BolehVPN Review

Disclaimer: The below review is my opinion, which I will try to provide as many examples for and as much evidence as possible to support.  Readers can learn more about how I conduct my reviews, my methodology, etc – here.  More information on review badges here.

This review’s roll was #16 (at the time of the roll, BolehVPN)

 

Last Updated Mar 20, 2017

Signing up for the service: While signing up for BolehVPN service, I was pleased to see a healthy number of options available for service duration.  The selection included a 1 day free trial, a paid 7 day trial, 1, 2, 6, and 12 months of service.  The 1 day free trial is unfortunately only available upon request after providing a description of your intended use of the service.  This is silly and I can’t think of any other service that asks for this information.  The website it self felt fairly typical – fairly noisy with lots of features listed briefly throughout.  Sign-up required providing user’s full name, email address, and a phone number.  This is unacceptable from the standpoint of privacy.  BolehVPN’s system requires you to manually activate your account after submitting payment, but after doing both, the user portal still indicated that my account was unpaid and not activated.  I refreshed the page and the payment status showed properly, but I had to “activate” my account a second time by clicking a button next to the payment status indicator.  It worked the second time, but I thought it was strange and worth a mention.

 

Configuring the service: The user panel on the site felt just a little bit cluttered, but I was able to find the download link for config files fairly quickly still.  There were two links for downloading ovpn files, one with separate certs and key files, the other with them inline.  This saved me from having to break them out or combine them manually for the Android tests, which was nice.  It was no config file generator, but it was in the realm of “good enough”.  To BolehVPN’s credit, the config files were descriptively named according to their primary function (streaming, proxying, etc).  There were no US-based “Fully Routed” (BolehVPN’s term, aka what you and I would think of as a security/privacy use servers).  I sent an email to support with further questioning on why this is the case.  Config files were also not consistent, with some having LZO compression enabled by default and others not.  Additional configuration of this and levels of encryption were required.

 

Speed & Stability tests: All tests were run using UDP AES-256.  3 of the 4 servers repeatedly failed speed tests on desktop.  Had Switzerland not connected, I would have assumed there was something more generally wrong, but as it did, I have to believe it lies on BolehVPN’s end or with their broken out configs.  There’s always a chance the problem lies in some strange conflict between the speed test and VPN server, but for 3 of the 4 servers tested to fail was not a good sign.

 

Speed Tests – BolehVPN – Desktop
    Latency Download Upload
No VPN Trial 1 21 ms 89.11 mbps 7.01 mbps
Trial 2 21 ms 89.90 mbps 7.52 mbps
Trial 3 22 ms 83.59 mbps 6.88 mbps
Average 21 ms 87.53 mbps 7.14 mbps
               
Canada Trial 1 0 ms 0.00 mbps 0.00 mbps
Trial 2 0 ms 0.00 mbps 0.00 mbps
Trial 3 0 ms 0.00 mbps 0.00 mbps
Average 0 ms 0.00 mbps 0.00 mbps
Comp to Bench -21 ms 0.00% 0.00%
               
UK Trial 1 0 ms 0.00 mbps 0.00 mbps
Trial 2 0 ms 0.00 mbps 0.00 mbps
Trial 3 0 ms 0.00 mbps 0.00 mbps
Average 0 ms 0.00 mbps 0.00 mbps
Comp to Bench -21 ms 0.00% 0.00%
               
Switzerland Trial 1 318 ms 43.41 mbps 0.72 mbps
Trial 2 320 ms 31.46 mbps 0.78 mbps
Trial 3 318 ms 18.45 mbps 0.88 mbps
Average 319 ms 31.11 mbps 0.79 mbps
Comp to Bench +297 ms 35.54% 11.12%
               
Germany Trial 1 0 ms 0.00 mbps 0.00 mbps
Trial 2 0 ms 0.00 mbps 0.00 mbps
Trial 3 0 ms 0.00 mbps 0.00 mbps
Average 0 ms 0.00 mbps 0.00 mbps
Comp to Bench -21 ms 0.00% 0.00%

 

Speed Tests – BolehVPN – Mobile
    Latency Download Upload
No VPN Trial 1 23 ms 64.71 mbps 7.38 mbps
Trial 2 23 ms 68.35 mbps 6.97 mbps
Trial 3 22 ms 70.83 mbps 7.24 mbps
Average 23 ms 67.96 mbps 7.20 mbps
               
