56 comments

[ 8.8 ms ] story [ 73.0 ms ] thread
While exits matter to avoid countries with a nation-wide firewall, the geoip industry is a scourge.

If an ISP wants to help their users avoid geoblocking via https://www.rfc-editor.org/rfc/rfc8805.html more power to them.

We (IPinfo) attended the IETF 3-day workshop on IP geolocation. Our presentation was about geofeed that can be viewed here: https://youtu.be/l8PR7VCmA3Q?si=dG-00UqljTopBquF&t=372.

It was a great session and we received a lot of questions. We attend different NOG conferences regularly. ISPs are incentivized to help us by providing good data. Although we are agnostic about adversarial geofeeds, ISPs themselves need to work with us to ensure good quality of service to their users.

We already do quite a lot of outreach, in fact, most network engineers in the ISP industry across the world are familiar with us. But if any ISP operator has any feedback for us, we are only an email (or even a social media comment) away.

Cool, even our privacy protection is fraught with scammers and liars.
I work for IPinfo.

No, the article does not make this conclusion at all! It was carefully written to highlight the nature of virtual locations of VPN exit nodes and does not make such conclusions.

The article is written by our founder, who is accessible to the VPN industry at large and is open to feedback and comments.

I am not sure that I really understand what they did. I am also missing some major VPNs in the list. I currently use AirVPN but this has something to do with my use case and pricing.

Why do you want to use a VPN?

- Privacy

- Anonymity (hint: don't!)

- unblock geolocation

- torrents

- GFC

The last point is the hardest.

https://expatcircle.com/cms/privacy/vpn-services/

I work at IPinfo, thanks for your comment/feedback. We will be expanding this research to include more VPNs next year.
Mullvad is the only VPN I will ever trust. Yet again they ace the test.
I tried to use ProtonVPN when I switched over to ProtonMail a year ago. But so much of the web does not work when you're on a VPN. For example even HackerNews has VPN restrictions. More and more sites know where VPN endpoints originate. How will VPNs prevent this in the future without them just become easy to block?
I know multiple people who worked / working at Mullvad and they take their business, security and privacy _very_ seriously. Not surprised to see them shine here.
When they wrote that 3 providers were honest about all locations I have to admit my first thought was "Mullvad, and who would the other two be?"

With their reputation and trackrecord they really can't do any shady tricks. Imagine if they weren't among the 3 honest providers? That would be HN frontpage news.

While I pay for Mullvad directly through my bank, their account number approach built a lot of trust for me. "Here's your number, use whatever to fund it. 5 euro a month, no sales."
Has anyone else from Europe noticed how Mullvad's speeds and latency have becoming worse and worse during peak times in the recent months? I now have to change servers regularly, which was never the case ~2 years ago.
This was a dumb study, and if they'd asked the VPN providers, I'm sure someone would tell them why.

All the VPN providers I've used let you select the endpoint from a dropdown menu. I'm not using a VPN to make it appear I'm in Russia, I'm using it as one of many tools to help further my browsing privacy.

My endpoint is one of 2 major cities that are close to me. Could I pick some random 3rd world country? Sure! That isn't the goal. The goal is to prevent my mostly static IP address from being tied to sites I use every day.

EDIT:

Small point of clarification:

All the VPN providers I use have custom or 3rd party software that allows you to select a location for the VPN. All of the VPN providers I've used also select the location with the lowest ping times as a default. I suspect most folks are just sticking with the defaults. I certainly haven't strayed outside the US/EU for any of my attempts. I have occasionally selected an EU location for specific sites not available in the US, where I live, but beyond that?

I get advertisements for VPN providers almost everywhere. I've never been interested, but I do subscribe to Mullvad via Tailscale. So, I'm thankful and appreciative that they did their due diligence and partnered with a reputable provider. I've been very happy with the service.

Edit: Welp. How could this possibly be my most downvoted comment. Am I not entitled to an opinion? I ain't no AI.

I work for IPinfo. We provide IP geolocation and VPN detection services. We identify which IP addresses are associated with a VPN and the actual location of the IP address.

We have not collaborated with any VPN companies for the report and have not even requested permission or pre-draft approvals. We had the data of what we were seeing and published a report based on that. We have published a ton of resources around the nature of VPN location in the past. Our focus is on data accuracy and transparency.

After the article was published, we received feedback from only a single VPN provider - Windscribe (https://x.com/ipinfo/status/1998440767170212025). I do not think anyone from Mullvad, iVPN, or any other VPN company has reached out to our team or our founder yet.

We are happy to take feedback and comments and are even open to a follow-up!

