Disclaimer: The below review is my opinion, which I will try to provide as many examples for and as much evidence as possible to support. Readers can learn more about how I conduct my reviews, my methodology, etc – here. More information on review badges here.
This review’s roll was #16 (at the time of the roll, BolehVPN)
Last Updated Mar 20, 2017
Signing up for the service: While signing up for BolehVPN service, I was pleased to see a healthy number of options available for service duration. The selection included a 1 day free trial, a paid 7 day trial, 1, 2, 6, and 12 months of service.
The 1 day free trial is unfortunately only available upon request after providing a description of your intended use of the service. This is silly and I can’t think of any other service that asks for this information. The website it self felt fairly typical – fairly noisy with lots of features listed briefly throughout. Sign-up required providing user’s full name, email address, and a phone number. This is unacceptable from the standpoint of privacy. BolehVPN’s system requires you to manually activate your account after submitting payment, but after doing both, the user portal still indicated that my account was unpaid and not activated. I refreshed the page and the payment status showed properly, but I had to “activate” my account a second time by clicking a button next to the payment status indicator. It worked the second time, but I thought it was strange and worth a mention.
Configuring the service: The user panel on the site felt just a little bit cluttered, but I was able to find the download link for config files fairly quickly still. There were two links for downloading ovpn files, one with separate certs and key files, the other with them inline. This saved me from having to break them out or combine them manually for the Android tests, which was nice. It was no config file generator, but it was in the realm of “good enough”. To BolehVPN’s credit, the config files were descriptively named according to their primary function (streaming, proxying, etc). There were no US-based “Fully Routed” (BolehVPN’s term, aka what you and I would think of as a security/privacy use servers). I sent an email to support with further questioning on why this is the case. Config files were also not consistent, with some having LZO compression enabled by default and others not. Additional configuration of this and levels of encryption were required.
Speed & Stability tests: All tests were run using UDP AES-256.
3 of the 4 servers repeatedly failed speed tests on desktop. Had Switzerland not connected, I would have assumed there was something more generally wrong, but as it did, I have to believe it lies on BolehVPN’s end or with their broken out configs. There’s always a chance the problem lies in some strange conflict between the speed test and VPN server, but for 3 of the 4 servers tested to fail was not a good sign.
|Speed Tests – BolehVPN – Desktop|
|No VPN||Trial 1||21||ms||89.11||mbps||7.01||mbps|
|Comp to Bench||-21||ms||0.00%||0.00%|
|Comp to Bench||-21||ms||0.00%||0.00%|
|Comp to Bench||+297||ms||35.54%||11.12%|
|Comp to Bench||-21||ms||0.00%||0.00%|
|Speed Tests – BolehVPN – Mobile|
|No VPN||Trial 1||23||ms||64.71||mbps||7.38||mbps|
|Comp to Bench||+127||ms||13.64%||22.00%|
|Comp to Bench||+277||ms||8.68%||16.72%|
|Comp to Bench||+298||ms||13.48%||12.88%|
|Comp to Bench||+301||ms||19.54%||13.76%|
Getting support: BolehVPN appeared to have a live chat tool on the website, but it was unavailable (“Leave a message”) when I checked. I sent an email to support questioning their lack of US based servers for “Fully Routed” configurations. I received a response not long after indicating that I should use a streaming server if I need an exit node in the US as abuse of P2P gets BolehVPN servers taken down. I don’t see this as being a good solution to the problem as there are many legitimate uses for P2P ports. Having to only use a foreign server for general use isn’t reasonable in my opinion. While it might still be a challenge, many other VPN companies manage to keep this under control and make it available to their users in the States.
Getting a refund: After hearing back from support, I requested a refund of the service, which was granted very quickly and without any questions.
After scraping 169 VPN services’ ToS, I can’t even tell you how sick of hearing this I am. Tell me this BY your terms, not IN your terms. I swear, if I had a dollar for every time a VPN company told me they valued my privacy and then trampled their own statement…
Depending on the payment method, all that is required is a valid e-mail address and you are free to use placeholder names and nicknames when signing up.
Asking for my name is still asking for my name. If it’s okay to provide a fake one, why bother?
We may use analytics on our website to help us to understand where our customers are coming from however no personally identifiable information is captured (such as a name, email address or billing information).
Why would it be a big deal to capture my name, email address, and billing info here if you don’t mind capturing it elsewhere?
However, please note that although we do not log… if you have used a non-anonymous payment method… details being recorded by the payment processor… may be made available in the event if required by law…
Above: your privacy being valued.
Although we do not impose strict bandwidth or speed limits on our servers, this is subject to fair use and shall be within reasonable bandwidth limits of normal residential/light commercial use. We reserve the right to suspend users and inquire if we note any excessive bandwidth usage especially if continuous use. Without limiting the generality of the foregoing as a rule of thumb, anything below 1TB (up and down) per month is reasonable as long as max speed usage is not sustained over days on end.
