Work Laptop on the Road: VPN, Split Tunneling & Compliance Basics

30 Oct 2025

Travelling with a corporate laptop is a balancing act between security, performance and convenience. Your company VPN protects sensitive traffic, but it can slow things down, drain battery and block local services. Split tunnelling promises relief by sending only work apps through the VPN and letting everything else use the local connection. Used wrongly, it can leak data or breach policy. Used correctly, it’s a smart way to stay productive on hotel Wi‑Fi, airport lounges and 4G/5G hotspots. This guide explains what split tunnelling is, when to use it, how to prepare before you fly, and the battery/compliance trade‑offs to watch. It’s written for travellers first, while staying friendly to IT policies and tooling. We’ll also cover practical connectivity choices, from personal hotspots to regional eSIMs such as Esim North America and Esim Western Europe, so you aren’t left fighting captive portals when a meeting starts.

What is split tunnelling?

When you connect to a corporate VPN, you typically get one of two modes:

Full tunnel: All traffic goes through the VPN. Maximum control and security. Greater latency, bandwidth overhead and battery use.
Split tunnel: Only defined apps or destinations go through the VPN. Everything else goes out locally to the internet. Better performance and battery. Increased exposure if misconfigured.

There are two common flavours of split tunnelling:

Per‑app: Only specific applications (e.g., Outlook, Teams, SAP) use the VPN. Others (e.g., Spotify, personal browser tabs) bypass it.
Per‑destination: Traffic to corporate domains, subnets or IP ranges uses the VPN; everything else goes direct.

Key risks to understand:

Data leakage: If an app that handles company data is not routed via the VPN, logs and content may leak to local networks.
Policy breach: Many organisations disable or tightly control split tunnelling to enforce monitoring, DLP and compliance.
Captive portals: Some networks block or throttle VPNs. Split tunnelling can help you authenticate to the network, but policies still govern what’s allowed.

If your search intent is “vpn split tunneling travel,” the core takeaway is: it’s useful on the road, but only when your company explicitly allows and configures it.

Should you use split tunnelling on the road?

Pros (when permitted by IT): - Faster access to local/cloud services (video calls, maps, local content). - Better battery life due to reduced encryption overhead and lower round‑trip times. - Fewer geolocation issues for non‑work apps (streaming, public cloud buckets in‑region). - Smoother captive portal logins on hotel and airport Wi‑Fi.

Cons: - Increased risk surface on untrusted networks; misrouted traffic could expose metadata or content. - Harder for IT to enforce uniform controls and logs across all traffic. - Some collaboration tools may behave unpredictably when half inside, half outside the tunnel.

Bottom line: Use split tunnelling only if your IT policy allows it, ideally with centrally managed per‑app rules. If your device is managed (MDM/EDR), let IT push the profile. Avoid ad‑hoc, user‑side tweaks unless you have explicit approval.

Prepare your work laptop before you travel

Use this checklist one week before departure:

Confirm policy - Ask IT whether split tunnelling is allowed on corporate devices. - Clarify which apps must be forced through VPN and which can bypass. - Request written guidance for your destination(s).
Update and test - Patch your OS, VPN client and browser. - Test the VPN on at least two networks (home and a mobile hotspot). - Confirm you can reach key services (email, intranet, storage, CRM) with and without split tunnelling (if permitted).
MFA and recovery - Add backup MFA methods (TOTP app, phone, hardware key). - Generate one‑time recovery codes in case SMS is unavailable. - Ensure your device time zone and clock auto‑sync (MFA can fail with time drift).
Profiles and policies - Have IT push the correct VPN profile(s) and DNS split rules for your region. - Check that Always‑On VPN behaviour matches policy (e.g., blocks traffic until tunnel up). - Verify the kill switch is enabled if required.
Connectivity plan - Prefer mobile data over insecure public Wi‑Fi when possible. Load an eSIM for your route: see Destinations, or choose a regional plan like Esim North America or Esim Western Europe. Country options include Esim United States, Esim France, Esim Italy and Esim Spain. - Set up your phone’s personal hotspot as a backup. - Save hotel Wi‑Fi details offline, but avoid auto‑connect on unknown networks.
Contacts and contingencies - Save IT helpdesk contacts and escalation hours in your calendar (local time). - Request an alternative protocol/port (e.g., TLS/443) profile if your main VPN is blocked. - Ask for safe split tunnelling defaults if you’ll be presenting or streaming.

Pro tips: - Download offline installers for the VPN client and MFA app. - Cache the latest company root certificates in case the device can’t reach internal distribution points. - If travelling to higher‑risk regions, ask about a “clean laptop” policy and temporary accounts.

Configure split tunnelling safely (with IT approval)

Your corporate image may lock these settings; if so, use IT‑pushed profiles instead. If user‑config is permitted:

Windows 11/10 (generic steps)

Open your corporate VPN client. Look for “Split tunnelling,” “Per‑app VPN” or “Exclude local networks.”
Choose the mode approved by IT:
Per‑app include list: Add only work apps to the VPN list.
Per‑app exclude list: Keep all apps in VPN except those explicitly excluded (safer default).
Per‑destination: Add corporate subnets (e.g., 10.0.0.0/8), domains or DNS suffixes.
Ensure DNS for corporate domains resolves via the VPN (check “Use VPN DNS for internal domains”).
Enable the kill switch if required, and verify that non‑VPN traffic is blocked when the tunnel is down (for non‑split apps).
Apply and test:
Open a corporate app (should route via VPN).
Open a public website (should route directly if excluded).
Confirm IP paths with “whoami” sites or tracert; check DNS with nslookup against internal names.

macOS (generic steps)

In your managed VPN app or Network settings profile, locate split tunnelling controls.
Use per‑app or per‑domain routing as defined by IT; avoid wildcards that could capture personal traffic.
Verify “Send all traffic over VPN” is disabled only if split tunnelling is explicitly allowed.
Check DNS suffix search and internal resolver settings are applied when the tunnel is up.
Test with Activity Monitor’s per‑process network view or a browser extension that shows current egress IP.