Looks like the link is dead.
Contrasting take: RTT and a service providing black box knowledge is not equivalent to knowledge of the backbone. To assume traffic is always efficiently routed seems dubious when considering a global scale. The supporting infrastructure of telecom is likely shaped by volume/size of traffic and not shortest paths. I'll confess my evaluation here might be overlooking some details. I'm curious on others' thoughts on this.
We (I work for IPinfo) talk about latency because it is a thread that you can start from when exploring our full depth of data.

We are the internet data company and our ProbeNet only represents a fraction of our investment. Through our ProbeNet, we run ping, traceoute, and other active measurements. Even with traceroute we understand global network topology. There are dozens and dozens of hints of data.

We are tapping into every aspect on the internet data possible. We are modeling every piece of data that is out there, and through research, we are coming up with new sources of data. IP geolocation is only product for us. Our business is mapping internet network topology.

We are hoping to work with national telecoms, ISPs, IXPs, and RIRs to partner with them, guiding and advising them about data-driven internet infrastructure mapping.

Using FreeBSD dummynet it’s possible to modify the characteristics of network traffic and emulate e.g. Somalia performance from a datacenter in France.
(comment deleted)
(comment deleted)
I'm a big VPN user since I am the citizen of one country and the resident of another. Even for government services I have to use a VPN. I tried to access the bureau of statistics of my home country through my foreign residential IP and got 404s on all pages. Enabled VPN and everything magically started working. For watching the election result video stream I also had to VPN but at least that one gave me a clear message. For doing taxes in my home country I then have to disable VPN since all VPN access is blocked but it's OK to use a foreign residential IP.

I would easily pay €30 a month for a VPN in my home country that uses a residential IP and isn't noticeable. I am aware that those exist, but 99% of them are shady.

Is there any real-life situation in which this matters, though?

If you're picking a country so you can access a Netflix show that geolimits to that country, but Netflix is also using this same faulty list... then you still get to watch your show.

If you're picking a country for latency reasons, you're still getting a real location "close enough". Plus latency is affected by tons of things such as VPN server saturation, so exact geography isn't always what matters most anyways.

And if your main interest is privacy from your ISP or local WiFi network, then any location will do.

I'm trying to think if there's ever a legal reason why e.g. a political dissident would need to control the precise country their traffic exited from, but I'm struggling. If you need to make sure a particular government can't de-anonymize your traffic, it seems like the legal domicile of the VPN provider is what matters most, and whether the government you're worried about has subpoena power over them. Not where the exit node is.

Am I missing anything?

I mean, obviously truth in advertising is important. I'm just wondering if there's any actual harm here, or if this is ultimately nothing more than a curiosity.

Interesting to learn you can identify the real country/area of origin using probe latency. Though could this be simulated? Like what if the VPN IP just added 100ms-300ms of latency to all of its outgoing traffic? Ideally vary the latency based on the requesting IP's location. And also just ignore typical probe requests like ICMP (ping). And ideally all the IPs near the end of the traceroute would do all this too.

To use an example, 74.118.126.204 claims to be a Somalian IP address, but ipinfo.io identifies it as being from London based on latency. Compare `curl ipinfo.io/74.118.126.204/json` vs `curl ipwhois.app/json/74.118.126.204` to see. If that IP ignored pings and added latency to all outgoing packets, I wonder if that would stymie ipinfo's ability to identify its true origin.

This can fool someone from one location and only in one way (if you are near Somalia and expect a 10ms latency, a virtual VPN can't reduce latency to simulate been in Somalia). So it have to be dynamic to fool multiple locations to stay probable.

But anyway, *you can't fool the last-hop latency* (unless you control it, but you can control all of it), and basically it impossible to fool that.

I work for IPinfo.

We also run traceroutes. Actually, we run a ton of active measurements from our ProbeNet. The amount of location data we process is staggering.

https://ipinfo.io/probenet

Latency is only one dimension of the data we process.

We are pinging IP addresses from 1,200+ servers from 530 cities, so if you add synthetic latency, chances are we can detect that. Then the latency-related location hints score will go down, and we will prioritize our dozens of other location hints we have.

But we do welcome to see if anyone can fool us in that way. We would love to investigate that!

There's quite a bit of effort in this space.

In my first job out of school, I did security work adjacent to fortune 50 banks and the (now defunct) startup I worked at partnered some folks working on Pindrop (https://www.pindrop.com/).

Their whole thing at the time was detecting when it was likely that a support call was coming from a region other than the one the customer was supposed to be in (read: fraudulent) by observing latency and noise on the line (the name is a play on "We're listening closely enough to hear a pin drop".)

Long story short, it's a lot more than just the latency that can clue someone in on the actual source location, and even if you introduce enough false signal to make it hard to identify where you actually are, it's easy to spot that and flag you as fake, even if it's hard to say exactly what the real source is.

