BolehVPN Security Decisions and Configuration Update Plan
November 4, 2014
BolehVPN now accepts DarkCoin on top of BitCoin and DogeCoin (10% Discount)
November 24, 2014
Show all

Important: Configuration Updates

As per our previous post, we have decided on a schedule for our server changes. Unfortunately this means that we will have to reboot the servers and your connection may be interrupted. Please be advised if you use the servers mentioned below during the times they are scheduled for changes, you may face difficulties in getting connected or maintaining a connection. The schedule will be as below

Thursday (13th November 2014)

1000-1200 GMT +8 – All USA and Canada servers.

1400-1600 GMT +8 – UK, Sweden, Luxembourg servers.

Friday (14th November 2014)

1000-1200 GMT +8 – Germany, France, Italy servers

1400-1600 GMT +8 – Japan, Switzerland, Netherlands, China servers


Accessing the updated servers

For users on our BolehVPN client, just head over to the Settings tab and hit Update Configurations. For users on OpenVPN-GUI or Tunnelblick.

  1. Head over to our user portal and login.
  2. Click on Download Configurations.
  3. Go to /Program Files/OpenVPN/Configs (OpenVPN GUI) or ~/Library/Application Support/Tunnelblick/Configurations (Tunnelblick)
  4. Delete all the .ovpn files.
  5. Open the .zip file you just downloaded from our user portal.
  6. Extract the contents into the Configs or Configurations folder.
  7. Restart OpenVPN-GUI / Tunnelblick.
  8. Connect!

For users on iOS or Android, just delete all the servers in OpenVPN Connect. Then, follow the setup guide from our website (link) and you should have no problems. For users on Linux or DDWRT, here are the settings for the different servers after these changes.:

auth sha512 cipher AES-256-CBC tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA
auth sha512 cipher AES-256-CBC tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA
cipher AES-128-CBC tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA


cipher AES-128-CBC tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Edit: updated the Linux / DDWRT section with the latest details from our network admin. These are the latest details, not the email announcement. Apologies for any confusion.


  1. Matt says:

    Thanks for the update. What will the most secure and private protocol be? How private and secure will it be?

  2. krasnal says:

    Some clarification please:

    1. When the new configuration files be available? I’m seeing no changes yet.
    2. Are you sure the Linux/DD-WRT details are correct? I thought AES-256 was going to be used only for the Cloak system and most would use AES-128 as the data channel cipher.
    3. Are you reverting the TLS-cipher to TLS-DHE-RSA-WITH-AES-128-CBC-SHA for every service?

  3. krasnal says:

    I’m confused by your update/clarification. This latest post (Nov 10) does not agree with details in your November 4 post regarding ciphers (and, possibly, HMAC). Are you changing policy again?

  4. krasnal says:

    I’m using Luxembourg and can confirm that the update took place successfully, which is positive.

    But… you have indeed changed your policy from the one clearly laid out on November 4.

    You said in your October 29 post: “Feedback is greatly appreciated and thank you for your patience and understanding as we move to improve our service and achieve a balance between performance and security”. While you were first-class in explaining your decision in the post of November 4, you then provided no feedback or explanation at all about the apparently contradictory post of November 10. I tried to clarify with you if the Nov 10 post was an error, but received no reply. In the end, it was left to trial-and-error to see which worked.

    While you could reasonably argue that the November 4 post achieved “a balance between performance and security” where is the explanation about the reversal (back) to AES-256?

    To sum up, important clarification and feedback that should have been provided were, as far as I can see, instead neglected. After such a promising start, I’m sorry but I think you dropped the ball.

  5. Sigh says:

    You guys need to update the client configs now as krasnal said. I can only connect to one server.

  6. schuc says:

    I am trying to use Luxembourg with my DD-WRT router, but have so far been unsuccessful. I see above that krasnal is successful but I’m not sure if he is using DD-WRT.

    I have updated the certs, key, and cipher but it still is not connecting through. One message I see in the log is “WARNING: No server certificate verification method has been enabled.”.

    Please advise as I need to get this up and working with my DD-WRT.


Leave a Reply

Your email address will not be published. Required fields are marked *