What are your available SSH ports?

We have tried our best to allow multiple points of access for SSH tunneling. You may use any of the following ports to connect to SSH:

Port 21
Port 22
Port 23
Port 25
Port 53
Port 80
Port 443
Port 524
Port 5555
Port 8888

If you require another port to be accessible via SSH, please do not hesitate to contact us.

Back to the top

What are your available OpenVPN ports?

We have tried our best to allow multiple points of access for OpenVPN tunneling. You may use any of the following ports to connect via OpenVPN:

Port 53 (UDP)
Port 80 (UDP)
Port 110 (TCP/UDP)
Port 143 (TCP/UDP)
Port 443 (UDP)
Port 465 (TCP/UDP)
Port 993 (TCP/UDP)
Port 995 (TCP/UDP)
Port 1194 (TCP/UDP)
Port 8181 (TCP/UDP)

If you require another port to be accessible via OpenVPN, please do not hesitate to contact us.

Back to the top

How many total connections can I have active at once?

A single account can have up to five simultaneous connections (total).

If you need this limit to be raised, please do not hesitate to contact us.

Back to the top

IP Addressing

All clients on each Tunnelr node share the same IP. Due to the price that we are able to offer our tunnel service for, it would be incredibly difficult for us to pay the server costs and offer dedicated IPs for each connection. This does not mean that you share any sort of information - it just means that you, and ten other people have the same public IP address.

It is also important to note, that to most users, this will not make any difference. This only applies if you plan to run accessible services on your own personal machine while tunneling via OpenVPN, PPTP or L2TP.

It's perfectly safe to be on the same shared IP. However, you are not actually "using" the shared IP - it is just an "exit" interface on our server. Your computer actually gets assigned a local /30 from a 10.x.x.x network for the tunnel endpoints (this includes a gateway ip, broadcast and one usable ip) and we specifically disallow communication between the separate /30's.

Think of it as if you are on your own small segregated LAN - the only local IP's that you are able to communicate with are yourself and the server endpoint (us). To some extent it is possibly even safer to be on a shared IP, as it is very difficult to pinpoint 'actions' to a certain user and requires quite a bit of work. Whereas with a static IP, it is a very simple association: 'this IP did something bad; our configs point to this account'.

If you have any additional questions or comments, please feel free to contact us at support@tunnelr.com

Back to the top

What are the differences between SSH/OpenVPN/PPTP/L2TP/SOCKS?

We've outlined the primary differences below. In a nutshell however, if you want to tunnel only certain applications like web or mail, SSH tunnels may be enough for you. If the idea is maximum security, we'd recommend using OpenVPN or L2TP/IPSEC.

SSH Tunnel:

- Creates a connection to our servers through a terminal program (ie: PuTTY, OSX terminal).
- Applications must be configured to route traffic through the tunnel for encryption to take place.
- Ideal for tunneling only certain traffic (like using a webbrowser at work to access blocked content)
- Data is encrypted

OpenVPN Tunnel:

- Uses an OpenVPN client to connect to our servers
- All native software on your machine will use the secure VPN connection. No need to configure software individually.
- Can be cumbersome to setup initially.
- Freeware OpenVPN clients, especially for Windows, leave a lot to be desired. We recommend downloading and installing Viscosity if you are going to be connecting with OpenVPN often (it will make things much easier!)
- Data is encrypted using public/private key encryption

L2TP/IPSEC Tunnel:

- Windows and OSX both support it natively, meaning no additional clients or software is needed
- Easy to setup
- All data is encrypted by IPSec
- Has widespread support on mobile devices like iPhones and Android devices

PPTP Tunnel:

- Easiest to setup, only requires a username, password and the server you wish to connect to
- Data is encrypted, but the encryption can be broken
- Has widespread support on mobile devices like iPhones and Android devices

SOCKS Tunnel:
- No data is encrypted
- Fast
- Great for just getting around country restrictions (Hulu, YouTube, BBC) and viewing content
- Requires a username and password to authenticate (authentication may not be supported in some applications)

Back to the top

What are your current locations?