Pro tips: - Don’t exclude your browser if you access SaaS tools that handle company data—keep it on the VPN unless IT says otherwise. - Avoid excluding update services; patching over untrusted networks is sensitive and may be blocked by your company anyway. - If performance is poor, ask IT about protocol options (e.g., IKEv2 vs TLS) rather than changing encryption settings yourself.

Network choices on the road

Order of preference for reliability and safety:

Mobile data via eSIM on your laptop/tablet or phone hotspot.
Known, password‑protected networks you control (MiFi, travel router with your SIM/eSIM).
Enterprise‑grade public networks (airline lounges).
Hotel or café Wi‑Fi (last resort).

Why eSIMs help: - Stable IPs and lower contention than crowded hotel networks. - Fewer captive portals that break VPN handshakes. - Predictable costs and usage alerts.

Plan ahead with Destinations and pick a regional or country plan to match your itinerary: Esim North America, Esim Western Europe, Esim United States, Esim France, Esim Italy or Esim Spain. If you’re managing a team, centralise purchasing and support via For Business. Partners and MSPs can streamline provisioning through the Partner Hub.

Captive portal tip: - Most portals block VPNs until you accept terms. Temporarily disconnect the VPN, join the Wi‑Fi, complete the portal, then reconnect. If policy enforces Always‑On VPN, use mobile data to complete sign‑in or ask IT for a captive‑portal profile.

Battery and performance trade‑offs

VPNs consume CPU to encrypt/decrypt traffic and can keep radios active, increasing battery use. Practical steps:

Prefer modern, efficient protocols approved by IT. IKEv2 and WireGuard‑based options are generally lighter than older SSL/TLS stacks, but only switch if your organisation supports them.
Use split tunnelling (if allowed) for heavy, non‑sensitive traffic like video conferencing to reduce packets through the tunnel.
Avoid marginal Wi‑Fi. Weak signals force higher transmit power and retries. A good eSIM or hotspot can use less energy overall.
Close background sync and heavy downloads before joining a meeting. Cloud drive re‑indexing can saturate the tunnel.
Reduce resolution/frame rate in video calls if bandwidth is tight.
Let your device sleep between tasks; some VPN clients keep sockets alive—enable power‑friendly settings if IT permits.
Keep your device cool. Thermal throttling increases energy per task and can worsen VPN performance.

Compliance essentials (don’t break policy)

Respect MDM/EDR controls. Don’t install personal VPNs or proxies alongside corporate VPN clients.
Don’t modify encryption, DNS or split rules beyond what IT has approved.
Treat public cloud/SaaS as “work data” unless explicitly personal. If you use a browser for both, keep that browser within the VPN.
In restricted or high‑risk countries, consult IT about export controls, device searches and data minimisation. Ask whether a loaner device is required.
If your VPN is blocked regionally, use the IT‑approved fallback profile. Avoid consumer workarounds that could violate policy.

Troubleshooting on the road: quick fixes

If the VPN won’t connect: - Try another network (switch to your eSIM or hotspot). - Check time/date and time zone; re‑sync if MFA fails. - Complete captive portal sign‑in before reconnecting. - Toggle a secondary protocol/port profile (e.g., TLS/443) if provided. - Reboot the device; network stacks and drivers often recover on restart.

If split tunnelling misroutes traffic: - Flush DNS cache and retry. - Ensure corporate domains are on the “include” list. - Remove risky exclusions (e.g., your browser) and test again.

If calls are choppy: - Move the conferencing app to bypass VPN (only if IT allows). - Drop video quality or switch to audio‑only. - Swap to mobile data; hotel Wi‑Fi uplinks are often the bottleneck.

If you can’t reach internal sites: - Verify the VPN is up and that DNS suffix search is applied. - Try the short hostname and the FQDN. - Ask IT whether the site is geo‑restricted or requires a different profile.

Pro tips: - Keep offline copies of key docs for read‑only access if the VPN drops. - Save your helpdesk’s “known issues” page for quick self‑diagnosis.

FAQ

What is split tunnelling in a VPN? Split tunnelling routes only selected apps or destinations through the VPN, with other traffic using the local internet. It improves performance and battery life, but must be configured and approved by IT to avoid data leakage.
Is it safe to use split tunnelling on hotel Wi‑Fi? Only if your company allows it and has defined which traffic must stay inside the tunnel. Use mobile data where possible, and keep work apps (email, browsers used for SaaS, storage clients) inside the VPN.
Will a VPN slow my connection? Yes, some. Encryption and longer routes add latency and reduce throughput. Efficient protocols and split tunnelling (if permitted) mitigate this. A good eSIM or hotspot often outperforms congested Wi‑Fi.
Can I watch streaming services while connected to my corporate VPN? Often your company blocks or discourages this. Even if it works, streaming through the VPN can waste bandwidth and trigger policy issues. If allowed, keep streaming outside the tunnel with split tunnelling, and only on personal time.
My VPN breaks at captive portals. What should I do? Disconnect the VPN, complete the portal login, then reconnect. If your device enforces Always‑On VPN, connect via mobile data first or use an IT‑approved captive‑portal profile.
Should I tether from my phone or use hotel Wi‑Fi? Tethering via a regional eSIM is typically safer and more reliable. See Destinations for travel options, including Esim North America and Esim Western Europe.

