I'm a co-founder at WonderProxy, we didn't make their list (we target people doing application testing, not consumer VPNs).
We're in 100+ countries, and I'll stand by that claim. It's a huge pain in the neck. In our early years we had a lot of problems with suppliers claiming to be in Mexico or South America who were actually just in Texas. I almost flew to Peru with a rackmount server in my luggage after weeks of problems, that plan died when we realized I'd need to figure out how to pay Peruvian income tax on the money I made in country before I could leave.
We've also had customers complaining that a given competitor had a country we'd had trouble sourcing in the Middle East. A little digging on our part and it's less than a ms away from our server in Germany.
I work for IPinfo. I have raised a ticket internally, but I think we focused on consumer VPNs for this test.
For our ProbeNet, we are attempting to reach 150 countries (by ISO 3166's definition). We are at around 530 cities. Server management is not an easy task. We do not ship hardware, but operate using dedicated servers, so this reduces one layer of complexity.
To maintain the authenticity of our server locations, we utilize cross-pings and network traffic behavior detection. If any abnormality is detected, the server will be immediately disabled to prevent polluting our data. There will be a ticket to investigate what went wrong.
We pay for each (excluding 3 to 4 servers where the owner and the team really likes us and insists on sponsoring) server. Expansion is an active effort for us, as there are 70k ASNs and about 100 more countries where we do not have a server.
We hope to partner with more ASNs, particularly residential ISPs and IXPs. So, a lot of effort is put into active outreach through WhatsApp, emails, social media and phone calls. We use a number of different data-based techniques to identify "leads".
Google, Apple, and Meta (maybe others?) have the data to build a complete GeoIP dataset. None of them will share because there are only downsides to doing so.
When FB was rolling out ipv6 in 2012, well meaning engineers proposed releasing a v6 only GeoIP db (at the time, the public dbs were shit). Not surprisingly, it was shot down.
We are always happy to work with large technology enterprises and streaming platforms, not necessarily to sell, but to share insights, data, and practical advice. We observe the entire internet through active measurements, and we are open to co-publishing research when it benefits the broader ecosystem.
Google/GCP is top of mind for me due to a recent engineering ticket. Some of our own infrastructure is hosted on GCP, and Google’s device-based IP geolocation model causes issues for internet users, particularly for IPv6 services.
From what we understand, when a large number of users from a censored country use a specific VPN provider, Google's device-based signals can bias the geolocation of entire IP ranges toward that country. This has direct consequences for accessibility to GCP-hosted services. We have seen cases where providers with German-based data centers were suddenly geolocated to a random country with strict internet censorship policies, purely due to device-based inference rather than network reality. Our focus is firmly on the geolocation of exit-node IPs, backed by network evidence.
We are actively looking to connect with someone at Google/GCP, Azure/Microsoft and others who would be willing to speak with us, or directly with our founder.
Our community consistently asks us to partner more deeply with enterprises because we are in constant contact with end users and network operators. To be honest, we do not even get many questions or issues. We are partners with a large CDN company, and I get one message about a month, which usually involves sharing evidence data and not fixing something.
From a large-scale organization's perspective, IP geolocation should not be treated as an internal project. It is a service. Delivering it properly requires the full range of engineering, sales, support, and personnel available around the clock to engage with users, evaluate evidence, and continuously incorporate feedback.
> From what we understand, when a large number of users from a censored country use a specific VPN provider, Google's device-based signals can bias the geolocation of entire IP ranges toward that country.
Yep, this is a known effect.
How it seems to work is: Google uses Android phones as data harvesting probes. And when it sees that a lot of devices in a given IP range pick up on GPS data, Wi-Fi APs or cell tower IDs that are known to be located in Iran, and possibly other cues like ping to client devices or client device languages, timezones, search request contents, then the system infers "there's a network wormhole there with Iran on the other end", and the entire IP range grows legs and drifts towards Iran.
The owner of those IP addresses can mitigate the issue, mostly by shaping traffic or doing things to Google's system, but I know of no way for anyone else to do it.
I talked to someone who bought a /24 from South America to be used in the United States for office use. I asked him to tell everyone to get on WiFi and keep Google Maps running. Apparently, that solved the issue.
Google's GeoIP is creepy good. I noticed a while ago that for fixed or technically dynamic but rarely actually changing IPs, their IP geolocation eventually converges on the exact street address, presumably due to Google crowdsourcing geolocation from devices with GPS or Wi-Fi geolocation access, which is in turn crowdsourced from devices with both GPS and Wi-Fi.
It's pretty slow to converge though, as it needs enough data points so they cross some certainty threshold. Especially in the context of VPN exit points as the traffic comes from all over the world.
At my previous company we had a subscription to Spur Intelligence. It is like Palantir for IP address info, and probably the closest to what you are talking about.
They recently added GeoIP to their data and in the bit of testing I was able to do before I left it was scary good. I also had an amusing chat with one of their engineers at a conference about how you can spoof IPInfo's location probes...
We are actually a sponsor of RIPE Atlas and have a bunch of credits.
But I am not sure if we use them extensively. I think, as we own and operate the ProbeNet, much of the data collection efforts can be done through that in a scalable manner.
I know multiple people who worked / working at Mullvad and they take their business, security and privacy _very_ seriously. Not surprised to see them shine here.
I'm a bit curious about how that works. I love Mullvad but routinely I find sites like Reddit completely block it. Even yesterday someone posted a Debian wiki link[0] and I was blocked. It's not all of them but Reddit is a big killer. So I thought China would block all of them (aren't they known?)
Use the Tor Onion Service [1] for Reddit instead. You never leave Tor so you don't have to deal with the usual exit node problems. No need for a commercial VPN.
I've found the "visit anonymously" functionality offered by Startpage gets around the problem in a pinch. It tends to break the site you're visiting a little, but masks your IP, allowing you access without shutting down your VPN.
There's a corollary to that question: why would China choose not to block Mullvad? We know every large nation with a capable online force maintains a fleet of ORBs, so maybe they consider Mullvad more useful for them as a functioning system?
Some of their own contractors may well depend on Mullvad. Perhaps as long as the overall "civilian" volume and user count remains acceptably low, the cost-benefit estimate may well be in favour of letting it slip by. (And for the civilians that do use a working variant, subject their connections to fine-grained traffic analysis.)
I'd also like to ask people not to block this way. It creates LOTS of false positives. There's much better ways to handle bots and this tactic seems particularly dumb for Reddit given they want users from places like China or elsewhere where a VPN might be required. Not to mention people using public WiFi. It's not like VPNs are uncommon these days.
If you must ban IPa then do so with a timeout and easing function. So that each hit results in a longer ban time. Bots want to move fast so even a few seconds ban time will make them switch IPs while not impacting most users (who will refresh)
Any proof or articles you could link to backup that claim seems unlikely given their size/reputation also would be surprised they’d get blocked this often using botnet traffic
Has anyone else from Europe noticed how Mullvad's speeds and latency have becoming worse and worse during peak times in the recent months? I now have to change servers regularly, which was never the case ~2 years ago.
When they wrote that 3 providers were honest about all locations I have to admit my first thought was "Mullvad, and who would the other two be?"
With their reputation and trackrecord they really can't do any shady tricks. Imagine if they weren't among the 3 honest providers? That would be HN frontpage news.
At risk of sounding sale pitch'y. Mullvad is the only VPN the longer I use the more I like it. I've tried MANY competitors first and all the other ones so far seem to only get worse over time.
I love that I can pay directly with a crypto wallet and have true anonymity.
I do really wish they still provided port forwarding, I understand why they don't but that was really useful and the only competitors that seem to don't exactly seem trustworthy to me.
That depends how you obtained the crypto in the first place.
In any case, its certainly better than visa, but if you dont trust your vpn provider the real issue is they have your IP address and at best just a pinky-promise they dont log.
> Mullvad ... security and privacy _very_ seriously. Not surprised to see them shine here.
? TFA reflects on dishonest marketing on part of public VPN providers more than privacy / security.
That said, VPNs don't add much security, though, they are useful for geo unblocking content and (at some level) anti-censorship. In my experience, the mainstream public VPNs don't really match up to dedicated censorship-resistant networks run by Psiphon, Lantern, Tor (and possibly others).
Advertising a VPN endpoint in country A which in reality is in country B is a security concern for users trying to reduce their visibility to country B’s authorities. You’re right about the more fit to purpose tools, of course, but they’re more of an impediment to normal internet usage.
This article fails to distinguish between false claims and true claims - VPN providers sometimes explicitly mark some locations as virtual, so there is no mismatch between the claim and the real exist as the title says, because the original claim was never "Bahamas is a physical exit"
I'm a big VPN user since I am the citizen of one country and the resident of another. Even for government services I have to use a VPN. I tried to access the bureau of statistics of my home country through my foreign residential IP and got 404s on all pages. Enabled VPN and everything magically started working. For watching the election result video stream I also had to VPN but at least that one gave me a clear message. For doing taxes in my home country I then have to disable VPN since all VPN access is blocked but it's OK to use a foreign residential IP.
I would easily pay €30 a month for a VPN in my home country that uses a residential IP and isn't noticeable. I am aware that those exist, but 99% of them are shady.
Do you have friends or family in your home country that will run an AppleTV box with Tailscale for you as an exit node?
I can't get into work from a non-US IP, but I can Tailscale back to my house and it works just fine. I even gave my in-laws (who live several states away) an AppleTV box running TS just to have another endpoint if for some reason the power goes out at my house while I'm gone (rare, but happens).
Why do you need an AppleTV box and Tailscale for that? Use any PC (even a Raspberry Pi or any cheap "thin client") with Wireguard and you remove Apple and Tailscale from the equation entirely while keeping your setup 100% self-hosted.
Lots of people already have Apple TVs and the Tailscale integration is pretty good and can serve as an always online exit node. So no new hardware required. Could even remotely walk a non-techie through the process without too much effort.
personally, I've just upgraded my family's wifi to Ubiquiti and can then use Tailscale Wireguard running on the gateway as a proxy! (with their permission)
They’re not insanely common even in the US, since Roku and Android sticks are cheaper and I don’t live in a wealthy area, but they’re not hard to get or unheard of.
The distinction between AppleTV, the hardware, and Apple TV+, the streaming service, was lost on many. Now that they are “Apple TV 4K” hardware and “Apple TV” service, it’s even harder to convey the correct meaning.
I don’t work in technology, so my knowledge base is almost certainly in the bottom 10% (or lower) of HN readers. I can install Linux, or a BSD, and following guides I can be reasonably certain that I am doing so safely, which puts me comfortably in the top 10% of all users out there.
It’s not what I’m comfortable setting up for myself that is the issue; I am willing to put up with oddities for something that is just for my convenience and amusement. The problem is what I am knowledgeable enough to fix from far away if and when it goes wrong, and how to explain to my very non-technical family how to access it.
I have a NAS, and I could roll my own with that (in fact it’s my exit node at home, because I’m fairly sure it has better encryption speed than the AppleTV), but when something I’m in charge of maintaining goes in someone else’s house, the last thing I want to spend my spare time doing is trying to diagnose and fix issues over the phone with people who don’t own a computer.
It’s not the perfect solution to every situation. It is reliant on Tailscale and Apple, and there are cheaper, more capable systems (like the RPi) out there if you have the knowledge and inclination to set them up. But it’s a very, very straightforward solution that is unobtrusive and easy to maintain and thus is extremely well-suited for my needs. I thought it might be for OP as well. Anyone who is willing to shell out €360 a year for a truly residential-IP VPN should at least be made aware that it’s an option.
> Wireguard and remove Apple and Tailscale from the equation entirely
I agree you could send them a preconfigured pi, but can we stop pretending talescale is just wireguard - there is a lot of convenience in the NAT traversal that you otherwise need router config and/or a publically routable server to achieve.
Doesn’t have to be an apple box either. A raspberry pi is what I’m using. I’m in the exact same situation, living in one country temporarily but citizen of another, and I have an exit point in my home country at my parents place on a raspberry pi. Basically any computer will work.
The advantage of the AppleTV is that it's basic consumer hardware that a lot of people have, that you can provide for them at a reasonably low cost if they don't, and that doesn't really require much in the way of tech skill for the person whose house it's in to keep it up to date. You don't even have to do anything to update versions - tvOS will do it automatically.
I can't find it right now but there was a post announcing the port to tvOS on their blog where a developer from the UK (but living in the US) talked about how it let him buy, configure, and ship a simple consumer box that uses little power and needs minimal hands-on maintenance to his parents' house as a replacement for a server he had been running in their house as a VPN endpoint for this sort of thing - so he could watch BBC, etc.
I wouldn't want to update a RPi that's in someone else's house on the other side of the ocean.
Android TV works great as well. I have it running on an old Chromecast that cost less than $50 new.
While I still prefer running a plain Wireguard VPN if possible (i.e. when there's a publicly reachable UDP port), the really big advantage of Tailscale over other solutions is that it has great NAT traversal, so it's possible to run a routing node behind all kinds of nasty topologies (CG-NAT, double NAT, restrictive firewalls etc.)
I have run into the firewall problems before. Even seen them that block authentication but -if already connected to the tailnet before joining the WiFi in question - will continue to pass data. OpenVPN would not connect and couldn’t handle the IP address switch.
At worst, I turn on phone hotspot, authenticate, then switch back to WiFi. A purely serendipitous discovery on my part, but a very welcome one.
Interesting, maybe they block the orchestration servers of Tailscale, but not the actual data plane (which is almost always P2P, i.e., it usually does not involve Tailscale servers/IPs at all)?
I built TunnelBuddy (tunnnelbuddy.net) just for this. I am the same: citizen of one country and resident of another. I have multiple friends and family where I am from. I get them to open tunnelbuddy (nobody needs to sign up), to share a one-off password (like TeamViewer) and I get to access the internet as if I was at their place.
Underneath, it uses WebRTC (the same tech as Google Meet). It is free to use, I just built to fix this problem that I have... I am quite surprised expats only get by using a traditional VPN whose IPs are known by online services...
AppleTV is pretty random and only vaguely incidental to the solution. Tailscale runs on computers. Basically anything will do. If you don't have a home server, just grab a cheap RPi or an old laptop. Or in a pinch drop it onto an old phone from your old phone drawer.
I have been thinking about it but it is tricky from a legal standpoint. What I'm trying to arrange next time I visit is to have a secondary line installed at my parents place that is in my name. So that when I pull heavy traffic from that line it doesn't impact them and I can't get them in trouble for posting a message that isn't government approved.
> I would easily pay €30 a month for a VPN in my home country that uses a residential IP and isn't noticeable. I am aware that those exist, but 99% of them are shady.
For residential IPs you can't even pay per month like normal VPNs, normally they charge per GB, usually over $2 usd per GB.
Damn, I’m throwing away hundreds of dollars per month.
And I can get a semi-anonymous cable internet connection too (if your line is “hot”, you could sign up with any address… not sure if it has to be under the same node or just the same city). Would be difficult, but not impossible, to track down which residence the shadow connection is coming from.
Most of the people whose devices and connections are being used as residential proxy exit nodes are not aware of it.
They likely charge per GB because these residential connections are slow and limited compared to datacenter connections (doesn't help that they're often located in third world countries), and are often used for aggressive scraping, so charging a fixed monthly price would not be viable.
Interesting to learn you can identify the real country/area of origin using probe latency. Though could this be simulated? Like what if the VPN IP just added 100ms-300ms of latency to all of its outgoing traffic? Ideally vary the latency based on the requesting IP's location. And also just ignore typical probe requests like ICMP (ping). And ideally all the IPs near the end of the traceroute would do all this too.
To use an example, 74.118.126.204 claims to be a Somalian IP address, but ipinfo.io identifies it as being from London based on latency. Compare `curl ipinfo.io/74.118.126.204/json` vs `curl ipwhois.app/json/74.118.126.204` to see. If that IP ignored pings and added latency to all outgoing packets, I wonder if that would stymie ipinfo's ability to identify its true origin.
In my first job out of school, I did security work adjacent to fortune 50 banks and the (now defunct) startup I worked at partnered some folks working on Pindrop (https://www.pindrop.com/).
Their whole thing at the time was detecting when it was likely that a support call was coming from a region other than the one the customer was supposed to be in (read: fraudulent) by observing latency and noise on the line (the name is a play on "We're listening closely enough to hear a pin drop".)
Long story short, it's a lot more than just the latency that can clue someone in on the actual source location, and even if you introduce enough false signal to make it hard to identify where you actually are, it's easy to spot that and flag you as fake, even if it's hard to say exactly what the real source is.
Latency is only one dimension of the data we process.
