Stay safe on hotel Wi-Fi — and stay connected to home

If you'll stay on your own cellular plan in your own country and never touch shared Wi-Fi or sensitive accounts, a VPN is less critical. For essentially every international trip that involves Wi-Fi or remote-account access, it sits in the same essentials bracket as travel insurance and a power adapter.

• You'll log into anything from hotel, airport or café Wi-Fi: Open and shared networks are the biggest single reason travelers need a VPN. Anything you type — passwords, banking sessions, email — can be intercepted by other people on the same network without the right precautions. A VPN encrypts every byte before it leaves your device, which makes those intercepts unreadable.
• You want banking, payments and home apps to keep working: Many banks and payment providers detect a foreign IP address and lock the session as suspected fraud. A VPN routes your connection through a server in your home country so the bank sees a familiar address and lets you in. Without one, you may find yourself unable to check a balance, confirm a card payment or pass a two-factor prompt.
• Your usual streaming, news or sport library matters to you: Streaming services rotate their catalog by region because of licensing. News sites and sports broadcasters do the same. A VPN connection through your home country restores the library you actually pay for, including the live broadcasts you'd otherwise miss.
• Your destination has a restrictive network environment: Some networks block popular messaging apps, social platforms or cloud services. A VPN tunnels through that blocking because the local network sees only encrypted traffic to the VPN server, not which services you're actually using.

A VPN — Virtual Private Network — creates an encrypted tunnel between your device and a server run by the VPN provider. Everything you send goes through that tunnel before reaching the wider internet. To anyone watching the network — the hotel's Wi-Fi system, other guests on the same SSID, the local internet provider — your traffic is encrypted gibberish flowing to one server somewhere. They can't read your data, see which sites you visit or capture your passwords.

The VPN server then acts as the middleman. It receives your encrypted request, decrypts it, forwards it to the website or app you actually wanted, takes the reply, encrypts it again and sends it back through the tunnel to your device. From the website's point of view, the request came from the VPN server's location, not yours. That is why a VPN lets you keep using your bank and your streaming library: as far as those services can tell, you're still at home.

All of this happens continuously and invisibly. Once the VPN is connected, you use your phone or laptop exactly as you always do. Pages load, apps work, emails send and receive. The only difference is that everything is encrypted in flight and your real location is hidden.

Public Wi-Fi is the number one reason travelers reach for a VPN, and the risk is not theoretical. Hotel lobbies, airport terminals, station concourses and coffee shops all run open or shared networks. On those networks, an attacker with basic tools can place themselves between you and the router in what's called a man-in-the-middle attack — silently reading your data as it passes through. The more common variant is the evil twin: a fake hotspot named something like Hotel_Guest_WiFi that looks legitimate but is actually run by the attacker. Your device latches onto whichever signal is strongest, and from that moment everything you send goes through equipment you don't control.

Modern web pages mostly use HTTPS, which encrypts the contents of a single browser session. But HTTPS doesn't cover everything. It doesn't cover your email app checking for new mail in the background. It doesn't cover most messaging apps' metadata. It doesn't cover the DNS lookups that quietly reveal every domain you visit. A VPN encrypts all of that at the device level, before the network ever sees it. Even on a compromised Wi-Fi, the network operator gets nothing readable.

The other category is geo-aware services. Your bank's website detects a foreign IP address and triggers fraud prevention, locking the account until you call customer support — which is awkward when you're six time zones away. Streaming platforms show a different library or shut you out entirely. Airline and hotel booking sites sometimes nudge prices based on the location they detect. A VPN connection through a server in any country you choose lifts all of that. The bank sees you at home. The streaming service serves your usual library. The booking sites can't run their location-based pricing on you.

And on networks that filter aggressively — corporate Wi-Fi, some hotel networks, certain national filtering systems — a quality VPN tunnels straight through, because the filter sees only encrypted traffic to a VPN server. The services you're actually using stay invisible to the filter.

