Private DNS & Safer Browsing on the Road (Without Slowing Down)

30 Oct 2025

Travelling often means bouncing between hotel Wi‑Fi, café hotspots and mobile data. Each network you join can see, intercept or manipulate your DNS — the phone book lookups your device makes to turn website names into IP addresses. That’s where Private DNS (encrypted DNS) comes in. It wraps those lookups in encryption (DNS over TLS or DNS over HTTPS) so intermediaries can’t snoop or tamper. The result: cleaner, more private browsing with little to no speed penalty.

This guide explains how private DNS works, when to use it versus a VPN, and exactly how to enable it on Android, iOS/iPadOS, Windows and macOS. We’ll also cover captive portal “sign‑in” gotchas in hotels and airports, battery impact, and which DNS providers are worth trusting on the road. Combine private DNS with a local eSIM and you’ll avoid flaky public Wi‑Fi entirely in many destinations — see our regional options on Destinations including Esim United States, Esim France, Esim Italy, Esim Spain, Esim Western Europe and Esim North America.

What is Private DNS and why travellers should care

DNS translates website names into IP addresses. By default, these lookups are unencrypted and readable by anyone running the network you’re on (hotel, café, airport).
Private DNS encrypts those lookups:
DNS over TLS (DoT): DNS inside a TLS tunnel on port 853 (Android’s “Private DNS” uses DoT).
DNS over HTTPS (DoH): DNS inside standard HTTPS on port 443 (supported in Windows 11 and via apps on iOS/macOS).
Benefits:
Stops local network operators from snooping your browsing destinations.
Blocks simple DNS‑level ads/malware if you choose a provider that offers filtering.
Reduces risk of DNS hijacking on hostile or misconfigured networks.

Limits to understand: - Private DNS does not hide your IP address or encrypt the rest of your traffic — the websites you visit still see your IP, and the network can see the IPs you connect to. For that, use a VPN. - It may interfere with captive portals (those “agree & connect” pages) — easy to work around; see below.

Private DNS vs VPN: which should you use on the road?

Use Private DNS when:
You want lightweight privacy without changing location or routing all data.
You’re on mobile data (eSIM/local SIM) and mainly need DNS protection.
You want minimal battery and speed impact.
Use a VPN when:
You’re on untrusted public Wi‑Fi and doing sensitive tasks (banking, work logins).
You need to access corporate resources or a specific country’s services.
You must protect all traffic metadata, not just DNS.

Pro tip: On mobile networks, TLS in apps (HTTPS) already secures content. Pairing that with Private DNS covers the main leak (DNS) without the heavier overhead of a VPN.

How to enable Private DNS on your devices (How‑To)

Android 9 and newer (DoT)

Most modern Android devices support system‑wide Private DNS (DNS over TLS).

1) Open Settings > Network & Internet (or Connections on Samsung). 2) Tap “Private DNS”. 3) Choose “Private DNS provider hostname”. 4) Enter one provider hostname (examples): - Cloudflare: 1dot1dot1dot1.cloudflare-dns.com - Google: dns.google - Quad9 (malware blocking): dns.quad9.net - AdGuard (ad/malware filtering): dns.adguard.com 5) Save and reconnect to your network.

Notes: - “Automatic” tries encrypted DNS only if your current DNS supports DoT; “Off” reverts to unencrypted DNS. - If a captive portal won’t load, temporarily set Private DNS to “Off”, sign in, then switch it back on.

Pro tip: Quad9 is a strong travel choice for malware/phishing protection without logging personal data.

iPhone and iPad (iOS 14+ via profile or app)

iOS doesn’t have a one‑tap system setting for encrypted DNS. Use a trusted DNS app or configuration profile.

Option A — Cloudflare or NextDNS app: 1) Install the “Cloudflare 1.1.1.1” app or the “NextDNS” app from the App Store. 2) Open the app, grant permission to add a VPN/DNS configuration (this is a local device profile, not a full VPN tunnel for Cloudflare’s “DNS only” mode). 3) Enable “DNS‑only” mode (Cloudflare “1.1.1.1” without Warp) or choose your NextDNS profile. 4) Leave the app enabled; it will enforce DoH across apps.

Option B — Install an encrypted DNS profile: 1) Create a profile with a provider (e.g., NextDNS web dashboard). 2) Download and install the mobile configuration profile in Settings > General > VPN & Device Management. 3) Verify the profile is active.

Captive portal tip: Toggle the DNS app off, complete the Wi‑Fi sign‑in, then re‑enable.

Windows 11 (DoH)

1) Settings > Network & Internet > Wi‑Fi (or Ethernet) > Hardware properties. 2) Edit DNS server assignment > Manual. 3) Enable IPv4 (and IPv6 if you use it). 4) Enter DNS addresses (e.g., 1.1.1.1 and 1.0.0.1 for Cloudflare; 9.9.9.9 and 149.112.112.112 for Quad9). 5) Set “Preferred DNS encryption” to “Encrypted only (DNS over HTTPS)”. 6) Save. Reconnect to the network.

Quick verify: Visit your provider’s test page (e.g., Cloudflare’s “Help” page) to confirm DoH is active.

macOS (Big Sur and newer)

macOS supports encrypted DNS via configuration profiles or apps.

Option A — Use an app (simplest): 1) Install Cloudflare 1.1.1.1 or NextDNS app for macOS. 2) Grant permissions to add a DNS profile. 3) Enable DNS‑only mode (Cloudflare) or your NextDNS configuration.

