Proton VPN Cracks a Stubborn Windows Puzzle: How Three Critical Features Can Finally Work in Harmony

Proton VPN has resolved a long-standing Windows limitation that prevented its kill switch, split tunneling, and Stealth protocol from running simultaneously, delivering a critical upgrade for privacy-conscious users operating in high-risk environments worldwide.
Proton VPN Cracks a Stubborn Windows Puzzle: How Three Critical Features Can Finally Work in Harmony
Written by Emma Rogers

For years, virtual private network users on Windows have been forced into an uncomfortable trade-off: choose maximum security or choose full functionality, but don’t expect both at the same time. Proton VPN, the privacy-focused service born out of CERN and headquartered in Switzerland, has now resolved a long-standing technical limitation that prevented three of its most important features from operating simultaneously on Windows machines. The fix, quietly rolled out in a recent update, addresses a frustration that power users and enterprise security teams have grappled with since the features were first introduced.

The three features in question — the kill switch, split tunneling, and the proprietary Stealth protocol — represent the backbone of a serious VPN deployment. The kill switch ensures that no internet traffic leaks outside the encrypted tunnel if the VPN connection drops unexpectedly. Split tunneling allows users to route only selected applications or traffic through the VPN while letting other traffic flow directly to the internet, a critical capability for anyone who needs to access local network resources or bandwidth-sensitive services alongside VPN-protected browsing. And Stealth, Proton VPN’s obfuscation protocol, is designed to disguise VPN traffic so that it can evade deep packet inspection and censorship firewalls — a tool of enormous importance for users in countries with restrictive internet regimes. As TechRadar reported, the inability to use all three features together on Windows had been a notable gap in Proton VPN’s offering, one that the company has now closed.

Why the Three-Feature Conflict Persisted on Windows

The technical challenge behind this limitation was rooted in how Windows handles network traffic at the operating system level. VPN kill switches typically work by modifying firewall rules or network adapter configurations to block all non-VPN traffic. Split tunneling, meanwhile, requires granular control over which packets are routed through the VPN tunnel and which are allowed to bypass it. These two features already create a complex interplay of routing rules and firewall exceptions. Adding Stealth — which wraps VPN traffic in an additional layer of obfuscation using TLS — introduced yet another variable into an already delicate system. On Windows, where the networking stack behaves differently than on Linux or macOS, getting all three to coexist without conflicts proved to be a significant engineering challenge.

Proton VPN’s development team had previously acknowledged the limitation, and users who attempted to enable all three features simultaneously would find that certain combinations were simply unavailable in the client interface. The kill switch might be grayed out when Stealth and split tunneling were active, or split tunneling options would disappear when the Stealth protocol was selected. This forced users into difficult choices. A journalist working in a censorship-heavy environment, for example, might need Stealth to connect at all, but also need split tunneling to access local services and a kill switch to ensure that a dropped connection didn’t expose their identity. Until now, that user would have had to sacrifice at least one layer of protection.

A Fix That Reflects Proton’s Broader Engineering Ambitions

The resolution of this three-way conflict is more than a minor patch — it reflects the maturation of Proton VPN’s Windows client architecture. According to details shared by the company and reported by TechRadar, the fix required reworking how the Windows client manages network routing rules when multiple features are active simultaneously. Rather than applying each feature’s rules independently — which created conflicts — the updated client now uses a unified approach to traffic management that accounts for the interactions between the kill switch, split tunneling, and Stealth protocol from the outset.

This kind of architectural work is often invisible to end users but is precisely the sort of deep engineering that separates enterprise-grade VPN services from consumer-oriented offerings. Proton VPN has been steadily positioning itself as a serious contender in the privacy and security market, competing not only with consumer VPN brands like NordVPN and ExpressVPN but also with more security-focused tools used by journalists, activists, and organizations operating in high-risk environments. The ability to run all three features simultaneously on Windows — the world’s most widely used desktop operating system — closes a gap that competitors could have exploited as a differentiator.

