VPN location claims don't match real traffic exits
76 comments
·December 13, 2025reimertz
ignoramous
Windscribe and iVPN up there with Mullvad in TFA.
> Mullvad ... security and privacy _very_ seriously. Not surprised to see them shine here.
? TFA reflects on dishonest marketing on part of public VPN providers more than privacy / security.
That said, VPNs don't add much security, though, they are useful for geo unblocking content and (at some level) anti-censorship. Though, in my experience, the mainstream public VPNs don't really match up to dedicated censorship-resistant networks run by Psiphon, Lantern (and possibly others).
systemtest
I'm a big VPN user since I am the citizen of one country and the resident of another. Even for government services I have to use a VPN. I tried to access the bureau of statistics of my home country through my foreign residential IP and got 404s on all pages. Enabled VPN and everything magically started working. For watching the election result video stream I also had to VPN but at least that one gave me a clear message. For doing taxes in my home country I then have to disable VPN since all VPN access is blocked but it's OK to use a foreign residential IP.
I would easily pay €30 a month for a VPN in my home country that uses a residential IP and isn't noticeable. I am aware that those exist, but 99% of them are shady.
devilbunny
Do you have friends or family in your home country that will run an AppleTV box with Tailscale for you as an exit node?
I can't get into work from a non-US IP, but I can Tailscale back to my house and it works just fine. I even gave my in-laws (who live several states away) an AppleTV box running TS just to have another endpoint if for some reason the power goes out at my house while I'm gone (rare, but happens).
simlevesque
> I would easily pay €30 a month for a VPN in my home country that uses a residential IP and isn't noticeable. I am aware that those exist, but 99% of them are shady.
For residential IPs you can't even pay per month like normal VPNs, normally they charge per GB, usually over $2 usd per GB.
nemomarx
Is this be cause they're paying the residential proxy owners some of it?
chmod775
Do you know anyone in that country who will let you stick an rPI behind their modem?
systemtest
I have been thinking about it but it is tricky from a legal standpoint. What I'm trying to arrange next time I visit is to have a secondary line installed at my parents place that is in my name. So that when I pull heavy traffic from that line it doesn't impact them and I can't get them in trouble for posting a message that isn't government approved.
varenc
Very interesting to learn you can identify the real country/area of origin using probe latency. Though could this be simulated? Like what if the VPN IP just added 100ms-300ms of latency to all of its outgoing traffic? And also just ignore typical probe requests like ICMP. And ideally all the IPs near the end of the traceroute would do all this too.
To use an example, 74.118.126.204 claims to be a Somalian IP address, but ipinfo.io identifies it as being from London based on latency. Compare `curl ipinfo.io/74.118.126.204/json` vs `curl ipwhois.app/json/74.118.126.204` to see. If that IP ignored pings and added latency to all outgoing packets, I wonder if that would stymie ipinfo's ability to identify its true origin.
deegles
with enough packets you can trilaterate an approximate locatuon. adding random jitter will just delay it a bit.
ignoramous
It isn't just latency, but "triangulation".
[IPinfo] pings an IP address from multiple servers across the world and identify the location of the IP address through a process called multilateration. Pinging an IP address from one server gives us one dimension of location information meaning that based on certain parameters the IP address could be in any place within a certain radius on the globe. Then as we ping that IP from our other servers, the location information becomes more precise. After enough pings, we have a very precise IP location information that almost reaches zip code level precision with a high degree of accuracy. Currently, we have more than 600 probe servers across the world and it is expanding.
why-o-why
I tried to use ProtonVPN when I switched over to ProtonMail a year ago. But so much of the web does not work when you're on a VPN. For example even HackerNews has VPN restrictions. More and more sites know where VPN endpoints originate. How will VPNs prevent this in the future without them just become easy to block?
HotGarbage
Apple, for better or worse, has been able to use their size to pressure sites into accepting connections from their Private Relay service.