Canada Trial 1 149 ms 11.75 mbps 1.45 mbps
Trial 2 150 ms 7.89 mbps 1.70 mbps
Trial 3 151 ms 8.17 mbps 1.60 mbps
Average 150 ms 9.27 mbps 1.58 mbps
Comp to Bench +127 ms 13.64% 22.00%
               
UK Trial 1 276 ms 5.49 mbps 0.86 mbps
Trial 2 284 ms 8.13 mbps 1.59 mbps
Trial 3 338 ms 4.08 mbps 1.16 mbps
Average 299 ms 5.90 mbps 1.20 mbps
Comp to Bench +277 ms 8.68% 16.72%
               
Switzerland Trial 1 318 ms 6.98 mbps 0.70 mbps
Trial 2 322 ms 10.25 mbps 1.07 mbps
Trial 3 322 ms 10.26 mbps 1.01 mbps
Average 321 ms 9.16 mbps 0.93 mbps
Comp to Bench +298 ms 13.48% 12.88%
               
Germany Trial 1 332 ms 9.58 mbps 0.65 mbps
Trial 2 317 ms 14.88 mbps 0.95 mbps
Trial 3 322 ms 15.38 mbps 1.37 mbps
Average 324 ms 13.28 mbps 0.99 mbps
Comp to Bench +301 ms 19.54% 13.76%

 

Getting support:  BolehVPN appeared to have a live chat tool on the website, but it was unavailable (“Leave a message”) when I checked.  I sent an email to support questioning their lack of US based servers for “Fully Routed” configurations.  I received a response not long after indicating that I should use a streaming server if I need an exit node in the US as abuse of P2P gets BolehVPN servers taken down.  I don’t see this as being a good solution to the problem as there are many legitimate uses for P2P ports.  Having to only use a foreign server for general use isn’t reasonable in my opinion.  While it might still be a challenge, many other VPN companies manage to keep this under control and make it available to their users in the States.

 

Getting a refund: After hearing back from support, I requested a refund of the service, which was granted very quickly and without any questions.

 

Concerns in Terms & Conditions / Privacy Policy: BolehVPN’s terms were in the middle of the elegant/obtuse spectrum, which is to say, still fairly long.

 

We at BolehVPN value your privacy and therefore have a detailed privacy policy in place…  We take your privacy seriously and will take all reasonable measures to protect your personal information.

After scraping 169 VPN services’ ToS, I can’t even tell you how sick of hearing this I am.  Tell me this BY your terms, not IN your terms.  I swear, if I had a dollar for every time a VPN company told me they valued my privacy and then trampled their own statement…

 

Depending on the payment method, all that is required is a valid e-mail address and you are free to use placeholder names and nicknames when signing up.

Asking for my name is still asking for my name.  If it’s okay to provide a fake one, why bother?

 

We may use analytics on our website to help us to understand where our customers are coming from however no personally identifiable information is captured (such as a name, email address or billing information).

Why would it be a big deal to capture my name, email address, and billing info here if you don’t mind capturing it elsewhere?

 

However, please note that although we do not log… if you have used a non-anonymous payment method… details being recorded by the payment processor… may be made available in the event if required by law…

Above: your privacy being valued.

 

Although we do not impose strict bandwidth or speed limits on our servers, this is subject to fair use and shall be within reasonable bandwidth limits of normal residential/light commercial use. We reserve the right to suspend users and inquire if we note any excessive bandwidth usage especially if continuous use.  Without limiting the generality of the foregoing as a rule of thumb, anything below 1TB (up and down) per month is reasonable as long as max speed usage is not sustained over days on end.

But bandwidth is supposedly not logged.  Big contradiction here.

 

Final thoughts: While BolehVPN has specific requirements of their affiliates to provide full and prominent disclosure, they all but ignore this term.  When a company has such terms for their resellers but has no interest in enforcing them, it shows me that they want credit for an outside show of good faith, but the contradiction tells me a lot more about their intentions and business practices.  This shows that they are deeply involved with an affiliate business model.

 

BolehVPN strikes me as being just below average, which in the VPN industry means certainly nothing to write home about.  The degree of respect a company does or does not have for your privacy should be said with actions and enforced policies, not merely words and contradictions.  Requesting personal info and hinting at logging despite stating otherwise raises an eyebrow to me.  Several servers reliably not connecting also make me quite nervous.  Not having the kinds of servers I’m interested in available in the US is just unacceptable with almost every other VPN service manages to.

