Virtual Server Locations & Rented VPN Servers Explained

When you use a virtual private network (VPN) you’ll usually choose between a list of server locations in different countries.

At the most basic level, VPN servers are simply computers designed to host and deliver encrypted tunneling services.

Once you’ve connected to a server and requested a website in your browser, the VPN software on your device encrypts your connection and routes it via your chosen server on its way to the internet.

This process establishes a secure communication channel between your device and the VPN server, known as a VPN tunnel.

When you access a website, the VPN server decrypts your traffic and sends it onto its intended destination.

When these websites send information back to you, the data is again routed through the VPN server which encrypts and transmits it back to your device. The VPN software on your device then decrypts it so it can be loaded in your web browser.

If your VPN is working effectively, the websites and services you access will see the IP address of the VPN server you’re connected to, rather than your personal IP address.

VPN servers can be either physical or virtual, and VPN providers can either rent or own the servers they use.

In the next sections, we’ll discuss the issues of server ownership, virtual machines, and virtual server locations in more detail.

VPN services have the choice between renting or owning the servers in their network. This can have important consequences for privacy, security, and performance.

Unfortunately, server ownership can often be a closely-guarded secret. Many VPN services are reluctant to disclose when they are using rented servers.

In this section, we’ll explain the different ownership options available to VPN services, along with their advantages and disadvantages.

On-Site Ownership

From a privacy and security perspective, the ideal VPN service owns its entire server network and stores it on-site. This way, the VPN service knows everything about the hardware they use and also owns the surrounding network infrastructure.

It also means that no one could physically access the VPN servers other than the provider’s employees. There is no third party with physical access to the servers.

More importantly, it also prevents other third parties from logging server activity. VPN logging policies apply only to the VPN company, and not to any other parties they might work with.

A “zero-logs” policy means very little to users if there is a data center monitoring server activity and collecting logs.

For this reason, first-party on-site ownership is the gold standard for VPN server networks when it comes to privacy. It is the only way to ensure that there is absolutely no third-party involvement beyond the company that users have explicitly chosen to place their trust in.

Unfortunately, it is usually not practical for a commercial VPN service to run a server network that is entirely owned on-site.

If a VPN service wants the security benefit of owning its VPN servers without the practical drawbacks of actually storing them, its best option is a co-location agreement with a trustworthy data center.

Co-Location Agreements & Rented Servers

In practical terms, most VPN companies have to make the choice between owning their servers through co-location or renting them from a data center.

Co-located servers are purchased by the VPN company and hosted in a third-party data center. Usually, the server is locked in a cabinet where only members of the VPN provider’s staff are able to physically access it.

Rented servers are controlled remotely by the VPN company while the data center owns and manages the hardware.

In this section, we’ll compare co-locating with renting VPN servers, and assess whether you should avoid using VPN providers that rent their server network.

Privacy & Security

Co-location gives VPN providers the benefit of knowing exactly what has gone into their server’s hardware. The ability to physically inspect and audit this hardware is often not possible when servers are rented.

By contrast, rented VPN servers are usually installed, monitored, and maintained by data center employees. In theory, this carries the possibility that a third party — unknown to the VPN user — has the ability to tamper with the server’s hardware.

In practice, renting VPN servers is often not the privacy concern it is reported to be.

Most modern servers are equipped with a Remote System Management Card. Combined with real-time system logging, this means that VPN services are able to remotely monitor almost everything about a server’s operation, including any modifications made to its hardware.

This applies to both rented and co-located servers. If anything suspicious happens, the VPN company is able to investigate it and shut down operations accordingly.

This largely protects rented VPN servers from the dangers posed by physical tampering.

The extent to which these risks are mitigated, however, depends entirely on how diligent the provider is in its remote monitoring. For the most part, a rented VPN server is no more at risk from physical tampering than a co-located server.

A privacy issue that both co-located and rented VPN servers face is the status of the networking environment around them.

Any server in a data center — whether it is owned or rented — is connected to that data center’s network.

This means that VPN providers have very little knowledge of the network infrastructure that is upstream of their servers — and they certainly have no control over it.

This can pose a risk for VPN users because the service provider can never be completely sure that their server isn’t being monitored. Attackers and intelligence agencies are able to use the upstream network switch to record (and then mirror) all of the activity going in and out of a targeted server.

This is particularly relevant to data centers in countries with invasive data privacy laws. Local authorities could monitor upstream traffic or even compel the data center to store information locally and share it with them. This effectively amounts to logging on behalf of the data center without the VPN provider’s knowledge.

