How can I obtain a license for HomeTunnel?
You basically have two choices:
- You buy a TP-Link TL-MR3020 or TL-WR902AC from anywhere and install our software. In this case,
you will have a free trial period of 31 days.
- You find a shop that sells you a device with the software already installed. The shop
can sell you a license period of its own choice, but it is at least as long as the normal period of 31 days.
Here are the links for our current hardware distributors:
After having decided that you want to continue using your HomeTunnel VPN, you can
prolong the license from your HomeTunnel admin panel.
Once you have registered, you will see the license status in your HomeTunnel settings panel:
Depending on the remaining license time and proxy data volume, you will be presented with a product choice:
The image above is only a symbolic representation; our actual product portfolio with
prolongation time, proxy data volume and price is:
|Product|Prolongation time (years)|Proxy data volume (GByte)|Price|
|---|---|---|---|
|HomeTunnel VPN service 1 year (120 GByte)|1|120|29.90 €/$|
|HomeTunnel VPN service 2 years (240 GByte)|2|240|39.90 €/$|
|HomeTunnel VPN service 3 years (360 GByte)|3|360|49.90 €/$|
|HomeTunnel VPN service 5 years (600 GByte)|5|600|59.90 €/$|
|HomeTunnel VPN Data Package 500 GByte|0|500|9.90 €/$|
Pick your preferred product from the proposed list.
Then, you can order via our reseller, Digital River:
The license will automatically be added after your payment has been received.
Why do I need HomeTunnel?
If you have a need to access your home network from outside, you will probably
face the problem that your router does not meet all of the requirements
for a VPN:
- Your router must be locatable from the internet, so you need either a fixed IP address or dynamic DNS.
You will likely not have a fixed IP given that they are scarce these days and the
choice of dynamic DNS providers is very limited in most routers - plus, most of these services are not free.
- You will want to use encryption for your VPN. Older mechanisms like
PPTP are not regarded as secure any more and IPSEC as the de-facto standard
is a pain to configure. On the other hand, OpenVPN as an emerging tool is very rarely
implemented. Many SOHO routers have none of these VPN mechanisms at all (like all Speedport variants).
IPv6 might seem like a nice alternative to NAT with IPv4, but it is not widely
Also, your specific router (like the Fritz!Box) probably offers many other nice features like
integrated VoIP or embedded media services, so you will not want to give it up
for another router that - say - does offer OpenVPN.
So why not choose a dedicated VPN appliance? And to take it further: Why not
one that integrates dynamic DNS and which makes configuration as easy as 1-2-3?
You see what this boils down to: HomeTunnel is the solution for you.
What is the difference between "Direct" and "Proxy" mode?
By using the preferable "Direct" OpenVPN profile, your client(s) will connect to your router
directly without any intermediate relay. You can see this because the profile
uses a target address like "MAC.wan.hometunnel.net", where MAC is your HomeTunnel box's MAC.
A direct connection is only possible when a UDP port can be
forwarded from your router to the HomeTunnel box.
The appliance will try to enable this automatically if your router supports UPNP. As
an alternative, you can use the firewall settings of your router in order to
forward UDP port 1194 to the IP address of your HomeTunnel box.
If the port cannot be forwarded, the "Proxy" profile must be used. In this case,
your client uses the other OpenVPN profile to connect to one of our proxy servers
(the VPN connection target is "proxy.hometunnel.net").
Your HomeTunnel box has already connected to that proxy server beforehand via an outgoing
connection (those are allowed by most SOHO routers).
You can imagine these modes like in this picture:
Both modes are equally secure, since the VPN data is encrypted anyway, but "Direct" mode
is faster and should therefore be preferred.
Also, proxy mode has a limit on the available data volume. After your remaining proxy data volume has been used up,
proxy mode will stop working until you refill it by buying some additional data volume.
I want to access another network (e.g. friend/family). How can I do that?
Bear in mind that you may only use our solution for lawful purposes and must respect the privacy
of others. Many companies have rules that strictly forbid the use of any third-party device in
their networks. As a matter of fact, that is also part of our service terms.
So, if you want to access a network that is not yours, be sure to get prior consent.
Anyway, to actually do it is quite easy: Just get a second HomeTunnel box and set it up
in your home network. If you want to administrate this device from your existing account,
go to the HomeTunnel box inventory view and use the "Register new device" button
to add the device to your inventory. You need to enter the MAC (which is printed on the device)
for that. You can also unclaim a device by removing it from your account's inventory.
If you want to assign the device to a new user account, proceed as normal and register
the account together with the new (or unclaimed) device.
The device will never be bound to your home network. Technically, you can use it in any
network - provided that you are allowed to do so. Ensuring that is strictly your
What is the difference between https://hometunnel.net and http://hometunnel?
https://hometunnel.net refers to the HomeTunnel cloud interface, which is operated by us. You can prolong your license and
trigger the generation of new credentials there.
http://hometunnel refers to your local
HomeTunnel box interface, where you can download the VPN credentials.
I re-provisioned my client(s) with new credentials, but the VPN does not work any more. Why?
That part can be tricky, depending on your OpenVPN client software. You
probably did not delete the old profiles first. In that case, it is difficult to distinguish
the old and new versions of the OpenVPN profiles.
We therefore recommend deleting all deprecated profiles before importing the new ones.
What are the limitations of HomeTunnel?
HomeTunnel creates a VPN tunnel between your mobile device and your HomeTunnel box. This
has some implications:
- IP address collisions: To build a VPN tunnel, one uses a so-called transfer network with IP addresses in the range of 10.88.0.0/24 in proxy mode
or 10.89.0.0/24 in direct mode. So, there may be an address collision in either of the two networks that your tunnel
endpoints use (i.e. your mobile device and your HomeTunnel box).
Since these address ranges are rarely used in SOHO networks, the collision would occur more likely
on the client end. But, even if there really is a collision because you try to reach your home network from
within a company network, it would probably not have worked or be legal anyway because most company networks
have firewalls that block VPN traffic.
- Routed IP traffic: The second limitation is that all of that VPN traffic has to be "routed".
That term means that not all of the ethernet packets that can be seen on your home network will
actually be forwarded via the VPN. Any network protocol that relies on so-called "broadcasts"
will not pass through the VPN.
One example of this is Apple's Bonjour technology - which in turn means that Airprint cannot be used.
- NAT problems: Another limitation is that because the IP traffic from the transfer network has to be translated, services
on the clients cannot be accessed by devices in your home network. The VPN tunnel is much like
a one-way street: Connections can only be initiated by the client device, since its IP address 10.x.y.z
cannot be addressed by your other network devices. The client device's requests are translated (via a mechanism
called Network Address Translation, or NAT for short) and in effect, the sender IP appears to be that of the HomeTunnel box.
Answers to such requests are then NATed back, but only if the original request was initiated by
the client device in the first place.
- Connection speed: This may seem like no biggie, but it can be a showstopper for some
data-intensive applications. Also, your data volume may be limited.
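A quick way to check for the address collisions described above, as an added example (not part of the HomeTunnel software): it tests the connected IPv4 subnets of both tunnel endpoints against the two transfer networks named in this FAQ. The function names and the sample subnets are assumptions made for illustration.

```python
import ipaddress

# Transfer networks as stated in this FAQ.
TRANSFER_NETS = {
    "proxy": ipaddress.ip_network("10.88.0.0/24"),
    "direct": ipaddress.ip_network("10.89.0.0/24"),
}


def _as_network(cidr):
    # strict=False also accepts interface notation such as "10.89.0.17/24".
    return ipaddress.ip_network(cidr, strict=False)


def find_collisions(client_side, home_side):
    """Return {mode: [(side, subnet), ...]} for every overlap with a transfer network.

    Pass only directly connected subnets (what the interface itself is
    configured with), not default routes: 0.0.0.0/0 overlaps everything.
    """
    collisions = {mode: [] for mode in TRANSFER_NETS}
    for side, cidrs in (("client", client_side), ("home", home_side)):
        for cidr in cidrs:
            net = _as_network(cidr)
            if net.version != 4:
                continue  # the transfer networks are IPv4 only
            for mode, transfer in TRANSFER_NETS.items():
                # overlaps() also catches supernets, e.g. a corporate 10.0.0.0/8
                if net.overlaps(transfer):
                    collisions[mode].append((side, str(net)))
    return collisions


def modes_without_collision(client_side, home_side):
    """Names of the modes whose transfer network overlaps neither endpoint."""
    hits = find_collisions(client_side, home_side)
    return sorted(mode for mode, found in hits.items() if not found)


if __name__ == "__main__":
    # Constructed sample: client on a network that uses all of 10.0.0.0/8,
    # home network on a typical 192.168.x.0/24 range.
    print(find_collisions(["10.0.0.0/8"], ["192.168.178.0/24"]))
    print(modes_without_collision(["10.88.0.23/24"], ["192.168.178.0/24"]))
```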
There is a limited "proxy" data volume. What gives?
First, bear in mind that an active VPN tunnel creates data traffic. This is true even if there
is no actual user data being transferred, because the tunnel has to be kept open.
Thus, when you use your VPN tunnel (regardless of whether in proxy or direct mode),
you will use some of your mobile data volume.
So: always remember to close your VPN connection after you
have finished using it, especially if your ISP has set a traffic limit!
If you only use direct mode, you can stop reading here.
For proxy mode, HomeTunnel has a limit on the use of data volume of roughly the equivalent
of 10 GByte per month. Probably, this will not be an additional limitation for you at all,
e.g. if your mobile provider already imposes a similar limit for your smartphone.
As a matter of fact, purchasing a HomeTunnel license for a specific
period buys you a corresponding proxy data volume which is added to the device.
Each time you use your VPN tunnel in proxy mode, the remaining data volume is
reduced by your traffic consumption. After the data volume has been used up, proxy mode will
stop working (direct mode is unaffected). You can check your remaining
proxy data volume in the HomeTunnel settings.
We consider this necessary in order to ensure a fair-use policy for all users.
If you have extremely data-intense applications (like video
streaming or large backups) and need more data volume, you have two options:
- Set up your home network to support using direct mode - in direct mode, the remaining
proxy data volume is never reduced, since our cloud servers do not see your traffic.
- Buy additional proxy data volume via the HomeTunnel settings.
The first option is preferable anyway, because your data will take the direct route
between your mobile device and your home network. Besides conserving your proxy data volume,
this will also be significantly faster.
Why is it that I cannot stream videos over VPN?
This is most probably limited by your internet connection, not by the VPN.
First, you should know that video streaming uses a lot of bandwidth:
|Video type||Typical Bandwidth needed for MPEG-4|
The bandwidth needed is also determined by other factors, like compression method used, frame rate and complexity
of the audio and video material. Most Linux set-top-boxes employ MPEG-2 video compression, which uses
much more bandwidth than modern MPEG-4 codecs. Unless you have at least 10 MBit/s bandwidth,
do not expect to be able to stream even SD videos from such devices.
Many broadband connections have asymmetrical speeds, such as 50 MBit/s downstream and 10 MBit/s
upstream. This may not be limiting at your home network, where you can watch internet videos (in
downstream direction), but it can be a bottleneck when you try to get your data out upstream from your home network.
In the latter case, your upstream speed poses an upper limit. Actual bandwidth may
be even more limited, depending on the route your data traffic takes on its way to your client.
You should try to use direct mode, because your data will then take the direct route
between your mobile device and your home network. Besides conserving your proxy data volume,
this will also be significantly faster.
Is this really secure?
The HomeTunnel VPN credentials are created on your HomeTunnel box, transmitted over your
home network only and stored on your mobile device(s).
They are never seen or intercepted by our cloud systems in cleartext.
You should follow the instructions on how to protect your credentials.
If you do, nobody but you
(that excludes us, too) has access to the credentials that are used
to encrypt the data that flows between your mobile device(s) and your HomeTunnel box.
Also, this is very different from other VPN types that are used to protect your privacy on the internet: With those,
you must trust your VPN provider not to spy on the clear-text traffic that enters or leaves
its systems. With HomeTunnel, only encrypted traffic passes our systems - if at all.
We (HomeTunnel GmbH) could not even access your home network if authorities
asked us to do so, despite the fact that (encrypted) VPN traffic may pass our cloud systems on its way
(that happens only in proxy mode).
The credentials will not leave your realm unless you decide otherwise.
The OpenVPN software that is being used for encryption is Open-Source, which means it can
be inspected for hidden backdoors and bugs by specialists all over the world.
The same is true for the HomeTunnel box firmware which creates the credentials. These facts make it very
unlikely that something is hidden within our solution.
Granted, any complex software can contain bugs (this is the reason why
we accept no liability) - but: the worst-case scenario would be that a
hacker gains access to your HomeTunnel box. From there, he could only access unprotected resources on your home
That being said, ask yourself a few questions:
- Are you even sure that nobody has access to your realm (= home network) already?
- For example: Do your or your kid's friends know your WiFi password?
- Is your WiFi protected at all by a strong mechanism (i.e. WPA or WPA2 and not WEP)?
- Are all resources on your home network password-protected?
- Do you, by any chance, use powerline ethernet (HomePlug)? Did you change its default password?
- How many appliances do you use in your home network (think of webcams, networked printers,
NAS boxes, set-top-boxes, routers and the like) of which you cannot even theoretically inspect the software because it is closed-source?
- You did change the default password of your HomeTunnel box, didn't you?
How should I handle my VPN credentials?
Credentials should be handled like a key: Never give them to anybody you do not trust,
not even for a short while - as they might be copied and used without your knowledge.
Applied to computers, that means that your VPN credentials
should always stay in your realm, i.e. stored on your mobile device(s) and not escape from your
network. They should not be transferred unprotected, e.g. via unencrypted e-mail, although that might seem handy.
Instead, download them directly from the local admin interface of your HomeTunnel box.
You can request recreation of the credentials if you are suspicious that they may have been
compromised, e.g. when your smartphone is stolen.
Also, remember to protect your HomeTunnel box by changing the
How can I create new credentials in case they have been compromised?
Log in to the HomeTunnel cloud interface and look into the details section of your HomeTunnel box.
There is a button where you can reset all of your credentials. Afterwards, you must restart your HomeTunnel box -
either via hardware reset or via the firmware menu on your local HomeTunnel box interface. Once the
box is online again, it will generate new credentials that you can import to your VPN clients.
Make sure you first delete the old credentials from your client apps in order to not get confused.
What is the default password for the HomeTunnel box?
The default password is "hometunnel" (username is "root").
I forgot my password. What now?
As for the HomeTunnel cloud interface, this is fairly easy: Just try to sign in
and then click on the "forgot password" link in the form, then follow the instructions.
For the HomeTunnel box, you can press the WPS button on the top for 5 seconds -
but no longer.
After that procedure, the root password should have been reset to the default value of "hometunnel".
Log in to your HomeTunnel box and change that password now!
We detected a network attack from your servers. Are you mad?
- Check your data. While it may be true that an IP connection exists between your network
and our servers, it has been initiated by a device situated in your
The connection in question is probably an outgoing connection from a HomeTunnel box.
Most likely, one of your employees wanted to work from home and has connected a HomeTunnel box
to your network for this purpose - possibly in violation of your company security policy.
Thus, it is not us, but your employee breaking your security.
Go and find the device and disconnect it from your network.
Before you ask: We will not tell which of our customers is the owner of the device
without legal obligation to do so.
Had you taken the appropriate security measures in your network, this would never
have been possible in the first place. Obviously, your firewall blocks only incoming connections.
From a security perspective, there is no difference between an incoming and an outgoing
bi-directional IP connection. You have chosen to ignore this fact and thereby enabled a
mechanism otherwise known as firewall piercing.
Measures you can take to prevent that from happening again:
- Do not accept unknown devices in your company network (i.e. implement IEEE 802.1X).
- Have your firewall block unauthorized outgoing connections to the internet.
- Do not let network devices request port forwarding via UPnP.
- You can also block our cloud servers in your firewall - but anybody with physical access to your
network being able to initiate outgoing IP connections could pierce your firewall using any other
endpoint on the internet. If you seriously consider this approach, you should block the whole
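For network owners who want to locate such a device, the following added example (not HomeTunnel code) searches DNS, flow and UPnP logs for the names and the port mentioned in this FAQ and groups the findings by internal source address. The key=value log format, the field names and the bare 12-digit form of the <MAC> label are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Parent domain of proxy.hometunnel.net and the <MAC>.wan / <MAC>.lan names.
SUFFIX = "hometunnel.net"
# Assumption: the <MAC> label is the 12 hex digits written without separators.
MAC_LABEL = re.compile(r"[0-9a-f]{12}")

# Constructed sample in a made-up key=value format. Addresses are private or
# documentation ranges, the MAC is invented, and the flow ports are arbitrary
# (the FAQ does not say which port the box uses for its outgoing connection).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z type=dns src=10.20.3.44 qname=proxy.hometunnel.net answer=203.0.113.10
2024-05-01T09:12:04Z type=flow src=10.20.3.44 dst=203.0.113.10 proto=tcp dport=443
2024-05-01T09:13:00Z type=upnp src=10.20.3.44 action=AddPortMapping proto=udp ext_port=1194
2024-05-01T09:14:10Z type=dns src=10.20.7.9 qname=nothometunnel.net answer=198.51.100.7
2024-05-01T09:14:11Z type=flow src=10.20.7.9 dst=198.51.100.7 proto=tcp dport=443
2024-05-01T09:15:30Z type=dns src=10.20.5.2 qname=A1B2C3D4E5F6.lan.hometunnel.net. answer=10.20.3.44
2024-05-01T09:16:00Z type=dns src=10.20.8.8 qname=hometunnel.net.example.org answer=198.51.100.9
this line is malformed
"""


def parse_line(line):
    """Return the key=value fields of one log line, or None if unusable."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
    return fields if "type" in fields and "src" in fields else None


def hometunnel_name(qname):
    """Normalise qname; return it only for hometunnel.net or a true subdomain."""
    name = qname.rstrip(".").lower()
    return name if name == SUFFIX or name.endswith("." + SUFFIX) else None


def find_hometunnel_activity(log_text):
    """Return {internal source IP: sorted list of findings}."""
    events = [f for f in map(parse_line, log_text.splitlines()) if f]
    findings, resolved_ips = defaultdict(set), set()
    # Pass 1: DNS lookups under hometunnel.net and UPnP requests for UDP 1194.
    for f in events:
        if f["type"] == "dns":
            name = hometunnel_name(f.get("qname", ""))
            if not name:
                continue
            findings[f["src"]].add("dns:" + name)
            labels, answer = name.split("."), f.get("answer")
            if len(labels) == 4 and MAC_LABEL.fullmatch(labels[0]):
                # The MAC helps to find the box via switch or DHCP tables.
                findings[f["src"]].add("box-mac:" + labels[0])
                if labels[1] == "lan" and answer:
                    # Per the FAQ this name resolves to the box's LAN IP.
                    findings[f["src"]].add("box-lan-ip:" + answer)
                    continue
            if answer:
                resolved_ips.add(answer)
        elif (f["type"] == "upnp" and f.get("action") == "AddPortMapping"
              and f.get("proto", "").lower() == "udp"
              and f.get("ext_port") == "1194"):
            findings[f["src"]].add("upnp:udp/1194")
    # Pass 2: flows to any address that was returned for a hometunnel.net name,
    # whatever the port, so the result does not depend on the lookup order.
    for f in events:
        if f["type"] == "flow" and f.get("dst") in resolved_ips:
            findings[f["src"]].add("flow:" + f["dst"])
    return {src: sorted(items) for src, items in findings.items()}


if __name__ == "__main__":
    for src, items in find_hometunnel_activity(SAMPLE_LOG).items():
        print(src, items)
```

A UDP 1194 mapping request on its own only indicates some OpenVPN endpoint; it becomes a HomeTunnel finding when the same source also looks up a hometunnel.net name.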
How can I find the MAC of my HomeTunnel Box?
On the side of your HomeTunnel box, there is a printed label like this:
There, you can find the MAC address in the upper right corner.
It consists of 12 hexadecimal digits and identifies your HomeTunnel box uniquely.
How can I connect to the TP-Link device in order to flash the HomeTunnel firmware?
You can connect your PC directly via the supplied ethernet cable.
Disconnect both your PC and the TP-Link device from your ethernet LAN first.
Over wireless LAN
On the side of your HomeTunnel box, there is a printed label like this:
The default settings are needed to access the firmware flashing menu
on an OEM box that still has the original TP-Link software.
After your TP-Link device has been upgraded with the HomeTunnel firmware, the following
will no longer apply:
- SSID: This is the manufacturer-supplied wireless LAN name. You can connect to this
wireless LAN in order to put the HomeTunnel firmware on it.
- KEY: This is the password you must enter to connect to the wireless LAN of the device.
Applying to both
- IP: This is the IP address of the device. You must enter it in your browser to access the
firmware flashing menu.
- Username/Password: To access the device, you must enter these in the login form
of the device.
The IP, Username and Password are the same for wireless and Ethernet access, namely
, "admin" and "admin".
How can I flash the HomeTunnel firmware to a TP-Link TL-MR3020 v3?
DISCLAIMER: Support for this device type is EXPERIMENTAL.
For example: we disabled the wireless drivers until further notice.
Also, since TFTP recovery is a rather complicated and error-prone process, we recommend getting a ready-made HomeTunnel appliance
from one of our distributors.
Recently, TP-Link has introduced a new hardware variant of the TL-MR3020, namely the v3.
The device is based on a Mediatek MT7628NN chipset instead of the old AR9331. This has both pros and cons:
- The device has more RAM and flash memory
- There are no more problems with certain USB devices like with the TL-MR3020 v1
- The WiFi support from the open source driver is flaky
- The device can be updated via the user interface with firmware images signed by TP-Link only
While most of these points are not relevant for use as a HomeTunnel box, the last one is:
It means the TP-Link MR3020 v3 cannot be flashed via the web interface any more. The only
way to get HomeTunnel firmware onto these devices is via the TFTP recovery process.
We recommend using our TFTP server virtual appliance
with your favorite Virtualisation Tool (VirtualBox or VMWare).
The appliance has the firmware file already prepared, configures itself to the correct IP addresses and can be updated online.
You can also set up a TFTP server manually:
- On a Windows machine with a program like TFTPD32 or
use a Linux or MacOS TFTP server (most distributions provide this).
- Copy the HomeTunnel firmware image from here to the TFTP server directory
and rename it with the filename "tp_recovery.bin".
- Configure the IP address of the TFTP server machine to 192.168.0.225.
With the TFTP server for the firmware ready, you can start the flashing process:
- Connect the TL-MR3020 v3 to the TFTP server machine's network - preferably via a direct cable.
- Power on the TL-MR3020 v3 while pressing the large WPS button for a few seconds.
- This will start the TFTP download and flash process.
- After a successful flashing process the TL-MR3020 v3 will act as a HomeTunnel box.
For future HomeTunnel firmware updates, you can then use the usual sysupgrade image.
You will only need this procedure again if you want to undo all changes and revert the TL-MR3020 v3 back to OEM state
(an OEM recovery image needed for this is in the download section and is present on the TFTP server virtual appliance, too).
How can I find the HomeTunnel box in my home network?
How you can find your HomeTunnel box in order to access
its web user interface depends on your home network environment:
- After you have registered on this website, a link for local administration is visible
in the settings view for your HomeTunnel box.
- If your router supports it, the HomeTunnel box will register in your local DNS under the
name "hometunnel". Thus, the URL "http://hometunnel" may work for you.
- Most SOHO routers have a list of active DHCP leases so that you can
see which IP has been assigned to your device (its MAC can be found on the side label).
- If your HomeTunnel license is active, you should be able to access the web UI via
"http://<MAC>.lan.hometunnel.net", replacing <MAC> with the actual MAC of your
HomeTunnel box. That name resolves to the LAN IP of your HomeTunnel box.
The settings view says that my HomeTunnel box firmware is outdated. How can I update?
You can download the most-current version of the sysupgrade software from
and upgrade via the local HomeTunnel web user interface. Your settings and credentials can be kept.
I want to sell my HomeTunnel box. How should I do that?
You should go to the HomeTunnel box inventory list and remove the device
from your account, effectively unclaiming it.
Afterwards, you can either reset the unit to factory defaults via
its local web user interface, by pressing the WPS button for at least 10 seconds
or even by re-flashing it back to the original TP-Link firmware.
All approaches will clear the old credentials so that no client device can connect to
the HomeTunnel box any more.
What are the button and the sliding switch for?
The WPS button on the top of your HomeTunnel box has three functions:
- When pressed very shortly, it will reboot your HomeTunnel box.
- When pressed for 4 to 9 seconds, it will reset the password to the default of "hometunnel".
- When pressed for 10 to 15 seconds, the device will be reset to default settings. This is a dangerous
action since it erases all credentials. You will have to use the admin view in order to
generate new credentials. Also, you will have to provide them to your VPN client device(s) again.
When the button is pressed for more than 15 seconds and then released, nothing happens.
Pressing the button works only after the startup phase has finished.
The sliding switch has no designated function yet.
How much power will the HomeTunnel box consume?
The TP-Link device is rated at 2 Watts maximum, but we have measured ~1 Watt to be typical.
Being energy-efficient was one of the selection criteria for the hardware. Hint: Many SOHO-Routers
have USB connectors. If yours does, you can connect the USB power cable of the HomeTunnel box directly and do
not have to use the power supply.
What about the Open-Source obligations?
Our software makes use of LEDE as the basis for the HomeTunnel box firmware.
The modifications we have done to LEDE / OpenWRT are completely open and you can download the
build tools from http://download.hometunnel.net/gpl/
This is not only to honor the GPL obligations, but also to show that we have nothing to hide.
How can I power-on a networked device from remote?
Many networking devices (like NAS boxes and PCs) are Wake-On-LAN capable. They
can be woken up by sending them a special network packet.
After you log in to your HomeTunnel box (which you can do via a running VPN connection),
choose "Network->Wake-On-LAN" from the menu:
You will have to enter the device's MAC address into the form.
It consists of 12 hexadecimal digits and identifies your networked device uniquely.
Devices that have once been contacted by your HomeTunnel box already will also show up
in the dropdown list. You will have to know which device is which, though.
If you do not know exactly, you can guess by entering the MAC into any online MAC-OUI database,
as the first 6 digits of a known MAC (like 40:16:7E in the image above) identify a device's manufacturer (here: ASUSTek COMPUTER INC.).
Otherwise, you will have to note the device's corresponding MAC beforehand in order to start it later.
Can I connect to my network using DS-Lite?
Some ISPs (like Unitymedia) cannot offer IPv4 addresses any more and have
to resort to IPv6 via a configuration called DS-Lite (dual-stack lite). With that, it becomes very
difficult to even open any connection to one's own home network, e.g. if your mobile ISP does not offer IPv6, which
is often the case.
With HomeTunnel, this is no big problem: Since in proxy mode, the connection
to our cloud servers can be opened via IPv4, your mobile devices can also access the end of the tunnel via IPv4.
You may not be able to use direct mode with DS-Lite, though.
How can I access my file shares by smartphone or tablet?
On Android, you can find many so-called "file managers" like
that allow accessing network file shares,
you can find a comparison here
On iOS, there is FileExplorer Free
other apps, but you are more limited in what you can actually do with the files.