Shared Wi-Fi at Coworking Spaces? How a VPN Protects You

You sit down at a coworking space in Zurich, connect to the Wi-Fi, and open your client’s CRM. Contracts, invoices, contact details: all flowing over a network shared with dozens of strangers. The coworking space has a password on the Wi-Fi, so it feels secure. It is not.

That Wi-Fi password does one thing: it keeps people off the network who don’t have it. Once connected, every device on that network can see the others. Your DNS queries (every domain you visit), your connection timing, and the volume of data you send are all visible to anyone running freely available network analysis tools. A determined attacker on the same network can go further: intercepting connections, redirecting traffic, or impersonating the access point entirely.

This article breaks down the concrete threat model for shared Wi-Fi, explains where a VPN helps (and where it doesn’t), and covers the physical security habits that round out the picture.

The threat model: what can actually happen on shared Wi-Fi

First, the honest baseline: HTTPS does a lot of heavy lifting. When you visit a site over HTTPS (and in 2026, that’s nearly every site), the content of your communication is encrypted. An attacker on the same Wi-Fi cannot read your emails, see your passwords, or view the pages you load.

That’s the good news. Here’s what HTTPS does not protect.

DNS queries

Every time your browser resolves a domain name (crm.clientname.com, your-bank.ch, reddit.com), that query typically travels in plaintext. Anyone on the network can see every domain you visit, when you visit it, and how often. This is metadata, and it reveals a surprising amount: which clients you work with, which tools you use, which services you’re evaluating. For a freelancer or consultant, that’s commercially sensitive information.

Encrypted DNS (DoH or DoT) helps, but it requires explicit configuration on each device and doesn’t cover all applications. A VPN solves this by routing all DNS queries through the encrypted tunnel.

ARP spoofing

The Address Resolution Protocol (ARP) maps IP addresses to physical device addresses on a local network. It has no authentication mechanism. An attacker can send forged ARP messages, telling your laptop that their device is the router. Once successful, all your traffic flows through the attacker’s machine before reaching the internet. This is called a man-in-the-middle position.

With HTTPS, the attacker still can’t read encrypted content. But they can see all your DNS queries, monitor connection patterns, and selectively block or delay traffic. The tools to execute this (Ettercap, arpspoof) are free and require no special skills.

Rogue access points and evil twin attacks

An attacker sets up a Wi-Fi network with the same name as the coworking space’s legitimate network (“CoworkSpace_Guest”). Your laptop, configured to auto-connect to known networks, joins the fake one. Now all your traffic routes through the attacker’s hardware.

This is particularly effective in coworking spaces because the network name is public knowledge and people connect without thinking. Some attacks go a step further: the rogue access point proxies traffic to the real network, so everything appears to work normally while the attacker captures data.

SSL stripping

When you type “bank.ch” into your browser, the initial connection may briefly use HTTP before upgrading to HTTPS. In that moment, an attacker in a man-in-the-middle position can intercept the upgrade and keep serving you an HTTP version while maintaining an HTTPS connection to the real server. You see the page load normally, but your connection is unencrypted.

HSTS (HTTP Strict Transport Security) mitigates this for sites that implement it, and modern browsers are increasingly defaulting to HTTPS. But not every site uses HSTS, and the first visit to a new domain remains vulnerable unless the site is in the browser’s HSTS preload list.

The realistic risk level

To be clear: these attacks require an attacker to be physically present on the same network, with intent and tools. Most coworking sessions are uneventful. The risk is not that every café visit will get you hacked. The risk is that the attack surface exists, it’s trivially exploitable, and you have no way to detect it when it happens. Defense-in-depth means closing gaps before they’re exploited, not after.

How a VPN helps (and what it doesn’t do)

A VPN creates an encrypted tunnel between your device and a server operated by the VPN provider. All traffic, including DNS queries, flows through this tunnel. From the perspective of anyone on the local network, your data is an opaque stream of encrypted packets to a single IP address.

This neutralizes the local network attacks described above:

• DNS privacy: Your queries resolve through the VPN provider’s DNS servers, not the local network’s. No one on the coworking Wi-Fi sees which domains you visit.
• ARP spoofing protection: Even if an attacker redirects your traffic through their device, they see only encrypted VPN traffic. The content, metadata, and DNS queries are all hidden.
• Evil twin defense: If you accidentally connect to a rogue access point, the VPN tunnel still encrypts everything. The attacker gains nothing useful.
• SSL stripping prevention: Since all traffic goes through the encrypted tunnel, there’s no unencrypted HTTP moment to intercept.

What a VPN does not protect against

A VPN is not a security silver bullet. It protects your network traffic. It does not protect against:

• Phishing: A convincing fake login page works the same whether you’re on a VPN or not. The attack targets your judgment, not your network connection.
• Malware on your device: If your laptop is compromised, the attacker has access to your data before it reaches the VPN tunnel.
• The VPN provider itself: You’re shifting trust from the local network operator to the VPN provider. Choose one with a verified no-logs policy and independent audits.
• Social engineering: Someone looking over your shoulder or striking up a conversation to extract information is a coworking-specific risk that no software addresses.

