Frequently Asked Questions

How can I obtain a license for HomeTunnel?

You basically have two choices:
  1. You buy a TP-Link TL-MR3020 or TL-WR902AC from anywhere and install our software. In this case, you will have a free trial period of 31 days.
  2. You find a shop that sells you a device with the software already installed. The shop can sell you a license period of his own choice, but it is as least as long as the normal period of 31 days. Here are the links for our current hardware distributors:

    Varia Store
After having decided that you want to continue using your HomeTunnel VPN, you can prolong the license from your HomeTunnel admin panel. Once you have registered, you will see the license status in your HomeTunnel settings panel:

License status

Depending on the remaining license time and proxy data volume, you will be presented a product choice:

 Product choice

The image above is only a symbolic representation, our actual product portfolio with prolongation time, proxy data volume and price is:

Product nameYearsGBytesPrice
HomeTunnel VPN service 1 year (120 GByte)112029.90 €/$
HomeTunnel VPN service 2 years (240 GByte)224039.90 €/$
HomeTunnel VPN service 3 years (360 GByte)336049.90 €/$
HomeTunnel VPN service 5 years (600 GByte)560059.90 €/$
HomeTunnel VPN Data Package 500 GByte05009.90 €/$

Pick your preferred product from the proposed list. Then, you can order via our reseller, Ditigal River:



The license will automatically be added after your payment has been received.

Why do I need HomeTunnel?

If you have a need to access your home network from outside, you will probably face the problem that your router does not meet all of the requirements for a VPN:
  1. Your router must be locatable from the internet, so you need either a fixed IP address or dynamic DNS. You will likely not have a fixed IP given that they are scarce these days and the choice of dynamic DNS providers is very limited in most routers - plus, most of these services are not free.
  2. You will want to use encryption for your VPN. Older mechanisms like PPTP are not regarded as secure any more and IPSEC as the de-facto standard is a pain to configure. On the other hand, OpenVPN as an emerging tool is very rarely implemented. Many SOHO routers have none of these VPN mechanisms at all (like all Speedport variants).
IPv6 might seem like a nice alternative to NAT with IPv4, but it is not widely available yet.

Also, your specific router (like the Fritz!Box) probably offers many other nice features like integrated VoIP or embedded media services, so you will not want to give it up for another router that - say - does offer OpenVPN.
So why not choose a dedicated VPN appliance? And to take it further: Why not one that integrates dynamic DNS and which makes configuration as easy as 1-2-3?
You see what this boils down to: HomeTunnel is the solution for you.

What is the difference between "Direct" and "Proxy" mode?

By using the preferable "Direct" OpenVPN profile, your client(s) will connect to your router directly without any intermediate relay. You can see this because the profile uses a target address like "MAC.wan.hometunnel.net" where MAC is your HomeTunnel box's MAC.
A direct connection is only possible when a UDP port can be forwarded from your router to the HomeTunnel box. The appliance will try to enable this automatically if your router supports UPNP. As an alternative, you can use the firewall settings of your router in order to forward UDP port 1194 to the IP address of your HomeTunnel box.
If the port cannot be forwarded, the "Proxy" profile must be used. In this case, your client uses the other OpenVPN profile to connect to one of our proxy servers (the VPN connection target is "proxy.hometunnel.net"). The proxy server has been connected by your HomeTunnel box before via an outgoing connection (those are allowed by most SOHO routers).
You can imagine these modes like in this picture:

Proxy vs. direct mode

Both modes are equally secure, since the VPN data is encrypted anyway, but "Direct" mode is faster and should therefore be preferred. Also, proxy mode has a limit on the available data volume. After your remaining proxy data volume has been used up, proxy mode will stop working until you refill it by buying some additional data volume.

I want to access another network (e.g. friend/familiy). How can I do that?

Bear in mind that you may only use our solution for lawful purposes and respect the privacy of others. Many companies have rules that strictly forbid to use any 3rd party device in their networks. Matter-of-fact, that is also part of our service terms.