In the case of VPN traffic, the activity should be encrypted. However, traffic correlation attacks are still a possibility and attackers can still get access to certain metadata, like the user’s originating IP address.

Speed & Performance

In terms of connection speeds, both rented and co-located VPN servers share the benefits of being in a data center. This allows them to be close to (and sometimes even peer directly with) an internet exchange, which greatly improves performance.

VPN services who rent their server network are afforded a degree of flexibility that is harder to come by with co-location.

Rental agreements can be scaled up or scaled down to match user demand, whereas co-location agreements keep providers tied-down to the hardware they have purchased and installed.

Renting also makes it easier to offer a large number of servers in a wide range of locations. When providers don’t have to worry about maintaining their servers, they have greater freedom to expand their network globally.

A larger server network provide users with a more diverse array of IP addresses, which should also facilitate faster connection speeds

Which VPN Providers Rent Their Servers?

The majority of commercial VPN server networks combine both rented and co-located servers. While many refuse to openly disclose this information, here is a list of VPN services that are honest and transparent about renting at least some of their servers:

• CactusVPN
• F-Secure Freedome
• HideMyAss! (HMA)
• NordVPN
• Private Internet Access (PIA)
• PrivateVPN
• Proton VPN
• Windscribe
• X-VPN

A number of these providers go to great lengths to emphasize how careful they are when selecting a data center to rent from:

PIA, for example, told us they have a “stringent vetting process” when assessing potential third parties.

This highlights an important point: in general, rented VPN servers aren’t a danger to users as long as the data center is vetted and considered to be trustworthy.

It is impossible for the average user to know exactly which third parties are being entrusted with their data, so we have to trust our VPN service to choose its partners carefully.

A good VPN may rent its servers, but it will thoroughly vet the data center it is renting them from. This vetting process will include a full hardware audit and an inspection of the data center’s networking environment in order to understand any potential threats.

We urge any VPN service that uses rented servers to be more transparent about the specifics of their vetting process, so users can have full confidence that their servers are safe to use.

VPN servers can be either physical or virtual. So far, we’ve mostly focused on physical servers. These are the machines that are often seen on racks in data centers.

Virtual servers are virtualized environments run on physical servers. They can host VPN software and carry out tunneling services in just the same way as a bare-metal VPN server.

In short, a virtual machine behaves like a physical server in almost every aspect apart from the hardware.

Virtual VPN servers have all the same benefits as a bare-metal server, without the physical component.

Importantly, however, an individual physical server can run multiple virtual servers at once. This means you can host multiple VPN servers on one machine.

In the next section, we’ll evaluate the differences between physical and virtual VPN servers.

Physical vs. Virtual Servers

Hosting a VPN server on a virtual machine is not inherently dangerous – it is only a security risk in certain contexts.

If a VPN provider owns or rents the underlying physical server, there is very little difference between a VPN server that is virtualized and one that is physical in terms of user privacy and security.

The main danger with virtual VPN servers comes with general-purpose cloud hosting or Virtual Private Servers (VPS). This is when providers rent virtual space on a physical server and host their VPN on there.

In this scenario, the provider does not own the virtual machine or the physical server it is hosted on.

A cloud-hosting service owns the physical server and runs multiple virtual machines which are rented out to different clients, each of whom uses their virtual machine for a different purpose. Some might run websites, some might store databases, and others might host VPN servers.

Until recently, this was considered a secure way to host a VPN server. However, a series of CPU side-channel attacks – such as Spectre, Meltdown, and Zombieland – have rendered general-purpose cloud hosting a privacy red-flag for VPN users.

For this reason, it is highly recommended that VPN providers using virtual servers also own or rent the entire underlying physical machine.

If a VPN provider owns or rents the underlying hardware and not just the virtual machine, they are not at risk of CPU side-channel attacks. This is because they have complete control over what is happening on the physical server’s other virtual machines.

Physical servers can also offer better performance than their virtual counterparts. By definition, virtual servers operate with only a portion of the physical server’s total computing power – they therefore have less resources at their disposal than their physical counterparts. In theory, this can lead to reduced performance and slower speeds for VPN users.

In practice, however, the inefficiencies of physical servers are so vast that the majority of users won’t notice any loss in performance when using a virtual server over a physical one.

