FRESH

Hacker News

Home

VPN location claims don't match real traffic exits

480 points by mmaia

by preinheimer

1 subcomments

I'm a co-founder at WonderProxy, we didn't make their list (we target people doing application testing, not consumer VPNs).
We're in 100+ countries, and I'll stand by that claim. It's a huge pain in the neck. In our early years we had a lot of problems with suppliers claiming to be in Mexico or South America who were actually just in Texas. I almost flew to Peru with a rackmount server in my luggage after weeks of problems, that plan died when we realized I'd need to figure out how to pay Peruvian income tax on the money I made in country before I could leave.
We've also had customers complaining that a given competitor had a country we'd had trouble sourcing in the Middle East. A little digging on our part and it's less than a ms away from our server in Germany.

by reimertz

6 subcomments

I know multiple people who worked / working at Mullvad and they take their business, security and privacy _very_ seriously. Not surprised to see them shine here.

by systemtest

5 subcomments

I'm a big VPN user since I am the citizen of one country and the resident of another. Even for government services I have to use a VPN. I tried to access the bureau of statistics of my home country through my foreign residential IP and got 404s on all pages. Enabled VPN and everything magically started working. For watching the election result video stream I also had to VPN but at least that one gave me a clear message. For doing taxes in my home country I then have to disable VPN since all VPN access is blocked but it's OK to use a foreign residential IP.
I would easily pay €30 a month for a VPN in my home country that uses a residential IP and isn't noticeable. I am aware that those exist, but 99% of them are shady.

by varenc

12 subcomments

Interesting to learn you can identify the real country/area of origin using probe latency. Though could this be simulated? Like what if the VPN IP just added 100ms-300ms of latency to all of its outgoing traffic? Ideally vary the latency based on the requesting IP's location. And also just ignore typical probe requests like ICMP (ping). And ideally all the IPs near the end of the traceroute would do all this too.
To use an example, 74.118.126.204 claims to be a Somalian IP address, but ipinfo.io identifies it as being from London based on latency. Compare `curl ipinfo.io/74.118.126.204/json` vs `curl ipwhois.app/json/74.118.126.204` to see. If that IP ignored pings and added latency to all outgoing packets, I wonder if that would stymie ipinfo's ability to identify its true origin.

by why-o-why

9 subcomments

I tried to use ProtonVPN when I switched over to ProtonMail a year ago. But so much of the web does not work when you're on a VPN. For example even HackerNews has VPN restrictions. More and more sites know where VPN endpoints originate. How will VPNs prevent this in the future without them just become easy to block?

by ericdiao

1 subcomments

Another related but non-VPN story related to IP geolocation:
Big techs (most notably Google) is using the location permission they have from the apps / websites on the user's phones / browsers to silently update their internal IP geolocation database instead of relying on external databases and claims of IP owners (geofeed etc). And this can be hyper-sensitive.
I was traveling back home in China last year and was using a convoluted setup to use my US apartment IP for US based services, LLM and streaming. Days into the trip and after coming back, I found that Google has been consistently redirecting me to their .hk subdomain (serving HK and (blocked by gov) mainland China), regardless of if I was logged in or not. The Gmail security and login history page also shows my hometown city for the IP. I realized that I have been using Google's apps including YouTube, Maps and so on while granting them geolocation permission (which I should not do for YouTube) in my iPhone while on the IP and in my hometown.
After using the same IP again in the US with Maps and so on for weeks and submitting a correction request to Google, it comes back to the correct city. (The tricks of restarting the modem / gateway, changing MAC address to get a new IP is not working somehow this time with my IS.

by fguerraz

2 subcomments

ProtonVPN clearly marks these “virtual locations” in their UIs as “smart routing”, so there really isn’t any deception here https://protonvpn.com/support/how-smart-routing-works

by majke

1 subcomments

Back in 2022 I published a doc on how the egress IPs work at Cloudflare:
https://blog.cloudflare.com/cloudflare-servers-dont-own-ips-...
In summary, the location at which an IP egresses Cloudflare network has nothing to do with the geo-ip mapping of that IP. In some cases the decision on where to egress is optimised for "location closest to the user", but this is also not always true.
And then there is the Internet. Often some country (say Iran) egresses from a totally different place (like Frankfurt) due to geopolitics and just location of cables.