We are pinging IP addresses from 1,200+ servers from 530 cities, so if you add synthetic latency, chances are we can detect that. Then the latency-related location hints score will go down, and we will prioritize our dozens of other location hints we have.
But we do welcome to see if anyone can fool us in that way. We would love to investigate that!
Do you run traceroutes and pings in both directions?
In the case of a ping you might think it shouldn't matter but I can imagine a world where a VPN provider configures a server in London to route traffic via Somalia only when a user establishes a connection to the "Somalia" address of the server. You could only test this if you did a traceroute/ping through the VPN.
And I'm not saying this is what's happening but if you just ping the IP from your infra, couldn't stuff like anycast potentially mess you up?
In the case of traceroutes, you only see the route your traffic takes to the VPN, you don't see the route it takes to get back to you, which I think is really important.
We run traceroutes and latency measurements from many different locations, so we are looking at aggregate behavior rather than any single path. When you combine data from hundreds of ProbeNet PoPs over time, asymmetric routing mostly shows up as noise. When that happens, latency based hints lose weight and we lean more on other signals.
We have seen this in practice. For example, when we deployed servers in Gambia, even traffic between local networks often left the country and came back due to limited peering and little use of the national IXP. Stil, the overall routing patterns were still learnable once you look at enough paths.
For VPNs, we are measuring the location of the endpoint IP itself, not user traffic inside a tunnel. If routing only changes after a tunnel is established, that is a service level behavior, not the network location of the IP.
Anycast and tunneling are things we explicitly detect. They tend to create clear patterns like latency clustering or unstable paths, and when we see those and flag them as anycast IPs by defaulting to their geofeed location.
This can fool someone from one location and only in one way (if you are near Somalia and expect a 10ms latency, a virtual VPN can't reduce latency to simulate been in Somalia).
So it have to be dynamic to fool multiple locations to stay probable.
But anyway, *you can't fool the last-hop latency* (unless you control it, but you can control all of it), and basically it impossible to fool that.
Does this really work? I would think the ping time would not be dominated by speed of light, but by number of hops, and connection quality.
As a hypothetical example, an IP in a New York City data center is likely to have a shorted ping to a London data center, than a rural New York IP address.
It's possible to deduce password hashes by timing responses over the internet if the server isn't using constant time comparison. Noise is just that, a noise.
[IPinfo] pings an IP address from multiple servers across the world and identify the location of the IP address through a process called multilateration. Pinging an IP address from one server gives us one dimension of location information meaning that based on certain parameters the IP address could be in any place within a certain radius on the globe. Then as we ping that IP from our other servers, the location information becomes more precise. After enough pings, we have a very precise IP location information that almost reaches zip code level precision with a high degree of accuracy. Currently, we have more than 600 probe servers across the world and it is expanding.
Only if the detection mechanism is looking at that single IP and from a single location.
Find the ASN(s) advertising that network and figure out their location.
Even within the ASN there may still be multiple hops, and those IPs may be owned by others (eg the hosting facility) who are not playing the same latency games.
We operate servers for the purpose of measuring the internet using a wide variety of methods. We have more than 1,200 of these servers distributed across 530 cities, running not only ping but traceroute and many other types of active measurements.
In addition to active measurement and research, there are many other sources of data we use. Also, we are actively investing in R&D to develop new sources. Adding just 300ms of latency at the end of an IP address would simply appear as noise to us. We have dozens of locations, hints cut through the noise.
We welcome people to try to break the system. Perhaps it is possible to dupe this system.
You could vary the additional latency based on the location of the IP you're replying to? Or just hash the requesting IP and use that as a seed to generate that particular IP's random extra latency that always stays the same for that IP. Which feels like enough to make triangulation hard. Though I'm just spitballing.
That seems reasonable, but they seem to be suffering their own problem with UI and UX design by not making that inherently clearer.
I was getting a bit disappointed about Proton based on this evaluation even though the only problem I’ve had is their really lacking client UI/UX. They should make that visualization clearer. I don’t know the answer, but maybe offering a toggle or expansion for virtualized servers, might be a step in the right direction.
The design issues seems to be a common challenge with proton. The VPN client functions, but it is really grating how basic it is. You can’t even sort, let alone filter servers by load, let alone performance; so you’re scrolling through hundreds of servers. You can’t add regions or even several servers to create a profile with a priority, you have to pick a single server, among hundreds if not thousands in some countries. Oh, and as you’re scrolling through hundreds of servers for a single country, it’s a view of something like 10 lines high.
In summary, the location at which an IP egresses Cloudflare network has nothing to do with the geo-ip mapping of that IP. In some cases the decision on where to egress is optimised for "location closest to the user", but this is also not always true.
And then there is the Internet. Often some country (say Iran) egresses from a totally different place (like Frankfurt) due to geopolitics and just location of cables.
So, there is a dashboard internally for that. When we do ProbeNet PoP assessment, we have a high-level overview of the frequent and favored connections. We have a ton of servers in Africa, and there is a strong routing bias towards France, Germany, and the UK instead of neighboring connections.
Everyone in our engineering and leadership is very close with various CDN companies. We do echo this idea to them. It is not IP geolocation; we actually have a ton of routing data they can use.
I searched VPN which payed in crypto and OSS friendly. Mullvad and IVPN were in list, and these also do not lie about exits.
IVPN bought me with very deep transparency into company and WRT support, on top of Linux and Android.
I get maximal longest sub in one payment.
Mullvad is under North EU jury, IPVN under Gibraltar(which is nor exactly UK). So decided offshore like place also more safe against VPN control attempts.
Searched for decentralized VPNs(like TOR, but you pay for speed and do not care onions) some time ago too, we are not there yet.
Just an aside, and not trying to excuse the potential VPN operator's misrepresentation.
Regulatory accepted establishment of "country" location might not always be what layman think.
I knew of a server rack physically in a Brussels Belgium datacenter that was for regulatory purposes declared to be Luxemburg territory (as Luxemburg at the time had specific rules on domestic data processing).
I tried to use ProtonVPN when I switched over to ProtonMail a year ago. But so much of the web does not work when you're on a VPN. For example even HackerNews has VPN restrictions. More and more sites know where VPN endpoints originate. How will VPNs prevent this in the future without them just become easy to block?
It’s better than most VPNs, but the amount of Cloudflare challenges I get is really annoying.
It’s a little weird because Apple has device attestation which is run via Cloudflare and Fastly. You’d think that would get you around the challenges, but that doesn’t seem to happen.
You should only get more challenges with VPN if the VPN users are abusing the websites. I actually get fewer CF challenges with NordVPN than without it.
It’s not a VPN service in the usual sense, and does not allow you to change locations, and they also have a mapping of IP addresses and the served geographical users.
I also assume being a service that requires an expensive device and that the browsing happen through Safari limits the abuse somewhat.
There are working end-points and they tend to be stable. If you find a Mullvad server which works with Reddit, you can configure a socks5 proxy for a Firefox container assigned to Reddit (or any domain). This way, Reddit will always use the connection of the working route and your general internet experience isn't affected otherwise. Eg. you can still switch around connections to find a working one for Youtube... Don't forget about this setting, since sometimes a Mullvad server is down temporarily and the container's assigned domains won't resolve (usually enough to count up/down the Mullvad proxy id). This will also prevent you from accessing Reddit without a Mullvad VPN connection.
My bank app forces me to turn my VPN off. I’m not going to change my bank over that and I imagine most others do the same anyway or will eventually. I imagine many sites and services will just continue go “we’re gonna break this thing you need until you turn the vpn off.”
They can ban VPNs and Tor because it's affordable. Most of their users aren't using VPNs or Tor. Get enough people to use VPNs and Tor and they'll suddenly become unable to drop the traffic.
The ideal world is one where everyone is using Tor. They can only discriminate against you if you're different from others. The idea behind Tor is to make everyone look like the same user. The anonymity set must be maximized for that to work.
Even worse is the Reddit approach, where leaving your VPN on will get your account shadow banned permanently. But you are not notified of that, so if you are wondering why nobody is replying to your comments, check in a private session if you can visit your profile page.
I wasn’t even aware of that, but it does not at all surprise me, since it fits right in with the trajectory Reddit has long been on; from freedom of information, to full spectrum thought control and digital psychological reprogramming dungeon.
Something like that happened to me, my 10+ year account and everything I've ever written just vanishing one morning. Even posts to a subreddit I moderate were repeatedly removed after every approval.
No idea why, (the "wrong" public Wi-fi?) but my appeal was granted and nothing was fixed.
Now I can't contact anyone, and the appeals page falsely claims that my account is in good standing and refuses to operate.
When I went looking for help from a throwaway account that I made many years ago for resume reviews, the exact same thing happened.
So at this point, I only lurk occasionally, because I'm not going to go through that social hell again, and it sounds like moderation failures have only gotten worse in the years since.
i can live without reddit and hackernews. i can't live without online banking, bill paying, insurance, healtchare portals, etc.
it is funny i have been probing HN for years, and i've found a number of cases when everything is normal, but i check the account from another device and it isn't there, or is free of posts despite having made many. yet i would do the same if i was an admin trying to keep a walled-garden free of trolls.
A better metaphor would be that Tor and VPNs are like wearing a mask in public. It's obvious that you're trying to be anonymous, but you're still wearing a mask, so no one knows who you are.
You may be denied entry to certain establishments, but some of the bouncers don't block all masks and if you're persistent with changing your mask (Tor or VPN exit node), there's a good chance you'll get in. CTRL+SHIFT+L works on Tor Browser to change your circuit. The linked article blocks Tor, but after pressing CTRL+SHIFT+L a few times, I was able to read it.
For the sites that don't let me view them via Tor, I can install FoxyProxy and try some IPs from the free public lists. Lots of sites that block Tor don't block these IPs, although it's a bit of a pain. Another option is to load an archived version of the site on archive.org or archive.md (or .is or the various different TLDs it uses).
As for HN - it sometimes gives a "Sorry." if you try to access a certain comment directly, but after a few tries it works. This account was created over Tor and I've only accessed it through Tor. I think my first comment was dead and someone vouched for it, but now my comments appear instantly.
I've heard that banking sites don't work over Tor, but I haven't had a need to use Tor for banking, as the bank already knows who I am pretty well.
Most of the big social media sites don't allow Tor, but if I wanted to create a fake account, I'd most likely buy a residential proxy.
So it's not that bad, considering what you get from Tor (and with some VPNs, depending on your threat model) - no tracking, anonymity and so on.
To continue on the analogy, many people using a VPN wear a mask but they also keep the same unique combination of clothes that they were wearing a few minutes earlier without a mask.
Pretty much for everything, except for things that are already tied to my real world identity like email and a few sites that know who I am.
It accomplishes 2 things:
* I'm not tracked as much. Less data points for the companies to gobble up.
* More Tor users lead to better anonymity for everyone as it's easier to blend in - you won't be the only one wearing a mask at the club every weekend.
I got used to the latency. It's not that bad. Some sites load instantly, others take 1-2 seconds. A few take a while.
Sites from one regional hosting provider in my country just don't load at all. I get "Server not found". I'm not sure how that works - are they blackholing an ASN or using something else with BGP?
The main issue for me is not the latency, though, but the CAPTCHAs and 403's (HTTP Forbidden). If I were to search for a recipe, for example, I'd open 5-10 of the results in new tabs (with the middle mouse button; idk why people use CTRL+click), then close the ones with "Attention Required" or "Forbidden" so I'm left with 3-5 usable sites. That way I always have something to read. When I open a few sites one after the other, at least one will usually load instantly.
I haven't used Tor without Whonix on Qubes OS for a while, so I'm not sure if the latency is different on a standard OS with just Tor Browser installed. My workflow is that I use disposable VMs for different things I do. Right now I have a VM with HN and a few links I've opened from it and another VM with other research I started earlier today that I plan on finishing a bit later. When I'm done with my HN session, I'll close this VM, which will destroy it. For me this compartmentalization is good not only for security and privacy, but for productivity, as well.
there was a talk about this at defcon maybe 7 years ago how even going to a tor entry node could get you disappeared in türkiye. same in china (it was something about ethically exploring networks in authoritarian regimes where even pinging a chinese address from the united states could get someone arrested... methinks harvard student was presenting it?)
As VPN usage proliferates such discrimination starts hurting sites more. For example, a VPN may be left on by a user for whatever reason and when the site they visit doesn't work or makes them jump through hoops they are less likely to visit the site in the future or view it with contempt and abandon it a soon as they are made aware of an alternative.
It takes time for sites to realize the danger, especially with mobile users where fiddling with a VPN is often more hassle than its worth and its just left always on. It's often a good idea to impersonate a mobile user agent for this reason as some sites (or perhaps cloudflare?) started treating them differently. The impersonation needs to be done well (SSL and HTTP fingerprints should also match mobile).
Usually, the more expensive the VPN offering the better the reputation of their IP's. Avoid VPNs that have any kind of free tier like the plague.
> less likely to visit the site in the future or view it with contempt and abandon it a soon
> fiddling with a VPN is often more hassle than its worth and its just left always on.
Not to saying this is wholly preferable, but I have often found this to be beneficial for me in that it tends to deter me from wasting disproportionate amounts of time on crap web content (either that, or HN wins over that remaining browsing time when it's not blocking me :)
The consumer VPN heyday has long passed. Most Mullvad endpoints i use are blocked in increasingly more places, including and especially reddit.
It's the only VPN I've tried thoroughly, so i don't know how they and Proton compare today (or, really, ever). The landscape has been degenerating across the board, I reckon.
From a datacenter IP, if the IP address is not shared with other users, you still get blocked from sites like Reddit, but you don't get most annoying captchas (for example on Google).
Yes and No. The internet sees it as a datacenter ip and some will degrade the experience based on that. Other are more strict and use a service like ipinfo.io (the op) to know exactly which Ip are used by a VPN provider and block access based on that list.
I am not sure that I really understand what they did. I am also missing some major VPNs in the list.
I currently use AirVPN but this has something to do with my use case and pricing.
> I am not sure that I really understand what they did.
They checked where the VPN exit nodes are physically located. A lot of them are only setting a country in the whois data for the IP, but do not actually put the exit node in that country.
Yes, I don't understand the advantage or disadvantage of this. Let's say I need a Colombian IP address, I would figure it out pretty quickly it this was not genuine, except if the geo-block protection would be fooled too.
Most of the "problem" countries are tiny places. Monaco, Andorra etc. It might be tough to rent a server there. And your list of clients should be minimal.
You can easily test this, of course -- the problem isn't that you, the user, cannot find out, it's that you pay for being able to use an endpoint in those countries and can't, because they don't exist.
It's not only small countries either, it affects much of Latin America, including Brazil (PIA's servers were in Miami for BR as well last time I checked). I've occasionally seen it also affect US states where e.g. Massachusetts would be served from Trenton, NJ.
> I would figure it out pretty quickly it this was not genuine, except if the geo-block protection would be fooled too.
It would (unless the blockers use this company's database I guess):
> The IP registry data also says “Country X” — because the provider self-declared it that way.
That could be good or bad depending on what you're using the VPN for. E.g. if you only care about evading stupid local laws like the UK's recent Think of the Children Act, then it's actually great because you can convince websites you're in Mauritius while actually getting London data centre speeds.
But if you want to legally be sending your traffic from another country then it's less great because you actually aren't. To be honest I can't really think of many situations where this would really make a difference since the exit point of your network traffic doesn't really matter legally. E.g. if a Chinese person insults their dear leader from a VPN exit node in the UK, the Chinese authorities are going to sentence them to just as much slavery as if they did it from a local exit point.
If the government is using the same fake data as the rest of the Internet you want to be using that fake data too. You want to be precise, not accurate. If the FBI records your endpoint as Iran and you say "I wasn't actually sending traffic from Iran, where there are sanctions, I was sending from London but my VPN provider lied on their WHOIS record", you will be in just as much trouble as if you were actually sending data from Iran.
Contrasting take: RTT and a service providing black box knowledge is not equivalent to knowledge of the backbone. To assume traffic is always efficiently routed seems dubious when considering a global scale. The supporting infrastructure of telecom is likely shaped by volume/size of traffic and not shortest paths. I'll confess my evaluation here might be overlooking some details. I'm curious on others' thoughts on this.
They don't have to assume that traffic is efficiently routed, on the contrary if they can have a <1ms RTT from London to a server, the speed of light guarantees that that server is not in Mauritius EVEN if the traffic was efficiently routed.
It just can't be outside England, just one 0.4ms RTT as seen here is enough to be certain that the server is less then 120 km away from London (or wherever their probe was, they don't actually say, just the UK).
RTT from a known vantage point gives an absolute maximum distance, and if that maximum distance is too short then that absolutely is enough to ascertain that a server is not in the country it claims to be.