In summary, the advantages and disadvantages of physical vs virtual servers are:

• Virtualized VPN servers pose no extra risk to users than physical ones, as long as the provider also rents or owns the underlying machine.
• Virtual servers that run in general-purpose cloud environments pose a security risk and should be avoided.
• Virtual servers are cheaper, more easily migrated, and more environmentally-friendly than physical VPN servers.
• In theory, physical VPN servers provide faster speeds and better performance than virtual servers. However, in practice, the difference is usually negligible.

Which VPN Providers Use Virtual Servers?

While most VPN providers refuse to disclose whether their VPN servers are virtualized or not, there are a few services that are open and honest, including:

• CactusVPN
• F-Secure Freedome
• Hotspot Shield
• PureVPN
• SaferVPN

As discussed above, using virtual servers is not usually a risk as long as the VPN provider owns or rents the underlying physical machine.

Unfortunately, this isn’t always the case. CactusVPN’s support team informed us that they “rent Virtual Private SSD Servers”. This is the type of server vulnerable to CPU side-channel attacks, and we would urge CactusVPN and any other provider renting VPS systems to reconsider this practice.

By contrast, VPNs such as Perfect Privacy openly reject the use of rented virtual servers. Their website states that they “renounce virtual servers”, and told us that “VPS is simply unsuitable for a VPN service, and it’s fraudulent to advertise privacy”.

A number of other VPN providers have also made it clear to us that they do not host any of their VPN servers on virtual machines. These include:

• CyberGhost
• PrivateVPN
• Private Internet Access (PIA)
• TunnelBear

Virtual servers are often confused with virtual VPN server locations. As we’ve seen, a virtual server is simply a server running on a virtualized machine on a physical server.

A virtual server location, on the other hand, is when a VPN server’s physical location differs from where its IP address is registered.

ExpressVPN, for example, have VPN servers that give users a Mongolian IP address even though the server they connect to is physically located in Singapore.

VPN companies use virtual server locations to expand their server networks, provide faster speeds, and test new locations. In doing so, however, they can affect user privacy and connection speeds.

How Do Virtual VPN Server Locations Work?

When websites check the physical location of their visitors, they look up the connection’s IP address in a geolocation database. VPN providers spoof these databases in order to set-up VPN servers with fake locations.

To do this, VPN providers purchase blocks of IP addresses from the huge global registries that are responsible for linking individual IP addresses to physical locations.

These registries tend to be region-specific: ARIN serves much of North America; AFRINIC serves Africa; APNIC serves the Asia-Pacific region; LACNIC serves much of Central and South America; and RIPE NCC serves Europe and some parts of Asia.

The same organizations are also in charge of allocating their region’s registered IP addresses. This means that for a fee, anyone can go through a registration process and obtain an IP address for a specific location within that registry’s region.

All a VPN provider needs to do is purchase a block of IP addresses registered to New York, for example, and by making some changes to the BGP routing protocol, they can assign these IP addresses to servers physically located elsewhere.

When websites look up the VPN server’s IP address in a geolocation database, they see that the server is registered in New York and so grant the user access to US-specific content, such as the US Netflix library. Meanwhile, the VPN server is physically located in London, Moscow, or wherever.

Virtual Servers vs. Fake Server Locations

Virtual servers and fake server locations are often confused and conflated in the VPN industry.

The two are in fact entirely different concepts. In short, the term ‘virtual server’ names the process of running a VPN server within a virtualized environment.

A ‘virtual server location’, on the other hand, describes instances where there is a disconnect between the VPN server’s physical location and its IP address.

Virtual locations can be implemented on both physical servers and virtual servers. A server doesn’t need to be virtual to use a fake location, and a fake location is not always hosted on a virtual server.

A virtual server “gives users the benefits of a physical server, minus the physically placed part”, while a fake server location “mimics being physically hosted at a particular location, without actually being physically present at that location”.

Virtual Server Locations: Advantages & Disadvantages

Using virtual server locations is often reported as an unquestionably bad thing for VPN services to do. In reality, the issue is far more complex. There are certainly some advantages to using virtual locations:

• Faster Speeds: When a VPN server is physically closer to a user than the country it is registered in, it will deliver faster speeds.

• Poor Internet Infrastructure: Some countries do not have the network infrastructure to support a reliable and secure VPN server network. Here, VPN companies can use fake server locations to provide users with an IP address in those countries without having to risk using unreliable data centers.

• Avoid Authoritarian Governments: A good VPN company might avoid placing physical servers in countries with authoritarian or censorious governments. Instead, they may deploy VPN servers in safer countries and utilize virtual locations in order to provide IP addresses in the country they need.

