TunnelBear VPN: Middle of the Pack

VPN services encrypt your internet connections and help keep your data safe from prying eyes on unsecured Wi-Fi networks, or even from your internet service provider. They're also good for accessing video streams that aren't available outside certain countries.

TunnelBear and its grizzly-bear mascot can help you securely get online in a wide variety of worldwide locations, even if its network performance is somewhat middling. Its client software is appealing and easy to use (and you have no choice but to use it), and the service has a decent range of about 1,700 servers located in 20 countries.

Based in Toronto, TunnelBear is theoretically beyond the reach of U.S. law-enforcement authorities. That may change, though, because the company was bought recently by the U.S. antivirus giant McAfee.

If you're looking for a user-friendly, secure VPN service for casual use, you could do a lot worse than TunnelBear. But its configuration options are limited, and other VPN services cost less.

Costs and What's Covered

TunnelBear's free service limits you to 500MB a month of data, although if you tweet something nice about TunnelBear, the company will raise your cap to 1.5GB per month -- no joke. This is nice, but it's a pittance compared to the 10GB free monthly cap offered by Windscribe.

At $10 a month, TunnelBear's paid service is a bit on the pricey side, but you can pay $69.99 for an annual subscription, which works out to $5.83 a month. That's more than Private Internet Access' $3.33 per-month breakdown, but it's still a good value.

TunnelBear accepts lots of payment options, including credit cards, PayPal, Google Play Store, Apple's App Store and bitcoin. You can also use cash, or as the company calls it, "jars of honey."

The cash option isn't clearly explained on the website, but TunnelBear tech support told Tom's Guide that you can send cash payments, along with your registration email address, to 141 Bathurst St., Suite 101, Toronto, Ontario M5V 2R2, Canada.

You can have up to five simultaneous secure sessions, which is pretty standard across the commercial-VPN industry. Only a few, such as Windscribe, don't limit the number of concurrent users.


TunnelBear's client software sticks to the best-known platforms: PCs (Windows 7 SP1 and newer), Macs (OS X 10.10.5 Yosemite or newer), iPads and iPhones (iOS 9.3.5 or newer), and Android devices (4.1 Jelly Bean or newer).

There's no Linux client software, but the company posts detailed instructions on how to set up service on Ubuntu (version 16.04.2) or Fedora (version 25).

There are browser extensions for Chrome, Opera and Firefox, and a stand-alone ad blocker for Chrome. But be careful, as extensions protect only one browser's data and not the communications of other applications. There's no ad blocker built into the regular client software.

TunnelBear uses the OpenVPN protocol on Android, the IKEv2/IPSec protocol on macOS and iOS, and whichever happens to connect first on Windows.

TunnelBear is the VPN to get if you're into bears, because it liberally uses its grizzly mascot. You'll even hear a growl when you connect via the mobile app.

Unfortunately, you can't use the VPN service without TunnelBear client software, unless you're on Linux. As TunnelBear states on its website: "You cannot use TunnelBear on your Kindle/e-reader, Windows mobile devices, Apple/Android TV, gaming systems or by manually configuring your modem/router."

TunnelBear gets points for honesty, but some privacy-minded people would prefer to configure VPN connections themselves or use open-source OpenVPN client software. Many VPN services let you do this.

Servers and Configuration Options

The company operates about 1,500 servers around the world, but the number fluctuates, as TunnelBear uses a mix of dedicated and virtual servers. The latter type can boot up or shut down to accommodate network demand.

There are connection points in about 20 countries, ranging from Australia to the United Kingdom, but none in Russia or China.

Features and Interface

TunnelBear is the VPN to get if you're into bears, because it liberally uses its grizzly mascot throughout the site, software and service. TunnelBear's employees even have bear portraits and pseudonyms, such as Care Bear (support) and Vector Bear (design), which is half cute and half creepy.

The bear theme can get annoying on the mobile apps. They growl when you connect, but you can turn off the sound effects.

On the desktop, TunnelBear shows you a map of where you are and where you can connect. On Macs, a stylized "T" in the menu bar launches the program and connects to the service; the Windows taskbar icon can only connect/disconnect and exit the program.