One of our competitors was claiming a server in a middle eastern country we could not find any hosting in. So I figured out what that server's hostname was to do a little digging. It was >1ms away from my server in Germany.
I see I was mistaken, but I'm tempted to continue poking holes. Trying a different angle, though it may be a stretch, but could a caching layer within the VPN provider cause these sort of "too fast" RTTs?
Let's say you're a global VPN provider and you want to reduce as much traffic as possible. A user accesses the entry point of your service to access a website that's blocked in their country. For the benefit of this thought experiment, let's say the content is static/easily cacheable or because the user is testing multiple times, that dynamic content becomes cached. Could this play into the results presented in this article? Again, I know I'm moving goalposts here, but I'm just trying to be critical of how the author arrived at their conclusion.
This is about ping though, so presumably ICMP packets. There is no content to cache as the request is sent with random data that must be sent back in the reply.
It is very unlikely that VPN providers use convoluted caching systems just to make their ping replies appear to come from a different region than the one they claim to be in. It would be much more likely for them to add a little latency to their responses to make them more plausible, instead.
The speed of light provides a limit on distance for a given RTT, and taking the examples in the article which are less than 0.5ms and considering the speed of light (300km/ms) the measured exit countries must be accurate.
The speed of light in fiber which probably covers most of the distance is also even slower due to refraction (about 2/3).
Thanks for your informative reply. I see now I was approaching this incorrectly. I was considering drawing conclusions from a high RTT rather than a RTT so small it would be impossible to have gone the distance.
We (I work for IPinfo) talk about latency because it is a thread that you can start from when exploring our full depth of data.
We are the internet data company and our ProbeNet only represents a fraction of our investment. Through our ProbeNet, we run ping, traceoute, and other active measurements. Even with traceroute we understand global network topology. There are dozens and dozens of hints of data.
We are tapping into every aspect on the internet data possible. We are modeling every piece of data that is out there, and through research, we are coming up with new sources of data. IP geolocation is only product for us. Our business is mapping internet network topology.
We are hoping to work with national telecoms, ISPs, IXPs, and RIRs to partner with them, guiding and advising them about data-driven internet infrastructure mapping.
It was a great session and we received a lot of questions. We attend different NOG conferences regularly. ISPs are incentivized to help us by providing good data. Although we are agnostic about adversarial geofeeds, ISPs themselves need to work with us to ensure good quality of service to their users.
We already do quite a lot of outreach, in fact, most network engineers in the ISP industry across the world are familiar with us. But if any ISP operator has any feedback for us, we are only an email (or even a social media comment) away.
> ISPs are incentivized to help us by providing good data.
That's the entire problem in a nutshell. Good quality of service should not depend on every site I visit knowing my geographic location at the ZIP code or even street level (I've actually seen the latter occasionally).
I can somewhat understand the need for country-wide geoip blocking due to per-country distribution rights for media and whatnot, but when my bank does it, it just screams security theater to me.
That is why we have the IP to country level data available for free. As you have recognized the fact that country level data is good for security, we are willing to take a massive hit on potential revenue to allow everyone to use our country level data for free, even for commercial purposes. We literally built separate dedicated infrastructure that provides unlimited queries for our IP to Country data. We want to ensure that everyone has access to reliable data.
For us, based on active measurements, what we do is distribute IP addresses to more densely populated areas. The issue is that we are good at zip code level accuracy, but it is impossible for us to get street addresses correct for residential internet connections. Even if we get geographic coordinates fairly close to you, it is largely coincidental. Our accuracy radius goes as low as 5 KM.
However, consider hotels, conference centers, airports, train stations, etc., where large numbers of people gather and where there are a few public WiFi hotspots that usually remain in the same location. We can identify the exact building from those WiFi hotspot IP addresses.
We have approximately 1,200 servers in operation. Simply by knowing which data centers house our servers, we can reliably identify neighboring hosting IP addresses to the exact data center.
Can really spot someone who has never had to deal with OFAC with a comment like this. Even if I don't necessarily agree with the concept, or who is actually being blocked, my business is dead in the water if I'm a) sent to prison or b) fined out of existence.
Geographic IP information is one of our best tools to defend against those outcomes, and if anything it should be better.
On the other hand, GeoIP is arguably the reason you are in this situation in the first place, i.e., having to use it since it's there and everybody else is doing so as well.
Intentionally ambiguous regulations (in terms of how companies and individuals are expected to comply) backed by the existential threat of huge fines often lead to a race to the bottom in terms of false positives and collateral damage to non-sanctioned users.
If you were serious about limiting who uses your services you'd use an allowlist of ASNs. Even then, what about users using US-based residential proxies?
ASNs can obviously span multiple countries, and aren't a great way to gate this at all. While we block ASNs we KNOW are owned/operated by companies in limited countries, but I couldn't imagine a worse way to approach it at scale. Hate doing it, it's heavy-handed and wrong.
> Even if I don't necessarily agree with the concept, or who is actually being blocked, my business is dead in the water if I'm a) sent to prison or b) fined out of existence.
Is there some specific way we can get the laws like this to be gone? They're obviously useless (witness this very thread of people describing ways for anyone to get around them) and threatening people with destruction for not doing something asinine isn't the sort of thing any decent government should be doing.
With CGNAT becoming more widespread, formats like this might need expansion to include location data for ports. Ie. Port 10,000-20,000 are consumers in New york, port numbers 20000-30000 are in Boston, etc.
That is really interesting. I wonder if we have any internal data on this. I will check.
We are trying to work with ISPs everywhere, so if port level geolocation of the IP address is common, we surely need to account for that. I will flag this to the data team. To get the ball rolling, I would love to talk to an ISP operator who operates like this. If you know someone please kindly introduce me to them.
IPv4 addresses are not that scarce yet, and realistically any CG-NAT will have several IPv4 addresses per metro area, if only to allow for reasonable levels of geolocation (e.g. to not break the "pizza near me" search use case).
The ietf standardization was irrelevant so I would give them some slack. ISPs were using CGNAT already in a widespread fashion. The ietf just said, “if we’re gonna do this shit, at least stay out of the blocks used by private networks”.
Another related but non-VPN story related to IP geolocation:
Big techs (most notably Google) is using the location permission they have from the apps / websites on the user's phones / browsers to silently update their internal IP geolocation database instead of relying on external databases and claims of IP owners (geofeed etc). And this can be hyper-sensitive.
I was traveling back home in China last year and was using a convoluted setup to use my US apartment IP for US based services, LLM and streaming. Days into the trip and after coming back, I found that Google has been consistently redirecting me to their .hk subdomain (serving HK and (blocked by gov) mainland China), regardless of if I was logged in or not. The Gmail security and login history page also shows my hometown city for the IP. I realized that I have been using Google's apps including YouTube, Maps and so on while granting them geolocation permission (which I should not do for YouTube) in my iPhone while on the IP and in my hometown.
After using the same IP again in the US with Maps and so on for weeks and submitting a correction request to Google, it comes back to the correct city. (The tricks of restarting the modem / gateway, changing MAC address to get a new IP is not working somehow this time with my ISP)
Some of our (IPinfo) services are hosted on GCP, and because our service is widely used (with 2 trillion requests processed in 2024) people sometimes say they cannot access our service. It is usually due to how Google's device-based IP geolocation is used. The user's IP address is often mistakenly identified as being located in a country where Google does not offer service.
I have seen a Europe-based cloud hosting provider's IP ranges located in countries where Google does not provide service. This is because these IP ranges are used as exit nodes by VPN users in that country.
Device-based IP geolocation is strange. We prefer IP geolocation based on the last node's IP geolocation. We hope to collaborate with Google, Azure, and other big tech on this if they reach out to us.
Yeah happens to other “vpn” solutions like zero trust solutions like zscalar. Logs says the user in Buffalo, IP is in Toronto. Same for users on the southern border, us location and Mexican ip.
Zscaler enrages me with their use of the term "zero trust" in marketing, because due to their MitM-ing of TLS, they become a single-point-of-interception for all your organisation's traffic. "100%-trust" would better describe it for me, as you have to have 100% trust of Zscaler and anyone who has admin access to your organisation's admin account.
I use Mullvad through Tailscale’s exit‑node integration, and it’s awesome. They are the only provider I trust these days.
To highlight virtual routing: it’s useful in scenarios where a country blocks VPNs but you still need an IP from that country to browse local websites. In such cases, virtual routing comes in handy. For example, when India required all VPN servers in the country to log user traffic, Proton moved its Indian server to Singapore and used virtual networking tricks to continue offering an Indian IP address.
I work for IPinfo. I am not sure what routing tricks Proton uses. I have looked into the smart routing and stealth protocol related documentation. I am not sure if Proton does anything unique when it comes to IP location. I am not saying this officially, but I am just curious here.
'Virtual' VPN server geolocation involves informing IP geolocation providers that their Singaporean servers are located in India. We looked into data and latency-based locations, but the industry at large uses self-reported location information for their data. So, if you use a service that uses IP geolocation provider (that is not us) they will just tell them that the Singaporean IP address is located in India, because that is the information they have and they do not have any other ways to verify it. But at the end of the day, the location information is coming from the VPN itself.
I could be wrong, and there could be technology and technique I am missing, so I am happy to learn. The blog is written by our founder who is accessible to the Proton team if they want to share their feedback with us.
Most of these providers are in fact open about the fact that these locations are “virtual”, so it’s misleading to say they don’t match where they claim to be.
There is however an interesting question about how VPNs should be considered from a geolocation perspective.
Should they record where the exit server is located, or the country claimed by the VPN (even if this is a “virtual” location)? In my view there is useful information in where the user wanted to be located in the latter case, which you lose if you only ever report the location of servers.
(disclaimer: I run a competing service. we currently provide the VPN reported locations because the majority of our customers expect it to work that way, as well as clearly flagging them as VPNs)
Our product philosophy is centered on accuracy and reliability. We intentionally diverge from the broader IP geolocation industry's trust-based model. Instead of relying primarily on "aggregation and echo", we focus on evidence-backed geolocation.
Like others in the industry, we do ingest self-reported IP geolocation data, and we do that well. Given our scale and reputation, we receive a significant volume of feedback and guidance from network operators worldwide. We actively conduct outreach, and exchange ideas with ISPs, IXPs, and ASNs. We attend NOG events, participate in research conferences, and collaborate with academia. We have a community and launch hackathon events, which allow us to talk to all the stakeholders involved.
Where we differ is in who our core users are. Our primary user base operates at a critical scale, where compromises on data accuracy are simply not acceptable. For these users, IP geolocation cannot be a trust-based model. It must be backed by verifiable data and evidence.
We believe the broader internet ecosystem benefits from this approach. That belief is reflected in our decision to provide free data downloads, a free API with unlimited requests, and active collaboration with multiple platforms to make our data widely accessible. Our free datasets are licensed under CC-BY-SA 4.0, without an EULA, which makes integration, even for commercial use straightforward.
I appreciate you recognizing that our product philosophy is different. We are intentionally trying to differentiate ourselves from the industry at large, and it is encouraging to see competing services acknowledge that they are focused on a different model.
I can't connect to this site because my adblocker doesn't like it. It seems to be on the bad-domain-list https://www.cromite.org/filters/badblock_lite.txt.
Now is the question: is ipinfo.io on this list for a good reason?
That was actually a great article. For us, that is like a crowdsourced bug hunting program. We actually got duped ourselves, and we appreciate the author.
We added additional features for location hint modeling and selection for IPv6 networks. There are a handful of open engineering tickets to understand more about the entire internet infrastructure of the country. Of course, hosting a probe server out there would be helpful.
Using FreeBSD dummynet it’s possible to modify the characteristics of network traffic and emulate e.g. Somalia performance from a datacenter in France.
Extremely disappointed to see ProtonVPN in this list. Despite others claiming about their smart routing as being a disclaimer of sorts, I am still disappointed that it was never explicitly clear that our privacy was still at stake.
Is there any real-life situation in which this matters, though?
If you're picking a country so you can access a Netflix show that geolimits to that country, but Netflix is also using this same faulty list... then you still get to watch your show.
If you're picking a country for latency reasons, you're still getting a real location "close enough". Plus latency is affected by tons of things such as VPN server saturation, so exact geography isn't always what matters most anyways.
And if your main interest is privacy from your ISP or local WiFi network, then any location will do.
I'm trying to think if there's ever a legal reason why e.g. a political dissident would need to control the precise country their traffic exited from, but I'm struggling. If you need to make sure a particular government can't de-anonymize your traffic, it seems like the legal domicile of the VPN provider is what matters most, and whether the government you're worried about has subpoena power over them. Not where the exit node is.
Am I missing anything?
I mean, obviously truth in advertising is important. I'm just wondering if there's any actual harm here, or if this is ultimately nothing more than a curiosity.
Attempting to use a VPN location in Somalia and actually getting routed to an exit in Paris or London is not what I would consider "close enough". That's off by 3000 miles. That's like claiming to be in the Amazon Rainforest in Brazil while being in Montreal, Canada. And apparently 28% of locations are off by at least this much
And if I do it for privacy, the actual exit location seems very relevant. Even if I trust the VPN provider to keep my data safe (which for the record I wouldn't with the majority of this list), I still have to consider what happens to the data on either end of the VPN connection. I'm willing to bet money that any VPN data exiting in London is monitored by GCHQ, while an exit in Russia probably wouldn't be in direct view of NSA and GCHQ
> Is there any real-life situation in which this matters, though?
You’d be shocked at the number of people in regulated industries that thinks a VPN inherently makes them more secure. If you think your traffic exits in the US and it exits in Canada — or really anywhere that isn’t the US — that can cause problems with compliance, and possibly data domicile promises made to clients and regulators.
At minimum, not being able to rely on the provider that you are routing your client’s data through is a big deal.
Yes. Let’s take an extreme example: you think you exit in Japan, but you’re actually exiting in China. This means your traffic will be analyzed and censored by China.
The routers don’t care about where the provider says the IP comes from. If the packet travels through the router, it gets processed. So it very much matters if you do things that are legal in one country, but might not be in another. You know, one of the main reasons for using VPNs.
A more general case is for legal and SLAs. If a company uses one of these vpns to make sure their traffic only travels through a specific legal path, and then it's found that their traffic entered a different territory, there can be a lot of consequences.
The case I can think of most accessible would be anything that streams copywriten video.
I've wondered about jurisdiction in copyright for a while -- if I access a USA website from a Swedish server, make a copy on that server, then stream it to a French location for viewing all the while being in UK. Where has any crime/infringement occurred; which courts have jurisdiction?
Anyone know of any caselaw addressing these issues.
Are any VPN's getting China wrong? It would be pretty obvious. In fact, common VPN's I'm looking at don't even support China as an option. Obviously no VPN's are mixing countries up where it becomes clear from what you're allowed to browse.
But so "if you do things that are legal in one country, but might not be in another" is what I'm specifically asking about. Ultimately, legality is determined by the laws that apply to you, not the country your packets come out of. So I'm asking for a specific example.
And I already said, that if a site is attempting to determine permissions based on the country, it's doing so via the same list. E.g. when the country is actually Greenland, but you think it's the UK, and Netflix also thinks it's the UK. Which is why I'm saying, at the end of the day, is there any real consequence here? If both sender and receiver think it's the UK, what does it matter if it's actually Greenland?
China was just an example. Try to extrapolate on your own.
Take someone from Russia, Iran, wherever, trying to access information they aren't allowed to access, or sharing information they aren't allowed to share. They think they're connected to a neighboring country, but in reality are exiting from their own country. Therefore, the traffic gets analyzed and they fall out a window.
Imagine Snowden sharing information about the NSA while using a VPN that actually exited from the US. Things might have developed differently.
Yes, it won't matter for most services. But as soon as states or ISPs are involved, you're fucked if you get it wrong.
No need for the snark. Obviously we're not talking about somebody in Iran or Russia connecting to a VPN that just leads back into their own country, that would be idiotic. None of the VPN providers are providing anything like that. Those don't even make sense conceptually. A Western VPN provider that an Iranian or Russian is using isn't even legally allowed to operate nodes inside of Iran or Russia due to sanctions.
I'm talking about the realistic mix-ups that the article is using as examples. Where Somalia is actually going to France or something. That's why my original comment started with "Is there any real-life situation..."
No VPN providers are accidentally routing into an oppressive dictatorship.
Never heard of Windscribe but their homepage has "Become American" as a feature.
> Are you sick of not having access to foreign oil? Do you love using advanced weapons to fuck up someone’s day? Obsessed with manipulating your financial records to make yourself look more successful than you are?