Ideally, there'd be a way to subtract lag. (A non-causal network switch? Would be big business...)
This seems like circumstantial evidence for most VPN providers mostly serving customers who are in the business of spreading targeted misinformation on social media.
And it's super easy to do. I had my own ASN and my own IPv4 and IPv6 address space, you basically just write whatever you want into RIPE Database objects (or ARIN, APNIC etc.) Today your IP space can be in one country, and tomorrow in a different one.
Most of these providers are in fact open about the fact that these locations are “virtual”, so it’s misleading to say they don’t match where they claim to be.

There is however an interesting question about how VPNs should be considered from a geolocation perspective.

Should they record where the exit server is located, or the country claimed by the VPN (even if this is a “virtual” location)? In my view there is useful information in where the user wanted to be located in the latter case, which you lose if you only ever report the location of servers.

(disclaimer: I run a competing service. we currently provide the VPN reported locations because the majority of our customers expect it to work that way, as well as clearly flagging them as VPNs)

I work for IPinfo, and I appreciate your comment.

Our product philosophy is centered on accuracy and reliability. We intentionally diverge from the broader IP geolocation industry's trust-based model. Instead of relying primarily on "aggregation and echo", we focus on evidence-backed geolocation.

Like others in the industry, we do ingest self-reported IP geolocation data, and we do that well. Given our scale and reputation, we receive a significant volume of feedback and guidance from network operators worldwide. We actively conduct outreach, and exchange ideas with ISPs, IXPs, and ASNs. We attend NOG events, participate in research conferences, and collaborate with academia. We have a community and launch hackathon events, which allow us to talk to all the stakeholders involved.

Where we differ is in who our core users are. Our primary user base operates at a critical scale, where compromises on data accuracy are simply not acceptable. For these users, IP geolocation cannot be a trust-based model. It must be backed by verifiable data and evidence.

We believe the broader internet ecosystem benefits from this approach. That belief is reflected in our decision to provide free data downloads, a free API with unlimited requests, and active collaboration with multiple platforms to make our data widely accessible. Our free datasets are licensed under CC-BY-SA 4.0, without an EULA, which makes integration, even for commercial use straightforward.

I appreciate you recognizing that our product philosophy is different. We are intentionally trying to differentiate ourselves from the industry at large, and it is encouraging to see competing services acknowledge that they are focused on a different model.

If we can pay them in virtual dollars, no problem
I'm a co-founder at WonderProxy, we didn't make their list (we target people doing application testing, not consumer VPNs).

We're in 100+ countries, and I'll stand by that claim. It's a huge pain in the neck. In our early years we had a lot of problems with suppliers claiming to be in Mexico or South America who were actually just in Texas. I almost flew to Peru with a rackmount server in my luggage after weeks of problems, that plan died when we realized I'd need to figure out how to pay Peruvian income tax on the money I made in country before I could leave.

We've also had customers complaining that a given competitor had a country we'd had trouble sourcing in the Middle East. A little digging on our part and it's less than a ms away from our server in Germany.

Oh wow, I had no idea that “virtual location” is even a thing. Imo it should not, I don’t even see a use case for that, it just seems like straight-up lying about the traffic exit location. Glad to see the provider I occasionally use, Mullvad, passed the test.
Many providers in the list, such as PIA, warn the user when a virtual location is chosen. The point is to get a wider range of countries. Most websites, such as YouTube and Netflix, are fooled by the virtual locations, so it works!
I used a VPN that had a virtual location of China for a while, which avoided ads on some websites; China blocks those sites, so those sites don't have any ads in China, but the VPN exit wasn't actually in China so it could reach the sites fine.
I seriously don't quite understand the point of using a VPN that doesn't offer you clean residential IPs somehow (and I don't really know good VPN like that). Most services where I really want to use VPN are well aware of VPN IP blocks and just won't allow any of these famous VPNs (that I am aware of, at least). And services that don't care if it's my real IP or not… well, usually I don't really care about exposing them to my real IP either?

I mean, ok, there are use-cases. But commercial VPNs exist under specific premise, you know, and they just don't offer what they claim to be offering. Unfortunately.

You can pay for a static residential IP on Windscribe, but it's quite expensive.
I use Mullvad through Tailscale’s exit‑node integration, and it’s awesome. They are the only provider I trust these days.

To highlight virtual routing: it’s useful in scenarios where a country blocks VPNs but you still need an IP from that country to browse local websites. In such cases, virtual routing comes in handy. For example, when India required all VPN servers in the country to log user traffic, Proton moved its Indian server to Singapore and used virtual networking tricks to continue offering an Indian IP address.

Never heard of Windscribe but their homepage has "Become American" as a feature.

> Are you sick of not having access to foreign oil? Do you love using advanced weapons to fuck up someone’s day? Obsessed with manipulating your financial records to make yourself look more successful than you are?

Got a chuckle out of me.