Next step: If you’re equipping a team for secure travel, centralise data plans and support with For Business.

Read more blogs

Andes Highlights (3 Weeks): Peru–Bolivia–Chile–Argentina Connectivity

Planning a south america itinerary 3 weeks through the high Andes? This route stitches together Peru’s Sacred Valley, Bolivia’s La Paz and Salar de Uyuni, Chile’s Atacama Desert, and northern Argentina’s quebradas or Mendoza wine country—often by long-distance bus and a couple of short flights. Connectivity is different at altitude: coverage is strong in cities but drops in high passes and salt flats; bus Wi‑Fi is patchy; border towns can be blackspots. The smart move is an eSIM with multi‑country coverage, backed by offline maps, offline translations, and a simple routine for crossing borders by bus without losing service. Below you’ll find a practical, connectivity-first itinerary; checklists to prep your phone, apps and documents; and on-the-ground tips for staying online where it matters: booking transport, hailing taxis, backing up photos, and navigating when the signal disappears.If you’re transiting via Europe or North America, you can also add a layover eSIM to stay connected door-to-door. Start with our country list on Destinations, then follow the steps, and you won’t waste time chasing SIM shops at 3,500 metres.The 3‑week Andes route at a glanceWeek 1: Peru (Cusco, Sacred Valley, Machu Picchu) - Fly into Cusco (or Lima then connect). - Base in Cusco; day trips to Pisac/Chinchero/Maras–Moray. - Train to Aguas Calientes; Machu Picchu visit; return to Cusco or continue to Puno/Lake Titicaca.Week 2: Bolivia and Chile (La Paz, Uyuni, San Pedro de Atacama) - Bus/collectivo via Copacabana to La Paz. - Fly or overnight bus to Uyuni. - 3‑day Uyuni–altiplano tour ending in San Pedro de Atacama (Chile).Week 3: Chile and Argentina (Atacama to Salta or Mendoza/Buenos Aires) - Choose: - North: San Pedro to Salta/Jujuy by bus; fly to Buenos Aires. - Or South: San Pedro–Calama flight to Santiago; bus or flight to Mendoza; onward to Buenos Aires.Connectivity notes (quick): - Cities: generally strong 4G/4G+; 5G in major hubs (Santiago, Buenos Aires). - Altitude/rural: expect long no‑signal stretches (Uyuni, altiplano passes, Paso Jama). - Bus Wi‑Fi: often advertised, rarely reliable. Plan to be offline onboard. - Border regions: networks switch; a multi‑country eSIM avoids sudden loss.eSIM vs local SIMs for a 4‑country tripFor a route with multiple borders and remote legs, eSIM wins on time and reliability.What a multi‑country eSIM gets you: - One plan across Peru, Bolivia, Chile, Argentina (check coverage per country on Destinations). - No passport/SIM registration queues at kiosks. - Keep your home number active on the physical SIM for calls/SMS codes. - Instant top‑ups if you burn data on photos or navigation.When a local SIM still helps: - Long stay in one country with heavy data use (e.g., a month in Buenos Aires). - Dead zones where a different local network performs better (rarely worth the hassle on a 3‑week pace).Practical approach: - Use an eSIM as your primary data line across all four countries. - If you find a specific local network far better in one region, add a cheap local SIM and keep the eSIM as backup.Device readiness checklist (before you fly)1) Check eSIM compatibility and SIM‑lock status on your phone.2) Buy and install your eSIM while on home Wi‑Fi. Keep a PDF/printed copy of the QR code.3) Label lines clearly (e.g., “eSIM Andes Data”, “Home SIM”).4) Turn on data roaming for the eSIM; leave roaming off for your home SIM to avoid charges.5) Set up dual‑SIM rules: data on eSIM; calls/SMS default to home SIM if needed.6) Download offline: Google Maps/Organic Maps for all target regions; language packs (Spanish at minimum); bus/air tickets; hotel confirmations.7) Cloud backups: set to upload on Wi‑Fi only; pre‑create shared albums for travel companions.8) Test tethering/hotspot with your laptop/tablet.If you’re transiting popular hubs, consider a short layover eSIM: - USA connections: add an Esim United States or a broader Esim North America.- Europe connections: Madrid/Barcelona? Use an Esim Spain. Paris or Rome? See Esim France and Esim Italy. Multi‑country layovers? Try Esim Western Europe.City‑by‑city connectivity notesCusco & the Sacred Valley (Peru)Coverage: Good in Cusco city; variable in high villages (Maras/Moray) and along Inca Trail approaches.Tips: Download Sacred Valley maps offline; pin viewpoints and ruins. most taxis use WhatsApp—save your accommodation’s number.Machu Picchu/Aguas Calientes: Patchy to none at the citadel. Upload your photos later; don’t rely on live ticket retrieval.Lake Titicaca: Puno and CopacabanaPuno: Reasonable 4G; bus terminals crowded—screenshot QR tickets.Crossing to Copacabana: Expect a signal drop around the border; have directions saved offline.La Paz (Bolivia)Good urban 4G; the cable car network has decent signal but tunnels do not.Yungas/“Death Road” tours: Mountain valleys cause dead zones—share your emergency contacts with the operator, carry a charged power bank, and don’t plan remote calls.Uyuni and the Altiplano (Bolivia to Chile)Uyuni town: OK 4G; ATMs finicky—use Wi‑Fi for banking apps.Salt flats/lagunas: Assume offline for most of the 3‑day tour. Guides often carry satellite phones; agree a pickup time/place in San Pedro and preload your map route.San Pedro de Atacama (Chile)Town: Solid 4G; accommodations often have Wi‑Fi but speeds vary.Geysers, Valle de la Luna: Offline navigation essential; sunrise trips start before mobile networks wake up in some areas.Salta/Jujuy or Mendoza/Buenos Aires (Argentina)Salta/Jujuy: Good city coverage; quebradas have long no‑signal sections.Mendoza: City 4G/5G; vineyards outside town can be patchy.Buenos Aires: Strong 4G/5G; ideal for cloud backups and large downloads before you fly home.Border crossings by bus: step‑by‑stepThe big ones on this route: Peru–Bolivia (Puno/Copacabana), Bolivia–Chile (Uyuni–San Pedro via Hito Cajón), Chile–Argentina (Paso Jama to Salta or Los Libertadores to Mendoza).How to keep service and sanity:1) The day before:- Top up your eSIM data.