• A VPN does not make you anonymous: Your VPN provider can see your real IP address and which sites you connect to. Reputable providers commit to no-logging policies that have been audited by independent firms, but that's their word — you are trusting them. If true anonymity is your actual goal (unusual for the typical traveler), a VPN alone is not enough.
• A VPN slows your connection a little: Encryption costs a small amount of processing power and routing through a remote server adds distance. A quality provider typically costs you 10–30% of raw speed — barely noticeable for browsing and email, more noticeable for video calls and large downloads. Pick a server geographically close to wherever you actually are to minimize the hit.
• Some networks actively try to block VPNs: Some corporate Wi-Fi, some hotel captive portals and some filtering systems use deep packet inspection to identify and drop VPN traffic. Premium providers counter this with obfuscation features that disguise VPN traffic as ordinary HTTPS browsing. When a connection fails, switching protocol or turning on obfuscation usually solves it.
• Some services can spot VPN use: Banks and streaming services maintain lists of IP ranges belonging to known VPN providers. Some block those ranges outright; others let you in but flag the session for extra verification — an additional code, a temporary hold, a follow-up notification. That's security working as intended, not a defect. Telling your bank about travel dates before you leave reduces the friction substantially.

• Install on every device you'll travel with: Phone, laptop, tablet. Premium providers allow five to ten simultaneous connections on one account, so you can keep everything protected without juggling logins. Install the native app rather than a browser extension — extensions only encrypt browser tabs, native apps encrypt everything the device sends.
• Test against real workloads: Connect to a server in your home country and check the things you actually need: your bank logs in, your banking app's two-factor prompt arrives, your streaming library plays, your work tools load. Then try a server near your destination and confirm the same. If something fails at home, it will fail abroad — fix it now.
• Turn on the kill switch: The kill switch is the single most important feature for travel. It blocks all internet traffic if the VPN connection drops unexpectedly — which happens when a laptop wakes from sleep, when you switch Wi-Fi networks, or when the hotel link gets flaky. Without it, your device silently falls back to the unprotected network and your bank app may send a request with your real IP before you notice.
• Verify DNS leak protection: DNS queries translate website names into addresses. If those queries leak outside the VPN tunnel, anyone watching the network sees every domain you visit even though the page contents are encrypted. Quality VPN apps route DNS through the tunnel automatically, but it's worth confirming with a DNS leak test site while connected.
• Have a fallback protocol ready: If the default protocol can't connect at the destination, knowing how to switch matters. Most providers offer multiple options — WireGuard, OpenVPN, sometimes a proprietary obfuscation mode. Switching from WireGuard to OpenVPN-over-TCP-443 (which looks like ordinary web traffic to most filters) is the standard rescue move.

• Using a free VPN: Free VPN providers need revenue, and if you aren't paying with money, you are paying with data. Free providers commonly monetize by selling browsing data to advertisers, injecting ads into web pages or running resource-intensive processes on your device. Several well-known free apps have been caught doing all three. The security tool you installed to protect your data is mining it. A paid travel VPN costs less per month than a single airport coffee.
• Not testing before travel: Discovering on the road that the app won't install, the subscription has lapsed or the service is blocked at the destination is the worst time to find out. Downloading new apps and troubleshooting connectivity on a foreign network with potential language and bandwidth limits is far harder than doing it from your sofa.
• Leaving the VPN off on public Wi-Fi: The VPN only protects you when it's actually connected. Many travelers turn it on for banking but browse casually without it, exposing DNS queries, browsing history and any background app traffic that isn't individually encrypted. On public Wi-Fi the safest move is to leave the VPN on continuously.
• Forgetting to enable the kill switch: The VPN is active, you're browsing safely, then the hotel Wi-Fi drops for three seconds. Without a kill switch your device silently reconnects unprotected, your banking app sends a request with your real IP, and that brief window is enough for exposure. Kill switches exist for exactly that scenario — turn them on.
• Expecting total anonymity: A VPN protects you from local network threats and unlocks geo-restricted services. It does not make you invisible online. Your VPN provider, the websites you log into (through cookies and accounts) and your device itself can still identify you. For travel purposes the protection level is more than adequate — but it's worth understanding where the line sits.

