Fexyn
Fexyn
All posts

VPN for hotel and airplane Wi-Fi: what actually works

Fexyn Team··9 min read
travelpublic-wificaptive-portalsecurity

If you travel for work, you have hit some version of this. The hotel Wi-Fi works in the lobby and dies in your room. The airplane Wi-Fi charges $19 for one device but $29 for the day. The captive-portal page hangs because your VPN is on. The "free" Wi-Fi at the conference center asks for an email address and then injects ads into every webpage.

A VPN handles some of these problems and not others. This is the practical guide.

What a VPN actually fixes on travel networks

Three concrete problems:

Network operator can read your traffic. Hotel and airport network operators see every site you visit, every search, every login form (for non-HTTPS sites — which are rare in 2026 but still exist). A VPN encrypts the traffic between your device and the VPN provider, so the network sees only encrypted traffic to the VPN provider.

Rogue access points (evil twins). A laptop running airbase-ng a few feet from you can broadcast a Wi-Fi network called "Hilton Honors" or "Boingo Free" to trick devices into auto-connecting. Once connected, the attacker can MITM-anything-not-HTTPS and try downgrade attacks against HTTPS. A VPN tunnel established before browsing means the attacker only sees encrypted traffic to your VPN provider.

Country-specific content blocks. Hotel Wi-Fi in Russia, China, UAE, or Saudi Arabia inherits the country's filtering rules. Hotel Wi-Fi in Germany inherits Germany's DNS-level blocks of certain copyrighted content. Connecting through a VPN routes around the country-level filter.

What a VPN does not fix

Captive portals. Most hotel and airline Wi-Fi requires you to accept terms and possibly enter a room number on a "captive portal", a webpage that intercepts your first browser request. Your VPN cannot connect until you have completed the captive portal flow, because the captive portal blocks all non-portal traffic. The standard sequence: connect to Wi-Fi, open browser, complete portal, then connect VPN. Some VPN clients (including Fexyn) detect captive portals and show a "log into hotel Wi-Fi first" dialog.

Slow Wi-Fi. A VPN cannot make a 5 Mbps hotel connection into a 50 Mbps one. The VPN adds a small amount of overhead on top. If hotel Wi-Fi is slow before the VPN, it will be slightly slower after.

The hotel snitching to authorities. In countries where VPN use is restricted (UAE, Saudi Arabia, Iran), the hotel network operator can tell you are using a VPN; they see encrypted traffic to a VPN provider's IP. The VPN encrypts what you do; it does not hide that you are connected to a VPN. For most travellers in most countries, this is fine. Read the country page for your destination if you want the legal-exposure detail: UAE, Saudi Arabia, Iran.

The hotel charging extra for "premium" Wi-Fi. Some hotels offer faster Wi-Fi for a fee, with the basic tier rate-limited. A VPN does not change which tier you are on.

How captive portals actually work

Useful to understand because it shapes your usage pattern.

The captive portal sits at the network gateway. When your device connects to the Wi-Fi, the gateway intercepts your first DNS lookup or first HTTP request and redirects it to a "log in" page. Modern operating systems (iOS, macOS, Windows 11, recent Android) detect this automatically and pop up the portal in a system browser.

A VPN tunnel cannot establish until the captive portal allows traffic. The portal explicitly blocks everything except its own login flow. So:

  1. Connect to the Wi-Fi.
  2. Open a browser. The OS captive-portal detection should trigger automatically; if not, browse to any HTTP site (not HTTPS — captive portals can mess up HTTPS detection).
  3. Complete the portal: accept terms, enter your room number or last name and check-in date, accept the AUP.
  4. Test that the internet works: load a website you have not visited before to confirm.
  5. Connect your VPN.

If you keep your VPN set to auto-connect on system startup, this is the order it breaks. The auto-connect tries to reach the VPN server, fails because the captive portal is blocking, and the VPN client either hangs or shows an error. Fexyn handles this gracefully (we detect captive-portal-style failures and prompt for manual login), but the underlying problem is in the captive portal, not the VPN.

Airplane Wi-Fi specifics

In-flight Wi-Fi has a few quirks worth knowing:

Pricing tricks. Many airlines bill per-device per-flight, but bill the same amount whether you use it for 30 seconds or the entire flight. Some bill per-day across multiple flights. Some let you pay for the full flight and then lock you to one device. Read the pricing carefully. T-Mobile and Delta offer free Wi-Fi for some passengers; United and American mostly do not. Lufthansa charges per-flight; Emirates includes a small free allowance and charges for more.

