VPN location claims don't match real traffic exits

For our ProbeNet, we are attempting to reach 150 countries (by ISO 3166's definition). We are at around 530 cities. Server management is not an easy task. We do not ship hardware, but operate using dedicated servers, so this reduces one layer of complexity.

To maintain the authenticity of our server locations, we utilize cross-pings and network traffic behavior detection. If any abnormality is detected, the server will be immediately disabled to prevent polluting our data. There will be a ticket to investigate what went wrong.

We pay for each (excluding 3 to 4 servers where the owner and the team really likes us and insists on sponsoring) server. Expansion is an active effort for us, as there are 70k ASNs and about 100 more countries where we do not have a server.

We hope to partner with more ASNs, particularly residential ISPs and IXPs. So, a lot of effort is put into active outreach through WhatsApp, emails, social media and phone calls. We use a number of different data-based techniques to identify "leads".

Seems like there are VPNs, and then there are VPNs.

With their reputation and trackrecord they really can't do any shady tricks. Imagine if they weren't among the 3 honest providers? That would be HN frontpage news.

I love that I can pay directly with a crypto wallet and have true anonymity.

> Mullvad ... security and privacy _very_ seriously. Not surprised to see them shine here.

? TFA reflects on dishonest marketing on part of public VPN providers more than privacy / security.

That said, VPNs don't add much security, though, they are useful for geo unblocking content and (at some level) anti-censorship. In my experience, the mainstream public VPNs don't really match up to dedicated censorship-resistant networks run by Psiphon, Lantern, Tor (and possibly others).

I can't get into work from a non-US IP, but I can Tailscale back to my house and it works just fine. I even gave my in-laws (who live several states away) an AppleTV box running TS just to have another endpoint if for some reason the power goes out at my house while I'm gone (rare, but happens).

Underneath, it uses WebRTC (the same tech as Google Meet). It is free to use, I just built to fix this problem that I have... I am quite surprised expats only get by using a traditional VPN whose IPs are known by online services...

For residential IPs you can't even pay per month like normal VPNs, normally they charge per GB, usually over $2 usd per GB.

In my first job out of school, I did security work adjacent to fortune 50 banks and the (now defunct) startup I worked at partnered some folks working on Pindrop (https://www.pindrop.com/).

Their whole thing at the time was detecting when it was likely that a support call was coming from a region other than the one the customer was supposed to be in (read: fraudulent) by observing latency and noise on the line (the name is a play on "We're listening closely enough to hear a pin drop".)

Long story short, it's a lot more than just the latency that can clue someone in on the actual source location, and even if you introduce enough false signal to make it hard to identify where you actually are, it's easy to spot that and flag you as fake, even if it's hard to say exactly what the real source is.

We also run traceroutes. Actually, we run a ton of active measurements from our ProbeNet. The amount of location data we process is staggering.

https://ipinfo.io/probenet

Latency is only one dimension of the data we process.

We are pinging IP addresses from 1,200+ servers from 530 cities, so if you add synthetic latency, chances are we can detect that. Then the latency-related location hints score will go down, and we will prioritize our dozens of other location hints we have.

But we do welcome to see if anyone can fool us in that way. We would love to investigate that!

But anyway, *you can't fool the last-hop latency* (unless you control it, but you can control all of it), and basically it impossible to fool that.

As a hypothetical example, an IP in a New York City data center is likely to have a shorted ping to a London data center, than a rural New York IP address.

  [IPinfo] pings an IP address from multiple servers across the world and identify the location of the IP address through a process called multilateration. Pinging an IP address from one server gives us one dimension of location information meaning that based on certain parameters the IP address could be in any place within a certain radius on the globe. Then as we ping that IP from our other servers, the location information becomes more precise. After enough pings, we have a very precise IP location information that almost reaches zip code level precision with a high degree of accuracy. Currently, we have more than 600 probe servers across the world and it is expanding.

The VPN provider only controls their network, not their upstream.

So you can set minimum latency on your responses. But your upstream networks won't be doing this.

If they added latency to all packets then London would still have the lowest latency.