But bandwidth is supposedly not logged. Big contradiction here.
While BolehVPN has specific requirements of their affiliates to provide full and prominent disclosure, they all but ignore this term. When a company has such terms for their resellers but has no interest in enforcing them, it shows me that they want credit for an outside show of good faith, but the contradiction tells me a lot more about their intentions and business practices. This shows that they are deeply involved with an affiliate business model.
BolehVPN strikes me as being just below average, which in the VPN industry means certainly nothing to write home about. The degree of respect a company does or does not have for your privacy should be said with actions and enforced policies, not merely words and contradictions. Requesting personal info and hinting at logging despite stating otherwise raises an eyebrow to me. Several servers reliably not connecting also make me quite nervous. Not having the kinds of servers I’m interested in available in the US is just unacceptable with almost every other VPN service manages to.
On the flipside, support was quick to respond (even if I didn’t like what they had to say). I also give them points for quickly granting a refund without any hassle.
Overall, I can’t really recommend BolehVPN to anyone. I’ve definitely seen worse, but there are so many better services out there that take the world of privacy seriously.
Update (2-2-2017): BolehVPN reached out with several updates to their service, which are listed below:
- CloudFlare is no longer being used on the website.
- No more personal details needed, an email address is all that is needed to register unless paying with Crypto (in which case this can be done anonymously) – Exposed stamp removed.
- Streamlined subscription activation (I have not confirmed this).
- OVPN files tested in order to make sure they work – Broken stamp removed.
- Affiliates given an ultimatum to comply with terms in 30 days or have their accounts deactivated. (This is a big one and I’m anxious to see the results).
These changed have been noted on the appropriate charts! Kudos for taking the initiative and taking steps to improve your service, BolehVPN!
Update (2-3-2017): BolehVPN reached out with a few more updates.
- Clarified the number of countries and servers
- Raised the number of simultaneous connections from 2 to 3.
- Clarified handshake encryption (RSA-4096)
Update (3-20-2017): BolehVPN has again reached out with some more changes.
- IPv6 is now supported on their servers
- Their affiliate program has been overhauled, enforcing their existing policies and terminating the accounts of those who do not follow them. I will be occasionally checking to make sure this is being practiced.
As per BolehVPN, here is the timeline of events where these changes are concerned:
3 February: Affiliates e-mailed the compliance notice, with a deadline to reply before 5 March.
27 February: Affiliates with non-functional/dead sites were suspended.
10 March: Compliance deadline.
15 March: Suspension of non-compliant affiliates.
- 39 affiliates were suspended for not meeting the compliance deadline
- 21 complied with the affiliate disclosure policy
- 5 were unsuspended after meeting the disclosure policy. They were suspended on 15 March
- 33 were suspended earlier due to non-functional URLs
I have removed the “Shady” stamp as a result of their efforts.
|FROM THE VPN COMPARISON CHART|
|JURISDICTION||Based In (Country)||Seychelles|
|Enemy of the Internet||No|
|Logs DNS Requests||No|
|Logs IP Address||No|
|ACTIVISM||Anonymous Payment Method||Yes|
|PGP Key Available||Yes|
|Gives back to Privacy Causes||Yes|
|Meets PrivacyTools IO Criteria||Yes|
|LEAK PROTECTION||1st Party DNS Servers||Yes|
|IPv6 Supported / Blocked||Yes|
|Supports TCP Port 443||Yes|
|Supports SSL Tunnel|
|Supports SSH Tunnel|
|Other Proprietary Protocols||Yes|
|PORT BLOCKING||Auth SMTP|
|SPEEDS||US Server Average %||0|
|Int’l Server Average %||7.78|
|SERVERS||Dedicated or Virtual|
|SECURITY||Default Data Encryption||AES-128|
|Strongest Data Encryption||AES-256|
|Weakest Handshake Encryption||RSA-4096|
|Strongest Handshake Encryption||RSA-4096|
|AVAILABILITY||# of Connections||3|
|# of Countries||13|
|# of Servers||35|
|Linux Support (Manual)||Yes|
|WEBSITE||# of Persistent Cookies||6|
|# of External Trackers||2|
|# of Proprietary APIs||7|
|Server SSL Rating||A|
|SSL Cert issued to||Self|
|PRICING||$ / Month (Annual Pricing)||$6.67|
|$ / Connection / Month||$2.22|
|Refund Period (Days)||14|
|ETHICS||Contradictory Logging Policies|
|Falsely Claims 100% Effective|
|Incentivizes Social Media Spam|
|Requires Ethical Copy||Yes|
|Requires Full Disclosure||Yes|
|AFFILIATES||Practice Ethical Copy|
|Give Full Disclosure|
If you like the project and find my work useful, please consider donating – your generous contributions help pay for the hosting, tools, and time I need to do my research and keep the data fresh.