On one of my Windows PCs, the TunnelBear server map took up only two-thirds of the screen and couldn't be moved or expanded; on another PC, full screen was an option. The general settings section lets you get disconnect notifications, minimize the screen and start up the program and service whenever you launch Windows.

The Security tab lets you block traffic while connecting or use the "GhostBear" option to make your encrypted data stream look more like regular data to fool websites and services (such as Netflix) that try to reject VPN connections. You can't adjust TunnelBear's encryption, but you can force a downgrade from the standard web TCP protocol to the less picky UDP protocol if you've got a shaky connection.

You can designate certain Wi-Fi networks, such as your home or office network, as "trusted." TunnelBear can then automatically connect as soon as you leave a trusted network. (You'll still have to turn off the VPN link manually when you reconnect to a trusted Wi-Fi network.)

The company's iOS and Android apps look similar, displaying a connection map with a location selector at the bottom of the screen. There's also a connect/disconnect switch at the top. Configuration options are similar to the desktop set, but the mobile apps let you contact tech support directly.

TunnelBear's kill switch is called VigilantBear, and you can enable it in the Settings menu in Windows, macOS and Android. There's no iOS version as of yet.

TunnelBear also offers a free password manager called RememBear. It's not part of the VPN client applications.

Privacy Protections

TunnelBear uses a mix of encryption protocols. There's a chart to break down the variations, but in brief:

— PCs and Macs use SHA-256 for authentication and 4,096 Diffie-Hellman public-key encryption for the handshake, while all data coming into or going out of the system uses AES-256 symmetrical encryption.

— iOS systems use different techniques based on which operating system is in use. iOS 8 matches AES-128 encryption for data with SHA-1 for authentication and 1,548-bit Diffie-Hellman encryption for the handshake. iPhones and iPads with iOS 9 raise authentication to SHA-256 and handshake encryption to 2,048-bit Diffie-Hellman.

— Android phones and tablets use SHA-256 authentication and 2,048-bit Diffie-Hellman encryption for the handshake, and all data is coded with AES-256 keys.

McAfee acquiring TunnelBear changes the equation for privacy-conscious people who might want to avoid the snooping eye of the FBI.

This secure setup should allow web surfing without leaving any wake, but you can't customize any of the specs the way you can with Private Internet Access.

As this story was being edited, Silicon Valley antivirus giant McAfee announced (on March 8, 2018) that it had acquired TunnelBear. That changes the equation for privacy-conscious people who might want to avoid the snooping eye of the FBI.

TunnelBear plans to continue as a stand-alone brand, but the company will now be at least partly under U.S. jurisdiction. Users worried about the U.S. National Security Agency (NSA) or Britain's GCHQ, the Government Communications Headquarters, should be aware that Canada shares information with those agencies.

Like most VPN services, TunnelBear says it doesn't collect user log files. It backs that claim up with a long but remarkably clear privacy policy, as well as a third-party security audit.

TunnelBear is fairly transparent about its personnel, listing Ryan Dochuk and Daniel Kaldor as co-founders on the company About web page. The firm was privately owned until its acquisition by McAfee.

MORE: Best VPN Services for Staying Anonymous Online

The site lists most of the other employees only by their first names and surname initials. You can have fun cross-referencing them with the colleagues listed on Dochuk and Kaldor's LinkedIn pages.

That One Privacy Site, a fount of information for everyone suspicious of VPN providers, gives TunnelBear generally good marks, except for its Canadian location and its affiliate-marketing program. That may change now that McAfee, which counts the NSA among its clients, is involved.

Full disclosure: Tom's Guide may participate in the TunnelBear affiliate program and make a bit of money if you buy a subscription through this website. That does not affect our review.


I used and tested TunnelBear and six other commercial VPN services while traveling from New York to the Netherlands, Germany and the Caucasian country of Azerbaijan.

TunnelBear's average download speed of 21.0 megabits per second (Mbps) was down 52 percent from the pretest average of 31.8 Mbps.

