As much as I love Linux, Windows is handy on occasion because it will straight snitch on your compromised router or ISP if it senses that your VPN killswitch has been compromised in any way by an OS backdoor. This is useful because there are no other signs, and the network will act like it isn’t connected through anything but the VPN otherwise (HTTP site IP address checks, ping requests, etc). I’m not unconvinced this isn’t just a bug in the operating system itself accidentally telling on the NSA or other potential hackers, but since there are intentional backdoors built into Windows anyway, it’s useful in context.

Usually, when you connect to a VPN with a Killswitch like Proton, then hover over the taskbar icon for the tooltip, the network SSID you actually connected to says no internet, but the VPN protocol you are using appears also and says internet. When your Killswitch is compromised though, BOTH will say internet access in that tooltip when you hover over the internet icon. This is Windows telling you that it senses your KS is leaking because the DNS resolvers for that tooltip happen at a level lower than any other software or spyware would have access to in a consumer OS like Windows. You can read more about how the Network Connectivity Status Indicator works in the link below.

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766017(v=ws.10)?redirectedfrom=MSDN

NCSI tries to load a specific page via HTTP (more precisely: a text document) and tests whether it can be retrieved. If that is not successful, Windows reports “No Internet access”.

But the mechanism also checks whether the domain the document is hosted on resolves to the expected IP address. So, it might also assume proper internet access if this test is successful but the document can’t be retrieved.

I detected my home network was compromised this way. Interestingly, I went to Starbucks public WiFi with my beloved Proton, and on my exact same laptop the VPN Killswitch now showed no more leak. The public network was more secure than my home! Check out that link for more on that lower level Windows process and remember if you think your network is compromised you can use a free and open tool like Wireshark to analyze your packets and DNS requests without too bad of a learning curve for tech-minded people:

https://www.lifewire.com/wireshark-tutorial-4143298
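
The two NCSI checks described in the post (fetch a text document over HTTP, and confirm a probe domain resolves to the expected IP), as an added example that is not part of the original post and is not Microsoft's code. The probe URL, body, hostname and address are the values given in Microsoft's Vista-era NCSI documentation rather than in the post; the status strings and the two `unexpected_*` flags are this example's own.

```python
import http.client
import socket
import urllib.request

# Probe values from Microsoft's Vista-era NCSI documentation, not from the post.
NCSI_URL = "http://www.msftncsi.com/ncsi.txt"
NCSI_BODY = "Microsoft NCSI"
NCSI_DNS_NAME = "dns.msftncsi.com"
NCSI_DNS_IP = "131.107.255.255"


def http_probe(url=NCSI_URL, timeout=5):
    """Fetch the probe document; return its text, or None on any failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(256).decode("ascii", "replace")
    except (OSError, ValueError, http.client.HTTPException):
        return None


def dns_probe(name=NCSI_DNS_NAME):
    """Resolve the probe name; return the IPv4 address, or None on failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def classify(body, resolved_ip):
    """Combine both probe results the way the post describes."""
    http_ok = body is not None and body.strip() == NCSI_BODY
    dns_ok = resolved_ip == NCSI_DNS_IP
    if http_ok:
        status = "internet"
    elif dns_ok:
        status = "internet (DNS check only)"
    else:
        status = "no internet"
    return {
        "status": status,
        # Extra flags (this example's own): an answer arrived but was not the
        # expected one, which points at a captive portal, proxy or DNS rewriting.
        "unexpected_body": body is not None and not http_ok,
        "unexpected_dns": resolved_ip is not None and not dns_ok,
    }


if __name__ == "__main__":
    print(classify(http_probe(), dns_probe()))
```

Running it with the VPN connected and again with it disconnected gives two results to compare against what the tooltip reports.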

    • Doc Blaze@lemmy.worldOP
      2 years ago

      There’s nothing I can find equivalent to this. The closest thing is in Cinnamon: it tells you the last time a connection was used, which you can use to square up and make sure the SSID matches also.