TunSafe is a very promising new project, consisting of an implementation of the WireGuard VPN protocol in the form of open-source VPN client apps for Windows, macOS, Linux, FreeBSD as well as mobile platforms iOS and Android.
What makes TunSafe even more interesting is the fact that the developer provides a free VPN service available in 11 locations, which can be used without any registration by using either the TunSafe client or connecting using WireGuard, directly, by generating the required configuration file(s).
To sum up, TunSafe provides:
- a very easy to use open-source VPN client app for all major operating systems
- user friendliness, making it quick & easy to get a WireGuard connection up and running, so no need to worry about going through the terminal configuration steps if you’re not familiar with it
- a free, no-log, multi-location WireGuard based VPN service. This feature alone puts the project steps ahead of many commercial and free VPN services.
Does it sound too good to be true? it certainly does. And the obvious question is: who is behind the TunSafe project? Is it some shady, unknown entity registered off-shore? The answer is no, it’s not some shady or anonymous entity behind this promising project, but the Swedish programmer Ludvig Strigeus, who is best known for developing µTorrent and Spotify.
In this review we will cover the TunSafe application, tested on different platforms, but also the free VPN service provided.
TunSafe for Windows
Some of the key features of the TunSafe VPN app:
- implements the new WireGuard VPN protocol
- is completely free and open-source, available for all major platforms
- written in C++, so it’s fast and lightweight
- it is service independent, meaning that you can use it with any WireGuard server/service, not only with the TunSafe free VPN service
- it includes built-in kill-switch capabilities
- supports both IPv4 and IPv6
In this review, we will use the TunSafe free VPN servers for our tests. After downloading and installing the TunSafe software for Windows, a conf file must be generated on TunSafe website. The conf file includes the authentication keys and server settings for the selected server location. Once generated, the conf file must be downloaded and its content copy & pasted into the ‘Edit Config’ window in TunSafe software. Then the connection can be established almost instantly.
The software interface is bare-bone and there are no eye candy effects or graphics like you would get with most commercial VPN apps. But this is something you would expect from a project that’s focusing 100% on the task it’s been designed for.
Upon the initial connection, the software will display some basic routing info and the connection establishment confirmation. Other useful information displayed is a traffic chart for download and upload speed, time since the connection was made and the total traffic transferred for the session.
In the Advanced tab, you can see your public key, information about handshakes, overhead and traffic transfered.
An indication of VPN connection status (connected or disconnected) is visible in the System Tray area, by showing a green or gray shield-like icon. The icon can also be used for quick connecting/disconnecting on its right click menu.
What’s really nice about this basic VPN client software is that it has built-in kill-switch capabilities, which is a key feature implemented in most apps provided by commercial VPN providers. What’s different about TunSafe’s killswitch compared to many commercial implementations we’ve tested, is that it’s fully effective and is based on two methods for blocking traffic from leaking your real IP: one is using firewall-based rules and the second one is based on routing rules. So you can choose which one you prefer or have both methods enabled at the same time to reduce the risk of IP exposure even more.
After enabling the kill switch, a warning is displayed so that the user know what to do in case of something going wrong. A system reboot would restore connectivity by disabling either the firewall or routing blocking rules. That can be done, of course, from the TunSafe software without rebooting the system, by disabling the kill switch option.
We tested the kill switch in different scenarios, one by establishing a VPN connection then killing the TunSafe process in the task manager. After killing the process, the WireGuard connection went down as expected, but no traffic was possible through the physical connection. Starting up the TunSafe client also fired-up the VPN connection instantly. Rebooting the system disabled the kill switch as promised, although not needed unless the TunSafe software can’t be started for some reason.
Protection against DNS leaks is also included, DNS requests outside of WireGuard tunnel being blocked by default.
Adding new servers is very easy and similar to OpenVPN GUI. All you have to do is to get a new conf file and copy it to Tunsafe’s config folder, default on Windows being C:\Program Files\TunSafe\Config. You can get to the folder quickly by making use of the “Browse in Explorer” option in the File menu.