Your client portal is always kept up-to-date with the latest Tunnelr locations. We recommend using the dropdown on your dashboard page to find a location closest to you!

This list updates frequently.

Current nodes as of writing this, 05/2014:

nyc.tunnelr.com - New York - NY, United States
mclean.tunnelr.com - Mclean- VA, United States
newark.tunnelr.com - Newark - NJ, United States
dallas.tunnelr.com - Dallas - TX, United States
seattle.tunnelr.com - Seattle - WA, United States
la.tunnelr.com - Los Angeles - CA, United States
fremont.tunnelr.com - Fremont - CA, United States
london.tunnelr.com - London - England, UK
maidenhead.tunnelr.com - Maidenhead - England, UK
zurich.tunnelr.com - Zurich - Switzerland
falkenstein.tunnelr.com - Falkenstein - Germany
groningen.tunnelr.com - Groningen - Netherlands
stockholm.tunnelr.com - Stockholm - Sweden
paris.tunnelr.com - Paris - France
madrid.tunnelr.com - Madrid - Spain

Back to the top

What are DNS leaks and how can I prevent them?

A DNS leak occurs when your computer runs a DNS query outside of an established VPN tunnel.

For OpenVPN users:
Tunnelr runs a local DNS recursor on every exit node. While our OpenVPN server configurations are set to push the DNS settings to you via the config, it is nevertheless possible that your computer will not honor this setting and continue using the DNS servers assigned via DHCP by your ISP/router/etc.Please verify that you are using the (TCP) or (UDP) resolver when connected to one of our nodes, to ensure that you are not leaking DNS requests outside of the tunnel.

For OpenSSH users:
Due to the nature of SOCKS support - the support for eliminating DNS leaks varies from application to application and you will have to do some additional research to see whether your program supports making DNS requests via the SOCKS proxy
For example: to enable SOCKS based DNS requests in Firefox and Thunderbird, you can open the 'about:config' settings page and adjust the 'network.proxy.socks_remote_dns' setting to 'true'.

Verify that you are using as the resolver when connected to the VPN.

Verify that you are using as the resolver when connected to the VPN.

For ProxyCap:
Verify that you have selected the "Resolve names remotely" checkbox in the rule configuration panel.

Back to the top

Do you support TCP or UDP for OpenVPN?

The OpenVPN configuration you download via our portal is preconfigured to tunnel via UDP, however there are some cases where you may need to tunnel via TCP. If so - no worries - we run OpenVPN in both TCP and UDP mode.

Open up the OpenVPN config in your favorite editor and change the 'proto udp' line to 'proto tcp'. If you are using a client such as Viscosity - go to Preferences, select the connection, click edit and change the "Method Protocol: " from UDP to TCP; click 'Save' and you're done!

Back to the top

What are the recommended OpenVPN clients?

OpenVPN is unique in the fact that it requires additional software to be installed on your machine to facilitate a connection.

Configuring OpenVPN clients can be a bit tricky, and we've helped hundreds of users get started. If you are having difficulty, open a support ticket and we'll be able to help.


OpenVPN.net client
Pros: Free
Cons: Clunky interface, often buggy, doesn't handle disconnections well.

Direct download links: 3.2.2 32bit / 3.2.2 64bit
Older client: http://srv1.tunnelr.com/downloads/openvpn-client-1...

Viscosity by SparkLabs
Pros: Excellent user experience, clean interface, strong logging, lots of features
Cons: Is not freeware

Download link: here


Pros: Free, works well
Cons: Not as polished as commercial products

Download link: here

Viscosity by SparkLabs
Pros: Excellent user experience, clean interface, strong logging, lots of features
Cons: Is not freeware

Download link: here

Back to the top

How do I switch Tunnelr locations?

Unlike with older versions of the Tunnelr service - you do not need to do anything special to utilize a different exit node.

If you know the hostname of the VPN node (such as 'nyc.tunnelr.com' or 'paris.tunnelr.com'), simply update your VPN configuration to point to the new hostname and you should be set.

