We're in 100+ countries, and I'll stand by that claim. It's a huge pain in the neck. In our early years we had a lot of problems with suppliers claiming to be in Mexico or South America who were actually just in Texas. I almost flew to Peru with a rackmount server in my luggage after weeks of problems, that plan died when we realized I'd need to figure out how to pay Peruvian income tax on the money I made in country before I could leave.

We've also had customers complaining that a given competitor had a country we'd had trouble sourcing in the Middle East. A little digging on our part and it's less than a ms away from our server in Germany.

For our ProbeNet, we are attempting to reach 150 countries (by ISO 3166's definition). We are at around 530 cities. Server management is not an easy task. We do not ship hardware, but operate using dedicated servers, so this reduces one layer of complexity.

To maintain the authenticity of our server locations, we utilize cross-pings and network traffic behavior detection. If any abnormality is detected, the server will be immediately disabled to prevent polluting our data. There will be a ticket to investigate what went wrong.

We pay for each (excluding 3 to 4 servers where the owner and the team really likes us and insists on sponsoring) server. Expansion is an active effort for us, as there are 70k ASNs and about 100 more countries where we do not have a server.

We hope to partner with more ASNs, particularly residential ISPs and IXPs. So, a lot of effort is put into active outreach through WhatsApp, emails, social media and phone calls. We use a number of different data-based techniques to identify "leads".

When FB was rolling out ipv6 in 2012, well meaning engineers proposed releasing a v6 only GeoIP db (at the time, the public dbs were shit). Not surprisingly, it was shot down.

They recently added GeoIP to their data and in the bit of testing I was able to do before I left it was scary good. I also had an amusing chat with one of their engineers at a conference about how you can spoof IPInfo's location probes...

Google/GCP is top of mind for me due to a recent engineering ticket. Some of our own infrastructure is hosted on GCP, and Google’s device-based IP geolocation model causes issues for internet users, particularly for IPv6 services.

From what we understand, when a large number of users from a censored country use a specific VPN provider, Google's device-based signals can bias the geolocation of entire IP ranges toward that country. This has direct consequences for accessibility to GCP-hosted services. We have seen cases where providers with German-based data centers were suddenly geolocated to a random country with strict internet censorship policies, purely due to device-based inference rather than network reality. Our focus is firmly on the geolocation of exit-node IPs, backed by network evidence.

https://community.ipinfo.io/t/getting-403-forbidden-when-acc...

We are actively looking to connect with someone at Google/GCP, Azure/Microsoft and others who would be willing to speak with us, or directly with our founder.

Our community consistently asks us to partner more deeply with enterprises because we are in constant contact with end users and network operators. To be honest, we do not even get many questions or issues. We are partners with a large CDN company, and I get one message about a month, which usually involves sharing evidence data and not fixing something.

From a large-scale organization's perspective, IP geolocation should not be treated as an internal project. It is a service. Delivering it properly requires the full range of engineering, sales, support, and personnel available around the clock to engage with users, evaluate evidence, and continuously incorporate feedback.

Seems like there are VPNs, and then there are VPNs.

Fwiw I'm not switching from mullvad

[0] https://news.ycombinator.com/item?id=46252366

[1]: https://www.reddittorjg6rue252oqsxryoxengawnmo46qy4kyii5wtqn...

I finally hit the point of searching for mirrors yesterday and turns out, they exist.[0]

It’s really only suitable for lurking or being able to view search results, but it has eased the pain a bit.

0: reddit-viewer.com

If you're not just lurking, log in and reddit doesn't block you.

So, login without mullvad, turn it on after that and it should work.

The question is "if reddit can block mullvad why can't China".

I'd also like to ask people not to block this way. It creates LOTS of false positives. There's much better ways to handle bots and this tactic seems particularly dumb for Reddit given they want users from places like China or elsewhere where a VPN might be required. Not to mention people using public WiFi. It's not like VPNs are uncommon these days.

If you must ban IPa then do so with a timeout and easing function. So that each hit results in a longer ban time. Bots want to move fast so even a few seconds ban time will make them switch IPs while not impacting most users (who will refresh)

Mullvad is pretty good overall though.