Latency is high. Satellite Wi-Fi on long-haul flights typically delivers 200-400ms of additional latency on top of the normal internet path. VPN servers add a small amount more. Real-time uses (video calls, gaming) are usually unusable; loading webpages and email work fine.

VoIP is often blocked. Many airlines block VoIP on the flight (Skype, FaceTime, WhatsApp calls) for cabin-noise reasons. Some block it via DNS filtering, some via DPI. A VPN routes around DNS filtering trivially; DPI blocking is harder, and even Fexyn Stealth (VLESS Reality with the Vision flow) sometimes loses against airline DPI because the underlying connection is so slow that the protocol overhead becomes a real cost.

iMessage and WhatsApp text usually work even on free tiers. Some airlines provide free messaging-only Wi-Fi as a marketing feature. The traffic profile is small enough that they can carry it without significant cost.

Hotel Wi-Fi specifics

Room number / name auth is not security. The captive portal asking for your room number and last name is access control, not encryption. Once you are on the network, every other guest on the same network can in theory see your traffic. (Modern hotel networks use client isolation to prevent guest-to-guest traffic, but client isolation has been broken before.) Use a VPN.

Smart-TV casting often breaks. Hotel Wi-Fi networks often block or rate-limit Chromecast, AirPlay, and similar peer-discovery protocols. With a VPN, your traffic exits to the VPN provider and back, so casting from your phone to the room TV stops working entirely. The fix is to disable the VPN during casting (compromising security) or to use the hotel's screen-mirroring app if they have one (often privacy-questionable).

Some hotels rate-limit aggressively. YouTube tends to work; large file downloads often get throttled. Some chains explicitly throttle BitTorrent and large-file protocols. Hotel-Wi-Fi guides on hotel review sites are surprisingly accurate about which chains have usable Wi-Fi.

Stay-out fees and disclaimers. Some hotel AUPs prohibit VPN use. Almost none enforce this. The legal exposure for using a VPN on hotel Wi-Fi in countries where VPN use is legal is essentially nil. Countries where VPN use is restricted (UAE, Saudi Arabia, Iran) are different; read the country page.

Setup: VPN + travel network in five minutes

The pattern that works:

  1. Before you travel, install Fexyn (or your VPN of choice) on every device you will travel with. Sign into the account.
  2. On the plane or in the hotel, connect to the Wi-Fi.
  3. Complete the captive portal in a browser.
  4. Confirm the basic internet works.
  5. Connect the VPN. Start with Fexyn Bolt (WireGuard) for speed.
  6. If you are in UAE, Saudi Arabia, China, Iran, or Pakistan, switch to Fexyn Stealth in app settings. The hotel Wi-Fi inherits the country's filtering rules; standard WireGuard may not work.

If you forgot to install before travel: most VPN provider websites are accessible from most travel networks in non-restrictive countries. Sign up at fexyn.com/pricing on hotel Wi-Fi, download from fexyn.com/download. The 7-day free trial does not require a card.

Frequently asked

Is hotel Wi-Fi safe without a VPN?

Mostly yes for HTTPS traffic (which is most of the web in 2026), if the hotel runs client isolation correctly. Mostly no for any non-HTTPS traffic, which still exists for older login portals, some legacy email setups, and any service that downgrades. A VPN is cheap insurance.

Should I use a VPN on airplane Wi-Fi?

If you are doing anything sensitive (email, work documents, banking), yes. The performance overhead is meaningful given how slow airplane Wi-Fi already is, but the security benefit is real. For just streaming Netflix on long-haul: probably not, unless you specifically want to access content that is geo-restricted from your departure or arrival country.

Will a VPN unblock free Wi-Fi limits?

No. The Wi-Fi access point limits are enforced based on your MAC address or device identity, not your traffic content. A VPN does not change either. Some users try MAC spoofing, which sometimes works but is technically against the AUP and gets you banned from the network if detected.

My VPN won't connect on hotel Wi-Fi. What now?

Three checks: (1) Did you complete the captive portal? Open a browser, browse to any HTTP site, see if the portal triggers. (2) Is the hotel blocking VPN traffic specifically? Some hotel chains block standard VPN ports. Try Fexyn Stealth (VLESS Reality runs over standard HTTPS port 443, which hotels never block). (3) Is the Wi-Fi just bad? Test against a different network if possible.

Try Fexyn free for 7 days. No card needed for the trial. Bolt is right for hotel Wi-Fi where it works; Stealth is the choice for hotels in restrictive countries or networks that block VPN traffic. VPN for public Wi-Fi covers café and conference Wi-Fi specifically.

VPN for hotel and airplane Wi-Fi: what actually works | Fexyn VPN