Option B — Install a DNS profile: 1) Generate a DoH/DoT profile from your provider (e.g., NextDNS). 2) Install via System Settings > Privacy & Security > Profiles (or Profiles in System Preferences on older macOS). 3) Apply to active network services.

Captive portal tip: Pause the app/profile temporarily to complete hotel/airport sign‑in pages.

Captive portals: the gotcha and the fix

Encrypted DNS can prevent captive portals from redirecting you to the sign‑in page because the network expects to intercept DNS. Here’s how to handle it smoothly:

Join the Wi‑Fi network.
If the login page doesn’t appear within 10 seconds:
Android: Settings > Network & Internet > Private DNS > Off. Then re‑open your browser and go to http://neverssl.com to trigger the portal.
iOS/macOS: Pause your DNS app/profile. Try http://neverssl.com or open the Wi‑Fi network’s info and tap “Join Network”/“Login”.
Windows: Temporarily switch encryption to “Unencrypted only” or disable your DNS tool; reconnect and sign in.
Once you’re online, re‑enable Private DNS.

Pro tips: - Some networks re‑check the portal after idle time; keep the DNS tool handy to toggle. - If the portal still won’t load, “Forget” the network and try again with Private DNS off until authenticated.

Will Private DNS slow me down or drain battery?

Speed: - The overhead of DoT/DoH is tiny after the first handshake. With anycast networks (Cloudflare, Google, Quad9), latency is comparable to or better than many hotel DNS servers. - DoH may add a fractionally higher CPU cost than plain DNS, but it’s negligible on modern devices. - Pick a nearby, reputable provider to avoid detours.

Battery: - Private DNS maintains lightweight encrypted sessions; the impact is minimal, far less than a full VPN. - VPNs keep an always‑on tunnel with regular keep‑alive traffic and packet processing — expect noticeably higher battery drain. - On mobile data, modern radios dominate battery use; private DNS won’t be the deciding factor.

Testing tip: Use a DNS benchmark app or “dig” from a laptop tethered to your phone to compare latency before and after.

Choosing a trusted DNS provider

Look for a clear privacy policy, broad global footprint, and (if desired) security filtering:

Cloudflare (1.1.1.1): Fast, strong privacy stance, no content filtering by default. DoT: 1dot1dot1dot1.cloudflare-dns.com. DoH supported widely.
Google (8.8.8.8): Globally fast and reliable; transparent but different privacy model from Cloudflare.
Quad9 (9.9.9.9): Security‑focused with threat blocking, non‑profit; strong choice for travellers wanting extra protection.
AdGuard DNS: Optional ad/malware blocking; privacy‑friendly.
NextDNS: Highly configurable filtering, logs you control; requires a personalised profile.

Pro tip: For family devices, NextDNS/AdGuard can block trackers and malicious domains while travelling, reducing risky clicks on unfamiliar networks.

A practical travel checklist

Before you fly: - Update your device OS and apps (security patches). - Set up Private DNS or install your DNS app/profile. - Save provider hostnames or app toggles for quick captive portal workarounds. - Add a lightweight VPN for when you must trust public Wi‑Fi. - Consider a local eSIM so you can skip public Wi‑Fi altogether; browse regional options on Destinations — including Esim Western Europe and Esim North America.

On the day: - Prefer mobile data where possible. If you’re heading to the US or Europe, check Esim United States, Esim France, Esim Italy and Esim Spain. - On Wi‑Fi, enable Private DNS; toggle off only briefly for captive portals. - Use a VPN for banking or work portals on public Wi‑Fi. - Avoid installing random “Wi‑Fi booster” apps; stick to reputable DNS/VPN tools.

For teams and partners: - Business travellers can standardise encrypted DNS and eSIMs through our For Business solutions. - Travel providers and IT resellers can collaborate via our Partner Hub.

When you still need a VPN (even with Private DNS)

Accessing corporate networks or region‑locked services where location matters.
Using truly untrusted or tampered networks (e.g., conferences, shared coworking).
Hiding destination IP metadata from local network operators.
Enforcing security policies across all traffic for a business fleet.

Private DNS protects DNS queries; a VPN protects the entire session. It’s fine to run both when needed — start with Private DNS by default, escalate to VPN for sensitive sessions.

FAQ

Does Private DNS change my location like a VPN?
No. It only encrypts DNS lookups. Your IP address and approximate location remain the same.
Will Private DNS break streaming or apps while travelling?
Rarely. Some hotel or airline networks require their own DNS; if something fails, temporarily switch Private DNS off, then back on after login/stream start.
Is DoT or DoH better for travel?
Both are secure. Use what your device supports natively: Android prefers DoT; Windows 11 uses DoH. Performance differences are negligible.
Can I use Private DNS on cellular data with an eSIM?
Yes. It works on any network type. Pairing Private DNS with a local eSIM gives private, fast lookups without relying on risky public Wi‑Fi. See regional options on Destinations.
Which DNS provider should I pick?
For speed and privacy: Cloudflare or Google. For added threat protection: Quad9. For custom filtering/log control: NextDNS. Stick to one you trust.
Does Private DNS save battery compared to a VPN?
Yes. It has a much smaller battery impact because it encrypts only DNS, not all traffic.

Next step: Set up Private DNS on your devices today, then choose a local eSIM for your next trip on Destinations so you can rely on mobile data instead of risky public Wi‑Fi.

