TunnelBear Review: Simplicity Is Beauty
Bears and VPNs exist in two very different worlds, but they both have something in common. Bears love the privacy of their caves, and likewise, VPN services too are getting increasingly serious about the privacy of their users. The number of VPN services is constantly rising. While some of them need elaborate configurations, others tend to confuse novice users with an array of options and settings. Canada-based TunnelBear Inc. borrows the bear's philosophy on online privacy and solves these problems with a minimalist VPN service called TunnelBear VPN.
TunnelBear Review: The Company
Company Rating: 3.5/5
Founded in June 2011 by Ryan Dochuk and Daniel Kaldor, TunnelBear Inc. is based out of Canada. Their team has an experienced group of network engineers, cryptography experts, and information security experts. The selection of the name TunnelBear is quite intuitive too, as tunneling is synonymous with VPN services and Canada is known for its sizable Grizzly Bear population.
TunnelBear was bootstrapped with $500, and over the last few years, its user base has grown from one million users to over 13 million users. It is one of the most popular startups in Canada.
We asked TunnelBear
How do Bills C-11 and C-51 affect TunnelBear?
C11 and C51 haven't had any noticeable effect on TunnelBear. Unlike ISPs, TunnelBear operates under a strict no-logging policy and doesn't collect information that could identify you or your IP address. You can read more from our co-founder's perspective here.
TunnelBear co-founder Ryan Dochuk is serious about online privacy, and it is evident from the causes he supports and his various interviews. He is also one of the signatories of an open letter to the Canadian PM demanding that Bill C-11 be repealed.
TunnelBear Review: UI and Features
UI and Features Rating: 4/5
A friendly UI can do wonders to the user experience. We loved TunnelBear's simplistic UI, and their bear notifications are not intrusive at all. This is a well-done interface. The features are easy to use, and TunnelBear has an excellent network of servers across locations.
TunnelBear takes pride in its simple UI. The minimal and simplistic interface takes a lot of options away from you, but if you are beginning with VPN services and do not understand a lot of those settings, TunnelBear makes your job easier.
With TunnelBear, you have access to 700+ tunneling servers spread across 20 countries.
India, Singapore, Hong Kong S.A.R, Japan
Norway, Sweden, Denmark, Ireland, UK, Netherlands, Germany, France, Switzerland, Italy, Spain
USA, Canada, Mexico
TunnelBear allows five simultaneous connections across devices, which is a unique feature. You can use one TunnelBear account at the same time on five different desktop, iOS or Android devices, or browser extensions. However, it is important to note that multiple connections can impact your VPN speed.
Security and Privacy Features
As far as VPN protocol is concerned, TunnelBear uses OpenVPN for the Android and desktop clients, and IPSec/IKEv2 for the iOS client. You can read more about OpenVPN and IKEv2 protocols.
TunnelBear has various privacy features.
- No logging- TunnelBear does not log your originating IP address. It does not maintain a log of the websites you are visiting either, and anonymizes and scrambles your connection.
- Anonymous Payments- TunnelBear supports anonymous payments through Bitcoin. With Bitcoin, you can make payments without supplying your personal information like in traditional payments.
- Shared IP- TunnelBear uses shared IPs, thereby putting you on the same IP address as many other users who connect to the same TunnelBear server.
- Opt-out policy- TunnelBear complies with Canadian laws, and when you use TunnelBear, you agree to those laws. However, they also have an opt-out policy that lets you opt out of implied consent on any of your personal information collected by TunnelBear via your payment method. This enables you to be in control of your personal information. Read more on opt-out at the consent section here.
- DNS Leak protection- Once TunnelBear connects to a server, it sends all further DNS requests over the tunnel and also encrypts them. This protects you from a DNS leak where your actual IP ends up making a public DNS query.
TunnelBear has an excellent breakdown of their security features on the official TunnelBear blog. This is also a transparent disclosure which impressed us a lot. TunnelBear uses strong AES-256 encryption.
Windows, Mac OS, Android
iOS 9 and above
iOS 8 and below
We asked TunnelBear
Who hosts TunnelBear tunneling servers? How does TunnelBear select hosts in different countries with different data retention laws?
Although our physical servers are located in many different countries around the world, TunnelBear does not store personally identifiable information outside of Canada’s physical borders. In addition, all of our servers are fully disk-encrypted, to keep out prying eyes.
TunnelBear's security on desktop and on iOS 9 and above is pretty hardened. Yet the client for iOS 8 and below uses weak encryption (AES 128-bit), weak authentication (SHA-1) and a weak key exchange (1548-bit Diffie-Hellman), all of which have been broken in the last few years by security researchers and the NSA.
We observed in our tests that TunnelBear uses the QUIC protocol for transport. However, this can cause choppy connections for reasons like:
- Slow Internet connection- QUIC does not guarantee the order of packet delivery.
- Firewall- Your Internet connection has a firewall that blocks UDP based protocols.
Situations like these can result in your audio and video streams appearing broken. TCP override saves the day by ensuring reliable packet delivery.
However, TCP override did not change the protocol from QUIC to TCP or any TCP variant in our tests. We have reached out to TunnelBear support on this and are waiting for a reply.
Update: TunnelBear came back to us with a beta version client where this issue with TCP override was fixed. This fix will be out with their next stable release.
VigilantBear: The Kill-switch
It is common for VPNs to lose connection to their servers occasionally, and during this brief period your Internet connection is unsecured. This causes a serious privacy leak called an IP leak and defeats the purpose of using a VPN service altogether. The VigilantBear feature blocks your Internet connection after the connection is lost until TunnelBear automatically reconnects to its server.
GhostBear: The Stealth Mode
GhostBear is TunnelBear's stealth mode, and it is very helpful for people who want to bypass government and ISP censorship. Some users have reported that TunnelBear's GhostBear feature works in China, which is great news. This means you can access Netflix, Spotify and BBC iPlayer sitting in China, or even tune in to your favorite NFL or soccer feed. TunnelBear became hugely popular during anti-government protests in Turkey. When Turkey tried blocking VPN access, GhostBear allowed Turkish citizens to access Twitter and YouTube, and TunnelBear joined this anti-censorship revolution by offering free unlimited data to users in Turkey.
We asked TunnelBear
How does GhostBear work? Is it still OpenVPN underneath? If yes, what additional security is added to OpenVPN in GhostBear?
GhostBear is TunnelBear's advanced anti-censorship features which address several different censorship techniques. This includes blocking TunnelBear's domains and the use of Deep Packet Inspection (DPI) to detect OpenVPN/IPSec traffic and then throttle or block that traffic. We integrated and developed proxy and obfuscation technologies which help our VPN data look like regular https traffic, making it more difficult to block. Obfuscation is performed by adjusting the packet inter-arrival times and transport protocol packet length distribution.
GhostBear uses the TPKT protocol. TPKT is a remote desktop protocol and is harder to block as many applications depend on this protocol. We also noticed that TunnelBear uses Obfsproxy to scramble the TLS handshake, thereby making it difficult to determine that a VPN connection is being established with the server. This feature worked perfectly fine.
SplitBear is a feature that lets you tunnel specific applications on mobile devices. This feature can come in handy in two situations.
- When you are on the free TunnelBear plan and want to use a VPN for critical activities, this feature can save your bandwidth.
- When you are connected to a slow TunnelBear server, SplitBear can let you stream videos at normal speeds through the YouTube app, while securing the rest of your web-browsing activities.
TunnelBear once had interesting features like IntelliBear and Maul Tracker that were discontinued later. It also stopped allowing torrents on its network for reasons explained here.
It is important to note that although TunnelBear lets you change these settings when you are already connected to a server, the changes do not take effect until you reconnect to the server.
TunnelBear Review: Speed Test
Speed Rating: 2.5/5
While there were a few servers that were consistently fast, many TunnelBear servers were quite slow throughout our tests. We were not impressed by TunnelBear's speed.
When you let TunnelBear connect to a server automatically, it selects the server with the lowest ping time, but this is not necessarily the fastest server. The speed can depend on multiple factors besides ping time and latency. At Tom's VPN, we have a six-step guide to testing VPN speeds, and we applied this test to TunnelBear. Here are the results.
TunnelBear Speed Test Results
During our TunnelBear review we tested server speeds at four different times over a one-day period. The best and most consistent speeds throughout the day are available in Singapore, Germany, and the UK.
We also calculated the day average at these three locations based on the percentage of base speed.
Average Speed as percentage of base Internet Speed
Besides, here are the best one-time speeds we got from TunnelBear server in the course of our tests.
Best speed in Mbps
Two additional TunnelBear features affected the speed consistently.
- GhostBear- GhostBear caused a 25% reduction in speed.
- Simultaneous connections- When connected to the same Wi-Fi network, a second connection caused a 30% drop in speed. However, this was not the case when we connected from the same TunnelBear account but over different Wi-Fi networks.
TunnelBear Review: Security Test
Security Rating: 3/5
Great encryption, perfect forward secrecy, a real stealth mode and good performance in various leak tests were positive signs. However, TunnelBear leaves a lot to its users, such as being vigilant in turning off torrent clients before connecting to TunnelBear, and its kill-switch did not work on one of our test machines. TunnelBear still has some work to do when it comes to security.
Tom's VPN Security Lab Tests
At Tom's VPN, we perform a detailed packet capture through our test machines to check all the security features that any VPN promises as part of its service.
When connecting without any additional security feature turned on, we observed that TunnelBear uses QUIC protocol to send encrypted data. On the stealth mode called GhostBear, TPKT was used to send scrambled packets. All good here.
TLS Handshake Test
With the stealth mode (GhostBear) turned on, we observed that TunnelBear successfully hides the TLS handshake with Obfsproxy. Moreover, TunnelBear mentions that it uses Diffie-Hellman key exchange over the tunnel to maintain perfect forward secrecy.
TunnelBear mentions in its Terms clearly that it does not support BitTorrent. But how does it ensure that you are not using BitTorrent? Well, it does not, and you will put yourself at risk if you use BitTorrent with TunnelBear. The moment we tried downloading the Ubuntu ISO over BitTorrent, we noticed that TunnelBear stopped anonymizing and encrypting some of our packets. Use your discretion here.
Kill Switch Test
TunnelBear's kill-switch is called VigilantBear. Although VigilantBear worked perfectly on Windows 10 on a home connection, we noticed that it did not block the Internet on a Windows 7 64-bit machine that was on a restricted Windows domain. This is a matter of concern, and we have informed TunnelBear support.
Destination IP Test
To conduct this analysis, we filtered out all QUIC packets, and packets with the VPN server address. This would give us all the packets that communicated elsewhere from our IP address.
We could see a couple of [FIN, ACK] termination request packets communicating directly with our IP from Windows servers and CDN servers. This is not an IP leak as:
- For these packets to exist, we must have connected to these servers before establishing the VPN connection.
- This is how TCP works in general to ensure delivery and close connections.
We could also see a couple of multicast requests like MDNS requests to 224.0.xxx.xxx, SSDP service discovery requests to 239.255.xxx.xxx and LLMNR name resolution requests to 224.0.xxx.xxx. These are local discovery packets and travel inside the local network.
Other than these local discovery protocols and termination connections, all other packets were routed to TunnelBear's VPN server properly.
However, we did detect a direct SSL connection to an ie100.net domain. Google Chrome uses this connection for its safe browsing feature, and TunnelBear did not encrypt this request.
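The destination IP analysis above can be expressed as a small classifier. The following is an added example, not part of the original review or of TunnelBear's tooling; the VPN endpoint, LAN subnet, tunnel-up time and packet records are constructed sample values, and flows are keyed on remote address and port only as a simplification.

```python
import ipaddress

VPN_SERVER = ipaddress.ip_address("198.51.100.20")  # assumed VPN endpoint
LAN = ipaddress.ip_network("192.168.1.0/24")        # assumed local subnet
TUNNEL_UP = 100.0                                   # assumed tunnel-up time (seconds)

# Constructed packet summaries: (time, remote peer, protocol, remote port, TCP flags)
PACKETS = [
    (90.0,  "203.0.113.7",     "tcp", 443,  "S"),   # opened before the VPN connected
    (101.0, "198.51.100.20",   "udp", 443,  ""),    # encrypted tunnel traffic
    (102.0, "224.0.0.251",     "udp", 5353, ""),    # mDNS
    (103.0, "239.255.255.250", "udp", 1900, ""),    # SSDP
    (104.0, "224.0.0.252",     "udp", 5355, ""),    # LLMNR
    (105.0, "203.0.113.7",     "tcp", 443,  "FA"),  # teardown of the pre-VPN flow
    (106.0, "203.0.113.9",     "tcp", 443,  "S"),   # new connection outside the tunnel
    (107.0, "203.0.113.9",     "tcp", 443,  "FA"),  # its teardown is still a leak
    (108.0, "192.0.2.53",      "udp", 53,   ""),    # DNS query outside the tunnel
]

def classify(packets, vpn=VPN_SERVER, lan=LAN, tunnel_up=TUNNEL_UP):
    """Label each packet the way the destination IP test reasons about it."""
    pre_vpn_flows = set()  # (peer, port) pairs seen before the tunnel came up
    labels = []
    for ts, peer, proto, port, flags in packets:
        addr = ipaddress.ip_address(peer)
        if ts < tunnel_up:
            pre_vpn_flows.add((peer, port))
            labels.append("pre-vpn")
        elif addr == vpn:
            labels.append("tunnel")
        elif addr.is_multicast or addr in lan:
            labels.append("local")        # discovery traffic that stays on the LAN
        elif proto == "tcp" and "F" in flags and (peer, port) in pre_vpn_flows:
            labels.append("teardown")     # FIN for a connection that predates the VPN
        else:
            labels.append("leak")         # anything else bypassed the tunnel
    return labels

def leaks(packets):
    """Return only the packets that went around the tunnel."""
    return [p for p, label in zip(packets, classify(packets)) if label == "leak"]

if __name__ == "__main__":
    for pkt, label in zip(PACKETS, classify(PACKETS)):
        print(f"{label:9} {pkt}")
```

A FIN/ACK counts as benign only when its flow was seen before the tunnel came up, which is the condition the first bullet above relies on.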
Other Online Security Tests
IPv4, IPv6, DNS and WebRTC Leak Test
Doileak is an excellent online tool that combines a number of leak tests into one. We checked TunnelBear for IPv4, DNS and WebRTC leaks with the Doileak test, and all these tests passed with good results.
This online test is something that you too can carry out after connecting to any VPN service.
TunnelBear Review: Support
Support Rating: 5/5
They say the first step to solving a problem is acknowledging that there is one. TunnelBear understands this philosophy well. Their responsive and cheerful support gets full stars from us.
TunnelBear has an active support team. We had to go back and forth in communication with TunnelBear for various questions, suggestions, and issues that we found during our review and their response time has been around 24 hours. The responses are courteous, have a personal touch, and they also provide you with links to further technical details when needed.
TunnelBear support can be reached in three ways.
- Directly at their official email@example.com email
- The support page on their website
- From inside the TunnelBear client application
The TunnelBear help page has a vast treasure of commonly asked issues and questions and is worth reading.
However, we were disappointed at the fact that there was no live chat option on the support page, which is a very common support feature nowadays.
TunnelBear Review: Pricing
Pricing Rating: 4.5/5
A free monthly plan that isn't a time-limited trial, mobile-only plans at reduced prices and an unlimited plan with attractive yearly rates impressed us. However, TunnelBear does not offer refunds once you have made your purchase. Apart from this caveat, it's a good deal.
TunnelBear comes in three usage plans- Little, Giant, and Grizzly. Additionally, there are mobile-only plans- the Mobile Giant and Mobile Grizzly. We recommend the Grizzly Plan; it is value for money.
Little Bear Plan
- Free signup and usage
- 500 MB free monthly data
- 1 GB of additional data topup
- Free to use on mobile
Giant Bear Plan
- $7.99 per month
- Monthly payments
- Unlimited usage bandwidth
- Mobile plan at $3.99 monthly
Grizzly Bear Plan
- $4.17 per month
- Yearly payment of $49.99
- Unlimited usage bandwidth
- Mobile plan at $29.99 yearly
The Little plan offered by TunnelBear is a free subscription. This makes TunnelBear one of the few VPN providers with a free usage plan, which lets you try it out for free before buying it. The free plan comes with reasonable bandwidth limits but has access to most TunnelBear features and servers. Additionally, it also allows you to top-up your monthly TunnelBear bandwidth by 1 GB of data for free with a simple tweet to @theTunnelBear. Effectively, you can use TunnelBear for free every month for basic usage. If you need unlimited bandwidth, The Giant and Grizzly plans will serve your purpose.
We asked TunnelBear
Is there any speed/feature difference between the free and the paid subscription?
The paid subscription allows you to access certain countries that aren't available in the free version. In addition, the free version is capped at 500 MB and doesn't get priority support.
You can pay for a TunnelBear subscription using Visa, MasterCard, American Express and anonymously through Bitcoins. However, there is one problematic issue when it comes to refunds. TunnelBear mentions in its Terms of Service that although users can cancel their subscription anytime, TunnelBear does not offer refunds.
TunnelBear Review: Our Verdict
Overall Rating: 3.7/5
Over the three weeks that we spent reviewing TunnelBear, we fell in love with their UI. The availability across devices and browser extensions is impressive. To add to that, TunnelBear allows five connections from the same account. The pricing schemes will not burn a hole in your pocket either, and their security standards are updated too. TunnelBear definitely gets extra credits for its responsive and cheerful support team, which has been a delight to talk to.
If we ignore the fancy app for a second, TunnelBear does have a few security issues. VigilantBear (the kill-switch) did not work in one of our tests. There is no warning for leaking BitTorrent connections and we found a bug in TunnelBear where TCP override was not working for us. To add to these problems, we noticed that TunnelBear servers offered below average speed and we managed a best consistent speed at 66.5% of our ISP's connection speed.