How do you practice safe public wifi access?

Peter Kim Frank on November 25, 2019

What methods and/or tools do you employ to stay safe while using the internet from a public wifi connection?

Image via Unsplash

markdown guide

Firewall. ProtonVPN, if there's any concerns. HTTPS Everywhere plugin. I also override my DNS by default.


Do you use Cloudflare's or Google DNSes or something else?


I use I don't trust Google any further than I can pitch their server farm.

Might as well run a local Dnsmasq instance doing recursive resolution on TLDs directly, instead of just moving your trust from google to cloudflare.

I know what TLDs are, but the rest I got kind of lost. Is this just running your own DNS server?

Basically, instead of reaching out to "central" DNS servers that aggregate entries from every registrar, you'll roll your own "central" server, i.e. you'll contact the associated registrar on each new DNS request.

Apart from using a VPN, what you guys are talking about sounds like an alien language to me.

Is all that something everyone should learn to do or do you consider yourselves kind of extra-snowden-like-concerned-about-security because the CIA is trying to catch you? 😊

Instead, it's mostly about being able to easily block ads, avoid country-level/ISP-level censorship (very common in lots of places, sadly)

Might as well run a local Dnsmasq instance doing recursive resolution on TLDs directly, instead of just moving your trust from google to cloudflare.

You know, that's a bit like saying "Might as well store your entire financial assets in gold in a safe under your bed instead of moving your money from a shady mega-corp bank to a Federally-insured, member-owned credit union." It's a bit on the 'overkill' side for many people, myself included.

But why trust Cloudflare over Google? Simple. Guess which one of those sells browsing history as one of their primary forms of income?

I didn't say trusting Cloudflare was bad, or Google was better than CF.

Google sucks, CloudFlare is a move in the right direction, but

  1. Cloudflare is still a centralized and closed infrastructure
  2. Cloudflare is US-hosted

That's two very good reasons to avoid it

I don't see those as automatic reasons to avoid it, any more than the "all financial institutions are bad" assertion some people make (see my previous example) is even remotely wise.

For example, if US-hosted or centralized is an automatic negative, then DEV must not be trustworthy.

I don't have the luxury of time or hardware to set up and run my own DNS resolution server. Most people don't. So, until someone sets up an open-infrastructure, free, public DNS service, Cloudflare is hardly something "to be avoided".

We have to draw the line between common sense and fearmongering.

There are lots of open-infrastructure DNS...

And time, hardware?

We're talking about a 2MB-consuming daemon sitting idle on your computer, which takes roughly 5 minutes to set up on a first-time setup.

Maybe you don't want to take this time, that doesn't make this solution somehow bad or to avoid.

And that daemon can handle DNS for my entire network, including multiple computers and a public-facing, always-on server that is central to our production work? And you can guarantee that I'll never have to suddenly stop what I'm doing to debug it? And that it'll be accessible from any wifi spot I'll ever connect to worldwide, and never go pear-shaped when I least expect it?

If setting up a reliable, works-for-everything DNS is really that easy, it's a marvel and ever even gained adoption.

The fact is, "it takes minutes to set up" never takes into account the inevitable time sink that comes when (a) things don't go according to the docs (more than half the time, ask any IT), or (b) when things break (at least once with everything you ever set up, ask any IT).

So no, I don't have that time.

Well, if it's sitting on your computer, yes, that's kind of the point.

And your complaint about time doesn't change the validity of this solution.

Well, if it's sitting on your computer, yes, that's kind of the point.

Amazing. Too bad I actually couldn't accomplish that with two full days of trying to do exactly that for my network, with the help of two professional, experienced Linux ITs no less. "We must have done something wrong," I suppose.

And your complaint about time doesn't change the validity of this solution.

I never said it wasn't valid, but the way you're talking, it should be the only solution.

In any case, thank you for (apparently) retracting your earlier assertion that it couldn't take more than five minutes.

Amazing. Too bad I actually couldn't accomplish that with two days of trying, with the help of two professional, full-time ITs. "Must have done something wrong."

RTFM. Especially with the plethora of Dnsmasq guides available on Internet, and with Dnsmasq providing one of the simplest and most basic configurations.

I never said it wasn't valid, but the way you're talking, it should be the only solution.

Everyone has their ways of understanding English, I guess.


Because of course it never occured to three Linux professionals in two days that we should read the documentation.

Ahh, the four-letter mantra of the people who don't have any real answers, but love to tell everyone they're wrong. At least that tells me I can leave this conversation — you've announced you have no actual knowledge or insight to share. Thanks for saving everyone the time of taking you seriously. Ta!

