Every time I set up at a coffee shop or airport gate, I notice people nearby on the same open network with nothing protecting their traffic. Unencrypted public Wi-Fi lets anyone in range — using free software on any laptop — intercept login sessions, capture session cookies, and read unencrypted requests as they flow by. The single most effective way to stay safe on public Wi-Fi is to run a VPN, which encrypts your connection before it ever touches the router.
A VPN (Virtual Private Network) routes your traffic through an encrypted tunnel, turning readable data into scrambled noise for anyone snooping on the same network. Reliable options start at free, and setup takes under five minutes on any device you own.
Quick Answer
To stay safe on public Wi-Fi with a VPN: download Proton VPN (free, no data cap), enable the kill switch in Settings, then connect to the VPN before joining any public network. Keep it running the whole session. The kill switch blocks all traffic if the VPN drops, so you are never accidentally exposed.
Connect the VPN first, then join the network — that single sequence closes the most common exposure window.
Why Is Public Wi-Fi Risky?
Most café, hotel, and airport hotspots are unencrypted. Anyone on the same network can run a packet capture tool and record every byte flowing through. The two attacks I see most in security writing are packet sniffing — passively recording all traffic — and evil twin attacks, where a rogue access point mimics a legitimate-sounding name like “Airport-Free-WiFi” to lure nearby devices into connecting.
Even on HTTPS sites, your local network operator can see which domains you visit and when. A VPN encrypts that metadata too, not just the page contents.
Public Wi-Fi is dangerous not because attacks are constant, but because the effort cost for an attacker is near zero — one tool captures everything on the network at once.
Which VPN Should You Use for Public Wi-Fi?
The most important thing to verify is whether the provider’s no-logs policy has been independently audited by a third party. Marketing claims without an audit are meaningless. I always check the audit record before recommending any provider.
| VPN | Free Tier | Data Cap | Kill Switch | Audited |
|---|---|---|---|---|
| Proton VPN | Yes | None | Yes | Yes (Securitum, 2022) |
| Windscribe | Yes | 10 GB/month | Yes | Partial |
| Tunnelbear | Yes | 500 MB/month | Yes | Yes |
| Mullvad | No (€5/month) | None | Yes | Yes |
I use Proton VPN on public networks because the free tier has no data cap and a verified no-logs policy. For a paid option with strong privacy credentials, Mullvad’s flat monthly rate and clean audit history make it my second choice.
A free VPN with an audited no-logs policy beats a paid one with vague privacy terms — the audit matters more than the price tag.
How Do You Set Up a VPN on Your Phone or Laptop?
The steps below use Proton VPN as the example. Every major provider follows the same sequence: create an account, download the official app, enable the kill switch, and connect before joining the network.
Step 1: Create an Account
Go to protonvpn.com and sign up for the free plan. You only need an email address — no payment information required for the free tier.
Step 2: Download the Official App
Proton VPN has native apps for Windows, macOS, Android, and iOS. Download it from the official site or your device’s app store. Never install a VPN from an unofficial source or a sideloaded APK.
Step 3: Enable the Kill Switch
Open Settings in the app and turn on Kill Switch. This blocks all internet traffic if the VPN connection drops, so your real IP address and unencrypted traffic are never accidentally exposed mid-session.
Step 4: Connect Before Joining Public Wi-Fi
While still on mobile data, open the VPN app and tap Connect. Then join the café or hotel network. This closes the brief gap where your traffic is unprotected — a gap that opens when people activate the VPN only after they are already online.
Step 5: Verify You Are Protected
Open a browser and check whatismyipaddress.com. The location shown should match your VPN server, not your real city. If your actual location appears, disconnect and reconnect the VPN before continuing.
Pro tip: Enable auto-connect for unfamiliar networks in the app settings. On iOS go to Settings > VPN; on Android enable Always-on VPN under Settings > Network & Internet > VPN. You will never accidentally browse a public network without protection again.
Troubleshooting tip: If the hotel or café captive portal will not load, temporarily disable the VPN, complete the network login page, then immediately re-enable it. The portal needs your real IP to authenticate you first.
The full setup takes five minutes, and with auto-connect configured you will not need to think about it again.
What Else Can You Do to Stay Safer on Public Wi-Fi?
A VPN handles the biggest risk, but a few habits add meaningful depth to your protection.
- Stick to HTTPS sites. Check for the padlock in your browser’s address bar before entering any data. For an extra layer, enable DNS over HTTPS in your browser to encrypt your DNS lookups as well.
- Set your Windows network type to Public. Open Settings > Network & Internet > Wi-Fi > Properties and set the profile to Public. This disables file sharing and device discovery automatically.
- Avoid sensitive logins on public Wi-Fi. Even over a VPN, I keep banking and medical accounts for home. The VPN protects transit — it cannot fix a session that was already compromised.
- Log out when you are done. Session cookies remain a target even after you close a tab, so sign out explicitly on any shared or public machine.
Pair these habits with locking down your home router so the network you trust most is equally protected.
A VPN encrypts your transit; these habits close the gaps a VPN cannot seal on its own.
What VPN Mistakes Should You Avoid?
- Grabbing a random free VPN from the app store. Most unreviewed free VPNs log and sell your browsing data — the opposite of what you want. Fix: use only providers with independently audited no-logs policies.
- Turning on the VPN after connecting to public Wi-Fi. There is a brief unprotected window while the VPN negotiates its connection. Fix: always connect the VPN first, then join the public network.
- Skipping the kill switch. If the VPN drops mid-session, your real IP and traffic are immediately visible. Fix: enable the kill switch in settings and leave it permanently on.
- Trusting a network because the name sounds official. “Hotel_Secure” or “Airport-Official-WiFi” can be evil twin hotspots designed to capture credentials. Fix: ask staff for the exact network name and use your VPN regardless of what you find.
Configure the VPN correctly once — auto-connect and the kill switch handle the rest from there.
Frequently Asked Questions
Is a free VPN safe enough for public Wi-Fi?
Yes, if the provider has an independently audited no-logs policy. Proton VPN’s free tier is what I use when traveling — no data cap, no cost, and a verified privacy record. Most generic app-store freebies are the product being sold, not the user they protect.
Does a VPN slow down my connection?
In my experience, by about 10 to 20 percent. On a typical café connection that is barely noticeable for email and video calls — I have run Zoom calls on Proton VPN’s free tier without a single quality drop.
Can the coffee shop see what I am doing if I use a VPN?
No. Their router only sees encrypted packets flowing to your VPN server — it cannot read the contents or the destination URLs. The entire session looks like a stream of noise to anyone monitoring the local network.
Do I need a VPN if every site I visit uses HTTPS?
HTTPS protects the contents of each individual request, but your network operator can still see which domains you visit and how often. A VPN hides that metadata too — they protect different things and both matter on public Wi-Fi. Also pair your VPN habit with strong, unique passwords so any captured credential does minimal damage.
Conclusion
Staying safe on public Wi-Fi comes down to one decision: connect a VPN before you join the network. Proton VPN’s free tier removes every excuse — no data cap, no cost, independently audited. Enable the kill switch, turn on auto-connect, and you have closed the biggest vulnerability most travelers carry. For your next security step, learn how passkeys can replace your passwords entirely and cut another major attack surface.