The Good Tech Companies - Should You Trust Your VPN Location?
Episode Date: December 20, 2025This story was originally published on HackerNoon at: https://hackernoon.com/should-you-trust-your-vpn-location. IPinfo reveals how most VPNs misrepresent locations and ...why real IP geolocation requires active measurement, not claims. Check more stories related to cybersecurity at: https://hackernoon.com/c/cybersecurity. You can also check exclusive content about #virtual-vpn-locations, #vpn-location-accuracy, #ip-geolocation-data, #probenet-measurement, #ip-data-accuracy, #vpn-country-mismatch, #ipinfo-geolocation-api, #good-company, and more. This story was written by: @ipinfo. Learn more about this writer by checking @ipinfo's about page, and for more stories, please visit hackernoon.com. IPinfo analyzed 20 major VPN providers and found most don’t route traffic through the countries they claim. Using ProbeNet’s real-time internet measurements, IPinfo uncovered widespread use of virtual locations, country mismatches spanning thousands of kilometers, and major inaccuracies in legacy IP datasets—showing why evidence-based IP geolocation matters for trust, security, and compliance.
Transcript
Discussion (0)
This audio is presented by Hacker Noon, where anyone can learn anything about any technology.
Should you trust your VPN location, by IPInfo, IP data provider?
In a large-scale analysis of 20 popular VPNs, IPInfo found that 17 of those VPN's exit traffic
from different countries than they claim.
Some claim 100 plus countries, but many of them point to the same handful of physical data
centers in the U.S. or Europe.
That means the majority of VPN providers we analyzed don't route.
your traffic via the countries they claim to, and they claim many more countries than they actually
support. Analyzing over 150,000 exit IPs across 137 possible exit countries, and comparing
what providers claim to what IP info measures, shows that 17 and 20 providers had traffic exiting
in a different country. 38 countries were, virtual only, in our dataset, claimed by at least one
provider, but never observed as the actual traffic exit country for any provider we tested. We
were only able to verify all provider announce locations for three providers out of the 20. Across
approximately 150,000 VPN exit IPs tested, ProBNet, our internet measurement platform, detected
roughly 8,000 cases where widely used IP datasets placed the server in the wrong country,
sometimes thousands of kilometers off. This report walks through what we saw across VPN and
IP data providers, Providesa closer look at two particularly interesting countries, explores why
measurement-based IP data matters if you care where your traffic really goes, and shares how
we ran the investigation. Which VPNs matched reality, and which didn't? Here is the overlap between
the number of listed countries each VPN provider claims to offer versus the countries with real
VPN traffic that we measured. Lower percentages indicate providers whose claimed lists best match our
data. It's important to note that we use the most commonly and widely supported technologies in
this research, to make comparison between providers as fair as possible while
while giving us significant data to analyze, so this will not be the full coverage for each provider.
These are some of the most visible names in the market. They also tend to have every long country
lists on their websites, notably three well-known provider shot zero mismatches across all the
countries we tested, Mulvod, IVPN, and Winscribe. Country mismatches doesn't automatically mean
some providers offer bad VPNs, but it does mean that if you're choosing a VPN because it claims
100 plus countries, you should know that a significant share of those flags may be labels
are virtual locations. What virtual locations really mean when a VPN lets you connect to,
for example, Bahamas or Somalia, that doesn't always mean traffic routes through there.
In many cases, it's somewhere entirely different, like Miami or London, but presented as if
traffic is in the country you picked. This setup is known as a virtual location. The VPN app shows
country X, E, G, Bahamas. The IP registry data also says, country X, because the provider self-declared
it that way. But the network measurements, latency and routing show the traffic actually exits in,
country Y, often thousands of kilometers away. The problem, without active network measurement,
most IP datasets will rely on with the IP's owner told the internet registry are published in
WHOIS, geo feeds, a self-reported country tag. If that record is a record is
wrong or outdated, the mistake spreads everywhere. That's where IPinfos probe net comes in. By running
live RTT tests from 1,200 plus points of presence worldwide, we anchor each IP to its real
world location, not just its declared one. Across the dataset, we found 97 countries where at least
one VPN brand only ever appeared as virtual or unmeasurable in our data. In other words,
for a noticeable slice of the world map, some locations, in VPN's never show up a true exit
in our measurements. We also found 38 countries where every mention behaved this way. At least
one VPN claimed them, but none ever produced a stable, measurable exit in that country in our
sample. You can think of these 38 as the unmeasurable countries in this study, places that
exist in server lists, config files, and IPGO feeds, but never once appeared as the actual exit
country in our measurements. They're not randomly scattered, they cluster in specific parts of the map.