I love that I can pay directly with a crypto wallet and have true anonymity.

> We accept the following currencies: EUR, USD, GBP, SEK, NOK, CHF, CAD, AUD, NZD.

Not a bad way to get rid of some spare currency lying about that you’ll incur a fee to localize anyway.

In any case, its certainly better than visa, but if you dont trust your vpn provider the real issue is they have your IP address and at best just a pinky-promise they dont log.

I would easily pay €30 a month for a VPN in my home country that uses a residential IP and isn't noticeable. I am aware that those exist, but 99% of them are shady.

I can't get into work from a non-US IP, but I can Tailscale back to my house and it works just fine. I even gave my in-laws (who live several states away) an AppleTV box running TS just to have another endpoint if for some reason the power goes out at my house while I'm gone (rare, but happens).

personally, I've just upgraded my family's wifi to Ubiquiti and can then use Tailscale Wireguard running on the gateway as a proxy! (with their permission)

It’s not what I’m comfortable setting up for myself that is the issue; I am willing to put up with oddities for something that is just for my convenience and amusement. The problem is what I am knowledgeable enough to fix from far away if and when it goes wrong, and how to explain to my very non-technical family how to access it.

I have a NAS, and I could roll my own with that (in fact it’s my exit node at home, because I’m fairly sure it has better encryption speed than the AppleTV), but when something I’m in charge of maintaining goes in someone else’s house, the last thing I want to spend my spare time doing is trying to diagnose and fix issues over the phone with people who don’t own a computer.

It’s not the perfect solution to every situation. It is reliant on Tailscale and Apple, and there are cheaper, more capable systems (like the RPi) out there if you have the knowledge and inclination to set them up. But it’s a very, very straightforward solution that is unobtrusive and easy to maintain and thus is extremely well-suited for my needs. I thought it might be for OP as well. Anyone who is willing to shell out €360 a year for a truly residential-IP VPN should at least be made aware that it’s an option.

I agree you could send them a preconfigured pi, but can we stop pretending talescale is just wireguard - there is a lot of convenience in the NAT traversal that you otherwise need router config and/or a publically routable server to achieve.

That's precisely the issue. It introduces additional centralized dependencies and closed source components.

Wish I’d read this a few hours ago and the AppleTV would be coming with me.

I can't find it right now but there was a post announcing the port to tvOS on their blog where a developer from the UK (but living in the US) talked about how it let him buy, configure, and ship a simple consumer box that uses little power and needs minimal hands-on maintenance to his parents' house as a replacement for a server he had been running in their house as a VPN endpoint for this sort of thing - so he could watch BBC, etc.

I wouldn't want to update a RPi that's in someone else's house on the other side of the ocean.

While I still prefer running a plain Wireguard VPN if possible (i.e. when there's a publicly reachable UDP port), the really big advantage of Tailscale over other solutions is that it has great NAT traversal, so it's possible to run a routing node behind all kinds of nasty topologies (CG-NAT, double NAT, restrictive firewalls etc.)

Underneath, it uses WebRTC (the same tech as Google Meet). It is free to use, I just built to fix this problem that I have... I am quite surprised expats only get by using a traditional VPN whose IPs are known by online services...

I love my Pi but sometimes I want life to be mindless easy.

I'd say, anything heavy and random, use the general VPN and the rest use an rpi at your parents' home.

They used government websites as an example, not to say that all of their traffic was to government websites.

For residential IPs you can't even pay per month like normal VPNs, normally they charge per GB, usually over $2 usd per GB.

And I can get a semi-anonymous cable internet connection too (if your line is “hot”, you could sign up with any address… not sure if it has to be under the same node or just the same city). Would be difficult, but not impossible, to track down which residence the shadow connection is coming from.

They likely charge per GB because these residential connections are slow and limited compared to datacenter connections (doesn't help that they're often located in third world countries), and are often used for aggressive scraping, so charging a fixed monthly price would not be viable.

Regulatory accepted establishment of "country" location might not always be what layman think.

I knew of a server rack physically in a Brussels Belgium datacenter that was for regulatory purposes declared to be Luxemburg territory (as Luxemburg at the time had specific rules on domestic data processing).