Sloan, the sloth mascot Comment marked as low quality/non-constructive by the community View code of conduct

@jason No one forced you to follow up with this solution. There are people who actually know what they are talking about and also people who rant about knowing professionals. You're not in the first group apparently.

You're not in the first group apparently.

Gosh, wish I'd known that before I'd gone and run a secure, production-grade development server for six years. I'll be sure to tell those two IT friends of mine they aren't knowing professionals either. They've wasted years of their lives successfully doing a job they apparently can't do.

Deserved sarcasm aside, I merely said that it wasn't a "fix-all". It's a valid solution, but not the only solution, and not necessarily one that magically works in every imaginable scenario. (P.S. My experience with dnsmasq was from about two years ago, not today.)

"RTFM" is never an appropriate response to anyone. My anger is directed at that, and rightly so. There are many people here on DEV who would be crushed by that remark, with its deliberately hateful insinuation of stupidity. "I read the documentation, but I didn't get it. I must not be legitimate." An insinuation you just helped add fuel to.

I came here to say that maybe the topic of setting up your own "central" server could be a good dev.to article!

I did write a handful of articles on dnsmasq, for ad-blocking, conditional DNS request proxying, and such.

Indeed you have! Thanks for pointing that out, I'll bookmark them. :)

If you find anything ambiguous or have any questions, don't hesitate to ask on associated articles.

I don't see those as automatic reasons to avoid it

pokes oar in

Not specifically against Cloudflare, but personally I don't like encouraging anyone to go with the centralised solution. As long as everyone does it because "that company's alright", people will keep seeing it as safe. I see it as comparable to the "why would I use free software when I can pay for something good?" point of view.


It's usually slow or can't connect, needs login so you have to go get a password from some desk or something, need to agree to some weird terms to use. Unsafe on top of all that. In the age of LTE, why bother?


VPN. For work, we have one by default and if I'm at a café working on open source or anything else on my personal devices, I use a VPN as well. Currently I'm using NordVPN.

Having said that, 2019-10-21: NordVPN confirms it was hacked | TechCrunch, so I may need to look for a new VPN. 🤔 Suggestions welcome


Possibly not your thing, however I run my own VPN server in Azure using tinc and/or plain ssh tunnelling (SOCKS) on a small Debian VM.

I also ensure my browser forwards DNS lookups over SOCKS if I'm using that protocol, and my VM relies on Azure DNS - I could run my own dnsmasq based full DNS but meh.. at least it's out of the grasp of the local hotel / Cafe full of sniffers, etc.


Hello ! I already tested Mullvad VPN and i like it! It's 5$ per month.

Very easy to use.

You can pay with Paypal, credit card, Bitcoin and more !

Mullvad Payment process


I currently use PIA (Private Internet Access) but once my subscription is expired I will probably switch to Cloudflare Warp, unfortunately it seems that they only support mobile.


Sure, happy to help :)

First, this article will have you up in less time than it takes to read the docs from a commercial solution.

Second, you can do it for less than five bucks per month on a fast, private machine of your own that is on no ones radar:

This next article, recently updated, has been around a while, and points out added advantages and possibilities such as also having the convenience of your apps running via X on your remote, fast, and secure sever:

I hope that helps


I don't care much for ad hominem, and can't understand why someone would be so incalcitrant about something as simple as a three string install invocation, producing a working, running instance of BIND, and then just a couple of configs like pointing your resolver to that daemon and placing something like search . on top in your /etc/resolve.conf because it really can be that simple to make such a huge difference in the autonomy that you'll enjoy - let alone safety.

This is simply what you do, or it was for decades, without even thinking twice. Why that tends to elude many folks completely escapes me - why wouldn't someone do this?

And Diane's suggestion of incorporating Dnsmasq is just a lighter weight version of that.

I simply do not find it plausible that a couple of sysadmins were unable to just whup it out in the course of yawning with half their brain tied behind their back.

These simple basics just aren't given adequate coverage in curriculum during this culture of containerization.

Heck, we've only been using DNS since 1985.

The question that the OP asked was about securing ones communications over public WiFi. It may not be what everyone should do (as one person dismissed), although it is indeed something that everyone should consider.

Here's a little litmus test:

The next time you (the proverbial you, no one in particular here) happen into a large, busy Starbucks, look around for that person, you'll see them. You're looking for someone who is inconspicuously conspicuous (maybe it's the blue mohawk; the safety pin through the nose; the anarchist laptop stickers; the pocket protector and Google glasses), and your spidey sense will tingle.

Now... Look at the room from their perspective...

Now tell me what you think you should be doing for your security :)


My router offers a VPN service out of the box, so I connect there any time I'm in an untrusted wifi. Super handy when travelling with limited roaming-data.