You can view a complete list of all VPN nodes by visiting the status page within the portal.

Back to the top

Where can I download PuTTY?

Please visit: http://www.chiark.greenend.org.uk/~sgtatham/putty/...

Or download it directly by following this link: http://the.earth.li/~sgtatham/putty/latest/x86/put..

Back to the top

What are the SSH public keys?

1024 8c:af:03:50:30:eb:ef:60:99:04:f9:32:b6:94:9a:f6 (DSA)
2048 40:3f:c0:1e:de:b7:97:e4:9b:21:74:0b:f0:15:62:f7 (RSA)
2048 94:23:bf:33:76:a9:3d:3e:d4:ed:85:76:ab:72:39:e5 (RSA1)

1024 33:d0:6a:7f:c6:bf:c2:4e:49:2c:ff:3c:bc:2d:a0:94 (DSA)
2048 3f:f5:8f:24:c8:92:f9:a1:13:ec:3d:81:48:d1:47:24 (RSA)
2048 20:4a:ff:ff:92:cb:19:87:ed:b9:22:17:ce:65:a0:28 (RSA1)

1024 f1:20:02:bf:79:22:af:66:c0:15:21:2d:90:1b:45:15 (DSA)
2048 ba:f8:d4:09:d3:2d:3a:21:35:da:1f:e3:60:b6:01:81 (RSA)
2048 5d:b1:40:bd:02:ce:86:4c:53:9a:1a:25:96:66:1f:9e (RSA1)

1024 7c:92:67:b5:50:7c:0e:81:41:e9:f2:14:21:77:6a:e9 (DSA)
2048 a5:56:3e:cd:ec:94:b4:ea:c9:22:49:86:c7:7c:8e:59 (RSA)
2048 18:c9:8e:ef:ba:7c:a4:94:d6:ba:4b:57:0d:83:64:04 (RSA1)

1024 f6:c9:1d:9e:9d:25:4c:12:a0:a4:f5:31:2d:81:57:b6 (DSA)
2048 4b:40:a0:8a:62:08:45:6a:18:88:59:75:a4:2e:36:f7 (RSA)
2048 86:ae:12:bc:c9:ef:b2:8b:4c:2d:e1:ac:83:22:0f:39 (RSA1)

1024 09:45:b1:2e:89:37:da:6d:46:77:33:f8:40:8e:ca:5e (DSA)
2048 37:4f:67:f5:d5:0d:68:8f:27:fd:ed:93:17:29:03:64 (RSA)
2048 5b:cc:b1:64:47:e4:9f:c1:50:20:36:a8:b5:aa:e0:39 (RSA1)

1024 2d:d5:0d:83:39:29:fd:5d:72:d7:29:9b:00:a7:8d:ae (DSA)
2048 42:6f:95:52:7a:b8:78:f6:50:ff:18:7c:c8:0b:7c:43 (RSA)
2048 c0:77:37:a8:58:5c:e6:96:92:ad:32:35:75:f8:08:b4 (RSA1)

1024 f4:6a:87:e7:ea:36:36:ae:ec:bb:89:d7:97:a6:53:56 (DSA)
2048 10:0a:17:a2:59:17:21:14:df:18:ac:8f:42:22:02:9a (RSA)
2048 95:7e:52:78:4a:4e:28:79:6e:e1:c0:f7:04:32:c2:5b (RSA1)

1024 40:d5:ca:ff:12:90:ae:ec:3a:4f:92:cc:be:cd:0a:5a (DSA)
2048 50:5e:e9:26:88:cf:4b:42:48:6d:e9:5b:26:33:80:12 (RSA)
2048 2e:b3:b4:63:bf:96:ec:b4:7a:95:4e:fd:e0:1a:05:74 (RSA1)

1024 7d:19:ed:33:e4:0f:6d:72:68:4a:90:c6:57:a0:6e:21 (DSA)
2048 b0:7c:74:01:86:c3:d1:df:89:f2:90:37:4a:a7:ee:2e (RSA)
2048 ee:7a:f6:d5:3d:2f:23:da:c9:da:00:19:8c:3e:34:84 (RSA1)