When you tap Connect, your device and the VPN server run a cryptographic handshake. Both sides exchange encryption keys using asymmetric cryptography — a process that establishes a shared secret without ever transmitting that secret over the network. Once the handshake completes, all later traffic is encrypted with fast symmetric algorithms such as AES-256 or ChaCha20.

The two protocols you'll meet most often handle this differently. WireGuard is the modern default: a minimal, auditable codebase (roughly 4,000 lines of code, compared with hundreds of thousands for older protocols), UDP-only, and exceptionally efficient on mobile devices where battery life matters. Its main limitation is exactly that UDP-only stance — a network administrator can block it simply by dropping non-TCP traffic on unusual ports.

OpenVPN is the older, more flexible alternative. It can run over UDP or TCP, and when configured on TCP port 443 — the same port every HTTPS website uses — it becomes very hard for basic firewalls to tell apart from normal browsing. That makes OpenVPN the better choice on restrictive networks, even though it costs you a little speed compared with WireGuard.

Deep packet inspection is the technique advanced filtering systems use to identify VPN traffic even on standard ports. Every protocol has distinctive byte patterns in its packet headers — DPI examines those patterns to identify and block VPN connections. Obfuscation features counter this by randomizing packet headers and padding traffic so it matches the statistical profile of ordinary HTTPS browsing. It's an ongoing technical arms race between VPN providers and the systems that try to spot them.

A DNS leak happens when your device sends domain-name lookups outside the tunnel. Normally, when you visit a website, your device asks a DNS server to translate the domain name into an IP address. If that lookup goes to your internet provider's DNS server instead of the VPN's, the provider — and anyone watching the network — sees every site you visit, even though the page contents are encrypted. Quality VPN apps route all DNS through the tunnel automatically, but a leak-test page is the easy way to verify.

• Isn't my iPhone already doing this with iCloud Private Relay?: Not quite. Private Relay is a Safari and Mail feature, not a system-wide VPN — it does not encrypt the traffic from your banking app, your email client other than Apple Mail, your messaging apps or anything else outside Safari. It also doesn't change your apparent country in a way that satisfies your bank or unlocks your home streaming library. Private Relay is a worthwhile extra; it's not a substitute for a travel VPN.
• Will Netflix and other streaming services still work?: Mostly yes, sometimes flaky. Streaming services maintain block-lists of IP addresses belonging to known VPN providers, so a given server may be blocked while another server in the same country works fine. The standard fix is to switch to a different server in your home country until one connects through. Premium providers rotate IPs regularly, which is part of what you're paying for.
• Do I need a VPN if I only use my phone's cellular data?: Cellular is meaningfully safer than open Wi-Fi — the connection between your phone and the cell tower is already encrypted, so the man-in-the-middle and evil-twin attacks don't apply. But cellular doesn't solve geo-blocking (your bank still sees a foreign IP, your streaming library still rotates) and it doesn't change the fact that your roaming carrier or the local mobile operator can still see which sites you connect to. The case for a VPN is weaker on cellular than on hotel Wi-Fi, but it's not zero.
• Should I leave the VPN on all the time abroad?: On public or shared Wi-Fi, yes — keep it running continuously. On your own cellular plan, it's less critical but still adds privacy and keeps banks and streaming services from rotating you out. The trade-off is the small speed reduction and modest battery cost. Many seasoned travelers leave it on by default and only disconnect for specific tasks that need a local IP, like a navigation app that doesn't work through a VPN.
• Does a VPN drain my phone battery?: Somewhat. Encryption uses processing power, which uses battery. On a modern phone with an efficient protocol such as WireGuard, the impact is roughly 5–15% of additional consumption over a full day — noticeable but not crippling. If battery is critical on a given day, run the VPN when you're on Wi-Fi or accessing sensitive services and disconnect on cellular when you're comfortable with the connection.