Read more blogs

Andes Highlights (3 Weeks): Peru–Bolivia–Chile–Argentina Connectivity

Planning a south america itinerary 3 weeks through the high Andes? This route stitches together Peru’s Sacred Valley, Bolivia’s La Paz and Salar de Uyuni, Chile’s Atacama Desert, and northern Argentina’s quebradas or Mendoza wine country—often by long-distance bus and a couple of short flights. Connectivity is different at altitude: coverage is strong in cities but drops in high passes and salt flats; bus Wi‑Fi is patchy; border towns can be blackspots. The smart move is an eSIM with multi‑country coverage, backed by offline maps, offline translations, and a simple routine for crossing borders by bus without losing service. Below you’ll find a practical, connectivity-first itinerary; checklists to prep your phone, apps and documents; and on-the-ground tips for staying online where it matters: booking transport, hailing taxis, backing up photos, and navigating when the signal disappears.If you’re transiting via Europe or North America, you can also add a layover eSIM to stay connected door-to-door. Start with our country list on Destinations, then follow the steps, and you won’t waste time chasing SIM shops at 3,500 metres.The 3‑week Andes route at a glanceWeek 1: Peru (Cusco, Sacred Valley, Machu Picchu) - Fly into Cusco (or Lima then connect). - Base in Cusco; day trips to Pisac/Chinchero/Maras–Moray. - Train to Aguas Calientes; Machu Picchu visit; return to Cusco or continue to Puno/Lake Titicaca.Week 2: Bolivia and Chile (La Paz, Uyuni, San Pedro de Atacama) - Bus/collectivo via Copacabana to La Paz. - Fly or overnight bus to Uyuni. - 3‑day Uyuni–altiplano tour ending in San Pedro de Atacama (Chile).Week 3: Chile and Argentina (Atacama to Salta or Mendoza/Buenos Aires) - Choose: - North: San Pedro to Salta/Jujuy by bus; fly to Buenos Aires. - Or South: San Pedro–Calama flight to Santiago; bus or flight to Mendoza; onward to Buenos Aires.Connectivity notes (quick): - Cities: generally strong 4G/4G+; 5G in major hubs (Santiago, Buenos Aires). - Altitude/rural: expect long no‑signal stretches (Uyuni, altiplano passes, Paso Jama). - Bus Wi‑Fi: often advertised, rarely reliable. Plan to be offline onboard. - Border regions: networks switch; a multi‑country eSIM avoids sudden loss.eSIM vs local SIMs for a 4‑country tripFor a route with multiple borders and remote legs, eSIM wins on time and reliability.What a multi‑country eSIM gets you: - One plan across Peru, Bolivia, Chile, Argentina (check coverage per country on Destinations). - No passport/SIM registration queues at kiosks. - Keep your home number active on the physical SIM for calls/SMS codes. - Instant top‑ups if you burn data on photos or navigation.When a local SIM still helps: - Long stay in one country with heavy data use (e.g., a month in Buenos Aires). - Dead zones where a different local network performs better (rarely worth the hassle on a 3‑week pace).Practical approach: - Use an eSIM as your primary data line across all four countries. - If you find a specific local network far better in one region, add a cheap local SIM and keep the eSIM as backup.Device readiness checklist (before you fly)1) Check eSIM compatibility and SIM‑lock status on your phone.2) Buy and install your eSIM while on home Wi‑Fi. Keep a PDF/printed copy of the QR code.3) Label lines clearly (e.g., “eSIM Andes Data”, “Home SIM”).4) Turn on data roaming for the eSIM; leave roaming off for your home SIM to avoid charges.5) Set up dual‑SIM rules: data on eSIM; calls/SMS default to home SIM if needed.6) Download offline: Google Maps/Organic Maps for all target regions; language packs (Spanish at minimum); bus/air tickets; hotel confirmations.7) Cloud backups: set to upload on Wi‑Fi only; pre‑create shared albums for travel companions.8) Test tethering/hotspot with your laptop/tablet.If you’re transiting popular hubs, consider a short layover eSIM: - USA connections: add an Esim United States or a broader Esim North America.- Europe connections: Madrid/Barcelona? Use an Esim Spain. Paris or Rome? See Esim France and Esim Italy. Multi‑country layovers? Try Esim Western Europe.City‑by‑city connectivity notesCusco & the Sacred Valley (Peru)Coverage: Good in Cusco city; variable in high villages (Maras/Moray) and along Inca Trail approaches.Tips: Download Sacred Valley maps offline; pin viewpoints and ruins. most taxis use WhatsApp—save your accommodation’s number.Machu Picchu/Aguas Calientes: Patchy to none at the citadel. Upload your photos later; don’t rely on live ticket retrieval.Lake Titicaca: Puno and CopacabanaPuno: Reasonable 4G; bus terminals crowded—screenshot QR tickets.Crossing to Copacabana: Expect a signal drop around the border; have directions saved offline.La Paz (Bolivia)Good urban 4G; the cable car network has decent signal but tunnels do not.Yungas/“Death Road” tours: Mountain valleys cause dead zones—share your emergency contacts with the operator, carry a charged power bank, and don’t plan remote calls.Uyuni and the Altiplano (Bolivia to Chile)Uyuni town: OK 4G; ATMs finicky—use Wi‑Fi for banking apps.Salt flats/lagunas: Assume offline for most of the 3‑day tour. Guides often carry satellite phones; agree a pickup time/place in San Pedro and preload your map route.San Pedro de Atacama (Chile)Town: Solid 4G; accommodations often have Wi‑Fi but speeds vary.Geysers, Valle de la Luna: Offline navigation essential; sunrise trips start before mobile networks wake up in some areas.Salta/Jujuy or Mendoza/Buenos Aires (Argentina)Salta/Jujuy: Good city coverage; quebradas have long no‑signal sections.Mendoza: City 4G/5G; vineyards outside town can be patchy.Buenos Aires: Strong 4G/5G; ideal for cloud backups and large downloads before you fly home.Border crossings by bus: step‑by‑stepThe big ones on this route: Peru–Bolivia (Puno/Copacabana), Bolivia–Chile (Uyuni–San Pedro via Hito Cajón), Chile–Argentina (Paso Jama to Salta or Los Libertadores to Mendoza).How to keep service and sanity:1) The day before:- Top up your eSIM data.