What a captive portal actually is

When you connect to hotel, airport, or cafe wifi, the network doesn't give you full internet access immediately. Instead, it intercepts your first web request and redirects you to a login page — a captive portal. You enter a room number, a voucher code, or accept terms of service. Only then does the network open up.

The name comes from the idea of your browser being "captured" and held until you complete the required action. Technically, the network router intercepts your DNS requests and HTTP traffic, returning a redirect to the login page instead of your intended destination.

You'll find captive portals on hotel wifi, airport lounges, train stations, cafes, hospital networks, conference centers, and anywhere that manages guest internet access. They're the standard mechanism for access control on shared public networks.

✓ Why it sometimes doesn't pop up automatically

Your device detects captive portals by making a test request to a known URL and checking if the response is what it expects. On iOS this is captive.apple.com; on Android it's connectivitycheck.gstatic.com. If this detection fails — sometimes it does — no popup appears. Open any HTTP site (not HTTPS) manually and you'll usually trigger the redirect.

Why your VPN blocks the captive portal

A VPN encrypts all traffic leaving your device before it touches the network. The captive portal works by intercepting unencrypted traffic and redirecting it. When everything is encrypted, the portal can't intercept it — so the redirect never happens and you just see a connection failure instead of the login page.

This is the correct behaviour from the VPN's perspective. It's doing its job. But it creates a practical problem: you need to complete the captive portal before you can use the internet, and the VPN is preventing that.

How to handle a captive portal with a VPN

⚠ NordVPN's captive portal detection

NordVPN has a built-in captive portal detection feature that automatically pauses the VPN just long enough for the portal to load, then reconnects. Check Settings → Advanced to confirm it's enabled. When it works, you don't need to manually toggle anything — the app handles the sequence for you.

Is the captive portal itself a security risk?

The portal itself is generally not malicious — it's standard infrastructure. But there are two things worth knowing.

First, the brief window between connecting to wifi and enabling your VPN exposes your traffic to the network. That's unavoidable and low-risk for the few seconds it takes to complete the portal. Don't use those seconds to check email or open banking apps.

Second, a malicious actor can set up a fake captive portal that looks like a hotel login page but is designed to harvest your credentials. This is rare but possible in high-risk environments. The tell: a legitimate captive portal only asks for room number, a code, or terms acceptance — it never asks for your email password or payment details.

Free Download

The Traveler's Digital Security Checklist

7 things to set up before you travel — including the exact hotel wifi and VPN sequence that keeps you protected from the moment you check in.

No spam. Unsubscribe anytime.

Frequently asked questions

Usually one of three things: your VPN is active and blocking the redirect, your device's captive portal detection failed, or you're trying to open an HTTPS page (which won't get redirected). Try disabling the VPN, then opening http://neverssl.com in a browser — this triggers the portal reliably.

Yes — NordVPN has a captive portal detection feature that pauses the VPN connection just long enough for the portal to load, then automatically reconnects. It's in Settings → Advanced. When it works correctly you don't need to manually toggle the VPN at all. It doesn't always trigger perfectly, so knowing the manual sequence is still useful backup.

For the 30 seconds it takes to complete the portal — yes, low risk. The key is to not open any apps or browse during that window. Complete the portal, re-enable the VPN immediately, verify it's connected, then use the internet normally. The brief unprotected window is an unavoidable trade-off of the captive portal system.

NeverSSL is a website deliberately kept on HTTP (not HTTPS) so that captive portals can intercept and redirect it. Modern browsers and most popular sites use HTTPS, which captive portals can't redirect. NeverSSL exists specifically to trigger captive portals when the automatic detection fails. Bookmark it before you travel.

The VPN we travel with

NordVPN — captive portal detection built in

Automatically handles captive portals on hotel and airport wifi. Re-connects the moment you've logged in, so you're protected without thinking about it.

Get NordVPN — Save up to 69% →

* Affiliate link — we earn a commission at no cost to you.