Do you mean a VPN Service hosted on your router?

Mine also, but I don't enable that because then that it's counted as incoming and outgoing traffic by my internet provider and discounted from my monthly quote.


Yeah, exactly. I'm in the lucky situation to have uncapped giga up/down so this works fine for me.


I have a DigitalOcean droplet running WireGuard. Costs $5 per month.

I run the WireGuard client on all my devices set to auto connect to it on all SSIDs except my home network.


  • It auto connects seamlessly away from home.
  • All traffic on all ports can be sent via my server.
  • I get a known (and consistent) external IP address when I’m on VPN. Means that I can protect services I use and still access them when out and about.
  • I have control of what the VPN server is logging.
  • It’s much faster than OpenVPN and other solutions.


  • It’s on me to set up the VPN server and keep it secure.
  • Because my IP external IP is consistent it could easily be traced back to me if big brother government wanted to find who it was.

I would love to find out more about this style of setup.

I personally use both Torguard and Windscribe VPN services.


There's this neat thing called HTTPS which uses this thing called encryption to set up a private connection between you and the website that no one can eavesdrop.

Hope that comes off as light hearted and not condescending. VPNs used to be the answer when public WiFi meant using HTTP websites but that's no longer the case. HTTPS sets an encrypted tunnel per user, doesn't matter if others are listening on the wire. The only problem is if they are intercepting your traffic which is easier to do on open WiFi but that's a more complicated hijack (search evil twin attacks). Notably, using a VPN is letting someone intercept your traffic so you should opt on not using a VPN unless you need to avoid geo-blocking.


Agree. I only use VPN/Tor when I travel to countries that have censorship. In the EU I am fine with just using HTTPS and browser extensions to block ads and tracking stuff.

Also, I use Little Snitch to block requests to Google Analytics API from third-party software installed on my mac


To stay safe is just not using public wifi connection. If you have to just use it for general browsing purpose, not for login with your crendential to any website. Better use your phone data package if available :)


Possibly stupid question: Is this still a problem with https?
There should "only" be metadata visible to the provider and potential adversaries or am I missing something here?


There are many services that your pc might be using. Not just https.

For example.... One email client, a chat service, or any other app that uses a protocol different from http / https.


Ah, of course. I just thought about web browsing...
Thanks :)


DNS queries, unless using something such as DoT or DoH, are plaintext. Their answers, too.


I am following a very plain solution, which is I use keepsolid VPN to access any Wi-Fi point.

I know this is a bit insane but I use it even on my Wi-Fi good because I don't trust myself :P but to make sure I will not forget to enable it when I really need it


VPN. Although, nothing is 100% safe, but definitely makes it a bit better.


I've a docker image with tor[1][2] that I run locally and connect to it as SOCKS5 proxy and route all my HTTP/S traffic through it.
For SSH access, I use ProtonVPN and work VPN.

  1. github.com/boris/docker/tree/maste...
  2. hub.docker.com/r/boris/tor

I use NordVPN, Proton VPN or Mullvad with auto connect enabled on wifi connections. With DNS set to use CloudFlares for DoHttps

I also have "Little Snitch" installed on my Mac that notifies me of every outbound connection including MacOS Firewall. is not a true VPN, only encrypts your DNS requests not the traffic itself.


Agreed. It doesn't hide the location, but + Warp improves security.

I have some reservations about Warp+, spending $4.99 to improve speed which several benchmarks show it actually doesn't improve the speed of your connection.

Agreed on the improved security bit.

I agree again for the pricing part. But Warp+ improves the speed by avoiding internet traffic jams.


Tenta browser had a beta program where they allowed free 2 year VPN. I was an early adopter. Been using that lately to connect to geo blocked services from India. Sad most VPN services have only 2 servers in India and one of them never works. I try to avoid banking on public WiFi. This is only on mobile unfortunately.


Like a couple of others, I'd like to say "I don't use public wifi" but the fact is that every now and then I have to.

The first thing I do is try to connect on a VPN. If there are any issues, like it not going through at all, I abandon the wifi channel and tell my device to forget the SSID. For instance, Virgin Trains will try to MITM so I'll put up with using intermittent 4G instead.


with a traditional MITM attack aside from https of the websites you visits, you should install comprehensive internet security solution on your computer and always up to date.


My recent research drove me to virtual machine with parrot os.
Stndard security/anonymity practices included.


I Have made my own VPN using the outline and Google Cloud Platform. It works perfectly!


Https and firewall mostly. Also purevpn just to be extra safe


VPN and a bunch of browser plugins (Privacy Badger, HTTPS Everywhere, an Adblocker).

code of conduct - report abuse