• Test New Locations: VyprVPN uses virtual locations to test out where they should deploy new physical servers. By assessing which locations are popular with its customers, VyprVPN are able to determine where it is worth investing the time and money to place new physical servers.

• Larger Server Networks: Virtual locations allow VPN providers to increase the size of their server network.

There are also some legitimate concerns when it comes to using virtual server locations:

• Dangerous Jurisdictions: Every country has different laws and practices when it comes to logging and data sharing, which we refer to as VPN jurisdictions. It becomes much harder to assess the impact of a jurisdiction on your privacy if your provider is using virtual locations.

• Slower Speeds: Some users might purposefully connect to a VPN server that is close to their real location in order to maximize connection speeds. If the server is actually physically located elsewhere, the user will experience slower speeds than anticipated.

Which VPN Providers Use Fake Server Locations?

There are honest VPN providers that have taken a transparent approach to virtual server locations. However, there are still many providers using virtual server locations without publicly disclosing it.

We’ve spoken to a number of VPN companies that are keen to emphasize that they do not use fake server locations. This means all of their servers are physically located in the country advertised. These providers include:

• CactusVPN
• IPVanish
• NordVPN
• PrivateVPN

However, fake server locations aren’t an issue as long as the VPN provider is transparent. The following VPN providers are open about their use of virtual locations:

• CyberGhost
• ExpressVPN
• HideMyAss (HMA)
• PureVPN
• Surfshark
• VyprVPN

While we commend all of these providers for their honesty, only ExpressVPN and HMA inform users where their servers are actually located. The other providers acknowledge that their server locations are fake without stating where that server’s true location is.

We urge the other VPN services on this list to follow ExpressVPN and HMA’s lead by publicly disclosing the true location of their VPN servers.

In this section we’ll teach you how to discover where a VPN server is really located.

Using a few online tools, you can find out whether your provider is being honest about its use of fake server locations.

These tests might seem daunting at first, but we’ll walk you through a simple step-by-step process that you can use to test your VPN server’s physical location. We’ll then present a few case studies so you can see the testing process in action.

1Find the VPN Server’s IP Address

To start, you’ll need to identify the IP address of the VPN server you want to test.

The easiest way to do this is to connect to your VPN server of choice and head to our IP checker tool. It’ll show you your current public IP address.

2Ping the VPN Server From a Range of Locations

A ping test measures the time it takes for a request to be sent to a server and for a response to be sent back. This helps test the rough distance between two points in a network: the higher the ping, the longer the distance between the two points.

To test where your server is physically located, you need to ping it from a number of locations around the world. By finding the lowest ping rate we can hone in on the server’s real physical location.

There are a number of online tools that allow you to run a ping test on a specific server from multiple locations worldwide. Our favorite is the CA App Synthetic Monitor ping tool, but you can also use MapLatency.com.

To begin, enter the VPN server’s IP address into the search box at the top and click the start button.

The tool will ping the server from each of their monitoring stations and record how long it takes. The CA App Synthetic Monitor tool has over 50 stations located around the world.

In this tool, rtt stands for ‘round trip time’ and refers to the amount of time (ms) it takes for a signal to be sent and an acknowledgement of that signal to be received.

You can analyze the results of this ping test to see which locations have the lowest round trip time and then infer the rough physical location of the server from there. Networking complications can sometimes lead to anomalous results, so the “minimum rtt” figure is usually the most reliable number to use.

If the rough location you can infer from the shortest round trip time differs significantly from the VPN server’s advertised country, it is likely that the server is using a fake location.

3Run Traceroute Tests to Investigate the Findings

Using the traceroute tools offered by Looking Glass or CA App Synthetic Monitor, you can plot a data packet’s journey through the network from a monitoring station to your chosen VPN server.

The number of network hops, the location of the network hops, and the transmission time all help you investigate where your server is really located.

To start, run the traceroute that should be the closest to the VPN server. In other words, select a location that is as close as possible to the server’s advertised country.

Then, test the locations which had the smallest round trip times in the initial ping test.

Roughly speaking, if these locations show faster speeds and fewer network hops than the advertised location, it’s likely that your server’s location is fake.

4Verify Your Results With a Separate Ping Tool

Network variability can sometimes lead to anomalous results, so it’s worth running each of the above tests multiple times in order to ensure your results are reliable. To finish, it is also worth running a second ping test, using a different online tool.

We like to use ping.pe as it has a good range of monitoring locations.

Input your server’s IP address in the box at the top and the tool with start pinging it from a range of locations. The ping times should hopefully match your previous findings, giving an indication of your server’s true location.

