I'm a co-founder at WonderProxy, we didn't make their list (we target people doing application testing, not consumer VPNs).
We're in 100+ countries, and I'll stand by that claim. It's a huge pain in the neck. In our early years we had a lot of problems with suppliers claiming to be in Mexico or South America who were actually just in Texas. I almost flew to Peru with a rackmount server in my luggage after weeks of problems, that plan died when we realized I'd need to figure out how to pay Peruvian income tax on the money I made in country before I could leave.
We've also had customers complaining that a given competitor had a country we'd had trouble sourcing in the Middle East. A little digging on our part and it's less than a ms away from our server in Germany.
I work for IPinfo. I have raised a ticket internally, but I think we focused on consumer VPNs for this test.
For our ProbeNet, we are attempting to reach 150 countries (by ISO 3166's definition). We are at around 530 cities. Server management is not an easy task. We do not ship hardware, but operate using dedicated servers, so this reduces one layer of complexity.
To maintain the authenticity of our server locations, we utilize cross-pings and network traffic behavior detection. If any abnormality is detected, the server will be immediately disabled to prevent polluting our data. There will be a ticket to investigate what went wrong.
We pay for each (excluding 3 to 4 servers where the owner and the team really like us and insist on sponsoring) server. Expansion is an active effort for us, as there are 70k ASNs and about 100 more countries where we do not have a server.
We hope to partner with more ASNs, particularly residential ISPs and IXPs. So, a lot of effort is put into active outreach through WhatsApp, emails, social media and phone calls. We use a number of different data-based techniques to identify "leads".
I know multiple people who worked / working at Mullvad and they take their business, security and privacy _very_ seriously. Not surprised to see them shine here.
When they wrote that 3 providers were honest about all locations I have to admit my first thought was "Mullvad, and who would the other two be?"
With their reputation and track record they really can't do any shady tricks. Imagine if they weren't among the 3 honest providers? That would be HN frontpage news.
At risk of sounding sales-pitchy: Mullvad is the only VPN that the longer I use, the more I like it. I've tried MANY competitors first and all the other ones so far seem to only get worse over time.
I love that I can pay directly with a crypto wallet and have true anonymity.
Has anyone else from Europe noticed how Mullvad's speeds and latency have become worse and worse during peak times in recent months? I now have to change servers regularly, which was never the case ~2 years ago.
> Mullvad ... security and privacy _very_ seriously. Not surprised to see them shine here.
? TFA reflects on dishonest marketing on part of public VPN providers more than privacy / security.
That said, VPNs don't add much security, though, they are useful for geo unblocking content and (at some level) anti-censorship. In my experience, the mainstream public VPNs don't really match up to dedicated censorship-resistant networks run by Psiphon, Lantern, Tor (and possibly others).
I'm a big VPN user since I am the citizen of one country and the resident of another. Even for government services I have to use a VPN. I tried to access the bureau of statistics of my home country through my foreign residential IP and got 404s on all pages. Enabled VPN and everything magically started working. For watching the election result video stream I also had to VPN but at least that one gave me a clear message. For doing taxes in my home country I then have to disable VPN since all VPN access is blocked but it's OK to use a foreign residential IP.
I would easily pay €30 a month for a VPN in my home country that uses a residential IP and isn't noticeable. I am aware that those exist, but 99% of them are shady.
Do you have friends or family in your home country that will run an AppleTV box with Tailscale for you as an exit node?
I can't get into work from a non-US IP, but I can Tailscale back to my house and it works just fine. I even gave my in-laws (who live several states away) an AppleTV box running TS just to have another endpoint if for some reason the power goes out at my house while I'm gone (rare, but happens).
I built TunnelBuddy (tunnnelbuddy.net) just for this. I am the same: citizen of one country and resident of another. I have multiple friends and family where I am from. I get them to open tunnelbuddy (nobody needs to sign up), to share a one-off password (like TeamViewer) and I get to access the internet as if I was at their place.
Underneath, it uses WebRTC (the same tech as Google Meet). It is free to use, I just built it to fix this problem that I have... I am quite surprised expats only get by using a traditional VPN whose IPs are known by online services...
> I would easily pay €30 a month for a VPN in my home country that uses a residential IP and isn't noticeable. I am aware that those exist, but 99% of them are shady.
For residential IPs you can't even pay per month like normal VPNs, normally they charge per GB, usually over $2 USD per GB.
Interesting to learn you can identify the real country/area of origin using probe latency. Though could this be simulated? Like what if the VPN IP just added 100ms-300ms of latency to all of its outgoing traffic? Ideally vary the latency based on the requesting IP's location. And also just ignore typical probe requests like ICMP (ping). And ideally all the IPs near the end of the traceroute would do all this too.
To use an example, 74.118.126.204 claims to be a Somalian IP address, but ipinfo.io identifies it as being from London based on latency. Compare `curl ipinfo.io/74.118.126.204/json` vs `curl ipwhois.app/json/74.118.126.204` to see. If that IP ignored pings and added latency to all outgoing packets, I wonder if that would stymie ipinfo's ability to identify its true origin.
[IPinfo] pings an IP address from multiple servers across the world and identifies the location of the IP address through a process called multilateration. Pinging an IP address from one server gives us one dimension of location information meaning that based on certain parameters the IP address could be in any place within a certain radius on the globe. Then as we ping that IP from our other servers, the location information becomes more precise. After enough pings, we have a very precise IP location information that almost reaches zip code level precision with a high degree of accuracy. Currently, we have more than 600 probe servers across the world and it is expanding.
In my first job out of school, I did security work adjacent to Fortune 50 banks and the (now defunct) startup I worked at partnered with some folks working on Pindrop (https://www.pindrop.com/).
Their whole thing at the time was detecting when it was likely that a support call was coming from a region other than the one the customer was supposed to be in (read: fraudulent) by observing latency and noise on the line (the name is a play on "We're listening closely enough to hear a pin drop".)
Long story short, it's a lot more than just the latency that can clue someone in on the actual source location, and even if you introduce enough false signal to make it hard to identify where you actually are, it's easy to spot that and flag you as fake, even if it's hard to say exactly what the real source is.
Latency is only one dimension of the data we process.
We are pinging IP addresses from 1,200+ servers from 530 cities, so if you add synthetic latency, chances are we can detect that. Then the latency-related location hints score will go down, and we will prioritize our dozens of other location hints we have.
But we would welcome seeing if anyone can fool us in that way. We would love to investigate that!
This can fool someone from one location and only in one way (if you are near Somalia and expect a 10ms latency, a virtual VPN can't reduce latency to simulate being in Somalia).
So it has to be dynamic to fool multiple locations to stay probable.
But anyway, *you can't fool the last-hop latency* (unless you control it, but you can control all of it), and basically it's impossible to fool that.
Does this really work? I would think the ping time would not be dominated by speed of light, but by number of hops, and connection quality.
As a hypothetical example, an IP in a New York City data center is likely to have a shorter ping to a London data center than a rural New York IP address.
It's possible to deduce password hashes by timing responses over the internet if the server isn't using constant time comparison. Noise is just that, a noise.
I tried to use ProtonVPN when I switched over to ProtonMail a year ago. But so much of the web does not work when you're on a VPN. For example even HackerNews has VPN restrictions. More and more sites know where VPN endpoints originate. How will VPNs prevent this in the future without them just becoming easy to block?
They can ban VPNs and Tor because it's affordable. Most of their users aren't using VPNs or Tor. Get enough people to use VPNs and Tor and they'll suddenly become unable to drop the traffic.
The ideal world is one where everyone is using Tor. They can only discriminate against you if you're different from others. The idea behind Tor is to make everyone look like the same user. The anonymity set must be maximized for that to work.
Even worse is the Reddit approach, where leaving your VPN on will get your account shadow banned permanently. But you are not notified of that, so if you are wondering why nobody is replying to your comments, check in a private session if you can visit your profile page.
As VPN usage proliferates such discrimination starts hurting sites more. For example, a VPN may be left on by a user for whatever reason and when the site they visit doesn't work or makes them jump through hoops they are less likely to visit the site in the future or view it with contempt and abandon it as soon as they are made aware of an alternative.
It takes time for sites to realize the danger, especially with mobile users where fiddling with a VPN is often more hassle than it's worth and it's just left always on. It's often a good idea to impersonate a mobile user agent for this reason as some sites (or perhaps Cloudflare?) started treating them differently. The impersonation needs to be done well (SSL and HTTP fingerprints should also match mobile).
Usually, the more expensive the VPN offering the better the reputation of their IPs. Avoid VPNs that have any kind of free tier like the plague.
Another related but non-VPN story related to IP geolocation:
Big tech companies (most notably Google) are using the location permission they have from the apps / websites on the user's phones / browsers to silently update their internal IP geolocation database instead of relying on external databases and claims of IP owners (geofeed etc). And this can be hyper-sensitive.
I was traveling back home in China last year and was using a convoluted setup to use my US apartment IP for US based services, LLM and streaming. Days into the trip and after coming back, I found that Google has been consistently redirecting me to their .hk subdomain (serving HK and (blocked by gov) mainland China), regardless of if I was logged in or not. The Gmail security and login history page also shows my hometown city for the IP. I realized that I have been using Google's apps including YouTube, Maps and so on while granting them geolocation permission (which I should not do for YouTube) in my iPhone while on the IP and in my hometown.
After using the same IP again in the US with Maps and so on for weeks and submitting a correction request to Google, it comes back to the correct city. (The tricks of restarting the modem / gateway, changing MAC address to get a new IP is not working somehow this time with my IS.
Some of our (IPinfo) services are hosted on GCP, and because our service is widely used (with 2 trillion requests processed in 2024) people sometimes say they cannot access our service. It is usually due to how Google's device-based IP geolocation is used. The user's IP address is often mistakenly identified as being located in a country where Google does not offer service.
I have seen a Europe-based cloud hosting provider's IP ranges located in countries where Google does not provide service. This is because these IP ranges are used as exit nodes by VPN users in that country.
Device-based IP geolocation is strange. We prefer IP geolocation based on the last node's IP geolocation. We hope to collaborate with Google, Azure, and other big tech on this if they reach out to us.
That seems reasonable, but they seem to be suffering their own problem with UI and UX design by not making that inherently clearer.
I was getting a bit disappointed about Proton based on this evaluation even though the only problem I’ve had is their really lacking client UI/UX. They should make that visualization clearer. I don’t know the answer, but maybe offering a toggle or expansion for virtualized servers, might be a step in the right direction.
The design issues seem to be a common challenge with Proton. The VPN client functions, but it is really grating how basic it is. You can’t even sort, let alone filter servers by load, let alone performance; so you’re scrolling through hundreds of servers. You can’t add regions or even several servers to create a profile with a priority, you have to pick a single server, among hundreds if not thousands in some countries. Oh, and as you’re scrolling through hundreds of servers for a single country, it’s a view of something like 10 lines high.
In summary, the location at which an IP egresses Cloudflare network has nothing to do with the geo-ip mapping of that IP. In some cases the decision on where to egress is optimised for "location closest to the user", but this is also not always true.
And then there is the Internet. Often some country (say Iran) egresses from a totally different place (like Frankfurt) due to geopolitics and just location of cables.
So, there is a dashboard internally for that. When we do ProbeNet PoP assessment, we have a high-level overview of the frequent and favored connections. We have a ton of servers in Africa, and there is a strong routing bias towards France, Germany, and the UK instead of neighboring connections.
Everyone in our engineering and leadership is very close with various CDN companies. We do echo this idea to them. It is not IP geolocation; we actually have a ton of routing data they can use.
I am not sure that I really understand what they did. I am also missing some major VPNs in the list.
I currently use AirVPN but this has something to do with my use case and pricing.
> I am not sure that I really understand what they did.
They checked where the VPN exit nodes are physically located. A lot of them are only setting a country in the whois data for the IP, but do not actually put the exit node in that country.
Can really spot someone who has never had to deal with OFAC with a comment like this. Even if I don't necessarily agree with the concept, or who is actually being blocked, my business is dead in the water if I'm a) sent to prison or b) fined out of existence.
Geographic IP information is one of our best tools to defend against those outcomes, and if anything it should be better.
It was a great session and we received a lot of questions. We attend different NOG conferences regularly. ISPs are incentivized to help us by providing good data. Although we are agnostic about adversarial geofeeds, ISPs themselves need to work with us to ensure good quality of service to their users.
We already do quite a lot of outreach, in fact, most network engineers in the ISP industry across the world are familiar with us. But if any ISP operator has any feedback for us, we are only an email (or even a social media comment) away.
With CGNAT becoming more widespread, formats like this might need expansion to include location data for ports. I.e., ports 10,000-20,000 are consumers in New York, port numbers 20000-30000 are in Boston, etc.
Contrasting take: RTT and a service providing black box knowledge is not equivalent to knowledge of the backbone. To assume traffic is always efficiently routed seems dubious when considering a global scale. The supporting infrastructure of telecom is likely shaped by volume/size of traffic and not shortest paths. I'll confess my evaluation here might be overlooking some details. I'm curious on others' thoughts on this.
They don't have to assume that traffic is efficiently routed, on the contrary if they can have a <1ms RTT from London to a server, the speed of light guarantees that that server is not in Mauritius EVEN if the traffic was efficiently routed.
It just can't be outside England, just one 0.4ms RTT as seen here is enough to be certain that the server is less than 120 km away from London (or wherever their probe was, they don't actually say, just the UK).
RTT from a known vantage point gives an absolute maximum distance, and if that maximum distance is too short then that absolutely is enough to ascertain that a server is not in the country it claims to be.
The speed of light provides a limit on distance for a given RTT, and taking the examples in the article which are less than 0.5ms and considering the speed of light (300km/ms) the measured exit countries must be accurate.
The speed of light in fiber which probably covers most of the distance is also even slower due to refraction (about 2/3).
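Added example (not part of any comment in this thread, and not IPinfo's own code): the one-sided speed-of-light check discussed above, extended to several probes in the spirit of the multilateration description quoted earlier. Probe names, coordinates and RTT values are constructed sample data, and the function names are hypothetical.

```python
"""Speed-of-light feasibility check for a claimed server location.

All probes, coordinates and RTTs here are constructed sample data.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

C_KM_PER_MS = 299.792458   # speed of light in vacuum, km per millisecond
FIBER_FACTOR = 2 / 3       # approximate propagation speed in fiber, relative to c
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Probe:
    name: str
    lat: float
    lon: float
    min_rtt_ms: float      # lowest RTT this probe observed to the target IP


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = p2 - p1, radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def max_distance_km(rtt_ms, medium_factor=1.0):
    """Upper bound on probe-to-target distance implied by a round-trip time.

    The packet covers the distance twice, so only half the RTT counts.
    medium_factor=1.0 is the hard physical limit (vacuum); FIBER_FACTOR
    gives a tighter, more realistic bound.
    """
    if rtt_ms <= 0:
        raise ValueError("RTT must be positive")
    return (rtt_ms / 2.0) * C_KM_PER_MS * medium_factor


def violations(claim_lat, claim_lon, probes, medium_factor=1.0):
    """Probes whose RTT is too low for the target to be at the claimed spot.

    Returns (probe name, distance to claim in km, max possible distance in km).
    """
    found = []
    for p in probes:
        dist = haversine_km(p.lat, p.lon, claim_lat, claim_lon)
        limit = max_distance_km(p.min_rtt_ms, medium_factor)
        if dist > limit:
            found.append((p.name, round(dist, 1), round(limit, 1)))
    return found


def verdict(claim_lat, claim_lon, probes, medium_factor=1.0):
    """'impossible' if any probe rules the claim out, else 'not ruled out'.

    The test is one-sided: a low RTT disproves a distant claim, but a high
    RTT (congestion, detours, added delay) never proves one.
    """
    if violations(claim_lat, claim_lon, probes, medium_factor):
        return "impossible"
    return "not ruled out"


# Constructed measurements for one target IP.
PROBES = [
    Probe("London", 51.5074, -0.1278, 0.4),
    Probe("Frankfurt", 50.1109, 8.6821, 13.0),
]
MOGADISHU = (2.0469, 45.3182)    # claimed location under test
NEAR_LONDON = (51.52, -0.10)     # alternative claim close to the London probe

if __name__ == "__main__":
    for label, claim in (("Mogadishu", MOGADISHU), ("near London", NEAR_LONDON)):
        print(label, verdict(*claim, PROBES), violations(*claim, PROBES))
```

A single sub-millisecond probe is enough to rule out a distant claim; the remaining probes only shrink the region that is still possible.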
We (I work for IPinfo) talk about latency because it is a thread that you can start from when exploring our full depth of data.
We are the internet data company and our ProbeNet only represents a fraction of our investment. Through our ProbeNet, we run ping, traceroute, and other active measurements. Even with traceroute we understand global network topology. There are dozens and dozens of hints of data.
We are tapping into every aspect of the internet data possible. We are modeling every piece of data that is out there, and through research, we are coming up with new sources of data. IP geolocation is only a product for us. Our business is mapping internet network topology.
We are hoping to work with national telecoms, ISPs, IXPs, and RIRs to partner with them, guiding and advising them about data-driven internet infrastructure mapping.
This article fails to distinguish between false claims and true claims - VPN providers sometimes explicitly mark some locations as virtual, so there is no mismatch between the claim and the real exit as the title says, because the original claim was never "Bahamas is a physical exit".
I use Mullvad through Tailscale’s exit‑node integration, and it’s awesome. They are the only provider I trust these days.
To highlight virtual routing: it’s useful in scenarios where a country blocks VPNs but you still need an IP from that country to browse local websites. In such cases, virtual routing comes in handy. For example, when India required all VPN servers in the country to log user traffic, Proton moved its Indian server to Singapore and used virtual networking tricks to continue offering an Indian IP address.
I work for IPinfo. I am not sure what routing tricks Proton uses. I have looked into the smart routing and stealth protocol related documentation. I am not sure if Proton does anything unique when it comes to IP location. I am not saying this officially, but I am just curious here.
'Virtual' VPN server geolocation involves informing IP geolocation providers that their Singaporean servers are located in India. We looked into data and latency-based locations, but the industry at large uses self-reported location information for their data. So, if you use a service that uses IP geolocation provider (that is not us) they will just tell them that the Singaporean IP address is located in India, because that is the information they have and they do not have any other ways to verify it. But at the end of the day, the location information is coming from the VPN itself.
I could be wrong, and there could be technology and technique I am missing, so I am happy to learn. The blog is written by our founder who is accessible to the Proton team if they want to share their feedback with us.
Just an aside, and not trying to excuse the potential VPN operator's misrepresentation.
Regulatory accepted establishment of "country" location might not always be what layman think.
I knew of a server rack physically in a Brussels, Belgium datacenter that was for regulatory purposes declared to be Luxembourg territory (as Luxembourg at the time had specific rules on domestic data processing).
I searched for a VPN which can be paid in crypto and is OSS friendly. Mullvad and IVPN were in the list, and these also do not lie about exits.
IVPN bought me with very deep transparency into company and WRT support, on top of Linux and Android.
I get maximal longest sub in one payment.
Mullvad is under North EU jury, IVPN under Gibraltar (which is not exactly UK). So decided offshore like place also more safe against VPN control attempts.
Searched for decentralized VPNs(like TOR, but you pay for speed and do not care onions) some time ago too, we are not there yet.
I can't connect to this site because my adblocker doesn't like it. It seems to be on the bad-domain-list https://www.cromite.org/filters/badblock_lite.txt.
Now is the question: is ipinfo.io on this list for a good reason?
This is interesting because for some people, it would be a feature to be operating with, say, a US VPN tunnel that is “on paper” in the Bahamas. Better latency. For instance, the average person downloading Torrents.
Of course, for the most high-stakes stuff if you were worried about some kind of major state level actors or something, you want to keep a very tight control over where your actual traffic is physically transiting. So it seems only proper that they disclose these discrepancies to customers.
Even still, I suspect encryption and proper lack of logs provides sufficient cover for most people for most actually likely threats.
Is there any real-life situation in which this matters, though?
If you're picking a country so you can access a Netflix show that geolimits to that country, but Netflix is also using this same faulty list... then you still get to watch your show.
If you're picking a country for latency reasons, you're still getting a real location "close enough". Plus latency is affected by tons of things such as VPN server saturation, so exact geography isn't always what matters most anyways.
And if your main interest is privacy from your ISP or local WiFi network, then any location will do.
I'm trying to think if there's ever a legal reason why e.g. a political dissident would need to control the precise country their traffic exited from, but I'm struggling. If you need to make sure a particular government can't de-anonymize your traffic, it seems like the legal domicile of the VPN provider is what matters most, and whether the government you're worried about has subpoena power over them. Not where the exit node is.
Am I missing anything?
I mean, obviously truth in advertising is important. I'm just wondering if there's any actual harm here, or if this is ultimately nothing more than a curiosity.
Attempting to use a VPN location in Somalia and actually getting routed to an exit in Paris or London is not what I would consider "close enough". That's off by 3000 miles. That's like claiming to be in the Amazon Rainforest in Brazil while being in Montreal, Canada. And apparently 28% of locations are off by at least this much
And if I do it for privacy, the actual exit location seems very relevant. Even if I trust the VPN provider to keep my data safe (which for the record I wouldn't with the majority of this list), I still have to consider what happens to the data on either end of the VPN connection. I'm willing to bet money that any VPN data exiting in London is monitored by GCHQ, while an exit in Russia probably wouldn't be in direct view of NSA and GCHQ
Yes. Let’s take an extreme example: you think you exit in Japan, but you’re actually exiting in China. This means your traffic will be analyzed and censored by China.
The routers don’t care about where the provider says the IP comes from. If the packet travels through the router, it gets processed. So it very much matters if you do things that are legal in one country, but might not be in another. You know, one of the main reasons for using VPNs.
> Is there any real-life situation in which this matters, though?
You’d be shocked at the number of people in regulated industries that think a VPN inherently makes them more secure. If you think your traffic exits in the US and it exits in Canada — or really anywhere that isn’t the US — that can cause problems with compliance, and possibly data domicile promises made to clients and regulators.
At minimum, not being able to rely on the provider that you are routing your client’s data through is a big deal.
Using FreeBSD dummynet it’s possible to modify the characteristics of network traffic and emulate e.g. Somalia performance from a datacenter in France.
That was actually a great article. For us, that is like a crowdsourced bug hunting program. We actually got duped ourselves, and we appreciate the author.
We added additional features for location hint modeling and selection for IPv6 networks. There are a handful of open engineering tickets to understand more about the entire internet infrastructure of the country. Of course, hosting a probe server out there would be helpful.
And it's super easy to do. I had my own ASN and my own IPv4 and IPv6 address space, you basically just write whatever you want into RIPE Database objects (or ARIN, APNIC etc.) Today your IP space can be in one country, and tomorrow in a different one.
Yeah, happens to other “vpn” solutions like zero trust solutions like Zscaler. Logs say the user is in Buffalo, IP is in Toronto. Same for users on the southern border, US location and Mexican IP.
Zscaler enrages me with their use of the term "zero trust" in marketing, because due to their MitM-ing of TLS, they become a single-point-of-interception for all your organisation's traffic. "100%-trust" would better describe it for me, as you have to have 100% trust of Zscaler and anyone who has admin access to your organisation's Zscaler account.
Most of these providers are in fact open about the fact that these locations are “virtual”, so it’s misleading to say they don’t match where they claim to be.
There is however an interesting question about how VPNs should be considered from a geolocation perspective.
Should they record where the exit server is located, or the country claimed by the VPN (even if this is a “virtual” location)? In my view there is useful information in where the user wanted to be located in the latter case, which you lose if you only ever report the location of servers.
(disclaimer: I run a competing service. we currently provide the VPN reported locations because the majority of our customers expect it to work that way, as well as clearly flagging them as VPNs)
Our product philosophy is centered on accuracy and reliability. We intentionally diverge from the broader IP geolocation industry's trust-based model. Instead of relying primarily on "aggregation and echo", we focus on evidence-backed geolocation.
Like others in the industry, we do ingest self-reported IP geolocation data, and we do that well. Given our scale and reputation, we receive a significant volume of feedback and guidance from network operators worldwide. We actively conduct outreach, and exchange ideas with ISPs, IXPs, and ASNs. We attend NOG events, participate in research conferences, and collaborate with academia. We have a community and launch hackathon events, which allow us to talk to all the stakeholders involved.
Where we differ is in who our core users are. Our primary user base operates at a critical scale, where compromises on data accuracy are simply not acceptable. For these users, IP geolocation cannot be a trust-based model. It must be backed by verifiable data and evidence.
We believe the broader internet ecosystem benefits from this approach. That belief is reflected in our decision to provide free data downloads, a free API with unlimited requests, and active collaboration with multiple platforms to make our data widely accessible. Our free datasets are licensed under CC-BY-SA 4.0, without an EULA, which makes integration, even for commercial use, straightforward.
I appreciate you recognizing that our product philosophy is different. We are intentionally trying to differentiate ourselves from the industry at large, and it is encouraging to see competing services acknowledge that they are focused on a different model.
The one I noticed was after the Texas porn age verification laws went into effect. Setting my VPN to be in Texas was different than when actually connecting to Texas when I visited.
Oh wow, I had no idea that “virtual location” is even a thing. Imo it should not, I don’t even see a use case for that, it just seems like straight-up lying about the traffic exit location.
Glad to see the provider I occasionally use, Mullvad, passed the test.
Many providers in the list, such as PIA, warn the user when a virtual location is chosen. The point is to get a wider range of countries. Most websites, such as YouTube and Netflix, are fooled by the virtual locations, so it works!
I used a VPN that had a virtual location of China for a while, which avoided ads on some websites; China blocks those sites, so those sites don't have any ads in China, but the VPN exit wasn't actually in China so it could reach the sites fine.
Extremely disappointed to see ProtonVPN in this list. Despite others claiming about their smart routing as being a disclaimer of sorts, I am still disappointed that it was never explicitly clear that our privacy was still at stake.
Never heard of Windscribe but their homepage has "Become American" as a feature.
> Are you sick of not having access to foreign oil? Do you love using advanced weapons to fuck up someone’s day? Obsessed with manipulating your financial records to make yourself look more successful than you are?
I seriously don't quite understand the point of using a VPN that doesn't offer you clean residential IPs somehow (and I don't really know good VPN like that). Most services where I really want to use VPN are well aware of VPN IP blocks and just won't allow any of these famous VPNs (that I am aware of, at least). And services that don't care if it's my real IP or not… well, usually I don't really care about exposing them to my real IP either?
I mean, ok, there are use-cases. But commercial VPNs exist under specific premise, you know, and they just don't offer what they claim to be offering. Unfortunately.
I also use Mullvad VPN exclusively for my VPN needs. The fact I can get 6 months of access with a scratch card bought from a store & my account is just a random integer number is an example of privacy by design: no email, no phone numbers, no credit cards. I don't even do anything illegal, I'd just rather have a (what I feel) trusted option when I want to browse the Internet anonymously.
This seems like circumstantial evidence for most VPN providers mostly serving customers who are in the business of spreading targeted misinformation on social media.
No, the article does not make this conclusion at all! It was carefully written to highlight the nature of virtual locations of VPN exit nodes and does not make such conclusions.
The article is written by our founder, who is accessible to the VPN industry at large and is open to feedback and comments.
well to be fair it's not always important to have the server at the geoip since a lot of the time you can measure the real latency of a user behind an ip address anyway.
the only important bit is that it is made clear whenever a given country falls under some category that allows things such as traffic analysis and cataloging.
it's actually often times preferable to lie about the server location for lower latency access geo-blocked content, particularly when accessing US geo-restricted content in europe.
if you want true privacy you have to use special tools that not only obfuscate the true origin, but also bounce your traffic around (which most of these vpns provide as an option)
Actually, most VPN providers explicitly label the virtual locations as such, I think the famous ones at least do it (ex: Proton and NordVPN even explain them in their respective docs).
I get advertisements for VPN providers almost everywhere. I've never been interested, but I do subscribe to Mullvad via Tailscale. So, I'm thankful and appreciative that they did their due diligence and partnered with a reputable provider. I've been very happy with the service.
Edit: Welp. How could this possibly be my most downvoted comment. Am I not entitled to an opinion? I ain't no AI.
I work for IPinfo. We provide IP geolocation and VPN detection services. We identify which IP addresses are associated with a VPN and the actual location of the IP address.
We have not collaborated with any VPN companies for the report and have not even requested permission or pre-draft approvals. We had the data of what we were seeing and published a report based on that. We have published a ton of resources around the nature of VPN location in the past. Our focus is on data accuracy and transparency.
After the article was published, we received feedback from only a single VPN provider - Windscribe (https://x.com/ipinfo/status/1998440767170212025). I do not think anyone from Mullvad, iVPN, or any other VPN company has reached out to our team or our founder yet.
We are happy to take feedback and comments and are even open to a follow-up!
This was a dumb study, and if they'd asked the VPN providers, I'm sure someone would tell them why.
All the VPN providers I've used let you select the endpoint from a dropdown menu. I'm not using a VPN to make it appear I'm in Russia, I'm using it as one of many tools to help further my browsing privacy.
My endpoint is one of 2 major cities that are close to me. Could I pick some random 3rd world country? Sure! That isn't the goal. The goal is to prevent my mostly static IP address from being tied to sites I use every day.
EDIT:
Small point of clarification:
All the VPN providers I use have custom or 3rd party software that allows you to select a location for the VPN. All of the VPN providers I've used also select the location with the lowest ping times as a default. I suspect most folks are just sticking with the defaults. I certainly haven't strayed outside the US/EU for any of my attempts. I have occasionally selected an EU location for specific sites not available in the US, where I live, but beyond that?
That's great for you. But some people need to pick a specific country. People in different countries often get different prices for things like airline tickets or online subscriptions. Maybe you need to appear from a particular country to access certain media.
I mostly use it to avoid exposing my IP address too, but if I knew my VPN was comfortable with a little light fraud, I'd be concerned about what else they're comfortable with.
That may be your use case, but by no means is it reflective of anyone else's. I live in a country that actively blocks and limits your connectivity to (ordinarily) public websites. Choosing an exit point that's in a different country is very relevant and important.
Re: random countries, sometimes with PIA the Panama exit has a crazily low ping time (I'm physically in California). I wonder what leads to it? Hawaii I can understand, there's a cable landing not far from my physical location, but Panama is a mystery to me.
preinheimer|2 months ago
reincoder|2 months ago
reimertz|2 months ago
pzmarzly|2 months ago
Seems like there are VPNs, and then there are VPNs.
t0mas88|2 months ago
With their reputation and track record they really can't do any shady tricks. Imagine if they weren't among the 3 honest providers? That would be HN frontpage news.
citizenpaul|2 months ago
I love that I can pay directly with a crypto wallet and have true anonymity.
spiffytech|2 months ago
super256|2 months ago
ignoramous|2 months ago
> Mullvad ... security and privacy _very_ seriously. Not surprised to see them shine here.
? TFA reflects on dishonest marketing on part of public VPN providers more than privacy / security.
That said, VPNs don't add much security, though, they are useful for geo unblocking content and (at some level) anti-censorship. In my experience, the mainstream public VPNs don't really match up to dedicated censorship-resistant networks run by Psiphon, Lantern, Tor (and possibly others).
systemtest|2 months ago
I would easily pay €30 a month for a VPN in my home country that uses a residential IP and isn't noticeable. I am aware that those exist, but 99% of them are shady.
devilbunny|2 months ago
I can't get into work from a non-US IP, but I can Tailscale back to my house and it works just fine. I even gave my in-laws (who live several states away) an AppleTV box running TS just to have another endpoint if for some reason the power goes out at my house while I'm gone (rare, but happens).
xrmagnum|2 months ago
Underneath, it uses WebRTC (the same tech as Google Meet). It is free to use, I just built to fix this problem that I have... I am quite surprised expats only get by using a traditional VPN whose IPs are known by online services...
chmod775|2 months ago
simlevesque|2 months ago
For residential IPs you can't even pay per month like normal VPNs, normally they charge per GB, usually over $2 usd per GB.
jddj|2 months ago
varenc|2 months ago
To use an example, 74.118.126.204 claims to be a Somalian IP address, but ipinfo.io identifies it as being from London based on latency. Compare `curl ipinfo.io/74.118.126.204/json` vs `curl ipwhois.app/json/74.118.126.204` to see. If that IP ignored pings and added latency to all outgoing packets, I wonder if that would stymie ipinfo's ability to identify its true origin.
ignoramous|2 months ago
horsawlarway|2 months ago
In my first job out of school, I did security work adjacent to fortune 50 banks and the (now defunct) startup I worked at partnered some folks working on Pindrop (https://www.pindrop.com/).
Their whole thing at the time was detecting when it was likely that a support call was coming from a region other than the one the customer was supposed to be in (read: fraudulent) by observing latency and noise on the line (the name is a play on "We're listening closely enough to hear a pin drop".)
Long story short, it's a lot more than just the latency that can clue someone in on the actual source location, and even if you introduce enough false signal to make it hard to identify where you actually are, it's easy to spot that and flag you as fake, even if it's hard to say exactly what the real source is.
reincoder|2 months ago
We also run traceroutes. Actually, we run a ton of active measurements from our ProbeNet. The amount of location data we process is staggering.
https://ipinfo.io/probenet
Latency is only one dimension of the data we process.
We are pinging IP addresses from 1,200+ servers from 530 cities, so if you add synthetic latency, chances are we can detect that. Then the latency-related location hints score will go down, and we will prioritize our dozens of other location hints we have.
But we do welcome to see if anyone can fool us in that way. We would love to investigate that!
justinsaccount|2 months ago
If they added latency to all packets then London would still have the lowest latency.
_ache_|2 months ago
But anyway, *you can't fool the last-hop latency* (unless you control it, but you can control all of it), and basically it's impossible to fool that.
____tom____|2 months ago
As a hypothetical example, an IP in a New York City data center is likely to have a shorter ping to a London data center than a rural New York IP address.
rplnt|2 months ago
deegles|2 months ago
paranoidrobot|2 months ago
The VPN provider only controls their network, not their upstream.
So you can set minimum latency on your responses. But your upstream networks won't be doing this.
oncallthrow|2 months ago
debian3|2 months ago
dtgriscom|2 months ago
why-o-why|2 months ago
HotGarbage|2 months ago
If VPN usage becomes the norm, sites will have to give in eventually.
matheusmoreira|2 months ago
The ideal world is one where everyone is using Tor. They can only discriminate against you if you're different from others. The idea behind Tor is to make everyone look like the same user. The anonymity set must be maximized for that to work.
systemtest|2 months ago
coppsilgold|2 months ago
It takes time for sites to realize the danger, especially with mobile users where fiddling with a VPN is often more hassle than it's worth and it's just left always on. It's often a good idea to impersonate a mobile user agent for this reason as some sites (or perhaps cloudflare?) started treating them differently. The impersonation needs to be done well (SSL and HTTP fingerprints should also match mobile).
Usually, the more expensive the VPN offering the better the reputation of their IPs. Avoid VPNs that have any kind of free tier like the plague.
khannn|2 months ago
Mullvad just worked everywhere. I'm going back when my year plan on Proton ends.
yieldcrv|2 months ago
mbesto|2 months ago
barfoure|2 months ago
ericdiao|2 months ago
Big techs (most notably Google) are using the location permission they have from the apps / websites on the user's phones / browsers to silently update their internal IP geolocation database instead of relying on external databases and claims of IP owners (geofeed etc). And this can be hyper-sensitive.
I was traveling back home in China last year and was using a convoluted setup to use my US apartment IP for US based services, LLM and streaming. Days into the trip and after coming back, I found that Google has been consistently redirecting me to their .hk subdomain (serving HK and (blocked by gov) mainland China), regardless of if I was logged in or not. The Gmail security and login history page also shows my hometown city for the IP. I realized that I have been using Google's apps including YouTube, Maps and so on while granting them geolocation permission (which I should not do for YouTube) in my iPhone while on the IP and in my hometown.
After using the same IP again in the US with Maps and so on for weeks and submitting a correction request to Google, it comes back to the correct city. (The tricks of restarting the modem / gateway, changing MAC address to get a new IP is not working somehow this time with my IS.
reincoder|2 months ago
I have seen a Europe-based cloud hosting provider's IP ranges located in countries where Google does not provide service. This is because these IP ranges are used as exit nodes by VPN users in that country.
Device-based IP geolocation is strange. We prefer IP geolocation based on the last node's IP geolocation. We hope to collaborate with Google, Azure, and other big tech on this if they reach out to us.
fguerraz|2 months ago
hopelite|2 months ago
I was getting a bit disappointed about Proton based on this evaluation even though the only problem I’ve had is their really lacking client UI/UX. They should make that visualization clearer. I don’t know the answer, but maybe offering a toggle or expansion for virtualized servers, might be a step in the right direction.
The design issues seem to be a common challenge with proton. The VPN client functions, but it is really grating how basic it is. You can’t even sort, let alone filter servers by load, let alone performance; so you’re scrolling through hundreds of servers. You can’t add regions or even several servers to create a profile with a priority, you have to pick a single server, among hundreds if not thousands in some countries. Oh, and as you’re scrolling through hundreds of servers for a single country, it’s a view of something like 10 lines high.
It’s bonkers
fauigerzigerk|2 months ago
majke|2 months ago
https://blog.cloudflare.com/cloudflare-servers-dont-own-ips-...
In summary, the location at which an IP egresses Cloudflare network has nothing to do with the geo-ip mapping of that IP. In some cases the decision on where to egress is optimised for "location closest to the user", but this is also not always true.
And then there is the Internet. Often some country (say Iran) egresses from a totally different place (like Frankfurt) due to geopolitics and just location of cables.
reincoder|2 months ago
Everyone in our engineering and leadership is very close with various CDN companies. We do echo this idea to them. It is not IP geolocation; we actually have a ton of routing data they can use.
Beijinger|2 months ago
Why do you want to use a VPN?
- Privacy
- Anonymity (hint: don't!)
- unblock geolocation
- torrents
- GFC
The last point is the hardest.
https://expatcircle.com/cms/privacy/vpn-services/
luckylion|2 months ago
They checked where the VPN exit nodes are physically located. A lot of them are only setting a country in the whois data for the IP, but do not actually put the exit node in that country.
Fernandadsc|2 months ago
HotGarbage|2 months ago
If an ISP wants to help their users avoid geoblocking via https://www.rfc-editor.org/rfc/rfc8805.html more power to them.
dustywusty|2 months ago
Geographic IP information is one of our best tools to defend against those outcomes, and if anything it should be better.
reincoder|2 months ago
It was a great session and we received a lot of questions. We attend different NOG conferences regularly. ISPs are incentivized to help us by providing good data. Although we are agnostic about adversarial geofeeds, ISPs themselves need to work with us to ensure good quality of service to their users.
We already do quite a lot of outreach, in fact, most network engineers in the ISP industry across the world are familiar with us. But if any ISP operator has any feedback for us, we are only an email (or even a social media comment) away.
londons_explore|2 months ago
boredatoms|2 months ago
ramity|2 months ago
seszett|2 months ago
It just can't be outside England, just one 0.4ms RTT as seen here is enough to be certain that the server is less than 120 km away from London (or wherever their probe was, they don't actually say, just the UK).
RTT from a known vantage point gives an absolute maximum distance, and if that maximum distance is too short then that absolutely is enough to ascertain that a server is not in the country it claims to be.
Pyrolol|2 months ago
The speed of light in fiber which probably covers most of the distance is also even slower due to refraction (about 2/3).
reincoder|2 months ago
We are the internet data company and our ProbeNet only represents a fraction of our investment. Through our ProbeNet, we run ping, traceroute, and other active measurements. Even with traceroute we understand global network topology. There are dozens and dozens of hints of data.
We are tapping into every aspect on the internet data possible. We are modeling every piece of data that is out there, and through research, we are coming up with new sources of data. IP geolocation is only product for us. Our business is mapping internet network topology.
We are hoping to work with national telecoms, ISPs, IXPs, and RIRs to partner with them, guiding and advising them about data-driven internet infrastructure mapping.
IshKebab|2 months ago
Yeah like... physics. If you're getting sub-millisecond ping times from London you aren't talking to Mauritius.
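The RTT bound discussed in this subthread, written out as an added example (not code from any commenter or from IPinfo): a measured RTT caps the distance to the responder, so a claimed location is physically impossible when any probe sees an RTT below the light-speed minimum for that distance. Probe names, coordinates and RTT values are constructed, and the claimed location is set to Mogadishu to mirror the Somalia/London case mentioned earlier in the thread.

```python
import math

C_KM_PER_MS = 299.792458   # speed of light in vacuum, km per millisecond
FIBER_FACTOR = 2 / 3       # approximate propagation speed in fiber relative to c


def great_circle_km(a, b):
    """Haversine distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def max_distance_km(rtt_ms, factor=FIBER_FACTOR):
    """Upper bound on probe-to-responder distance: half the RTT is one way."""
    return (rtt_ms / 2) * C_KM_PER_MS * factor


def min_rtt_ms(distance_km, factor=1.0):
    """Lowest RTT physics allows over a distance (factor=1.0 is the lenient vacuum bound)."""
    return 2 * distance_km / (C_KM_PER_MS * factor)


def impossible_probes(claimed, measurements, factor=1.0):
    """Names of probes whose measured RTT is below the minimum to the claimed location."""
    hits = []
    for name, (location, rtt_ms) in measurements.items():
        if rtt_ms < min_rtt_ms(great_circle_km(location, claimed), factor):
            hits.append(name)
    return hits


def lowest_rtt_probe(measurements):
    """Probe with the smallest RTT; the responder is nearest to this vantage point."""
    return min(measurements, key=lambda name: measurements[name][1])


def with_added_delay(measurements, delay_ms):
    """Model a responder that adds the same artificial delay to every reply."""
    return {n: (loc, rtt + delay_ms) for n, (loc, rtt) in measurements.items()}


# Constructed sample data: probe -> ((lat, lon), measured RTT in ms).
CLAIMED_MOGADISHU = (2.0469, 45.3182)
MEASUREMENTS = {
    "london": ((51.5074, -0.1278), 0.4),
    "frankfurt": ((50.1109, 8.6821), 12.0),
    "nairobi": ((-1.2921, 36.8219), 150.0),
}

if __name__ == "__main__":
    print("0.4 ms RTT, vacuum bound: %.1f km" % max_distance_km(0.4, factor=1.0))
    print("0.4 ms RTT, fiber bound:  %.1f km" % max_distance_km(0.4))
    for delay in (0, 20, 200):
        padded = with_added_delay(MEASUREMENTS, delay)
        print("delay %3d ms: impossible from %s, lowest RTT at %s" % (
            delay, impossible_probes(CLAIMED_MOGADISHU, padded),
            lowest_rtt_probe(padded)))
```

A uniform added delay can eventually clear the hard bound, but it never changes which probe sees the lowest RTT, so the ordering across vantage points still points at the real location.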
eviks|2 months ago
drewfax|2 months ago
To highlight virtual routing: it’s useful in scenarios where a country blocks VPNs but you still need an IP from that country to browse local websites. In such cases, virtual routing comes in handy. For example, when India required all VPN servers in the country to log user traffic, Proton moved its Indian server to Singapore and used virtual networking tricks to continue offering an Indian IP address.
reincoder|2 months ago
Smart routing documentation: https://protonvpn.com/support/how-smart-routing-works
'Virtual' VPN server geolocation involves informing IP geolocation providers that their Singaporean servers are located in India. We looked into data and latency-based locations, but the industry at large uses self-reported location information for their data. So, if you use a service that uses IP geolocation provider (that is not us) they will just tell them that the Singaporean IP address is located in India, because that is the information they have and they do not have any other ways to verify it. But at the end of the day, the location information is coming from the VPN itself.
I could be wrong, and there could be technology and technique I am missing, so I am happy to learn. The blog is written by our founder who is accessible to the Proton team if they want to share their feedback with us.
PeterStuer|2 months ago
Regulatory accepted establishment of "country" location might not always be what laymen think.
I knew of a server rack physically in a Brussels Belgium datacenter that was for regulatory purposes declared to be Luxemburg territory (as Luxemburg at the time had specific rules on domestic data processing).
dlahoda|2 months ago
I searched for VPNs that can be paid in crypto and are OSS friendly. Mullvad and IVPN were in list, and these also do not lie about exits.
IVPN bought me with very deep transparency into company and WRT support, on top of Linux and Android.
I get maximal longest sub in one payment.
Mullvad is under North EU jury, IVPN under Gibraltar (which is not exactly UK). So decided offshore like place also more safe against VPN control attempts.
Searched for decentralized VPNs(like TOR, but you pay for speed and do not care onions) some time ago too, we are not there yet.
snickerer|2 months ago
reincoder|2 months ago
It redirects to a dead link hosted on aruba.it. I can investigate it.
xp84|2 months ago
Of course, for the most high-stakes stuff if you were worried about some kind of major state level actors or something, you want to keep a very tight control over where your actual traffic is physically transiting. So it seems only proper that they disclose these discrepancies to customers.
Even still, I suspect encryption and proper lack of logs provides sufficient cover for most people for most actually likely threats.
crazygringo|2 months ago
If you're picking a country so you can access a Netflix show that geolimits to that country, but Netflix is also using this same faulty list... then you still get to watch your show.
If you're picking a country for latency reasons, you're still getting a real location "close enough". Plus latency is affected by tons of things such as VPN server saturation, so exact geography isn't always what matters most anyways.
And if your main interest is privacy from your ISP or local WiFi network, then any location will do.
I'm trying to think if there's ever a legal reason why e.g. a political dissident would need to control the precise country their traffic exited from, but I'm struggling. If you need to make sure a particular government can't de-anonymize your traffic, it seems like the legal domicile of the VPN provider is what matters most, and whether the government you're worried about has subpoena power over them. Not where the exit node is.
Am I missing anything?
I mean, obviously truth in advertising is important. I'm just wondering if there's any actual harm here, or if this is ultimately nothing more than a curiosity.
wongarsu|2 months ago
And if I do it for privacy, the actual exit location seems very relevant. Even if I trust the VPN provider to keep my data safe (which for the record I wouldn't with the majority of this list), I still have to consider what happens to the data on either end of the VPN connection. I'm willing to bet money that any VPN data exiting in London is monitored by GCHQ, while an exit in Russia probably wouldn't be in direct view of NSA and GCHQ
AndroTux|2 months ago
The routers don’t care about where the provider says the IP comes from. If the packet travels through the router, it gets processed. So it very much matters if you do things that are legal in one country, but might not be in another. You know, one of the main reasons for using VPNs.
rynn|2 months ago
You’d be shocked at the number of people in regulated industries that think a VPN inherently makes them more secure. If you think your traffic exits in the US and it exits in Canada — or really anywhere that isn’t the US — that can cause problems with compliance, and possibly data domicile promises made to clients and regulators.
At minimum, not being able to rely on the provider that you are routing your client’s data through is a big deal.
atmosx|2 months ago
mmwelt|2 months ago
[1] https://news.ycombinator.com/item?id=45922850
reincoder|2 months ago
We added additional features for location hint modeling and selection for IPv6 networks. There are a handful of open engineering tickets to understand more about the entire internet infrastructure of the country. Of course, hosting a probe server out there would be helpful.
https://ipinfo.io/countries/kp
We always appreciate feedback like that.
lossolo|2 months ago
nizbit|2 months ago
ris|2 months ago
tallytarik|2 months ago
There is however an interesting question about how VPNs should be considered from a geolocation perspective.
Should they record where the exit server is located, or the country claimed by the VPN (even if this is a “virtual” location)? In my view there is useful information in where the user wanted to be located in the latter case, which you lose if you only ever report the location of servers.
(disclaimer: I run a competing service. we currently provide the VPN reported locations because the majority of our customers expect it to work that way, as well as clearly flagging them as VPNs)
balder1991|2 months ago
reincoder|2 months ago
Our product philosophy is centered on accuracy and reliability. We intentionally diverge from the broader IP geolocation industry's trust-based model. Instead of relying primarily on "aggregation and echo", we focus on evidence-backed geolocation.
Like others in the industry, we do ingest self-reported IP geolocation data, and we do that well. Given our scale and reputation, we receive a significant volume of feedback and guidance from network operators worldwide. We actively conduct outreach, and exchange ideas with ISPs, IXPs, and ASNs. We attend NOG events, participate in research conferences, and collaborate with academia. We have a community and launch hackathon events, which allow us to talk to all the stakeholders involved.
Where we differ is in who our core users are. Our primary user base operates at a critical scale, where compromises on data accuracy are simply not acceptable. For these users, IP geolocation cannot be a trust-based model. It must be backed by verifiable data and evidence.
We believe the broader internet ecosystem benefits from this approach. That belief is reflected in our decision to provide free data downloads, a free API with unlimited requests, and active collaboration with multiple platforms to make our data widely accessible. Our free datasets are licensed under CC-BY-SA 4.0, without an EULA, which makes integration, even for commercial use, straightforward.
I appreciate you recognizing that our product philosophy is different. We are intentionally trying to differentiate ourselves from the industry at large, and it is encouraging to see competing services acknowledge that they are focused on a different model.
LunaSea|2 months ago
fragmede|2 months ago
radicality|2 months ago
timpera|2 months ago
kelvindegrees|2 months ago
MallocVoidstar|2 months ago
drnick1|2 months ago
reaperducer|2 months ago
Turn off your VPN?
neya|2 months ago
https://protonvpn.com/support/how-smart-routing-works
zdc1|2 months ago
> Are you sick of not having access to foreign oil? Do you love using advanced weapons to fuck up someone’s day? Obsessed with manipulating your financial records to make yourself look more successful than you are?
Got a chuckle out of me.
krick|2 months ago
timpera|2 months ago
illusive4080|2 months ago
flumpcakes|2 months ago
drnick1|2 months ago
cedws|2 months ago
cluckindan|2 months ago
Papazsazsa|2 months ago
reincoder|2 months ago
kachapopopow|2 months ago
balder1991|2 months ago
ctippett|2 months ago
reincoder|2 months ago
eek2121|2 months ago
bloppe|2 months ago
ctippett|2 months ago
aerostable_slug|2 months ago