On the flipside, support was quick to respond (even if I didn’t like what they had to say).  I also give them points for quickly granting a refund without any hassle.  Overall, I can’t really recommend BolehVPN to anyone.  I’ve definitely seen worse, but there are so many better services out there that take the world of privacy seriously.

 

Update (2-2-2017): BolehVPN reached out with several updates to their service, which are listed below:

  • CloudFlare is no longer being used on the website.
  • No more personal details needed, an email address is all that is needed to register unless paying with Crypto (in which case this can be done anonymously) – Exposed stamp removed.
  • Streamlined subscription activation (I have not confirmed this).
  • OVPN files tested in order to make sure they work – Broken stamp removed.
  • Terms of Service and Privacy Policy updated.
  • Affiliates given an ultimatum to comply with terms in 30 days or have their accounts deactivated.  (This is a big one and I’m anxious to see the results).

These changed have been noted on the appropriate charts!  Kudos for taking the initiative and taking steps to improve your service, BolehVPN!

 

Update (2-3-2017): BolehVPN reached out with a few more updates.

  • Clarified the number of countries and servers
  • Raised the number of simultaneous connections from 2 to 3.
  • Clarified handshake encryption (RSA-4096)

 

Update (3-20-2017): BolehVPN has again reached out with some more changes.

  • IPv6 is now supported on their servers
  • Their affiliate program has been overhauled, enforcing their existing policies and terminating the accounts of those who do not follow them.  I will be occasionally checking to make sure this is being practiced.

As per BolehVPN, here is the timeline of events where these changes are concerned:

  •  3 February: Affiliates e-mailed the compliance notice, with a deadline to reply before 5 March.
  •  27 February: Affiliates with non-functional/dead sites were suspended.
  •  10 March: Compliance deadline.
  •  15 March: Suspension of non-compliant affiliates.
As of the time of this writing:
  •  39 affiliates were suspended for not meeting the compliance deadline
  •  21 complied with the affiliate disclosure policy
  •  5 were unsuspended after meeting the disclosure policy. They were suspended on 15 March
  •  33 were suspended earlier due to non-functional URLs

I have removed the “Shady” stamp as a result of their efforts.

 

FROM THE VPN COMPARISON CHART
CATEGORY VPN SERVICE BolehVPN
JURISDICTION Based In (Country) Seychelles
Fourteen Eyes? No
Enemy of the Internet No
LOGGING Logs Traffic No
Logs DNS Requests No
Logs Timestamps No
Logs Bandwidth No
Logs IP Address No
ACTIVISM Anonymous Payment Method Yes
Accepts Bitcoin Yes
PGP Key Available Yes
Gives back to Privacy Causes Yes
Meets PrivacyTools IO Criteria Yes
LEAK PROTECTION 1st Party DNS Servers Yes
IPv6 Supported / Blocked Yes
  Offers OpenVPN Yes
OBFUSCATION Supports Multihop
Supports TCP Port 443 Yes
Supports Obfsproxy
Supports SOCKS Yes
Supports SSL Tunnel
Supports SSH Tunnel
Other Proprietary Protocols Yes
PORT BLOCKING Auth SMTP
P2P Some
SPEEDS US Server Average % 0
Int’l Server Average % 7.78
SERVERS Dedicated or Virtual
SECURITY Default Data Encryption AES-128
Strongest Data Encryption AES-256
Weakest Handshake Encryption RSA-4096
Strongest Handshake Encryption RSA-4096
AVAILABILITY # of Connections 3
# of Countries 13
# of Servers 35
Linux Support (Manual) Yes
WEBSITE # of Persistent Cookies 6
# of External Trackers 2
# of Proprietary APIs 7
Server SSL Rating A
SSL Cert issued to Self
PRICING $ / Month (Annual Pricing) $6.67
$ / Connection / Month $2.22
Free Trial Yes
Refund Period (Days) 14
ETHICS Contradictory Logging Policies
Falsely Claims 100% Effective
Incentivizes Social Media Spam
POLICIES Forbids Spam Yes
Requires Ethical Copy Yes
Requires Full Disclosure Yes
AFFILIATES Practice Ethical Copy
Give Full Disclosure

 

If you like the project and find my work useful, please consider donating – your generous contributions help pay for the hosting, tools, and time I need to do my research and keep the data fresh.