Oh wow, I had no idea that “virtual location” is even a thing. Imo it should not, I don’t even see a use case for that, it just seems like straight-up lying about the traffic exit location.
Glad to see the provider I occasionally use, Mullvad, passed the test.
Many providers in the list, such as PIA, warn the user when a virtual location is chosen. The point is to get a wider range of countries. Most websites, such as YouTube and Netflix, are fooled by the virtual locations, so it works!
It depends on whether the VPN is lying to you. Proton, for example, makes them quite explicit in the software and even lists them for you here: https://protonvpn.com/support/how-smart-routing-works and seems like NordVPN also has a page explaining that.
I used a VPN that had a virtual location of China for a while, which avoided ads on some websites; China blocks those sites, so those sites don't have any ads in China, but the VPN exit wasn't actually in China so it could reach the sites fine.
I seriously don't quite understand the point of using a VPN that doesn't offer you clean residential IPs somehow (and I don't really know good VPN like that). Most services where I really want to use VPN are well aware of VPN IP blocks and just won't allow any of these famous VPNs (that I am aware of, at least). And services that don't care if it's my real IP or not… well, usually I don't really care about exposing them to my real IP either?
I mean, ok, there are use-cases. But commercial VPNs exist under specific premise, you know, and they just don't offer what they claim to be offering. Unfortunately.
I also use Mullvad VPN exclusively for my VPN needs. The fact I can get 6 months of access with a scratch card bought from a store & my account is just a random integer number is an example of privacy by design: no email, no phone numbers, no credit cards. I don't even do anything illegal, I'd just rather have a (what I feel) trusted option when I want to browse the Internet anonymously.
It doesn't defeat the point in my threat model. No one in the position to log my traffic knows who I am other than my source IP address (which is already enough to link it back to me anyway). So let's take Mullvad at their word that they don't log anything, what's the threat now?
Maybe Amazon are x-raying the card numbers before shipping them out to customers, but that would require Mullvad giving up the card number -> account number -> account number traffic logs. Not much of a threat there.
Maybe all amazon orders are funnelled somewhere and they correlate the fact I bought a VPN card with my home address, and then correlate my bandwidth into Mullvad IPs (gained from my ISP logs) with data leaving Mullvad but that's all very unlikely and very circumstantial.
I'm also not doing anything illegal so perhaps my threat model/level is lower than the 'average' VPN user.
Anyway, not to be a shill but honestly I am just completely won over with how Mullvad do business. I know that a VPN does not make you automatically 'private'/'anonymous' but just the way they do business makes me happy.
You can even just randomly generate such an ID number, write it on a piece of paper and enclose it with cash in one of several currencies, and post it to them.
But you have to get money into your crypto wallet somehow, which makes it relatively easy to deanonymize for most users (serious crypto privacy enthusiasts could of course pay cash for their crypto or perhaps mine it themselves) if they're looking at your traffic specifically, but hard if you're only worried about bulk collection.
IMO the coolest privacy option they have is to literally mail them an envelope full of cash with just your account's cash payment ID.
Back when I was doing that uber-shady business of torrenting, and this kind of VPN was much less-common than it is today, I paid for VPN access with crypto.
I'd gather a small amount of that up (however I did that), keep it in an offline wallet, and spend it on VPN service every now and then.
It just seemed like the right way to go about things.
(And then I lost that wallet, because of course I did, with about $14 worth of BTC in it. I didn't care enough at that time to see if I'd backed it up properly; I wasn't planning on using it for anything anymore anyway. That was in 2014 and those backups are waaaay gone now, but it'd be around $2k worth of BTC today -- plenty to buy some DDR5 RAM. Whoopsie-doodle!)
I know of links and have used it, but I don't think I've ever used links2.
Am I correct to assume that links2 is more of the same/better?
(Also: Your comment seems perfectly sane, but it was already marked as "flagged" by the time I saw it 18 minutes after it was submitted. I vouched for it.
But I wonder: Whose ruffles did you panty in order for your comments to land this way?)
The one I noticed was after the Texas porn age verification laws went into effect. Setting my VPN to be in Texas was different than when actually connecting to Texas when I visited.
And it's super easy to do. I had my own ASN and my own IPv4 and IPv6 address space, you basically just write whatever you want into RIPE Database objects (or ARIN, APNIC etc.) Today your IP space can be in one country, and tomorrow in a different one.
This seems like circumstantial evidence for most VPN providers mostly serving customers who are in the business of spreading targeted misinformation on social media.
Actually, most VPN providers explicitly label the virtual locations as such, I think the famous ones at least do it (ex: Proton and NordVPN even explain them in their respective docs).
No, the article does not make this conclusion at all! It was carefully written to highlight the nature of virtual locations of VPN exit nodes and does not make such conclusions.
The article is written by our founder, who is accessible to the VPN industry at large and is open to feedback and comments.
Ngl, I never knew that those IP location tools are actual companies with full time employees. I always assumed they were just made by some random guy in an afternoon by wrapping maxmind API. Interesting to hear that that's not the case (at least for ipinfo; maybe some of the consumer-oriented IP lookup websites are like that)
Our headcount is approximately 70 right now. Most of engineering consists of data engineers, researchers, and data scientists because data is our product. Then we have infrastructure engineering, software engineering, integration engineering, support engineering, solutions architects, mobile application engineering, UX/UI designers, website engineering, API engineering (separate from the website because of the volume of traffic we receive), a full commercial team with partnerships and sales, finance/accounting, legal and a marketing team. I think I am still forgetting some people. We also work closely with consultants who are foundational to the internet as a whole. We have an open hiring policy for the right talent.
More than a decade ago, when IPinfo launched, a lot of community interaction was done by our founder. Now, you have me in a full-time role talking to people. My role is literally called Developer Relations.
We are not just a IP geolocation company; we are an internet data company. IP geolocation and VPN detection are only products to us; the team and goal are actually quite huge.
well to be fair it's not always important to have the server at the geoip since a lot of the time you can measure the real latency of a user behind an ip address anyway.
the only important bit is that it is made clear whenever a given country falls under some category that allows things such as traffic analysis and cataloging.
it's actually often times preferrable to lie about the server location for lower latency access geo-blocked content, particulary when accessing US geo-restricted content in europe.
if you want true privacy you have to use special tools that not only obfuscate the true origin, but also bounce your traffic around (which most of these vpns provide as an option)
I get advertisements for VPN providers almost everywhere. I've never been interested, but I do subscribe to Mullvad via Tailscale. So, I'm thankful and appreciative that they did their due diligence and partnered with a reputable provider. I've been very happy with the service.
Edit: Welp. How could this possibly be my most downvoted comment. Am I not entitled to an opinion? I ain't no AI.
I work for IPinfo. We provide IP geolocation and VPN detection services. We identify which IP addresses are associated with a VPN and the actual location of the IP address.
We have not collaborated with any VPN companies for the report and have not even requested permission or pre-draft approvals. We had the data of what we were seeing and published a report based on that. We have published a ton of resources around the nature of VPN location in the past. Our focus is on data accuracy and transparency.
After the article was published, we received feedback from only a single VPN provider - Windscribe (https://x.com/ipinfo/status/1998440767170212025). I do not think anyone from Mullvad, iVPN, or any other VPN company has reached out to our team or our founder yet.
We are happy to take feedback and comments and are even open to a follow-up!
This was a dumb study, and if they'd asked the VPN providers, I'm sure someone would tell them why.
All the VPN providers I've used let you select the endpoint from a dropdown menu. I'm not using a VPN to make it appear I'm in Russia, I'm using it as one of many tools to help further my browsing privacy.
My endpoint is one of 2 major cities that are close to me. Could I pick some random 3rd world country? Sure! That isn't the goal. The goal is to prevent my mostly static IP address from being tied to sites I use every day.
EDIT:
Small point of clarification:
All the VPN providers I use have custom or 3rd party software that allows you to select a location for the VPN. All of the VPN providers I've used also select the location with the lowest ping times as a default. I suspect most folks are just sticking with the defaults. I certainly haven't strayed outside the US/EU for any of my attempts. I have occasionally selected an EU location for specific sites not available in the US, where I live, but beyond that?
That's great for you. But some people need to pick a specific country. People in different countries often get different prices for things like airline tickets or online subscriptions. Maybe you need to appear from a particular country to access certain media.
I mostly use it to avoid exposing my IP address too, but if I knew my VPN was comfortable with a little light fraud, I'd be concerned about what else they're comfortable with.
NordVPN calls out when a location is virtual, so unless ipinfo is claiming they have virtual locations that are not labelled as such, they are at least transparent about it. They did document the physical server locations of their virtual locations at launch, but I'm not sure if there's a live doc for new locations. https://nordvpn.com/blog/new-nordvpn-virtual-servers/
That may be your use case, but it by no means it's reflective of anyone else's. I live in a country that actively blocks and limits your connectivity to (ordinarily) public websites. Choosing an exit point that's in a different country is very relevant and important.
You are in the minority. Most folks that subscribe to VPNs are folks in the US, Canada, EU, and other "First World" countries. (I had a source a while back for something completely unrelated, however I didn't save it)
I'm not discounting you at ALL, I'm simply stating that the majority of traffic originate from these countries. Most of these folks just want to hide their IP address for various reasons. Privacy, Piracy, etc. Most don't care if it's in the next largest city, they just don't want it to appear to come from them.
Folks in countries like yours will likely pick endpoints to bypass the government. Folks up to nefarious stuff like cracking web sites, social media influencing, etc. will likely pick the target country more carefully. Anyone else? Whatever is the default.
I recognize this is a hard concept to understand for folks on this site, but the average joe signing up for a VPN doesn't even remotely understand what they are doing and why. They were pitched an idea as a way to solve privacy issues, block ads, etc. and they signed up for it. The software suggested a low latency link, and they went with the default.
The ads for a lot of VPN providers literally use scare tactics to sell the masses on the idea.
> I recognize this is a hard concept to understand for folks on this site, but the average joe signing up for a VPN doesn't even remotely understand what they are doing and why.
So what? This article isn’t for them and this isn’t a major news site for the general public, it’s a site for people who want or need to know how things work.
Last time I checked the UK was considered a first world country.
Edit: I commented earlier that I never considered myself part of the market that VPN companies hawk their services to. I've been living in the UK for 5 years now and the number of sites that have become unavailable to me are material and concerning for what their abolishment means for free speech. I'm as square as they come, if I feel this strongly you bet others do too.
> I recognize this is a hard concept to understand for folks on this site, but the average joe signing up for a VPN doesn't even remotely understand what they are doing and why.
Really this is the answer to half of the comments on this thread.
Re: random countries, sometimes with PIA the Panama exit has a crazily low ping time (I'm physically in California). I wonder what leads to it? Hawaii I can understand, there's a cable landing not far from my physical location, but Panama is a mystery to me.
I'm a co-founder at WonderProxy, we didn't make their list (we target people doing application testing, not consumer VPNs).
We're in 100+ countries, and I'll stand by that claim. It's a huge pain in the neck. In our early years we had a lot of problems with suppliers claiming to be in Mexico or South America who were actually just in Texas. I almost flew to Peru with a rackmount server in my luggage after weeks of problems, that plan died when we realized I'd need to figure out how to pay Peruvian income tax on the money I made in country before I could leave.
We've also had customers complaining that a given competitor had a country we'd had trouble sourcing in the Middle East. A little digging on our part and it's less than a ms away from our server in Germany.
I work for IPinfo. I have raised a ticket internally, but I think we focused on consumer VPNs for this test.
For our ProbeNet, we are attempting to reach 150 countries (by ISO 3166's definition). We are at around 530 cities. Server management is not an easy task. We do not ship hardware, but operate using dedicated servers, so this reduces one layer of complexity.
To maintain the authenticity of our server locations, we utilize cross-pings and network traffic behavior detection. If any abnormality is detected, the server will be immediately disabled to prevent polluting our data. There will be a ticket to investigate what went wrong.
We pay for each (excluding 3 to 4 servers where the owner and the team really likes us and insists on sponsoring) server. Expansion is an active effort for us, as there are 70k ASNs and about 100 more countries where we do not have a server.
We hope to partner with more ASNs, particularly residential ISPs and IXPs. So, a lot of effort is put into active outreach through WhatsApp, emails, social media and phone calls. We use a number of different data-based techniques to identify "leads".
Google, Apple, and Meta (maybe others?) have the data to build a complete GeoIP dataset. None of them will share because there are only downsides to doing so.
When FB was rolling out ipv6 in 2012, well meaning engineers proposed releasing a v6 only GeoIP db (at the time, the public dbs were shit). Not surprisingly, it was shot down.
We are always happy to work with large technology enterprises and streaming platforms, not necessarily to sell, but to share insights, data, and practical advice. We observe the entire internet through active measurements, and we are open to co-publishing research when it benefits the broader ecosystem.
Google/GCP is top of mind for me due to a recent engineering ticket. Some of our own infrastructure is hosted on GCP, and Google’s device-based IP geolocation model causes issues for internet users, particularly for IPv6 services.
From what we understand, when a large number of users from a censored country use a specific VPN provider, Google's device-based signals can bias the geolocation of entire IP ranges toward that country. This has direct consequences for accessibility to GCP-hosted services. We have seen cases where providers with German-based data centers were suddenly geolocated to a random country with strict internet censorship policies, purely due to device-based inference rather than network reality. Our focus is firmly on the geolocation of exit-node IPs, backed by network evidence.
https://community.ipinfo.io/t/getting-403-forbidden-when-acc...
We are actively looking to connect with someone at Google/GCP, Azure/Microsoft and others who would be willing to speak with us, or directly with our founder.
Our community consistently asks us to partner more deeply with enterprises because we are in constant contact with end users and network operators. To be honest, we do not even get many questions or issues. We are partners with a large CDN company, and I get one message about a month, which usually involves sharing evidence data and not fixing something.
From a large-scale organization's perspective, IP geolocation should not be treated as an internal project. It is a service. Delivering it properly requires the full range of engineering, sales, support, and personnel available around the clock to engage with users, evaluate evidence, and continuously incorporate feedback.
Do Cloudflare's floating egress IPs probe in a way where you can easily geolocate them?
https://blog.cloudflare.com/cloudflare-servers-dont-own-ips-...
> From what we understand, when a large number of users from a censored country use a specific VPN provider, Google's device-based signals can bias the geolocation of entire IP ranges toward that country.
Yep, this is a known effect.
How it seems to work is: Google uses Android phones as data harvesting probes. And when it sees that a lot of devices in a given IP range pick up on GPS data, Wi-Fi APs or cell tower IDs that are known to be located in Iran, and possibly other cues like ping to client devices or client device languages, timezones, search request contents, then the system infers "there's a network wormhole there with Iran on the other end", and the entire IP range grows legs and drifts towards Iran.
The owner of those IP addresses can mitigate the issue, mostly by shaping traffic or doing things to Google's system, but I know of no way for anyone else to do it.
They have a correction form but I am not sure if it is super robust: https://support.google.com/websearch/workflow/9308722?hl=en
I talked to someone who bought a /24 from South America to be used in the United States for office use. I asked him to tell everyone to get on WiFi and keep Google Maps running. Apparently, that solved the issue.
Google's GeoIP is creepy good. I noticed a while ago that for fixed or technically dynamic but rarely actually changing IPs, their IP geolocation eventually converges on the exact street address, presumably due to Google crowdsourcing geolocation from devices with GPS or Wi-Fi geolocation access, which is in turn crowdsourced from devices with both GPS and Wi-Fi.
It's pretty slow to converge though, as it needs enough data points so they cross some certainty threshold. Especially in the context of VPN exit points as the traffic comes from all over the world.
Google's GeoIP is rubbish for me. Often it's hundreds of kilometres off, and varies a lot even for a fixed IP.
As always with big corporations, if the experience is OK for 90% of people but absolutely sucks for 10% of people, then that's totally fine!
At my previous company we had a subscription to Spur Intelligence. It is like Palantir for IP address info, and probably the closest to what you are talking about.
They recently added GeoIP to their data and in the bit of testing I was able to do before I left it was scary good. I also had an amusing chat with one of their engineers at a conference about how you can spoof IPInfo's location probes...
> how you can spoof IPInfo's location probes...
Interesting. I would love to know how this is possible. Like with Geofeed or something else?
Could you use RIPE Atlas and its network of probes, at least to fill in areas where it's difficult to get your own probes?
That way everyone benefits.
We are actually a sponsor of RIPE Atlas and have a bunch of credits.
But I am not sure if we use them extensively. I think, as we own and operate the ProbeNet, much of the data collection efforts can be done through that in a scalable manner.