To use an example, 74.118.126.204 claims to be a Somalian IP address, but ipinfo.io identifies it as being from London based on latency. Compare `curl ipinfo.io/74.118.126.204/json` vs `curl ipwhois.app/json/74.118.126.204` to see. If that IP ignored pings and added latency to all outgoing packets, I wonder if that would stymie ipinfo's ability to identify its true origin.

We also run traceroutes. Actually, we run a ton of active measurements from our ProbeNet. The amount of location data we process is staggering.

https://ipinfo.io/probenet

Latency is only one dimension of the data we process.

We are pinging IP addresses from 1,200+ servers from 530 cities, so if you add synthetic latency, chances are we can detect that. Then the latency-related location hints score will go down, and we will prioritize our dozens of other location hints we have.

But we do welcome to see if anyone can fool us in that way. We would love to investigate that!

But anyway, *you can't fool the last-hop latency* (unless you control it, but you can control all of it), and basically it impossible to fool that.

As a hypothetical example, an IP in a New York City data center is likely to have a shorted ping to a London data center, than a rural New York IP address.

It also reminds me of this old story: https://web.mit.edu/jemorris/humor/500-miles

The VPN provider only controls their network, not their upstream.

So you can set minimum latency on your responses. But your upstream networks won't be doing this.

  [IPinfo] pings an IP address from multiple servers across the world and identify the location of the IP address through a process called multilateration. Pinging an IP address from one server gives us one dimension of location information meaning that based on certain parameters the IP address could be in any place within a certain radius on the globe. Then as we ping that IP from our other servers, the location information becomes more precise. After enough pings, we have a very precise IP location information that almost reaches zip code level precision with a high degree of accuracy. Currently, we have more than 600 probe servers across the world and it is expanding.

If they added latency to all packets then London would still have the lowest latency.

In addition to active measurement and research, there are many other sources of data we use. Also, we are actively investing in R&D to develop new sources. Adding just 300ms of latency at the end of an IP address would simply appear as noise to us. We have dozens of locations, hints cut through the noise.

We welcome people to try to break the system. Perhaps it is possible to dupe this system.

Find the ASN(s) advertising that network and figure out their location.

Even within the ASN there may still be multiple hops, and those IPs may be owned by others (eg the hosting facility) who are not playing the same latency games.

https://blog.cloudflare.com/cloudflare-servers-dont-own-ips-...

In summary, the location at which an IP egresses Cloudflare network has nothing to do with the geo-ip mapping of that IP. In some cases the decision on where to egress is optimised for "location closest to the user", but this is also not always true.

And then there is the Internet. Often some country (say Iran) egresses from a totally different place (like Frankfurt) due to geopolitics and just location of cables.

If VPN usage becomes the norm, sites will have to give in eventually.

It’s a little weird because Apple has device attestation which is run via Cloudflare and Fastly. You’d think that would get you around the challenges, but that doesn’t seem to happen.

I also assume being a service that requires an expensive device and that the browsing happen through Safari limits the abuse somewhat.

Socks5 proxy addresses can be found here: https://mullvad.net/en/servers

You need to prefix them with 'socks://'.

The ideal world is one where everyone is using Tor. They can only discriminate against you if you're different from others. The idea behind Tor is to make everyone look like the same user. The anonymity set must be maximized for that to work.

No idea why, (the "wrong" public Wi-fi?) but my appeal was granted and nothing was fixed.

Now I can't contact anyone, and the appeals page falsely claims that my account is in good standing and refuses to operate.

When I went looking for help from a throwaway account that I made many years ago for resume reviews, the exact same thing happened.

So at this point, I only lurk occasionally, because I'm not going to go through that social hell again, and it sounds like moderation failures have only gotten worse in the years since.

it is funny i have been probing HN for years, and i've found a number of cases when everything is normal, but i check the account from another device and it isn't there, or is free of posts despite having made many. yet i would do the same if i was an admin trying to keep a walled-garden free of trolls.

