VPN location claims don't match real traffic exits

Original Article ↗ Hacker News Discussion ↗

GeoIP, CGNAT, and IPv6

  • Some see the GeoIP industry itself as harmful: “good service” shouldn’t require revealing fine-grained location. Others argue it’s now essential infrastructure for compliance and fraud.
  • There’s speculation CGNATs might map different ports on a shared IP to different cities, but multiple commenters doubt this is common or useful.
  • Several blame CGNAT’s existence on failure to force IPv6 deployment; others note ISPs were already doing CGNAT before it was standardized.
  • Question raised whether IPv6, by enabling stable device-level identifiers, might actually make location/anonymity problems worse.

Regulation, Sanctions, and Geo‑Blocking

  • Businesses dealing with sanctions (e.g. OFAC) say GeoIP is one of the few practical tools to avoid ruinous fines or prison, even if imperfect.
  • Others argue these laws are performative and easily bypassed (residential proxies, botnets), leading to overblocking, “security theater,” and collateral damage.
  • Using ASNs or allowlists instead of GeoIP is discussed; participants say ASNs span countries and don’t solve the problem.

VPN “Virtual Locations” and Honesty

  • Core finding discussed: many VPNs advertise exits in country X while traffic actually exits from data centers elsewhere; some locations are off by thousands of kilometers.
  • Some see this as outright fraud; others note many providers do label such endpoints as “virtual” or “smart routing.” Proton, Nord, PIA are cited as at least partly transparent, though UIs aren’t always clear.
  • A competing geolocation service says customers often want the “claimed” VPN country, not the physical server location, and so they report the virtual location by design.

Trust and Use Cases for VPNs

  • Mullvad, IVPN, and Windscribe get repeated praise for honest locations and privacy posture; Mullvad especially for anonymous payment (cash, Monero, scratch cards) and minimal accounts.
  • Several note that consumer VPNs are increasingly blocked (Reddit, Google CAPTCHAs, banks, some CDNs). Some say the “VPN heyday” is over; others argue mass adoption would eventually force sites to accept VPN/Tor.
  • Residential IP VPN/proxy services are desired for “looking normal” but are expensive, often shady, and sometimes built on unaware users’ devices.

IPinfo’s Methods and Technical Debate

  • IPinfo staff describe using a large “ProbeNet” (≈1,200 servers in 530 cities) for multilateration, traceroutes, ASN analysis, and many other hints; latency is only one signal.
  • Commenters note speed-of-light bounds: sub‑millisecond RTT from London can’t be Mauritius or Somalia. Some ask whether jitter or artificial delay could fool this; IPinfo claims added latency mostly appears as noise when aggregating many paths and signals.
  • Others point out anycast, Cloudflare‑style floating egress IPs, and odd routing (e.g. African traffic via Europe, Middle East via Germany) complicate location, but generally don’t explain the extreme mismatches seen.

When Mismatches Matter (and When They Don’t)

  • Some argue mismatched exits rarely matter: if both site and VPN believe an IP is “Country X,” you still bypass geo‑locks and legal risk is tied to user jurisdiction, not exit country.
  • Others strongly disagree, citing:
    • Censorship and surveillance: thinking you exit in a safer jurisdiction when you’re actually inside an authoritarian one.
    • Compliance and data‑domicile promises (e.g. traffic expected to stay in a specific country/region).
  • There’s disagreement on how often such high‑stakes cases occur, but consensus that at minimum, VPN marketing and geolocation data should be accurate and clearly labeled.