VPN on public Wi-Fi in the UK: trains, hotels, cafes and airports
Public Wi‑Fi is still one of the clearest reasons to use a VPN. But the 2026 problem is no longer just “open network equals danger.” Modern attacks mix fake SSIDs, poisoned DNS, aggressive captive portals and behaviour-based sniffing. Why use a VPN becomes very practical the moment you sit in an airport lounge. It is also why understanding what a VPN is and how VPN works matters more on public networks than almost anywhere else.
Live privacy & tool status
Use this widget to see whether our reference privacy tools and feeds are behaving normally before you start troubleshooting your own setup.
The Public Network Threat Model
Evil Twin & Honeypot logic: attackers create lookalike SSIDs such as Starbucks_Free, Hotel Guest Fast or cloned airport names. Phones often reconnect automatically to familiar-looking networks. If you do not verify the exact SSID and your VPN auto-connect is not immediate, you can land on an attacker-controlled gateway before real protection starts. Here, VPN for remote work overlaps with public Wi‑Fi safety: both rely on forcing trust through a secure tunnel rather than trusting the network itself.
Sidejacking & session hijacking: even on HTTPS, a compromised public network can still expose enough metadata to make tracking, session inference, or opportunistic attacks possible. Attackers do not always need your full password. Sometimes they want cookies, app fingerprints, or login flow timings. Browser separation, VPN security basics, and a hard kill switch matter together.
DNS hijacking: fake routers and dirty captive portals can redirect bank, mail, or cloud logins to phishing clones by swapping the destination IP at the DNS layer. If your VPN forces private DNS inside the tunnel, that risk drops sharply. VPN encryption is only part of the story: you need the tunnel and the DNS path secured.
The Public Wi‑Fi Risk Scanner
📡 Public Wi‑Fi Risk Scanner
Pick your real situation. The scanner estimates practical risk and recommends the quickest defence protocol.
- Verify the SSID and avoid automatic rejoin if the name looks cloned.
- Pass the captive portal first, then enable VPN immediately.
- Use WireGuard / NordLynx first; switch to TCP 443 if the network blocks UDP.
- Run our Leak Test Tool and compare with DNS leak protection.
The Evil Twin Attack Simulator
🧪 Evil Twin Attack Simulator
Press start to compare what your phone reveals on a hostile network with and without an active tunnel.
Apps are syncing in the background.
Press start to simulate sniffing.
Captive portal troubleshooting
Captive portals are the most annoying part of hotel and airport Wi‑Fi because they create a dangerous gap before the tunnel starts. The best workflow is boring but reliable: join the network, finish the portal, then let your VPN lock down the session. If the page refuses to load, temporarily pause the VPN, visit a plain HTTP page or the OS network helper, complete the login, then reconnect. If the tunnel still breaks afterward, jump to VPN not connecting, VPN troubleshooting, or VPN setup guide.
| Problem | What it usually means | Fastest fix |
|---|---|---|
| Portal never appears | VPN or DNS blocks the login page | Pause VPN, open a plain site, finish the portal, reconnect VPN |
| Portal loads but VPN dies after login | UDP blocked or MTU mismatch | Switch to WireGuard first, then TCP 443 if needed |
| Banking page redirects strangely | Possible DNS hijack | Disconnect, reconnect VPN, verify DNS inside tunnel |
| Hotel Wi‑Fi works only without VPN | Firewall dislikes your protocol | Use VPN protocols comparison and try TCP 443 or IKEv2 |
Public Wi-Fi safety checklist
| Parameter | Danger without VPN | Protection with VPN | Importance |
|---|---|---|---|
| SSID / network name | Evil twin or honeypot network | Encrypted tunnel hides useful traffic data | ★★★★★ |
| Passwords and cookies | Session leakage and sniffing | Encrypted packets become useless noise | ★★★★★ |
| DNS requests | Phishing redirects and DNS hijack | Private DNS inside the tunnel | ★★★★☆ |
| Local attacks | Port scans and device discovery | Much lower visibility on the local network | ★★★☆☆ |
Visual diagnostics
Practical setup that works in real life
- Enable VPN auto-connect for unknown networks before you travel.
- Keep a real kill switch enabled on laptop and phone.
- Use DNS leak protection and verify IPv6 handling.
- Prefer WireGuard or NordLynx first; switch to TCP 443 if the network is hostile.
- For sensitive admin work, consider site-to-site VPN, VPN access control, or VPN for enterprise concepts rather than casual public Wi‑Fi use.
For device-specific help, jump to VPN on Android, VPN on iOS, VPN on Mac, VPN on Windows, or VPN on router. If you need a comparison before buying, see free VPN vs paid VPN, VPN advantages, VPN disadvantages, and VPN vs proxy.
Choosing a provider for public Wi-Fi
If you want low-friction safety, choose the service that gives you strong auto-connect, clean DNS handling, reliable killswitch behaviour, and simple app controls. NordVPN is the easiest “set and forget” option for frequent travellers. Surfshark is excellent value when you need many devices protected. Proton VPN is a good choice if privacy posture matters most. Also compare NordVPN vs Proton VPN or WireGuard vs NordLynx if you want to go deeper.
FAQ
Is public Wi‑Fi safe if the network has a password?
Password protection helps, but it does not remove captive portal abuse, DNS tricks, or internal network visibility. A VPN still matters.
Should I use Double VPN on public Wi‑Fi?
Usually not. It makes sense only for genuinely higher-risk sessions. For most people, a clean single tunnel with leak protection is enough.
What should I do if the portal blocks my VPN?
Finish the login first, then reconnect. If that fails, switch protocol or use VPN troubleshooting.
Updated on 20 June 2026. This guide is refreshed as public Wi‑Fi attack patterns and travel network behaviour evolve.
✓ Leak Test (IP / DNS / IPv6 / WebRTC)
✓ Streaming Diagnostic (tools & reachability)
Verification date: