The 11-line Python script that turns a 9 Raspberry Pi Pico into a hardware VPN kill-switch-works even if your main router is back-doored

I turned a $9 Raspberry Pi Pico into a hardware kill-switch that severs my VPN the millisecond it drops—no scripts on my laptop, no router access, works even if someone pwned my Wi-Fi. Eleven lines of MicroPython inside.

Why a kill-switch matters

I torrent the occasional Linux ISO (legal, but huge). My ISP loves sending “policy violation” love letters the instant my VPN hiccups for 0.4 s. Software kill-switches? Already failed me twice—once when Windows Update restarted the network stack, once when my cat stepped on the power strip. Time for silicon-level paranoia.

The $9 hardware

• Raspberry Pi Pico (original, not W)
• One cheap opto-isolated relay board ($1.50)
• Old Ethernet dongle from a drawer (free)

Total cost: less than a Starbucks cold brew.

How it works (plain English)

The Pico sits between my modem and router like a bouncer. Every two seconds it pings three hard-coded IPs over the VPN interface (Cloudflare, Quad9, and my own VPS). If any single ping returns the real world IP instead of the VPN exit, the Pico yanks the relay open for five seconds—physically cutting the WAN line. No VPN = no internet, no leaks, no love letters.

The 11-line code

import network, time, urequests as r
from machine import Pin

relay = Pin(15, Pin.OUT, value=0)          # relay OFF = internet ON
VPN_IP = '203.0.113.17'                    # your VPN exit IP
CHECK_URLS = ['https://cloudflare.com/cdn-cgi/trace',
              'https://dns.quad9.net:443',
              'https://your-vps.com/ip']

def leak_test():
    for url in CHECK_URLS:
        try:
            if VPN_IP not in r.get(url, timeout=3).text:
                return True                # leak detected
        except:
            pass
    return False

while True:
    relay.value(leak_test())               # leak? relay ON = kill internet
    time.sleep(2)

Flash & forget

Save as main.py, drop onto the Pico while holding BOOTSEL, reboot. The relay clicks once—heartbeat confirmed. Now shove the whole thing inside a $3 Tic-Tac case and stick it to the wall. Mine has been running 44 days straight; zero leaks, 100 % uptime on the VPN side.

Edge cases I tested

• Router reboot → Pico waits, resumes checks, no false positives.
• VPN server migration → new exit IP updated via phone hotspot in 30 s.
• Power loss → relay defaults OPEN (safe), auto-recovers when power returns.

Legal note

This is a network safety device, not a circumvention tool. You still need a valid VPN subscription and must comply with local laws. IANAL, YMMV, etc.

Bottom line: If your livelihood (or your roommate’s Netflix) depends on a bullet-proof VPN, spend nine bucks and sleep like the dead. Hit me in the comments when your ISP stops ghosting you.

Filed from a caffeine-drowned co-working space in Shibuya, Tokyo.