If VPN usage becomes the norm, sites will have to give in eventually.
dansmith1919
Only one I have issues with is Ticketmaster, other than that I forget that it’s even on all the time
simonklitj
I can’t access Reddit on Mullvad via Tailscale
matheusmoreira
They can ban VPNs and Tor because it's affordable. Most of their users aren't using VPNs or Tor. Get enough people to use VPNs and Tor and they'll suddenly become unable to drop the traffic.
The ideal world is one where everyone is using Tor. They can only discriminate against you if you're different from others. The idea behind Tor is to make everyone look like the same user. The anonymity set must be maximized for that to work.
mbesto
Same. If this is the situation then what is the use case for most "average" consumers?
systemtest
Even worse is the Reddit approach, where leaving your VPN on will get your account shadow banned permanently. But you are not notified of that, so if you are wondering why nobody is replying to your comments, check in a private session if you can visit your profile page.
barfoure
Same issue exists with Tor exit nodes. It’s anonymous in that you have a hoodie on with a giant spotlight right on you.
bgbntty2
A better metaphor would be that Tor and VPNs are like wearing a mask in public. It's obvious that you're trying to be anonymous, but you're still wearing a mask, so no one knows who you are.
You may be denied entry to certain establishments, but some of the bouncers don't block all masks and if you're persistent with changing your mask (Tor or VPN exit node), there's a good chance you'll get in. CTRL+SHIFT+L works on Tor Browser to change your circuit. The linked article blocks Tor, but after pressing CTRL+SHIFT+L a few times, I was able to read it.
For the sites that don't let me view them via Tor, I can install FoxyProxy and try some IPs from the free public lists. Lots of sites that block Tor don't block these IPs, although it's a bit of a pain. Another option is to load an archived version of the site on archive.org or archive.md (or .is or the various different TLDs it uses).
As for HN - it sometimes gives a "Sorry." if you try to access a certain comment directly, but after a few tries it works. This account was created over Tor and I've only accessed it through Tor. I think my first comment was dead and someone vouched for it, but now my comments appear instantly.
I've heard that banking sites don't work over Tor, but I haven't had a need to use Tor for banking, as the bank already knows who I am pretty well.
Most of the big social media sites don't allow Tor, but if I wanted to create a fake account, I'd most likely buy a residential proxy.
So it's not that bad, considering what you get from Tor (and with some VPNs, depending on your threat model) - no tracking, anonymity and so on.
rynn
Do you use Tor for everything? How do you deal with the latency?
speedgoose
To continue on the analogy, many people using a VPN wear a mask but they also keep the same unique combination of clothes that they were wearing a few minutes earlier without a mask.
coppsilgold
As VPN usage proliferates such discrimination starts hurting sites more. For example, a VPN may be left on by a user for whatever reason and when the site they visit doesn't work or makes them jump through hoops they are less likely to visit the site in the future or view it with contempt and abandon it a soon as they are made aware of an alternative.
It takes time for sites to realize the danger, especially with mobile users where fiddling with a VPN is often more hassle than its worth and its just left always on. It's often a good idea to impersonate a mobile user agent for this reason as some sites (or perhaps cloudflare?) started treating them differently. The impersonation needs to be done well (SSL and HTTP fingerprints should also match mobile).
Usually, the more expensive the VPN offering the better the reputation of their IP's. Avoid VPNs that have any kind of free tier like the plague.
null
yieldcrv
I wonder if using the wifi at a data center has the same broken browsing experience as using a VPN
null
ramity
Contrasting take: RTT and a service providing black box knowledge is not equivalent to knowledge of the backbone. To assume traffic is always efficiently routed seems dubious when considering a global scale. The supporting infrastructure of telecom is likely shaped by volume/size of traffic and not shortest paths. I'll confess my evaluation here might be overlooking some details. I'm curious on others' thoughts on this.
seszett
They don't have to assume that traffic is efficiently routed, on the contrary if they can have a <1ms RTT from London to a server, the speed of light guarantees that that server is not in Mauritius EVEN if the traffic was efficiently routed.
It just can't be outside England, just one 0.4ms RTT as seen here is enough to be certain that the server is less then 120 km away from London (or wherever their probe was, they don't actually say, just the UK).