- Confirm your plan includes both countries you’re entering/leaving.- Download offline maps for both sides of the border and your town of arrival.- Save bus company WhatsApp and terminal address offline.2) On departure morning:- Keep a paper copy or offline PDF of tickets, insurance, and accommodation proof.- Charge phone and power bank; pack a short cable in your daypack.3) On the bus:- Don’t count on bus Wi‑Fi. Keep your eSIM as primary, but expect drops near mountain passes.- If your phone supports it, enable “Wi‑Fi calling” for later when you reach accommodation Wi‑Fi.4) At the border posts:- Data may be unavailable. Keep QR codes and booking numbers offline.- After exiting one country and entering the next, toggle Airplane Mode off/on to re‑register on the new network.- If the eSIM doesn’t attach, manually select a network in Mobile Settings.5) Arrival:- Send your accommodation a quick WhatsApp when you’re back online.- Recheck your eSIM’s data roaming is on; confirm you’re on an in‑country network, not a weak roaming partner.Pro tips: - Dual profiles: If your eSIM allows, keep a secondary profile for a different network in the same country—helpful in border towns.- Cash buffer: Some border terminals don’t accept cards; download a currency converter for offline use.Offline survival kit (5‑minute setup)Maps: Download regions for Cusco, Sacred Valley, Puno, La Paz, Uyuni, San Pedro, Salta/Jujuy or Mendoza, and Buenos Aires.Translations: Download Spanish for offline use; add phrasebook favourites (bus tickets, directions, dietary needs).Documents: Save PDFs of passports, tickets, hotel addresses; star them for quick access.Rides: Screenshots of pickup points; pin bus terminals and hotel doors.Entertainment: Podcasts and playlists for long bus legs, set to download on Wi‑Fi only.Altitude and your tech: what changesCoverage gaps lengthen: Fewer towers at high altitude; valleys can block signal. Assume offline on remote excursions.Batteries drain faster in cold: Keep your phone warm and carry a power bank (10,000–20,000 mAh).Hotel Wi‑Fi may be congested: Schedule big uploads (photo backups, app updates) for big-city stays like Santiago or Buenos Aires.GPS still works offline: Your blue dot shows on offline maps without data—preload everything.Data budgeting for 3 weeksTypical traveller usage across this route: - Messaging/Maps/Bookings: 0.2–0.5 GB/day- Social and photo sharing: 0.3–0.7 GB/day- Occasional video calls/streaming: 0.5–1.0 GB/dayFor a mixed-use trip, plan 15–25 GB for 3 weeks. Heavy creators should double it and upload over hotel Wi‑Fi when possible. If you work remotely, consider a higher‑capacity plan and a backup eSIM; see our guidance on For Business.Practical route with transport and connectivity cuesDays 1–4 Cusco base: Strong city signal; day trips may be spotty—go offline-ready.Days 5–6 Machu Picchu: Expect no service at the ruins; sync tickets ahead.Days 7–8 Puno to La Paz via Copacabana: Border signal drop; re‑register networks after crossing.Days 9–11 Uyuni tour to San Pedro: Treat as offline; charge nightly; carry spare cables.Days 12–14 San Pedro: Stable in town; tours offline; top up data before Paso Jama.Days 15–17 Salta/Jujuy or Mendoza: Good urban 4G; rural patches are offline.Days 18–21 Buenos Aires: Strongest connectivity of the trip; clear your uploads and map downloads for the flight home.Partnering and stopover extrasHospitality and tour operators in the Andes: help your guests stay connected—explore co‑branded solutions via our Partner Hub.Transatlantic flyers: test your eSIM setup on a layover with an Esim United States or Esim Western Europe before hitting high-altitude blackspots.FAQs1) Do I need a local SIM in each country?No. A multi‑country eSIM covering Peru, Bolivia, Chile and Argentina is simpler and works well for a 3‑week pace. Consider a local SIM only if you’ll spend longer in one country and want the absolute best regional coverage.2) Will my WhatsApp number change with an eSIM?No. WhatsApp is tied to your registered number, not your data line. Keep your home SIM active for voice/SMS (roaming off if you wish), and use the eSIM for data—WhatsApp continues as normal.3) Can I hotspot to my laptop or camera?Yes. Enable tethering on your eSIM. Mind your data: cloud backups and OS updates can burn gigabytes—set them to Wi‑Fi only or schedule in big cities.4) What if there’s no signal on the Uyuni/Atacama legs?That’s expected. GPS still works offline. Pre-download maps and translations, carry a power bank, and sync plans with your tour operator before departure.5) Will I get roaming charges at borders?If you’re using a multi‑country eSIM with coverage in both countries, you won’t incur extra roaming fees from your home carrier. Keep roaming off on your home SIM to avoid accidental use.6) I’m connecting via Europe or the US—worth getting a layover eSIM?Yes. It’s an easy way to test your setup and stay reachable. Try Esim North America or country options like Esim Spain, Esim France, or Esim Italy for common hubs.Next step: Browse South America coverage options and build your plan on Destinations.