In and out of continents, coffee shops and hotel rooms, TunnelBear was behind Private Internet Access (PIA) and Hotspot Shield in download speed, but ahead of the other four services (CyberGhost, Mullvad, VPN Unlimited and Windscribe).

TunnelBear's best result was a second-place showing in network-connection time. Its average time of 6.5 seconds was nearly double that of PIA, but less than a quarter of VPN Unlimited's 36.5 seconds.

On the other hand, TunnelBear's network latency of 67.6 milliseconds was 463 percent more than before any VPN was connected, placing TunnelBear in the middle of the pack of seven. (Network latency is how long a data packet takes to go from one endpoint to another, and, in these tests, back again.) PIA's 150 percent latency increase was the best of the bunch, and VPN Unlimited's 815 percent jump was the worst.

TunnelBear's average download speed of 21.0 megabits per second (Mbps) was down 52 percent from the pretest average of 31.8 Mbps. That's behind Hotspot Shield's 28 percent drop and PIA's rather phenomenal result of only a 7 percent drop. The other services fared worse, although Windscribe was right behind TunnelBear, with a 56 percent drop.

Despite that ranking, TunnelBear fell to sixth out of seven when downloading a 780MB video file, achieving a speed of 1.23 Mbps. That's 55 percent slower than the pretest level. Only Mullvad did worse.

Upload speed isn't as important as download speed for most users, but TunnelBear's average upload speed of 14.2 Mbps, off by 51 percent from pretest levels, also put it sixth out of seven. CyberGhost's drop of 56 percent brought up the rear; PIA, with a drop of only 7 percent, again led the pack.

Like most of the services I tested, TunnelBear didn't have a local connection server in Azerbaijan. I had to use Romania-based servers 1,500 miles away, but connected easily.

Over many gigabytes of downloads on three continents, TunnelBear was moderately dependable, requiring only three reconnections overall. It maintained a 12-hour continuous connection without error and streamed music and videos to my phone and iPad without trouble. I was able to keep three devices connected at once.

Setup and Customer Support

I created an account on the TunnelBear website by entering a valid email address and a password. TunnelBear sent me an email message so I could verify that I was for real. (If you're worried about privacy, use a burner email address.) Next, I downloaded and ran the service's 65MB installer program.

I then paid for the service and chose a home-base location. A final email confirmation meant I was ready to go, and the service connected on the second try. From start to successful connection, it took me about 4 and a half minutes to set up TunnelBear. The free-service process is roughly the same, minus the payment steps.

TunnelBear offers good online support, but only its mobile apps have direct links to tech-support web pages. Online explainers answer most of the basic and advanced questions. All personal tech support is via email; the cartoon bear on the support web pages has a headset on, but he's not taking your calls.

Bottom Line

If you can put up with annoying sound effects and overly cute animation, TunnelBear will serve as a reliable VPN service with reasonable geographic range. It's moderately priced, has user-friendly software and offers decent network performance. Plus, TunnelBear has a free service, doesn't keep usage logs, uses solid encryption techniques and lets you pay in cash.

TunnelBear does make you use an email address, which could, in theory, be traced back to you. Unlike other VPN services, you must use TunnelBear's client software. The McAfee acquisition means that TunnelBear is now owned by a U.S. company.

As long as you're buying American, we instead recommend Private Internet Access, which is faster, cheaper and lets you use a much wider variety of software and protocols. If you prefer an all-Canadian service, we recommend Windscribe.


Client software platforms: Windows, Mac, Android, iOS, Chrome, Firefox and Opera extensions
Supported protocols:
OpenVPN, IKEv2/IPSec
No. of servers:
About 1,500
No. of countries:
About 20
Country of registration:
Canada, but under U.S. ownership
Payment options:
Credit card, PayPal, Bitcoin, Apple App Store, Google Play Store, cash
Real name necessary?
Encryption protocol:
Data usage:
Bandwidth usage:
Max. no. of simultaneously connected devices:
Customer support:
Privacy policy:
No logging

Credit: Tom's Guide

Create a new thread in the Antivirus / Security / Privacy forum about this subject
This thread is closed for comments
No comments yet
Comment from the forums
    Your comment