So, if you want to access a network that is not yours, be sure to get prior consent.
Anyway, to actually do it is quite easy: Just get a second HomeTunnel box and set it up in your home network. If you want to administrate this device from your existing account, go to the HomeTunnel box inventory view and use the "Register new device" button to add the device to your inventory. You need to enter the MAC (which is printed on the device) for that. You can also unclaim a device by removing it from your account's inventory.
If you want to assign the device to a new user account, proceed as normal and register the account together with the new (or unclaimed) device.
The device will never be bound to your home network. Technically, you can use it in any network - provided that you are allowed to do so. Ensuring that is strictly your responsibility.

What is the difference between https://hometunnel.net and http://hometunnel?

https://hometunnel.net refers to the HomeTunnel cloud interface, which is operated by us. You can prolong your license and trigger the generation of new credentials there.
http://hometunnel refers to your local HomeTunnel box interface, where you can download the VPN credentials.

I re-provisioned my client(s) with new credentials, but the VPN does not work any more. Why?

That part can be tricky, depending on your OpenVPN client software. You probably did not delete the old profiles first. In that case, it is difficult to discriminate the old and new versions of the OpenVPN profiles.
We therefore recommend to delete all deprecated profiles before importing the new ones.

What are the limitations of HomeTunnel?

HomeTunnel creates a VPN tunnel between your mobile device and your HomeTunnel box. This has some implications:

  1. IP address collisions: To build a VPN tunnel, one uses a so-called transfer network with IP addresses in the range of 10.88.0.0/24 in proxy mode or 10.89.0.0/24 in direct mode. So, there may be an address collision in either of the two networks that your tunnel endpoints use (i.e. your mobile device and your HomeTunnel box).
    Since these address ranges are rarely used in SOHO networks, the collision would occur more likely on the client end. But, even if there really is a collision because you try to reach your home network from within a company network, it would probably not have worked or be legal anyway because most company networks have firewalls that block VPN traffic.
  2. Routed IP traffic: The second limitation is that all of that VPN traffic has to be "routed". That term means that not all of the ethernet packets that can be seen on your home network will actually be forwarded via the VPN. Any network protocol that relies on so-called "broadcasts" will not pass through the VPN. One example of this is Apple's Bonjour technology - which in turn means that Airprint cannot be used.
  3. NAT problems: Another limitation is that because the IP traffic from the transfer network has to be translated, services on the clients cannot be accessed by devices in your home network. The VPN tunnel is much like a one-way street: Connections can only be initiated by the client device, since its IP address 10.x.y.z cannot be addressed by your other network devices. The client device's requests are translated (via a mechanism called Network Address Translastion, or short: NAT) and in effect, the sender IP appears to be that of the HomeTunnel box. Answers to such request are then NATed back, but only if the original request was initiated by the client device in the first place.
  4. Connection speed: This may seem like no biggie, but it can be a showstopper for some data-intensive applications. Also, your data volume may be limited.

There is a limited "proxy" data volume. What gives?

First, bear in mind that an active VPN tunnel creates data traffic. This is true even if there is no actual user data being transferred, because the tunnel has to be kept open.
Thus, when you use your VPN tunnel (regardless if in proxy or direct mode), you will use some of your mobile data volume. So: always remember to close your VPN connection after you have finished using it, especially if your ISP has set a traffic limit!

If you only use direct mode, you can stop reading here.

For proxy mode, HomeTunnel has a limit on the use of data volume of roughly the equivalent of 10 GByte per month. Probably, this will not be an additional limitation for you at all, e.g. if your mobile provider already imposes a similar limit for your smartphone data traffic.
Matter-of-fact, purchasing a HomeTunnel license for a specific period buys you a corresponding proxy data volume which is being added to the device. Each time you use your VPN tunnel in proxy mode, the remaining data volume is reduced by your traffic consumption. After the data volume has been used up, proxy mode will stop working (direct mode is unaffected). You can check your remaining proxy data volume in the HomeTunnel settings.