31 Oct 2025

Inflight & Maritime Roaming: How to Avoid Shock Bills (2025)

If you’ve ever stepped off a flight or cruise to an unexpected roaming bill, you’ve likely met the inflight and maritime networks that quietly connect your phone at 35,000 feet or out at sea. These aren’t normal mobile networks. They use satellite backhaul, sit outside most inclusive roaming plans, and are priced at premium wholesale rates that get passed straight to you. Data can be charged by the megabyte at eyewatering rates; calls and texts aren’t cheap either. The good news: bill shock is 100% avoidable with a little prep. In this guide, we’ll demystify how inflight and shipboard networks bill, show you exactly how to disable them, and share safer alternatives—like port‑day eSIMs and Wi‑Fi packages—that keep you connected for a sensible price. Whether you’re flying long‑haul, cruising the Med, or ferry‑hopping, use this checklist-driven playbook to stay online without risking maritime roaming charges.Why inflight and maritime roaming is differentHow these networks billAircraft and ships run small onboard cellular networks (often branded AeroMobile, SITAONAIR/OnAir, Panasonic, Telenor Maritime, WMS, or “Cellular at Sea”).Your phone sees them like any other roaming partner and may auto‑connect if mobile data/roaming is on.Usage is routed via satellite, then rated by your home carrier at special “non‑terrestrial” tariffs. These typically sit outside any domestic allowance or standard roaming bundles.On your device, the operator name may show as “AeroMobile”, “OnAir”, “Cellular at Sea”, or an unfamiliar code (often starting with 901-xx).Not included in your roaming bundle“Roam Like at Home” in the EU and most global roaming add‑ons usually exclude inflight/maritime networks.Welcome texts and usage alerts can be delayed or missing while you’re connected at sea/in‑air, so don’t rely on them.Spend caps and data bars may not trigger in real time; charging records can arrive hours later.Typical costs to expectPrices vary by carrier, but this is a realistic market picture (per-person, pay‑as‑you‑go roaming):Data: £5–£15 per MB inflight; £3–£10 per MB at sea. A single photo upload or app update can cost pounds.Calls: £2–£6 per minute (both inbound and outbound).SMS: £0.50–£1.50 each.Bundles: A few airlines offer paid inflight roaming “passes” via certain carriers, but read the small print—many still cap at very low data amounts.Bottom line: keeping data roaming on around these networks is the fast lane to maritime roaming charges and bill shock.Where travellers get caughtAt altitude: Phones latch onto the cabin network; background services (mail, messaging backups, cloud photos, app refresh) burn megabytes within minutes.At sea days: Cruise lines broadcast a strong shipboard signal; your phone prefers it once the shore network fades.Near port: You may still see the ship’s network at the pier. If “automatic” network selection is on, your phone can reattach to the maritime signal when you step back onboard.False confidence in caps: Spend caps and warning texts can arrive too late to save you from charges already incurred.Dual‑SIM confusion: Travellers think the travel eSIM protects them, but the primary SIM remains “roam‑enabled” and quietly connects to the ship/plane network.How to avoid bill shock: step‑by‑stepBefore take‑off or boarding a cruiseDo this while you still have reliable terrestrial signal.1) Turn off data roaming on all SIMs- iPhone: Settings > Mobile Data > Data Roaming = Off (repeat for each line).- Android: Settings > Network & Internet > SIMs > Data Roaming = Off (per SIM).2) Lock network selection to “Manual” and pick your current terrestrial carrier- iPhone: Settings > Mobile Data > Network Selection > turn off Automatic.- Android: Settings > Mobile Networks > Network Operators > turn off Automatic.3) Keep Airplane Mode as your default in the air/at sea; plan to re‑enable Wi‑Fi only- This completely blocks auto‑attach to satellite networks.4) Optional but recommended- Turn off Wi‑Fi Assist (iPhone): Settings > Mobile Data > Wi‑Fi Assist = Off.- Disable Background App Refresh (iPhone) / restrict background data (Android).- For dual‑SIM: set the travel eSIM as the only “Data” line; set your primary SIM to “Off” for data and ideally for voice while airborne/at sea.In the air: safest settingsBefore pushback: enable Airplane Mode.Then enable Wi‑Fi only for the airline hotspot.Do not turn off Airplane Mode to “grab a quick signal.” Even a minute of background data can be costly.At sea: safest settingsWhile sailing: keep Airplane Mode on; enable Wi‑Fi only if you’ve bought the ship’s plan.On port days: once the ship is docked, step ashore and connect to a terrestrial network or your port‑day eSIM.If you remain onboard in port, your phone may still see the ship network. Leave Airplane Mode on until you have strong shore Wi‑Fi or a verified local mobile signal.Quick checklist: zero‑risk configurationAirplane Mode: On (in air/at