
Lies vs. Statistics: VPN Virtual Server Locations - mirimir
https://restoreprivacy.com/virtual-server-locations/
======
mirimir
This is an article that I wrote recently for Restore Privacy.

The focus is identifying the undisclosed use of virtual locations by some
popular VPN services. But that's not why I've submitted it to HN.

I'd appreciate comment and criticism about the criterion that I've used for
virtual locations. That is, where apparent signal velocity is greater than the
speed of light, I conclude that the disclosed server location is implausible.
And so it must be a virtual location.

I calculate apparent signal velocity by dividing twice the calculated great
circle distance between server and ping probe, by the minimum round-trip time
(minrtt). For server locations, I rely primarily on whatever the VPN service
has disclosed.

I'd also appreciate comment and criticism about my explanation of how VPN
services achieve virtual locations ("How Virtual Server Locations Are
Possible"). Basically that they exploit discrepancies between location
information that's associated with IP addresses, and BGP advertisements based
on address announcements.

Finally, for 195 servers that are apparently located near Nuland, I found an
interesting pattern in the ping data.[0]

For ping probes in Europe, minrtt is 1-30 msec. Then there’s a gap in observed
minrtt across the Atlantic, with apparently much faster transmission. I’m
guessing that's because trans-Atlantic cables don’t have many routers. Next
there are groups for eastern and western North America, with faster
transmission than within Europe, but slower than across the Atlantic. That
probably also reflects router density. Last, there's a jump to Asia and
Australia.

Does that make sense?

0) [https://cdn-resprivacy.pressidium.com/wp-
content/uploads/201...](https://cdn-resprivacy.pressidium.com/wp-
content/uploads/2019/12/IPv4-Clusters-Colocation-Near-Nuland-by-City-and-
Region.png)

~~~
donavanm
I spent quite a few years working in the isp/cdn/dns space. Is “virtual
location” an idiomatic term for VPN users? The more general industry would
probably say youre looking at Points of Presence (“PoPs”).

The core of the article is one of (mis)representation. The VPN providers are
trying to present broad network coverage with a minimum of expenditure, and
the clients are concerned with actual geophysical location. Virtual Locations
seems to be a term designed to comingle the concepts, and obfuscate actual
location and connectivity.

The clustering is because there simply arent that many physical locations with
connectivity to various networks (Internet Exchange Points “IXPs”). Those IXPs
are themselves often clustered and associated with a few nearby physical
facilities (DCs or Colo(cation) for hosting general compute servers.

You mention companies “leasing” address blocks. Thats probably more correct to
say theyre “delegated” from NSPs to clients like the vpn companies.

In general Id find whois/rir data to be of very little use. Theres little to
no association or restriction for either of those and where the IP addresses
are actually announced or used.

It may not matter for your use/methodology but latency for ICMP is unreliable.
Many networks will use a lower traffic priority for it, introducing variable
loss/jitter/delay. If at all possible actual TCP or UDP is better for
evaluating RTT.

One thing you might look at is the vpn provider network adjacencies in
different locations. Many/most NSPs handily include some sort of location
identifier (like iata code) in their device names. From those adjacent devices
you can probably infer city at least. PeeringDB and/or looking glass portals
are another way to deduce network topology and connectivity, possibly
narrowing it down to specific facilities.

Lastly your ICMP replies are inherently limited in what you see. Its very
likely that there are underlying networks (ie MPLS, or GRE tunnels) that you
cant see. Itd be very easy to have an interconnect in AMSIX and tunnel it over
to belgium or germany. You wouldnt see that in DNS or ICMP replies, but could
infer it through latency.

~~~
hug
> the clients are concerned with actual geophysical location.

Are they, though? This is, of course, completely anecdotal, but the only real
reason I will change the 'location' of my VPN endpoint is exactly that. My
suspicion is that most of the VPN users concerns about geography match mine
and _actually_ boil down to whether or not it will trick a geofence.

There's going to be some ways in which you can conflate those concepts, since
obviously 'virtual locations' will be detectable by some means, as evidenced
by the fact that mirmir managed it, but I suspect for a lot of consumers good
enough is good enough.

~~~
donavanm
I probably should have said “geo-political.” Youve noted the contractual
aspect, which bubbles up in regional content restrictions.

I was thinking more along the lines of law enforcement as well. Where civil &
criminal law, data retention, LEO access, and due process may vary
significantly in different countries.

~~~
mirimir
Huh. I wonder how law enforcement deals with this.