You may be denied entry to certain establishments, but some of the bouncers don't block all masks and if you're persistent with changing your mask (Tor or VPN exit node), there's a good chance you'll get in. CTRL+SHIFT+L works on Tor Browser to change your circuit. The linked article blocks Tor, but after pressing CTRL+SHIFT+L a few times, I was able to read it.

For the sites that don't let me view them via Tor, I can install FoxyProxy and try some IPs from the free public lists. Lots of sites that block Tor don't block these IPs, although it's a bit of a pain. Another option is to load an archived version of the site on archive.org or archive.md (or .is or the various different TLDs it uses).

As for HN - it sometimes gives a "Sorry." if you try to access a certain comment directly, but after a few tries it works. This account was created over Tor and I've only accessed it through Tor. I think my first comment was dead and someone vouched for it, but now my comments appear instantly.

I've heard that banking sites don't work over Tor, but I haven't had a need to use Tor for banking, as the bank already knows who I am pretty well.

Most of the big social media sites don't allow Tor, but if I wanted to create a fake account, I'd most likely buy a residential proxy.

So it's not that bad, considering what you get from Tor (and with some VPNs, depending on your threat model) - no tracking, anonymity and so on.

It accomplishes 2 things:

* I'm not tracked as much. Less data points for the companies to gobble up.

* More Tor users lead to better anonymity for everyone as it's easier to blend in - you won't be the only one wearing a mask at the club every weekend.

I got used to the latency. It's not that bad. Some sites load instantly, others take 1-2 seconds. A few take a while.

Sites from one regional hosting provider in my country just don't load at all. I get "Server not found". I'm not sure how that works - are they blackholing an ASN or using something else with BGP?

The main issue for me is not the latency, though, but the CAPTCHAs and 403's (HTTP Forbidden). If I were to search for a recipe, for example, I'd open 5-10 of the results in new tabs (with the middle mouse button; idk why people use CTRL+click), then close the ones with "Attention Required" or "Forbidden" so I'm left with 3-5 usable sites. That way I always have something to read. When I open a few sites one after the other, at least one will usually load instantly.

I haven't used Tor without Whonix on Qubes OS for a while, so I'm not sure if the latency is different on a standard OS with just Tor Browser installed. My workflow is that I use disposable VMs for different things I do. Right now I have a VM with HN and a few links I've opened from it and another VM with other research I started earlier today that I plan on finishing a bit later. When I'm done with my HN session, I'll close this VM, which will destroy it. For me this compartmentalization is good not only for security and privacy, but for productivity, as well.

It takes time for sites to realize the danger, especially with mobile users where fiddling with a VPN is often more hassle than its worth and its just left always on. It's often a good idea to impersonate a mobile user agent for this reason as some sites (or perhaps cloudflare?) started treating them differently. The impersonation needs to be done well (SSL and HTTP fingerprints should also match mobile).

Usually, the more expensive the VPN offering the better the reputation of their IP's. Avoid VPNs that have any kind of free tier like the plague.

> fiddling with a VPN is often more hassle than its worth and its just left always on.

Not to saying this is wholly preferable, but I have often found this to be beneficial for me in that it tends to deter me from wasting disproportionate amounts of time on crap web content (either that, or HN wins over that remaining browsing time when it's not blocking me :)

Mullvad just worked everywhere. I'm going back when my year plan on Proton ends.

Why do you want to use a VPN?

- Privacy

- Anonymity (hint: don't!)

- unblock geolocation

- torrents

- GFC

The last point is the hardest.

https://expatcircle.com/cms/privacy/vpn-services/

They checked where the VPN exit nodes are physically located. A lot of them are only setting a country in the whois data for the IP, but do not actually put the exit node in that country.

Most of the "problem" countries are tiny places. Monaco, Andorra etc. It might be tough to rent a server there. And your list of clients should be minimal.

It's not only small countries either, it affects much of Latin America, including Brazil (PIA's servers were in Miami for BR as well last time I checked). I've occasionally seen it also affect US states where e.g. Massachusetts would be served from Trenton, NJ.

It would (unless the blockers use this company's database I guess):

> The IP registry data also says “Country X” — because the provider self-declared it that way.

