diff --git a/firewall/interception.go b/firewall/interception.go
index edace3e9..9fd32998 100644
--- a/firewall/interception.go
+++ b/firewall/interception.go
@@ -163,6 +163,14 @@ func resetAllConnectionVerdicts() {
 // Apply privacy filter and check tunneling.
 filterConnection(ctx, conn, nil)
 
+ // Stop existing SPN tunnel if not needed anymore.
+ if conn.Verdict.Active != network.VerdictRerouteToTunnel && conn.TunnelContext != nil {
+ err := conn.TunnelContext.StopTunnel()
+ if err != nil {
+ log.Debugf("filter: failed to stopped unneeded tunnel: %s", err)
+ }
+ }
+
 // Save if verdict changed.
 if conn.Verdict.Firewall != previousVerdict {
 conn.Save()
diff --git a/network/connection.go b/network/connection.go
index e3b45ddf..e61d12fa 100644
--- a/network/connection.go
+++ b/network/connection.go
@@ -162,6 +162,7 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
 // connection is using.
 TunnelContext interface {
 GetExitNodeID() string
+ StopTunnel() error
 }
 
 // Internal is set to true if the connection is attributed as an
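Review bot: When `StopTunnel()` fails in the block added to resetAllConnectionVerdicts, the only trace is a Debug line, so a connection whose active verdict no longer reroutes to the SPN may keep a live tunnel without anyone noticing. I would raise the level, fix the wording, and ideally name the connection: `log.Warningf("filter: failed to stop unneeded tunnel: %s", err)`. `conn.TunnelContext` also stays set after a successful stop, so a later verdict reset would presumably call `StopTunnel()` on the same context again; either clear the field here or state that the method is idempotent. The loop and any locking of `conn` start outside the hunk, so whether this runs under the connection lock cannot be confirmed from these lines.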
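Review bot: `StopTunnel() error` is added to the anonymous TunnelContext interface with no statement of its contract, yet the new caller in firewall/interception.go invokes it during a verdict reset and only logs the error. I would add a comment above the method, for example `// StopTunnel tears down the tunnel used by this connection; safe to call more than once.`, adjusted to what the implementation actually guarantees. Because TunnelContext is an interface field, the caller's `!= nil` check would pass for a typed nil pointer, so implementations should either never store one or tolerate a nil receiver. The struct definition begins and ends outside the hunk.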