Disclosure: Top10VPN is editorially independent. We may earn commissions if you buy a VPN through links on our site.

VPN Server Security: Are Rented VPN Servers & Virtual Server Locations Safe?

JP Jones - CTO @ Top10VPN

JP Jones is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process.

Every VPN provider implements its server network differently, which means it's hard for users to know exactly where their data goes and who is responsible for it. In this guide, we’ll shine a light on virtual servers, fake locations, and rented VPN servers so you’ll know exactly what to look out for.

vpn, dns, and proxy servers

Every VPN’s server network is slightly different. Instead of owning their servers outright, some VPN services choose to rent large portions of their server infrastructure in order to for their users to access a wider range of geographical locations.

It’s also common for VPN companies to use virtual server locations. These provide users with an IP address from one country, even though the server is physically located in a different country.

Both of these variables can come with privacy and security concerns if not implemented correctly. VPNs can be hacked through compromised VPN servers which why it’s important your VPN takes the management of each server seriously.

In recent years, we’ve seen some VPN services come under scrutiny for how they manage their servers — the NordVPN hack in 2018 is a good example.

Some companies are upfront about how they control their network while others are less transparent.

In this guide, we’ll explain the different ways a personal VPN service can implement its server network, and how this can impact your online privacy and security.

Here’s a quick summary of our most important findings:

  • Fake/Virtual VPN server locations are servers that are not physically based in their advertised location. For example, a VPN server that offers an Australian IP address but is physically located in the US. These servers are safe to use, as long as there is transparency from the provider.
  • Virtual VPN servers are servers hosted on virtual machines. These are only a danger to users when the VPN provider doesn’t also own or rent the underlying physical hardware.
  • Rented VPN servers are servers leased from a third-party landlord, such as a data center. In theory, these VPN servers are no less safe than first-party owned servers, as long as the provider enforces a stringent vetting process and remotely monitors the server effectively.

For a full explanation of our findings, skip to our verdict on VPN server safety.

What Is a VPN Server?

When you use a virtual private network (VPN) you’ll usually choose between a list of server locations in different countries.

Once you’ve connected to one and requested a website in your browser, the VPN software on your device encrypts your connection and routes it via your chosen server on its way to the internet.

At the most basic level, VPN servers are simply standard computers designed to host and deliver encrypted tunneling services. When you access a website, the server decrypts your traffic and sends it onto its intended destination.

If your VPN is working effectively, the websites and services you access will see the IP address of the VPN server you’re connected to, rather than your personal IP address.

Diagram showing how a VPN works.

When these websites send information back to you, the data is again routed through the VPN server which encrypts and transmits it back to your device. The VPN software on your device then decrypts it so it can be loaded in your web browser.

This process establishes a secure communication channel between your device and the VPN server, known as a VPN tunnel. You can read more about VPN encryption and VPN tunnels in our in-depth article on how VPNs work.

VPN servers can be either physical or virtual, and VPN providers can either rent or own the servers they use.

In the next section, we’ll discuss the issue of server ownership. Alternatively, jump to our chapters on virtual machines or virtual server locations.

1. VPN Server Ownership: The Dangers of Rented Servers

illustrations of the three vpn server ownership options: on-site ownership, co-location, and rented

Generally speaking, VPN providers have the choice between renting or owning the servers in their network. Users should know whether their chosen service rents its servers because this can have important consequences for privacy, security, and performance.

Unfortunately, server ownership can often be a closely-guarded secret. Many VPN services are reluctant to disclose when they are using rented servers.

In this section we’ll introduce the different ownership options available to commercial VPN providers as well as the advantages and disadvantages of each.

Here are the three main options when it comes to server ownership:

  1. On-Site Ownership: The company purchases, installs, and maintains its servers itself. The servers are owned outright and stored somewhere on company premises, meaning only trusted employees have physical access to them.
  2. Co-Location Agreement: In a co-location agreement, the company owns and operates its servers but stores them off-site, usually in a data center. For a fee, the data center provides a rack for storage, air conditioning facilities, and a set amount of bandwidth. The company’s staff monitor the server remotely and visit the data center to repair hardware when needed.
  3. Rented Servers: It’s possible to rent servers straight from the data center. Otherwise known as dedicated or managed hosting, this method allows companies to forego the expense, time, and expertise required to purchase, install, and maintain a physical server. Instead, the data center handles everything on the hardware side and the company is given remote access to manage the software. Companies can also rent virtual servers. We’ll discuss these in the next chapter.