TunSafe for Android
The Android TunSafe VPN app is simplistic, yet it comes with pretty much everything you need to get connected immediately. It comes with a built-in list of servers provided for free by TunSafe, and you can easily add your own by importing the config file(s), if you are running your own WireGuard server and are familiar with setting it up. What we like about using it with TunSafe servers is that you can generate the conf files on TunSafe website on your computer, and instead of downloading the config file you can scan a QR code to import it directly into TunSafe for Android.
In the Options menu, it has an “Exclude Apps” menu you might be familiar with from other VPN apps such as OpenVPN for Android, StrongSwan VPN app and commercial VPN apps based on OpenVPN for Android. This feature comes handy if you don’t want all apps to use the VPN connection.
In Settings, there’s a Kill Switch toggle, options to connect automatically when app is started and when the Android device is powered-on, allow traffic to LAN devices, show the ping latency to servers as well as displaying the IP address (real or VPN).
Unlike OpenVPN based connections and similar to the desktop VPN app, the connection is established almost instantly.
TunSafe free VPN service
While the project is in test phase, the developer provides a free VPN service which you can use. It is pretty obvious that the service won’t remain free forever, but while it’s there in “experimental” stage you can benefit from its privacy-conscious features and become familiar with the new WireGuard protocol.
As for January 2019, TunSafe VPN service can be used for free with high-speed dedicated servers located in the following locations: Netherlands, UK, US, Sweden and Germany.
It’s worth adding that a multi-hop setup is also available with the free VPN service from TunSafe, and you can configure the hops when you generate a config file. The multihop setup can use the following locations as a 1st hop: Netherlands, UK, US and the 2nd hop can be located in any of the same 3 locations.
Other interesting feature of the free VPN service is that the WireGuard server ports can be chosen from the entire 1-65535 range, thus helping in by-passing firewalls and ISP restrictions in some cases by establishing the WireGuard VPN connection over widely-used / allowed ports (for example, port 53).
Testing connection speed wasn’t really a priority in this review, since it’s a free service one could benefit from for privacy/security purposes and – mainly – to test-drive the new WireGuard VPN protocol. Nonetheless, overall the speed we experienced with TunSafe free VPN was satisfactory as compared to commercial VPN services. In some cases, depending on time of day and the servers used, the speed surpassed what we would normally expect from a commercial VPN, so that’s a plus for this free service. Yet there were times when some servers were painfully slow (less than 1-5 Mbps), so that we had to cycle through them in order to find one providing good speed.
Everything about TunSafe is very well documented and community support is available on IRC and a forum. Browsing through the forum’s threads, we noticed that it is quite active and many issues have been addressed in a helpful manner either by other users or by the project owner.
TunSafe is a solid project in active development, already in a strong position to succeed as a commercial VPN service in the future. As for the TunSafe VPN app, it’s almost perfect and we are confident that it can only get better.
- Solid, well-made VPN client apps supporting WireGuard protocol
- bullet-proof killswitch implementation in TunSafe VPN app for Windows
- open-source and free to use
- no shady or unknown entity behind the project, but a well-known developer
- free VPN service (experimental) available, with multiple high-speed servers
- very well documented, community support available
- TunSafe app under very active development, new features added frequently
- a few times we experienced problematic re-connections when switching network, resuming from sleep in some cases, but we’re not sure if this was related to TunSafe or WireGuard itself or the Tap network adapter
- Google DNS (22.214.171.124) is used by default on the free VPN service. It would be nice to make use of a more private service or implement its own on the VPN servers
Bottom line, TunSafe VPN app is the way to go either if you are using WireGuard with TunSafe free VPN, a different VPN service supporting WireGuard or your own WireGuard server(s). TunSafe’s experimental VPN service is recommended to anyone looking to become more familiar with the WireGuard VPN protocol, as well as replacing shady/not-to-be-trusted free VPN services with a free VPN that is backed by a well-known developer.