[dead]
I know multiple people who worked / working at Mullvad and they take their business, security and privacy _very_ seriously. Not surprised to see them shine here.
Coincidentally, Mullvad, Windscribe and IVPN all worked when I was in China behind GFW, while more popular options did not.
Seems like there are VPNs, and then there are VPNs.
I'm a bit curious about how that works. I love Mullvad but routinely I find sites like Reddit completely block it. Even yesterday someone posted a Debian wiki link[0] and I was blocked. It's not all of them but Reddit is a big killer. So I thought China would block all of them (aren't they known?)
Fwiw I'm not switching from mullvad
[0] https://news.ycombinator.com/item?id=46252366
Use the Tor Onion Service [1] for Reddit instead. You never leave Tor so you don't have to deal with the usual exit node problems. No need for a commercial VPN.
[1]: https://www.reddittorjg6rue252oqsxryoxengawnmo46qy4kyii5wtqn...
I've found the "visit anonymously" functionality offered by Startpage gets around the problem in a pinch. It tends to break the site you're visiting a little, but masks your IP, allowing you access without shutting down your VPN.
Yeah reddits weird because last I checked you can access it on TOR but not Mullvad ( though if you server hop enough you can usually slip through )
perhaps I shouldn't share my workaround, but I've found that Mullvad's Norway nodes consistently get past Reddit's IP-blocking :)
I use obscura—which routes through mullvad—and the reddit problem is very annoying.
I finally hit the point of searching for mirrors yesterday and turns out, they exist.[0]
It’s really only suitable for lurking or being able to view search results, but it has eased the pain a bit.
0: reddit-viewer.com
> It’s really only suitable for lurking
If you're not just lurking, log in and reddit doesn't block you.
While using mullvad reddit doesn’t block access if you’re signed in.
So, login without mullvad, turn it on after that and it should work.
The question is not "how do you make reddit work over mullvad".
The question is "if reddit can block mullvad why can't China".
There's a corollary to that question: why would China choose not to block Mullvad? We know every large nation with a capable online force maintains a fleet of ORBs, so maybe they consider Mullvad more useful for them as a functioning system?
Some of their own contractors may well depend on Mullvad. Perhaps as long as the overall "civilian" volume and user count remains acceptably low, the cost-benefit estimate may well be in favour of letting it slip by. (And for the civilians that do use a working variant, subject their connections to fine-grained traffic analysis.)
my current mullvad endpoint seems to be blocked by flathub (blocking package updates). nixos wiki is also blocked
How do other providers avoid this issue? Do they keep changing IPs or is the traffic that comes out of Mullvad worse in quality somehow?
I'd also like to know.
I'd also like to ask people not to block this way. It creates LOTS of false positives. There's much better ways to handle bots and this tactic seems particularly dumb for Reddit given they want users from places like China or elsewhere where a VPN might be required. Not to mention people using public WiFi. It's not like VPNs are uncommon these days.
If you must ban IPa then do so with a timeout and easing function. So that each hit results in a longer ban time. Bots want to move fast so even a few seconds ban time will make them switch IPs while not impacting most users (who will refresh)
From my experience, PIA VPN and Proton VPN also get blocked everywhere, from Reddit to captchas on Google Search.
PIA it’s one of the least trustworthy VPNs, highly recommend getting a different one.
They purchase residential traffic exit from botnets.
Any proof or articles you could link to backup that claim seems unlikely given their size/reputation also would be surprised they’d get blocked this often using botnet traffic
The person you're replying to is claiming that providers other than Mullvad avoid the being-blocked-by-reddit issue by using residential IPs.
It sort of worked for me, but it was very unreliable. I tried Proton and Astrill, both of which worked much better.
Mullvad is pretty good overall though.
Has anyone else from Europe noticed how Mullvad's speeds and latency have becoming worse and worse during peak times in the recent months? I now have to change servers regularly, which was never the case ~2 years ago.
When they wrote that 3 providers were honest about all locations I have to admit my first thought was "Mullvad, and who would the other two be?"
With their reputation and trackrecord they really can't do any shady tricks. Imagine if they weren't among the 3 honest providers? That would be HN frontpage news.
I knew they were going to pass the test before I even clicked the article link.
At risk of sounding sale pitch'y. Mullvad is the only VPN the longer I use the more I like it. I've tried MANY competitors first and all the other ones so far seem to only get worse over time.
I love that I can pay directly with a crypto wallet and have true anonymity.
I do really wish they still provided port forwarding, I understand why they don't but that was really useful and the only competitors that seem to don't exactly seem trustworthy to me.
Can also mail cash. But you get a 10% discount only on crypto.
> We accept the following currencies: EUR, USD, GBP, SEK, NOK, CHF, CAD, AUD, NZD.
Not a bad way to get rid of some spare currency lying about that you’ll incur a fee to localize anyway.
crypto is a public ledger. If someone wanted to find you, that's pretty easy target.
That depends how you obtained the crypto in the first place.
In any case, its certainly better than visa, but if you dont trust your vpn provider the real issue is they have your IP address and at best just a pinky-promise they dont log.
They can find your wallet, but if your wallet is not linked to you in an obvious way...
Not all digital currencies work that way.
They accept Monero too
Depending on crypto, and even on public ledger ones, there are ways to on-ramp cash to a new cold wallet.
For payments, a cold wallet affects only its security, never its transparency. When you pay from it, you expose an IP.
Windscribe and iVPN up there with Mullvad in TFA.
> Mullvad ... security and privacy _very_ seriously. Not surprised to see them shine here.
? TFA reflects on dishonest marketing on part of public VPN providers more than privacy / security.
That said, VPNs don't add much security, though, they are useful for geo unblocking content and (at some level) anti-censorship. In my experience, the mainstream public VPNs don't really match up to dedicated censorship-resistant networks run by Psiphon, Lantern, Tor (and possibly others).
Advertising a VPN endpoint in country A which in reality is in country B is a security concern for users trying to reduce their visibility to country B’s authorities. You’re right about the more fit to purpose tools, of course, but they’re more of an impediment to normal internet usage.
This article fails to distinguish between false claims and true claims - VPN providers sometimes explicitly mark some locations as virtual, so there is no mismatch between the claim and the real exist as the title says, because the original claim was never "Bahamas is a physical exit"
I'm a big VPN user since I am the citizen of one country and the resident of another. Even for government services I have to use a VPN. I tried to access the bureau of statistics of my home country through my foreign residential IP and got 404s on all pages. Enabled VPN and everything magically started working. For watching the election result video stream I also had to VPN but at least that one gave me a clear message. For doing taxes in my home country I then have to disable VPN since all VPN access is blocked but it's OK to use a foreign residential IP.
I would easily pay €30 a month for a VPN in my home country that uses a residential IP and isn't noticeable. I am aware that those exist, but 99% of them are shady.
Do you have friends or family in your home country that will run an AppleTV box with Tailscale for you as an exit node?
I can't get into work from a non-US IP, but I can Tailscale back to my house and it works just fine. I even gave my in-laws (who live several states away) an AppleTV box running TS just to have another endpoint if for some reason the power goes out at my house while I'm gone (rare, but happens).
Why do you need an AppleTV box and Tailscale for that? Use any PC (even a Raspberry Pi or any cheap "thin client") with Wireguard and you remove Apple and Tailscale from the equation entirely while keeping your setup 100% self-hosted.
Lots of people already have Apple TVs and the Tailscale integration is pretty good and can serve as an always online exit node. So no new hardware required. Could even remotely walk a non-techie through the process without too much effort.
personally, I've just upgraded my family's wifi to Ubiquiti and can then use Tailscale Wireguard running on the gateway as a proxy! (with their permission)
Is it that common outside the us? I know of exactly one family here in Germany having Apple TV.
They’re not insanely common even in the US, since Roku and Android sticks are cheaper and I don’t live in a wealthy area, but they’re not hard to get or unheard of.
The distinction between AppleTV, the hardware, and Apple TV+, the streaming service, was lost on many. Now that they are “Apple TV 4K” hardware and “Apple TV” service, it’s even harder to convey the correct meaning.
I've never seen one in Poland.
It is in the UK, but I don’t think it is on the continent.
I don’t work in technology, so my knowledge base is almost certainly in the bottom 10% (or lower) of HN readers. I can install Linux, or a BSD, and following guides I can be reasonably certain that I am doing so safely, which puts me comfortably in the top 10% of all users out there.
It’s not what I’m comfortable setting up for myself that is the issue; I am willing to put up with oddities for something that is just for my convenience and amusement. The problem is what I am knowledgeable enough to fix from far away if and when it goes wrong, and how to explain to my very non-technical family how to access it.
I have a NAS, and I could roll my own with that (in fact it’s my exit node at home, because I’m fairly sure it has better encryption speed than the AppleTV), but when something I’m in charge of maintaining goes in someone else’s house, the last thing I want to spend my spare time doing is trying to diagnose and fix issues over the phone with people who don’t own a computer.
It’s not the perfect solution to every situation. It is reliant on Tailscale and Apple, and there are cheaper, more capable systems (like the RPi) out there if you have the knowledge and inclination to set them up. But it’s a very, very straightforward solution that is unobtrusive and easy to maintain and thus is extremely well-suited for my needs. I thought it might be for OP as well. Anyone who is willing to shell out €360 a year for a truly residential-IP VPN should at least be made aware that it’s an option.
> Wireguard and remove Apple and Tailscale from the equation entirely
I agree you could send them a preconfigured pi, but can we stop pretending talescale is just wireguard - there is a lot of convenience in the NAT traversal that you otherwise need router config and/or a publically routable server to achieve.
> but can we stop pretending talescale is just wireguard
That's precisely the issue. It introduces additional centralized dependencies and closed source components.
Good thing there’s headscale.
What is this AppleTV box running TS that you speak of? Sounds awesome.
Check out the instructions from Tailscale: https://tailscale.com/kb/1280/appletv
I’m reading that from a departure lounge.
Wish I’d read this a few hours ago and the AppleTV would be coming with me.
Doesn’t have to be an apple box either. A raspberry pi is what I’m using. I’m in the exact same situation, living in one country temporarily but citizen of another, and I have an exit point in my home country at my parents place on a raspberry pi. Basically any computer will work.
The advantage of the AppleTV is that it's basic consumer hardware that a lot of people have, that you can provide for them at a reasonably low cost if they don't, and that doesn't really require much in the way of tech skill for the person whose house it's in to keep it up to date. You don't even have to do anything to update versions - tvOS will do it automatically.
I can't find it right now but there was a post announcing the port to tvOS on their blog where a developer from the UK (but living in the US) talked about how it let him buy, configure, and ship a simple consumer box that uses little power and needs minimal hands-on maintenance to his parents' house as a replacement for a server he had been running in their house as a VPN endpoint for this sort of thing - so he could watch BBC, etc.
I wouldn't want to update a RPi that's in someone else's house on the other side of the ocean.
Android TV works great as well. I have it running on an old Chromecast that cost less than $50 new.
While I still prefer running a plain Wireguard VPN if possible (i.e. when there's a publicly reachable UDP port), the really big advantage of Tailscale over other solutions is that it has great NAT traversal, so it's possible to run a routing node behind all kinds of nasty topologies (CG-NAT, double NAT, restrictive firewalls etc.)
I have run into the firewall problems before. Even seen them that block authentication but -if already connected to the tailnet before joining the WiFi in question - will continue to pass data. OpenVPN would not connect and couldn’t handle the IP address switch.
At worst, I turn on phone hotspot, authenticate, then switch back to WiFi. A purely serendipitous discovery on my part, but a very welcome one.
Interesting, maybe they block the orchestration servers of Tailscale, but not the actual data plane (which is almost always P2P, i.e., it usually does not involve Tailscale servers/IPs at all)?
I built TunnelBuddy (tunnnelbuddy.net) just for this. I am the same: citizen of one country and resident of another. I have multiple friends and family where I am from. I get them to open tunnelbuddy (nobody needs to sign up), to share a one-off password (like TeamViewer) and I get to access the internet as if I was at their place.
Underneath, it uses WebRTC (the same tech as Google Meet). It is free to use, I just built to fix this problem that I have... I am quite surprised expats only get by using a traditional VPN whose IPs are known by online services...
Do you know anyone in that country who will let you stick an rPI behind their modem?
AppleTV has a Tailscale client that you can use an exit node. That's what I do to VPN back to home when I'm traveling.
AppleTV is pretty random and only vaguely incidental to the solution. Tailscale runs on computers. Basically anything will do. If you don't have a home server, just grab a cheap RPi or an old laptop. Or in a pinch drop it onto an old phone from your old phone drawer.
I think most here know that. What interests me is how easy to setup and maintain an appleTV is - you do nothing.
I love my Pi but sometimes I want life to be mindless easy.
I have been thinking about it but it is tricky from a legal standpoint. What I'm trying to arrange next time I visit is to have a secondary line installed at my parents place that is in my name. So that when I pull heavy traffic from that line it doesn't impact them and I can't get them in trouble for posting a message that isn't government approved.
Heavy traffic to access a bunch of gov websites? There's definitely more to your story then.
I'd say, anything heavy and random, use the general VPN and the rest use an rpi at your parents' home.
> Heavy traffic to access a bunch of gov websites? There's definitely more to your story then
They used government websites as an example, not to say that all of their traffic was to government websites.
No it’s his parents who don’t want him interfering with their thriving warez empire
Video. Live video
> I would easily pay €30 a month for a VPN in my home country that uses a residential IP and isn't noticeable. I am aware that those exist, but 99% of them are shady.
For residential IPs you can't even pay per month like normal VPNs, normally they charge per GB, usually over $2 usd per GB.
Damn, I’m throwing away hundreds of dollars per month.
And I can get a semi-anonymous cable internet connection too (if your line is “hot”, you could sign up with any address… not sure if it has to be under the same node or just the same city). Would be difficult, but not impossible, to track down which residence the shadow connection is coming from.
Prices are more in the 0.30$-0.45$ range if you know where to go, from my experience.
Is this be cause they're paying the residential proxy owners some of it?
Most of the people whose devices and connections are being used as residential proxy exit nodes are not aware of it.
They likely charge per GB because these residential connections are slow and limited compared to datacenter connections (doesn't help that they're often located in third world countries), and are often used for aggressive scraping, so charging a fixed monthly price would not be viable.
Probably safe to assume that yours is. Especially if a teenager is using your wifi.
I can assure you they are not.
Just get a sim card from home with roaming and use that data to access govt things?
Interesting to learn you can identify the real country/area of origin using probe latency. Though could this be simulated? Like what if the VPN IP just added 100ms-300ms of latency to all of its outgoing traffic? Ideally vary the latency based on the requesting IP's location. And also just ignore typical probe requests like ICMP (ping). And ideally all the IPs near the end of the traceroute would do all this too.
To use an example, 74.118.126.204 claims to be a Somalian IP address, but ipinfo.io identifies it as being from London based on latency. Compare `curl ipinfo.io/74.118.126.204/json` vs `curl ipwhois.app/json/74.118.126.204` to see. If that IP ignored pings and added latency to all outgoing packets, I wonder if that would stymie ipinfo's ability to identify its true origin.
There's quite a bit of effort in this space.
In my first job out of school, I did security work adjacent to fortune 50 banks and the (now defunct) startup I worked at partnered some folks working on Pindrop (https://www.pindrop.com/).
Their whole thing at the time was detecting when it was likely that a support call was coming from a region other than the one the customer was supposed to be in (read: fraudulent) by observing latency and noise on the line (the name is a play on "We're listening closely enough to hear a pin drop".)
Long story short, it's a lot more than just the latency that can clue someone in on the actual source location, and even if you introduce enough false signal to make it hard to identify where you actually are, it's easy to spot that and flag you as fake, even if it's hard to say exactly what the real source is.
I work for IPinfo.
We also run traceroutes. Actually, we run a ton of active measurements from our ProbeNet. The amount of location data we process is staggering.
https://ipinfo.io/probenet
Latency is only one dimension of the data we process.
We are pinging IP addresses from 1,200+ servers from 530 cities, so if you add synthetic latency, chances are we can detect that. Then the latency-related location hints score will go down, and we will prioritize our dozens of other location hints we have.
But we do welcome to see if anyone can fool us in that way. We would love to investigate that!
Do you run traceroutes and pings in both directions?
In the case of a ping you might think it shouldn't matter but I can imagine a world where a VPN provider configures a server in London to route traffic via Somalia only when a user establishes a connection to the "Somalia" address of the server. You could only test this if you did a traceroute/ping through the VPN.
And I'm not saying this is what's happening but if you just ping the IP from your infra, couldn't stuff like anycast potentially mess you up?
In the case of traceroutes, you only see the route your traffic takes to the VPN, you don't see the route it takes to get back to you, which I think is really important.
