Use case
Public Wi-Fi is hostile by default
What can actually go wrong on hotel and café networks, and what a VPN does about it.
The threats are real, but boring
You'll see VPN ads scream about hackers in coffee shops as if every barista is a black hat. The actual risks are quieter and harder to notice:
- Packet sniffing. Anyone on the same Wi-Fi can passively capture unencrypted traffic. HTTPS protects most page content now, but plenty of mobile apps still leak metadata, tokens, or full payloads over plain HTTP.
- Evil twin access points. Someone sets up a hotspot called "Marriott_Guest_2" in the lobby. Your laptop joins it because the SSID looks plausible. Now they're your network operator.
- Captive portal injection. The portal that asks you to accept terms can also inject scripts into HTTP responses. Some hotel networks have been caught doing this for ad insertion.
- Session hijacking. Cookies for sites that don't use HSTS can be lifted off the wire and replayed.
- DNS manipulation. The portal often forces all DNS through their resolver, which can return wrong answers for sites they want to redirect or log.
What a VPN actually fixes
The tunnel encrypts everything between your laptop and the Fexyn server. To anyone on the local Wi-Fi, your traffic looks like opaque ciphertext heading to a single IP. They see how much you sent and roughly when; they don't see what you sent or where it ended up.
That defeats packet sniffing, session hijacking, and DNS manipulation in one move. Evil twins still get to be your gateway, but the gateway sees encrypted traffic and a Fexyn DNS server (running inside the tunnel) — not your real lookups.
The kill switch is the unglamorous hero here
Public Wi-Fi reconnects constantly. You walk between floors, the laptop drops the AP, picks up another one, re-associates. Without a kernel-level kill switch your traffic flows out unprotected during each transition.
Fexyn's kill switch lives in Windows Filtering Platform — kernel-level firewall rules that exist before the VPN handshake completes and survive network-change events, sleep, hibernate, and process crashes. There's no userland race condition.
Captive portals — work with them, not against them
Hotel and airport portals require you to accept terms before they let your traffic out. The VPN can't tunnel through a portal that hasn't let you in yet. The workflow:
- Connect to the Wi-Fi.
- Disable the kill switch temporarily, OR open a browser to an HTTP site so the portal redirects.
- Complete the portal sign-in.
- Re-enable the kill switch and connect Fexyn.
Fexyn's app detects the portal pattern and prompts you. We'd rather ask once than have you stare at a failed handshake.
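As an added illustration (not Fexyn's detection logic and not code from this page), one common way to spot a captive portal before bringing the tunnel up is to fetch a plain-HTTP URL whose correct answer is known in advance and see whether something on the path answered instead. The probe URL, function names and labels below are assumptions chosen for this example.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: a well-known plain-HTTP probe that answers 204 with an empty body
# on an open network (the endpoint Android uses for its connectivity check).
PROBE_URL = "http://connectivitycheck.gstatic.com/generate_204"


def classify(status, headers, body, probe_url=PROBE_URL):
    """Label one probe response: 'open', 'portal-redirect' or 'intercepted'."""
    probe_host = urlsplit(probe_url).hostname
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if status in (301, 302, 303, 307, 308) and location:
        target = urlsplit(location).hostname
        # A redirect to a different host is the classic portal sign-in bounce.
        if target and target != probe_host:
            return "portal-redirect"
    if status == 204 and not body:
        return "open"
    # Any other answer (a 200 login page, a meta refresh, injected markup)
    # means something on the path replied in place of the probe server.
    return "intercepted"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def probe(url=PROBE_URL, timeout=5):
    """Send the probe over the local network and classify the reply."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers), resp.read(4096), url)
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        return classify(err.code, dict(err.headers), err.read(4096), url)
    except OSError:  # URLError, timeouts, no route
        return "no-network"


if __name__ == "__main__":
    print(probe())
```

The probe has to run outside the tunnel, so it only gets an answer while the kill switch is not blocking local traffic.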
Free VPNs on public Wi-Fi are worse than no VPN
The VPN that's free, no signup, no email — that one. The economics don't add up unless someone is paying. Documented cases include logging traffic for resale, injecting ads into web pages, renting your IP as a residential proxy node, and quietly turning client devices into a botnet. On a hostile network, you'd be inviting a second attacker into the path.
Fexyn's 7-day free trial is the honest version of free. You sign up, you use it, you decide.
What a VPN doesn't fix on public Wi-Fi
- Phishing pages over HTTPS. The VPN encrypts what you send, not what you decide to type into a phishing form.
- Browser extension malware that's already installed. The VPN doesn't inspect what your browser sends out the tunnel.
- Shoulder-surfing. Someone reading your screen at a café table is outside the threat model.
- Compromised endpoints. If your laptop is already infected, the VPN can't help.
Take it on your next trip. The trial covers a full week of hotel Wi-Fi.