VPN for Public Wi-Fi: Network Hygiene Without the Paranoia
On public Wi-Fi, a VPN encrypts your traffic so the network operator cannot easily intercept it. Connect VPN first, then open email or banking. Verify the network name, keep 2FA on, and switch to mobile data if the network seems wrong.
What public Wi-Fi actually risks
The realistic threat on café or hotel Wi-Fi is not a sophisticated hacker — it is a misconfigured network that leaks traffic, or an evil twin hotspot that intercepts unencrypted connections.
HTTPS protects content, but does not hide which sites you visit from the network. A VPN adds that layer.
What a VPN does on public Wi-Fi
All traffic from your device goes to the VPN server before reaching any website. The local network sees encrypted traffic to one destination — the VPN server — rather than all your individual connections.
Order of operations
Connect to the network. Verify the network name. Start VPN. Then open banking, email or work tools. This order matters — opening sensitive apps before VPN connects exposes that initial traffic.
Public Wi-Fi scenarios
Airport lounge Wi-Fi, hotel Wi-Fi, coffee shop networks, conference centre networks — all behave differently, but the same principle applies: treat any network you did not configure as untrusted.
When to switch to mobile data instead
If the network name looks suspicious (two networks with nearly identical names), if the captive portal demands unusual permissions, or if the VPN refuses to connect after re-import — use mobile data instead and troubleshoot later.
Continue with the next logical step
The actions below follow the page intent: start with the primary next step, then use setup, support, or the travel checker if needed.
Frequently asked questions
HTTPS encrypts content but not metadata — the network still sees which domains you visit, when, and how often. A VPN hides this too.
For anything involving accounts you care about: yes. For casual browsing of public information: the risk is lower, but a VPN has no downside if it is already configured.
Without a VPN, yes — DNS queries and connection metadata are visible. With a VPN, the coffee shop router sees only encrypted traffic to your VPN server.
A rogue Wi-Fi network with the same name as a legitimate one (e.g. 'Starbucks WiFi'). Devices connect automatically. Traffic goes to the attacker's router. Always verify the network name with staff.