We consider this neccessary in order to ensure a fair-use policy for all users. If you have extremely data-intense applications (like video streaming or large backups) and need more data volume, you have two options:
  1. Set up your home network to support using direct mode - in direct mode, the remaining proxy data volume is never reduced, since our cloud servers do not see your traffic.
  2. Buy additional proxy data volume via the HomeTunnel settings.
The first option is preferable anyway, because your data will take the direct route between your mobile device and your home network. Besides conserving your proxy data volume, this will also be significantly faster.

Why is it that I cannot stream videos over VPN?

This is most probably limited by your internet connection, not by the VPN. First, you should know that video streaming uses a lot of bandwidth:

Video typeTypical Bandwidth needed for MPEG-4
SD3 MBit/s
HD5 MBit/s
Ultra-HD25 MBit/s

The bandwidth needed is also determined by other factors, like compression method used, frame rate and complexity of the audio and video material. Most Linux set-top-boxes employ MPEG-2 video compression, which uses much more bandwidth than modern MPEG-4 codecs. Unless you have at least 10 MBit/s bandwidth, do not expect to be able to stream even SD videos from such devices.

Many broadband connections have asymmetrical speeds, such as 50 MBit/s downstream and 10 MBit/s upstream. This may not be limiting at your home network, where you can watch internet videos (in downstream direction), but it can be a bottleneck when you try to get your data out upstream from your home network. In the latter case, your upstream speed poses an upper limit. Actual bandwidth may be even more limited, depending on the route your data traffic takes on its way to your client.

You should try to use direct mode, because your data will then take the direct route between your mobile device and your home network. Besides conserving your proxy data volume, this will also be significantly faster.

Is this really secure?

Yes.

The HomeTunnel VPN credentials are created on your HomeTunnel box, transmitted over your home network only and stored on your client device(s). They are never seen or intercepted by our cloud systems in cleartext.

You should follow the instructions on how to protect your credentials closely. If you do, nobody but you (that excludes us, too) has access to the credentials that are used to encrypt the data that flows between your mobile device(s) and your HomeTunnel box.

Also, what is much different from other VPN types that are used to protect your privacy on the internet: With those, you must trust your VPN provider not to spy on the clear-text traffic that enters or leaves his systems. With HomeTunnel, only encrypted traffic passes our systems - if at all.

We (HomeTunnel GmbH) could not even access your home network if authorities asked us to do so, despite the fact that (encrypted) VPN traffic may pass our cloud systems on its way (that happens only in proxy mode, BTW).
The credentials will not leave your realm unless you decide otherwise.

The OpenVPN software that is being used for encryption is Open-Source, which means it can be inspected for hidden backdoors and bugs by specialists all over the world. The same is true for the HomeTunnel box firmware which creates the credentials. These facts make it very unlikely that something is hidden within our solution.

Granted, any complex software can contain bugs (this is the reason why we accept no liability) - but: the worst-case scenario would be that a hacker gains access to your HomeTunnel box. From there, he could only access unprotected ressources on your home network.

That being said, ask yourself a few questions:

  • Are you even sure that nobody has access to your realm (= home network) already?
  • For example: Do your or your kid's friends know your WiFi password?
  • Is your WiFi protected at all by a strong mechanism (i.e. WPA or WPA2 and not WEP)?
  • Are all ressources on your home network password-protected?
  • Do you, by any chance, use powerline ethernet (HomePlug)? Did you change its default password?
  • How many appliances do you use in your home network (think of webcams, networked printers, NAS boxes, set-top-boxes, routers and the like) of which you cannot even theoretically inspect the software because it is closed-source?
  • You did change the default password of your HomeTunnel box, didn't you?

How should I handle my VPN credentials?

