Why Your VPN Blocks the Coffee Shop WiFi Login Screen

Your VPN is doing exactly what it was designed to do - but that design clashes with how public WiFi networks grant access. Understanding why this happens makes the fix obvious, and it only takes about 60 seconds to apply.

The Technical Explanation

When a Mac joins a new WiFi network, a background service called captiveagent sends an HTTP probe request to captive.apple.com. If the server responds with the expected success page, the Mac assumes the network is open. If anything else comes back (like a redirect to a portal login page), the Mac launches the Captive Network Assistant popup.

When your VPN is running:

  1. Mac's probe request enters the VPN tunnel before it ever reaches the router.
  2. The encrypted packet goes directly to your VPN server - bypassing the coffee shop router entirely.
  3. Your VPN server fetches captive.apple.com normally and returns the success response.
  4. Mac sees a success response and concludes the network is open, so the popup never launches.
  5. But your actual browser traffic is still being blocked by the portal because you never logged in.
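
The sequence above can be modeled in a few lines. This is an added example, not Apple's code or anything from a VPN vendor: a simplified version of the probe check, run over constructed HTTP responses. The success marker string, the function names and the portal.example host are assumptions made for illustration.

```python
# Simplified model of the probe check described above (added example, not Apple's code).
# Assumption: the expected success page carries this title.
SUCCESS_MARKER = "<TITLE>Success</TITLE>"
REDIRECTS = {301, 302, 303, 307, 308}

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify_probe(raw):
    """Return 'open' only for the expected success page; anything else means a portal."""
    status, headers, body = parse_response(raw)
    if status == 200 and SUCCESS_MARKER in body:
        return "open"
    if status in REDIRECTS and "location" in headers:
        return "captive (redirect to %s)" % headers["location"]
    return "captive (unexpected response)"

# Constructed sample responses; portal.example is a placeholder host.
FROM_VPN_SERVER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>")
FROM_PORTAL_302 = "HTTP/1.1 302 Found\r\nLocation: http://portal.example/login\r\n\r\n"
FROM_PORTAL_200 = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   "<html><title>Coffee Shop WiFi</title>Accept terms to continue</html>")

def probe_result(vpn_up, portal_reply=FROM_PORTAL_302):
    """With the VPN up the probe is answered via the tunnel, never by the portal."""
    return classify_probe(FROM_VPN_SERVER if vpn_up else portal_reply)

if __name__ == "__main__":
    for vpn_up in (False, True):
        print("VPN up:", vpn_up, "->", probe_result(vpn_up))
    print("Portal serving its own page:", probe_result(False, FROM_PORTAL_200))
```

With the VPN up the classifier reports "open" even though the portal has not been satisfied, which is the false negative that keeps the login popup from appearing.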

The VPN Kill Switch Makes It Worse

If your VPN has a kill switch enabled (which it should on a serious VPN), all traffic that cannot route through the VPN tunnel is blocked entirely. This means even if the captive portal could somehow intercept your request, the kill switch would drop it before it leaves your device. You end up completely stuck - the captive portal cannot reach you, and the VPN cannot connect until you have internet access from the portal.

How to Get Around It

Method                                           | Works With Kill Switch | Difficulty
Disconnect VPN, log in to portal, reconnect VPN  | Yes                    | Easy
Enable "bypass captive portal" in VPN app        | Depends on VPN         | Easy (if available)
Use split tunneling to exclude portal traffic    | No                     | Medium
Open Safari, visit http://neverssl.com           | No                     | Easy (sometimes works)
Use Mac WiFi Diagnostics to bypass               | No                     | Medium

VPNs With Built-in Captive Portal Support

Some VPN providers have added a "captive portal bypass" mode. When enabled, the VPN temporarily releases control of traffic on port 80 when it detects a new network join, allowing the captive portal to redirect you. Look for this setting in your VPN app under names like:

  • Allow LAN (local area network) traffic
  • Bypass captive portals
  • Allow access to local network
  • Detect and handle captive portals

Mullvad, Proton VPN, and ExpressVPN all have versions of this feature. NordVPN and Surfshark require a manual disconnect/reconnect workflow.

ⓘ Run our VPN leak test after reconnecting to public WiFi to verify your VPN is properly protecting your connection again.

The Recommended Workflow for Public WiFi

  1. Before leaving home, note your VPN provider and its kill switch setting.
  2. When you arrive at the coffee shop, disconnect your VPN before joining the WiFi.
  3. Join the network and complete the captive portal login.
  4. Verify you have basic internet access (any website loads).
  5. Reconnect your VPN.
  6. Run a VPN leak test to confirm your traffic is protected.