That could be good or bad depending on what you're using the VPN for. E.g. if you only care about evading stupid local laws like the UK's recent Think of the Children Act, then it's actually great because you can convince websites you're in Mauritius while actually getting London data centre speeds.

But if you want to legally be sending your traffic from another country then it's less great because you actually aren't. To be honest I can't really think of many situations where this would really make a difference since the exit point of your network traffic doesn't really matter legally. E.g. if a Chinese person insults their dear leader from a VPN exit node in the UK, the Chinese authorities are going to sentence them to just as much slavery as if they did it from a local exit point.

It just can't be outside England, just one 0.4ms RTT as seen here is enough to be certain that the server is less then 120 km away from London (or wherever their probe was, they don't actually say, just the UK).

RTT from a known vantage point gives an absolute maximum distance, and if that maximum distance is too short then that absolutely is enough to ascertain that a server is not in the country it claims to be.

One of our competitors was claiming a server in a middle eastern country we could not find any hosting in. So I figured out what that server's hostname was to do a little digging. It was >1ms away from my server in Germany.

Let's say you're a global VPN provider and you want to reduce as much traffic as possible. A user accesses the entry point of your service to access a website that's blocked in their country. For the benefit of this thought experiment, let's say the content is static/easily cacheable or because the user is testing multiple times, that dynamic content becomes cached. Could this play into the results presented in this article? Again, I know I'm moving goalposts here, but I'm just trying to be critical of how the author arrived at their conclusion.

We are the internet data company and our ProbeNet only represents a fraction of our investment. Through our ProbeNet, we run ping, traceoute, and other active measurements. Even with traceroute we understand global network topology. There are dozens and dozens of hints of data.

We are tapping into every aspect on the internet data possible. We are modeling every piece of data that is out there, and through research, we are coming up with new sources of data. IP geolocation is only product for us. Our business is mapping internet network topology.

We are hoping to work with national telecoms, ISPs, IXPs, and RIRs to partner with them, guiding and advising them about data-driven internet infrastructure mapping.

The speed of light in fiber which probably covers most of the distance is also even slower due to refraction (about 2/3).

Yeah like... physics. If you're getting sub-millisecond ping times from London you aren't talking to Mauritius.

If an ISP wants to help their users avoid geoblocking via https://www.rfc-editor.org/rfc/rfc8805.html more power to them.

It was a great session and we received a lot of questions. We attend different NOG conferences regularly. ISPs are incentivized to help us by providing good data. Although we are agnostic about adversarial geofeeds, ISPs themselves need to work with us to ensure good quality of service to their users.

We already do quite a lot of outreach, in fact, most network engineers in the ISP industry across the world are familiar with us. But if any ISP operator has any feedback for us, we are only an email (or even a social media comment) away.

That's the entire problem in a nutshell. Good quality of service should not depend on every site I visit knowing my geographic location at the ZIP code or even street level (I've actually seen the latter occasionally).

I can somewhat understand the need for country-wide geoip blocking due to per-country distribution rights for media and whatnot, but when my bank does it, it just screams security theater to me.

We are trying to work with ISPs everywhere, so if port level geolocation of the IP address is common, we surely need to account for that. I will flag this to the data team. To get the ball rolling, I would love to talk to an ISP operator who operates like this. If you know someone please kindly introduce me to them.

IPv4 addresses are not that scarce yet, and realistically any CG-NAT will have several IPv4 addresses per metro area, if only to allow for reasonable levels of geolocation (e.g. to not break the "pizza near me" search use case).

If that had happened, IPv4 would likely already could be regarded as a relic of the past.

Geographic IP information is one of our best tools to defend against those outcomes, and if anything it should be better.

Intentionally ambiguous regulations (in terms of how companies and individuals are expected to comply) backed by the existential threat of huge fines often lead to a race to the bottom in terms of false positives and collateral damage to non-sanctioned users.

Is there some specific way we can get the laws like this to be gone? They're obviously useless (witness this very thread of people describing ways for anyone to get around them) and threatening people with destruction for not doing something asinine isn't the sort of thing any decent government should be doing.