Naively, I'd expect that it's where the VPN service is incorporated that
determines that stuff. But on the other hand, they would need to find a server
to impound it. So I suppose that PoPs could be used strategically to impede
investigations.

~~~
donavanm
I'll prefix this by saying its probably pretty far out on the spectrum of
practicality. More paranoia or legal problems than wanting access to region
restricted entertainment content.

I dont have adversarial experience with law enforcement, but from what Ive
seen it's normally around incorporation, assets, and where the principals are.
The government gets access by serving you papers, restricting your assets, or
restricting your freedoms.

That side the physical location of the servers will matter for teh same
reasons. Two adjacent countries may have different standards of evidence, due
process, compelled information, data retention, 'know your customer', etc.
Both the country of physical location and the country of incorporation will
effectively have access; one directly and one via compulsion.

------
hnews_account_1
Tangential to this article, can someone clarify on what's good / bad about
NordVPN? I've been trusting their services for 2 years now, and I signed up on
some ridiculously good offer of 3 years for <$100 a year ago, so I'm locked in
for 4 full years. I did this because I trusted the service from reading
reviews, but places like reddit are always shitting on NordVPN, both due to
their ads (obv not the issue for me) and because of some nebulous "concerns"
that no one has been able to articulate properly for me.

I know about the recent hack, but it seems like all of their precautions
actually worked in protecting the consumers, and no logs were ever shown to
have existed or been stolen.

~~~
the_pwner224
They showed with the recent hack that, to them, maintaining their marketing &
reputation is a higher priority than informing their users of possible
security incidents, and that they would rather try to cover stuff up than be
upfront about matters.

Or at least that's what I gathered reading the recent HN threads.

~~~
hellcow
They knew about a vulnerability for MONTHS. They did not fix it and kept it
secret. It only came out because of a whistleblower.

This is not the behavior of an organization deserving ANY level of trust.

------
dannyw
What's the best VPN provider now that PIA got acquired by an Israeli spyware
company?

~~~
xvector
Source [1]. Truly insane. I'd never have expected this from a company that
cares so much about privacy. Just cancelled my ProtonVPN subscription.

I was going to recommend ProtonVPN but they have a pretty sketch
background/history too. [2]

Cloudflare's WireGuard-based Warp VPN [3] might be worth keeping an eye on,
but Cloudflare makes it clear that users should not be expecting the privacy
guarantees of a "traditional VPN" [4]:

> WARP is not designed to allow you to access geo-restricted content when
> you’re traveling. It will not hide your IP address from the websites you
> visit. If you’re looking for that kind of high-security protection then a
> traditional VPN or a service like Tor are likely better choices for you.

Perhaps we simply shouldn't use VPN services. [5]

[1]:
[https://news.ycombinator.com/item?id=21679682](https://news.ycombinator.com/item?id=21679682)

[2]:
[https://news.ycombinator.com/item?id=19266078](https://news.ycombinator.com/item?id=19266078)

[3]:
[https://news.ycombinator.com/item?id=19542835](https://news.ycombinator.com/item?id=19542835)

[4]: [https://blog.cloudflare.com/announcing-warp-
plus/](https://blog.cloudflare.com/announcing-warp-plus/)

[5]:
[https://news.ycombinator.com/item?id=16371030](https://news.ycombinator.com/item?id=16371030)

~~~
mirimir
Not to put too fine a point on it, they lost money for too long, and ended up
needing a buyer.

I always did wonder how they could offer so much for so little money.

~~~
dannyw
How can VPN providers lose money, when a DO Droplet for $5 a month can
probably host 5 casual subscribers using things on and off?

------
xt00
It would seem that ultimately the only real way to get privacy is to either
create a verifiable end to end encryption including the content server not
having logs and not compromised and the other way would be pooling of user
data in a way that spreads the blame across many people. Otherwise basically
everything you do is trackable even if you use a vpn. Is there any other way?

~~~
dannyw
If you want real privacy at the consequence of slow speeds and unfortunately a
worse browsing UX, you should use Tor.

Every service that is widely available / permissionless AND offers real
privacy, will end up getting degraded, CAPTCHA'd or blocked. That shows it
works1

~~~
mirimir
Yes, agreed.

But I don't trust Tor either, so I'd first use a nested VPN chain. Just in
case the entry guard is malicious. And to complicate the traffic analysis a
little.

I could go on about this. But I'll be writing more about all this.

------
sdan
This is why I just use AlgoVPN. I know where my traffic is going and can
install it on any cloud instance I want. At the moment I'm running it on my
laptop, phone, and my RPI cluster.

~~~
pheug
But then you get no privacy benefits of VPNs: pretty much all cloud providers
will be to tell to law enforcement, given an IP address, who and when rented
it from them.

And since you're not, I suppose, reselling your traffic to other users, the
liability for problematic traffic will land on you.

~~~
Youden
You have no way of verifying that a VPN lacks that capability. If you want
anonymity, use Tor.

~~~
pheug
Correct. It's even more complicated than just trusting a "no logs" policy. You
have to also trust that noone with hardware access (rogue VPN company
employees, datacenter people, law enforcement and intelligence services)
intercepts your traffic or messes with the servers, and that the servers
themselves don't get hacked due to some vulnerabilities. Recall how NordVPN
recently got hacked because datacenter operator left vulnerable remote
management software exposed.

Tor might have its vulnerabilities as well, like all software. Not to forget
that pretty much anyone can run an entry guard today and at least associate
your IP with usage of Tor..