If VPN usage becomes the norm, sites will have to give in eventually.

The ideal world is one where everyone is using Tor. They can only discriminate against you if you're different from others. The idea behind Tor is to make everyone look like the same user. The anonymity set must be maximized for that to work.

It takes time for sites to realize the danger, especially with mobile users where fiddling with a VPN is often more hassle than its worth and its just left always on. It's often a good idea to impersonate a mobile user agent for this reason as some sites (or perhaps cloudflare?) started treating them differently. The impersonation needs to be done well (SSL and HTTP fingerprints should also match mobile).

Usually, the more expensive the VPN offering the better the reputation of their IP's. Avoid VPNs that have any kind of free tier like the plague.

Mullvad just worked everywhere. I'm going back when my year plan on Proton ends.

I was getting a bit disappointed about Proton based on this evaluation even though the only problem I’ve had is their really lacking client UI/UX. They should make that visualization clearer. I don’t know the answer, but maybe offering a toggle or expansion for virtualized servers, might be a step in the right direction.

The design issues seems to be a common challenge with proton. The VPN client functions, but it is really grating how basic it is. You can’t even sort, let alone filter servers by load, let alone performance; so you’re scrolling through hundreds of servers. You can’t add regions or even several servers to create a profile with a priority, you have to pick a single server, among hundreds if not thousands in some countries. Oh, and as you’re scrolling through hundreds of servers for a single country, it’s a view of something like 10 lines high.

It’s bonkers

Everyone in our engineering and leadership is very close with various CDN companies. We do echo this idea to them. It is not IP geolocation; we actually have a ton of routing data they can use.

They checked where the VPN exit nodes are physically located. A lot of them are only setting a country in the whois data for the IP, but do not actually put the exit node in that country.

It was a great session and we received a lot of questions. We attend different NOG conferences regularly. ISPs are incentivized to help us by providing good data. Although we are agnostic about adversarial geofeeds, ISPs themselves need to work with us to ensure good quality of service to their users.

We already do quite a lot of outreach, in fact, most network engineers in the ISP industry across the world are familiar with us. But if any ISP operator has any feedback for us, we are only an email (or even a social media comment) away.

Geographic IP information is one of our best tools to defend against those outcomes, and if anything it should be better.

It just can't be outside England, just one 0.4ms RTT as seen here is enough to be certain that the server is less then 120 km away from London (or wherever their probe was, they don't actually say, just the UK).

RTT from a known vantage point gives an absolute maximum distance, and if that maximum distance is too short then that absolutely is enough to ascertain that a server is not in the country it claims to be.

The speed of light in fiber which probably covers most of the distance is also even slower due to refraction (about 2/3).

We are the internet data company and our ProbeNet only represents a fraction of our investment. Through our ProbeNet, we run ping, traceoute, and other active measurements. Even with traceroute we understand global network topology. There are dozens and dozens of hints of data.

We are tapping into every aspect on the internet data possible. We are modeling every piece of data that is out there, and through research, we are coming up with new sources of data. IP geolocation is only product for us. Our business is mapping internet network topology.

We are hoping to work with national telecoms, ISPs, IXPs, and RIRs to partner with them, guiding and advising them about data-driven internet infrastructure mapping.

Yeah like... physics. If you're getting sub-millisecond ping times from London you aren't talking to Mauritius.

Smart routing documentation: https://protonvpn.com/support/how-smart-routing-works

'Virtual' VPN server geolocation involves informing IP geolocation providers that their Singaporean servers are located in India. We looked into data and latency-based locations, but the industry at large uses self-reported location information for their data. So, if you use a service that uses IP geolocation provider (that is not us) they will just tell them that the Singaporean IP address is located in India, because that is the information they have and they do not have any other ways to verify it. But at the end of the day, the location information is coming from the VPN itself.

I could be wrong, and there could be technology and technique I am missing, so I am happy to learn. The blog is written by our founder who is accessible to the Proton team if they want to share their feedback with us.

I have seen a Europe-based cloud hosting provider's IP ranges located in countries where Google does not provide service. This is because these IP ranges are used as exit nodes by VPN users in that country.