by Beijinger

2 subcomments

I am not sure that I really understand what they did. I am also missing some major VPNs in the list. I currently use AirVPN but this has something to do with my use case and pricing.
Why do you want to use a VPN?
- Privacy
- Anonymity (hint: don't!)
- unblock geolocation
- torrents
- GFC
The last point is the hardest.
https://expatcircle.com/cms/privacy/vpn-services/

by HotGarbage

4 subcomments

While exits matter to avoid countries with a nation-wide firewall, the geoip industry is a scourge.
If an ISP wants to help their users avoid geoblocking via https://www.rfc-editor.org/rfc/rfc8805.html more power to them.

by eviks

0 subcomment

This article fails to distinguish between false claims and true claims - VPN providers sometimes explicitly mark some locations as virtual, so there is no mismatch between the claim and the real exist as the title says, because the original claim was never "Bahamas is a physical exit"

by ramity

4 subcomments

Contrasting take: RTT and a service providing black box knowledge is not equivalent to knowledge of the backbone. To assume traffic is always efficiently routed seems dubious when considering a global scale. The supporting infrastructure of telecom is likely shaped by volume/size of traffic and not shortest paths. I'll confess my evaluation here might be overlooking some details. I'm curious on others' thoughts on this.

by drewfax

1 subcomments

I use Mullvad through Tailscale’s exit‑node integration, and it’s awesome. They are the only provider I trust these days.
To highlight virtual routing: it’s useful in scenarios where a country blocks VPNs but you still need an IP from that country to browse local websites. In such cases, virtual routing comes in handy. For example, when India required all VPN servers in the country to log user traffic, Proton moved its Indian server to Singapore and used virtual networking tricks to continue offering an Indian IP address.

by PeterStuer

0 subcomment

Just an aside, and not trying to excuse the potential VPN operator's misrepresentation.
Regulatory accepted establishment of "country" location might not always be what layman think.
I knew of a server rack physically in a Brussels Belgium datacenter that was for regulatory purposes declared to be Luxemburg territory (as Luxemburg at the time had specific rules on domestic data processing).

0 subcomment

by dlahoda

0 subcomment

As per report, 3 providers do not lie.
I searched VPN which payed in crypto and OSS friendly. Mullvad and IVPN were in list, and these also do not lie about exits.
IVPN bought me with very deep transparency into company and WRT support, on top of Linux and Android.
I get maximal longest sub in one payment.
Mullvad is under North EU jury, IPVN under Gibraltar(which is nor exactly UK). So decided offshore like place also more safe against VPN control attempts.
Searched for decentralized VPNs(like TOR, but you pay for speed and do not care onions) some time ago too, we are not there yet.

by xp84

0 subcomment

This is interesting because for some people, it would be a feature to be operating with, say, a US VPN tunnel that is “on paper” in the Bahamas. Better latency. For instance, the average person downloading Torrents.
Of course, for the most high-stakes stuff if you were worried about some kind of major state level actors or something, you want to keep a very tight control over where your actual traffic is physically transiting. So it seems only proper that they disclose these discrepancies to customers.
Even still, I suspect encryption and proper lack of logs provides sufficient cover for most people for most actually likely threats.

by snickerer

1 subcomments

I can't connect to this site because my adblocker doesn't like it. It seems to be on the bad-domain-list https://www.cromite.org/filters/badblock_lite.txt. Now is the question: is ipinfo.io on this list for a good reason?

by crazygringo

3 subcomments

Is there any real-life situation in which this matters, though?
If you're picking a country so you can access a Netflix show that geolimits to that country, but Netflix is also using this same faulty list... then you still get to watch your show.
If you're picking a country for latency reasons, you're still getting a real location "close enough". Plus latency is affected by tons of things such as VPN server saturation, so exact geography isn't always what matters most anyways.
And if your main interest is privacy from your ISP or local WiFi network, then any location will do.
I'm trying to think if there's ever a legal reason why e.g. a political dissident would need to control the precise country their traffic exited from, but I'm struggling. If you need to make sure a particular government can't de-anonymize your traffic, it seems like the legal domicile of the VPN provider is what matters most, and whether the government you're worried about has subpoena power over them. Not where the exit node is.
Am I missing anything?
I mean, obviously truth in advertising is important. I'm just wondering if there's any actual harm here, or if this is ultimately nothing more than a curiosity.

by atmosx

0 subcomment

Using FreeBSD dummynet it’s possible to modify the characteristics of network traffic and emulate e.g. Somalia performance from a datacenter in France.

