For most Windows users, simply connecting to Surfshark VPN through the desktop app encrypts traffic from web browsers and some other internet-enabled software. But here’s the catch: not all apps route their data through the VPN tunnel by default. Certain Windows applications, especially older programs or system-level tools, can still leak your real IP if they connect outside the VPN tunnel.
If your goal is complete privacy and security, you’ll want to force Surfshark VPN to handle all internet traffic on your Windows device — whether it’s Chrome, Steam, Outlook, Spotify, or background services. This guide will walk you through exactly how to do that, with step-by-step setup tips, technical explanations, and advanced configurations to ensure no app bypasses your VPN.
Even when you think your VPN is active, certain Windows services or apps can:
Use split connections (partial VPN routing) without you realizing it.
Rely on direct system DNS lookups that leak your location.
Automatically switch to a direct internet connection if the VPN drops for a second.
Continue syncing or updating in the background without VPN encryption.
By forcing Surfshark VPN to handle all outbound and inbound connections on your PC:
Every app, service, and background process uses the VPN tunnel.
You eliminate accidental IP leaks and DNS leaks.
You add an extra defense against ISP logging and traffic shaping.
You protect sensitive programs like email clients, banking apps, and VoIP tools.
The Surfshark Windows app installs a virtual network adapter (TAP adapter or WireGuard interface) that acts as your new secure gateway. By default:
The adapter is given higher priority in Windows’ network routing table.
Supported apps automatically send their data through it.
The app’s Kill Switch cuts traffic if the VPN drops.
However, certain Windows processes may still use local or fallback routes — especially if you manually configured IP settings or use third-party networking tools.
That’s where “forcing” comes in — we’re going to make sure the VPN adapter is the only active route for all applications.
Surfshark’s Windows app includes two Kill Switch modes:
Soft Kill Switch – Stops internet access if VPN is disconnected, but allows reconnecting without restarting.
Strict Kill Switch – Blocks all internet traffic outside the VPN at all times.
To enable strict mode:
Open the Surfshark VPN app on Windows.
Go to Settings → VPN Settings → Kill Switch.
Enable Strict mode.
With strict mode on, every single app on Windows must use the VPN — even background Windows Update downloads won’t bypass it. If the VPN is not active, there’s simply no connection at all.
For even more control, you can configure Windows Firewall to only allow internet traffic through the Surfshark VPN adapter.
Press Win + R → type wf.msc → press Enter to open Windows Defender Firewall.
In the left panel, click Advanced settings.
Go to Outbound Rules → New Rule.
Select Custom and click Next.
For Program, choose All programs.
For Protocol and Ports, leave as default.
For Scope, leave blank.
Under Which remote IP addresses, select These IP addresses → Add Surfshark VPN server IP ranges (optional) or just proceed for adapter control.
Under Which network connection types, choose Local area network types → deselect everything except the VPN interface.
Choose Block the connection for all other network profiles (Domain, Private, Public).
Name it something like Block Non-VPN Traffic.
This ensures any traffic outside the VPN tunnel is blocked at the OS level — even if a rogue app tries to connect directly.
Surfshark’s Bypasser is usually used to exclude apps from the VPN tunnel, but you can also reverse the logic — exclude everything except the apps you want, forcing those to only work with VPN.
While this doesn’t force all traffic through the VPN, it’s a great option if you want a selective lockdown for sensitive programs like:
Torrent clients
Email software
Banking apps
Secure messaging platforms
If you want to ensure every device and app on your network uses Surfshark, you can install Surfshark VPN on your router. This forces all outgoing connections — including those from Windows — through the VPN, no matter what app is running.
Covers devices that don’t support VPN apps (smart TVs, game consoles).
No risk of app-level bypass.
Works even if the Surfshark Windows app is closed.
Tip: Use a router with policy-based routing so you can still exclude certain devices if needed.
Once you’ve set up forced VPN routing, you should test it to make sure there are no leaks.
IP Leak Test – Visit sites like ipleak.net or dnsleaktest.com to verify only the VPN IP appears.
App Traffic Check – Use tools like GlassWire or Wireshark to see which interface each app is using.
Disconnect VPN – Ensure no app continues to access the internet without Surfshark.
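The app traffic check can also be scripted with built-in PowerShell cmdlets. This is an added example, not part of the original guide or Surfshark's tooling: it flags established connections whose local address is not on the VPN adapter and whose remote end is not loopback or a private LAN range. The sample rows, addresses and PIDs are constructed, and the VPN adapter alias is a placeholder.

```powershell
# Added example. Sample rows are constructed; on a live system use instead:
#   $conns = Get-NetTCPConnection -State Established
#   $vpnIp = (Get-NetIPAddress -InterfaceAlias '<VPN adapter alias>').IPAddress
function Find-NonVpnConnection {
    param(
        [Parameter(Mandatory)][object[]]$Connections,   # shape of Get-NetTCPConnection output
        [Parameter(Mandatory)][string[]]$VpnAddresses,  # local IPs assigned to the VPN adapter
        [string[]]$AllowedRemotes = @()                 # e.g. the VPN server the tunnel itself talks to
    )
    # Loopback, RFC 1918, link-local: local traffic, not an internet leak.
    $privateNets = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|::1$|fe80:)'

    $Connections |
        Where-Object {
            $_.LocalAddress  -notin    $VpnAddresses   -and
            $_.RemoteAddress -notin    $AllowedRemotes -and
            $_.RemoteAddress -notmatch $privateNets
        } |
        Group-Object OwningProcess |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId   = [int]$_.Name           # resolve with Get-Process -Id on a live system
                Connections = $_.Count
                Remotes     = ($_.Group.RemoteAddress | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample: 10.14.0.2 stands in for the VPN adapter address,
# 192.168.1.23 for the Wi-Fi address.
$conns = @(
    [pscustomobject]@{ LocalAddress='10.14.0.2';    RemoteAddress='198.51.100.20'; OwningProcess=4120 }
    [pscustomobject]@{ LocalAddress='192.168.1.23'; RemoteAddress='203.0.113.80';  OwningProcess=5336 }
    [pscustomobject]@{ LocalAddress='192.168.1.23'; RemoteAddress='203.0.113.81';  OwningProcess=5336 }
    [pscustomobject]@{ LocalAddress='192.168.1.23'; RemoteAddress='192.168.1.10';  OwningProcess=4    }
    [pscustomobject]@{ LocalAddress='127.0.0.1';    RemoteAddress='127.0.0.1';     OwningProcess=900  }
)

# Only PID 5336 is reported: two internet connections sourced from the Wi-Fi address.
Find-NonVpnConnection -Connections $conns -VpnAddresses '10.14.0.2' | Format-Table -AutoSize
```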
Windows power settings can disable the VPN adapter during sleep mode.
Fix: Go to Device Manager → Network adapters → Surfshark Adapter → Properties → Power Management → uncheck “Allow the computer to turn off this device to save power.”
Certain apps hardcode their own DNS or IP.
Fix: Enable NoBorders mode in Surfshark, and force all DNS queries through the VPN in adapter settings.
Routing all traffic through the VPN means even low-priority background tasks (updates, syncs) use encryption.
Fix: Switch to WireGuard protocol in Surfshark for maximum speed.
For Windows power users, Netsh (a built-in Windows networking tool) offers a way to adjust routing rules so that only the Surfshark VPN adapter can handle internet traffic.
Open Command Prompt as Administrator.
Type netsh interface ipv4 show interfaces to list all network interfaces.
Note the Index number for the Surfshark VPN adapter.
Use netsh interface ipv4 set interface [INDEX] metric=1 to give Surfshark the highest priority.
For all other adapters (Wi-Fi, Ethernet), set metrics higher than 1 so Windows routes traffic through Surfshark by default.
Save changes and restart your PC.
This prevents Windows from using non-VPN adapters unless Surfshark is disconnected intentionally.
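To see what the metric change does and does not do, the following added example (not from the original guide) models Windows route selection: the longest matching prefix wins first, and only ties are broken by route metric plus interface metric. The routes, metrics and the 'SurfsharkVPN' alias are constructed; on a live system pass the output of Get-NetRoute -AddressFamily IPv4 instead.

```powershell
# Added example. All route entries and the adapter alias below are constructed.
function ConvertTo-IPv4Number ([string]$Ip) {
    [uint64]$n = 0
    foreach ($octet in $Ip.Split('.')) { $n = $n * 256 + [uint64]$octet }
    $n
}

function Select-Route {
    param([Parameter(Mandatory)][object[]]$Routes, [Parameter(Mandatory)][string]$Destination)
    $d = ConvertTo-IPv4Number $Destination
    $Routes |
        Where-Object {
            # Keep routes whose prefix contains the destination.
            $net, $len = $_.DestinationPrefix.Split('/')
            $div = [math]::Pow(2, 32 - [int]$len)
            [math]::Floor($d / $div) -eq [math]::Floor((ConvertTo-IPv4Number $net) / $div)
        } |
        Sort-Object -Property `
            @{ Expression = { [int]$_.DestinationPrefix.Split('/')[1] }; Descending = $true },
            @{ Expression = { $_.RouteMetric + $_.InterfaceMetric } } |
        Select-Object -First 1
}

# State after "netsh interface ipv4 set interface [INDEX] metric=1" on the VPN adapter.
$routes = @(
    [pscustomobject]@{ DestinationPrefix='0.0.0.0/0';      InterfaceAlias='SurfsharkVPN'; RouteMetric=0;   InterfaceMetric=1  }
    [pscustomobject]@{ DestinationPrefix='0.0.0.0/0';      InterfaceAlias='Wi-Fi';        RouteMetric=0;   InterfaceMetric=35 }
    [pscustomobject]@{ DestinationPrefix='192.168.1.0/24'; InterfaceAlias='Wi-Fi';        RouteMetric=256; InterfaceMetric=35 }
)

foreach ($dest in '198.51.100.7', '192.168.1.50') {
    $withVpn    = Select-Route -Routes $routes -Destination $dest
    $withoutVpn = Select-Route -Destination $dest `
                    -Routes ($routes | Where-Object InterfaceAlias -ne 'SurfsharkVPN')
    [pscustomobject]@{
        Destination   = $dest
        VpnUp         = $withVpn.InterfaceAlias      # 198.51.100.7 -> SurfsharkVPN, 192.168.1.50 -> Wi-Fi
        VpnRoutesGone = $withoutVpn.InterfaceAlias   # both -> Wi-Fi
    }
}
```

The LAN destination uses Wi-Fi even with the VPN metric at 1, and internet traffic falls back to Wi-Fi once the VPN routes disappear, which is why the metric change is paired with the Strict Kill Switch or a firewall rule.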
If you need more detailed control than Windows Firewall provides, third-party tools like SimpleWall, GlassWire, or Comodo Firewall can block all traffic unless it’s going through the Surfshark interface.
Advantages of this approach:
Easier to manage rules per application.
Real-time notifications if an app tries to bypass the VPN.
More advanced logging than the default Windows firewall.
Some apps and games simply won’t function when all their traffic is forced through a VPN — often because of anti-VPN measures or geo-blocking rules.
Examples include:
Certain online multiplayer games
Banking websites with strict location checks
Streaming platforms with aggressive VPN detection
Use Surfshark’s Bypasser to exclude the problematic app.
Temporarily disable Strict Kill Switch when you need to use it without VPN.
Connect to a VPN server physically closer to your real location to avoid suspicion.
Even when all traffic goes through Surfshark, DNS leaks can still occur if Windows uses local DNS resolvers. To avoid this:
Go to Control Panel → Network and Sharing Center.
Click Change adapter settings.
Right-click the Surfshark VPN adapter → Properties.
Select Internet Protocol Version 4 (TCP/IPv4) → Properties.
Select “Use the following DNS server addresses” and enter Surfshark’s DNS (often 162.252.172.57 and 149.154.159.92), or use a trusted encrypted DNS provider.
Repeat for IPv6 if necessary.
This ensures that DNS lookups are encrypted and routed through the VPN tunnel.
If you run virtual machines (VMware, VirtualBox, Hyper-V) alongside your main Windows system, you should also force those VMs to use the VPN.
Options include:
Installing Surfshark directly inside the virtual machine OS.
Bridging the VM’s network adapter to the VPN adapter in Windows.
Routing the VM through a VPN-enabled virtual router.
This prevents the VM from leaking traffic outside Surfshark’s tunnel.
To keep your “force all apps through Surfshark” setup working smoothly:
Update Surfshark regularly to get protocol improvements and bug fixes.
Check your routing table after Windows updates — some updates reset adapter priorities.
Run periodic leak tests using multiple services.
Monitor your connection speed and switch servers if performance drops.
Routing everything through the VPN can sometimes impact speed. To reduce slowdowns:
Always use WireGuard protocol for maximum throughput.
Choose the nearest Surfshark server to your location.
Avoid double encryption modes (like MultiHop) unless needed.
Close background apps that consume bandwidth.
Forcing all Windows apps to use Surfshark VPN isn’t just about hiding your IP — it also:
Shields vulnerable apps from direct exposure to the internet.
Prevents malware from “phoning home” without encryption.
Blocks ISP-level packet sniffing for all types of traffic, not just browsers.
Adds a layer of anonymity for P2P and VoIP usage.
If after setting this up you still notice bypass traffic:
Ensure Surfshark’s Strict Kill Switch is enabled.
Double-check Windows Firewall rules for adapter enforcement.
Verify that the VPN adapter is top priority in network metrics.
Look for third-party apps that override system proxy settings.
Restart Windows after every major configuration change.
Forcing Surfshark VPN to route all Windows app traffic is one of the most reliable ways to maintain complete online privacy. By combining Surfshark’s built-in Kill Switch with Windows Firewall rules, adapter priority adjustments, and DNS leak prevention, you create a secure environment where no application can bypass the encrypted tunnel — whether intentionally or by accident.
This setup takes a bit of time to implement, but once it’s in place, your Windows device becomes a fully locked-down VPN-only system. From web browsing and gaming to software updates and background sync, everything is protected under Surfshark’s encryption, keeping your identity, location, and data safe from prying eyes.