VPN for Public Wi-Fi in the UK (2025): Safe Coffee-Shop & Travel Setup

TL;DR — quick preset

Full presets: Best VPN Settings (UK) • Protocols: WireGuard vs OpenVPN vs IKEv2.

Why public Wi-Fi is risky

• Open networks expose your device metadata and can be trivially spoofed (evil-twin SSIDs).
• Shared LANs let others attempt snooping or ARP/DNS mischief if your device is lax.
• Captive portals sometimes inject scripts or block UDP traffic that VPNs use.

Reminder: A VPN encrypts your traffic and hides destinations from local observers, but it won’t stop phishing or malware. Keep your browser and OS updated and be wary of prompts from captive pages.

Best VPN settings for UK public Wi-Fi

• Auto-connect on untrusted Wi-Fi: ON.
• Kill switch: ON (system-level on Android “Block connections without VPN”).
• DNS leak protection: ON; ensure the app uses provider DNS.
• Protocol order: WireGuard/NordLynx → fallback to OpenVPN TCP/443 for hotels/campuses.
• Split tunneling (optional): keep banking and browsers inside the tunnel; exclude only apps that refuse VPNs.

Step-by-step: iOS • Android • Windows • macOS

iOS/iPadOS

• Settings inside the app: WireGuard/NordLynx, Auto-connect on untrusted Wi-Fi.
• Disable iCloud Private Relay while testing/leak-checking.
• If roaming frequently, IKEv2 can be a stable alternative; switch back to WG for speed later.

Android

• System: Settings → Network & internet → VPN → ⚙ → Always-on + Block connections without VPN.
• Prefer WireGuard; if captive portal blocks, connect to Wi-Fi, complete portal, then use TCP/443.

Windows 10/11

• Use the provider app (WG first; TCP/443 fallback). Enable kill switch and DNS leak protection.
• After connecting: cmd → ipconfig /flushdns if sites feel “sticky”.

macOS

• Use the native app (system extension). Enable kill switch.
• Flush DNS if needed: sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder.

Captive portals & strict networks

1. Join Wi-Fi first and complete the portal login on http://example.com if it doesn’t pop automatically.
2. Once online, connect the VPN. If it fails, switch protocol to OpenVPN TCP/443.
3. If the portal keeps returning, temporarily disconnect VPN, finish the portal, then reconnect.

TCP/443 often fixes hotels, trains and offices that throttle UDP/WireGuard. Switch back to WireGuard for speed later.

IP/DNS/WebRTC leak checks

1. Disconnect VPN → check baseline IP (country/ISP).
2. Connect VPN (UK) → confirm the IP shows UK and a VPN ASN.
3. Run extended DNS + WebRTC tests → make sure no ISP resolvers appear.

Full walkthrough: IP/DNS/WebRTC leaks — UK.

Travel & work tips

• Prefer 5 GHz Wi-Fi or tether to your phone if the café network is sketchy.
• Turn off sharing (printer/file discovery) on laptops when on public networks.
• Browser hygiene: use HTTPS-only mode and a tracker-blocking extension alongside the VPN.
• Don’t trust captive downloads: avoid driver/browser updates offered by login pages.

See also: Best VPN Settings (UK) • Protocols.

Video: Public Wi-Fi safety with a VPN — UK quick guide

FAQ

Is using a VPN on public Wi-Fi legal in the UK?

Yes. VPNs are legal. Always follow local laws and platform terms.

Which protocol is best for cafés and hotels?

Start with WireGuard/NordLynx. If the network is strict or flaky, use OpenVPN TCP/443.

Do I connect the VPN before or after the captive portal?

After. Join the Wi-Fi and complete the login page first, then connect the VPN.

Does a VPN stop phishing and malware?

No. It encrypts your traffic and hides destinations from local observers. Still use good browser hygiene and updates.