VPN Location Claims Don't Match Real Traffic Exits
Source: ipinfo.io (Hacker News story ID 46257339)
Posted: Dec 13, 2025 at 2:46 PM EST. First comment: Dec 13, 2025 at 3:13 PM EST. Latest activity: Dec 20, 2025 at 10:11 AM EST.
Topics: Online Safety, Networking, Data-Privacy
If an ISP wants to help their users avoid geoblocking via https://www.rfc-editor.org/rfc/rfc8805.html more power to them.
If that had happened, IPv4 could likely already be regarded as a relic of the past.
It has been a non-existent problem for roughly 20 years now. Why do people still keep pulling out "uniquely identified down to the device" as an argument?
Windows, macOS and most Linux distros by default rotate SLAAC addresses every 24 hours.
We are trying to work with ISPs everywhere, so if port level geolocation of the IP address is common, we surely need to account for that. I will flag this to the data team. To get the ball rolling, I would love to talk to an ISP operator who operates like this. If you know someone please kindly introduce me to them.
Geographic IP information is one of our best tools to defend against those outcomes, and if anything it should be better.
Is there some specific way we can get the laws like this to be gone? They're obviously useless (witness this very thread of people describing ways for anyone to get around them) and threatening people with destruction for not doing something asinine isn't the sort of thing any decent government should be doing.
Intentionally ambiguous regulations (in terms of how companies and individuals are expected to comply) backed by the existential threat of huge fines often lead to a race to the bottom in terms of false positives and collateral damage to non-sanctioned users.
It was a great session and we received a lot of questions. We attend different NOG conferences regularly. ISPs are incentivized to help us by providing good data. Although we are agnostic about adversarial geofeeds, ISPs themselves need to work with us to ensure good quality of service to their users.
We already do quite a lot of outreach, in fact, most network engineers in the ISP industry across the world are familiar with us. But if any ISP operator has any feedback for us, we are only an email (or even a social media comment) away.
That's the entire problem in a nutshell. Good quality of service should not depend on every site I visit knowing my geographic location at the ZIP code or even street level (I've actually seen the latter occasionally).
I can somewhat understand the need for country-wide geoip blocking due to per-country distribution rights for media and whatnot, but when my bank does it, it just screams security theater to me.
That is why we have the IP to country level data available for free. As you have recognized the fact that country level data is good for security, we are willing to take a massive hit on potential revenue to allow everyone to use our country level data for free, even for commercial purposes. We literally built separate dedicated infrastructure that provides unlimited queries for our IP to Country data. We want to ensure that everyone has access to reliable data.
For us, based on active measurements, what we do is distribute IP addresses to more densely populated areas. The issue is that we are good at zip code level accuracy, but it is impossible for us to get street addresses correct for residential internet connections. Even if we get geographic coordinates fairly close to you, it is largely coincidental. Our accuracy radius goes as low as 5 KM.
However, consider hotels, conference centers, airports, train stations, etc., where large numbers of people gather and where there are a few public WiFi hotspots that usually remain in the same location. We can identify the exact building from those WiFi hotspot IP addresses.
We have approximately 1,200 servers in operation. Simply by knowing which data centers house our servers, we can reliably identify neighboring hosting IP addresses to the exact data center.
That's the opposite of what I said. I think blocking entire countries is largely security theater. Bad actors will just use botnets or other residential proxies wherever needed, while legitimate users traveling abroad get locked out.
I can see it make sense for login-free distribution of media with limited regional rights (e.g., some public broadcasters offer their streams for free but are only allowed to do so domestically), or to provide a best guess for region-specific services (weather forecasts, shipping rate estimates etc.), although I'd also love to see that handled via the user agent instead, e.g. via granting coarse location access, to prevent false positives.
I also wouldn't mind it as much as one of many input signals into some risk calculation, e.g. for throttling password (but not passkey) attempts, to be overridden by login status, but outright bans are incredibly annoying, and unfortunately that's what I see many companies doing with GeoIP data.
Almost as annoying: Companies insisting on serving me a different language just because I traveled abroad, even though my "Accept-Language" header is right there.
No, the article does not make this conclusion at all! It was carefully written to highlight the nature of virtual locations of VPN exit nodes and does not make such conclusions.
The article is written by our founder, who is accessible to the VPN industry at large and is open to feedback and comments.
Ngl, I never knew that those IP location tools are actual companies with full time employees. I always assumed they were just made by some random guy in an afternoon by wrapping maxmind API. Interesting to hear that that's not the case (at least for ipinfo; maybe some of the consumer-oriented IP lookup websites are like that)
During our offsite, we had to rent out a small ship (ferry?) to host everyone: https://x.com/coderholic/status/1975333382604398702/photo/4
More than a decade ago, when IPinfo launched, a lot of community interaction was done by our founder. Now, you have me in a full-time role talking to people. My role is literally called Developer Relations.
We are not just an IP geolocation company; we are an internet data company. IP geolocation and VPN detection are only products to us; the team and goal are actually quite huge.
the only important bit is that it is made clear whenever a given country falls under some category that allows things such as traffic analysis and cataloging.
it's actually oftentimes preferable to lie about the server location for lower latency access to geo-blocked content, particularly when accessing US geo-restricted content in Europe.
if you want true privacy you have to use special tools that not only obfuscate the true origin, but also bounce your traffic around (which most of these vpns provide as an option)
Why do you want to use a VPN?
- Privacy
- Anonymity (hint: don't!)
- unblock geolocation
- torrents
- GFC
The last point is the hardest.
https://expatcircle.com/cms/privacy/vpn-services/
They checked where the VPN exit nodes are physically located. A lot of them are only setting a country in the whois data for the IP, but do not actually put the exit node in that country.
Most of the "problem" countries are tiny places. Monaco, Andorra etc. It might be tough to rent a server there. And your list of clients should be minimal.
It would (unless the blockers use this company's database I guess):
> The IP registry data also says “Country X” — because the provider self-declared it that way.
That could be good or bad depending on what you're using the VPN for. E.g. if you only care about evading stupid local laws like the UK's recent Think of the Children Act, then it's actually great because you can convince websites you're in Mauritius while actually getting London data centre speeds.
But if you want to legally be sending your traffic from another country then it's less great because you actually aren't. To be honest I can't really think of many situations where this would really make a difference since the exit point of your network traffic doesn't really matter legally. E.g. if a Chinese person insults their dear leader from a VPN exit node in the UK, the Chinese authorities are going to sentence them to just as much slavery as if they did it from a local exit point.
It's not only small countries either, it affects much of Latin America, including Brazil (PIA's servers were in Miami for BR as well last time I checked). I've occasionally seen it also affect US states where e.g. Massachusetts would be served from Trenton, NJ.
But again, it depends on your use case. Very few can drill through the GFW.
I’ve been paying for Mullvad with Monero for years. Love it
I think you can still mail them cash?
Maybe Amazon are x-raying the card numbers before shipping them out to customers, but that would require Mullvad giving up the card number -> account number -> account number traffic logs. Not much of a threat there.
Maybe all amazon orders are funnelled somewhere and they correlate the fact I bought a VPN card with my home address, and then correlate my bandwidth into Mullvad IPs (gained from my ISP logs) with data leaving Mullvad but that's all very unlikely and very circumstantial.
I'm also not doing anything illegal so perhaps my threat model/level is lower than the 'average' VPN user.
Anyway, not to be a shill but honestly I am just completely won over with how Mullvad do business. I know that a VPN does not make you automatically 'private'/'anonymous' but just the way they do business makes me happy.
The simple fact they go out of their way to buy their services in this way makes me believe them even more when they say they don't log user traffic, unlike other VPNs.
IMO the coolest privacy option they have is to literally mail them an envelope full of cash with just your account's cash payment ID.
Wow, you must be using the VPN for some seriously shady stuff.
I'd gather a small amount of that up (however I did that), keep it in an offline wallet, and spend it on VPN service every now and then.
It just seemed like the right way to go about things.
(And then I lost that wallet, because of course I did, with about $14 worth of BTC in it. I didn't care enough at that time to see if I'd backed it up properly; I wasn't planning on using it for anything anymore anyway. That was in 2014 and those backups are waaaay gone now, but it'd be around $2k worth of BTC today -- plenty to buy some DDR5 RAM. Whoopsie-doodle!)
(I'm sure that browsers like lynx still work just like they did in 2001, and that pine can still read mail. Shouldn't be a problem, right?)
You may be denied entry to certain establishments, but some of the bouncers don't block all masks and if you're persistent with changing your mask (Tor or VPN exit node), there's a good chance you'll get in. CTRL+SHIFT+L works on Tor Browser to change your circuit. The linked article blocks Tor, but after pressing CTRL+SHIFT+L a few times, I was able to read it.
For the sites that don't let me view them via Tor, I can install FoxyProxy and try some IPs from the free public lists. Lots of sites that block Tor don't block these IPs, although it's a bit of a pain. Another option is to load an archived version of the site on archive.org or archive.md (or .is or the various different TLDs it uses).
As for HN - it sometimes gives a "Sorry." if you try to access a certain comment directly, but after a few tries it works. This account was created over Tor and I've only accessed it through Tor. I think my first comment was dead and someone vouched for it, but now my comments appear instantly.
I've heard that banking sites don't work over Tor, but I haven't had a need to use Tor for banking, as the bank already knows who I am pretty well.
Most of the big social media sites don't allow Tor, but if I wanted to create a fake account, I'd most likely buy a residential proxy.
So it's not that bad, considering what you get from Tor (and with some VPNs, depending on your threat model) - no tracking, anonymity and so on.
I cannot overstate how much of a pain it was to share 51Gbps of peering with 40M other homes and 60M mobile customers. Luckily they now have made generous upgrades, shoving an additional 15M to 20M customers through a whopping 371Gbps.
Unless of course the network your traffic is headed to has deep, widely open and sufficiently climatized pockets.
It accomplishes 2 things:
- I'm not tracked as much. Less data points for the companies to gobble up.
- More Tor users lead to better anonymity for everyone as it's easier to blend in - you won't be the only one wearing a mask at the club every weekend.
I got used to the latency. It's not that bad. Some sites load instantly, others take 1-2 seconds. A few take a while.
Sites from one regional hosting provider in my country just don't load at all. I get "Server not found". I'm not sure how that works - are they blackholing an ASN or using something else with BGP?
The main issue for me is not the latency, though, but the CAPTCHAs and 403's (HTTP Forbidden). If I were to search for a recipe, for example, I'd open 5-10 of the results in new tabs (with the middle mouse button; idk why people use CTRL+click), then close the ones with "Attention Required" or "Forbidden" so I'm left with 3-5 usable sites. That way I always have something to read. When I open a few sites one after the other, at least one will usually load instantly.
I haven't used Tor without Whonix on Qubes OS for a while, so I'm not sure if the latency is different on a standard OS with just Tor Browser installed. My workflow is that I use disposable VMs for different things I do. Right now I have a VM with HN and a few links I've opened from it and another VM with other research I started earlier today that I plan on finishing a bit later. When I'm done with my HN session, I'll close this VM, which will destroy it. For me this compartmentalization is good not only for security and privacy, but for productivity, as well.
If VPN usage becomes the norm, sites will have to give in eventually.
Socks5 proxy addresses can be found here: https://mullvad.net/en/servers
You need to prefix them with 'socks://'.
It’s a little weird because Apple has device attestation which is run via Cloudflare and Fastly. You’d think that would get you around the challenges, but that doesn’t seem to happen.
I also assume being a service that requires an expensive device and that the browsing happen through Safari limits the abuse somewhat.
I feel ya. Sad thing is, there really isn't anywhere else to go for niche interests, or really much any particular information. AI fallout has finally killed the struggling web and online community. I think, there isn't much left besides cutting losses, resetting your dopamine receptors and finding community in the real world and all...
Well, now that's gonna be a bit of a challenge living outside big cities, where you can't afford rent, of course. I guess, if meeting other people is out, you can still always watch brain rot TV, or strap in the amyl nitrite inhaler and goon away for the time between work shifts. Until things are worth remembering again. When those investment trillions finally paid off and humanity accelerates into the new age of blissful meaning.
it is funny i have been probing HN for years, and i've found a number of cases when everything is normal, but i check the account from another device and it isn't there, or is free of posts despite having made many. yet i would do the same if i was an admin trying to keep a walled-garden free of trolls.
The ideal world is one where everyone is using Tor. They can only discriminate against you if you're different from others. The idea behind Tor is to make everyone look like the same user. The anonymity set must be maximized for that to work.
It takes time for sites to realize the danger, especially with mobile users where fiddling with a VPN is often more hassle than it's worth and it's just left always on. It's often a good idea to impersonate a mobile user agent for this reason as some sites (or perhaps cloudflare?) started treating them differently. The impersonation needs to be done done however (SSL and HTTP fingerprints should also match).
Usually, the more expensive the VPN offering the better the reputation of their IPs. Avoid VPNs that have any kind of free tier like the plague.
> fiddling with a VPN is often more hassle than it's worth and it's just left always on.
Not to say this is wholly preferable, but I have often found this to be beneficial for me in that it tends to deter me from wasting disproportionate amounts of time on crap web content (either that, or HN wins over that remaining browsing time when it's not blocking me :)
Mullvad just worked everywhere. I'm going back when my year plan on Proton ends.
It's the only VPN I've tried thoroughly, so I don't know how they and Proton compare today (or, really, ever). The landscape has been degenerating across the board, I reckon.
> Mullvad ... security and privacy _very_ seriously. Not surprised to see them shine here.
? TFA reflects on dishonest marketing on part of public VPN providers more than privacy / security.
That said, VPNs don't add much security, though, they are useful for geo unblocking content and (at some level) anti-censorship. Though, in my experience, the mainstream public VPNs don't really match up to dedicated censorship-resistant networks run by Psiphon, Lantern (and possibly others).
Mullvad in their Terms of Service say they'll abide by Swedish and EU laws. This, among other things, means a VPN is in no way going to save your bacon from "authorities".
Seems like there are VPNs, and then there are VPNs.
Fwiw I'm not switching from mullvad
[0] https://news.ycombinator.com/item?id=46252366
I'd also like to ask people not to block this way. It creates LOTS of false positives. There's much better ways to handle bots and this tactic seems particularly dumb for Reddit given they want users from places like China or elsewhere where a VPN might be required. Not to mention people using public WiFi. It's not like VPNs are uncommon these days.
If you must ban IPs then do so with a timeout and easing function. So that each hit results in a longer ban time. Bots want to move fast so even a few seconds ban time will make them switch IPs while not impacting most users (who will refresh).
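An added example, not part of the thread: a minimal sketch of the escalating temporary ban the comment above describes, so that a shared VPN or public-WiFi address is only locked out briefly while a persistent client sees each ban grow. The class name, the doubling factor, the cap and the forget window are assumptions chosen for illustration; the IP addresses are documentation-range placeholders.

```python
class EscalatingBan:
    """Temporary per-IP bans whose duration grows with each abusive hit."""

    def __init__(self, base_s=2.0, factor=2.0, cap_s=3600.0, forget_after_s=86400.0):
        self.base_s = base_s                  # first ban: a few seconds
        self.factor = factor                  # growth per repeated hit (the "easing" curve)
        self.cap_s = cap_s                    # never ban longer than this
        self.forget_after_s = forget_after_s  # quiet period that resets the strike count
        self.state = {}                       # ip -> (strikes, banned_until, last_hit)

    def record_hit(self, ip, now):
        """Register one abusive request at time `now`; return the ban length in seconds."""
        strikes, _, last_hit = self.state.get(ip, (0, 0.0, now))
        if now - last_hit > self.forget_after_s:
            strikes = 0                       # address was quiet long enough: start over
        strikes += 1
        duration = min(self.base_s * self.factor ** (strikes - 1), self.cap_s)
        self.state[ip] = (strikes, now + duration, now)
        return duration

    def is_banned(self, ip, now):
        """True while the most recent ban for this address has not expired."""
        entry = self.state.get(ip)
        return entry is not None and now < entry[1]


def demo():
    """Constructed scenario: one client trips the limiter three times in a row."""
    bans = EscalatingBan()
    ip = "192.0.2.10"                         # documentation address, not a real client
    return [bans.record_hit(ip, now) for now in (0.0, 1.0, 2.0)]


if __name__ == "__main__":
    print(demo())
```

Time is passed in explicitly so the logic can be tested without sleeping; in a service the caller would pass `time.monotonic()`.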
I finally hit the point of searching for mirrors yesterday and turns out, they exist[0].
It’s really only suitable for lurking or being able to view search results, but it has eased the pain a bit.
0: reddit-viewer.com
If you're not just lurking, log in and reddit doesn't block you.
So, login without mullvad, turn it on after that and it should work.
The question is "if reddit can block mullvad why can't China".
Some of their own contractors may well depend on Mullvad. Perhaps as long as the overall "civilian" volume and user count remains acceptably low, the cost-benefit estimate may well be in favour of letting it slip by. (And for the civilians that do use a working variant, subject their connections to fine-grained traffic analysis.)
[1]: https://www.reddittorjg6rue252oqsxryoxengawnmo46qy4kyii5wtqn...
The Tor service does not work. It's been unmaintained for years.
Mullvad is pretty good overall though.
I love that I can pay directly with a crypto wallet and have true anonymity.
I am aware most crypto is not anon without extra effort.
In any case, it's certainly better than visa, but if you don't trust your vpn provider the real issue is they have your IP address and at best just a pinky-promise they don't log.
> We accept the following currencies: EUR, USD, GBP, SEK, NOK, CHF, CAD, AUD, NZD.
Not a bad way to get rid of some spare currency lying about that you’ll incur a fee to localize anyway.
With their reputation and track record they really can't do any shady tricks. Imagine if they weren't among the 3 honest providers? That would be HN frontpage news.
All the VPN providers I've used let you select the endpoint from a dropdown menu. I'm not using a VPN to make it appear I'm in Russia, I'm using it as one of many tools to help further my browsing privacy.
My endpoint is one of 2 major cities that are close to me. Could I pick some random 3rd world country? Sure! That isn't the goal. The goal is to prevent my mostly static IP address from being tied to sites I use every day.
I mostly use it to avoid exposing my IP address too, but if I knew my VPN was comfortable with a little light fraud, I'd be concerned about what else they're comfortable with.
I'm not discounting you at ALL, I'm simply stating that the majority of traffic originate from these countries. Most of these folks just want to hide their IP address for various reasons. Privacy, Piracy, etc. Most don't care if it's in the next largest city, they just don't want it to appear to come from them.
Folks in countries like yours will likely pick endpoints to bypass the government. Folks up to nefarious stuff like cracking web sites, social media influencing, etc. will likely pick the target country more carefully. Anyone else? Whatever is the default.
I recognize this is a hard concept to understand for folks on this site, but the average joe signing up for a VPN doesn't even remotely understand what they are doing and why. They were pitched an idea as a way to solve privacy issues, block ads, etc. and they signed up for it. The software suggested a low latency link, and they went with the default.
The ads for a lot of VPN providers literally use scare tactics to sell the masses on the idea.
So what? This article isn’t for them and this isn’t a major news site for the general public, it’s a site for people who want or need to know how things work.
Really this is the answer to half of the comments on this thread.
We have not collaborated with any VPN companies for the report and have not even requested permission or pre-draft approvals. We had the data of what we were seeing and published a report based on that. We have published a ton of resources around the nature of VPN location in the past. Our focus is on data accuracy and transparency.
After the article was published, we received feedback from only a single VPN provider - Windscribe (https://x.com/ipinfo/status/1998440767170212025). I do not think anyone from Mullvad, iVPN, or any other VPN company has reached out to our team or our founder yet.
We are happy to take feedback and comments and are even open to a follow-up!
Turn off your VPN?
Yeah like... physics. If you're getting sub-millisecond ping times from London you aren't talking to Mauritius.
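An added example, not part of the thread: the physics argument above as a check that compares a measured round-trip time from a probe at a known location against the fastest round trip light could make to the claimed exit location. The probe names, coordinates and RTT values are constructed for illustration; the bound uses the vacuum speed of light, so real paths (fibre, routing detours) are always slower and the check only flags claims that are physically impossible.

```python
import math

C_VACUUM_KM_PER_MS = 299.792458   # hard physical limit; fibre is roughly 2/3 of this
EARTH_RADIUS_KM = 6371.0


def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def min_rtt_ms(distance_km):
    """Fastest possible round trip over this distance, in milliseconds."""
    return 2 * distance_km / C_VACUUM_KM_PER_MS


def max_distance_km(rtt_ms):
    """Farthest the responding host can be from the probe for this RTT."""
    return rtt_ms / 2 * C_VACUUM_KM_PER_MS


def check_claim(claimed_loc, measurements):
    """Return the probes whose measured RTT is below the physical floor
    for the claimed location; an empty list means the claim is not refuted."""
    violations = []
    for m in measurements:
        distance = great_circle_km(m["probe_loc"], claimed_loc)
        floor = min_rtt_ms(distance)
        if m["min_rtt_ms"] < floor:
            violations.append({
                "probe": m["probe"],
                "measured_ms": m["min_rtt_ms"],
                "floor_ms": round(floor, 1),
                "max_radius_km": round(max_distance_km(m["min_rtt_ms"]), 1),
            })
    return violations


# Constructed sample data: use the minimum RTT of several pings per probe,
# because queueing only ever adds delay.
LONDON = (51.5074, -0.1278)
PORT_LOUIS = (-20.1609, 57.5012)      # claimed exit location (Mauritius)
MEASUREMENTS = [
    {"probe": "London", "probe_loc": LONDON, "min_rtt_ms": 0.8},
    {"probe": "Johannesburg", "probe_loc": (-26.2041, 28.0473), "min_rtt_ms": 170.0},
]

if __name__ == "__main__":
    for v in check_claim(PORT_LOUIS, MEASUREMENTS):
        print(v)
```

A single nearby probe is enough to refute a distant claim; distant probes with high RTTs neither confirm nor refute it, which is why the Johannesburg measurement is not flagged.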