This is why a VPN is one layer in a broader security setup, not a standalone solution.

Beyond the VPN: physical security in shared spaces

Coworking spaces introduce risks that are entirely offline. A few habits make a meaningful difference.

Screen privacy filters. A polarizing filter on your laptop screen makes it appear black from side angles. Anyone sitting next to you or walking behind you sees nothing. These cost around CHF 30-50 and are worth it if you handle client data, financial information, or anything covered by the nFADP.

Lock your screen. Every time you step away, even for 30 seconds to grab coffee. On macOS: Ctrl+Command+Q. On Windows: Win+L. Make it muscle memory.

Disable Bluetooth when not in use. Bluetooth discovery broadcasts your device name and type. Some attacks exploit Bluetooth vulnerabilities to establish connections without user interaction. If you’re not actively using wireless headphones or a keyboard, turn it off.

Shoulder surfing awareness. Position your screen away from high-traffic areas. Be conscious of who can see your display when you’re entering passwords or viewing sensitive documents. This sounds basic, but coworking spaces are designed for openness, and that openness works against privacy.

Don’t leave devices unattended. A locked screen protects against casual snooping but not against someone inserting a USB device or swapping a charging cable for a malicious one (USB data theft is a real, if niche, attack vector). Take your laptop with you or lock it in a locker.

Setting up a VPN for coworking

The best time to configure your VPN is before you’re sitting in the coworking space trying to get online. Here’s what matters for a coworking-focused setup.

Install and configure in advance

Download the app, log in, and verify it works on your home network. Test that your usual tools (video calls, cloud storage, CRM) function normally with the VPN active. Some corporate VPNs conflict with personal VPNs, so sort that out before you’re on a deadline.

Enable the kill switch

A kill switch blocks all internet traffic if the VPN connection drops. Without it, a momentary disconnection sends your traffic over the unprotected network, potentially exposing DNS queries and connection data. Every reputable VPN app includes this feature. Turn it on and leave it on.

Choose a nearby server

For users in Switzerland, connecting to a Zurich or Geneva server minimizes latency. NordVPN maintains multiple Swiss server locations, which keeps speeds high for local services and avoids unnecessary routing through distant countries.

Auto-connect on untrusted networks

Most VPN apps can detect when you join a new or untrusted Wi-Fi network and connect automatically. Enable this feature so you never accidentally browse unprotected on coworking Wi-Fi. NordVPN lets you define trusted networks (like your home Wi-Fi) where auto-connect is skipped, reducing friction.

Use the VPN’s DNS servers

Ensure your VPN app is configured to use its own DNS servers rather than your system defaults. This prevents DNS leaks where your queries bypass the VPN tunnel and go to the local network’s DNS server. Most VPN apps handle this automatically, but it’s worth verifying: search “DNS leak test” and run one while connected.

For a broader look at how a VPN fits into a complete personal security setup, see the VPN and password manager guide.

What about the coworking space’s own security?

Some coworking spaces take network security seriously. Most don’t, because their core business is desks and community, not IT infrastructure. Here’s what to look for and what to ask.

Signs of good network hygiene

• Client isolation (AP isolation): Each device on the network can reach the internet but cannot see or communicate with other devices. This blocks ARP spoofing and local network scanning. Ask the space manager if this is enabled.
• WPA3: The latest Wi-Fi security standard, significantly harder to attack than WPA2. If the network still uses WPA2 (common), it’s not a dealbreaker, but it’s another reason to use a VPN.
• Network segmentation: Separate VLANs for guests, members, and IoT devices (printers, smart TVs). This limits the blast radius if any single device is compromised.
• Captive portal with individual credentials: Each member gets unique login credentials rather than a shared password posted on the wall. This makes it harder for outsiders to join and provides accountability.

What you can ask

Most coworking space operators will answer basic network questions if you ask directly. “Is client isolation enabled on your Wi-Fi?” and “Do you use separate networks for members and guests?” are reasonable questions. If the answer is vague or the staff doesn’t know, assume the worst and rely on your own defenses.

Why you shouldn’t rely on it

Even well-configured coworking networks change. Staff turnover, router firmware updates, new equipment, or a simple misconfiguration can disable security features. The space’s incentives are uptime and ease of access, not hardened network security. Your VPN, your firewall, and your habits are the layers you control. The coworking space’s network security is a bonus, not a foundation.

The practical takeaway

Shared Wi-Fi in coworking spaces creates a specific, well-understood attack surface. HTTPS handles the bulk of content protection, but DNS queries, metadata, and connection patterns remain exposed. Local network attacks (ARP spoofing, rogue access points, SSL stripping) are trivial to execute with free tools.

A VPN closes these gaps by encrypting all traffic, including DNS, and making local network attacks ineffective. Combined with physical security habits (screen filters, lock screen discipline, Bluetooth hygiene) and a broader security stack, you can work from any shared space without exposing client data or personal information.

The setup takes 15 minutes. The protection is continuous.

---

For links on this page, NeoGuard may earn a commission from the provider. This supports our work and has no influence on our editorial recommendations. See our privacy policy for details.