By region, that includes, this doesn't prove there is zero VPN infrastructure in those countries
globally. It does show that, across the providers and locations we measured, the dominant
pattern is to serve those locations from elsewhere. Here are three of the most interesting
examples of how this looks at the IP level. Case studies. Two countries that only exist on the
map. To make this concrete, let's look at three countries where every provider in our data set
turned out to be virtual, Bahamas and Somalia. Bahamas, all-inclusive, hosted in the
Usen-R measurements, five providers offered locations labeled as Bahamas, NordVPN, ExpressVPN,
private internet access, fast VPN, and IP vanish. For all of them, measured traffic was in the
United States, usually with sub-millimeter RTT to U.S. probes. Somalia.
Mogadishu, via France and the UK Somalia appears in our sample for only.
only two providers, NordVPN and ProtonVPN. Both label Mogadishu explicitly in their naming,
but these RTTs are exactly what you'd expect for traffic in Western Europe, and completely
inconsistent with traffic in East Africa. Both providers go out of their way in the labels,
eG. So, Mogadishu, but the actual traffic is in Nice and London, not Somalia. When legacy IP
providers agree with the wrong VPN locations. So far, we've talked about VPN claims.
versus our measurements. But other IP data providers don't run active RTT tests. They rely on
self-declared IP data sources, and often assume that if an IP is tagged as country X,
it must actually be there. In these cases, the IP legacy data sets typically follow the VPN
provider story. If the VPN markets the endpoint as country X, the legacy IP dataset
Alsoplaces it in country X. To quantify that, we looked at 736 VPN exits where probinase
measured country disagreed with one or more widely used legacy IP datasets. We then compared the
country ipinfos probe net measured, backed by RTT and routing, with the country reported by
these other IP datasets and computed the distance between them. The gaps are large. How far off
were the other IP datasets? The median error between ProbeNet and the legacy datasets was roughly
3,100 kilometers. On the probe net side, we have strong latency evidence that our measured country is the
right one. The median minimum RTT to a probe in the measured country was zero. 27 Ms. About 90% of these
locations had a sub- millisecond RTT from at least one probe. That's what you expect when
traffic is genuinely in that country, not thousands of kilometers away. Anip example you can
test yourself this behavior is much more tangible if you can see it on a single IP.
Here's one VPN exit IP where ProbeNet places the server in the United Kingdom, backed by sub- millisecond RTT from local probes, while other widely used legacy IP datasets place the same IP in Mauritius, 9,691 kilometers away.
United Kingdom United Kingdom v.S. Mauritius Moritious, ProtonVPN, if you want to check this yourself, you can plug it into a public measurement tool like htttps colon slash-ping SX and run ping.
or trace routes from different regions. Tools like this one provide a clear visual for where
latency is lowest. ProbeNet uses the same basic idea, but at a different scale, we maintain a
network of 1,200 plus points of presence, pops, around the world, so we can usually get even
closer to the real physical location than public tools with smaller networks. If you'd like to
play with more real IPs, not necessarily VPNs, where ProbeNet and IP info get the country right and other
datasets don't, you can find a fuller set of examples on our IP Geolocation accuracy page.
Why this happens and how it impacts trust. It's worth separating technical reasons from
trust issues. There are technical reasons to use virtual or hubbed infrastructure, risk and regulation.
Hosting in certain countries can expose both the provider and users to local surveillance or
seizure. Infrastructure quality. Some regions simply don't have the same density of reliable
data centers or high-capacity internet links, so running
servers there is harder and riskier. Performance and cost, serving Bahamas from Miami or Cambodia,
from Singapore can be cheaper, faster, and easier to maintain. From this perspective, a virtual
location can be a reasonable compromise. You get a regional IP and content unblocking without the
downsides of hosting in a fragile environment. Where it becomes a trust problem three things
change the picture, lack of disclosure. Marking something clearly as virtual Bahamas, U.S.-based,
is transparent. Listing, Bahamas, alongside, Germany, without any hint that one is virtual
and the other as physical blurs the line between marketing and reality. Scale of the mismatch,
it's one thing to have a few virtual locations in hard-to-host places. It's another when
dozens of countries exist only as labels across your entire footprint, or when more than half
of your tested locations are actually somewhere else. Downstream reliance, journalists,
activists, activists, and NGOs may pick locations based on safety assumptions. Fraud systems,
compliance workflows, and geo-restricted services may treat Somalia, VS, France, as a meaningful
difference. If both the VPN Nui and the IP data say, Somalia, while the traffic is physically
in France, everyone is making decisions on a false premise. That last point leads directly
into the IP data problem that we are focused on solving. So how much should you trust your VPN?