by mmwelt

1 subcomments

There was an article on HN not too long ago about how to get a North Korea / Antarctica VPS[1], so this isn't entirely surprising!
[1] https://news.ycombinator.com/item?id=45922850

by nizbit

1 subcomments

Yeah happens to other “vpn” solutions like zero trust solutions like zscalar. Logs says the user in Buffalo, IP is in Toronto. Same for users on the southern border, us location and Mexican ip.

by lossolo

0 subcomment

And it's super easy to do. I had my own ASN and my own IPv4 and IPv6 address space, you basically just write whatever you want into RIPE Database objects (or ARIN, APNIC etc.) Today your IP space can be in one country, and tomorrow in a different one.

by fragmede

0 subcomment

The one I noticed was after the Texas porn age verification laws went into effect. Setting my VPN to be in Texas was different than when actually connecting to Texas when I visited.

by tallytarik

3 subcomments

Most of these providers are in fact open about the fact that these locations are “virtual”, so it’s misleading to say they don’t match where they claim to be.
There is however an interesting question about how VPNs should be considered from a geolocation perspective.
Should they record where the exit server is located, or the country claimed by the VPN (even if this is a “virtual” location)? In my view there is useful information in where the user wanted to be located in the latter case, which you lose if you only ever report the location of servers.
(disclaimer: I run a competing service. we currently provide the VPN reported locations because the majority of our customers expect it to work that way, as well as clearly flagging them as VPNs)

by radicality

3 subcomments

Oh wow, I had no idea that “virtual location” is even a thing. Imo it should not, I don’t even see a use case for that, it just seems like straight-up lying about the traffic exit location. Glad to see the provider I occasionally use, Mullvad, passed the test.

0 subcomment

by neya

0 subcomment

Extremely disappointed to see ProtonVPN in this list. Despite others claiming about their smart routing as being a disclaimer of sorts, I am still disappointed that it was never explicitly clear that our privacy was still at stake.
https://protonvpn.com/support/how-smart-routing-works

by drnick1

1 subcomments

Looks like the link is dead.

by zdc1

0 subcomment

Never heard of Windscribe but their homepage has "Become American" as a feature.
> Are you sick of not having access to foreign oil? Do you love using advanced weapons to fuck up someone’s day? Obsessed with manipulating your financial records to make yourself look more successful than you are?
Got a chuckle out of me.

by krick

1 subcomments

I seriously don't quite understand the point of using a VPN that doesn't offer you clean residential IPs somehow (and I don't really know good VPN like that). Most services where I really want to use VPN are well aware of VPN IP blocks and just won't allow any of these famous VPNs (that I am aware of, at least). And services that don't care if it's my real IP or not… well, usually I don't really care about exposing them to my real IP either?
I mean, ok, there are use-cases. But commercial VPNs exist under specific premise, you know, and they just don't offer what they claim to be offering. Unfortunately.

0 subcomment

by illusive4080

3 subcomments

Mullvad is the only VPN I will ever trust. Yet again they ace the test.

by cluckindan

0 subcomment

This seems like circumstantial evidence for most VPN providers mostly serving customers who are in the business of spreading targeted misinformation on social media.

by Papazsazsa

3 subcomments

Cool, even our privacy protection is fraught with scammers and liars.

by ctippett

1 subcomments

I get advertisements for VPN providers almost everywhere. I've never been interested, but I do subscribe to Mullvad via Tailscale. So, I'm thankful and appreciative that they did their due diligence and partnered with a reputable provider. I've been very happy with the service.
Edit: Welp. How could this possibly be my most downvoted comment. Am I not entitled to an opinion? I ain't no AI.

by eek2121

4 subcomments

This was a dumb study, and if they'd asked the VPN providers, I'm sure someone would tell them why.
All the VPN providers I've used let you select the endpoint from a dropdown menu. I'm not using a VPN to make it appear I'm in Russia, I'm using it as one of many tools to help further my browsing privacy.
My endpoint is one of 2 major cities that are close to me. Could I pick some random 3rd world country? Sure! That isn't the goal. The goal is to prevent my mostly static IP address from being tied to sites I use every day.
EDIT:
Small point of clarification:
All the VPN providers I use have custom or 3rd party software that allows you to select a location for the VPN. All of the VPN providers I've used also select the location with the lowest ping times as a default. I suspect most folks are just sticking with the defaults. I certainly haven't strayed outside the US/EU for any of my attempts. I have occasionally selected an EU location for specific sites not available in the US, where I live, but beyond that?