With these four easy steps you should be able to get a rough idea of where your VPN server is physically located. If the country you’ve found differs significantly from the location of the server’s advertised IP address, you’ve probably found a fake VPN server location.

It’s worth noting that this is not an exact science. Ping time is an indicator of geographic location, but a number of factors can distort it. The steps described in this guide will give you a rough idea of where a server is (or is not) located, but you should be wary of using these methods to draw definitive conclusions.

In the remainder of this report, we’ll run through a few case studies to demonstrate the investigation process in action.

Case Study #1: ExpressVPN

ExpressVPN offers users a server in Vietnam, but is transparent about the fact that it is a fake location. The server is actually located in Singapore.

We can verify that this is indeed a fake location using the steps described below.

1Server’s IP address: 45.10.234.90

We can see the server’s IP address by connecting to ExpressVPN’s Vietnam server and checking browserleaks.com.

2An initial ping test strongly suggests the server is physically located in Singapore and not Vietnam.

When we pinged the VPN server from a range of global locations, the shortest ping times came from Singapore, India, and China – with Singapore being the fastest by a significant margin.

Shortest Pings:

1. Singapore — Singapore (0.945ms)
2. India — Chennai (33.227ms)
3. China — Hong Kong (37.918ms)
4. India — Bangalore (38.497ms)
5. India — Mumbai (60.718ms)

In contrast, a ping from Ho Chi Minh City – where the IP address is registered – took a minimum of 74.881ms.

The 0.945ms ping time from Singapore is significantly smaller than those from other locations. This alone is enough to infer a better idea of the server’s real location.

However, some small calculations show us that, even moving at the speed of light (300km/ms), data from the Singapore monitoring station can travel a maximum of 283km in 0.945ms. The data has to travel to and from the VPN server in this timeframe (0.945ms).

As the shortest distance between Singapore and Vietnam is 1,488km, this makes it impossible for the VPN server to be located in Vietnam.

We can therefore conclude with confidence that the ExpressVPN Vietnam server is not physically located in Vietnam. It is most likely based in Singapore, just as ExpressVPN states.

3Our findings are supported by a traceroute and a separate ping test.

When we cross-checked our results with a traceroute test and with a separate ping tool, we found very similar stories.

Although the ping.pe tool doesn’t have a monitoring station in Vietnam, the extremely low ping times recorded at the Singapore monitoring station strongly suggest this VPN server is physically located in Singapore.

Case Study #2: CyberGhost

Like ExpressVPN, CyberGhost is transparent about which of its servers use fake locations. Unfortunately, it isn’t also transparent about where these servers are actually located.

CyberGhost state that their Isle of Man servers use virtual locations.

We used the methods described in this section to investigate where these VPN servers are really located.

1Server’s IP address: 45.132.140.22

When you connect to a CyberGhost server location, the application helpfully tells you what your new IP address is. We confirmed this using several IP address checking tools.

2An initial ping test suggests the VPN server is located in Western Mainland Europe.

When we pinged the VPN server from global monitoring stations, the results indicated that it was located in mainland Europe, near the Netherlands or Belgium.

Shortest Pings:

1. Netherlands — Eemshaven (4.901ms)
2. Belgium — St. Ghislain (5.691ms)
3. Germany — Frankfurt (8.017ms)
4. UK — London (8.638ms)
5. Denmark — Copenhagen (13.007ms)

3Traceroute testing suggests the server might be located in Amsterdam, Netherlands.

We ran a traceroute on Looking Glass comparing Dublin (which is closest to the Isle of Man geographically) and Amsterdam.

The results showed an increased transmission time and several additional network hops when connecting to the server from Dublin as opposed to from Amsterdam. Also of interest was that network hop 3 in the Dublin traceroute connected it to the Amsterdam internet exchange.

This all suggests that the VPN server is not located in the Isle of Man, but is probably based somewhere closer to Amsterdam, Netherlands.

4A second ping test supports our findings that the VPN server is most likely located somewhere in the Netherlands.

We then cross-checked our findings with a ping test tool that uses a monitoring station in Amsterdam. The ping time averaged under 2ms.

With a bit of math, we can work out that the furthest possible distance our VPN server can be from Amsterdam is 177km. We get this from the speed of light (300km/ms) multiplied by the shortest ping time (1.18ms) and divided by two (because it’s a round trip).

When we plot this on map, we can see that it is highly probable the CyberGhost Isle of Man server is in fact located in the Netherlands — most likely somewhere near Amsterdam.