Big techs (most notably Google) is using the location permission they have from the apps / websites on the user's phones / browsers to silently update their internal IP geolocation database instead of relying on external databases and claims of IP owners (geofeed etc). And this can be hyper-sensitive.

I was traveling back home in China last year and was using a convoluted setup to use my US apartment IP for US based services, LLM and streaming. Days into the trip and after coming back, I found that Google has been consistently redirecting me to their .hk subdomain (serving HK and (blocked by gov) mainland China), regardless of if I was logged in or not. The Gmail security and login history page also shows my hometown city for the IP. I realized that I have been using Google's apps including YouTube, Maps and so on while granting them geolocation permission (which I should not do for YouTube) in my iPhone while on the IP and in my hometown.

After using the same IP again in the US with Maps and so on for weeks and submitting a correction request to Google, it comes back to the correct city. (The tricks of restarting the modem / gateway, changing MAC address to get a new IP is not working somehow this time with my ISP)

I have seen a Europe-based cloud hosting provider's IP ranges located in countries where Google does not provide service. This is because these IP ranges are used as exit nodes by VPN users in that country.

Device-based IP geolocation is strange. We prefer IP geolocation based on the last node's IP geolocation. We hope to collaborate with Google, Azure, and other big tech on this if they reach out to us.

To highlight virtual routing: it’s useful in scenarios where a country blocks VPNs but you still need an IP from that country to browse local websites. In such cases, virtual routing comes in handy. For example, when India required all VPN servers in the country to log user traffic, Proton moved its Indian server to Singapore and used virtual networking tricks to continue offering an Indian IP address.

Smart routing documentation: https://protonvpn.com/support/how-smart-routing-works

'Virtual' VPN server geolocation involves informing IP geolocation providers that their Singaporean servers are located in India. We looked into data and latency-based locations, but the industry at large uses self-reported location information for their data. So, if you use a service that uses IP geolocation provider (that is not us) they will just tell them that the Singaporean IP address is located in India, because that is the information they have and they do not have any other ways to verify it. But at the end of the day, the location information is coming from the VPN itself.

I could be wrong, and there could be technology and technique I am missing, so I am happy to learn. The blog is written by our founder who is accessible to the Proton team if they want to share their feedback with us.

There is however an interesting question about how VPNs should be considered from a geolocation perspective.

Should they record where the exit server is located, or the country claimed by the VPN (even if this is a “virtual” location)? In my view there is useful information in where the user wanted to be located in the latter case, which you lose if you only ever report the location of servers.

(disclaimer: I run a competing service. we currently provide the VPN reported locations because the majority of our customers expect it to work that way, as well as clearly flagging them as VPNs)

Our product philosophy is centered on accuracy and reliability. We intentionally diverge from the broader IP geolocation industry's trust-based model. Instead of relying primarily on "aggregation and echo", we focus on evidence-backed geolocation.

Like others in the industry, we do ingest self-reported IP geolocation data, and we do that well. Given our scale and reputation, we receive a significant volume of feedback and guidance from network operators worldwide. We actively conduct outreach, and exchange ideas with ISPs, IXPs, and ASNs. We attend NOG events, participate in research conferences, and collaborate with academia. We have a community and launch hackathon events, which allow us to talk to all the stakeholders involved.

Where we differ is in who our core users are. Our primary user base operates at a critical scale, where compromises on data accuracy are simply not acceptable. For these users, IP geolocation cannot be a trust-based model. It must be backed by verifiable data and evidence.

We believe the broader internet ecosystem benefits from this approach. That belief is reflected in our decision to provide free data downloads, a free API with unlimited requests, and active collaboration with multiple platforms to make our data widely accessible. Our free datasets are licensed under CC-BY-SA 4.0, without an EULA, which makes integration, even for commercial use straightforward.

I appreciate you recognizing that our product philosophy is different. We are intentionally trying to differentiate ourselves from the industry at large, and it is encouraging to see competing services acknowledge that they are focused on a different model.

It redirects to a dead link hosted on aruba.it. I can investigate it.

[1] https://news.ycombinator.com/item?id=45922850

We added additional features for location hint modeling and selection for IPv6 networks. There are a handful of open engineering tickets to understand more about the entire internet infrastructure of the country. Of course, hosting a probe server out there would be helpful.

https://ipinfo.io/countries/kp

We always appreciate feedback like that.

