A captive portal is the splash page that public Wi-Fi networks display to require login or terms acceptance before granting internet access. Standard at hotels, airports, coffee shops, conferences, and most pay-or-free public networks. The portal intercepts initial HTTP traffic and redirects to the login page; once the user authenticates or accepts terms, the portal releases the connection.
What it means in practice
The captive portal creates two operational complications for privacy-aware users. First, the always-on VPN: most VPN clients prevent traffic from leaving the device until the tunnel is established, but the captive portal needs to be reached before the VPN can establish (the portal is between the device and the rest of the internet). The workflow becomes: connect to the network with VPN off, complete the captive-portal authentication, enable the VPN, then resume normal use. Many VPN clients have a “captive portal detection” feature that briefly bypasses the VPN to allow portal authentication. Second, the captive-portal page itself can be an attack vector: a malicious operator (or a compromised legitimate operator) presents a phishing page collecting email or social-media credentials under the framing of “verify your identity to continue.”
Where it shows up
Encountered at: every hotel network, every airport network, every conference network, most coffee-shop and restaurant networks, and increasingly public-transit Wi-Fi systems (subway, train, plane). The portal pages range from minimal (accept terms, click to continue) to invasive (provide email, phone number, social-media handle, sometimes payment information). The privacy-respecting defaults: provide minimal information (a throwaway email or alias if email is required, never your real phone number, never social-media credentials), accept the terms only after reading what you are accepting (some are surprisingly broad about data collection), and enable the VPN as soon as the captive portal is cleared.
What you can change today
Three habits. First, always treat a captive portal as an untrusted page: do not enter real-name credentials, do not link social-media accounts, do not provide your phone number, and use a throwaway email if email is required (a Proton alias or SimpleLogin alias works). Second, configure your VPN client to handle captive portals gracefully (most modern clients have a detection feature; verify it works in your environment by testing once). Third, after the portal clears, re-enable the VPN and verify it is connected before doing anything sensitive on the network. The captive portal is a brief vulnerability window; closing it requires the VPN to be the next thing you check.