sea)Wi‑Fi: On (only if you intend to use onboard/airport/port Wi‑Fi)Bluetooth: As needed for headphonesData Roaming: Off (all SIMs)Network Selection: ManualDual‑SIM: Only your intended data eSIM is active for dataPro tip: Add these settings to a note or screenshot so you can re‑check quickly.Safer alternatives that actually work1) Airline Wi‑Fi and messaging plansMany carriers offer flat‑price passes for browsing or messaging.Pros: predictable cost; often enough for email and IM; unlimited messaging passes are increasingly common.Watch‑outs: streaming or VPN may be blocked or sold as an add‑on; speeds vary by route and aircraft.2) Cruise Wi‑Fi packagesBuy for the days you need rather than the whole voyage.Pros: unlimited data tiers exist; cheaper than cellular satellite roaming; supports calls/messages via apps.Watch‑outs: per‑device limits, throttling, and app blocks (video calling) are common; premium tiers may be required for video.3) Port‑day eSIM strategyUse a local or regional eSIM for each country you’ll visit—only when you’re ashore. Switch data to Wi‑Fi while sailing.Browse country and regional options on Destinations.Examples:USA calls? See Esim United States.City breaks in France? Use Esim France.Italian ports? Consider Esim Italy.Barcelona and the Balearics? Try Esim Spain.4) Regional passes for multi‑country tripsIf you’re visiting several countries in one cruise or fly‑drive, regional eSIMs keep things simple:Western Europe: Esim Western Europe covers popular EU stops under one plan.USA, Canada, Mexico: Esim North America is ideal for repositioning cruises or North American tours.How to use on port days:1) Keep Airplane Mode on until docked.2) Step ashore, then turn off Airplane Mode and select your eSIM as the data line.3) Confirm you’re on a terrestrial network (carrier name from the eSIM’s coverage list).4) When sailing again, revert to Airplane Mode and Wi‑Fi only.Pro tips to minimise data while travellingPre‑download maps, playlists, and shows over hotel or home Wi‑Fi.Turn off cloud photo backups and auto‑updates while abroad.Use apps that offer “low data mode” (e.g., streaming services, maps).Prefer Wi‑Fi calling and messaging apps (iMessage, WhatsApp, Signal) when on paid Wi‑Fi; disable carrier voice roaming entirely if you don’t need it.On iPhone, set your travel eSIM as “Data Only” and keep your primary SIM for calls/texts on Wi‑Fi calling.If you must keep mobile voice on for critical calls, set network selection to manual and re‑check after every take‑off or sail‑away.For business travellers and travel partnersCorporate travellers: equip teams with a clear inflight/at‑sea policy and pre‑trip device setup. Managed eSIMs and rules-based spend caps reduce risk. Learn more For Business.Travel trade and cruise specialists: add bill‑shock prevention to your pre‑departure comms and offer packaged eSIMs for port days. Explore our tools in the Partner Hub.Frequently asked questionsQ1) If data roaming is off, can I still be charged?A: With data roaming off, you shouldn’t incur data charges—but calls and SMS can still be billed at inflight/maritime rates if your device connects to the ship/plane network for voice/SMS. The safest approach is Airplane Mode with Wi‑Fi on.Q2) Will my EU “Roam Like at Home” plan cover maritime roaming charges?A: No. Roam Like at Home applies to terrestrial networks in the EEA. Inflight and maritime networks are excluded and typically charged at special rates.Q3) How do I know I’m on a ship or aircraft network?A: Look for operator names like “AeroMobile”, “OnAir”, “Cellular at Sea”, “Telenor Maritime”, or unfamiliar numeric codes. If you’re in the air or far from shore and you see any signal without Airplane Mode, assume it’s a satellite-backed network and disconnect.Q4) Are airline “mobile roaming passes” good value?A: They can be if priced sensibly and you only need light messaging. Compare them with the airline’s Wi‑Fi plans—Wi‑Fi often offers more data for less money. Always check the data cap and what services are included.Q5) Can I use WhatsApp on a cruise without paying for Wi‑Fi?A: Not safely. If your phone connects to the ship’s cellular network, even small messages can trigger maritime roaming charges. Buy the cruise Wi‑Fi package or wait for port‑day terrestrial service with a local/regional eSIM.Q6) What’s the best setup for a multi‑country cruise?A: Use Airplane Mode at sea, buy a cruise Wi‑Fi package if you need connectivity while sailing, and activate a regional eSIM—such as Esim Western Europe or Esim North America—for port days.The takeawayInflight and shipboard mobile networks are designed for convenience, not value. They sit outside most roaming bundles and bill at satellite‑grade prices. Prevent maritime roaming charges by defaulting to Airplane Mode in the air and at sea, re‑enabling Wi‑Fi only, and using port‑day or regional eSIMs when you’re back on shore.Next step: Plan your port‑day coverage with our country and regional options on Destinations.