We’ll now discuss each of these ownership options in greater detail. Alternatively, you can skip straight to our verdict on how VPN server ownership affects users.

On-Site Ownership

From a privacy and security perspective, the ideal VPN provider owns its entire server network and stores it on-site. This way, the provider knows everything about the hardware they use and also owns the surrounding network infrastructure.

This means that no one could physically access the VPN servers other than the provider’s employees. There is no hidden data center or mysterious third party with physical access to the servers.

More importantly, it also prevents other third parties from logging server activity. VPN logging policies apply only to the VPN company and not to any other parties they might work with. A “zero-logs” policy means very little to users if there is a data center monitoring server activity and collecting logs.

For this reason, first-party on-site ownership is the gold standard for VPN server networks when it comes to privacy. It is the only way to ensure that there is absolutely no third-party involvement beyond the company that users have explicitly chosen to place their trust in.

Unfortunately, in practical terms it is just not viable for a commercial VPN provider to run a server network that is entirely owned on-site.

Though great for security, on-site ownership simply isn’t a practical option for a commercial VPN company operating an international server network. Here’s why:

  • Huge up-front costs: The VPN provider would need to fund a network of servers, data center-grade power, bandwidth and cooling facilities, back-up hardware in case of failures, and a team of highly-skilled administrators. These costs can be enormous and would need to be multiplied for every additional location the provider wants to host a server in. It is far cheaper to host in a data center.

  • Weakened connection speeds: Data centers tend to be much closer to an internet exchange — in terms of network hops — than on-site servers. This can result in slower speeds and higher latency for users as their connections will have further to travel.

  • Small server networks: A key feature of any top-tier VPN is a large network of servers in a wide range of locations. However, on-site ownership restricts a provider’s ability to physically expand their network. To avoid using data centers, the company would have to own land in every location they want to place a physical server.

If a VPN provider wants the security benefit of owning its VPN servers without the practical implications of storing them on-site, its best bet is a co-location agreement with a trustworthy data center.

In the next section, we’ll compare co-locating with renting VPN servers, and assess whether you should avoid using VPN providers that rent their server network.

Co-Location Agreements vs. Rented Servers

an illustration of a man selecting between a rented VPN server and a co-located VPN server

In practical terms, most VPN companies have to make the choice between owning their servers through co-location or renting them from a data center.

Here’s how these two options compare when it comes to privacy and performance.

Privacy & Security

Co-located servers are purchased by the VPN company and hosted in a third-party data center. Usually, the server is locked in a cabinet where only members of the VPN provider’s staff are able to physically access it.

In contrast, rented servers are controlled remotely by the VPN company while the data center owns and manages the hardware.

As with on-site ownership, co-location gives VPN providers the benefit of knowing exactly what has gone into their server’s hardware. The ability to physically inspect and audit this hardware is often not possible when servers are rented.

By contrast, rented VPN servers are usually installed, monitored, and maintained by data center employees. In theory, this carries the possibility that a third party — unknown to the VPN user — has the ability to tamper with the server’s hardware.

In practice, however, renting VPN servers is often not the privacy concern it is reported to be.

Most modern servers are equipped with a Remote System Management Card. Combined with real-time system logging, this means that VPN providers are able to remotely monitor almost everything about a server’s operation, including any modifications made to its hardware.

This applies to both rented and co-located servers. If anything suspicious happens, the company is able to investigate it and shut down operations accordingly.

This largely protects rented VPN servers from the dangers posed by physical tampering.

Yes, third parties have increased physical access to a rented server than they do a co-located server in a locked rack — meaning the possibility of tampering is higher. But a good VPN provider can put in place a remote monitoring system that alerts it to any changes made to the server’s hardware, rented or otherwise.

The risks of physical tampering are therefore mitigated as providers are capable of remotely identifying any unexpected hardware modifications and acting appropriately.

The extent to which these risks are mitigated, however, depends entirely on how diligent the provider is in its remote monitoring. When a NordVPN server was hacked in 2018, it was widely highlighted as evidence of the dangers of renting VPN servers. The attacker exploited an unsecured hardware card, which NordVPN claimed the data center had put there without telling them.

