Public Wi‑Fi Is a Trap (and How a VPN Helps)
I was in an airport lounge, half-asleep, trying to push a patch before boarding. The Wi‑Fi list showed two networks with the same name, and one of them had “_5G” stuck on the end like a badge of honor.
Public Wi‑Fi lies.
Most of the time, it’s not actively malicious. It’s just sloppy, crowded, and easy to abuse. And because it’s “free,” people treat it like tap water. You connect, you forget, you start doing real work.
The problem isn’t the coffee shop, it’s the shared air
On a typical home network, you’re behind a router you control, with devices you (mostly) trust. On public Wi‑Fi, you’re on a shared local network with strangers, all shouting into the same room.
If you’ve ever run Wireshark on an open hotspot, you know the feeling. It’s a flood of ARP chatter, mDNS, random broadcasts, and devices advertising services they never should have exposed outside their living room. Add one bored attacker with a laptop and tools like Bettercap, and the network turns into a playground.
The core issue is proximity. On Wi‑Fi, being “nearby” is enough to start messing with traffic flows.
Even if the website you’re using is properly encrypted, there are still other things an attacker can do locally: trick your device into talking to them first, mess with DNS, or push you toward a fake login page that looks right at a glance.
The attacks I keep seeing on public networks
Some of these are old. They still work because people are tired, rushed, and staring at tiny phone screens.
- Evil twin hotspots: a fake access point named like the real one (“HotelGuest” vs “HotelGuest_”) so you connect to the attacker.
- Captive portal phishing: a “sign in to Wi‑Fi” page that asks for email, a Google login, or a room number plus birthday.
- ARP spoofing / man-in-the-middle: the attacker convinces devices they’re the gateway, then relays traffic while watching metadata and trying downgrade tricks.
- DNS spoofing: your browser asks for bank.com, the network hands back the wrong IP, and you land on a convincing clone.
- Local network poking: scanning for open SMB shares, exposed printers, or misconfigured AirPlay/Chromecast endpoints.
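From the defender's side, the ARP spoofing item above leaves a visible trace in your own neighbour table: the gateway's MAC changes, or the same MAC answers for the gateway and for another host. The following is an added example, not code from the original article; it compares two constructed `ip neigh show` snapshots from a Linux laptop, and the addresses, MACs and the `wlan0` interface name are assumptions.

```python
import re
from collections import defaultdict

# Constructed `ip neigh show` snapshots (Linux), taken a few minutes apart.
BEFORE = """\
192.168.1.1 dev wlan0 lladdr a4:2b:b0:11:22:33 REACHABLE
192.168.1.23 dev wlan0 lladdr 3c:22:fb:aa:bb:cc STALE
192.168.1.57 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
"""
AFTER = """\
192.168.1.1 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.23 dev wlan0 lladdr 3c:22:fb:aa:bb:cc STALE
192.168.1.57 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.80 dev wlan0 FAILED
"""
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac} for entries with a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def arp_findings(gateway_ip, before, after):
    """Compare two snapshots and list indicators that the gateway is being impersonated."""
    old, new = parse_neigh(before), parse_neigh(after)
    findings = []
    gw_old, gw_new = old.get(gateway_ip), new.get(gateway_ip)
    if gw_old and gw_new and gw_old != gw_new:
        findings.append(f"gateway {gateway_ip} MAC changed {gw_old} -> {gw_new}")
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    # The gateway's MAC should belong to the gateway alone.
    shared = [ip for ip in by_mac.get(gw_new, []) if ip != gateway_ip]
    if shared:
        findings.append(f"gateway MAC {gw_new} also claimed by {', '.join(sorted(shared))}")
    return findings

if __name__ == "__main__":
    for finding in arp_findings("192.168.1.1", BEFORE, AFTER):
        print("WARN:", finding)
```

A finding is an indicator, not proof: treat it as a reason to drop the network or bring the VPN up before doing anything else.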
Does this mean every café has someone running an evil twin? No. But it only takes one time to make you cautious.
“But it’s HTTPS, I’m fine,” right?
HTTPS (TLS) saved the internet. Full stop. If you’re using modern browsers, HSTS, and apps that validate certificates correctly, a lot of classic sniffing attacks turn into useless noise.
The catch is that “a lot” isn’t “all.”
Here’s what still bites people in practice:
First, captive portals are a special kind of annoying. Before you can get online, the network wants you to open a browser and accept terms. That moment is a sweet spot for phishing because users expect something weird to pop up. On phones, the captive portal window is stripped down, so you don’t see as much URL context.
Second, DNS still matters. If your device is using the hotspot’s DNS server, a hostile network can try to lie to you. DNS over HTTPS helps, but not every app uses it, and some devices quietly fall back.
Third, there’s the “metadata problem.” Even when your content is encrypted, the local network can often see where you’re connecting (destination IPs), timing, and how much data you’re moving. QUIC over UDP and TLS over TCP 443 don’t hide the fact you’re talking to something.
And finally, apps aren’t always as careful as browsers. I’ve seen mobile apps that do the wrong thing with certificate validation, especially on older Android builds or in weird embedded webviews.
What a VPN actually changes on public Wi‑Fi
A VPN doesn’t sprinkle magic dust on a bad network. What it does is simple: it creates an encrypted tunnel from your device to a server you trust, so the sketchy local network can’t see or tamper with your traffic in the middle.
When it’s working, it changes the risk profile in a few practical ways:
You stop caring about local snooping. The person two tables over can capture packets all day and mostly get ciphertext.
You stop trusting hotspot DNS. A decent VPN will route your DNS requests through the tunnel, so DNS spoofing at the café level becomes much harder.
You reduce the blast radius of “evil twin” Wi‑Fi. Even if you accidentally join the wrong network, the attacker is stuck staring at an encrypted tunnel instead of your sessions.
It also changes what breaks.
VPNs add overhead. On mobile, that means extra battery use, especially if you’re on a flaky signal with packet loss and the tunnel keeps renegotiating. Some networks also block or throttle UDP, which can make WireGuard feel amazing one minute and unusable the next. If you’ve ever had to switch a tunnel from UDP to TCP in a hotel at midnight, you know.
Protocol choice matters here. WireGuard is usually my default because it’s fast and stable, but there are environments where you need other options or disguises.
A short list of protocols and transports you’ll run into:
- WireGuard (UDP by design, great performance when the network isn’t hostile)
- IKEv2 (often solid on iOS, quick to reconnect when switching between LTE and Wi‑Fi)
- OpenVPN (heavier, but sometimes easier to force through restrictive networks)
- VLESS+REALITY and Shadowsocks-2022 (more “censorship-circumvention” than classic VPN, commonly used with clients like Hiddify, NekoBox, V2RayNG, and Shadowrocket)
If you’re shopping for a service, I’d look at the boring stuff before anything else: clear protocol support, a kill switch that actually works on your OS, and sane DNS handling. If you want a quick checklist of what DuduVPN exposes and how it’s intended to behave, the DuduVPN features page is the right place to start.
The stuff I do every time before joining public Wi‑Fi
I don’t treat this as paranoia. It’s just hygiene.
First, I turn off auto-join. iOS and Android both love remembering networks forever. That’s how you end up connecting to “CoffeeShopWiFi” two weeks later in a different neighborhood, because an attacker copied the SSID.
Second, I make sure I’m on the right network profile. On Windows, set the network to Public so file sharing and discovery aren’t casually exposed. On macOS, check you’re not sharing files or printers. On Linux, don’t leave Samba open and assume no one will notice.
Third, I connect the VPN before opening anything sensitive. Email, Slack, GitHub, banking, password managers. I don’t wait for the “something feels off” moment.
If I’m traveling with multiple devices, I sometimes bring a small travel router running OpenWrt (or a GL.iNet box) and put the VPN on that. It’s less fiddly than managing tunnels on a laptop, a phone, and a tablet separately, and it keeps random IoT-ish gadgets off the raw hotspot.
One more thing: keep an eye on the VPN icon after sleep/wake. Mobile networks love to “help” by pausing background activity, and some VPN apps need a nudge to reestablish the tunnel cleanly.
When a VPN won’t save you
A VPN doesn’t stop you from handing your password to a fake captive portal. It also doesn’t fix a compromised device, a shady browser extension, or a laptop that’s been running without updates since last winter.
And it won’t make a bad hotspot fast. If the Wi‑Fi is saturated, you’ll still feel it. The VPN can even make it feel slightly worse because you’ve added an extra hop and encryption work.
If you’re hitting weird issues, it’s usually one of these: the network blocks VPN traffic, your MTU is wrong (symptoms look like “some sites load, some hang”), or the tunnel keeps flapping due to packet loss. That’s the moment to check the provider’s troubleshooting docs. The DuduVPN FAQ should answer the common “why does this hotel Wi‑Fi hate me” questions without sending you down a Reddit rabbit hole.
Picking a VPN like you actually plan to use it
The hardest part of VPNs isn’t the crypto. It’s behavior under stress.
Does it reconnect quickly when you walk out of the café and your phone switches to LTE? Does it fail closed (kill switch) when the tunnel drops, or does your laptop quietly fall back to the open network? Can you pin a server location when you need consistency, or does it bounce you around?
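One way to test the fail-closed question, and the earlier point about DNS going through the tunnel, is to look at which interface the system would actually use for a probe address and for each configured resolver. This is an added example, not code from the original article or from any VPN client; it parses constructed Linux samples of `/etc/resolv.conf` and `ip route get <addr>` output, and the interface names `wg0` and `wlan0` and all addresses are assumptions.

```python
import re

# Constructed samples: resolv.conf text and `ip route get <addr>` output (Linux).
# wg0 = tunnel, wlan0 = hotspot; 203.0.113.10 is a documentation address used as probe.
RESOLV_UP = "nameserver 10.8.0.1\n"
ROUTES_UP = {
    "203.0.113.10": "203.0.113.10 dev wg0 table 51820 src 10.8.0.2 uid 1000\n    cache",
    "10.8.0.1": "10.8.0.1 dev wg0 src 10.8.0.2 uid 1000\n    cache",
}
RESOLV_DROPPED = "# set by DHCP\nnameserver 192.168.1.1\n"
ROUTES_DROPPED = {
    "203.0.113.10": "203.0.113.10 via 192.168.1.1 dev wlan0 src 192.168.1.42 uid 1000\n    cache",
    "192.168.1.1": "192.168.1.1 dev wlan0 src 192.168.1.42 uid 1000\n    cache",
}

def nameservers(resolv_conf):
    """IPs from the `nameserver` lines of a resolv.conf-style file."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)

def egress_dev(route_get_output):
    """Interface named after `dev` in `ip route get` output, or None if absent."""
    m = re.search(r"\bdev\s+(\S+)", route_get_output)
    return m.group(1) if m else None

def audit(resolv_conf, route_get, tunnel_dev, probe_ip):
    """Return (target, verdict) pairs: tunnel, LEAK via <dev>, blocked or local-stub."""
    targets = [("probe " + probe_ip, probe_ip)]
    targets += [("dns " + ns, ns) for ns in nameservers(resolv_conf)]
    results = []
    for label, ip in targets:
        if ip.startswith("127.") or ip == "::1":
            results.append((label, "local-stub"))  # upstream resolver not visible here
            continue
        # Assumption: empty output stands for a lookup that found no route (fail closed).
        dev = egress_dev(route_get.get(ip, ""))
        if dev is None:
            verdict = "blocked"
        elif dev == tunnel_dev:
            verdict = "tunnel"
        else:
            verdict = "LEAK via " + dev
        results.append((label, verdict))
    return results

if __name__ == "__main__":
    for name, (rc, rt) in {"up": (RESOLV_UP, ROUTES_UP), "dropped": (RESOLV_DROPPED, ROUTES_DROPPED)}.items():
        print(name, audit(rc, rt, "wg0", "203.0.113.10"))
```

Run the same check right after a sleep/wake cycle or a Wi‑Fi to LTE switch: a client that fails closed should show `tunnel` or `blocked`, never `LEAK`.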
Also, be honest about your own habits. If you’re only going to toggle a VPN on once a week, you want something that’s one tap, not a weekend project.
If you’re comparing providers, you’ll end up looking at plans sooner or later. The DuduVPN pricing page is straightforward enough to sanity-check what you’re paying for versus how many devices you’ll actually connect.
Near the end of my own checklist, I tend to land on “does it work in the places I go.” If you want to try it, start with DuduVPN and set it up once, then keep the Telegram bot handy for quick config help when you’re on the road.
Don’t join a hotspot until you’ve turned off auto-join and your VPN is already connected.