BolehVPN: Among the Top 5 rated VPN Providers in the World

Important: Configuration Updates

November 10th, 2014

As per our previous post, we have decided on a schedule for our server changes. Unfortunately this means that we will have to reboot the servers and your connection may be interrupted. Please be advised that if you use the servers mentioned below during the times they are scheduled for changes, you may face difficulties in getting connected or maintaining a connection. The schedule is as follows:

Thursday (13th November 2014)

1000-1200 GMT +8 – All USA and Canada servers.

1400-1600 GMT +8 – UK, Sweden, Luxembourg servers.

Friday (14th November 2014)

1000-1200 GMT +8 – Germany, France, Italy servers

1400-1600 GMT +8 – Japan, Switzerland, Netherlands, China servers


Accessing the updated servers

For users on our BolehVPN client, just head over to the Settings tab and hit Update Configurations. For users on OpenVPN-GUI or Tunnelblick:

  1. Head over to our user portal and login.
  2. Click on Download Configurations.
  3. Go to /Program Files/OpenVPN/Configs (OpenVPN GUI) or ~/Library/Application Support/Tunnelblick/Configurations (Tunnelblick)
  4. Delete all the .ovpn files.
  5. Open the .zip file you just downloaded from our user portal.
  6. Extract the contents into the Configs or Configurations folder.
  7. Restart OpenVPN-GUI / Tunnelblick.
  8. Connect!

For users on iOS or Android, just delete all the servers in OpenVPN Connect. Then, follow the setup guide from our website (link) and you should have no problems. For users on Linux or DD-WRT, here are the settings for the different servers after these changes:

auth sha512 cipher AES-256-CBC tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA
auth sha512 cipher AES-256-CBC tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA
cipher AES-128-CBC tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA


cipher AES-128-CBC tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Edit: updated the Linux / DDWRT section with the latest details from our network admin. These are the latest details, not the email announcement. Apologies for any confusion.
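For Linux and DD-WRT users who edit profiles by hand, one way to confirm that a profile really carries the settings listed above, and that no stale file survived the delete step, is to compute what OpenVPN will actually use once its defaults are applied. This is an added example, not BolehVPN's own tooling: the sample profiles and hostname are constructed, and the defaults assumed are those of OpenVPN 2.3 (BF-CBC and SHA1 when `cipher` or `auth` is absent).

```python
# Added example: report the settings an OpenVPN profile will really use.
# Assumption: OpenVPN 2.3 defaults, the release line current in late 2014.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1", "tls-cipher": "(library default)"}

# Values copied from the first settings line in the post above.
PUBLISHED = {"auth": "SHA512", "cipher": "AES-256-CBC",
             "tls-cipher": "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"}

def effective_settings(ovpn_text):
    """Return cipher/auth/tls-cipher after applying defaults for absent directives."""
    settings = dict(DEFAULTS)
    inline = False
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or commented-out directive
            continue
        if line.startswith("<"):             # <ca>, <cert>, <key> inline blocks
            inline = not line.startswith("</")
            continue
        parts = line.split()
        if not inline and parts[0] in settings and len(parts) > 1:
            settings[parts[0]] = parts[1].upper()
    return settings

def mismatches(ovpn_text, expected=PUBLISHED):
    """List every directive whose effective value differs from the expected one."""
    got = effective_settings(ovpn_text)
    return [f"{key}: profile uses {got[key]}, expected {want}"
            for key, want in expected.items() if got[key] != want]

# Constructed sample profiles (the hostname is a placeholder, not a real server).
UPDATED = """client
dev tun
remote vpn.example.invalid 443
auth sha512
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA
<ca>
cipher this line sits inside an inline block and must be ignored
</ca>
"""
STALE = """client
remote vpn.example.invalid 443
; auth sha512
cipher AES-128-CBC
"""

if __name__ == "__main__":
    for name, text in (("updated.ovpn", UPDATED), ("stale.ovpn", STALE)):
        print(name, mismatches(text) or "matches published settings")
```

A profile with no `auth` line is not "unset": it silently falls back to HMAC-SHA1, which is why the check works on effective values rather than on the text of the file.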

BolehVPN Security Decisions and Configuration Update Plan

November 4th, 2014

After extensive discussions as per our post here and waiting for everyone to give feedback, we have decided to change our security settings again to balance performance and security.

From our tests and feedback, the biggest performance hit comes from the implementation of SHA-512 for HMAC. However, SHA-1 has been demonstrated to be insecure for quite a while now, and although the vulnerability does not affect SHA-1’s implementation in HMAC, we feel that it is good security practice to upgrade this. To offset this performance hit, we are reducing AES-256 to AES-128 on select configurations, and we still maintain our opinion that AES-128 is just as secure as AES-256 for the next few years (and in certain scenarios can be stronger due to its stronger key schedule).

In any case, all modern CPUs should be able to handle this with no hiccups.

Configuration Changes


This will be the most used configuration for a wide variety of purposes so this needs to be in the middle ground.

Data Channel: AES 128 bit (from AES 256 bit)


This configuration will have a lower security profile as most use it for geo-location purposes and therefore will be optimized for speed while retaining good overall security.

Data Channel: AES 128 bit (from AES256 bit)
HMAC: SHA-1 (160 bit)


This will be our highest security profile but will be the slowest among all of them. On top of these, there is also a further layer of scrambling.

Data Channel: AES 256 bit

DD-WRT and Integrated Devices

This is still under discussion with our management and we will evaluate whether the revised configurations will hold for routers with their weaker processing power. Unfortunately we won’t be able to support older underpowered routers and we will release guidelines soon as to the supported builds of DD-WRT.

If required, we would implement a handful of servers just for integrated devices/DD-WRT with reduced security settings.

When is this change happening?

This change will happen sometime this week but we will give 48 hours' notice before we initiate the configuration change. We are still concluding testing on certain naming conventions that are unique to DD-WRT due to the OpenSSL version they use. Once the configuration change is finalized, we will post an announcement and effect the changes in several phases over a 24 hour period. All you would have to do is redownload your configurations or update them via our client.

Germany going offline

October 30th, 2014

But it’s only temporary! Don’t panic!


We’re taking it offline for major maintenance. This will last 48 hours, starting from 0900, GMT+8 30th October 2014.

This will affect all Germany servers, from FullyRouted to Proxied to XCloak.

Reports on Slowdowns on Encryption Upgrade

October 29th, 2014

Since our upgrade to AES256 for the data channel (previously AES128) and SHA2-512bit (from SHA1-160 bit) for the HMAC authentication channel, we’ve been receiving reports on slowdowns especially for those using routers/integrated devices whereby CPU processing power is limited.

We had previously decided on this upgrade because of numerous complaints and several review sites marking us down for using AES128 only when the competition is using AES256. We have previously expressed that AES128 in many cases is just as good as AES256 and in certain cases better since AES128 implements a better key schedule. It is an opinion we still hold today and our opinion is that for the average VPN user, AES128 is pretty good.

However, after implementing AES256, our servers do not show any additional CPU impact and we are therefore investigating the reports on slowdowns. It is also possible that the SHA-512 upgrade to the HMAC is causing the slowdown; however, SHA-1 is already considered insecure as it is vulnerable to collision attacks and therefore we believe it is prudent to upgrade this despite the performance hit.

Therefore, in light of this, before we decide on what to do, we would wish to monitor the situation for the next few days. If the speed issues persist and cannot be attributed to other causes we would be doing the following:

  • Announcing our decision via this blog, Facebook and an e-mail to all current users giving at least two days notice.
  • Moving back from AES256 to AES128 for the data channel for all configurations except xCloak configurations which will maintain AES256.
  • Maintaining SHA-512 for added security on the HMAC authentication channel despite the performance hits. It is noted that SHA-256 in many cases is slower than SHA-512 especially on modern PCs. This however still will have an impact on weaker routers.

The alternative would be to segregate high security servers and keep them as xCloaks with the highest protection while keeping the weaker SHA-1 for regular servers for maximum performance. The problem with this is that for most people it will reduce security and introduce unequal distribution of users. We probably would see heavily underutilized high security servers.

Feedback is greatly appreciated and thank you for your patience and understanding as we move to improve our service and achieve a balance between performance and security. Please note that comments especially for first time posters may take time to be moderated as they will need to be processed manually.

Servers overhauled, Italy is back!

October 27th, 2014

Hi guys!

We’ve just updated all our servers to use 256 bit AES encryption, with our HMAC auth changed to SHA512! This is a step up from our previous cipher, which was 128 bit AES. However, this overhaul comes at a slight inconvenience: you will need to update your configurations. Thankfully this is pretty easy with the BolehVPN client. Just head to the Settings tab and hit Update Configurations. If you’re a custom user, however, you’ll need to update manually.

We also listened to your feedback on the Italy server and brought it back! It’s waiting for you, just hit Update to see that old friend.

Let us know how everything goes! :)