VPN in coffee shop practice

So when taking a laptop in a coffee shop, the common practice says we should use a VPN to connect to the wifi to avoid potential attacks. But I notice you need to connect to the wifi before you can activate the VPN. So in that small window of time where I connect to the wifi without the VPN on, is there a chance I get attacked? Or is there a better practice I am missing?

If the websites you visit are https:// (few sites nowadays are http://), then your connections are encrypted anyway. You don’t really need a vpn in an average coffee shop, but it doesn’t hurt - it is just another layer of encrypted protection on top of https and any other encrypted protocols you use.

It’s bollocks. You don’t need a VPN to connect to a public WiFi. For real. It used to be a problem around ten or so years ago when the Web wasn’t encrypted with https like it is today.

But today, as long as you see a green padlock at the top left of your browser, an attacker cannot own you. Very few sites don’t use https these days, and if you try to visit a site that does not use https, your browser will throw all kinds of warnings at you.

There’s a lot of answers, but I don’t see one that seems to have addressed the OP’s question of, "So in that small window of time where I connect to the wifi without the VPN on, is there a chance I get attacked?"

The answer is yes. Until you are on the VPN, you are not… on the VPN. 🙂

Any requests to the internet would direct from your laptop to the local (WiFi) network, and then to the Internet. As folks have mentioned/you can infer, if you’re using HTTPS or some other SSL protocol, your headers/destinations are visible to anyone sniffing, but not the content. Any MitM would see, for example, IP destinations for the VPN connection as it was being set up, and while it is running.

That being said - and you can read the other answers ad nauseam - you can probably see that the small amount of traffic as you set up the VPN connection is a passing risk compared to the majority of the data you will be passing back and forth over HTTP(s) after the VPN connection is made. If, as is well argued below, that’s a concern for you.

That’s when the killswitch kicks in, as it blocks all connections.

Use Linux. With the 5.10 kernel or better. Run it from a flash drive. Your chances of getting ‘hacked’ become less than 0.01%.

Could be wrong but aren’t you still vulnerable to a man-in-the-middle attack even if the website is https?

A VPN will protect you from a MITM attack on a public wi-fi network.

Don’t hold me to this as I’m not 100% on how the underlying networking is handled on all operating systems and sometimes there may be leaks depending on your device/overall setup but generally the “Always on VPN & Killswitch” will prevent your device making any outgoing network requests till the VPN connection is established.

Another benefit (which is very conditional) is that if you accidentally select that it’s a “Private” network, where it allows other devices to discover yours, a VPN will make sure your computer ports are closed to all other computers on the network.

That’s why you can’t use a wireless printer on your network if you don’t have split-tunneling on - your computer can’t see the printer, and the printer can’t see your computer.

This. Run a modern, updated browser, use https, and public wifi is perfectly safe.

Little late, but in case anyone is reading. Requests to websites themselves are not encrypted. The packet of information leaks the domain name/website of what you’re trying to view. It’s only the contents that are encrypted.

DNS is known to expose this information. I run a VPN at home with a self-hosted DNS that forwards to Cloudflare. This helps avoid having coffee shops sniff my DNS packets as well.

Yes, ok… But technically if you have a situation where the certs are compromised, you would be better off on a VPN. As specifically stated (without any details) in this advice (from the NordVPN site, ha ha ha):

“For a properly configured website with SSL / TLS certificates, the risks to the user are minimal. Without these certificates, any information you access on a website that is not encrypted is easily intercepted in transit.”

What is more meaningful - as has been debated ad absurdum in other posts in here - you do get more privacy over a VPN, because your requests are obfuscated behind the VPN.

We can ignore/minimize the items in this list that are mitigated by use of a properly-chained SSL connection, but the rest may be of value to the average user.

“aren’t you still vulnerable to a man-in-the-middle attack”

It would require some fiddling with certificates and/or a break in the cert chain… In theory you would get warning about that happening as the not-secure HTTPS connection was being set up for the first time.

But, all other things being equal, I can say superficially, that you are more vulnerable to a MitM attack without a VPN, but not ‘vulnerable’ in the sense that it’s easy or an immediate risk without additional things being in place on your laptop/browser.

Yes. The networks can proxy all requests to a TLS proxy (MITM proxy) that generates certificates on the fly. They will make certificates and verify the requests/handshake with the requested domain, decrypt the information, etc.

I want to say that for this to work transparently to the original client, they need the root certificate of the MITM proxy to be trusted in their X.509 certificate pool, but I could be wrong.

https://ipleak.net

This will determine whether your VPN is enabled or not.

I am still reading!

Another option would be to configure Firefox to use DNS over HTTPS (with Cloudflare or quad9 for example).

“if you have a situation where the certs are compromised, you would be better off on a VPN.”

A VPN company is far more likely to be compromised than a certificate authority

“you do get more privacy over a VPN, because your requests are obfuscated behind the VPN.”

But unfortunately the same requests are sent to the VPN provider first, and it is not beyond the realm of possibility that they pull a sneaky on their customers. Theoretically, you can easily be less private over a VPN than over just Https so long as VPN companies aren’t infallible.

“but I could be wrong”

You are not. This is what they do in businesses on corporate machines, but they are able to push out the proxy cert to client trusted stores. Your coffee shop cannot.

I’m actually not sure this site tells you anything about being on a VPN… And I presume you mean a NORD-like public VPN.

It will tell you (more or less) where your IP address is coming from geographically, and I guess that tells you if you are on a VPN… …More or less…

Yes, they see the host names, true.

And, with the camera on the door or on the ceiling inside the coffee shop, they also see your face. And since you’ve probably paid for something, they might even have your personal details via a credit card. That’s all true, too.

But, there’s nothing “unsafe” about using free public wifi (in that people might steal your stuff).