- Confirm your plan includes both countries you’re entering/leaving.- Download offline maps for both sides of the border and your town of arrival.- Save bus company WhatsApp and terminal address offline.2) On departure morning:- Keep a paper copy or offline PDF of tickets, insurance, and accommodation proof.- Charge phone and power bank; pack a short cable in your daypack.3) On the bus:- Don’t count on bus Wi‑Fi. Keep your eSIM as primary, but expect drops near mountain passes.- If your phone supports it, enable “Wi‑Fi calling” for later when you reach accommodation Wi‑Fi.4) At the border posts:- Data may be unavailable. Keep QR codes and booking numbers offline.- After exiting one country and entering the next, toggle Airplane Mode off/on to re‑register on the new network.- If the eSIM doesn’t attach, manually select a network in Mobile Settings.5) Arrival:- Send your accommodation a quick WhatsApp when you’re back online.- Recheck your eSIM’s data roaming is on; confirm you’re on an in‑country network, not a weak roaming partner.Pro tips: - Dual profiles: If your eSIM allows, keep a secondary profile for a different network in the same country—helpful in border towns.- Cash buffer: Some border terminals don’t accept cards; download a currency converter for offline use.Offline survival kit (5‑minute setup)Maps: Download regions for Cusco, Sacred Valley, Puno, La Paz, Uyuni, San Pedro, Salta/Jujuy or Mendoza, and Buenos Aires.Translations: Download Spanish for offline use; add phrasebook favourites (bus tickets, directions, dietary needs).Documents: Save PDFs of passports, tickets, hotel addresses; star them for quick access.Rides: Screenshots of pickup points; pin bus terminals and hotel doors.Entertainment: Podcasts and playlists for long bus legs, set to download on Wi‑Fi only.Altitude and your tech: what changesCoverage gaps lengthen: Fewer towers at high altitude; valleys can block signal. Assume offline on remote excursions.Batteries drain faster in cold: Keep your phone warm and carry a power bank (10,000–20,000 mAh).Hotel Wi‑Fi may be congested: Schedule big uploads (photo backups, app updates) for big-city stays like Santiago or Buenos Aires.GPS still works offline: Your blue dot shows on offline maps without data—preload everything.Data budgeting for 3 weeksTypical traveller usage across this route: - Messaging/Maps/Bookings: 0.2–0.5 GB/day- Social and photo sharing: 0.3–0.7 GB/day- Occasional video calls/streaming: 0.5–1.0 GB/dayFor a mixed-use trip, plan 15–25 GB for 3 weeks. Heavy creators should double it and upload over hotel Wi‑Fi when possible. If you work remotely, consider a higher‑capacity plan and a backup eSIM; see our guidance on For Business.Practical route with transport and connectivity cuesDays 1–4 Cusco base: Strong city signal; day trips may be spotty—go offline-ready.Days 5–6 Machu Picchu: Expect no service at the ruins; sync tickets ahead.Days 7–8 Puno to La Paz via Copacabana: Border signal drop; re‑register networks after crossing.Days 9–11 Uyuni tour to San Pedro: Treat as offline; charge nightly; carry spare cables.Days 12–14 San Pedro: Stable in town; tours offline; top up data before Paso Jama.Days 15–17 Salta/Jujuy or Mendoza: Good urban 4G; rural patches are offline.Days 18–21 Buenos Aires: Strongest connectivity of the trip; clear your uploads and map downloads for the flight home.Partnering and stopover extrasHospitality and tour operators in the Andes: help your guests stay connected—explore co‑branded solutions via our Partner Hub.Transatlantic flyers: test your eSIM setup on a layover with an Esim United States or Esim Western Europe before hitting high-altitude blackspots.FAQs1) Do I need a local SIM in each country?No. A multi‑country eSIM covering Peru, Bolivia, Chile and Argentina is simpler and works well for a 3‑week pace. Consider a local SIM only if you’ll spend longer in one country and want the absolute best regional coverage.2) Will my WhatsApp number change with an eSIM?No. WhatsApp is tied to your registered number, not your data line. Keep your home SIM active for voice/SMS (roaming off if you wish), and use the eSIM for data—WhatsApp continues as normal.3) Can I hotspot to my laptop or camera?Yes. Enable tethering on your eSIM. Mind your data: cloud backups and OS updates can burn gigabytes—set them to Wi‑Fi only or schedule in big cities.4) What if there’s no signal on the Uyuni/Atacama legs?That’s expected. GPS still works offline. Pre-download maps and translations, carry a power bank, and sync plans with your tour operator before departure.5) Will I get roaming charges at borders?If you’re using a multi‑country eSIM with coverage in both countries, you won’t incur extra roaming fees from your home carrier. Keep roaming off on your home SIM to avoid accidental use.6) I’m connecting via Europe or the US—worth getting a layover eSIM?Yes. It’s an easy way to test your setup and stay reachable. Try Esim North America or country options like Esim Spain, Esim France, or Esim Italy for common hubs.Next step: Browse South America coverage options and build your plan on Destinations.

