Sign in Sign Up for FREE

Why Your VPN Blocks the Coffee Shop WiFi Login Screen

Your VPN is doing exactly what it was designed to do - but that design clashes with how public WiFi networks grant access. Understanding why this happens makes the fix obvious, and it only takes about 60 seconds to apply.

The Technical Explanation

When Mac joins a new WiFi network, a background service called captiveagent sends an HTTP probe request to captive.apple.com. If the server responds with the expected success page, Mac assumes the network is open. If anything else comes back (like a redirect to a portal login page), Mac launches the Captive Network Assistant popup.

When your VPN is running:

  1. Mac's probe request enters the VPN tunnel before it ever reaches the router.
  2. The encrypted packet goes directly to your VPN server - bypassing the coffee shop router entirely.
  3. Your VPN server fetches captive.apple.com normally and returns the success response.
  4. Mac sees a success response and concludes the network is open - popup never launches.
  5. But your actual browser traffic is still being blocked by the portal because you never logged in.

The VPN Kill Switch Makes It Worse

If your VPN has a kill switch enabled (which it should on a serious VPN), all traffic that cannot route through the VPN tunnel is blocked entirely. This means even if the captive portal could somehow intercept your request, the kill switch would drop it before it leaves your device. You end up completely stuck - the captive portal cannot reach you, and the VPN cannot connect until you have internet access from the portal.

Common Causes at a Glance

What You SeeUnderlying CauseQuick Fix
WiFi bars full, no popup, nothing loadsVPN tunnel answered the portal probeDisconnect VPN, rejoin network
VPN app stuck on "connecting"Kill switch blocking pre-login trafficDisable kill switch temporarily or disconnect VPN
Popup appeared once, never againmacOS marked the network as trustedForget the network and rejoin fresh
Portal loads but won't submitContent blocker or DNS filtering activeDisable blockers, use Safari private window
Works on phone, not on MacVPN only installed on the MacApply the disconnect-login-reconnect workflow below

Fix 1 - Disconnect, Log In, Reconnect (Works Every Time)

  1. Disconnect the VPN - Use the Disconnect button in your VPN app. If a kill switch keeps blocking traffic, pause or disable it for a minute as well.
  2. Forget the WiFi network - System Settings → Wi-Fi → click the network name → Forget This Network. (On macOS Monterey and earlier: System Preferences → Network → Wi-Fi → Advanced → remove it from Preferred Networks.)
  3. Rejoin the network - The Captive Network Assistant popup should appear within about 5 seconds.
  4. No popup? - Open Safari and visit http://captive.apple.com to force the redirect.
  5. Complete the login, confirm a normal website loads, then reconnect the VPN and re-enable the kill switch.
  6. Verify protection - Run the VPN leak test to confirm your real IP and DNS are hidden again.

Fix 2 - Enable Your VPN's Captive Portal Bypass

Some VPN providers have added a "captive portal bypass" mode. When enabled, the VPN temporarily releases control of traffic on port 80 when it detects a new network join, allowing the captive portal to redirect you. Look for this setting in your VPN app under names like:

  • Allow LAN (local area network) traffic
  • Bypass captive portals
  • Allow access to local network
  • Detect and handle captive portals

Mullvad, Proton VPN, and ExpressVPN all have versions of this feature. NordVPN and Surfshark require a manual disconnect/reconnect workflow.

Fix 3 - If That Didn't Work: Escalation Ladder

When the disconnect-and-rejoin routine still leaves you stuck, escalate through these steps in order. Each one clears a deeper layer of cached network state.

  1. Flush the DNS cache - In Terminal run sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder, then retry Safari with http://neverssl.com.
  2. Power-cycle the WiFi interface from Terminal - Run networksetup -setairportpower en0 off, wait 10 seconds, then networksetup -setairportpower en0 on. (If Wi-Fi is not en0 on your Mac, check with networksetup -listallhardwareports.)
  3. Confirm you actually have an IP address - Run ipconfig getifaddr en0. No output means DHCP failed; renew the lease under System Settings → Network → Wi-Fi → Details → TCP/IP.
  4. Try a different browser profile - A Safari private window (File → New Private Window) skips extensions and cached HSTS redirects that can swallow the portal page.
  5. Still stuck? - Work through the full captive portal troubleshooting guide, which covers content blockers, preference resets, and the manual trigger URLs.
ⓘ Run our VPN leak test after reconnecting to public WiFi to verify your VPN is properly protecting your connection again.

The Recommended Workflow for Public WiFi

This is the same sequence covered in depth in the public WiFi + VPN guide for Mac. If you want the background on what an unprotected open network actually exposes, read how public Wi-Fi affects your privacy.

  1. Before leaving home, note your VPN provider and its kill switch setting.
  2. When you arrive at the coffee shop, disconnect your VPN before joining the WiFi.
  3. Join the network, complete the captive portal login.
  4. Verify you have basic internet access (any website loads).
  5. Reconnect your VPN.
  6. Run a VPN leak test to confirm your traffic is protected.

Frequently Asked Questions

Should I turn off my VPN to connect to hotel WiFi?

Yes, briefly. Disconnect the VPN, join the network, complete the portal login, confirm a website loads, then reconnect the VPN immediately. The exposure window is under a minute, and some VPN apps offer a captive portal bypass setting that removes the need to disconnect at all.

What is a captive portal bypass setting in a VPN app?

It is a mode where the VPN temporarily lets the operating system's portal detection traffic travel outside the encrypted tunnel when you join a new network. That allows the login popup to appear while the rest of your traffic stays protected. Mullvad, Proton VPN, and ExpressVPN all ship a version of this feature.

Why does my Mac say connected to WiFi but nothing loads when the VPN is on?

Your Mac joined the network, but the captive portal never granted real internet access because the VPN answered the system's connectivity probe through its own tunnel. The VPN then cannot establish a working connection either, especially with a kill switch enabled. Disconnect the VPN, log in through the portal, and reconnect.

Related Guides

Captive Portal Fix Public WiFi + VPN VPN Leak Test VPN Guide