Switch works, you have to go back to how a VPN acts on the system.
Technically, a virtual private network relies on the creation of a virtual network interface, such as tun0 (for IP-level VPNs) or tap0 (for VPNs that simulate Ethernet). This interface takes over from the physical network card and redirects all traffic to a remote server, encrypting it on the way. As long as the tunnel is active, all traffic must pass through this secure channel, without exception.
But in the event of a drop, whether caused by an unstable connection, a server change or a software interruption, the VPN interface stops working. Depending on the system configuration, traffic can then fall back by default to the physical network card, or be temporarily blocked while the session is re-established. In either case, if no protective mechanism is active, traffic can resume without any alert, without encryption, and with your real IP address.
It is precisely this silent switchover that the Kill Switch is designed to block. Depending on the implementation, once activated it monitors the interfaces, the network routes or the VPN session, and immediately blocks any communication attempt that would bypass the VPN interface, whether through implicit or explicit redirection. The point is not simply to “cut the internet”, but to prevent any automatic redirection outside the tunnel, whether towards the local network or the internet.