31 Oct 2025

No Service After Installing an eSIM: 10 Checks to Do First

When your eSIM installs but your phone still shows “No Service”, it’s usually a setup detail, not a dead SIM. The good news: most fixes take minutes and don’t require support. This traveller-first checklist walks you through the 10 most common causes—coverage and plan activation, data line selection, roaming and network mode toggles, APN configuration, IMS (VoLTE) registration, and when to reissue a QR. Follow the steps in order; test after each change. If you’re roaming across borders, keep an eye on network selection and data roaming settings as you move. Finally, make sure you bought the right regional product (e.g. Esim North America vs a single-country plan). With a few precise tweaks, most “esim no service” cases go from offline to online in under 10 minutes.Pro tip: Do all installation and major changes over a stable Wi‑Fi connection, and keep your original QR or activation details handy.Before you start: quick basicsRestart your phone.Ensure Wi‑Fi is on and working.Update iOS/Android to the latest version.If you installed the eSIM abroad, toggle Airplane Mode on for 10 seconds, then off.The 10 checks (in order)1) Confirm coverage, plan activation, and date validityVerify your eSIM plan is active for today and includes the country you’re in.If you’re travelling cross-border, confirm your plan’s region (e.g. Esim Western Europe vs single-country options like Esim France, Esim Italy or Esim Spain).Check coverage for your destination via Destinations. Rural areas or islands can have patchy service.If your plan shows expired or out of data, you’ll often see “No Service” or “SOS only”—top up or activate a fresh plan.Pro tip: In the US, coverage varies by carrier. If you’re using a US plan like Esim United States, move to a spot with open sky or try manual network selection (see Check 7).2) Confirm device compatibility and unlock statusEnsure your phone supports eSIM and is network-unlocked.iPhone: iPhone XS/XR or newer support eSIM.Android: recent Google Pixel, Samsung Galaxy S/Note/Flip/Fold, and others support eSIM.Check it’s not carrier-locked:iPhone: Settings > General > About > Carrier Lock should say “No SIM restrictions”.Android: Insert a different physical SIM (if available) to verify it accepts other networks, or ask your original carrier.Make sure 4G/LTE (and 5G if applicable) are supported bands for your destination.Pro tip: If the phone is locked, you’ll likely see “No Service” on foreign eSIMs. Unlocking is required.3) Verify the eSIM line is installed, turned on, and set for dataiPhone:Settings > Mobile Data (Cellular) > tap your eSIM > ensure “Turn On This Line” is enabled.Set “Mobile Data” to your eSIM line. If you need your physical SIM for calls, keep “Default Voice Line” on physical and data on eSIM.Android (varies by brand):Settings > Network & Internet > SIMs > ensure the eSIM is enabled.Set “Mobile data” to the eSIM.Pro tip: If you see multiple eSIMs, rename them so you can select the correct one.4) Temporarily disable other SIMs to isolate the issueTurn off the physical SIM or other eSIMs for a minute so the phone focuses on the travel eSIM.Toggle Airplane Mode on for 10 seconds, then off.Check if service appears. If yes, re-enable your other SIM and set priorities:Data on the travel eSIM.Calls/SMS on your home SIM (if you need it).Pro tip: iPhone users—disable “Allow Mobile Data Switching” while testing.5) Enable Data Roaming and confirm network modeiPhone: Settings > Mobile Data > Data Roaming > On. Then Mobile Data Options > Voice & Data: select 4G or 5G (not 3G).Android: Settings > Network & Internet > Mobile network > Data roaming > On. Preferred network type: 4G/5G Auto.Turn off any “Data Saver/Low Data Mode” while testing.Why this matters: Most travel eSIMs are roaming profiles by design. If roaming is off, you’ll get “No Service”.6) Check APN settings (and add them manually if needed)Many eSIMs auto-configure the APN. If they don’t, data won’t start even if you have signal bars.Find the APN from your activation email or profile details.iPhone: Settings > Mobile Data > your eSIM > Mobile Data Network > enter APN exactly (leave username/password blank unless provided).Android: Settings > Network & Internet > Mobile network > Access Point Names > add APN. Save and select it.Toggle Airplane Mode after saving.If APN fields are locked: remove and reinstall the eSIM (see Check 10), or perform a Network Settings reset: - iPhone: Settings > General > Transfer or Reset > Reset > Reset Network Settings. - Android: Settings > System > Reset options > Reset Wi‑Fi, mobile & Bluetooth.Note: A network reset clears saved Wi‑Fi/Bluetooth—reconnect to Wi‑Fi afterwards.7) Switch between Automatic and Manual Network SelectionStart with Automatic. If it shows “No Service”, try Manual:iPhone: Settings > Mobile Data > Network Selection > turn off Automatic > wait for the list > tap a listed carrier > test.Android: Settings > Network & Internet > Mobile network > Network operators > Search networks > choose one.If multiple networks appear, test each. Give it up to 2 