30 Oct 2025

VPN for Travel: When You Need It, When You Don’t, and Best Practices

Travelling with a VPN can be a smart move—but not for every connection or every task. The right setup keeps your banking and accounts safe, helps when streaming libraries change, and prevents snooping on public Wi‑Fi. The wrong setup can drain your battery, slow you down, or even cause bank apps to lock you out. This guide cuts through the noise with practical, traveller-first advice on when to use a VPN, when to skip it, and how to configure it properly. We’ll cover banking and streaming workflows, split tunnelling, battery impact, and regional legality notes—plus checklists you can follow before you fly.Most importantly: mobile data from a reputable eSIM is typically safer than public Wi‑Fi. If you can move sensitive tasks (like banking) to cellular data via a local plan—think [Esim Western Europe], [Esim North America], or country options like [Esim United States], [Esim France], [Esim Italy], and [Esim Spain]—you’ll reduce the need for a VPN and avoid many connection headaches. When you do use a VPN, do it deliberately.When you need a VPN while travellingUse a VPN for any of the following:Public Wi‑Fi (hotels, cafés, airports): Encrypts your traffic to reduce snooping and rogue access point risks.Banking logins from a new country: A VPN with a home-country exit can reduce fraud flags and MFA loops. See best practices below.Streaming or sites with regional libraries: A VPN may help access your home library while abroad. Expect mixed results; platforms actively block VPNs.Voice and messaging apps where services are blocked: A VPN can sometimes restore access where VoIP or messaging is restricted.Bypassing DNS hijacking and content injection: Some networks tamper with traffic. A VPN gives you a clean path.Remote work requirements: Your employer may mandate a VPN for internal tools. If you’re travelling for work, coordinate with IT or see [For Business].Pro tip: - If Wi‑Fi makes your apps glitchy, toggle a VPN on with a local server (for performance) or switch to mobile data via an eSIM.When you don’t need a VPNSkip the VPN in these cases:On mobile data via an eSIM: Cellular networks are inherently harder to snoop than open Wi‑Fi. For sensitive tasks abroad, use data from [Esim Western Europe], [Esim North America], or a country plan like [Esim United States] rather than hotel Wi‑Fi.Speed-sensitive tasks where encryption overhead matters: Real-time calls, gaming, or large uploads may perform better without a VPN—especially on weak Wi‑Fi.Services that require your true location/IP: Some airline apps, local transport tickets, and banking fraud engines may block or challenge VPN IPs.Apps with end-to-end encryption already in place: Messaging apps with E2EE are safe transport-wise, though a VPN can still hide metadata from local networks.When your VPN is causing more harm than good: If your bank locks you out or streaming refuses to load, disconnect or use split tunnelling.VPN vs eSIM mobile data: which to use and whenBest default: eSIM mobile data (no VPN). Use a trusted provider, avoid public Wi‑Fi for sensitive tasks, and you’ll be secure enough for everyday travel.Add a VPN on Wi‑Fi. Especially in airports, cafés, co‑working spaces, or rentals with unknown routers.Add a VPN on mobile data only when needed. For example, to reach corporate resources or to try a home streaming library.Not sure which eSIM you’ll need? Browse country and regional plans via [Destinations], including bundles like [Esim Western Europe] and [Esim North America], or country plans such as [Esim France], [Esim Italy], [Esim Spain], and [Esim United States].Banking abroad: the smart setupWhy banks flag loginsBanks use device fingerprints, IP geolocation, and behaviour analytics. A sudden login from a new country—or from a known VPN data centre—can trigger extra verification or temporary blocks.Step-by-step: banking that “just works”Update your banking app at home. Test logins on Wi‑Fi and mobile data.Enable strong authentication. App-based 2FA or biometrics are best.Prefer mobile data over Wi‑Fi when abroad. Use your eSIM for all banking sessions.If you must use Wi‑Fi, enable your VPN—but choose a server in your home country.Disable ad‑blockers/trackers for the banking app if it fails to load; they can interfere.Keep your phone number active for OTPs if your bank relies on SMS, or switch to app-based OTP before departure.Avoid repeated failed logins. If you get stuck, switch off the VPN and try again on mobile data.Troubleshooting: - Banking app won’t load on VPN: Switch to a home-country server. If still failing, disconnect VPN and try on mobile data. - MFA loop: Clear the app cache and cookies (or reinstall). Swap networks (e.g., move from hotel Wi‑Fi+VPN to eSIM). - New device detection: Don’t factory reset or switch phones mid-trip unless necessary.Pro tip: - Keep a secondary bank/credit card with a separate app as backup in case one provider is overzealous with fraud rules.Streaming on the road: realistic expectationsWhat can work: - Catch-up TV or home library access via a VPN exit in your home country. - Downloaded content before travel—most reliable, no VPN needed. - Regional free-to-air apps that don’t enforce strict geo-checks.What often won’t: - Big platforms with aggressive VPN detection. Even “working” servers can stop at any time. - Casting from a VPN’d phone to a smart TV on hotel Wi‑Fi. The TV and phone must be on the same network; VPN can break discovery.Battery and data impact: - VPN + streaming = more CPU and up to 5–15% extra data overhead. Use efficient protocols (WireGuard) and drop video resolution if on metered data. - On weak Wi‑Fi, adding a VPN can amplify buffering. Try a nearby server, or use eSIM data.Split tunnelling for streaming: - Want only your streaming app on the VPN and the rest local for speed and maps? Use split tunnelling (details below). If unavailable on your