While it is true that physical access to the server may have brought the hardware card to the company’s attention, NordVPN technicians could’ve also seen the card’s presence via their remote access to the server’s installed hardware. Ultimately, the breach wasn’t really to do with the server being rented – with greater due diligence on the part of NordVPN, the vulnerability could’ve been avoided.

While the ability to physically audit server hardware is perhaps a slight advantage for co-located servers, it should not be necessary if the server is being remotely monitored effectively. This makes the issue of renting VPN servers significantly less concerning.


For the most part, a rented VPN server is no more at risk from physical tampering than a co-located server.

A privacy issue that both co-located and rented VPN servers face is the status of the networking environment around them.

Any server in a data center — whether it is owned or rented — is connected to that data center’s network. As we have seen, this gets VPN servers far closer to an internet exchange than they could’ve been otherwise, which helps improve connection speeds.

However, it also means that providers have very little knowledge of the network infrastructure that is upstream of their servers — and they certainly have no control over it.

This can pose a risk for VPN users because the service provider can never be completely sure that their server isn’t being monitored. Attackers and intelligence agencies are able to use the upstream network switch to record (and then mirror) all of the activity going in and out of a targeted server.

This is particularly relevant to data centers in countries with invasive data privacy laws. Local authorities could monitor upstream traffic or even compel the data center to store information locally and share it with them. This effectively amounts to logging on behalf of the data center without the VPN provider’s knowledge.

In the case of VPN traffic, the activity should be encrypted. However, traffic correlation attacks are still a possibility and attackers can still get access to certain metadata, like the user’s originating IP address.

Here’s a summary of the key differences between rented and co-located VPN servers when it comes to privacy and security:

  • A co-located VPN server is marginally better than a rented server from a security perspective because the provider is able to fully audit the server’s hardware and physically inspect it whenever they please.
  • Remote access and system logs allow providers that rent VPN servers to monitor their hardware effectively. This largely mitigates the concerns one might have about third parties having physical access to rented servers.
  • Both rented and co-located VPN servers are at risk of upstream traffic monitoring due to lack of control over the data center’s network infrastructure. Neither rented or co-located servers allow providers to be 100% sure that their servers are not being monitored by governments, intelligence agencies, or any other third party with access to the data center.

Speed & Performance

In terms of connection speeds, both rented and co-located VPN servers share the benefits of being in a data center. This allows them to be close to (and sometimes even peer directly with) an internet exchange, which greatly improves performance.

VPN providers who rent their server network are afforded a degree of flexibility that is harder to come by with co-location. Rental agreements can be scaled up or scaled down to match user demand, whereas co-location agreements keep providers tied-down to the hardware they have purchased and installed.

This flexibility can be beneficial in situations where authorities attempt to compel VPN providers to censor user activity or retain logs. It’s easier to cease operations in a country when all you’ve committed to is a monthly rental fee, as opposed to owning a large piece of hardware that’s physically located in that country.

Renting is also better suited to having a large number of servers in a wide range of locations. When providers don’t have to worry about maintaining their servers or keeping them within commuting distance for staff, they have greater freedom to expand their network globally.

Not only does a larger server network provide users with a more diverse array of IP addresses, it should also facilitate faster connection speeds. This is because, in a lot of cases, it will reduce the geographic distance between a given user and the closest VPN server.

These are the key differences between rented and co-located VPN servers when it comes to performance:

  • Whether it’s owned or rented, any server stored in a data center benefits from being in close proximity to an internet exchange. This can improve connection speeds.
  • Without the commitment involved in owning a server network, VPN providers that rent their servers are better able to amend their operations in line with customer demands. They can offer larger server networks in a wider range of locations, and will find it much easier to cease operations when facing pressure from foreign governments.

Our Verdict on Server Ownership

It is impractical for a commercial VPN provider to own and manage all of its servers on-site. Of the remaining options, a rented VPN server is only marginally worse than a co-located server from a security perspective. It might even have some performance benefits in terms of connection speeds and operational flexibility.

Both methods are subject to the same privacy risks when it comes to the monitoring of upstream traffic.