If you're picking a country so you can access a Netflix show that geolimits to that country, but Netflix is also using this same faulty list... then you still get to watch your show.

If you're picking a country for latency reasons, you're still getting a real location "close enough". Plus latency is affected by tons of things such as VPN server saturation, so exact geography isn't always what matters most anyways.

And if your main interest is privacy from your ISP or local WiFi network, then any location will do.

I'm trying to think if there's ever a legal reason why e.g. a political dissident would need to control the precise country their traffic exited from, but I'm struggling. If you need to make sure a particular government can't de-anonymize your traffic, it seems like the legal domicile of the VPN provider is what matters most, and whether the government you're worried about has subpoena power over them. Not where the exit node is.

Am I missing anything?

I mean, obviously truth in advertising is important. I'm just wondering if there's any actual harm here, or if this is ultimately nothing more than a curiosity.

And if I do it for privacy, the actual exit location seems very relevant. Even if I trust the VPN provider to keep my data safe (which for the record I wouldn't with the majority of this list), I still have to consider what happens to the data on either end of the VPN connection. I'm willing to bet money that any VPN data exiting in London is monitored by GCHQ, while an exit in Russia probably wouldn't be in direct view of NSA and GCHQ

You’d be shocked at the number of people in regulated industries that thinks a VPN inherently makes them more secure. If you think your traffic exits in the US and it exits in Canada — or really anywhere that isn’t the US — that can cause problems with compliance, and possibly data domicile promises made to clients and regulators.

At minimum, not being able to rely on the provider that you are routing your client’s data through is a big deal.

The routers don’t care about where the provider says the IP comes from. If the packet travels through the router, it gets processed. So it very much matters if you do things that are legal in one country, but might not be in another. You know, one of the main reasons for using VPNs.

The case I can think of most accessible would be anything that streams copywriten video.

But so "if you do things that are legal in one country, but might not be in another" is what I'm specifically asking about. Ultimately, legality is determined by the laws that apply to you, not the country your packets come out of. So I'm asking for a specific example.

And I already said, that if a site is attempting to determine permissions based on the country, it's doing so via the same list. E.g. when the country is actually Greenland, but you think it's the UK, and Netflix also thinks it's the UK. Which is why I'm saying, at the end of the day, is there any real consequence here? If both sender and receiver think it's the UK, what does it matter if it's actually Greenland?

Take someone from Russia, Iran, wherever, trying to access information they aren't allowed to access, or sharing information they aren't allowed to share. They think they're connected to a neighboring country, but in reality are exiting from their own country. Therefore, the traffic gets analyzed and they fall out a window.

Imagine Snowden sharing information about the NSA while using a VPN that actually exited from the US. Things might have developed differently.

Yes, it won't matter for most services. But as soon as states or ISPs are involved, you're fucked if you get it wrong.

No need for the snark. Obviously we're not talking about somebody in Iran or Russia connecting to a VPN that just leads back into their own country, that would be idiotic. None of the VPN providers are providing anything like that. Those don't even make sense conceptually. A Western VPN provider that an Iranian or Russian is using isn't even legally allowed to operate nodes inside of Iran or Russia due to sanctions.

I'm talking about the realistic mix-ups that the article is using as examples. Where Somalia is actually going to France or something. That's why my original comment started with "Is there any real-life situation..."

No VPN providers are accidentally routing into an oppressive dictatorship.

> Are you sick of not having access to foreign oil? Do you love using advanced weapons to fuck up someone’s day? Obsessed with manipulating your financial records to make yourself look more successful than you are?

Got a chuckle out of me.

I mean, ok, there are use-cases. But commercial VPNs exist under specific premise, you know, and they just don't offer what they claim to be offering. Unfortunately.

I’ve been paying for Mullvad with Monero for years. Love it

I think you can still mail them cash?

IMO the coolest privacy option they have is to literally mail them an envelope full of cash with just your account's cash payment ID.

Wow, you must be using the VPN for some seriously shady stuff.

