Using a VPN on Public WiFi.

A practical step-by-step. When to connect, how to handle the captive portal, what to verify, what to enable. For airports, cafes, hotels, conferences, anywhere you don't own the AP.

⚡ The 30-second version
  1. Connect to WiFi.
  2. Complete the captive portal if there is one.
  3. Immediately turn on the VPN.
  4. Verify your IP changed at /tools/what-is-my-ip/.
  5. Browse normally.

Five steps, 30 seconds. The rest of this page is the longer explanation.

Why timing matters

The single biggest mistake people make with public WiFi and VPNs is treating "the VPN" as protection that's either on or off. The reality is more nuanced: there's a window between connecting to the WiFi and the VPN becoming active where you're exposed.

During that window:

  • Background apps may sync or check for updates.
  • Your email client may pull new messages.
  • Cloud services may push notifications.
  • Browser tabs you left open may refresh.

Most of this traffic is HTTPS, so it's not catastrophic. But the metadata (which services you use, how often, how much data) leaks to whoever's watching the network.

Minimizing the window means launching the VPN as the first thing you do after authenticating to the WiFi — not "after I check my email" or "after I finish what I was doing."

Step by step

Step 1: Connect to the WiFi

Use the most legitimate-looking SSID. If you're at a Starbucks, "Starbucks_WiFi" is more likely real than "Starbucks_Free_Faster." Ask staff if you're unsure — they'll tell you the correct SSID.

For password-protected WiFi, use the password the establishment provides; don't trust passwords scrawled on tables by previous customers.

Step 2: Handle the captive portal

Many public networks have a captive portal — the page that asks you to "Accept Terms" or sign in with email/social login. The captive portal works by intercepting your first HTTP request and redirecting you.

Two important things about captive portals:

  1. The VPN can't activate before the captive portal is complete, because the portal blocks non-HTTP traffic until you've authenticated. If your VPN tries to tunnel through, it'll fail. Don't fight this — complete the portal first.
  2. Don't enter credentials in the captive portal that you wouldn't want compromised. Captive portals are sometimes maliciously modified. If the portal asks for your work email and password, give it a junk email if possible, or skip the network.
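
The interception described above can be detected before you start the VPN. The following is an added example, not ClownVPN's code: it sends one plain-HTTP probe without following redirects and classifies the reply. The probe URL is the connectivity-check endpoint Android uses; `classify_probe`, `probe` and `next_action` are hypothetical names.

```python
import http.client
from urllib.parse import urlsplit

# Plain-HTTP endpoint Android uses for connectivity checks; it answers 204 with no body.
PROBE_URL = "http://connectivitycheck.gstatic.com/generate_204"

def classify_probe(status, location, body_len):
    """Map one probe response to (state, portal_host)."""
    if status == 204 and body_len == 0:
        return ("open", None)  # the reply came back unmodified
    if status in (301, 302, 303, 307, 308) and location:
        # The network redirected the request: the classic captive portal.
        return ("captive_portal", urlsplit(location).hostname)
    if status == 200 and body_len > 0:
        # The portal answered in place of the real server (login page served inline).
        return ("captive_portal", None)
    return ("unknown", None)

def probe(url=PROBE_URL, timeout=5):
    """Send one probe without following redirects and classify the answer."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        body = resp.read(4096)
        return classify_probe(resp.status, resp.getheader("Location"), len(body))
    except (OSError, http.client.HTTPException):
        return ("no_connectivity", None)
    finally:
        conn.close()

def next_action(state):
    """What to do next, following the order given in Steps 2 and 3."""
    return {
        "open": "start the VPN now",
        "captive_portal": "complete the portal in a browser, then start the VPN",
        "no_connectivity": "not online yet: re-check the WiFi association",
    }.get(state, "unexpected reply: treat the network as untrusted and retry")

if __name__ == "__main__":
    state, host = probe()
    print(state, host or "", "->", next_action(state))
```

The returned portal host is worth a glance before you type anything into the login page, since it is the only identity the portal offers.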

Step 3: Launch the VPN immediately

The moment you're past the captive portal, open the VPN app and connect. On ClownVPN's Android app:

  1. Open the app.
  2. Tap the big connect button.
  3. Wait ~3-5 seconds for the tunnel to establish.
  4. The status indicator shows "Connected" with a server location.

If you've configured auto-connect on untrusted networks (recommended), the VPN starts automatically — you just need to confirm it succeeded.

Step 4: Verify

Open /tools/what-is-my-ip/ and confirm:

  • Your IP shows the VPN server's address, not your real one.
  • The location shows the VPN server's location.
  • The ISP/ASN shows ClownVPN's network.

If the IP still looks like your real one (you can recognize this by the ISP showing as Comcast/Verizon/AT&T/T-Mobile rather than ClownVPN), the VPN didn't connect — repeat Step 3.

If you want a deeper check, run /tools/dns-leak-test/ to confirm no DNS leaks.
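
The verification in Step 4 can be expressed as a repeatable check. This is an added example, not ClownVPN's code, and it goes slightly beyond the checklist by treating IPv4 and IPv6 addresses separately, since one family can leave through the tunnel while the other does not. `verify_tunnel` is a hypothetical name, the provider's CIDR list is an assumption, and all addresses are constructed from documentation-only ranges.

```python
import ipaddress

def verify_tunnel(baseline_ips, observed_ips, dns_resolvers, vpn_ranges):
    """Return a list of findings; an empty list means every check passed.

    baseline_ips : public addresses recorded before the VPN was started
    observed_ips : public addresses an IP-check page reports now (IPv4 and IPv6)
    dns_resolvers: resolver addresses a DNS leak test reports
    vpn_ranges   : CIDR blocks the VPN provider is assumed to publish
    """
    nets = [ipaddress.ip_network(r) for r in vpn_ranges]

    def in_vpn(ip):
        addr = ipaddress.ip_address(ip)
        # Membership is False when the address and network families differ.
        return any(addr in net for net in nets)

    baseline = {ipaddress.ip_address(ip) for ip in baseline_ips}
    findings = []
    if not observed_ips:
        findings.append("no public address observed: the check did not run")
    for ip in observed_ips:
        if ipaddress.ip_address(ip) in baseline:
            findings.append(f"{ip}: same address as before the VPN, traffic bypasses the tunnel")
        elif not in_vpn(ip):
            findings.append(f"{ip}: changed, but not an address of the VPN provider")
    for ip in dns_resolvers:
        if not in_vpn(ip):
            findings.append(f"{ip}: DNS resolver outside the VPN (DNS leak)")
    return findings

# Constructed sample data using documentation-only address ranges.
VPN_RANGES = ["203.0.113.0/24", "2001:db8:ff::/48"]
BASELINE = ["198.51.100.23", "2001:db8:1::23"]

if __name__ == "__main__":
    # IPv4 went through the tunnel; IPv6 and DNS did not.
    for finding in verify_tunnel(BASELINE, ["203.0.113.7", "2001:db8:1::23"],
                                 ["198.51.100.1"], VPN_RANGES):
        print("FAIL", finding)
```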

Step 5: Browse normally

With the VPN active, browsing on public WiFi is roughly as secure as browsing on your home network. The local network sees encrypted traffic to one endpoint (the VPN server) and nothing about your activity beyond that.

Settings to enable for public WiFi

Kill switch (always on)

If the VPN drops, the kill switch blocks all traffic until it reconnects. Without this, a VPN drop on public WiFi briefly exposes your traffic to the network.

On ClownVPN Android: Settings → Kill Switch → On.

Auto-connect on untrusted networks

Configure the VPN to automatically connect when you join any network that's not your home/work WiFi. This eliminates the human-error path of "I forgot to turn it on."

On ClownVPN Android: Settings → Auto-Connect → Untrusted WiFi → Configure trusted SSIDs (add your home network, office network, etc.).

Always-on VPN (Android system setting)

Android has a system-level "Always-on VPN" setting that ensures no traffic flows without the VPN active. It is stronger than the app's kill switch because it survives app crashes and similar failures.

To enable: Settings → Network & Internet → VPN → ClownVPN → Settings gear → Always-on VPN.

Block connections without VPN (Android)

Right below "Always-on VPN" there's a "Block connections without VPN" toggle. Enable this for the strongest protection — Android will block all network traffic if the VPN isn't active.

What this protects against, and what it doesn't

With the above setup on public WiFi, you're protected against:

  • Passive packet sniffing.
  • Metadata exposure (SNI, DNS, IP).
  • Most evil twin AP attacks (traffic terminates at VPN exit, not local AP).
  • Network-level DNS spoofing.
  • SSL stripping on sites that are not on the HSTS preload list.

You're not protected against:

  • Attacks on your device (malware, keyloggers, OS vulnerabilities).
  • Phishing — if you click a malicious link, the VPN doesn't stop you.
  • Account-level surveillance — if you log into Google, Google knows it's you.
  • Lateral attacks from other devices on the same WiFi (device firewall handles this, not the VPN).

Common pitfalls

  1. Connecting to fake SSIDs. "Free_Airport_WiFi" is almost always not the airport's official network. Check signage or ask staff.
  2. Skipping the IP verification step. The VPN app can show "Connected" while a configuration issue silently leaks traffic. Verify with a third-party tool.
  3. Using a sketchy free VPN to "save data." Reputable free VPNs are fine. Unknown free VPNs on public WiFi are worse than no VPN.
  4. Logging into sensitive accounts during the captive portal phase. Wait until the VPN is active. Your bank can wait 30 seconds.
  5. Forgetting to turn off the VPN when you leave. Not a security issue, but it costs battery and connection speed. Configure auto-disconnect when leaving the network if you don't want this.

🎪 FAQ

Should the VPN auto-connect on every WiFi network, or just public ones?
Most users want it to auto-connect on untrusted networks (public WiFi, hotel, conference) but not on their home WiFi where they trust the network. Android's 'trusted WiFi' lists in VPN apps let you set this — connect everywhere except your saved home/work SSIDs. ClownVPN's Android app has this setting under Auto-Connect → Trusted Networks.

What's a 'kill switch' and do I need one on public WiFi?
A kill switch blocks all internet traffic if the VPN connection drops. Without it, if your VPN disconnects mid-session, your traffic falls back to the unprotected WiFi briefly until the VPN reconnects — exposing any active connections during that gap. On public WiFi, that brief exposure can be enough for sniffing or session-hijacking attacks. Yes, you want a kill switch. ClownVPN has one; enable it in Settings → Kill Switch.

Why does the captive portal page sometimes not load until I disconnect the VPN?
Because the VPN is already trying to tunnel traffic before you've authenticated to the WiFi. The captive portal intercepts your initial HTTP request and redirects it to the login page — but the VPN's outbound traffic doesn't match the captive portal's expected format, so it gets blocked. The fix: connect to WiFi, complete the captive portal authentication first, then enable the VPN. Some VPN apps (including ours) detect captive portals and pause briefly to let you through.

Is using a free VPN on public WiFi actually safe?
Depends entirely on the provider. A reputable free VPN (ours, ProtonVPN, Windscribe free) handles public WiFi well — strong encryption, leak protection, kill switch, no monetization at your expense. Sketchy free VPNs (unknown providers, fly-by-night Android apps) can be worse than no VPN — they have full visibility into your traffic and incentive to monetize it. The free VPN you choose matters more than the free vs paid distinction.

Should I use the WiFi password as part of my security?
Marginally helpful but don't rely on it. A password-protected WiFi (WPA2/WPA3) encrypts traffic between your device and the AP, which prevents passive sniffing by other people on the same network. But: if everyone on the network has the password (typical for cafes, hotels), other paying customers can still potentially MITM you. And WPA2 has known weaknesses (KRACK attack from 2017) that WPA3 fixes. Treat password-protected public WiFi as marginally safer than open WiFi, not as 'safe.'
