VPN Keeps Disconnecting? Every Fix Ranked by Cause


If your VPN keeps disconnecting, start with the protocol: switching to WireGuard resolves the problem for most users within two minutes. If WireGuard is not available or does not help, the cause is one of seven other specific things covered below, each with a concrete fix. This guide covers desktop and mobile, all major protocols, and is ordered by what actually drives the majority of drops in practice.

Every time the tunnel collapses and reconnects, your real IP address is briefly exposed, your downloads stall, and on a corporate network your access vanishes mid-session. The cause is almost always identifiable from the drop pattern alone. Use the table below to match your symptom to the right section.

Quick Symptom Reference

| Symptom | Most Likely Cause | Fix Section |
| --- | --- | --- |
| Drops every 1-3 minutes, reconnects instantly | Kill switch loop / protocol conflict | Kill Switch Loops |
| Drops when you move rooms or switch networks | Unstable Wi-Fi signal | Wi-Fi Instability |
| Slow, then disconnects on streaming or torrents | ISP throttling or server overload | ISP Throttling / Server Overload |
| Drops only on mobile, fine on desktop | Battery optimization killing the app | Mobile Battery Optimization |
| Connects then drops within 30 seconds | Firewall or antivirus blocking the tunnel | Firewall / Antivirus Interference |
| Frequent drops on public Wi-Fi or hotel networks | MTU mismatch causing packet loss | MTU Configuration |
| Drops specifically on router-level VPN | Router firmware / timeout settings | Router-Level VPN Drops |

Switch Your VPN Protocol First

Before you touch any other setting, try a different protocol. This resolves the problem for a significant share of users because different protocols handle network instability in completely different ways.

WireGuard is the most resilient option for most people. It uses UDP by default, reconnects in under a second after a brief signal drop, and has a far smaller codebase (roughly 4,000 lines versus OpenVPN’s 70,000+), meaning fewer failure points. If your VPN app offers WireGuard and you are not using it, switch now. The WireGuard project’s own documentation confirms the protocol is designed for silent roaming across network changes without dropping the session (wireguard.com/protocol).

OpenVPN over TCP is the right call when you are on a restrictive network, such as a hotel or corporate Wi-Fi that blocks standard VPN ports. TCP adds overhead but is far less likely to be dropped mid-session by packet inspection. The tradeoff is speed: TCP’s acknowledgment-and-retransmit mechanism adds roughly 15-25% latency overhead compared to UDP-based protocols under normal network conditions, as documented in the OpenVPN performance guidelines (openvpn.net/community-resources).

IKEv2/IPSec handles network transitions particularly well, which is why most mobile operating systems default to it for always-on VPN. If your phone drops the VPN every time you walk from Wi-Fi to cellular, IKEv2 with MOBIKE support (the extension that handles network changes mid-session, defined in RFC 4555) is the right pick. Check your VPN app settings; most providers expose the protocol selector under Connection or Advanced.

Protocol Comparison: Stability vs. Compatibility

| Protocol | Best for | Reconnect speed | Blocked by restrictive networks? |
| --- | --- | --- | --- |
| WireGuard | Most users; mobile roaming | Under 1 second | Sometimes (non-standard ports) |
| OpenVPN TCP port 443 | Hotel / corporate / carrier blocks | 3-8 seconds | Rarely |
| IKEv2 + MOBIKE | Wi-Fi-to-cellular transitions | 1-3 seconds | Sometimes (port 500 blocked) |
| OpenVPN UDP | Speed-priority on stable networks | 2-5 seconds | More often than TCP 443 |

Kill Switch Loops Are a Separate Problem

A kill switch is supposed to block all traffic when the VPN drops. A misconfigured kill switch creates a loop: VPN drops, kill switch blocks the reconnect attempt, VPN cannot reestablish, you wait indefinitely for a connection that never comes back.

The sign is specific. Your device shows no internet access after a disconnect, but when you manually disable the kill switch or restart the VPN app, connection restores immediately. That is a kill switch loop, not a VPN instability issue.

The fix: open your VPN app’s kill switch settings and look for an option called “Allow LAN traffic” or “Exclude private networks.” Enabling it lets the VPN app itself communicate with your router to reestablish the tunnel while blocking everything else. Most major clients (NordVPN, ExpressVPN, Mullvad) added this option in their 2023-2025 desktop app releases. If yours does not have it, disable the kill switch temporarily and re-enable it after the tunnel is stable.

On Windows, kill switch issues are compounded by Windows Filtering Platform (WFP) rules that persist after the VPN app crashes. A full reboot clears these. If you see frequent post-crash disconnect loops on Windows 10 or 11, reboot rather than just relaunching the app.

One limitation to acknowledge: if your VPN provider does not implement the “Allow LAN traffic” option, and your kill switch is non-negotiable for security reasons, the only reliable workaround is to switch to a provider that does. No client-side tweak substitutes for the feature being absent.

Wi-Fi Instability and What to Do About It

Your VPN tunnel runs on top of your network connection. If the underlying Wi-Fi signal is dropping frames or switching between the 2.4GHz and 5GHz bands, the VPN sees it as a dead connection and terminates the session.

The fastest diagnostic: open your router admin panel (usually 192.168.1.1 or 192.168.0.1) and check if band steering is enabled. Band steering automatically moves devices between 2.4GHz and 5GHz based on signal strength, and each switch looks like a brief network loss to any active VPN tunnel. Disabling band steering, or assigning your device a static band, eliminates this entirely.

If you are experiencing broader connectivity problems that outlast the VPN fix, check out our guide on wifi connected but no internet for a full diagnostic flow, including DNS flush steps and adapter reset commands.

For desktop, a wired Ethernet connection removes Wi-Fi instability from the equation completely. VPN drops over Ethernet are almost always a software issue, not a network issue, so this also helps narrow down the cause.

ISP Throttling and Server Overload

Some ISPs throttle VPN traffic specifically. They cannot decrypt it, but they can identify it by the destination port or traffic fingerprint and reduce its priority during peak hours. The pattern you see: VPN works fine at 7am, drops repeatedly between 7pm and 10pm. That is a throttling signature, not a VPN bug.

The fix on the protocol side is to switch to OpenVPN over TCP port 443 or enable your VPN’s obfuscation mode if available. Port 443 is the same port used by HTTPS, so throttling it would break most of the web; ISPs generally leave it alone. Mullvad’s Bridge mode and ExpressVPN’s Lightway protocol both use obfuscation by default and handle ISP-level interference well.

Server overload is a different cause with similar symptoms. A VPN server under heavy load drops tunnels when resources are exhausted. The fix is to connect to a less popular server in the same region rather than the auto-selected one. In most VPN apps, the server list shows load percentage; anything above 70% is worth avoiding. Switching from a US-East server to a US-West or Canadian server often resolves drops during peak US evening hours.

If you are also fighting slow speeds alongside the disconnections, the server load fix often addresses both. Our breakdown on how to increase your internet speed covers additional steps including QoS router settings that can help when your ISP is the bottleneck.
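
To check a client log against the two timing patterns this guide relies on (drops every 1-3 minutes versus drops clustered between 7pm and 10pm), the added example below buckets disconnect timestamps and labels the result. It is not taken from any VPN client: the log format, the sample lines, the function names and the 70% cut-offs are all assumptions made for the illustration.

```shell
# Added example: classify VPN drop timing against two patterns from this guide.
# Log format is constructed: "<local ISO-8601 timestamp> <EVENT>".

# Constructed sample: six drops over two days, five between 19:00 and 22:00.
sample_log() {
cat <<'EOF'
2026-06-01T07:02:11 CONNECT
2026-06-01T13:40:05 DISCONNECT
2026-06-01T19:14:52 DISCONNECT
2026-06-01T20:03:19 DISCONNECT
2026-06-01T21:47:30 DISCONNECT
2026-06-02T19:31:08 DISCONNECT
2026-06-02T20:55:41 DISCONNECT
EOF
}

# drop_stats: log on stdin -> "<drops> <evening_pct> <short_gap_pct>"
# evening = hour in [19, 22); short gap = 60-180 s between same-day drops
drop_stats() {
    awk '$2 == "DISCONNECT" {
        day = substr($1, 1, 10)
        h = substr($1, 12, 2) + 0
        t = h * 3600 + substr($1, 15, 2) * 60 + substr($1, 18, 2)
        drops++
        if (h >= 19 && h < 22) evening++
        if (day == prev_day) {
            gaps++
            if (t - prev_t >= 60 && t - prev_t <= 180) tight++
        }
        prev_day = day; prev_t = t
    }
    END {
        ep = drops ? int(evening * 100 / drops) : 0
        sp = gaps ? int(tight * 100 / gaps) : 0
        print drops + 0, ep, sp
    }'
}

# classify: log on stdin -> one label; the 70 % cut-offs are assumptions
classify() {
    drop_stats | {
        read -r drops ep sp
        if [ "$drops" -lt 3 ]; then echo "insufficient-data"
        elif [ "$sp" -ge 70 ]; then echo "repeating-1-3-minute-loop"
        elif [ "$ep" -ge 70 ]; then echo "evening-throttling-pattern"
        else echo "no-clear-pattern"; fi
    }
}
sample_log | classify   # label for the constructed sample
```

An evening cluster fits server overload as well as throttling, so retest on a lightly loaded server before blaming the ISP.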

Firewall and Antivirus Interference

Windows Defender, third-party antivirus suites, and network-level firewalls all inspect outbound traffic. Some treat VPN tunnel packets as suspicious and terminate them, particularly if the VPN is using a non-standard port or protocol.

The test: temporarily disable your antivirus real-time protection and try the VPN. If the disconnections stop, the antivirus was the cause. Do not leave protection disabled; add the VPN executable and its associated driver to the antivirus exclusion list instead. For Windows Defender, go to Virus and Threat Protection, then Exclusions, and add the VPN app’s install folder. For Malwarebytes, add the process in Settings under the Allow List.

On Windows, also check your firewall’s outbound rules. A rule that blocks UDP port 51820 (WireGuard’s registered default port per IANA) or UDP port 1194 (OpenVPN default) will cause immediate tunnel failure. On corporate machines, this is often enforced by group policy and requires an admin to resolve. The workaround is switching to OpenVPN over TCP port 443, which firewall rules almost never block.

Mobile Battery Optimization Kills VPN Connections

This is the most common reason a VPN keeps disconnecting on Android and, less often, on iOS. Android’s battery optimization puts background apps to sleep, which terminates their network connections. The VPN app loses its socket, the tunnel drops, and depending on your settings it may or may not reconnect when the screen turns back on.

On Android, the fix is to exempt your VPN app from battery optimization entirely. Go to Settings, then Apps, find your VPN app, open Battery settings (sometimes called Battery Usage), and select “Unrestricted” or “No restrictions.” The exact path varies by manufacturer: Samsung calls it “Battery optimization,” Xiaomi/MIUI calls it “No restrictions” under Battery Saver. Android’s official developer documentation classifies VPN apps as services that should be exempted from Doze mode restrictions for this exact reason (developer.android.com/training/monitoring-device-state).

Also enable “Always-on VPN” from Android’s built-in VPN settings (Settings, Network and Internet, VPN) rather than relying solely on the app. The OS-level VPN connection persists across app sleep cycles in a way the app-managed connection does not.

On iOS, VPN connections can drop when the phone goes to lock screen if the associated app is not designated as a “Network Extension.” This is handled by the VPN provider at the app level; there is no user setting to change. If your VPN drops on iOS specifically, switching to a provider whose iOS app uses the Network Extension API (rather than IKEv2 profiles) is the most reliable fix.

MTU Mismatch and Packet Loss

MTU (Maximum Transmission Unit) defines the largest packet your connection can carry. VPN tunnels add overhead to each packet, which means the effective MTU inside the tunnel is lower than your base connection’s MTU. When this is misconfigured, large packets get fragmented or silently dropped, causing the tunnel to stall and eventually time out.

The symptom is specific: the VPN connects and works for small requests (browsing, DNS lookups) but fails on large file transfers, video streaming, or any sustained data exchange. That fragmentation signature is almost always MTU.

For WireGuard, the recommended MTU is 1420 for most Ethernet connections and 1280 for connections that add additional overhead (cellular, PPPoE). You set this in the WireGuard configuration file under the [Interface] section. For OpenVPN, add --mssfix 1400 and --fragment 1400 to your config. Most modern VPN apps auto-detect MTU, but if you are using a custom config file or a self-hosted server, manual tuning is often necessary.

To find the optimal MTU for your specific connection, run a ping test with the “Do Not Fragment” flag set and incrementally lower the packet size until you stop seeing drops. On Windows: ping -f -l 1400 8.8.8.8, then lower 1400 until the ping succeeds without fragmentation. Add 28 bytes for IP and ICMP headers, and that is your MTU ceiling.
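
The ping procedure above, automated for Linux as an added example (not part of the original guide): a binary search for the largest payload that passes with Don't Fragment set, followed by the 28-byte header addition and a WireGuard MTU derived from the result. It assumes iputils ping, where -M do and -s are the counterparts of the Windows -f and -l flags; the function names are illustrative, and the 80-byte figure is WireGuard's worst-case overhead (40 IPv6 + 8 UDP + 32 WireGuard), which is what turns a 1500-byte path into the 1420 quoted above.

```shell
#!/bin/sh
# Added example: find the largest DF-flagged ICMP payload by binary search,
# then derive the path MTU and a WireGuard interface MTU from it.
# Assumes Linux iputils ping: -M do sets Don't Fragment, -s is payload bytes.

TARGET="${TARGET:-8.8.8.8}"   # probe address from the article's ping example

# probe SIZE: succeeds if a DF-flagged echo carrying SIZE payload bytes is answered
probe() {
    ping -M do -c 1 -W 1 -s "$1" "$TARGET" >/dev/null 2>&1
}

# find_payload LOW HIGH: prints the largest passing payload in [LOW, HIGH], or 0
find_payload() {
    lo=$1; hi=$2; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# path_mtu PAYLOAD: add 20 bytes IPv4 header + 8 bytes ICMP header
path_mtu() { echo $(( $1 + 28 )); }

# wg_mtu PATH_MTU: subtract WireGuard's worst-case overhead of 80 bytes
# (40 IPv6 + 8 UDP + 32 WireGuard framing); 1500 gives the article's 1420
wg_mtu() { echo $(( $1 - 80 )); }

# Run the live probe only when asked: sh mtu_probe.sh --run
if [ "${1:-}" = "--run" ]; then
    payload=$(find_payload 1200 1472)
    if [ "$payload" -eq 0 ]; then
        echo "no DF-flagged reply from $TARGET (ICMP filtered?)" >&2
        exit 1
    fi
    mtu=$(path_mtu "$payload")
    echo "largest payload: $payload  path MTU: $mtu"
    echo "[Interface] MTU = $(wg_mtu "$mtu")"
fi
```

Each size is probed once, so a single lost reply looks the same as an oversized packet; rerun on a lossy link before committing the value to a config.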

Router-Level VPN Drops

Running a VPN directly on your router means every device on your network gets the tunnel automatically. The failure mode is different from app-level VPNs. Routers have session timeout values, and a VPN tunnel that sits idle for too long gets dropped at the router level before the VPN server even knows there is a problem.

The most common cause on consumer routers running DD-WRT, OpenWRT, or Asus-WRT is the NAT keepalive interval. By default, many routers time out UDP sessions after 30-60 seconds of inactivity. Add --ping 10 --ping-restart 60 to your OpenVPN config to send keepalive packets every 10 seconds, which keeps the session open through the router’s NAT table.

For IKEv2 on routers, enable Dead Peer Detection (DPD) if your firmware supports it. DPD sends a probe every 30 seconds and tears down the tunnel cleanly if no response comes back in three attempts, then immediately reconnects, rather than leaving a half-open session that never recovers.

Router firmware matters too. Manufacturers like Asus and Netgear push firmware updates that change VPN handling behavior. If your router-level VPN drops started after a firmware update, rolling back one version and testing is a legitimate diagnostic step.

If you have tried a best free VPN option and still see drops, the problem is almost never the VPN tier itself; it is one of the protocol, network, or device-level causes above. Free VPN providers run smaller server fleets, so server overload is more likely, but the same fixes apply.

What this guide does not cover: enterprise VPN configurations (Cisco AnyConnect, GlobalProtect, Fortinet), split-tunnel policy conflicts set by IT administrators, or VPN drops caused by ISP-level deep packet inspection on a country-wide basis (common in some regions). Those require network administrator access to diagnose.

Information in this guide reflects VPN client behavior as of June 2026. Protocol specifications and app UI paths may change with provider updates.

Frequently Asked Questions

Why does my VPN keep disconnecting every few minutes?

Frequent disconnections every few minutes usually point to a kill switch loop, protocol mismatch, or server overload. Start by switching your VPN protocol to WireGuard if available, then check your kill switch settings for an “allow LAN traffic” option. If the drops happen on a schedule tied to time of day, ISP throttling is the more likely cause.

Why does my VPN disconnect when my phone screen turns off?

Android’s battery optimization puts the VPN app to sleep when the screen locks, which drops the tunnel. Go to Settings, Apps, your VPN app, Battery, and set it to “Unrestricted.” Also enable Always-on VPN from Android’s native VPN settings for a connection that persists through app sleep cycles.

Does changing VPN server fix disconnection issues?

Yes, when server overload is the cause. An overloaded server drops connections under heavy load. Switch to a server in the same region showing under 50% load in your VPN app’s server list. If the drops stop immediately, server overload was the culprit. This does not fix protocol, firewall, or MTU-related drops.

Why does my VPN work on Wi-Fi but not on mobile data?

Cellular carriers often block or throttle non-standard VPN ports. Switch to OpenVPN over TCP port 443, which mimics HTTPS traffic and is rarely blocked by carriers. Some carriers also block IKEv2 on port 500. WireGuard over port 443 (available in some providers as a custom config) is another option that clears most carrier-level blocks.

Can my antivirus software disconnect my VPN?

Yes. Antivirus programs that perform deep packet inspection can identify and terminate VPN tunnel packets. The fix is to add your VPN application folder and its associated driver files to the antivirus exclusion list rather than disabling protection entirely. On Windows Defender, exclusions live under Virus and Threat Protection settings.

What MTU setting should I use for a VPN?

For WireGuard on standard Ethernet, set MTU to 1420. For WireGuard over cellular or PPPoE, use 1280. For OpenVPN, add --mssfix 1400 to your configuration. If you are self-hosting or using a custom config, run a ping fragmentation test to find your specific connection’s optimal MTU before locking in a value.

If you have worked through every fix above and your VPN still drops consistently, the issue likely sits at the provider level. A provider running undersized server infrastructure or outdated protocol implementations cannot be fixed from your end. Our guide to the best free VPN options covers reliability and uptime data so you can compare providers before switching.