Overall, as long as the VPN provider takes the time to properly configure the server, remotely monitor it effectively, and understand the data center’s network environment, there is little increased risk with a rented VPN server versus a co-located server.

Which VPN Providers Rent Their Servers?

The majority of commercial VPN server networks combine both rented and co-located servers. While many refuse to openly disclose this information, here is a list of VPN providers that are honest and transparent about renting at least some of their servers:

  • CactusVPN
  • F-Secure Freedome
  • HideMyAss! (HMA)
  • NordVPN
  • Private Internet Access (PIA)
  • PrivateVPN
  • Proton VPN
  • Windscribe
  • X-VPN

NOTE: NordVPN have recently announced plans to convert its entire server network to be co-located.

A number of these providers go to great lengths to emphasize how careful they are when selecting a data center to rent from:

PIA, for example, told us they have a “stringent vetting process” when assessing potential third parties.

This highlights an important point: in general, rented VPN servers aren’t a danger to users as long as the data center is vetted and considered to be trustworthy.

It is impossible for the average user to know exactly which third parties are being entrusted with their data, so we have to trust our VPN service to choose its partners carefully.

A good VPN may rent its servers, but it will thoroughly vet the data center it is renting them from. This vetting process will include a full hardware audit and an inspection of the data center’s networking environment in order to understand any potential threats.

Unfortunately, most VPN providers keep the specifics of their vetting processes hidden. This means we can only rely on trust that their procedures are comprehensive and secure.

We urge any VPN service that uses rented servers to be more transparent about the specifics of their vetting process. Only then can we have full confidence that their servers are safe to use.

For users who would rather avoid the uncertainty associated with rented servers, there are a small number of VPN providers that advertise an entirely self-owned network. These include AzireVPN, IPVanish, and VyprVPN.

2. Virtual and Physical Servers

VPN servers can be either physical or virtual. So far, we’ve mostly focused on physical servers. These are the machines that are often seen on racks in data centers.

photo of physical servers stored in racks in data centers

Physical servers in a data center

Virtual servers are virtualized environments run on physical servers. They can host VPN software and carry out tunneling services in just the same way as a bare-metal VPN server.

In short, a virtual machine behaves like a physical server in almost every aspect apart from the hardware.

Virtual VPN servers have all the same benefits as a bare-metal server, without the physical component.

Importantly, however, an individual physical server can run multiple virtual servers at once. This means you can host multiple VPN servers on one machine.

To run a virtual VPN server, you first need to create a virtualized environment. These environments are known as virtual machines (VM) and a single physical server can host several of them. The process of creating a VM is known as virtualization.

Software is used to separate the physical server from the virtual machines that are running on it. This keeps the VMs distinct from the physical server and also keeps them running independently from one another. Each VM can even run its own OS. So VM1 might run Ubuntu Linux, whilst VM2 runs Windows.


Virtual machines are entirely capable of acting as fully-functioning VPN servers. When they do, we refer to them as virtual servers.

In the next section, we’ll evaluate the differences between physical and virtual VPN servers.

If you’d rather just read our verdict on whether virtual servers are safe for VPN users, you can do so here.

Physical vs. Virtual Servers

illustration depicting a physical server running multiple virtual servers

Hosting a VPN server on a virtual machine is not inherently dangerous – it is only a security risk in certain contexts.

If a VPN provider owns or rents the underlying physical server, there is very little difference between a VPN server that is virtualized and one that is physical in terms of user privacy and security.

In fact, there are some benefits to using a virtual VPN server:

  • Low Cost: Virtualization helps to maximize server utility. Normal physical servers use only a fraction of their available resources – running virtual machines on them helps to solve this inefficiency. Running multiple VMs on a single physical server can save a VPN provider huge sums of money, which can result in cheaper subscription fees for users.

  • Environmentally-friendly: Data centers have large carbon footprints, which can be reduced by making physical servers more efficient.

  • Easy Migration: It is possible to migrate virtual environments from one machine to another. If the underlying physical hardware starts to fail or needs updating, you can simply migrate the virtual server to another machine, reducing the VPN server’s downtime.

The main danger with virtual VPN servers comes with general-purpose cloud hosting or Virtual Private Servers (VPS). This is when providers rent virtual space on a physical server and host their VPN on there.

