How to Use a VPN on Public WiFi on Mac
Public WiFi is one of the highest-risk network environments you can use. Connecting to Starbucks, hotel, or airport WiFi without a VPN exposes your traffic to anyone on the same network who knows how to use basic packet capture tools. But using a VPN with public WiFi requires a specific sequence to avoid getting stuck at the captive portal.
Why Public WiFi Is Risky Without a VPN
- Anyone on the same network can capture unencrypted HTTP traffic using free tools like Wireshark.
- Rogue access points can impersonate legitimate networks - your device joins the attacker's network thinking it is the real one.
- DNS requests are visible to the network operator, revealing every site you visit even over HTTPS.
- Session cookies can be stolen from unencrypted connections, giving attackers access to logged-in accounts.
The Right Order of Operations
- Arrive at the location. Do not connect to the WiFi yet.
- Make sure your VPN is disconnected. This is required to pass through the captive portal.
- Connect to the WiFi network. Wait for the captive portal popup. If it does not appear, open Safari and visit
http://neverssl.com. - Complete the portal login. Accept terms or enter credentials.
- Verify basic connectivity. Make sure a website like google.com loads normally.
- Connect your VPN immediately. Do not browse until your VPN is active.
- Run a VPN leak test. Confirm your real IP is hidden and there are no WebRTC or DNS leaks.
What to Look for in a VPN for Public WiFi
| Feature | Why It Matters |
|---|---|
| Kill switch | Blocks all traffic if VPN drops - prevents accidental exposure |
| DNS leak protection | Ensures DNS queries go through the VPN, not the cafe's router |
| Captive portal bypass | Lets portal detection work without fully disconnecting VPN |
| WireGuard protocol | Faster and more stable on high-latency public networks |
| Auto-connect on untrusted networks | VPN turns on automatically when joining public WiFi |
ⓘ After you have completed the captive portal and connected your VPN, run the VPN leak test to confirm your real IP address is hidden and your DNS is not leaking.