Tunnelbear users get access to more than 8,000 servers in 46 countries. The company’s coverage is right around the average compared with the services I have tested. Global country coverage is adequate, though you’ll find that the service does not offer servers in certain countries with restrictive internet policies, like Russia, Turkey, and Vietnam. TunnelBear also moved its servers out of Hong Kong and Ukraine. 

You can pick from a handful of city-level servers in the United States and Canada. While the other countries don’t offer city-level connections, it would be nice to know the general area of the server you are connecting to. For example, there is no geographical information for the Australia server. It’s a huge country, so knowing even the general region of the server would help to set expectations for performance. 

Many VPN companies use virtual servers, which are single hardware servers that host multiple virtual locations. Some servers can also be configured to appear as if they are in a different country—what we call virtual locations. Neither is inherently problematic, but I like to see companies be transparent about their use.

(Credit: PCMag/TunnelBear)

TunnelBear’s commitment to physical infrastructure impresses me. I spoke with a representative, and they clarified that, “Our entire network takes place in the country the user connects to. This is in part why we have a smaller/more contained number of locations compared to other VPN providers, as we think it’s important that users are connecting from the countries we say they are, rather than simulating the country from somewhere else.”

If you’re using TunnelBear VPN, your data is exactly where it’s supposed to be. The representative told me that it uses a mix of physical and cloud-based servers. It also does not own all of its server infrastructure, which is not unusual. They explained that TunnelBear VPN builds and provisions its servers and that third-party providers do not have access to server code or data.

I was also told that the company has taken steps to limit the damage a successful attack on its server infrastructure might cause. The servers contain no identifiable user information, and the drives are encrypted. Some companies, including Nord and Surfshark, now run their servers on RAM-only settings, which do not write any data to disk.

A representative had the following to say when asked why TunnelBear doesn’t use RAM-based servers:

… The security benefits of RAM-based servers really comes down to encryption (rather than data resetting on server shutdown – since servers don’t necessarily reboot often). If an attacker compromises a running server, for instance, it doesn’t matter if it’s running in RAM. With disk encryption, if a server is rebooted, the data is encrypted and the drive must be unlocked before the OS can load. So really, it comes down more to perception of risk – a server being RAM-based doesn’t necessarily mean it’s any more or less secure than our approach, it depends more on what other steps are taken to secure a server by the providers.

I’m sure other providers would potentially debate this point, but ultimately, if a provider isn’t logging user data, then the risk to a user of an infrastructure being compromised is the same irrespective of what is being wiped on reboot.

To TunnelBear’s point, it truly is about the perception of privacy and the additional measures taken to secure user data. While RAM-based server infrastructure is a popular solution, it is not the only one that works.