The scene: you're at Shanghai Pudong Airport waiting for a delayed flight. You pull out your phone, connect to "Shanghai-Airport-Free-WiFi," fire up your VPN, scroll through Instagram, reply to a few Gmail messages, and check your bank balance.

Everything seems perfectly normal. But what you might not know is that the WiFi you just connected to isn't the airport's official network at all.

I'm Xiaolu, cybersecurity master's degree holder, former KPMG consultant, and currently a full-time privacy enthusiast. Today I want to have a serious conversation about something: when you use a VPN on public WiFi, you think turning on the VPN makes you safe, but the truth is there are far more pitfalls than you'd expect.

This isn't meant to scare you. By the end of this article, you'll know exactly where those pitfalls are and how to avoid them.


5 Major Security Risks of Public WiFi

Let's get one thing clear first: public WiFi is a high-risk environment by itself, regardless of whether you're bypassing internet censorship.

1. Man-in-the-Middle Attack (MITM): Fake WiFi, Real Eavesdropping

This is the classic technique. An attacker sets up a hotspot called "Starbucks-Free-WiFi" at Starbucks — identical to the real one. Your phone sees the stronger signal and auto-connects. Congratulations — all your network traffic is now flowing through the attacker's device.

This isn't some elite hacking skill. A laptop, a $20 WiFi adapter, and free open-source tools — any second-year cybersecurity student can pull it off. In high-traffic places like airports, hotels, and cafes, you simply cannot tell which one is real and which is fake.

2. DNS Hijacking: Connected to the Real WiFi, Still Getting Scammed

OK, so you've confirmed it's the official WiFi. Safe now? Not so fast.

DNS is like the internet's phone book — you type "google.com" and the DNS server tells your phone which IP to connect to. But if the public WiFi's DNS has been tampered with, typing "google.com" might redirect you to a pixel-perfect phishing site. You enter your username and password — and they're stolen.

The insidious part is that DNS hijacking shows virtually no visible signs. The URL bar looks normal, the page looks normal — you wouldn't suspect a thing.

3. Session Hijacking: Stealing Your Cookies

You log into Facebook, and your browser stores a Session Cookie so you don't have to log in again. But on unencrypted public WiFi, an attacker can intercept that cookie and impersonate you — logging into your account without ever needing your password.

While most major websites now use HTTPS encryption, not every site implements it properly. And some older browsers or apps may transmit unencrypted data in the background without you knowing.

4. Captive Portals: Information Harvesting

You've definitely seen this: connect to WiFi and a page pops up asking for your phone number, email, or a WeChat QR code scan before you can get online.

The truth is, all that information gets logged. In mainland China, public WiFi captive portals typically require phone number verification, which means your online behavior can be tied to your real identity. Everything you do after that — how long you're connected, which websites you visit — is all on record.

5. WiFi Sniffing: Passive Eavesdropping You'll Never Detect

Even if an attacker does nothing but "listen," it's dangerous enough. WiFi sniffing tools can passively capture all unencrypted traffic on the same network — web pages browsed, files transferred, even chat content from certain apps.

The scariest part is that this attack is completely passive — it generates no abnormal traffic, and your phone won't trigger any alerts. You might be comfortably scrolling your phone in a hotel lobby while the person at the next table is watching everything on their laptop.


How Much Can a VPN Actually Protect You? Less Than You Think

Many people's security strategy is: connect to public WiFi → turn on VPN → browse safely.

The general logic isn't wrong, but there are 4 critical blind spots you need to know about.

What a VPN CAN do

A VPN creates an encrypted tunnel between your device and the VPN server. Once the connection is established, your network traffic is encrypted, and anyone in the middle sees nothing but gibberish. This effectively prevents most eavesdropping and attacks.

Blind Spot 1: Those Few Seconds Before the VPN Connects Are Unprotected

You connect to public WiFi, then open the VPN app and tap connect. Before the VPN actually establishes — usually 2-10 seconds — your device has already sent a flurry of background requests: DNS queries, app push notifications, email syncing, system update checks...

During those few seconds of "gap time," your real IP, DNS requests, and even some app data are fully exposed. If someone is monitoring, those seconds are enough.

Blind Spot 2: DNS Leak — Traffic Encrypted But DNS Queries Aren't

Some improperly configured VPNs let DNS queries travel through the local network instead of the VPN tunnel. The result: your network traffic is encrypted, but which websites you looked up is visible to anyone watching the local network.

It's like sending a sealed letter, but the envelope has the recipient's address visible to everyone. The attacker doesn't know what you said to that website, but they know which websites you visited — and sometimes that's enough.

Blind Spot 3: Already-Leaked Cookies Can't Be Saved

If you logged into a website before the VPN connection was established, that Session Cookie has already been transmitted in an unencrypted state. Turning on the VPN afterward doesn't help — the cookie was already stolen.

Blind Spot 4: You Might Not Notice When the VPN Disconnects

Public WiFi signals are unstable, and VPN connections drop easily. If your VPN doesn't have a Kill Switch (automatic internet cutoff on disconnect), your traffic reverts to an unencrypted state during the disconnected period — and you might not notice at all, still scrolling through Instagram.
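As an added illustration of Blind Spot 2 (this is my example, not code from the article), the Python below runs a longest-prefix route lookup for each DNS server in a resolv.conf-style file against a constructed routing table of the kind a VPN client installs, and reports any resolver whose queries would leave through the WiFi interface instead of the tunnel. Removing the tunnel routes shows the Blind Spot 4 fallback: with no kill switch, the same lookup silently lands on the WiFi interface. All interface names, prefixes and addresses are constructed.

```python
import ipaddress

# Constructed example data (not captured from a real device).
# Kernel-style routing table: (destination prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "wlan0"),        # default route via the WiFi router
    ("0.0.0.0/1", "tun0"),         # VPN client claims the whole address space...
    ("128.0.0.0/1", "tun0"),       # ...as two /1 halves that beat the /0 default
    ("192.168.43.0/24", "wlan0"),  # the public WiFi LAN itself
    ("203.0.113.7/32", "wlan0"),   # host route so the VPN server stays reachable
]

# Resolver configuration as the WiFi's DHCP server might push it.
RESOLV_CONF = """\
# constructed /etc/resolv.conf
nameserver 192.168.43.1
nameserver 10.8.0.1
search lan
"""

def parse_nameservers(text):
    """Pull the nameserver addresses out of resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def egress_interface(destination, routes):
    """Longest-prefix match: the interface a packet to `destination` leaves on."""
    dst = ipaddress.ip_address(destination)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def leaking_resolvers(nameservers, routes, tunnel_iface="tun0"):
    """DNS servers whose queries bypass the tunnel: the leak in Blind Spot 2."""
    return [(ns, egress_interface(ns, routes)) for ns in nameservers
            if egress_interface(ns, routes) != tunnel_iface]

def routes_without_tunnel(routes, tunnel_iface="tun0"):
    """Routing table after the VPN drops (Blind Spot 4): all traffic reverts to WiFi."""
    return [r for r in routes if r[1] != tunnel_iface]
```

Calling `leaking_resolvers(parse_nameservers(RESOLV_CONF), ROUTES)` reports the LAN resolver 192.168.43.1 as leaking via wlan0 while 10.8.0.1 stays inside tun0.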

For more VPN basics, check out What Is a VPN? A Beginner's Guide.


Using Public WiFi to Bypass Censorship in China: Additional Risks

If you're on public WiFi in mainland China trying to get past the Great Firewall, the risks stack up even higher.

WiFi Real-Name Registration

Since 2024, the vast majority of public WiFi in mainland China requires phone number verification, and some locations even demand national ID numbers or facial recognition. This means your censorship-bypassing activity can be directly traced to your real identity.

At airports, high-speed rail stations, and hotels, the moment you scan to connect to WiFi, who you are, when you went online, and how long you were connected — it's all on record.

Anti-Fraud Apps May Detect VPN Connections

In recent years, China has been promoting the "National Anti-Fraud Center" app, which some regions require people to install. These apps have network monitoring capabilities and may detect VPN connection behavior and report it. While there haven't been widespread cases of punishment through this channel yet, the risk exists.

To understand the legal risks of using a VPN in China, see Is Using a VPN Illegal in China?

Some WiFi Networks Actively Block VPNs

Certain public WiFi networks (especially at government buildings, state-owned enterprises, and some hotel chains) actively detect and block common VPN protocols. You might find that after connecting to WiFi at certain locations, your VPN just won't connect — it's not broken, it's being blocked.

If you're dealing with this, check out VPN Won't Connect? Here's How to Fix It.

Deep Packet Inspection (DPI)

Mainland China's network infrastructure employs deep packet inspection technology. On some public WiFi networks, DPI doesn't just block VPNs — it also logs the fact that you "attempted to bypass censorship" in the first place. Even if you ultimately failed to get through, the record of your attempt may be retained.

For the latest on blocking developments, see 2026 Q2 China Great Firewall Update.


Public WiFi Self-Protection Checklist (10 Items)

Alright, risks covered. Now for the practical stuff. Here's my personal standard operating procedure when using public WiFi:

Before Connecting

1. Turn on VPN before connecting to WiFi: Order matters. Start the VPN first (put it in a waiting-to-connect state), then connect to WiFi. This minimizes the unprotected gap.
2. Verify the WiFi name: Confirm the official WiFi name with staff. Don't just connect to anything that looks right. Watch out: attackers commonly add a space or underscore to the end of the legitimate name.
3. Disable auto-connect: Turn off "auto-join known networks" in your phone settings to prevent connecting to malicious hotspots without your knowledge.

While Connected

4. Confirm the VPN is actually running: After connecting to WiFi, verify the VPN status shows "Connected" and the VPN icon appears at the top of your phone.
5. Don't log into sensitive accounts: Even with a VPN on, avoid logging into online banking, important email, or any financial accounts on public WiFi. If it can wait until you're home on your own network, wait.
6. Only use HTTPS websites: Check for the lock icon in the browser address bar. If it's not there, close the site.
7. Close unnecessary apps: Apps you're not actively using but are syncing in the background (social media, email, cloud storage) are all potential leak points on public WiFi.

After Disconnecting

8. Forget the network: After you're done, go to WiFi settings and select "Forget This Network" to prevent auto-connecting next time.
9. Clear browser cookies: Especially if you started browsing before the VPN was connected.
10. Watch for unusual notifications: Over the next few days, look out for "unusual login" notification emails. If you get one, change your password immediately and enable two-factor authentication.

Risk Levels by Location

Not all public WiFi is equally dangerous. Here's my personal risk classification:

Location | Risk Level | Primary Risks | Recommendation
Airport (international) | Medium | MITM, sniffing | Turn on VPN before connecting; avoid sensitive operations
Airport (mainland China) | High | Real-name registration + DPI + MITM | Use mobile data if possible
Chain coffee shops | Medium | Fake hotspots, sniffing | Confirm WiFi name with staff
Hotels | Medium-high | DNS hijacking, captive portal data collection | Verify VPN is working properly
Train stations (mainland China) | High | Real-name registration + VPN blocking | Use mobile data for circumvention
Co-working spaces | Medium | Sniffing, session hijacking | Use VPN + avoid sensitive operations

If you're heading to mainland China for a business trip, it's strongly recommended to prepare your circumvention tools in advance. Check out our Business Trip to China VPN Guide.


(Quick plug time)

Alright, after all those risks, time for a quick recommendation.

Sunset Browser has done quite a bit of optimization for public WiFi environments — with its proprietary encrypted tunnel technology, multiple layers of encryption plus traffic obfuscation, and fast enough connection establishment to minimize that dangerous unprotected gap. Most importantly, it doesn't log your browsing history, so you can rest easy on that front.

Free users can watch a short ad for 30 minutes of access — plenty to scroll through social media at an airport lounge.

Alright, plug over. Let's wrap up with the final bit of substance.


FAQ

Am I safe on public WiFi if I turn on a VPN?

Not entirely. A VPN encrypts your network traffic and significantly improves security, but there are blind spots: the gap before VPN connects, DNS leaks, and unprotected periods when VPN disconnects. A VPN is the most important layer of protection, but it's not the only one.

Can my censorship-bypassing activity be detected on public WiFi?

On public WiFi in mainland China, the risk is indeed higher. WiFi real-name registration means your activity can be traced to your real identity, and deep packet inspection technology makes VPN detection possible. When bypassing censorship in mainland China, prioritize mobile data over public WiFi.

How can I tell if a WiFi network is fake?

It's very difficult. Fake WiFi hotspots can perfectly mimic real ones, including the name and login page. The safest approach: confirm the official WiFi name with on-site staff, watch for duplicate network names, and turn on your VPN immediately after connecting. If the same name appears twice, the weaker signal might actually be the real one (since fakes typically boost their power to attract connections).
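As an added example for checklist item 2 and this answer (my illustration, not code from the article), the Python below takes the SSID you confirmed with staff plus a scan list and flags names that differ from it only by a trailing space or underscore, by case, or by a character or two. The SSIDs, BSSIDs and signal values are constructed. An exact name match only means the name matches; as the answer says, a fake can copy it perfectly, so that verdict is a name check, not proof of legitimacy.

```python
import unicodedata

# The name confirmed with on-site staff (checklist step 2). Constructed value.
OFFICIAL_SSID = "Shanghai-Airport-Free-WiFi"

# Constructed scan results, not captured from a real network: (ssid, bssid, rssi_dbm).
SAMPLE_SCAN = [
    ("Shanghai-Airport-Free-WiFi", "aa:bb:cc:00:00:01", -61),
    ("Shanghai-Airport-Free-WiFi ", "de:ad:be:ef:00:02", -40),  # trailing space
    ("Shanghai-Airport-Free-WiFi_", "de:ad:be:ef:00:03", -42),  # trailing underscore
    ("Shanghai-Airport-Free-WlFi", "de:ad:be:ef:00:04", -45),   # lowercase L for i
    ("Shanghai-Airport-Free-WiFi", "aa:bb:cc:00:00:05", -70),   # second AP, same name
    ("HotelGuest", "11:22:33:44:55:66", -55),
]

def canonical(ssid):
    """Collapse the tricks the article describes: case, Unicode look-alike forms,
    and appended spaces, underscores or other punctuation."""
    text = unicodedata.normalize("NFKC", ssid).casefold()
    return "".join(ch for ch in text if ch.isalnum())

def edit_distance(a, b):
    """Levenshtein distance, so one or two swapped characters still count as close."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(ssid, official=OFFICIAL_SSID):
    """'official-name' means only that the name matches; it cannot prove the AP is genuine."""
    if ssid == official:
        return "official-name"
    if edit_distance(canonical(ssid), canonical(official)) <= 2:
        return "lookalike"
    return "unrelated"

def review_scan(scan, official=OFFICIAL_SSID):
    """Group a scan by verdict. Several APs broadcasting the exact official name is
    normal in a large venue, so that group is informational, not an alarm."""
    report = {"official-name": [], "lookalike": [], "unrelated": []}
    for ssid, bssid, rssi in scan:
        report[classify(ssid, official)].append((ssid, bssid, rssi))
    return report
```

On the constructed scan, `review_scan(SAMPLE_SCAN)` puts the three doctored names under "lookalike" and leaves the two exact-name APs for you to verify by other means.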

Is mobile data safer than public WiFi?

Generally, yes. Mobile data is encrypted through your carrier, making man-in-the-middle attacks far more difficult than on public WiFi. When bypassing censorship in mainland China, mobile data at least eliminates the "public WiFi real-name registration + fake hotspot" risks. Of course, mobile data isn't completely safe either — you should still use a VPN.

Is hotel WiFi safer than coffee shop WiFi?

Not necessarily. Hotel WiFi usually has a password, which feels more secure than open coffee shop WiFi, but guests share the same network, so sniffing risks remain. And hotel captive portals typically request more personal information (name, room number, passport number), creating leak risks no lower than at a coffee shop.


Conclusion: Public WiFi Isn't Off-Limits — Just Use Your Head

I'm not telling you to never connect to public WiFi again — that's unrealistic. But I hope that every time you connect to free WiFi, there's a checklist running in your head: WiFi name verified? VPN on? Am I doing anything sensitive?

The truth is, public WiFi plus a VPN is currently the most practical combination, but a VPN isn't a magic shield — it has its limits. Knowing where those limits are is what truly protects you.

Next time you're waiting at an airport, remember: turn on the VPN first, then connect to WiFi. That order of operations might matter more than you think.