Does VPN Work on Airplane WiFi? Everything You Need to Know

Millions of people connect to airplane WiFi every day to check email, do work, and browse the web at 35,000 feet. Most of them have no idea who else is on that network, how it's configured, or what the provider can see.

If you're wondering whether a VPN works on airplane WiFi, the short answer is: yes, in most cases. But there is a specific step in the connection sequence that trips people up, and skipping it means your VPN never connects at all. This article explains exactly how airplane WiFi works, why the risks are real, the correct way to connect with a VPN, and what a VPN does and doesn't protect.

How Airplane WiFi Actually Works

Inflight WiFi is not magic. It's a shared internet connection delivered either via ground-based towers (ATG — air-to-ground) or satellites, depending on the airline and provider. The major providers — Gogo, Viasat, and Starlink — each use different architectures, but from a security standpoint they all share one important characteristic: passengers are on a shared public network.

Gogo's own vice president of communications has publicly stated that their inflight service is "public" and "operates in the same ways as most open WiFi hotspots on the ground," cautioning passengers against "accessing sensitive materials while in flight." That's the provider themselves telling you the network is not inherently secure.

What makes inflight WiFi different from a coffee shop connection is scale. A flight might have 100–300 passengers sharing one network. You can't see who they are, what devices they're running, or whether any of them are attempting to intercept traffic. Airlines implement network segmentation and firewalls, but as cybersecurity expert Gregory Gerdts told Travel + Leisure: "You're trusting the airline and their provider to do it correctly" — and you have no way to verify that yourself.

The Real Risks of Airplane WiFi Without a VPN

Security researchers flag several concrete risks on inflight networks:

Man-in-the-Middle Attacks

A passenger running the right software can attempt to intercept unencrypted traffic on the shared network. Security consultant Shaun Rosen is direct on this: "Any activity involving the transmission of sensitive or high-value data should be strictly avoided unless an active, trusted VPN connection is established. A successful man-in-the-middle attack could intercept credentials or sensitive documents."

Rogue Access Points

One of the most common inflight threats is also the simplest. A bad actor can create a WiFi network with a name similar to the airline's official network — "United_WiFi" versus "United-WiFi" — and wait for passengers to connect. Once connected to the rogue network, all traffic flows through the attacker's device. Without a VPN, everything is readable. With a VPN already connected, the attacker sees only encrypted data.

As Nick Nikiforakis, associate professor of computer science at Stony Brook University, explains: "It is, in theory, possible that someone else on the same flight is broadcasting their own WiFi, with the hope that some fraction of users connect to them."

Provider Visibility

The WiFi provider — Gogo, Viasat, or whoever operates the airline's inflight system — can see your unencrypted traffic. In 2014, Gogo was discovered to be issuing fake SSL certificates to intercept HTTPS connections. While that specific practice was reportedly stopped, it illustrated that inflight providers are technically capable of reading your traffic and have done so before. A VPN encrypts traffic before it reaches the provider's systems.

Phishing and Fake Login Pages

The login page you see when you first connect to inflight WiFi is served by the airline's captive portal. It looks official, but on a rogue network it could be a convincing fake designed to harvest your airline loyalty credentials, credit card number (for paid WiFi), or corporate login. CyberFence's Web Shield actively filters DNS queries to block known phishing domains, adding a layer of protection even against these attempts.

Does a VPN Work on Airplane WiFi? The Correct Answer

Yes — but with one important caveat that determines whether you actually stay protected.

Most airline WiFi systems use a captive portal: a web page that intercepts your connection and requires you to either pay for access or accept terms before letting traffic through. If your VPN is already active when you try to connect, it will block the captive portal — your device won't be able to reach the portal to authenticate, and you'll appear to have no internet connection.

The result: VPN active, internet not working. Most people assume the VPN is broken or incompatible with airplane WiFi. It isn't. The captive portal is simply blocked by the VPN tunnel.

The Correct Connection Sequence

1. Connect to the airline's WiFi network as normal — your device joins the network.
2. Make sure your VPN is OFF at this point.
3. Open a browser — the captive portal will appear automatically, or navigate to any URL to trigger it.
4. Complete the payment or login on the captive portal until you see a "connected" confirmation.
5. Turn your VPN on immediately — before you do anything else online.

This sequence gets you through the captive portal while ensuring your actual browsing starts protected. The window between step 4 and step 5 — where you're authenticated but the VPN isn't on yet — is brief. The risk in that window is low if you haven't started transmitting any sensitive data. Start the VPN before you open email, access work systems, or do anything else.

What Airlines Actually Block

Most commercial airlines do not block VPN traffic. Delta explicitly allows VPN use. United's inflight security documentation treats passenger devices as "untrusted by default" and encourages normal cybersecurity hygiene — which includes VPN use.