We run traceroutes and latency measurements from many different locations, so we are looking at aggregate behavior rather than any single path. When you combine data from hundreds of ProbeNet PoPs over time, asymmetric routing mostly shows up as noise. When that happens, latency based hints lose weight and we lean more on other signals.
We have seen this in practice. For example, when we deployed servers in Gambia, even traffic between local networks often left the country and came back due to limited peering and little use of the national IXP. Stil, the overall routing patterns were still learnable once you look at enough paths.
For VPNs, we are measuring the location of the endpoint IP itself, not user traffic inside a tunnel. If routing only changes after a tunnel is established, that is a service level behavior, not the network location of the IP.
Anycast and tunneling are things we explicitly detect. They tend to create clear patterns like latency clustering or unstable paths, and when we see those and flag them as anycast IPs by defaulting to their geofeed location.
See the classic: https://ipinfo.io/1.1.1.1
Ideally, there'd be a way to subtract lag. (A non-causal network switch? Would be big business...)
This can fool someone from one location and only in one way (if you are near Somalia and expect a 10ms latency, a virtual VPN can't reduce latency to simulate been in Somalia). So it have to be dynamic to fool multiple locations to stay probable.
But anyway, *you can't fool the last-hop latency* (unless you control it, but you can control all of it), and basically it impossible to fool that.
Does this really work? I would think the ping time would not be dominated by speed of light, but by number of hops, and connection quality.
As a hypothetical example, an IP in a New York City data center is likely to have a shorted ping to a London data center, than a rural New York IP address.
The speed of light sets a minimum bound even if you don't account for that, and these are coming up less than the minimum bound.
It also reminds me of this old story: https://web.mit.edu/jemorris/humor/500-miles
Would be even slower as the light will travel slower in the optical fiber and there will be time associated with each repeater as well.
That is a great one!
It's possible to deduce password hashes by timing responses over the internet if the server isn't using constant time comparison. Noise is just that, a noise.
It isn't just latency, but "triangulation".
u/reincoder, https://news.ycombinator.com/item?id=37507355Once you know the exit IP you can just find network(s) advertising it.
The VPN provider only controls their network, not their upstream.
So you can set minimum latency on your responses. But your upstream networks won't be doing this.
with enough packets you can trilaterate an approximate locatuon. adding random jitter will just delay it a bit.
More than a bit!
If you 300ms latency then yes, you defeat this detection mechanism.
Only if the detection mechanism is looking at that single IP and from a single location.
Find the ASN(s) advertising that network and figure out their location.
Even within the ASN there may still be multiple hops, and those IPs may be owned by others (eg the hosting facility) who are not playing the same latency games.
We operate servers for the purpose of measuring the internet using a wide variety of methods. We have more than 1,200 of these servers distributed across 530 cities, running not only ping but traceroute and many other types of active measurements.
In addition to active measurement and research, there are many other sources of data we use. Also, we are actively investing in R&D to develop new sources. Adding just 300ms of latency at the end of an IP address would simply appear as noise to us. We have dozens of locations, hints cut through the noise.
We welcome people to try to break the system. Perhaps it is possible to dupe this system.
Not that simple.
If they added latency to all packets then London would still have the lowest latency.
If you ping it from UK and it ping >10ms then you know its there. And you are triangulating from multiple countries.
You could vary the additional latency based on the location of the IP you're replying to? Or just hash the requesting IP and use that as a seed to generate that particular IP's random extra latency that always stays the same for that IP. Which feels like enough to make triangulation hard. Though I'm just spitballing.
ProtonVPN clearly marks these “virtual locations” in their UIs as “smart routing”, so there really isn’t any deception here https://protonvpn.com/support/how-smart-routing-works
It's not marked in the Chrome extension UI.
That seems reasonable, but they seem to be suffering their own problem with UI and UX design by not making that inherently clearer.
I was getting a bit disappointed about Proton based on this evaluation even though the only problem I’ve had is their really lacking client UI/UX. They should make that visualization clearer. I don’t know the answer, but maybe offering a toggle or expansion for virtualized servers, might be a step in the right direction.
The design issues seems to be a common challenge with proton. The VPN client functions, but it is really grating how basic it is. You can’t even sort, let alone filter servers by load, let alone performance; so you’re scrolling through hundreds of servers. You can’t add regions or even several servers to create a profile with a priority, you have to pick a single server, among hundreds if not thousands in some countries. Oh, and as you’re scrolling through hundreds of servers for a single country, it’s a view of something like 10 lines high.
It’s bonkers
Back in 2022 I published a doc on how the egress IPs work at Cloudflare:
https://blog.cloudflare.com/cloudflare-servers-dont-own-ips-...
In summary, the location at which an IP egresses Cloudflare network has nothing to do with the geo-ip mapping of that IP. In some cases the decision on where to egress is optimised for "location closest to the user", but this is also not always true.
And then there is the Internet. Often some country (say Iran) egresses from a totally different place (like Frankfurt) due to geopolitics and just location of cables.
So, there is a dashboard internally for that. When we do ProbeNet PoP assessment, we have a high-level overview of the frequent and favored connections. We have a ton of servers in Africa, and there is a strong routing bias towards France, Germany, and the UK instead of neighboring connections.
Everyone in our engineering and leadership is very close with various CDN companies. We do echo this idea to them. It is not IP geolocation; we actually have a ton of routing data they can use.
As per report, 3 providers do not lie.
I searched VPN which payed in crypto and OSS friendly. Mullvad and IVPN were in list, and these also do not lie about exits.
IVPN bought me with very deep transparency into company and WRT support, on top of Linux and Android.
I get maximal longest sub in one payment.
Mullvad is under North EU jury, IPVN under Gibraltar(which is nor exactly UK). So decided offshore like place also more safe against VPN control attempts.
Searched for decentralized VPNs(like TOR, but you pay for speed and do not care onions) some time ago too, we are not there yet.
Just an aside, and not trying to excuse the potential VPN operator's misrepresentation.
Regulatory accepted establishment of "country" location might not always be what layman think.
I knew of a server rack physically in a Brussels Belgium datacenter that was for regulatory purposes declared to be Luxemburg territory (as Luxemburg at the time had specific rules on domestic data processing).
I tried to use ProtonVPN when I switched over to ProtonMail a year ago. But so much of the web does not work when you're on a VPN. For example even HackerNews has VPN restrictions. More and more sites know where VPN endpoints originate. How will VPNs prevent this in the future without them just become easy to block?
Apple, for better or worse, has been able to use their size to pressure sites into accepting connections from their Private Relay service.
If VPN usage becomes the norm, sites will have to give in eventually.
It’s better than most VPNs, but the amount of Cloudflare challenges I get is really annoying.
It’s a little weird because Apple has device attestation which is run via Cloudflare and Fastly. You’d think that would get you around the challenges, but that doesn’t seem to happen.
You should only get more challenges with VPN if the VPN users are abusing the websites. I actually get fewer CF challenges with NordVPN than without it.
Presumably Cloudflare's answer to that would be to use Cloudflare warp. (i.e. they're not a neutral party.)
It’s not a VPN service in the usual sense, and does not allow you to change locations, and they also have a mapping of IP addresses and the served geographical users.
I also assume being a service that requires an expensive device and that the browsing happen through Safari limits the abuse somewhat.
Only one I have issues with is Ticketmaster, other than that I forget that it’s even on all the time
I can’t access Reddit on Mullvad via Tailscale
There are working end-points and they tend to be stable. If you find a Mullvad server which works with Reddit, you can configure a socks5 proxy for a Firefox container assigned to Reddit (or any domain). This way, Reddit will always use the connection of the working route and your general internet experience isn't affected otherwise. Eg. you can still switch around connections to find a working one for Youtube... Don't forget about this setting, since sometimes a Mullvad server is down temporarily and the container's assigned domains won't resolve (usually enough to count up/down the Mullvad proxy id). This will also prevent you from accessing Reddit without a Mullvad VPN connection.
Socks5 proxy addresses can be found here: https://mullvad.net/en/servers
You need to prefix them with 'socks://'.
This is a good shout. Thanks!
[dead]
My bank app forces me to turn my VPN off. I’m not going to change my bank over that and I imagine most others do the same anyway or will eventually. I imagine many sites and services will just continue go “we’re gonna break this thing you need until you turn the vpn off.”
You can split tunnel most VPNs to let the bank through.
Not sure I can on an iPhone but yes on my desktop I’ve done that
They can ban VPNs and Tor because it's affordable. Most of their users aren't using VPNs or Tor. Get enough people to use VPNs and Tor and they'll suddenly become unable to drop the traffic.
The ideal world is one where everyone is using Tor. They can only discriminate against you if you're different from others. The idea behind Tor is to make everyone look like the same user. The anonymity set must be maximized for that to work.
thank you. that is a really good point. the economic incentive! i will keep using mine!
Even worse is the Reddit approach, where leaving your VPN on will get your account shadow banned permanently. But you are not notified of that, so if you are wondering why nobody is replying to your comments, check in a private session if you can visit your profile page.
Had exactly this with reddit.
I wasn’t even aware of that, but it does not at all surprise me, since it fits right in with the trajectory Reddit has long been on; from freedom of information, to full spectrum thought control and digital psychological reprogramming dungeon.
Check reddit.com/appeals some time after creating an account. If you are auto shadow banned, you can appeal.
Something like that happened to me, my 10+ year account and everything I've ever written just vanishing one morning. Even posts to a subreddit I moderate were repeatedly removed after every approval.
No idea why, (the "wrong" public Wi-fi?) but my appeal was granted and nothing was fixed.
Now I can't contact anyone, and the appeals page falsely claims that my account is in good standing and refuses to operate.
When I went looking for help from a throwaway account that I made many years ago for resume reviews, the exact same thing happened.
So at this point, I only lurk occasionally, because I'm not going to go through that social hell again, and it sounds like moderation failures have only gotten worse in the years since.
It happened to me too. I'm better off without Reddit, I decided.
i can live without reddit and hackernews. i can't live without online banking, bill paying, insurance, healtchare portals, etc.
it is funny i have been probing HN for years, and i've found a number of cases when everything is normal, but i check the account from another device and it isn't there, or is free of posts despite having made many. yet i would do the same if i was an admin trying to keep a walled-garden free of trolls.
How about not using Reddit at all? It's awful.
Same issue exists with Tor exit nodes. It’s anonymous in that you have a hoodie on with a giant spotlight right on you.
A better metaphor would be that Tor and VPNs are like wearing a mask in public. It's obvious that you're trying to be anonymous, but you're still wearing a mask, so no one knows who you are.
You may be denied entry to certain establishments, but some of the bouncers don't block all masks and if you're persistent with changing your mask (Tor or VPN exit node), there's a good chance you'll get in. CTRL+SHIFT+L works on Tor Browser to change your circuit. The linked article blocks Tor, but after pressing CTRL+SHIFT+L a few times, I was able to read it.
For the sites that don't let me view them via Tor, I can install FoxyProxy and try some IPs from the free public lists. Lots of sites that block Tor don't block these IPs, although it's a bit of a pain. Another option is to load an archived version of the site on archive.org or archive.md (or .is or the various different TLDs it uses).
As for HN - it sometimes gives a "Sorry." if you try to access a certain comment directly, but after a few tries it works. This account was created over Tor and I've only accessed it through Tor. I think my first comment was dead and someone vouched for it, but now my comments appear instantly.
I've heard that banking sites don't work over Tor, but I haven't had a need to use Tor for banking, as the bank already knows who I am pretty well.
Most of the big social media sites don't allow Tor, but if I wanted to create a fake account, I'd most likely buy a residential proxy.
So it's not that bad, considering what you get from Tor (and with some VPNs, depending on your threat model) - no tracking, anonymity and so on.
To continue on the analogy, many people using a VPN wear a mask but they also keep the same unique combination of clothes that they were wearing a few minutes earlier without a mask.
Do you use Tor for everything? How do you deal with the latency?
Pretty much for everything, except for things that are already tied to my real world identity like email and a few sites that know who I am.
It accomplishes 2 things:
* I'm not tracked as much. Less data points for the companies to gobble up.
* More Tor users lead to better anonymity for everyone as it's easier to blend in - you won't be the only one wearing a mask at the club every weekend.
I got used to the latency. It's not that bad. Some sites load instantly, others take 1-2 seconds. A few take a while.
Sites from one regional hosting provider in my country just don't load at all. I get "Server not found". I'm not sure how that works - are they blackholing an ASN or using something else with BGP?
The main issue for me is not the latency, though, but the CAPTCHAs and 403's (HTTP Forbidden). If I were to search for a recipe, for example, I'd open 5-10 of the results in new tabs (with the middle mouse button; idk why people use CTRL+click), then close the ones with "Attention Required" or "Forbidden" so I'm left with 3-5 usable sites. That way I always have something to read. When I open a few sites one after the other, at least one will usually load instantly.
I haven't used Tor without Whonix on Qubes OS for a while, so I'm not sure if the latency is different on a standard OS with just Tor Browser installed. My workflow is that I use disposable VMs for different things I do. Right now I have a VM with HN and a few links I've opened from it and another VM with other research I started earlier today that I plan on finishing a bit later. When I'm done with my HN session, I'll close this VM, which will destroy it. For me this compartmentalization is good not only for security and privacy, but for productivity, as well.
there was a talk about this at defcon maybe 7 years ago how even going to a tor entry node could get you disappeared in türkiye. same in china (it was something about ethically exploring networks in authoritarian regimes where even pinging a chinese address from the united states could get someone arrested... methinks harvard student was presenting it?)
As VPN usage proliferates such discrimination starts hurting sites more. For example, a VPN may be left on by a user for whatever reason and when the site they visit doesn't work or makes them jump through hoops they are less likely to visit the site in the future or view it with contempt and abandon it a soon as they are made aware of an alternative.
It takes time for sites to realize the danger, especially with mobile users where fiddling with a VPN is often more hassle than its worth and its just left always on. It's often a good idea to impersonate a mobile user agent for this reason as some sites (or perhaps cloudflare?) started treating them differently. The impersonation needs to be done well (SSL and HTTP fingerprints should also match mobile).
Usually, the more expensive the VPN offering the better the reputation of their IP's. Avoid VPNs that have any kind of free tier like the plague.
> less likely to visit the site in the future or view it with contempt and abandon it a soon
> fiddling with a VPN is often more hassle than its worth and its just left always on.
Not to saying this is wholly preferable, but I have often found this to be beneficial for me in that it tends to deter me from wasting disproportionate amounts of time on crap web content (either that, or HN wins over that remaining browsing time when it's not blocking me :)
ProtonVPN stinks. Websites refuse to load and I get autobanned on Reddit etc.
Mullvad just worked everywhere. I'm going back when my year plan on Proton ends.
The consumer VPN heyday has long passed. Most Mullvad endpoints i use are blocked in increasingly more places, including and especially reddit.
It's the only VPN I've tried thoroughly, so i don't know how they and Proton compare today (or, really, ever). The landscape has been degenerating across the board, I reckon.
Same. If this is the situation then what is the use case for most "average" consumers?
I wonder if using the wifi at a data center has the same broken browsing experience as using a VPN
From a datacenter IP, if the IP address is not shared with other users, you still get blocked from sites like Reddit, but you don't get most annoying captchas (for example on Google).
Yes and No. The internet sees it as a datacenter ip and some will degrade the experience based on that. Other are more strict and use a service like ipinfo.io (the op) to know exactly which Ip are used by a VPN provider and block access based on that list.
I am not sure that I really understand what they did. I am also missing some major VPNs in the list. I currently use AirVPN but this has something to do with my use case and pricing.
Why do you want to use a VPN?
- Privacy
- Anonymity (hint: don't!)
- unblock geolocation
- torrents
- GFC
The last point is the hardest.
https://expatcircle.com/cms/privacy/vpn-services/
I work at IPinfo, thanks for your comment/feedback. We will be expanding this research to include more VPNs next year.
> I am not sure that I really understand what they did.
They checked where the VPN exit nodes are physically located. A lot of them are only setting a country in the whois data for the IP, but do not actually put the exit node in that country.
Yes, I don't understand the advantage or disadvantage of this. Let's say I need a Colombian IP address, I would figure it out pretty quickly it this was not genuine, except if the geo-block protection would be fooled too.
Most of the "problem" countries are tiny places. Monaco, Andorra etc. It might be tough to rent a server there. And your list of clients should be minimal.
You can easily test this, of course -- the problem isn't that you, the user, cannot find out, it's that you pay for being able to use an endpoint in those countries and can't, because they don't exist.