I'd gather a small amount of that up (however I did that), keep it in an offline wallet, and spend it on VPN service every now and then.

It just seemed like the right way to go about things.

(And then I lost that wallet, because of course I did, with about $14 worth of BTC in it. I didn't care enough at that time to see if I'd backed it up properly; I wasn't planning on using it for anything anymore anyway. That was in 2014 and those backups are waaaay gone now, but it'd be around $2k worth of BTC today -- plenty to buy some DDR5 RAM. Whoopsie-doodle!)

(I'm sure that browsers like lynx still work just like they did in 2001, and that pine can still read mail. Shouldn't be a problem, right?)

Am I correct to assume that links2 is more of the same/better?

(Also: Your comment seems perfectly sane, but it was already marked as "flagged" by the time I saw it 18 minutes after it was submitted. I vouched for it.

But I wonder: Whose ruffles did you panty in order for your comments to land this way?)

Turn off your VPN?

No, the article does not make this conclusion at all! It was carefully written to highlight the nature of virtual locations of VPN exit nodes and does not make such conclusions.

The article is written by our founder, who is accessible to the VPN industry at large and is open to feedback and comments.

Ngl, I never knew that those IP location tools are actual companies with full time employees. I always assumed they were just made by some random guy in an afternoon by wrapping maxmind API. Interesting to hear that that's not the case (at least for ipinfo; maybe some of the consumer-oriented IP lookup websites are like that)

During our offsite, we had to rent out a small ship (ferry?) to host everyone: https://x.com/coderholic/status/1975333382604398702/photo/4

More than a decade ago, when IPinfo launched, a lot of community interaction was done by our founder. Now, you have me in a full-time role talking to people. My role is literally called Developer Relations.

We are not just a IP geolocation company; we are an internet data company. IP geolocation and VPN detection are only products to us; the team and goal are actually quite huge.

the only important bit is that it is made clear whenever a given country falls under some category that allows things such as traffic analysis and cataloging.

it's actually often times preferrable to lie about the server location for lower latency access geo-blocked content, particulary when accessing US geo-restricted content in europe.

if you want true privacy you have to use special tools that not only obfuscate the true origin, but also bounce your traffic around (which most of these vpns provide as an option)

Edit: Welp. How could this possibly be my most downvoted comment. Am I not entitled to an opinion? I ain't no AI.

We have not collaborated with any VPN companies for the report and have not even requested permission or pre-draft approvals. We had the data of what we were seeing and published a report based on that. We have published a ton of resources around the nature of VPN location in the past. Our focus is on data accuracy and transparency.

After the article was published, we received feedback from only a single VPN provider - Windscribe (https://x.com/ipinfo/status/1998440767170212025). I do not think anyone from Mullvad, iVPN, or any other VPN company has reached out to our team or our founder yet.

We are happy to take feedback and comments and are even open to a follow-up!

I mostly use it to avoid exposing my IP address too, but if I knew my VPN was comfortable with a little light fraud, I'd be concerned about what else they're comfortable with.

I'm not discounting you at ALL, I'm simply stating that the majority of traffic originate from these countries. Most of these folks just want to hide their IP address for various reasons. Privacy, Piracy, etc. Most don't care if it's in the next largest city, they just don't want it to appear to come from them.

Folks in countries like yours will likely pick endpoints to bypass the government. Folks up to nefarious stuff like cracking web sites, social media influencing, etc. will likely pick the target country more carefully. Anyone else? Whatever is the default.

I recognize this is a hard concept to understand for folks on this site, but the average joe signing up for a VPN doesn't even remotely understand what they are doing and why. They were pitched an idea as a way to solve privacy issues, block ads, etc. and they signed up for it. The software suggested a low latency link, and they went with the default.

The ads for a lot of VPN providers literally use scare tactics to sell the masses on the idea.

Edit: I commented earlier that I never considered myself part of the market that VPN companies hawk their services to. I've been living in the UK for 5 years now and the number of sites that have become unavailable to me are material and concerning for what their abolishment means for free speech. I'm as square as they come, if I feel this strongly you bet others do too.

Really this is the answer to half of the comments on this thread.