Device-based IP geolocation is strange. We prefer IP geolocation based on the last node's IP geolocation. We hope to collaborate with Google, Azure, and other big tech on this if they reach out to us.

It redirects to a dead link hosted on aruba.it. I can investigate it.

And if I do it for privacy, the actual exit location seems very relevant. Even if I trust the VPN provider to keep my data safe (which for the record I wouldn't with the majority of this list), I still have to consider what happens to the data on either end of the VPN connection. I'm willing to bet money that any VPN data exiting in London is monitored by GCHQ, while an exit in Russia probably wouldn't be in direct view of NSA and GCHQ

The routers don’t care about where the provider says the IP comes from. If the packet travels through the router, it gets processed. So it very much matters if you do things that are legal in one country, but might not be in another. You know, one of the main reasons for using VPNs.

You’d be shocked at the number of people in regulated industries that thinks a VPN inherently makes them more secure. If you think your traffic exits in the US and it exits in Canada — or really anywhere that isn’t the US — that can cause problems with compliance, and possibly data domicile promises made to clients and regulators.

At minimum, not being able to rely on the provider that you are routing your client’s data through is a big deal.

We added additional features for location hint modeling and selection for IPv6 networks. There are a handful of open engineering tickets to understand more about the entire internet infrastructure of the country. Of course, hosting a probe server out there would be helpful.

https://ipinfo.io/countries/kp

We always appreciate feedback like that.

Our product philosophy is centered on accuracy and reliability. We intentionally diverge from the broader IP geolocation industry's trust-based model. Instead of relying primarily on "aggregation and echo", we focus on evidence-backed geolocation.

Like others in the industry, we do ingest self-reported IP geolocation data, and we do that well. Given our scale and reputation, we receive a significant volume of feedback and guidance from network operators worldwide. We actively conduct outreach, and exchange ideas with ISPs, IXPs, and ASNs. We attend NOG events, participate in research conferences, and collaborate with academia. We have a community and launch hackathon events, which allow us to talk to all the stakeholders involved.

Where we differ is in who our core users are. Our primary user base operates at a critical scale, where compromises on data accuracy are simply not acceptable. For these users, IP geolocation cannot be a trust-based model. It must be backed by verifiable data and evidence.

We believe the broader internet ecosystem benefits from this approach. That belief is reflected in our decision to provide free data downloads, a free API with unlimited requests, and active collaboration with multiple platforms to make our data widely accessible. Our free datasets are licensed under CC-BY-SA 4.0, without an EULA, which makes integration, even for commercial use straightforward.

I appreciate you recognizing that our product philosophy is different. We are intentionally trying to differentiate ourselves from the industry at large, and it is encouraging to see competing services acknowledge that they are focused on a different model.

Turn off your VPN?

No, the article does not make this conclusion at all! It was carefully written to highlight the nature of virtual locations of VPN exit nodes and does not make such conclusions.

The article is written by our founder, who is accessible to the VPN industry at large and is open to feedback and comments.

the only important bit is that it is made clear whenever a given country falls under some category that allows things such as traffic analysis and cataloging.

it's actually often times preferrable to lie about the server location for lower latency access geo-blocked content, particulary when accessing US geo-restricted content in europe.

if you want true privacy you have to use special tools that not only obfuscate the true origin, but also bounce your traffic around (which most of these vpns provide as an option)

We have not collaborated with any VPN companies for the report and have not even requested permission or pre-draft approvals. We had the data of what we were seeing and published a report based on that. We have published a ton of resources around the nature of VPN location in the past. Our focus is on data accuracy and transparency.

After the article was published, we received feedback from only a single VPN provider - Windscribe (https://x.com/ipinfo/status/1998440767170212025). I do not think anyone from Mullvad, iVPN, or any other VPN company has reached out to our team or our founder yet.

We are happy to take feedback and comments and are even open to a follow-up!

I mostly use it to avoid exposing my IP address too, but if I knew my VPN was comfortable with a little light fraud, I'd be concerned about what else they're comfortable with.