It's not only small countries either, it affects much of Latin America, including Brazil (PIA's servers were in Miami for BR as well last time I checked). I've occasionally seen it also affect US states where e.g. Massachusetts would be served from Trenton, NJ.
> I would figure it out pretty quickly it this was not genuine, except if the geo-block protection would be fooled too.
It would (unless the blockers use this company's database I guess):
> The IP registry data also says “Country X” — because the provider self-declared it that way.
That could be good or bad depending on what you're using the VPN for. E.g. if you only care about evading stupid local laws like the UK's recent Think of the Children Act, then it's actually great because you can convince websites you're in Mauritius while actually getting London data centre speeds.
But if you want to legally be sending your traffic from another country then it's less great because you actually aren't. To be honest I can't really think of many situations where this would really make a difference since the exit point of your network traffic doesn't really matter legally. E.g. if a Chinese person insults their dear leader from a VPN exit node in the UK, the Chinese authorities are going to sentence them to just as much slavery as if they did it from a local exit point.
If the government is using the same fake data as the rest of the Internet you want to be using that fake data too. You want to be precise, not accurate. If the FBI records your endpoint as Iran and you say "I wasn't actually sending traffic from Iran, where there are sanctions, I was sending from London but my VPN provider lied on their WHOIS record", you will be in just as much trouble as if you were actually sending data from Iran.
Contrasting take: RTT and a service providing black box knowledge is not equivalent to knowledge of the backbone. To assume traffic is always efficiently routed seems dubious when considering a global scale. The supporting infrastructure of telecom is likely shaped by volume/size of traffic and not shortest paths. I'll confess my evaluation here might be overlooking some details. I'm curious on others' thoughts on this.
They don't have to assume that traffic is efficiently routed, on the contrary if they can have a <1ms RTT from London to a server, the speed of light guarantees that that server is not in Mauritius EVEN if the traffic was efficiently routed.
It just can't be outside England, just one 0.4ms RTT as seen here is enough to be certain that the server is less then 120 km away from London (or wherever their probe was, they don't actually say, just the UK).
RTT from a known vantage point gives an absolute maximum distance, and if that maximum distance is too short then that absolutely is enough to ascertain that a server is not in the country it claims to be.
We've got detailed global ping data here: https://wondernetwork.com/pings
One of our competitors was claiming a server in a middle eastern country we could not find any hosting in. So I figured out what that server's hostname was to do a little digging. It was >1ms away from my server in Germany.
I see I was mistaken, but I'm tempted to continue poking holes. Trying a different angle, though it may be a stretch, but could a caching layer within the VPN provider cause these sort of "too fast" RTTs?
Let's say you're a global VPN provider and you want to reduce as much traffic as possible. A user accesses the entry point of your service to access a website that's blocked in their country. For the benefit of this thought experiment, let's say the content is static/easily cacheable or because the user is testing multiple times, that dynamic content becomes cached. Could this play into the results presented in this article? Again, I know I'm moving goalposts here, but I'm just trying to be critical of how the author arrived at their conclusion.
This is about ping though, so presumably ICMP packets. There is no content to cache as the request is sent with random data that must be sent back in the reply.
It is very unlikely that VPN providers use convoluted caching systems just to make their ping replies appear to come from a different region than the one they claim to be in. It would be much more likely for them to add a little latency to their responses to make them more plausible, instead.
Assuming a secure connection this isn't possible without terminating TLS and re-negotiating.
The speed of light provides a limit on distance for a given RTT, and taking the examples in the article which are less than 0.5ms and considering the speed of light (300km/ms) the measured exit countries must be accurate.
The speed of light in fiber which probably covers most of the distance is also even slower due to refraction (about 2/3).
Thanks for your informative reply. I see now I was approaching this incorrectly. I was considering drawing conclusions from a high RTT rather than a RTT so small it would be impossible to have gone the distance.
We (I work for IPinfo) talk about latency because it is a thread that you can start from when exploring our full depth of data.
We are the internet data company and our ProbeNet only represents a fraction of our investment. Through our ProbeNet, we run ping, traceoute, and other active measurements. Even with traceroute we understand global network topology. There are dozens and dozens of hints of data.
We are tapping into every aspect on the internet data possible. We are modeling every piece of data that is out there, and through research, we are coming up with new sources of data. IP geolocation is only product for us. Our business is mapping internet network topology.
We are hoping to work with national telecoms, ISPs, IXPs, and RIRs to partner with them, guiding and advising them about data-driven internet infrastructure mapping.
> I'll confess my evaluation here might be overlooking some details.
Yeah like... physics. If you're getting sub-millisecond ping times from London you aren't talking to Mauritius.
While exits matter to avoid countries with a nation-wide firewall, the geoip industry is a scourge.
If an ISP wants to help their users avoid geoblocking via https://www.rfc-editor.org/rfc/rfc8805.html more power to them.
We (IPinfo) attended the IETF 3-day workshop on IP geolocation. Our presentation was about geofeed that can be viewed here: https://youtu.be/l8PR7VCmA3Q?si=dG-00UqljTopBquF&t=372.
It was a great session and we received a lot of questions. We attend different NOG conferences regularly. ISPs are incentivized to help us by providing good data. Although we are agnostic about adversarial geofeeds, ISPs themselves need to work with us to ensure good quality of service to their users.
We already do quite a lot of outreach, in fact, most network engineers in the ISP industry across the world are familiar with us. But if any ISP operator has any feedback for us, we are only an email (or even a social media comment) away.
> ISPs are incentivized to help us by providing good data.
That's the entire problem in a nutshell. Good quality of service should not depend on every site I visit knowing my geographic location at the ZIP code or even street level (I've actually seen the latter occasionally).
I can somewhat understand the need for country-wide geoip blocking due to per-country distribution rights for media and whatnot, but when my bank does it, it just screams security theater to me.
That is an excellent point!
That is why we have the IP to country level data available for free. As you have recognized the fact that country level data is good for security, we are willing to take a massive hit on potential revenue to allow everyone to use our country level data for free, even for commercial purposes. We literally built separate dedicated infrastructure that provides unlimited queries for our IP to Country data. We want to ensure that everyone has access to reliable data.
For us, based on active measurements, what we do is distribute IP addresses to more densely populated areas. The issue is that we are good at zip code level accuracy, but it is impossible for us to get street addresses correct for residential internet connections. Even if we get geographic coordinates fairly close to you, it is largely coincidental. Our accuracy radius goes as low as 5 KM.
However, consider hotels, conference centers, airports, train stations, etc., where large numbers of people gather and where there are a few public WiFi hotspots that usually remain in the same location. We can identify the exact building from those WiFi hotspot IP addresses.
We have approximately 1,200 servers in operation. Simply by knowing which data centers house our servers, we can reliably identify neighboring hosting IP addresses to the exact data center.
Can really spot someone who has never had to deal with OFAC with a comment like this. Even if I don't necessarily agree with the concept, or who is actually being blocked, my business is dead in the water if I'm a) sent to prison or b) fined out of existence.
Geographic IP information is one of our best tools to defend against those outcomes, and if anything it should be better.
On the other hand, GeoIP is arguably the reason you are in this situation in the first place, i.e., having to use it since it's there and everybody else is doing so as well.
Intentionally ambiguous regulations (in terms of how companies and individuals are expected to comply) backed by the existential threat of huge fines often lead to a race to the bottom in terms of false positives and collateral damage to non-sanctioned users.
If you were serious about limiting who uses your services you'd use an allowlist of ASNs. Even then, what about users using US-based residential proxies?
ASNs can obviously span multiple countries, and aren't a great way to gate this at all. While we block ASNs we KNOW are owned/operated by companies in limited countries, but I couldn't imagine a worse way to approach it at scale. Hate doing it, it's heavy-handed and wrong.
ASNs aren’t going to cut it. Google “residential proxies”
> Even if I don't necessarily agree with the concept, or who is actually being blocked, my business is dead in the water if I'm a) sent to prison or b) fined out of existence.
Is there some specific way we can get the laws like this to be gone? They're obviously useless (witness this very thread of people describing ways for anyone to get around them) and threatening people with destruction for not doing something asinine isn't the sort of thing any decent government should be doing.
With CGNAT becoming more widespread, formats like this might need expansion to include location data for ports. Ie. Port 10,000-20,000 are consumers in New york, port numbers 20000-30000 are in Boston, etc.
That is really interesting. I wonder if we have any internal data on this. I will check.
We are trying to work with ISPs everywhere, so if port level geolocation of the IP address is common, we surely need to account for that. I will flag this to the data team. To get the ball rolling, I would love to talk to an ISP operator who operates like this. If you know someone please kindly introduce me to them.
Do you have actual evidence of this? What ASN operates this way?
Why would any CG-NAT split their volume that way?
IPv4 addresses are not that scarce yet, and realistically any CG-NAT will have several IPv4 addresses per metro area, if only to allow for reasonable levels of geolocation (e.g. to not break the "pizza near me" search use case).
Sounds awful, though. Maybe we should get more widespread usage for IPv6 instead.
Surely IPv6 makes location spoofing harder, you're not identified by just location anymore but uniquely identified down to the device?
Yes. I’ll never forgive IETF for standardizing CGNAT back in 2013. They should have just said “no, deploy IPv6 with a transition technology”.
If that had happened, IPv4 would likely already could be regarded as a relic of the past.
The ietf standardization was irrelevant so I would give them some slack. ISPs were using CGNAT already in a widespread fashion. The ietf just said, “if we’re gonna do this shit, at least stay out of the blocks used by private networks”.
I hope they can use DNS for this instead like they do PTR entries
Another related but non-VPN story related to IP geolocation:
Big techs (most notably Google) is using the location permission they have from the apps / websites on the user's phones / browsers to silently update their internal IP geolocation database instead of relying on external databases and claims of IP owners (geofeed etc). And this can be hyper-sensitive.
I was traveling back home in China last year and was using a convoluted setup to use my US apartment IP for US based services, LLM and streaming. Days into the trip and after coming back, I found that Google has been consistently redirecting me to their .hk subdomain (serving HK and (blocked by gov) mainland China), regardless of if I was logged in or not. The Gmail security and login history page also shows my hometown city for the IP. I realized that I have been using Google's apps including YouTube, Maps and so on while granting them geolocation permission (which I should not do for YouTube) in my iPhone while on the IP and in my hometown.
After using the same IP again in the US with Maps and so on for weeks and submitting a correction request to Google, it comes back to the correct city. (The tricks of restarting the modem / gateway, changing MAC address to get a new IP is not working somehow this time with my ISP)
Some of our (IPinfo) services are hosted on GCP, and because our service is widely used (with 2 trillion requests processed in 2024) people sometimes say they cannot access our service. It is usually due to how Google's device-based IP geolocation is used. The user's IP address is often mistakenly identified as being located in a country where Google does not offer service.
I have seen a Europe-based cloud hosting provider's IP ranges located in countries where Google does not provide service. This is because these IP ranges are used as exit nodes by VPN users in that country.
Device-based IP geolocation is strange. We prefer IP geolocation based on the last node's IP geolocation. We hope to collaborate with Google, Azure, and other big tech on this if they reach out to us.
Yeah happens to other “vpn” solutions like zero trust solutions like zscalar. Logs says the user in Buffalo, IP is in Toronto. Same for users on the southern border, us location and Mexican ip.
Zscaler enrages me with their use of the term "zero trust" in marketing, because due to their MitM-ing of TLS, they become a single-point-of-interception for all your organisation's traffic. "100%-trust" would better describe it for me, as you have to have 100% trust of Zscaler and anyone who has admin access to your organisation's admin account.
I use Mullvad through Tailscale’s exit‑node integration, and it’s awesome. They are the only provider I trust these days.
To highlight virtual routing: it’s useful in scenarios where a country blocks VPNs but you still need an IP from that country to browse local websites. In such cases, virtual routing comes in handy. For example, when India required all VPN servers in the country to log user traffic, Proton moved its Indian server to Singapore and used virtual networking tricks to continue offering an Indian IP address.
I work for IPinfo. I am not sure what routing tricks Proton uses. I have looked into the smart routing and stealth protocol related documentation. I am not sure if Proton does anything unique when it comes to IP location. I am not saying this officially, but I am just curious here.
Smart routing documentation: https://protonvpn.com/support/how-smart-routing-works
'Virtual' VPN server geolocation involves informing IP geolocation providers that their Singaporean servers are located in India. We looked into data and latency-based locations, but the industry at large uses self-reported location information for their data. So, if you use a service that uses IP geolocation provider (that is not us) they will just tell them that the Singaporean IP address is located in India, because that is the information they have and they do not have any other ways to verify it. But at the end of the day, the location information is coming from the VPN itself.
I could be wrong, and there could be technology and technique I am missing, so I am happy to learn. The blog is written by our founder who is accessible to the Proton team if they want to share their feedback with us.
Most of these providers are in fact open about the fact that these locations are “virtual”, so it’s misleading to say they don’t match where they claim to be.
There is however an interesting question about how VPNs should be considered from a geolocation perspective.
Should they record where the exit server is located, or the country claimed by the VPN (even if this is a “virtual” location)? In my view there is useful information in where the user wanted to be located in the latter case, which you lose if you only ever report the location of servers.
(disclaimer: I run a competing service. we currently provide the VPN reported locations because the majority of our customers expect it to work that way, as well as clearly flagging them as VPNs)
Yeah, Proton is quite explicit about that: https://protonvpn.com/support/how-smart-routing-works
I work for IPinfo, and I appreciate your comment.
Our product philosophy is centered on accuracy and reliability. We intentionally diverge from the broader IP geolocation industry's trust-based model. Instead of relying primarily on "aggregation and echo", we focus on evidence-backed geolocation.
Like others in the industry, we do ingest self-reported IP geolocation data, and we do that well. Given our scale and reputation, we receive a significant volume of feedback and guidance from network operators worldwide. We actively conduct outreach, and exchange ideas with ISPs, IXPs, and ASNs. We attend NOG events, participate in research conferences, and collaborate with academia. We have a community and launch hackathon events, which allow us to talk to all the stakeholders involved.
Where we differ is in who our core users are. Our primary user base operates at a critical scale, where compromises on data accuracy are simply not acceptable. For these users, IP geolocation cannot be a trust-based model. It must be backed by verifiable data and evidence.
We believe the broader internet ecosystem benefits from this approach. That belief is reflected in our decision to provide free data downloads, a free API with unlimited requests, and active collaboration with multiple platforms to make our data widely accessible. Our free datasets are licensed under CC-BY-SA 4.0, without an EULA, which makes integration, even for commercial use straightforward.
I appreciate you recognizing that our product philosophy is different. We are intentionally trying to differentiate ourselves from the industry at large, and it is encouraging to see competing services acknowledge that they are focused on a different model.
If we can pay them in virtual dollars, no problem
I can't connect to this site because my adblocker doesn't like it. It seems to be on the bad-domain-list https://www.cromite.org/filters/badblock_lite.txt. Now is the question: is ipinfo.io on this list for a good reason?
I can not access https://www.cromite.org/
It redirects to a dead link hosted on aruba.it. I can investigate it.
Is it not Bromite?
Bromite is unmaintained anymore, Cromite is the current fork.
There was an article on HN not too long ago about how to get a North Korea / Antarctica VPS[1], so this isn't entirely surprising!
[1] https://news.ycombinator.com/item?id=45922850
That was actually a great article. For us, that is like a crowdsourced bug hunting program. We actually got duped ourselves, and we appreciate the author.
We added additional features for location hint modeling and selection for IPv6 networks. There are a handful of open engineering tickets to understand more about the entire internet infrastructure of the country. Of course, hosting a probe server out there would be helpful.
https://ipinfo.io/countries/kp
We always appreciate feedback like that.
Using FreeBSD dummynet it’s possible to modify the characteristics of network traffic and emulate e.g. Somalia performance from a datacenter in France.
Extremely disappointed to see ProtonVPN in this list. Despite others claiming about their smart routing as being a disclaimer of sorts, I am still disappointed that it was never explicitly clear that our privacy was still at stake.
https://protonvpn.com/support/how-smart-routing-works
Is there any real-life situation in which this matters, though?
If you're picking a country so you can access a Netflix show that geolimits to that country, but Netflix is also using this same faulty list... then you still get to watch your show.
If you're picking a country for latency reasons, you're still getting a real location "close enough". Plus latency is affected by tons of things such as VPN server saturation, so exact geography isn't always what matters most anyways.
And if your main interest is privacy from your ISP or local WiFi network, then any location will do.
I'm trying to think if there's ever a legal reason why e.g. a political dissident would need to control the precise country their traffic exited from, but I'm struggling. If you need to make sure a particular government can't de-anonymize your traffic, it seems like the legal domicile of the VPN provider is what matters most, and whether the government you're worried about has subpoena power over them. Not where the exit node is.
