VPN and Captive Portals: How to Get Online Without Disabling Your VPN Permanently

Your VPN is doing exactly what it's supposed to do. Unfortunately that means the portal can't reach you.

Why your VPN blocks the login page

When your VPN is connected, all traffic from your Mac is encrypted and tunneled to the VPN server before going anywhere else. The hotel or airport router sits between you and the internet — and between you and the VPN server.

For a captive portal to work, the router needs to intercept your unencrypted HTTP requests and redirect them to the login page. When a VPN is active:

• Your traffic is encrypted before it reaches the router
• The router can’t intercept or redirect encrypted traffic
• The portal redirect never happens

Some VPN clients have a “captive portal mode” or “bypass” option. Most don’t — or it only works some of the time.

The fix: disconnect, authenticate, reconnect

This is the reliable method:

1. Disconnect your VPN — find your VPN client in the menu bar or Dock and disconnect
2. Wait a few seconds for the OS to detect the captive portal (or use Force Login Page in Hotspot Guide)
3. Complete the login in the portal browser
4. Verify you’re online — Hotspot Guide will confirm you have real internet access
5. Reconnect your VPN — this is the step people often forget

Will reconnecting the VPN kick me off again?

No. Once you’re authenticated with the captive portal, your device’s MAC address is whitelisted on the network. Reconnecting the VPN doesn’t un-authenticate you from the portal. Your traffic will flow VPN → portal router → internet, all encrypted.

Split tunneling (advanced)

Some VPN clients support split tunneling — routing only specific traffic through the VPN while letting other traffic go directly. If your VPN has this:

• Route captive.apple.com (and related Apple domains) outside the VPN
• Let all other traffic go through the VPN

This lets the OS detect and authenticate the captive portal without disconnecting. Check your VPN client’s documentation for split tunneling options.

If the VPN reconnects automatically

Some VPN clients (especially corporate ones) reconnect automatically on network change. If yours does:

1. Temporarily disable auto-reconnect in your VPN client’s settings
2. Authenticate through the portal
3. Re-enable auto-reconnect
4. Manually reconnect the VPN

If you’re on a managed corporate device and can’t change VPN settings, contact your IT department — they may be able to add a captive portal exception to your profile.

MDM-managed VPN profiles

If your Mac is enrolled in Mobile Device Management (MDM) — typically a company-issued device — your VPN profile may be installed and managed at the system level. You may not be able to disconnect it from the VPN client UI.

Check System Settings → VPN for a system-level VPN that can be toggled. If it’s grayed out or managed, ask your IT team. They can often add a captive portal exception to the profile without requiring you to call a helpdesk every time.

Get Hotspot Guide

Diagnose captive portal issues in seconds — even before you're online. $9.99, one-time purchase.