1024 2d:03:6d:30:d3:5a:27:f8:82:46:02:aa:2c:b4:20:cb (DSA)
2048 ca:e7:5b:16:bb:62:cc:b4:ab:ec:9d:1f:d1:ad:8f:8e (RSA)
2048 e3:d9:f4:e8:7f:6b:bf:28:84:f0:c4:04:a0:61:21:c2 (RSA1)

1024 89:a5:4e:f3:b0:d5:85:56:95:23:7f:e7:2f:b6:7a:d6 (DSA)
2048 df:d2:48:51:cd:49:c5:b7:aa:05:a3:d7:1f:90:fd:26 (RSA)
2048 a3:28:df:e5:4e:e5:e6:cf:a9:9a:9e:4f:13:c1:3f:20 (RSA1)

1024 80:4d:7c:f2:49:cc:ad:2e:12:f2:84:cc:5d:63:42:90 (DSA)
2048 d7:17:37:96:4a:6a:41:b7:dd:12:b1:df:69:fc:34:cd (RSA)
2048 b3:4a:bb:4e:06:4c:97:7e:bf:f3:87:38:92:4d:a8:11 (RSA1)

1024 9c:2b:57:fd:2f:76:7c:1f:f5:6f:fb:d7:3b:cb:4f:f9 (DSA)
2048 95:23:16:3f:76:60:33:4f:45:3f:ba:8f:cb:ae:f1:05 (RSA)
2048 7a:d9:49:ed:4b:6b:42:11:3a:86:8f:ca:b1:61:3b:6d (RSA1)

1024 d5:42:c8:fd:a2:fc:ee:d5:79:fc:63:c6:91:25:4a:bb (DSA)
2048 33:e5:86:a3:ae:9d:c8:bf:ee:c3:21:64:08:ed:78:37 (RSA)
2048 fd:77:08:47:bf:17:c3:94:f6:b0:ce:e2:14:4a:67:5f (RSA1)

Back to the top

What are the DNS resolver IPs?

While our servers are configured to send you the appropriate DNS server during the connection negotiation, there are cases where you may have to set the resolver manually. If so, please use the following list:

OpenVPN (TCP) -
OpenVPN (UDP) -

Note that for OpenSSH tunneling, you need to ensure that the application itself is configured to send DNS requests over the tunnel. For example, in order for Firefox to perform DNS requests over the SOCKS proxy, you must set network.proxy.socks_remote_dns to true.

Back to the top

What encryption algorithms do you support?

L2TP is configured to support aes-256, aes-128 and 3des (in that order) for encryption and sha1 for hashing.

OpenVPN uses blowfish, 2048 bit x509 keys and sha1 for message digest.

Our OpenSSH daemons are configured to accept aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-gcm@openssh.com,aes256-gcm@openssh.com, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour. Note that the client's configuration determines which cipher suite will be used.

PPTP is configured to only allow mschap-v2 and mppe-128 (highest possible).

Back to the top

Supported Key Exchange Algorithms and MACs

All of the nodes support the following list of key exchange algorithms (kex) and MACs for OpenSSH:

  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • curve25519-sha256@libssh.org
  • gss-gex-sha1-
  • gss-group1-sha1-
  • gss-group14-sha1-


  • hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
  • umac-64-etm@openssh.com,umac-128-etm@openssh.com,
  • hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
  • hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
  • hmac-md5-96-etm@openssh.com,
  • hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
  • hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
  • hmac-sha1-96,hmac-md5-96

Back to the top

Known issues with MMS on Android while connected to VPN

A known, reported (and unfixed) issue exists in most recent versions of Android (up to Nougat, 7.x) that prevents folks from receiving MMS messages while connected to VPN.

The report can be found here: https://issuetracker.google.com/issues/37074617

Unfortunately there does not seem to be any good workarounds at this time.

Thanks goes out to our customer for bringing the issue up.

Back to the top