However, some airlines and corporate aviation operators restrict certain ports or protocols. A small number of inflight networks block UDP traffic, which affects WireGuard connections (WireGuard runs over UDP). If this happens, a VPN that supports fallback to TCP — or a different protocol — will maintain connectivity.

Some inflight networks also restrict traffic to common ports only (80, 443), which can interfere with certain VPN protocols. WireGuard, which uses port 51820 by default, may be blocked on these networks. If you encounter connectivity issues with your VPN on a specific airline, try switching to OpenVPN over TCP on port 443 — this traffic is virtually indistinguishable from standard HTTPS and passes through almost all inflight firewalls.

Does VPN Work in Airplane Mode?

No — and this is a common source of confusion. When your device is in full airplane mode, WiFi and cellular are both disabled. There's no internet connection, so a VPN has nothing to tunnel through.

However, most devices let you turn WiFi back on manually after enabling airplane mode. Once you connect to the inflight WiFi network with WiFi enabled in airplane mode, you can use a VPN normally. Airplane mode with WiFi re-enabled is actually a reasonable practice — it keeps cellular off while letting you use the VPN-protected inflight connection.

What a VPN Protects on Airplane WiFi

Once connected correctly, here's what a VPN protects:

• Traffic content — Everything you send and receive is encrypted. Other passengers and the WiFi provider see only encrypted data flowing to the VPN server.
• DNS queries — Without a VPN, DNS lookups (which happen before every website you visit) are unencrypted and visible to the inflight network. A VPN routes DNS through the encrypted tunnel, hiding which sites you're visiting.
• Login credentials — Email logins, work system access, banking credentials transmitted over the VPN are encrypted end-to-end.
• Your real IP address — The websites you visit see the VPN server's IP, not your actual IP or location.

What a VPN Does Not Protect on Airplane WiFi

Being accurate about this matters:

• Rogue network connection — If you connect to a fake WiFi network before turning on the VPN, the attacker may be able to redirect you to a phishing page during the captive portal step. The VPN doesn't help if you enter credentials on a fake portal before activating it.
• Malware already on your device — If your device was infected before the flight, the VPN tunnel carries malicious traffic in an encrypted wrapper.
• Phishing via email or links — A VPN does not prevent you from clicking a malicious link in an email. Web Shield DNS filtering blocks known phishing domains, but a new or highly targeted attack may not be in the blocklist.
• VPN drops on intermittent connections — Inflight WiFi is notoriously unstable. If the connection drops, an unprotected VPN will let traffic flow unencrypted while reconnecting. This is exactly what a kill switch prevents — it cuts all internet traffic the moment the VPN tunnel goes down, waiting until the VPN reconnects before allowing traffic through again.

Why the Kill Switch Matters More on Airplane WiFi

Inflight WiFi drops and reconnects more than most connections. Every reconnection is a window where your device reverts to unprotected traffic — unless the kill switch is active.

Without a kill switch, the sequence is: VPN drops → your device sends traffic directly → VPN reconnects → protected again. That gap could be 5 seconds or 30 seconds. On an inflight network with other passengers monitoring traffic, that window exposes your session.

With a kill switch active: VPN drops → all internet traffic halted → VPN reconnects → traffic resumes. No gap, no exposure.

CyberFence includes a built-in kill switch that activates automatically when the VPN tunnel drops. On inflight WiFi specifically, this is not an optional feature — it's the difference between actual protection and the illusion of it.

Practical Advice for Business Travelers

Security experts consistently advise the same things for inflight work sessions:

• Verify you're connecting to the correct airline network — the name should match what flight crew or the in-seat screen displays.
• Use the correct captive portal connection sequence (off → portal → on).
• Enable the kill switch before doing any work.
• Avoid software updates on inflight WiFi — wait until you're on a trusted network.
• Do not perform banking transactions without a VPN active — and ideally, defer them until you land.
• Use your mobile hotspot instead if you have good cell signal and a sufficient data plan — it's a private connection that doesn't share bandwidth with 200 strangers.

The Bottom Line

A VPN works on airplane WiFi in the vast majority of cases, on the vast majority of airlines. The key is the connection sequence: join the network, complete the captive portal without the VPN active, then turn the VPN on immediately before doing anything else.

On inflight networks especially, the kill switch is essential — intermittent connections mean frequent VPN reconnects, and each one is a gap without protection unless the kill switch is cutting traffic during those moments.

Inflight WiFi is comparable to any other public network. The encryption, zero-logs architecture, kill switch, and DNS-level filtering that protect you at a hotel or coffee shop are the same features that protect you at 35,000 feet.