We have been considering which DNS servers to use on our VPN servers, and we thank all users who have provided valuable feedback. DNS servers translate easy-to-remember names (such as bolehvpn.net) into numeric IP addresses. Previously we used the default DNS servers provided by each server provider’s ISP, but due to some unreliability we moved to Google’s DNS servers (which wipes its logs every few days), and then dabbled for a while with OpenNIC’s no-log servers. OpenNIC’s servers, being hosted independently, kept going down, so we reverted to Google and/or OpenDNS.
Is There a Problem?
Even with this setup, an ISP cannot see what you’re surfing, as all queries go through the encrypted tunnel. However, the administrator running the DNS server (Google or OpenDNS) is able to capture the following information:
- Our VPN server’s IP
- The time of the DNS query
- The destination address of the query
For example, if you were trying to access minecraft.com through your internet browser while on our VPN, the DNS server admin would be able to know that our VPN server made a query for minecraft.com at a certain time. Besides that, no other information about the end user is given out, and you also have plausible deniability, as many users use a server at one time. Therefore, although your ISP does not know what you’re doing, someone who is very determined to unmask your identity and has the legal resources to do it can theoretically get the DNS server admin to help narrow down their search. That is still a long way from unmasking your identity, since they would be unable to identify which user on the VPN server made the query at that time. But assuming the site you visit is very unique and they have other information tying you to accessing such a site (for example, if they have seized your computer), it is further evidence that can be used against you. Yes, this is quite an extreme situation, and for the average user it isn’t important, but we realized that if we can take steps to improve the privacy of our customers, we should.
How BolehVPN is Improving
Many other VPN providers also use Google DNS, OpenDNS or their server provider’s own DNS, but we are taking the step of hosting our own DNS servers so that none of your information goes to third parties you may not trust. This means any potentially identifying data is kept within BolehVPN and does not go to any third-party provider. Also, a DNS leak test would not show our company’s name but the original server provider’s, which further avoids revealing that you’re using a VPN.
These changes are not trivial, as we have to properly secure these DNS servers and ensure they can handle any load thrown at them. We are already deploying this on a few of our servers to test performance, will be rolling out these changes over the coming weeks, and will post an announcement once it’s completed. We don’t foresee any major difficulties with this.
Also, for those asking why we don’t use DNSCrypt: it doesn’t really add any advantage to the way we are setting it up. You are still free to use DNSCrypt independently if you prefer to continue using it.
What Do You Need to Do?
Nothing. The changes will roll out and you may experience a very brief disconnection. Once the connection is re-established, the new DNS servers will be pushed to you unless you have chosen to specify them manually. Do feel free to share your opinions and comments!
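To confirm which resolvers a session actually received, the following added example (not BolehVPN's code) reads the PUSH_REPLY line of an OpenVPN client log and reports whether the pushed DNS servers are the Google/OpenDNS addresses or fall inside a range you supply. The log lines and the 10.8.0.0/24 range are constructed placeholders; substitute your own log and the range your provider publishes.

```python
import ipaddress
import re

# Well-known public addresses of the two third-party resolvers the post names.
THIRD_PARTY = {
    "8.8.8.8": "Google Public DNS", "8.8.4.4": "Google Public DNS",
    "208.67.222.222": "OpenDNS", "208.67.220.220": "OpenDNS",
}
PUSH_RE = re.compile(r"PUSH_REPLY,([^']*)")
DNS_RE = re.compile(r"dhcp-option\s+DNS\s+(\S+)$", re.IGNORECASE)


def pushed_dns(log_text):
    """DNS servers from the most recent PUSH_REPLY (the one in effect after a reconnect)."""
    replies = PUSH_RE.findall(log_text)
    if not replies:
        return []
    matches = (DNS_RE.match(opt.strip()) for opt in replies[-1].split(","))
    return [m.group(1) for m in matches if m]


def classify(server, provider_nets):
    """Name the resolver's operator as far as the address alone shows."""
    if server in THIRD_PARTY:
        return "third-party: " + THIRD_PARTY[server]
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid address"
    if any(addr in net for net in provider_nets):
        return "provider-operated"
    return "unknown operator"


def audit(log_text, provider_cidrs):
    """Map each pushed resolver to its classification."""
    nets = [ipaddress.ip_network(c) for c in provider_cidrs]
    return {s: classify(s, nets) for s in pushed_dns(log_text)}


# Constructed sample: a session before the change, then a reconnect after it.
SAMPLE_LOG = """\
Mon Jan  7 10:00:01 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 208.67.222.222,ifconfig 10.8.0.6 10.8.0.5'
Mon Jan  7 10:30:12 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,ifconfig 10.8.0.6 10.8.0.5'
"""
PROVIDER_CIDRS = ["10.8.0.0/24"]  # assumption: placeholder for the provider's resolver range

if __name__ == "__main__":
    for server, verdict in audit(SAMPLE_LOG, PROVIDER_CIDRS).items():
        print(server, "->", verdict)
```

This only shows what the server pushed; DNS servers you have specified manually on the device take effect independently of the log and need to be checked in the system's own network settings.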
We are happy to bring you our BolehVPN Beta Client for Android that is ready for testing.
The BolehVPN Beta Client is not our original work but is modified, with permission, from Arne Schwabe’s OpenVPN for Android and patched to work with our xCloak servers. Credits to haggismn for the patch. We have not fully customized the client yet but thought we’d get it out first so that everyone can use it.
Please note that you would have to uninstall any previous versions of the OpenVPN for Android app before installing ours.
- Download the APK here. You might need to go to your Android Security Settings to “Allow Installation of apps from unknown sources”.
- Go to the BolehVPN Customer Portal and log in. Click on Inline Format Download and save it to your internal storage card.
- Use the Folder icon in the VPN client to import the configuration file.
- Click on the Save symbol to add the imported VPN to your VPN list.
- Click on Connect the VPN and you should be ready to go!
Please give us feedback!
We’ve had a few users ask us what xCloak is and why a modified version of OpenVPN is required to run it.
Why do you need xCloak?
In certain countries, ISPs or governments employ advanced deep packet inspection techniques that identify VPN traffic and block it. This doesn’t mean they can look inside your VPN traffic; it just means they have identified your traffic as a VPN and lock it down.
xCloak scrambles the packet payload of the VPN connection so that the VPN traffic doesn’t look like VPN traffic anymore! This makes it harder to block and adds another layer of encryption protection over the standard OpenVPN. It uses the open source patch coded by haggismn and is freely available here and open for inspection.
Why doesn’t xCloak work in certain countries?
Beyond deep packet inspection, there are other ways to block VPN access. The simplest, and possibly the most effective, is identifying our VPN server’s IP and blacklisting it. There’s not much that can be done in such a case beyond changing the IP of the server. Such DPI techniques also evolve, learn and adapt, and if a pattern is detected, it will be added to their detection lists. Of course we can adapt the xCloak to change its behaviour again but there will be a slight delay between recognizing that the system has been blocked. We therefore offer a few xCloak servers so that you have some choice.
What further complicates issues is that different ISPs even within the same country seem to employ different blocking mechanisms so we rely heavily on user feedback to identify problems. Help us help you guys! We do have a test server in some of these restrictive countries to test it out but it seems end users are affected differently than servers within datacenters. So let us know what works (or doesn’t) and we’ll be happy to work together with you and give you account extensions for your help!
New Name for xCloak
The name xCloak isn’t particularly inventive and sounds kinda nerdy. But we’re nerds and haven’t been able to come up with a good name for this. We are open to suggestions on what to rename xCloak to! Let us know in the comments on what you want it to be called!
DD-WRT has some issues in pushing DNS so we’re recommending Asus-WRT Merlin instead and will be supporting that fully with xCloak.
We will maintain DD-WRT support but it will not be able to connect to the xCloak servers. A modified version of the Asus-WRT Merlin firmwares will be available for download soon.
List of Supported Routers
- RT-N66 (U and R)
- RT-AC66 (U and R)
- RT-AC56 (U and R)
- RT-AC68 (U and R)
They’re all excellent routers in any case 😀
Many of you asked us whether we accept BitCoins.
One of the main problems with BitCoins was that in Malaysia, exchanging BitCoins into Malaysian Ringgit was a very troublesome process and involved massive transaction fees, which did not make it viable.
We think we finally found an acceptable solution to this and we’re pleased to accept BitCoins as a trial run and see how it all pans out.
BitCoin’s main advantage is that it is anonymous, which is ideal for those seeking privacy even from payment processors when buying a VPN service.
To encourage use of BitCoins during this trial period, we’ll be giving an extra day free for any account purchased using BitCoin in the month of January 2013. We’ll still have to process BitCoin payments manually, like Liberty Reserve, for the time being until we see how popular it is :D.