How to Fix WiFi Disconnecting When a VPN Is Active: Split Tunneling, Kill Switch, and Protocol Fixes
WiFi dropping the moment you connect your VPN? The culprit is usually a kill switch, an MTU mismatch, or the wrong protocol. Here are seven targeted fixes to keep you online.
Running a VPN protects your privacy, but it comes with a frustrating side effect: your WiFi can drop entirely the moment the VPN connects — or cut out repeatedly while the tunnel is active. The problem is almost never your router or ISP. It’s an interaction between the VPN client, its kill switch, the protocol it uses, and how your operating system handles the resulting traffic. Here is how to diagnose and fix each cause systematically.
Why a VPN Can Kill Your WiFi Connection
A VPN wraps every packet in an encrypted envelope before sending it to a remote server. This changes three things your network stack normally assumes: the packet size (MTU), the DNS resolver, and the default route. Any misconfiguration in these areas produces symptoms that look like a WiFi drop but are actually a routing or policy failure. The most common single cause is the VPN client’s kill switch activating when it should not.
Fix 1: Understand and Configure Your Kill Switch
A kill switch is a feature built into virtually every major VPN client — NordVPN, ExpressVPN, ProtonVPN, Mullvad, and others. When the VPN tunnel drops unexpectedly, the kill switch blocks all internet traffic to prevent your real IP from leaking. From your perspective, WiFi appears to disconnect instantly.
The fix depends on why the tunnel is dropping in the first place. If the VPN server is overloaded or temporarily unreachable, your kill switch will fire repeatedly. Switch to a different server in the same region and test again. If the tunnel is stable after that change, the original server was the problem.
On Android, the built-in “Always-on VPN” kill switch in Settings → Network & internet → VPN can conflict with the VPN app’s own kill switch. Use one or the other, not both. On captive-portal networks (hotels, airports), disable the kill switch temporarily to load the login page, then re-enable it after authentication.
Fix 2: Switch to a Better VPN Protocol
VPN protocols differ dramatically in how they handle unstable networks and network transitions. WireGuard is the best choice for most users in 2026: it uses a leaner handshake, recovers faster from brief signal interruptions, and can switch between WiFi and mobile data without rebuilding the tunnel from scratch. IKEv2/IPsec is the second-best option for mobile and handles network changes gracefully.
OpenVPN UDP is the most common default but the most likely to stall when packet loss is high — UDP drops silently. If you must use OpenVPN, switch to OpenVPN TCP for more reliable delivery on congested or high-loss connections. In your VPN app’s settings, look for a “Protocol” or “Connection type” selector and try WireGuard first.
Fix 3: Fix MTU Fragmentation
Every VPN protocol wraps your original packet in an encrypted outer envelope, consuming 40–80 bytes of overhead. On a standard 1500-byte Ethernet MTU, this leaves only 1420–1460 bytes for payload. If your VPN client doesn’t negotiate the MTU automatically, oversized packets get fragmented or silently dropped — causing pages to partially load, video streams to stall, and the connection to appear broken.
The safe starting value is 1420 bytes for WireGuard and 1400 bytes for OpenVPN. Set this in the VPN client’s advanced or interface settings. If problems persist, decrease in increments of 20 (1400, 1380, 1360) until traffic flows cleanly. Do not go below 1280, which is the IPv6 minimum MTU. See our guide on fixing WiFi MTU size issues for the full process.
Fix 4: Use Split Tunneling to Reduce Tunnel Load
Split tunneling lets you send only specific apps or destinations through the VPN while the rest of your traffic uses your normal connection. This reduces the load on the encrypted tunnel and eliminates disconnects caused by bandwidth-heavy traffic overwhelming the VPN server. Enable split tunneling in your VPN client and exclude video streaming apps, game clients, or large file transfers that don’t require VPN protection.
On Android, note that split tunneling and the system-level kill switch cannot run simultaneously — the OS will deadlock excluded apps. Use the VPN app’s own kill switch instead of the system setting if you need both features.
Fix 5: Disable IPv6 on Your Network Adapter
Many VPN clients tunnel IPv4 traffic correctly but leave IPv6 unrouted. When an IPv6-capable site or service tries to connect, the request bypasses the tunnel entirely, hits a firewall rule, and fails — appearing as a disconnect. Disable IPv6 on the adapter the VPN uses:
- Windows: Open Network Connections, right-click your WiFi adapter, choose Properties, uncheck Internet Protocol Version 6 (TCP/IPv6).
- macOS: Go to System Settings → Network, select WiFi, click Details, open the TCP/IP tab, and set Configure IPv6 to Link-local only.
- Linux: Add
net.ipv6.conf.all.disable_ipv6 = 1to/etc/sysctl.confand runsudo sysctl -p.
Fix 6: Disable Third-Party Firewall and Antivirus Interference
Security software — including Little Snitch on macOS, Malwarebytes, Bitdefender, and Windows Defender Firewall with custom rules — hooks into the network stack at a low level. After a VPN update or an OS update, these tools can misidentify the VPN tunnel interface and block it entirely. Temporarily disable each security tool and test whether the VPN holds a stable connection. Re-enable them one at a time to isolate the conflict, then create an exception for the VPN executable.
Fix 7: Flush DNS and Check for DNS Leaks
When a VPN connects, it should take over your DNS resolver. If it doesn’t, DNS queries leak outside the tunnel and create intermittent lookup failures that mimic a lost connection. After connecting to your VPN, visit a DNS leak test site and verify that the listed DNS server belongs to your VPN provider, not your ISP. If you see a leak, enable “DNS leak protection” in your VPN client settings, or manually set your DNS to the VPN provider’s resolver in your OS network settings.
After any protocol or setting change, flush the system DNS cache. On Windows run ipconfig /flushdns; on macOS run sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder.
Quick-Reference Fix Checklist
- Switch to a different VPN server in the same region
- Change protocol to WireGuard or IKEv2 in VPN client settings
- Set MTU to 1420 (WireGuard) or 1400 (OpenVPN) in VPN interface settings
- Enable split tunneling and exclude high-bandwidth apps
- Disable IPv6 on your WiFi adapter
- Temporarily disable third-party firewall and antivirus; add VPN exception
- Run a DNS leak test and enable DNS leak protection
- Flush DNS cache after making any change
If the VPN tunnel remains unstable after all of these steps, the bottleneck may be your router’s NAT table filling up under VPN load — particularly on older routers with limited RAM. See our guide on fixing double NAT issues for router-level fixes, and run a speed test before and after connecting to confirm how much throughput the VPN is consuming.
Related Articles
How to Fix Slow WiFi Speeds When Using a VPN: Split Tunneling, Protocol Selection, and Router-Level Tips
A VPN can cut your effective WiFi speed by 20–60%. Here’s how to recover most of that lost performance with split tunneling, smarter protocol choices, and a few router tweaks.
How to Fix CGNAT: What to Do When Your ISP Uses a Shared Public IP Address
CGNAT silently breaks port forwarding, self-hosting, and some gaming features. Here’s how to detect it, what it actually affects, and the five proven workarounds — from asking your ISP for a public IP to free VPN tunnels that bypass it entirely.
How to Fix Slow WiFi on a Hisense Roku TV: Band Selection, DNS, Roku Network Reset, and Firmware Update Fixes
Buffering or unstable WiFi on your Hisense Roku TV? From band selection and DNS to Roku’s hidden network reset, here are every proven fix in order from quickest to most thorough.