Credentials should be handled like a key: Never give them to anybody you do not trust, not even for a short while - as they might be copied and used without your knowledge.
Applied to computers, that means that your VPN credentials should always stay in your realm, i.e. stored on your mobile device(s) and not escape from your network. They should not be transferred unprotected, e.g. via unencrypted E-Mail, although that migth seem handy. Instead, download them directly from the local admin interface of your HomeTunnel box.
You can request recreation of the credentials if you are suspicious that they may have been compromised, e.g. when your smartphone is stolen. Also, remember to protect your HomeTunnel box by changing the default password during setup.

What is the default password for the HomeTunnel box?

The default password is "hometunnel" (username is "root").

I forgot my password. What now?

As for the HomeTunnel cloud interface, this is fairly easy: Just try to sign in and then click on the "forgot password" link in the form, then follow the instructions.

For the HomeTunnel box, you can press the WPS button on the top for 5 seconds - but no longer. After that procedure, the root password should have been reset to the default value of "hometunnel". Login to your HomeTunnel box and change that password now!

We detected a network attack from your servers. Are you mad?

  1. Check your data. While it may be true that an IP connection exists between your network and our servers, it has been initiated by a device situated in your network.
    The connection in question is probably an outgoing connection from a HomeTunnel box. Most likely, one of your employees wanted to work from home and has connected a HomeTunnel box to your network for this purpose - possibly in violation of your company security policy. Thus, it is not us, but your employee breaking your security. Go and find the device and disconnect it from your network. Before you ask: We will not tell which of our customers is the owner of the device without legal obligation to do so.
  2. Had you taken the appropriate security measures in your network, this would never be possible in the first place. Obviously, your firewall blocks only incoming connections.
    From a security perspective, there is no difference between an incoming and an outgoing bi-directional IP connection. You have chosen to ignore this fact and thereby enabled a mechanism otherwise known as firewall piercing.
  3. Measures you can take to prevent that from happening again:
    • Do not accept unknown devices in your company network (i.e. implement IEEE 802.1x).
    • Have your firewall block unauthorized outgoing connections to the internet.
    • Do not let network devices request port forwarding via UPNP.
    • You can also block our cloud servers in your firewall - but anybody with physical access to your network being able to initiate outgoing IP connections could pierce your firewall using any other endpoint on the internet. If you seriously consider this approach, you should block the whole internet.

How can I find the MAC of my HomeTunnel Box?

On the side of your HomeTunnel box, there is a printed label like this:
HomeTunnel box label
There, you can find the MAC address in the upper right corner. It consists of 12 hexadecimal digits and identifies your HomeTunnel box uniquely.

How can I connect to the TP-Link device in order to flash the HomeTunnel firmware?

Over Ethernet
You can connect your PC directly via the supplied ethernet cable. Disconnect both your PC and the TP-Link device from your ethernet LAN first.
Over wireless LAN
On the side of your HomeTunnel box, there is a printed label like this:
HomeTunnel box label
The default settings are needed to access the firmware flashing menu on an OEM box that still has the original TP-Link software. After your TP-Link device has been upgraded with the HomeTunnel firmware, the following settings will no longer apply:

  • SSID: This is the manufacturer-supplied wireless LAN name. You can connect to this wireless LAN in order to put the HomeTunnel firmware on it.
  • KEY: This is the password you must enter to connect to the wireless LAN of the device.
Applying to both
  • IP: This is the IP address of the device. You must enter it in your browser to access the firmware flashing menu.
  • Username/Password: To access the device, you must enter these in the login form of the device.
The IP, Username and Password are the same for wireless and Ethernet access, namely 192.168.0.254, "admin" and "admin".

How can I find the HomeTunnel box in my home network?

How you can find your HomeTunnel box in order to access its web user interface, is dependent on your home network environment:

  1. After you have registered on this website, a link for local administration is visible in the settings view for your HomeTunnel box.
  2. If your router supports it, the HomeTunnel box will register in your local DNS under the name "hometunnel". Thus, the URL "http://hometunnel" may work for you.
  3. Most SOHO routers have a list of active DHCP leases so that you can see which IP has been assigned to your device (its MAC can be found on the side label).
  4. If your HomeTunnel license is active, you should be able to access the web UI via "http://<MAC>.lan.hometunnel.net", replacing <MAC> with the actual MAC of your HomeTunnel box. That name resolves to the LAN IP of your HomeTunnel box.

