The Real Risk Picture for Public WiFi
Public WiFi security threats are often overstated in marketing materials. The most cited attack -- the man-in-the-middle attack where someone intercepts your traffic -- is much harder to execute against HTTPS traffic than it was in 2015. Today, over 95% of web traffic is encrypted with HTTPS/TLS. If you visit a website with a padlock in your browser, your traffic is encrypted end-to-end regardless of whether you are on public WiFi. An attacker on the same network can see what domains you connect to, but not the content of your HTTPS requests.
What Threats Remain Real
Evil twin networks: an attacker creates a fake WiFi network with a plausible name ('Coffee Shop WiFi' instead of 'CoffeeShopGuest'). If you connect, all your traffic goes through their router. For HTTPS sites you are still protected by TLS. But unencrypted apps, DNS queries, and metadata are exposed. This attack is rare but real, especially in high-traffic locations (airports, train stations). DNS leaks: even with HTTPS, your DNS queries (which domains you visit) may go to the network's DNS server unencrypted. A VPN routes DNS through the VPN's encrypted tunnel. Rogue apps: some apps still transmit data without proper encryption. A VPN protects against these. Unencrypted protocols: email on older IMAP/SMTP without TLS, some IoT devices, HTTP (not HTTPS) sites.
What a VPN Actually Does on Public WiFi
A VPN encrypts all traffic between your device and the VPN server, including DNS queries. Even if an attacker on the public network can see your traffic, it is an encrypted tunnel they cannot read. Your real IP is hidden from sites you visit (they see the VPN server's IP). Your ISP at the other end of the connection cannot see your activity. What a VPN does NOT do: protect against malware on your device, protect against compromised HTTPS certificates (these attacks are state-level and rare), protect against sites you are already logged into before connecting to the VPN.
When to Use a VPN on Public WiFi
Always recommended: airports, train stations, hotels (high-value targets for attacker setup), any network you do not control. Less critical but not harmful: home networks of friends/family (trusted environment). Specifically important: when using banking apps or accessing sensitive work systems on public networks (many corporate policies require VPN on untrusted networks). Specifically not needed: your own home broadband (unless you also want to hide from your ISP).
Practical Setup
For casual public WiFi protection, any reputable VPN works well. Enable the kill switch so if the VPN drops, traffic does not leak unencrypted. On iOS and Android, set the VPN to connect automatically on untrusted networks. Some VPNs (Mullvad, ProtonVPN) have an 'always-on' mode that prevents any connection outside the VPN tunnel.