Am I missing anything?
I mean, obviously truth in advertising is important. I'm just wondering if there's any actual harm here, or if this is ultimately nothing more than a curiosity.
Attempting to use a VPN location in Somalia and actually getting routed to an exit in Paris or London is not what I would consider "close enough". That's off by 3000 miles. That's like claiming to be in the Amazon Rainforest in Brazil while being in Montreal, Canada. And apparently 28% of locations are off by at least this much
And if I do it for privacy, the actual exit location seems very relevant. Even if I trust the VPN provider to keep my data safe (which for the record I wouldn't with the majority of this list), I still have to consider what happens to the data on either end of the VPN connection. I'm willing to bet money that any VPN data exiting in London is monitored by GCHQ, while an exit in Russia probably wouldn't be in direct view of NSA and GCHQ
> Is there any real-life situation in which this matters, though?
You’d be shocked at the number of people in regulated industries that thinks a VPN inherently makes them more secure. If you think your traffic exits in the US and it exits in Canada — or really anywhere that isn’t the US — that can cause problems with compliance, and possibly data domicile promises made to clients and regulators.
At minimum, not being able to rely on the provider that you are routing your client’s data through is a big deal.
Yes. Let’s take an extreme example: you think you exit in Japan, but you’re actually exiting in China. This means your traffic will be analyzed and censored by China.
The routers don’t care about where the provider says the IP comes from. If the packet travels through the router, it gets processed. So it very much matters if you do things that are legal in one country, but might not be in another. You know, one of the main reasons for using VPNs.
A more general case is for legal and SLAs. If a company uses one of these vpns to make sure their traffic only travels through a specific legal path, and then it's found that their traffic entered a different territory, there can be a lot of consequences.
The case I can think of most accessible would be anything that streams copywriten video.
I've wondered about jurisdiction in copyright for a while -- if I access a USA website from a Swedish server, make a copy on that server, then stream it to a French location for viewing all the while being in UK. Where has any crime/infringement occurred; which courts have jurisdiction?
Anyone know of any caselaw addressing these issues.
Are any VPN's getting China wrong? It would be pretty obvious. In fact, common VPN's I'm looking at don't even support China as an option. Obviously no VPN's are mixing countries up where it becomes clear from what you're allowed to browse.
But so "if you do things that are legal in one country, but might not be in another" is what I'm specifically asking about. Ultimately, legality is determined by the laws that apply to you, not the country your packets come out of. So I'm asking for a specific example.
And I already said, that if a site is attempting to determine permissions based on the country, it's doing so via the same list. E.g. when the country is actually Greenland, but you think it's the UK, and Netflix also thinks it's the UK. Which is why I'm saying, at the end of the day, is there any real consequence here? If both sender and receiver think it's the UK, what does it matter if it's actually Greenland?
China was just an example. Try to extrapolate on your own.
Take someone from Russia, Iran, wherever, trying to access information they aren't allowed to access, or sharing information they aren't allowed to share. They think they're connected to a neighboring country, but in reality are exiting from their own country. Therefore, the traffic gets analyzed and they fall out a window.
Imagine Snowden sharing information about the NSA while using a VPN that actually exited from the US. Things might have developed differently.
Yes, it won't matter for most services. But as soon as states or ISPs are involved, you're fucked if you get it wrong.
> Try to extrapolate on your own.
No need for the snark. Obviously we're not talking about somebody in Iran or Russia connecting to a VPN that just leads back into their own country, that would be idiotic. None of the VPN providers are providing anything like that. Those don't even make sense conceptually. A Western VPN provider that an Iranian or Russian is using isn't even legally allowed to operate nodes inside of Iran or Russia due to sanctions.
I'm talking about the realistic mix-ups that the article is using as examples. Where Somalia is actually going to France or something. That's why my original comment started with "Is there any real-life situation..."
No VPN providers are accidentally routing into an oppressive dictatorship.
Never heard of Windscribe but their homepage has "Become American" as a feature.
> Are you sick of not having access to foreign oil? Do you love using advanced weapons to fuck up someone’s day? Obsessed with manipulating your financial records to make yourself look more successful than you are?
Got a chuckle out of me.
Oh wow, I had no idea that “virtual location” is even a thing. Imo it should not, I don’t even see a use case for that, it just seems like straight-up lying about the traffic exit location. Glad to see the provider I occasionally use, Mullvad, passed the test.
Many providers in the list, such as PIA, warn the user when a virtual location is chosen. The point is to get a wider range of countries. Most websites, such as YouTube and Netflix, are fooled by the virtual locations, so it works!
Yeah, I'm really not seeing how a "virtual location" is any different from outright fraud.
It depends on whether the VPN is lying to you. Proton, for example, makes them quite explicit in the software and even lists them for you here: https://protonvpn.com/support/how-smart-routing-works and seems like NordVPN also has a page explaining that.
I used a VPN that had a virtual location of China for a while, which avoided ads on some websites; China blocks those sites, so those sites don't have any ads in China, but the VPN exit wasn't actually in China so it could reach the sites fine.
I seriously don't quite understand the point of using a VPN that doesn't offer you clean residential IPs somehow (and I don't really know good VPN like that). Most services where I really want to use VPN are well aware of VPN IP blocks and just won't allow any of these famous VPNs (that I am aware of, at least). And services that don't care if it's my real IP or not… well, usually I don't really care about exposing them to my real IP either?
I mean, ok, there are use-cases. But commercial VPNs exist under specific premise, you know, and they just don't offer what they claim to be offering. Unfortunately.
You can pay for a static residential IP on Windscribe, but it's quite expensive.
Mullvad is the only VPN I will ever trust. Yet again they ace the test.
I also use Mullvad VPN exclusively for my VPN needs. The fact I can get 6 months of access with a scratch card bought from a store & my account is just a random integer number is an example of privacy by design: no email, no phone numbers, no credit cards. I don't even do anything illegal, I'd just rather have a (what I feel) trusted option when I want to browse the Internet anonymously.
Can you buy those in US stores?
I’ve been paying for Mullvad with Monero for years. Love it
Amazon, but that kind of defeats the point.
It doesn't defeat the point in my threat model. No one in the position to log my traffic knows who I am other than my source IP address (which is already enough to link it back to me anyway). So let's take Mullvad at their word that they don't log anything, what's the threat now?
Maybe Amazon are x-raying the card numbers before shipping them out to customers, but that would require Mullvad giving up the card number -> account number -> account number traffic logs. Not much of a threat there.
Maybe all amazon orders are funnelled somewhere and they correlate the fact I bought a VPN card with my home address, and then correlate my bandwidth into Mullvad IPs (gained from my ISP logs) with data leaving Mullvad but that's all very unlikely and very circumstantial.
I'm also not doing anything illegal so perhaps my threat model/level is lower than the 'average' VPN user.
Anyway, not to be a shill but honestly I am just completely won over with how Mullvad do business. I know that a VPN does not make you automatically 'private'/'anonymous' but just the way they do business makes me happy.
Buy amazon gift card in cash, setup new account, ship scratch card to locker? (Idk if they’d let you do that).
I think you can still mail them cash?
You can even just randomly generate such an ID number, write it on a piece of paper and enclose it with cash in one of several currencies, and post it to them.
The best thing is that they accept crypto. I wouldn't want to pay for a VPN with a credit card in my name.
But you have to get money into your crypto wallet somehow, which makes it relatively easy to deanonymize for most users (serious crypto privacy enthusiasts could of course pay cash for their crypto or perhaps mine it themselves) if they're looking at your traffic specifically, but hard if you're only worried about bulk collection.
IMO the coolest privacy option they have is to literally mail them an envelope full of cash with just your account's cash payment ID.
> I wouldn't want to pay for a VPN with a credit card in my name.
Wow, you must be using the VPN for some seriously shady stuff.
Back when I was doing that uber-shady business of torrenting, and this kind of VPN was much less-common than it is today, I paid for VPN access with crypto.
I'd gather a small amount of that up (however I did that), keep it in an offline wallet, and spend it on VPN service every now and then.
It just seemed like the right way to go about things.
(And then I lost that wallet, because of course I did, with about $14 worth of BTC in it. I didn't care enough at that time to see if I'd backed it up properly; I wasn't planning on using it for anything anymore anyway. That was in 2014 and those backups are waaaay gone now, but it'd be around $2k worth of BTC today -- plenty to buy some DDR5 RAM. Whoopsie-doodle!)
Enough to buy like 512MB of DDR5 RAM maybe
...then I'll just have to learn how to get stuff done with 512MB of RAM.
(I'm sure that browsers like lynx still work just like they did in 2001, and that pine can still read mail. Shouldn't be a problem, right?)
links2 is still a work horse in 2025 for occasional debugging.
I know of links and have used it, but I don't think I've ever used links2.
Am I correct to assume that links2 is more of the same/better?
(Also: Your comment seems perfectly sane, but it was already marked as "flagged" by the time I saw it 18 minutes after it was submitted. I vouched for it.
But I wonder: Whose ruffles did you panty in order for your comments to land this way?)
What actual extra privacy does that add though? You still need to connect to them from your IP address, which can be traced back to you.
Not sure why you've been downvoted. Somebody protecting their business?
Looks like the link is dead.
Looks like the link is dead.
Turn off your VPN?
The one I noticed was after the Texas porn age verification laws went into effect. Setting my VPN to be in Texas was different than when actually connecting to Texas when I visited.
And it's super easy to do. I had my own ASN and my own IPv4 and IPv6 address space, you basically just write whatever you want into RIPE Database objects (or ARIN, APNIC etc.) Today your IP space can be in one country, and tomorrow in a different one.
This seems like circumstantial evidence for most VPN providers mostly serving customers who are in the business of spreading targeted misinformation on social media.
Cool, even our privacy protection is fraught with scammers and liars.
Actually, most VPN providers explicitly label the virtual locations as such, I think the famous ones at least do it (ex: Proton and NordVPN even explain them in their respective docs).
I work for IPinfo.
No, the article does not make this conclusion at all! It was carefully written to highlight the nature of virtual locations of VPN exit nodes and does not make such conclusions.
The article is written by our founder, who is accessible to the VPN industry at large and is open to feedback and comments.
> I work for IPinfo
Ngl, I never knew that those IP location tools are actual companies with full time employees. I always assumed they were just made by some random guy in an afternoon by wrapping maxmind API. Interesting to hear that that's not the case (at least for ipinfo; maybe some of the consumer-oriented IP lookup websites are like that)
Our headcount is approximately 70 right now. Most of engineering consists of data engineers, researchers, and data scientists because data is our product. Then we have infrastructure engineering, software engineering, integration engineering, support engineering, solutions architects, mobile application engineering, UX/UI designers, website engineering, API engineering (separate from the website because of the volume of traffic we receive), a full commercial team with partnerships and sales, finance/accounting, legal and a marketing team. I think I am still forgetting some people. We also work closely with consultants who are foundational to the internet as a whole. We have an open hiring policy for the right talent.
During our offsite, we had to rent out a small ship (ferry?) to host everyone: https://x.com/coderholic/status/1975333382604398702/photo/4
More than a decade ago, when IPinfo launched, a lot of community interaction was done by our founder. Now, you have me in a full-time role talking to people. My role is literally called Developer Relations.
We are not just a IP geolocation company; we are an internet data company. IP geolocation and VPN detection are only products to us; the team and goal are actually quite huge.
well to be fair it's not always important to have the server at the geoip since a lot of the time you can measure the real latency of a user behind an ip address anyway.
the only important bit is that it is made clear whenever a given country falls under some category that allows things such as traffic analysis and cataloging.
it's actually often times preferrable to lie about the server location for lower latency access geo-blocked content, particulary when accessing US geo-restricted content in europe.
if you want true privacy you have to use special tools that not only obfuscate the true origin, but also bounce your traffic around (which most of these vpns provide as an option)
I get advertisements for VPN providers almost everywhere. I've never been interested, but I do subscribe to Mullvad via Tailscale. So, I'm thankful and appreciative that they did their due diligence and partnered with a reputable provider. I've been very happy with the service.
Edit: Welp. How could this possibly be my most downvoted comment. Am I not entitled to an opinion? I ain't no AI.
I work for IPinfo. We provide IP geolocation and VPN detection services. We identify which IP addresses are associated with a VPN and the actual location of the IP address.
We have not collaborated with any VPN companies for the report and have not even requested permission or pre-draft approvals. We had the data of what we were seeing and published a report based on that. We have published a ton of resources around the nature of VPN location in the past. Our focus is on data accuracy and transparency.
After the article was published, we received feedback from only a single VPN provider - Windscribe (https://x.com/ipinfo/status/1998440767170212025). I do not think anyone from Mullvad, iVPN, or any other VPN company has reached out to our team or our founder yet.
We are happy to take feedback and comments and are even open to a follow-up!
This was a dumb study, and if they'd asked the VPN providers, I'm sure someone would tell them why.
All the VPN providers I've used let you select the endpoint from a dropdown menu. I'm not using a VPN to make it appear I'm in Russia, I'm using it as one of many tools to help further my browsing privacy.
My endpoint is one of 2 major cities that are close to me. Could I pick some random 3rd world country? Sure! That isn't the goal. The goal is to prevent my mostly static IP address from being tied to sites I use every day.
EDIT:
Small point of clarification:
All the VPN providers I use have custom or 3rd party software that allows you to select a location for the VPN. All of the VPN providers I've used also select the location with the lowest ping times as a default. I suspect most folks are just sticking with the defaults. I certainly haven't strayed outside the US/EU for any of my attempts. I have occasionally selected an EU location for specific sites not available in the US, where I live, but beyond that?
That's great for you. But some people need to pick a specific country. People in different countries often get different prices for things like airline tickets or online subscriptions. Maybe you need to appear from a particular country to access certain media.
I mostly use it to avoid exposing my IP address too, but if I knew my VPN was comfortable with a little light fraud, I'd be concerned about what else they're comfortable with.
NordVPN calls out when a location is virtual, so unless ipinfo is claiming they have virtual locations that are not labelled as such, they are at least transparent about it. They did document the physical server locations of their virtual locations at launch, but I'm not sure if there's a live doc for new locations. https://nordvpn.com/blog/new-nordvpn-virtual-servers/
All the ones I use pick one for you, it is up for you to change it, and you play a fat rate per month or year regardless of what you pick.
That may be your use case, but it by no means it's reflective of anyone else's. I live in a country that actively blocks and limits your connectivity to (ordinarily) public websites. Choosing an exit point that's in a different country is very relevant and important.
You are in the minority. Most folks that subscribe to VPNs are folks in the US, Canada, EU, and other "First World" countries. (I had a source a while back for something completely unrelated, however I didn't save it)
I'm not discounting you at ALL, I'm simply stating that the majority of traffic originate from these countries. Most of these folks just want to hide their IP address for various reasons. Privacy, Piracy, etc. Most don't care if it's in the next largest city, they just don't want it to appear to come from them.
Folks in countries like yours will likely pick endpoints to bypass the government. Folks up to nefarious stuff like cracking web sites, social media influencing, etc. will likely pick the target country more carefully. Anyone else? Whatever is the default.
I recognize this is a hard concept to understand for folks on this site, but the average joe signing up for a VPN doesn't even remotely understand what they are doing and why. They were pitched an idea as a way to solve privacy issues, block ads, etc. and they signed up for it. The software suggested a low latency link, and they went with the default.
The ads for a lot of VPN providers literally use scare tactics to sell the masses on the idea.
> I recognize this is a hard concept to understand for folks on this site, but the average joe signing up for a VPN doesn't even remotely understand what they are doing and why.
So what? This article isn’t for them and this isn’t a major news site for the general public, it’s a site for people who want or need to know how things work.
Last time I checked the UK was considered a first world country.
Edit: I commented earlier that I never considered myself part of the market that VPN companies hawk their services to. I've been living in the UK for 5 years now and the number of sites that have become unavailable to me are material and concerning for what their abolishment means for free speech. I'm as square as they come, if I feel this strongly you bet others do too.
> I recognize this is a hard concept to understand for folks on this site, but the average joe signing up for a VPN doesn't even remotely understand what they are doing and why.
Really this is the answer to half of the comments on this thread.
Re: random countries, sometimes with PIA the Panama exit has a crazily low ping time (I'm physically in California). I wonder what leads to it? Hawaii I can understand, there's a cable landing not far from my physical location, but Panama is a mystery to me.
If you look at the list in the PIA menu, you'll see Panama has the "geo-located region" icon, which means that it's a virtual one and isn't in Panama.
TIL, thanks!