RTT from a known vantage point gives an absolute maximum distance, and if that maximum distance is too short then that absolutely is enough to ascertain that a server is not in the country it claims to be.
ramity
I see I was mistaken, but I'm tempted to continue poking holes. Trying a different angle, though it may be a stretch, but could a caching layer within the VPN provider cause these sort of "too fast" RTTs?
Let's say you're a global VPN provider and you want to reduce as much traffic as possible. A user accesses the entry point of your service to access a website that's blocked in their country. For the benefit of this thought experiment, let's say the content is static/easily cacheable or because the user is testing multiple times, that dynamic content becomes cached. Could this play into the results presented in this article? Again, I know I'm moving goalposts here, but I'm just trying to be critical of how the author arrived at their conclusion.
Pyrolol
The speed of light provides a limit on distance for a given RTT, and taking the examples in the article which are less than 0.5ms and considering the speed of light (300km/ms) the measured exit countries must be accurate.
The speed of light in fiber which probably covers most of the distance is also even slower due to refraction (about 2/3).
ramity
Thanks for your informative reply. I see now I was approaching this incorrectly. I was considering drawing conclusions from a high RTT rather than a RTT so small it would be impossible to have gone the distance.
IshKebab
> I'll confess my evaluation here might be overlooking some details.
Yeah like... physics. If you're getting sub-millisecond ping times from London you aren't talking to Mauritius.
HotGarbage
While exits matter to avoid countries with a nation-wide firewall, the geoip industry is a scourge.
If an ISP wants to help their users avoid geoblocking via https://www.rfc-editor.org/rfc/rfc8805.html more power to them.
londons_explore
With CGNAT becoming more widespread, formats like this might need expansion to include location data for ports. Ie. Port 10,000-20,000 are consumers in New york, port numbers 20000-30000 are in Boston, etc.
raggi
Do you have actual evidence of this? What ASN operates this way?
kalaksi
Sounds awful, though. Maybe we should get more widespread usage for IPv6 instead.
sgjohnson
Yes. I’ll never forgive IETF for standardizing CGNAT back in 2013. They should have just said “no, deploy IPv6 with a transition technology”.
If that had happened, IPv4 would likely already could be regarded as a relic of the past.
dustywusty
Can really spot someone who has never had to deal with OFAC with a comment like this. Even if I don't necessarily agree with the concept, or who is actually being blocked, my business is dead in the water if I'm a) sent to prison or b) fined out of existence.
Geographic IP information is one of our best tools to defend against those outcomes, and if anything it should be better.
HotGarbage
If you were serious about limiting who uses your services you'd use an allowlist of ASNs. Even then, what about users using US-based residential proxies?
dustywusty
ASNs can obviously span multiple countries, and aren't a great way to gate this at all. While we block ASNs we KNOW are owned/operated by companies in limited countries, but I couldn't imagine a worse way to approach it at scale. Hate doing it, it's heavy-handed and wrong.
Beijinger
I am not sure that I really understand what they did. I am also missing some major VPNs in the list. I currently use AirVPN but this has something to do with my use case and pricing.
Why do you want to use a VPN?
- Privacy
- Anonymity (hint: don't!)
- unblock geolocation
- torrents
- GFC
The last point is the hardest.
luckylion
> I am not sure that I really understand what they did.
They checked where the VPN exit nodes are physically located. A lot of them are only setting a country in the whois data for the IP, but do not actually put the exit node in that country.
Beijinger
Yes, I don't understand the advantage or disadvantage of this. Let's say I need a Colombian IP address, I would figure it out pretty quickly it this was not genuine, except if the geo-block protection would be fooled too.
Most of the "problem" countries are tiny places. Monaco, Andorra etc. It might be tough to rent a server there. And your list of clients should be minimal.
luckylion
You can easily test this, of course -- the problem isn't that you, the user, cannot find out, it's that you pay for being able to use an endpoint in those countries and can't, because they don't exist.
It's not only small countries either, it affects much of Latin America, including Brazil (PIA's servers were in Miami for BR as well last time I checked). I've occasionally seen it also affect US states where e.g. Massachusetts would be served from Trenton, NJ.