minutes after selection.If only 2G/3G options appear, stick with 4G if available. Many modern travel eSIMs don’t support 3G/2G for data.Cross-border tip: Switching countries on a regional plan (e.g. Esim Western Europe) may require a brief manual selection to latch onto a partner, then you can go back to Automatic.8) Confirm IMS registration (VoLTE/4G Calling)IMS handles 4G voice (VoLTE) and Wi‑Fi Calling. Some networks require VoLTE for full registration.iPhone: Settings > Mobile Data > your eSIM > Voice & Data > ensure 4G/5G with VoLTE is on.Samsung: Settings > Connections > Mobile networks > VoLTE calls: On.Google Pixel: Settings > Network & Internet > SIMs > eSIM > Enable 4G Calling/VoLTE.Advanced (Android): You can view IMS status via Phone app > dial ##4636## > Phone information > IMS registration: Registered. If not registered, toggle VoLTE off/on, reselect the network (Check 7), or reboot.Note: Data can work without IMS, but some carriers require IMS before allowing any service. If IMS won’t register where 4G signal exists, move outdoors or try another partner network.9) Update carrier settings, system software, time, and regioniPhone: Settings > General > About—if a Carrier Settings Update prompt appears, accept it.Android: Check for system updates and any vendor-specific carrier configuration updates.Ensure time/date are set to Automatic and the correct time zone—wrong time can block authentication on some networks.If you installed the eSIM in one country and powered on in another, a second reboot often helps the device request fresh network parameters.10) Reinstall or request a QR reissue (clean install)If you’ve tried everything above:Remove the eSIM profile:iPhone: Settings > Mobile Data > your eSIM > Remove eSIM.Android: Settings > Network & Internet > SIMs > your eSIM > Delete.Reinstall over strong Wi‑Fi. Use the original QR or activation code. Do not scan the same QR multiple times on different phones.If the QR has been consumed or the install failed mid‑way, request a reissue. Resellers can do this in the Partner Hub. Team admins can coordinate via For Business.After reinstall: repeat Checks 3–8 quickly (enable Data Roaming, set the eSIM as the data line, confirm APN/VoLTE, try manual network select).Pro tip: If you move from the US to Canada/Mexico on a regional plan like Esim North America, expect a brief delay while the SIM registers on the new partner. A manual network nudge (Check 7) speeds this up.Extra things to verify if you’re still offlineYou’re indoors with poor coverage: step outside or move near a window.You used all data: top up or switch plan.VPN or private DNS is interfering: disable while testing.Power-saving mode is limiting connectivity: turn off temporarily.IMEI restrictions: very rare, but if the device IMEI is blocked in-country, you may see persistent “No Service”.When to contact support (and what to include)If “No Service” persists after all 10 checks, contact support with:Device make/model and OS version.Country/city, and whether you’re indoors/outdoors.eSIM ICCID (and EID if requested).Screenshots of:SIM status page,APN screen,Network operators list,IMS registration status (if on Android).A brief list of which checks you’ve completed.This speeds up resolution significantly.FAQs1) Why does my eSIM show Installed but still says “No Service”? - The line may be off, data roaming disabled, APN missing, or the phone is still prioritising another SIM. Work through Checks 3–7 first—those resolve most cases.2) Do I need Data Roaming enabled for a travel eSIM? - Yes. Travel eSIMs are typically roaming profiles. Keep Data Roaming on, and set the preferred network to 4G/5G.3) Will voice calls work on my travel eSIM? - Many data-only eSIMs provide data only. Use apps (WhatsApp, FaceTime, etc.) for calling. If your plan includes voice/SMS, ensure VoLTE/IMS is enabled (Check 8) and select a supported network manually if needed (Check 7).4) My APN field is blank or locked—what do I do? - Reinstall the eSIM to refresh carrier settings (Check 10). If manual entry is allowed, use the APN provided in your activation email. A Network Settings reset can also unlock APN editing.5) Can I keep my physical SIM active while using the eSIM for data? - Yes. Set the eSIM as the Mobile Data line and keep your physical SIM for calls/SMS. If there’s conflict, disable the physical SIM briefly to let the eSIM register, then re-enable and set correct priorities.6) I’m crossing borders in Europe. Do I need a new eSIM? - Not if you chose a regional plan like Esim Western Europe. As you cross borders, the SIM will roam to partner networks. If it hesitates, toggle Airplane Mode or try manual network selection once per new country.Pick the right plan before you flyChoosing a plan matched to your route prevents most “No Service” surprises. See coverage and options for your trip in Destinations, or go straight to regional picks like Esim North America and Esim Western Europe, or country plans such as Esim United States, Esim France, Esim Italy and Esim Spain.Next step: Check coverage and pick the right plan for your itinerary via Destinations.

