
VPN on public Wi-Fi: real risks, not fiction

Cafés, airports, hotels — public Wi-Fi is genuinely risky, just not in the way you've heard. What actually goes wrong, and why 10 GB of free Orion/VPN fixes it.

If you searched whether you need a VPN for public Wi-Fi, you’ve probably waded through articles written in 2012 and lightly reheated every year since. They tell you “anyone in the café can read your email,” that “hackers are sniffing the airport network,” and that without a VPN you might as well shout your bank password across the room.

Most of that is no longer true. Public Wi-Fi in 2026 is more boring than the old advice suggests. It’s also more risky in ways that advice never mentioned. So instead of recycling fear, let’s look at what changed, what didn’t, and where a VPN earns its keep on hotel and café networks today.

What’s NOT a problem anymore

The classic public Wi-Fi horror story goes like this: someone sets up a laptop in the corner, runs a tool, and watches your Gmail password float past in plain text. That story was real around 2010. It is mostly fiction now.

Why? Because almost every site you actually care about — your bank, your email provider, your social accounts, your shopping carts, the very page you’re reading — uses HTTPS. That little padlock in the browser bar means the connection between your laptop and the website is encrypted end-to-end. Even if someone could capture the bytes flying through the air, they’d see scrambled noise, not your password.

Modern browsers go further. Chrome, Safari, Firefox, and Edge now warn loudly when a page is not HTTPS. Many sites refuse to load over plain HTTP at all. Email providers force encrypted connections for both web access and the apps on your phone. Messengers like WhatsApp, Signal, iMessage, and Telegram add their own encryption layer on top.

So the cartoon villain in the corner with a laptop full of stolen passwords? That guy hasn’t really existed for years. If you’re wondering “is public Wi-Fi safe” in the old sense — for casual browsing of mainstream sites — yes, it’s mostly fine.

The problem is that the old advice was answering the wrong question.

What IS a real problem

Here’s what the public-Wi-Fi-is-fine crowd glosses over. The threats moved. They didn’t disappear.

Captive portal hijacks. That “Accept terms and connect” page hotel and airport networks force you through? It’s a perfect place to push you onto a fake page, redirect you to trackers, or quietly install a tracking certificate. It looks like the network’s own page because, well, it is. You have no good way to verify it.

Fake hotspots. Anyone with a fifty-dollar router can broadcast a network called “Free_Cafe_WiFi” or “Hotel_Guest” right next to the real one. Your phone, helpfully, will sometimes pick the stronger signal automatically. Now your traffic is flowing through someone else’s box. HTTPS still protects the contents — but the operator of that fake network can see which sites you visit, redirect you to look-alike phishing pages, or block specific apps until you do something you shouldn’t.

DNS-level tracking. Every time your laptop loads a page, it asks the network’s DNS server “where is example.com?” That request is usually unencrypted, and the network operator sees every single domain you visit, even when the connection itself is HTTPS. Hotels especially love this. Some sell that data. Some inject ads. Some just keep it for “marketing partners,” which is the same thing in a nicer suit.

Downgrade tricks on weaker apps. Most apps enforce HTTPS now. Some don’t. Old IoT companions, sketchy travel apps, certain games — there’s still a long tail of software that talks to its servers in plain text. On a hostile network, those apps can leak more than you’d guess.

IP-based fingerprinting. Your phone shows up to ad networks with the café’s public IP attached. Combine that with your device’s other signals and you’ve now told ad-tech “this person was at this café from 2:14 to 3:46 pm.” That data follows you home and slots into your existing profile.

So the real threat model on café and hotel Wi-Fi isn’t a hacker with a laptop. It’s the network itself, and everyone the network sells data to.
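
The DNS-level tracking point above, shown as an added example (not code from the original page): this Python sketch builds a standard DNS query and then recovers the hostname from the raw bytes, the way any on-path network operator could, with no keys involved. The packets, ports and hostnames are constructed for illustration; the tunnel port is an arbitrary placeholder.

```python
import struct

def build_query(hostname: str, txid: int = 0x1A2B) -> bytes:
    """Build a plain DNS A-record query in RFC 1035 wire format."""
    # Header: id, flags (recursion desired), 1 question, no other records.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in hostname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def observed_name(payload: bytes):
    """Return the hostname inside a UDP/53 query payload, or None."""
    if len(payload) < 12:
        return None  # shorter than a DNS header
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:
        return None  # a response, or no question section
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None  # truncated packet
        length = payload[pos]
        pos += 1
        if length == 0:
            break  # root label ends the name
        if length > 63 or pos + length > len(payload):
            return None  # compression pointer, bad label, or truncation
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)

def domains_seen(packets):
    """Domains an operator can log from (dst_port, payload) pairs."""
    names = (observed_name(data) for port, data in packets if port == 53)
    return [name for name in names if name]

# Constructed capture on the cafe network, VPN off: DNS goes out in the clear.
WITHOUT_VPN = [
    (53, build_query("example.com")),
    (53, build_query("mail.example.org")),
    (443, b"\x17\x03\x03" + bytes(32)),  # HTTPS record: contents opaque
]
# Constructed capture, VPN on: one flow of opaque bytes to the tunnel endpoint.
WITH_VPN = [(51820, bytes(range(64)))]  # placeholder tunnel port

if __name__ == "__main__":
    print("VPN off:", domains_seen(WITHOUT_VPN))
    print("VPN on: ", domains_seen(WITH_VPN))
```
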

Who actually targets coffee shop Wi-Fi

Let’s be honest about who’s interested in your traffic at the airport.

The guy in the corner with the hoodie? Almost certainly not. He’s watching YouTube. The economics of attacking random strangers on public Wi-Fi just aren’t there in 2026 — there are way easier ways to make money in cybercrime, and most of them involve phishing emails, not lurking in Starbucks.

The network operator? Yes. Always. They see every domain you visit, every app’s connection, every captive portal interaction, and they keep that data for as long as their privacy policy lets them — which, in many countries, is “indefinitely.”

The ISP behind the network? Yes. The hotel’s upstream provider, the airport’s contracted Wi-Fi vendor, the city-government Wi-Fi consortium — they all have visibility into your DNS lookups and connection metadata. Some of them log it. Some sell it. Some hand it to advertisers in aggregate, which sounds harmless until you realize “aggregate” data is rarely as anonymous as the brochure claims.

Ad-tech companies? Absolutely. They want to know which networks you join because location data is gold. Cross-referencing café Wi-Fi sessions with your home IP is exactly how ad networks build the “this person travels for work, owns an iPhone, lives in zip 10003” profile that gets sold thousands of times a day.

Once you frame it that way, it stops being about hackers. It’s about surveillance you didn’t agree to, performed by parties you’ll never meet. That’s a cleaner reason to want a VPN than the imaginary man with a laptop.

If you’re new to the broader picture, our why you need a VPN explainer covers everyday browsing.

What a VPN actually does on public Wi-Fi

When you turn on Orion/VPN before joining the café network, three things change.

First, all your device’s traffic gets wrapped in an encrypted tunnel — not just your web browser, but every app: messengers, mail clients, your password manager, the random utility that pings home every five minutes. The network operator sees one connection going out: encrypted bytes to a VPN server. They don’t see the apps inside.

Second, your DNS lookups go through the tunnel too. The hotel’s DNS server no longer logs every domain you visit. It just sees that you opened a tunnel and stopped asking questions. The list of “where did this person go online” goes blank.

Third, your apparent IP address becomes the VPN server’s IP. The café’s network can’t tag your traffic with their location to feed ad-tech. From the public internet’s point of view, you might be in Frankfurt or Amsterdam — not Terminal 4 at JFK.

That’s the honest scope of what a VPN does on a hostile network. Not magic. Three concrete things, all of which directly counter the real threats above.

Traffic gets AES-256 encryption, a cipher that even nation-states don’t try to brute-force. Combined with our no-log policy — explained in our no-log VPN guide — your café session leaves no trail with us either. The network operator doesn’t see your activity. We don’t keep it.

What a VPN doesn’t fix

This is the part most VPN articles skip, which is exactly why we lead with it.

A VPN doesn’t fix bad passwords. If you reuse “Summer2024!” across your bank, your email, and the random shopping site that gets breached next month, no amount of encrypted tunneling will save you. Use a password manager.

A VPN doesn’t fix malware on your device. If something nasty is already installed, it can talk to its command server through the tunnel just fine. Encryption only helps when both ends are trustworthy.

A VPN doesn’t fix social engineering. If you click a phishing link from a “delivery confirmation” SMS and type your bank credentials into a fake page, the VPN faithfully encrypts that mistake and delivers it to the attacker. The padlock isn’t a brain.

A VPN doesn’t fix accounts with weak two-factor or none at all. If someone has your password and you’re not using an authenticator app or hardware key, the network you were on doesn’t really matter.

A VPN doesn’t fix legal jurisdiction, taxes, or being logged into your real account. It hides what the network sees. It doesn’t change who you are once you log in.

We mention all this because trust is the actual product here. We’d rather you understand the limits than oversell. If you want a deeper rubric, our how to choose a VPN post lays out what to look for and what’s marketing.

Practical setup for travel

Here’s a no-drama checklist for actually using a VPN on the road.

Install before you travel. Set up the VPN on your laptop and phone at home, on a network you trust. Don’t try to download a VPN client over hotel Wi-Fi for the first time — the first thing some hostile networks do is mess with software downloads.

Turn on auto-connect for unknown networks. Most modern VPN apps can activate automatically when you join a network you’ve never used before. That covers the gap between “I clicked Connect on the airport Wi-Fi” and “I remembered to start the VPN” — which is exactly when the captive portal grabs as much data as it can.

Keep the auto-disconnect-traffic feature on. Sometimes called a “kill switch,” sometimes just an option in settings — what it does is stop your traffic the moment the VPN drops, so nothing leaks out the side. On hotel Wi-Fi that flickers in and out, this matters more than people realize.

Pick a server geographically close to where you are. Same continent will be faster and just as private as one across the world. There’s no privacy bonus for adding latency.

Don’t turn the VPN off for “trusted” networks while traveling. The hotel network you used yesterday is not the same one tonight after a firmware push. Treat every traveling network as untrusted. Your battery won’t notice.

Reconnect after airplane mode. If you toggle airplane mode on a flight, double-check the VPN comes back up before you do anything important on the in-flight Wi-Fi. Those networks are some of the chattiest about your traffic.

That’s the whole playbook. No paranoia, no theater, just five settings that take ten minutes to get right once.

Public Wi-Fi in 2026 isn’t the wild west of 2010. It’s something quieter and more permanent: a background hum of networks logging where you went, what you used, and how long you stayed. Orion/VPN turns the hum off, and 10 GB free per month makes the cost of trying it zero.