IshKebab
> I would figure it out pretty quickly it this was not genuine, except if the geo-block protection would be fooled too.
It would (unless the blockers use this company's database I guess):
> The IP registry data also says “Country X” — because the provider self-declared it that way.
That could be good or bad depending on what you're using the VPN for. E.g. if you only care about evading stupid local laws like the UK's recent Think of the Children Act, then it's actually great because you can convince websites you're in Mauritius while actually getting London data centre speeds.
But if you want to legally be sending your traffic from another country then it's less great because you actually aren't. To be honest I can't really think of many situations where this would really make a difference since the exit point of your network traffic doesn't really matter legally. E.g. if a Chinese person insults their dear leader from a VPN exit node in the UK, the Chinese authorities are going to sentence them to just as much slavery as if they did it from a local exit point.
crazygringo
Is there any real-life situation in which this matters, though?
If you're picking a country so you can access a Netflix show that geolimits to that country, but Netflix is also using this same faulty list... then you still get to watch your show.
If you're picking a country for latency reasons, you're still getting a real location "close enough". Plus latency is affected by tons of things such as VPN server saturation, so exact geography isn't always what matters most anyways.
And if your main interest is privacy from your ISP or local WiFi network, then any location will do.
I'm trying to think if there's ever a legal reason why e.g. a political dissident would need to control the precise country their traffic exited from, but I'm struggling. If you need to make sure a particular government can't de-anonymize your traffic, it seems like the legal domicile of the VPN provider is what matters most, and whether the government you're worried about has subpoena power over them. Not where the exit node is.
Am I missing anything?
I mean, obviously truth in advertising is important. I'm just wondering if there's any actual harm here, or if this is ultimately nothing more than a curiosity.
wongarsu
Attempting to use a VPN location in Somalia and actually getting routed to an exit in Paris or London is not what I would consider "close enough". That's off by 3000 miles. That's like claiming to be in the Amazon Rainforest in Brazil while being in Montreal, Canada. And apparently 28% of locations are off by at least this much
And if I do it for privacy, the actual exit location seems very relevant. Even if I trust the VPN provider to keep my data safe (which for the record I wouldn't with the majority of this list), I still have to consider what happens to the data on either end of the VPN connection. I'm willing to bet money that any VPN data exiting in London is monitored by GCHQ, while an exit in Russia probably wouldn't be in direct view of NSA and GCHQ
rynn
> Is there any real-life situation in which this matters, though?
You’d be shocked at the number of people in regulated industries that thinks a VPN inherently makes them more secure. If you think your traffic exits in the US and it exits in Canada — or really anywhere that isn’t the US — that can cause problems with compliance, and possibly data domicile promises made to clients and regulators.
At minimum, not being able to rely on the provider that you are routing your client’s data through is a big deal.
AndroTux
Yes. Let’s take an extreme example: you think you exit in Japan, but you’re actually exiting in China. This means your traffic will be analyzed and censored by China.
The routers don’t care about where the provider says the IP comes from. If the packet travels through the router, it gets processed. So it very much matters if you do things that are legal in one country, but might not be in another. You know, one of the main reasons for using VPNs.
crazygringo
Are any VPN's getting China wrong? It would be pretty obvious. In fact, common VPN's I'm looking at don't even support China as an option. Obviously no VPN's are mixing countries up where it becomes clear from what you're allowed to browse.
But so "if you do things that are legal in one country, but might not be in another" is what I'm specifically asking about. Ultimately, legality is determined by the laws that apply to you, not the country your packets come out of. So I'm asking for a specific example.
And I already said, that if a site is attempting to determine permissions based on the country, it's doing so via the same list. E.g. when the country is actually Greenland, but you think it's the UK, and Netflix also thinks it's the UK. Which is why I'm saying, at the end of the day, is there any real consequence here? If both sender and receiver think it's the UK, what does it matter if it's actually Greenland?
atmosx
Using FreeBSD dummynet it’s possible to modify the characteristics of network traffic and emulate e.g. Somalia performance from a datacenter in France.
null
I know multiple people who worked / working at Mullvad and they take their business, security and privacy _very_ seriously. Not surprised to see them shine here.