30 Oct 2025

Work Laptop on the Road: VPN, Split Tunneling & Compliance Basics

Travelling with a corporate laptop is a balancing act between security, performance and convenience. Your company VPN protects sensitive traffic, but it can slow things down, drain battery and block local services. Split tunnelling promises relief by sending only work apps through the VPN and letting everything else use the local connection. Used wrongly, it can leak data or breach policy. Used correctly, it’s a smart way to stay productive on hotel Wi‑Fi, airport lounges and 4G/5G hotspots. This guide explains what split tunnelling is, when to use it, how to prepare before you fly, and the battery/compliance trade‑offs to watch. It’s written for travellers first, while staying friendly to IT policies and tooling. We’ll also cover practical connectivity choices, from personal hotspots to regional eSIMs such as Esim North America and Esim Western Europe, so you aren’t left fighting captive portals when a meeting starts.What is split tunnelling?When you connect to a corporate VPN, you typically get one of two modes:Full tunnel: All traffic goes through the VPN. Maximum control and security. Greater latency, bandwidth overhead and battery use.Split tunnel: Only defined apps or destinations go through the VPN. Everything else goes out locally to the internet. Better performance and battery. Increased exposure if misconfigured.There are two common flavours of split tunnelling:Per‑app: Only specific applications (e.g., Outlook, Teams, SAP) use the VPN. Others (e.g., Spotify, personal browser tabs) bypass it.Per‑destination: Traffic to corporate domains, subnets or IP ranges uses the VPN; everything else goes direct.Key risks to understand:Data leakage: If an app that handles company data is not routed via the VPN, logs and content may leak to local networks.Policy breach: Many organisations disable or tightly control split tunnelling to enforce monitoring, DLP and compliance.Captive portals: Some networks block or throttle VPNs. Split tunnelling can help you authenticate to the network, but policies still govern what’s allowed.If your search intent is “vpn split tunneling travel,” the core takeaway is: it’s useful on the road, but only when your company explicitly allows and configures it.Should you use split tunnelling on the road?Pros (when permitted by IT): - Faster access to local/cloud services (video calls, maps, local content). - Better battery life due to reduced encryption overhead and lower round‑trip times. - Fewer geolocation issues for non‑work apps (streaming, public cloud buckets in‑region). - Smoother captive portal logins on hotel and airport Wi‑Fi.Cons: - Increased risk surface on untrusted networks; misrouted traffic could expose metadata or content. - Harder for IT to enforce uniform controls and logs across all traffic. - Some collaboration tools may behave unpredictably when half inside, half outside the tunnel.Bottom line: Use split tunnelling only if your IT policy allows it, ideally with centrally managed per‑app rules. If your device is managed (MDM/EDR), let IT push the profile. Avoid ad‑hoc, user‑side tweaks unless you have explicit approval.Prepare your work laptop before you travelUse this checklist one week before departure:Confirm policy - Ask IT whether split tunnelling is allowed on corporate devices. - Clarify which apps must be forced through VPN and which can bypass. - Request written guidance for your destination(s).Update and test - Patch your OS, VPN client and browser. - Test the VPN on at least two networks (home and a mobile hotspot). - Confirm you can reach key services (email, intranet, storage, CRM) with and without split tunnelling (if permitted).MFA and recovery - Add backup MFA methods (TOTP app, phone, hardware key). - Generate one‑time recovery codes in case SMS is unavailable. - Ensure your device time zone and clock auto‑sync (MFA can fail with time drift).Profiles and policies - Have IT push the correct VPN profile(s) and DNS split rules for your region. - Check that Always‑On VPN behaviour matches policy (e.g., blocks traffic until tunnel up). - Verify the kill switch is enabled if required.Connectivity plan - Prefer mobile data over insecure public Wi‑Fi when possible. Load an eSIM for your route: see Destinations, or choose a regional plan like Esim North America or Esim Western Europe. Country options include Esim United States, Esim France, Esim Italy and Esim Spain. - Set up your phone’s personal hotspot as a backup. - Save hotel Wi‑Fi details offline, but avoid auto‑connect on unknown networks.Contacts and contingencies - Save IT helpdesk contacts and escalation hours in your calendar (local time). - Request an alternative protocol/port (e.g., TLS/443) profile if your main VPN is blocked. - Ask for safe split tunnelling defaults if you’ll be presenting or streaming.Pro tips: - Download offline installers for the VPN client and MFA app. - Cache the latest company root certificates in case the device can’t reach internal distribution points. - If travelling to higher‑risk regions, ask about a “clean laptop” policy and temporary accounts.Configure split tunnelling safely (with IT approval)Your corporate image may lock these settings; if so, use IT‑pushed profiles instead. If user‑config is permitted:Windows 11/10 (generic steps)Open your corporate VPN client. Look for “Split tunnelling,” “Per‑app VPN” or “Exclude local networks.”Choose the mode approved by IT:Per‑app include list: Add only work apps to the VPN list.Per‑app exclude list: Keep all apps in VPN except those explicitly excluded (safer default).Per‑destination: Add corporate subnets (e.g., 10.0.0.0/8), domains or DNS suffixes.Ensure DNS for corporate domains resolves via the VPN (check “Use VPN DNS for internal domains”).Enable the kill switch if required, and verify that non‑VPN traffic is blocked when the tunnel is down (for non‑split apps).Apply and test:Open a corporate app (should route via VPN).Open a public website (should route directly if excluded).Confirm IP paths with “whoami” sites or tracert; check DNS with nslookup against internal names.macOS (generic steps)In your managed VPN app or Network settings