The settings view says that my HomeTunnel box firmware is outdated. How can I update?

You can download the most-current version of the sysupgrade software from http://download.hometunnel.net/firmware/ and upgrade via the local HomeTunnel web user interface. Your settings and credentials can be kept.

I want to sell my HomeTunnel box. How should I do that?

You should go to the HomeTunnel box inventory list and remove the device from your account, effectively unclaiming it. Afterwards, you can either reset the unit to factory defaults via its local web user interface, by pressing the WPS button for at least 10 seconds, or even by re-flashing it back to the original TP-Link firmware.
All approaches will clear the old credentials so that no client device can connect to the HomeTunnel box any more.

What are the button and the sliding switch for?

The WPS button on the top of your HomeTunnel box has three functions:
  1. When pressed very shortly, it will reboot your HomeTunnel box.
  2. When pressed for 4 to 9 seconds, it will reset the password to the default of "hometunnel".
  3. When pressed for 10 to 15 seconds, the device will be reset to default settings. This is a dangerous action since it erases all credentials. You will have to use the admin view in order to generate new credentials. Also, you will have to provide them to your VPN client device(s) again.
When the button is pressed for more than 15 seconds and then released, nothing happens. Pressing the buttons only works only after the startup phase has already finished.
The sliding switch has no designated function yet.

How much power will the HomeTunnel box consume?

The TP-Link device is rated at 2 Watts maximum, but we have measured ~1 Watt to be typical. Being energy-efficient was one of the selection criteria for the hardware. Hint: Many SOHO-Routers have USB connectors. If yours does, you can connect the USB power cable of the HomeTunnel box directly and do not have to use the power supply.

What about the Open-Source obligations?

Our software makes use of LEDE or OpenWRT as basis for the HomeTunnel box firmware. The modifications we have done to LEDE / OpenWRT are completely open and you can download the build tools from http://download.hometunnel.net/gpl/. This is not only to honor the GPL obligations, but also to show that we have nothing to hide.

How can I power-on a networked device from remote?

Many networking devices (like NAS boxes and PCs) are Wake-On-LAN capable. They can be woke up by sending them a special network packet.

After you login into your HomeTunnel box (which you can do via a running VPN connection), choose "Network->Wake-On-LAN" from the menu:

Wake-On-LAN
You will have to enter the device's MAC address into the form. It consists of 12 hexadecimal digits and identifies your networked device uniquely. Devices that have once been contacted by your HomeTunnel box already will also show up in the dropdown list. You will have to know which device is which, though. If you do not know exactly, you can guess by entering the MAC into any online MAC-OUI database, as the first 6 digits of a known MAC (like 40:16:7E in the image above) identify a device's manufacturer (here: ASUSTek COMPUTER INC.).
Otherwise, you will have to note the device's corresponding MAC beforehand in order to start it later.

Can I connect to my network using DS-Lite?

Some ISPs (like Unitymedia) cannot offer IPv4 addresses any more and have to resort to IPv6 via a configuration called DS-Lite (dual-stack lite). With that, it becomes very difficult to even open any connection to one's own home network, e.g. if your mobile ISP does not offer IPv6, which is often the case.
With HomeTunnel, this is no big problem: Since in proxy mode, the connection to our cloud servers can be opened via IPv4, your mobile devices can also access the end of the tunnel via IPv4. You may not be able to use direct mode with DS-Lite, though.

How can I access my file shares by smartphone or tablet?

On Android, you can find many so-called "file managers" like TotalCommander that allow accessing network file shares, you can find a comparison here.
On iOS, there is FileExplorer Free and some other apps, but you are more limited in what you can actually do with the files.