If you're a VPN user, here are some practical takeaways from this work. Treat 100 plus countries
as a marketing number, not a guarantee. In our sample, 97 countries existed only as claims,
not reality, across 17 providers. Check how your provider talks about locations. Do they clearly
label virtual servers, document where they're actually hosted, or do they quietly mix virtual
and physical locations in one long list? If you rely on IP data professionally,
Ask where it comes from. A static, 99, x% accurate worldwide claim doesn't tell you how an IP
data provider handles fast-moving, high-stakes environments like VPN infrastructure. Ultimately, this isn't an
argument against VPNs or even against virtual locations. It's an argument for honesty and
evidence. If a VPN provider wants you to trust that map of flags, they should be willing and able,
to show that it matches the real network underneath. How IP Info approaches IP data differently.
Most legacy IP data providers rely on regional internet registry, RIR, allocation data,
and heuristics around routing and address blocks. The SEP providers will often accept
self-declared data like customer feedback, corrections, and geofeeds, without a clear way to verify
them. IP Info takes a measurement first approach. One, proprietary probe net with 1,200 plus points of
presence. 2. We maintain an internet measurement platform of POPs in locations around the world.
3. Active measurements. 4. For each visible IP on the internet, including both IPV4 and IPV6 addresses,
we measure RTT from multiple probes. 5. Evidence-based geolocation. 6. We combine these
measurements with IPInfo's other signals to assign a country and more granular location that's
grounded in how the internet actually behaves. This measurement.
Measurement first approach is unique in the IP data space.
Once we realized how much inaccuracy came from self-declared data, we started investing heavily
in research and building probe net to use active measurements at scale.
Our goal is to make IP data as evidence-based as possible, verifying with observation on how
the Internet actually behaves.
Our methodology for this report, we approached this VPN investigation the way a skeptical
but well-equipped user would.
from the VPN's own claims, then test them. Step 1. Collecting what providers say for each of
the 20 VPN providers, we pulled together three kinds of data. Marketing promises. The
servers in X countries, claims in country lists from their websites. When a country was clearly listed
there, we treated it as the locations they actively promote. Configurations and locations lists.
Configurations from different protocols like OpenVPN or WireGuard were collected along with
location information available on provider command line tools, mobile applications, or APIs.
Unique provider location entries. We ended up with over 6 million data points and a list of
provider plus location combinations we could actually try to connect to with multiple IPs each.
Step 2. Observing where the traffic really goes next, we used IP info infrastructure and
Prognet to dial into those locations and watch what actually happens. We connected to each VPN,
location, and captured the exit IP addresses. For each exit IP address, we used IP info plus
probinase active measurements to determine a measured country, plus the nearest probe net vantage
point, E, G, US, Brazil, France. The round trip time, RTT, from that probe, often under one
millisecond, which is a strong hint about physical proximity. Now we had two views for each location,
Expected, claimed country.
What the VPN claims in its UI, configs, website.
Measured Country.
Where IP Info Plus ProbeNet actually see the exit IP.
Step 3.
Comparing claims VS reality for each location where a country was clearly specified,
we asked a very simple question.
Does the expected country match the measured country?
If yes, we counted it as a match.
If not, it became a mismatch.
A location where the app says one country, but the traffic.
exit somewhere else.
Acknowledgements, limitations, and constraints we deliberately used a very narrow definition
of mismatch.
For a location Toby counted, two things had to be true.
The provider had to clearly claim a specific country, on their website, in their app,
or in configs, and we HAD direct active measurements from ProbeNet for the exit IPs behind
that location.
We ignored any locations where the marketing was ambiguous, where we hadn't measured the exit
directly, or where we only had weaker hints like host name strings, registry data, or third-party
IP databases. Those signals can be used full and true, but we wanted our numbers to be as hard
to argue with as possible. The result is that the mismatch rates we show here are conservative.
With a looser methodology that also leaned on those additional hints, the numbers would
almost certainly be higher, not lower. Thank you for listening to this Hackernoon story,
read by artificial intelligence. Visit Hackernoon.com to
read, write, learn and publish.