Cafes, airports, hotels, conferences, libraries. Untrusted networks you connect to anyway because it's free. Here's what can go wrong and how a VPN solves most of it.
🤖 Get The Free AppConcrete threats on an untrusted network, in rough order of how likely you are to encounter each:
Anyone on the same network with basic tools (Wireshark) can capture all unencrypted traffic in the air. They don't have to attack you — they just watch.
Difficulty: trivial. Detectability: none.
An attacker sets up a WiFi network with the same name as the legitimate one ("Starbucks_Free" or similar). Your phone connects automatically. They see all your traffic.
Difficulty: easy. Detectability: hard.
Some "free WiFi" captive portals inject ads, replace cookies, or perform tracking via JavaScript injection. The portal is literally a man-in-the-middle by design.
Difficulty: done by the venue itself. Detectability: medium.
The network operator (or someone who's compromised it) can return false DNS results — sending you to a fake login page, or a fake bank, or worse.
Difficulty: medium. Detectability: medium.
| Threat | With ClownVPN | Why |
|---|---|---|
| Passive packet sniffing | Mitigated | All traffic is AES-256-GCM ciphertext. They see noise. |
| Evil twin AP | Mitigated | Even if the attacker is the AP, your traffic is encrypted end-to-end to a ClownVPN server they don't control. |
| Captive portal MITM | Mitigated (post-login) | After portal login, the tunnel kicks in and the venue can't inject anything. |
| DNS spoofing | Mitigated | DNS queries go through the tunnel to Cloudflare 1.1.1.1, never the local network's DNS server. |
| ARP poisoning | Mitigated | Even if traffic is redirected, the contents are encrypted. |
| Direct attack on your device | Not mitigated | That's a host-OS problem. Keep your phone patched. |
Settings → Network & internet → VPN → ClownVPN ⚙️ → toggle Always-on VPN + Block connections without VPN. Now even before you open any app, the tunnel is up.
Settings → Network & internet → Internet → ⚙️ → toggle off auto-connect. This stops your phone from joining evil twins of networks you've previously trusted.
When you hit a "click to log in" page, briefly disconnect ClownVPN, accept the terms, then reconnect. Or use split tunneling to exclude the browser temporarily.
Once a quarter or after Android updates, run the leak verification guide to confirm everything is routing through the VPN as expected.
High traffic, lots of evil-twin attempts during peak hours. Also commonly logged by venue infrastructure.
Notoriously sketchy infrastructure. Captive portals routinely inject ads or track users.
Open networks with weak management. Easy to set up an evil twin in the next booth.
The classic VPN demo venue. Lots of curious people on the network, plus deliberate research traffic.
Often heavily logged "for security". Many also block specific categories of legitimate traffic.
Shared satellite or cellular uplinks with poor performance and unknown logging policies.