The Kill Switch: Why It Cannot Be Optional for Serious Users

The importance of the kill switch in a VPN deployment cannot be overstated. When a VPN connection drops, even momentarily, the user’s real IP address and unencrypted traffic can be exposed to their internet service provider, network administrators, or surveillance systems. For the average consumer streaming geo-restricted content, this might be a minor inconvenience. For a dissident communicating from within an authoritarian state, it can be a matter of personal safety. Kill switches have become a standard feature across the VPN industry, but their implementation varies widely. Some providers offer application-level kill switches that only block traffic from specific apps, while others implement system-wide kill switches that halt all internet activity until the VPN reconnects. Proton VPN offers the latter, more comprehensive approach, which is precisely why its interaction with other features was so technically complex.

Split tunneling, for its part, has become increasingly essential as remote work has blurred the boundaries between personal and professional internet use. An employee working from home might need to route corporate traffic through a VPN while allowing personal streaming or local printer access to bypass the tunnel. Without split tunneling, all traffic goes through the VPN, which can introduce latency, reduce bandwidth, and prevent access to local network devices. The feature is also valuable for users who need to access services that block VPN traffic — banking applications, for instance — while maintaining VPN protection for everything else.

Stealth Protocol and the Fight Against Censorship

Proton VPN’s Stealth protocol occupies a particularly critical niche. Traditional VPN protocols like OpenVPN and WireGuard, while secure, produce traffic patterns that are relatively easy for sophisticated censorship systems to identify and block. Countries like China, Russia, Iran, and others have invested heavily in deep packet inspection technology that can detect and throttle or block VPN connections. Stealth addresses this by disguising VPN traffic to look like ordinary HTTPS web browsing, making it far more difficult for censorship systems to distinguish VPN traffic from regular internet use.

The protocol was developed specifically for users in restrictive environments, and its importance has grown as internet censorship has intensified globally. Freedom House’s annual Freedom on the Net report has documented a steady decline in internet freedom across dozens of countries, with VPN blocking becoming an increasingly common tactic. For users in these environments, Stealth isn’t a nice-to-have feature — it’s the difference between being able to connect to the open internet and being cut off entirely. The fact that these users can now combine Stealth with both a kill switch and split tunneling on Windows represents a meaningful improvement in their security posture.

What This Means for the Competitive VPN Market

Proton VPN’s fix arrives at a time when the VPN industry is undergoing significant consolidation and differentiation. The market has moved well beyond simple IP-masking services, with leading providers competing on the basis of protocol innovation, server infrastructure, transparency, and the depth of their security feature sets. Proton VPN has leaned heavily into its Swiss jurisdiction, its open-source client code, and its roots in the privacy-focused community that grew up around CERN and ProtonMail (now Proton Mail). The company’s decision to make its VPN client open source and subject to independent security audits has been a key differentiator, and the resolution of the three-feature conflict on Windows reinforces its commitment to technical rigor.

Competitors will likely take note. NordVPN, for instance, offers its own obfuscation technology and split tunneling capabilities, but the seamless integration of all three features — kill switch, split tunneling, and obfuscation — on Windows is not something every provider has achieved. As VPN usage continues to grow, driven by both privacy concerns and the practical demands of remote work, the ability to offer a fully functional, no-compromise security suite on the world’s dominant desktop platform becomes an increasingly important selling point.

The Road Ahead for Proton VPN’s Windows Client

Proton VPN has not disclosed the full technical details of how the routing conflict was resolved, which is understandable given that such information could be useful to adversaries seeking to fingerprint or block the service. However, the company has a track record of publishing detailed technical blog posts about its protocol development and security architecture, and it would not be surprising to see a more thorough explanation in the coming weeks. The open-source nature of the client also means that independent security researchers will be able to examine the changes and verify that the integration of the three features does not introduce new vulnerabilities.

For now, Windows users of Proton VPN should ensure they are running the latest version of the client to take advantage of the fix. The update is available through the standard update mechanism within the application. Users who rely on any combination of the kill switch, split tunneling, and Stealth protocol are advised to test their configurations after updating to confirm that all three features are functioning as expected. In a world where digital privacy is under constant pressure from both state and commercial actors, the ability to deploy every available security tool simultaneously — without compromise — is not a luxury. It is a necessity.

Subscribe for Updates

AppSecurityUpdate Newsletter

Critical application security news and insights developers and security teams need—covering real-world vulnerabilities, emerging risks, and practical remediation without the noise.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us