device, consider a second browser or a dedicated streaming device.Pro tip: - Download episodes over a fast network before a long train or flight. It sidesteps geo-blocks and saves battery.Split tunnelling: how and when to use itWhat it is: - Split tunnelling lets you choose which apps or sites use the VPN and which go direct.When to use: - Banking: Route your bank app via a home-country VPN while leaving maps and ride‑hailing off VPN for better location accuracy. - Streaming: Put the streaming app through the VPN; keep everything else local for speed. - Work: Send corporate tools via the company VPN, keep personal browsing normal.How to set it up (general): - Android: Many VPN apps offer “Split tunnelling” or “Per‑app VPN.” Choose apps to include or exclude from the tunnel. - Windows/macOS: Look for “Split tunnelling,” “App exclusions,” or “Bypass VPN for selected apps” in your VPN client. Some allow domain-based rules. - iOS/iPadOS: Per‑app split tunnelling is limited. Some VPNs provide app exclusions; if yours doesn’t, use workarounds like a dedicated browser for VPN use, or keep critical apps on mobile data while other tasks run on Wi‑Fi+VPN.Pro tips: - Prefer “include list” (only chosen apps use VPN) for tighter control. - Test each app after changes—some ignore system proxies and behave differently.Battery, speed and data: making a VPN travel‑friendlyProtocol matters: WireGuard (or modern variants) is efficient and fast; IKEv2 is stable on mobile; OpenVPN can be heavier on battery.Server choice: Nearby servers reduce latency and drain. Use a home-country server only when you truly need that IP.Auto‑connect logic: Configure “auto‑connect on insecure Wi‑Fi” rather than “always on” to save battery.Kill switch: Enable it on laptops; on phones, use it when you must ensure no leaks (e.g., on hostile networks). Remember it blocks traffic if the VPN drops.Background apps: Limit background sync and cloud photo uploads on metered/VPN connections.Tethering: VPN on the phone plus hotspot adds overhead. If possible, run the VPN on the tethered device instead.Legal and policy notes by regionLaws and enforcement vary. High‑level guidance for travellers:EU/UK/US/Canada: VPNs are generally lawful for personal use. Platforms may still block VPN IPs; terms of service apply.Turkey/Egypt: VPNs are sometimes throttled or specific services blocked. Have multiple protocols available (WireGuard and IKEv2/OpenVPN).India: VPN use is legal; some services changed logging policies. Stick to reputable providers.UAE/Oman: Authorities penalise misuse of VPNs to commit offences. Access to unlicensed VoIP may be limited. Expect some blocks.Russia: Many VPNs are restricted or blocked; connections may be unreliable.China: Most foreign VPN apps are blocked. If you need one, set it up before arrival and expect instability. Corporate solutions fare better.Iran: Extensive restrictions; connections can be risky and unreliable.Practical tips: - Install and test your VPN before you go. - Keep multiple protocols and server options. - Be prepared to fall back to mobile data via eSIM where Wi‑Fi is filtered.Note: Rules change. Check local regulations and service terms in your destination. For plan coverage, see [Destinations].Quick setup checklistBefore you travel: - Choose a reputable VPN with WireGuard and IKEv2 support. - Install on all devices and test banking logins at home. - Enable app‑based 2FA for financial accounts. - Configure auto‑connect on insecure Wi‑Fi and a kill switch where needed. - Set up split tunnelling for banking/streaming apps if available. - Download offline maps and streaming content in advance. - Add a travel eSIM for safer mobile data: check regional bundles like [Esim Western Europe] and [Esim North America], or country plans such as [Esim France], [Esim Italy], [Esim Spain], and [Esim United States].On the road: - Prefer eSIM mobile data for sensitive tasks; avoid public Wi‑Fi when possible. - Use VPN on public Wi‑Fi; pick the nearest server unless you need a home IP. - If something breaks, toggle VPN off/on, switch servers, or move to mobile data.For teams and business travellersCoordinate with IT: Use approved clients/protocols and per‑app VPN profiles.Separate profiles: Keep work apps in a managed profile (Android) or use MDM on iOS/macOS to enforce per‑app VPN.Performance planning: Offer regional gateways for roaming staff to reduce latency.Policy: Document when VPN is mandatory vs optional to preserve battery on the move.If you manage roaming teams or resell travel connectivity, explore Simology’s solutions [For Business] and our [Partner Hub].FAQDo I need a VPN for hotel Wi‑Fi?It’s strongly recommended. Hotel Wi‑Fi is shared and often poorly segmented. A VPN encrypts your traffic and reduces exposure to snooping or rogue hotspots.Will a VPN break my banking app?It can. Banks often block data centre IPs. Try your bank on mobile data first. If using Wi‑Fi, connect your VPN to a home‑country server. If it still fails, disconnect the VPN and use eSIM data.Is it legal to use a VPN abroad?In many countries, yes. Some restrict or block VPNs, and misuse can carry penalties. Check local rules in your destination and follow platform terms. Be prepared with eSIM data as a fallback.Which VPN protocol is best for travel?Start with WireGuard for speed and battery efficiency. If blocked or unstable, switch to IKEv2 (good on mobile) or OpenVPN UDP/TCP as a last resort.Do I need a VPN if I use an eSIM?Often no, especially for banking and routine browsing on mobile data. Still use a VPN on public Wi‑Fi or when you specifically need a home IP or company access.Will a VPN reduce my battery life?Modestly. Expect extra drain, especially on weak networks. Use efficient protocols, nearby servers, and auto‑connect only on insecure Wi‑Fi to minimise impact.Next step: Pick a local or regional eSIM to keep sensitive tasks on mobile data and reduce VPN headaches. Start with [Destinations].

30 Oct 2025