profile, locate split tunnelling controls.Use per‑app or per‑domain routing as defined by IT; avoid wildcards that could capture personal traffic.Verify “Send all traffic over VPN” is disabled only if split tunnelling is explicitly allowed.Check DNS suffix search and internal resolver settings are applied when the tunnel is up.Test with Activity Monitor’s per‑process network view or a browser extension that shows current egress IP.Pro tips: - Don’t exclude your browser if you access SaaS tools that handle company data—keep it on the VPN unless IT says otherwise. - Avoid excluding update services; patching over untrusted networks is sensitive and may be blocked by your company anyway. - If performance is poor, ask IT about protocol options (e.g., IKEv2 vs TLS) rather than changing encryption settings yourself.Network choices on the roadOrder of preference for reliability and safety:Mobile data via eSIM on your laptop/tablet or phone hotspot.Known, password‑protected networks you control (MiFi, travel router with your SIM/eSIM).Enterprise‑grade public networks (airline lounges).Hotel or café Wi‑Fi (last resort).Why eSIMs help: - Stable IPs and lower contention than crowded hotel networks. - Fewer captive portals that break VPN handshakes. - Predictable costs and usage alerts.Plan ahead with Destinations and pick a regional or country plan to match your itinerary: Esim North America, Esim Western Europe, Esim United States, Esim France, Esim Italy or Esim Spain. If you’re managing a team, centralise purchasing and support via For Business. Partners and MSPs can streamline provisioning through the Partner Hub.Captive portal tip: - Most portals block VPNs until you accept terms. Temporarily disconnect the VPN, join the Wi‑Fi, complete the portal, then reconnect. If policy enforces Always‑On VPN, use mobile data to complete sign‑in or ask IT for a captive‑portal profile.Battery and performance trade‑offsVPNs consume CPU to encrypt/decrypt traffic and can keep radios active, increasing battery use. Practical steps:Prefer modern, efficient protocols approved by IT. IKEv2 and WireGuard‑based options are generally lighter than older SSL/TLS stacks, but only switch if your organisation supports them.Use split tunnelling (if allowed) for heavy, non‑sensitive traffic like video conferencing to reduce packets through the tunnel.Avoid marginal Wi‑Fi. Weak signals force higher transmit power and retries. A good eSIM or hotspot can use less energy overall.Close background sync and heavy downloads before joining a meeting. Cloud drive re‑indexing can saturate the tunnel.Reduce resolution/frame rate in video calls if bandwidth is tight.Let your device sleep between tasks; some VPN clients keep sockets alive—enable power‑friendly settings if IT permits.Keep your device cool. Thermal throttling increases energy per task and can worsen VPN performance.Compliance essentials (don’t break policy)Respect MDM/EDR controls. Don’t install personal VPNs or proxies alongside corporate VPN clients.Don’t modify encryption, DNS or split rules beyond what IT has approved.Treat public cloud/SaaS as “work data” unless explicitly personal. If you use a browser for both, keep that browser within the VPN.In restricted or high‑risk countries, consult IT about export controls, device searches and data minimisation. Ask whether a loaner device is required.If your VPN is blocked regionally, use the IT‑approved fallback profile. Avoid consumer workarounds that could violate policy.Troubleshooting on the road: quick fixesIf the VPN won’t connect: - Try another network (switch to your eSIM or hotspot). - Check time/date and time zone; re‑sync if MFA fails. - Complete captive portal sign‑in before reconnecting. - Toggle a secondary protocol/port profile (e.g., TLS/443) if provided. - Reboot the device; network stacks and drivers often recover on restart.If split tunnelling misroutes traffic: - Flush DNS cache and retry. - Ensure corporate domains are on the “include” list. - Remove risky exclusions (e.g., your browser) and test again.If calls are choppy: - Move the conferencing app to bypass VPN (only if IT allows). - Drop video quality or switch to audio‑only. - Swap to mobile data; hotel Wi‑Fi uplinks are often the bottleneck.If you can’t reach internal sites: - Verify the VPN is up and that DNS suffix search is applied. - Try the short hostname and the FQDN. - Ask IT whether the site is geo‑restricted or requires a different profile.Pro tips: - Keep offline copies of key docs for read‑only access if the VPN drops. - Save your helpdesk’s “known issues” page for quick self‑diagnosis.FAQWhat is split tunnelling in a VPN? Split tunnelling routes only selected apps or destinations through the VPN, with other traffic using the local internet. It improves performance and battery life, but must be configured and approved by IT to avoid data leakage.Is it safe to use split tunnelling on hotel Wi‑Fi? Only if your company allows it and has defined which traffic must stay inside the tunnel. Use mobile data where possible, and keep work apps (email, browsers used for SaaS, storage clients) inside the VPN.Will a VPN slow my connection? Yes, some. Encryption and longer routes add latency and reduce throughput. Efficient protocols and split tunnelling (if permitted) mitigate this. A good eSIM or hotspot often outperforms congested Wi‑Fi.Can I watch streaming services while connected to my corporate VPN? Often your company blocks or discourages this. Even if it works, streaming through the VPN can waste bandwidth and trigger policy issues. If allowed, keep streaming outside the tunnel with split tunnelling, and only on personal time.My VPN breaks at captive portals. What should I do? Disconnect the VPN, complete the portal login, then reconnect. If your device enforces Always‑On VPN, connect via mobile data first or use an IT‑approved captive‑portal profile.Should I tether from my phone or use hotel Wi‑Fi? Tethering via a regional eSIM is typically safer and more reliable. See Destinations for travel options, including Esim North America and Esim Western Europe.Next step: If you’re equipping a team for secure travel, centralise data plans and support with For Business.

30 Oct 2025