In this scenario, the provider does not own the virtual machine or the physical server it is hosted on. A cloud-hosting service owns the physical server and runs multiple virtual machines which are rented out to different clients, each of whom uses their virtual machine for a different purpose. Some might run websites, some might store databases, and others might host VPN servers.

Until recently, this was considered a secure way to host a VPN server. However, a series of CPU side-channel attacks – such as Spectre, Meltdown, and Zombieland – have rendered general-purpose cloud hosting a privacy red-flag for VPN users.

These side-channel attacks target the physical server’s CPU cache from within one of its virtual machines. If the attackers are successful, they are able to view what is happening on the server’s other virtual machines and sometimes even control their activity.

For this reason, it is highly recommended that VPN providers using virtual servers also own or rent the entire underlying physical machine.

If a VPN provider owns or rents the underlying hardware and not just the virtual machine, they are not at risk of CPU side-channel attacks. This is because they have complete control over what is happening on the physical server’s other virtual machines.

Physical servers can also offer better performance than their virtual counterparts. By definition, virtual servers operate with only a portion of the physical server’s total computing power – they therefore have less resources at their disposal than their physical counterparts. In theory, this can lead to reduced performance and slower speeds for VPN users.

In practice, however, the inefficiencies of physical servers are so vast that the majority of users won’t notice any loss in performance when using a virtual server over a physical one.

In summary, the advantages and disadvantages of physical vs virtual servers are:

  • Virtualized VPN servers pose no extra risk to users than physical ones, as long as the provider also rents or owns the underlying machine.
  • Virtual servers that run in general-purpose cloud environments pose a security risk and should be avoided.
  • Virtual servers are cheaper, more easily migrated, and more environmentally-friendly than physical VPN servers.
  • In theory, physical VPN servers provide faster speeds and better performance than virtual servers. However, in practice, the difference is usually negligible.

Our Verdict on Virtual Servers

For the most part, virtual VPN servers are not something that users need to worry about. Most VPN providers will rent or own the underlying physical hardware and run their own virtual machines on there, posing no additional risk to users.

The only danger comes from general-purpose cloud hosting. Here, providers rent just a virtual machine — meaning they have to share the physical hardware with other, potentially dangerous, individuals.

Which VPN Providers Use Virtual Servers?

While most VPN providers refuse to disclose whether their VPN servers are virtualized or not, there are a few services that are open and honest, including:

  • CactusVPN
  • F-Secure Freedome
  • Hotspot Shield
  • PureVPN
  • SaferVPN

As discussed above, using virtual servers is not usually a risk as long as the VPN provider owns or rents the underlying physical machine.

Unfortunately, this isn’t always the case. CactusVPN’s support team informed us that they “rent Virtual Private SSD Servers”. This is the type of server vulnerable to CPU side-channel attacks, and we would urge CactusVPN and any other provider renting VPS systems to reconsider this practice.

By contrast, VPNs such as Perfect Privacy openly reject the use of rented virtual servers. Their website states that they “renounce virtual servers”.

We asked Perfect Privacy to elaborate on why they take such a strong stance against virtual servers. They replied with the following email, concluding that “VPS is simply unsuitable for a VPN service, and it’s fraudulent to advertise privacy”:

an email from Perfect Privacy support staff stating "VPS is simply unsuitable for a VPN service"

The support staff clarified that: “A VPN on a dedicated server (rented or owned)… is no problem. Only VM/VPS on foreign hardware [are an issue].”

This sentiment is echoed by AzireVPN whose website emphasizes that they stay away from “rented virtual servers”.

a screenshot of AzireVPN's website where they claim to never rent virtual servers

AzireVPN makes a point to not rent virtual VPN servers

A number of providers have also made it clear to us that they do not host any of their VPN servers on virtual machines. These include:

  • CyberGhost
  • PrivateVPN
  • Private Internet Access (PIA)
  • TunnelBear

3. Fake VPN Server Locations

illustration of a map showing servers in a different location to where their IP address is registered

Virtual servers are often confused with fake VPN server locations. As we’ve seen, a virtual server is simply a server running on a virtualized machine on a physical server.

A fake server location, on the other hand, is when a VPN server’s physical location differs from where its IP address is registered.

ExpressVPN, for example, have VPN servers that give users a Mongolian IP address even though the server they connect to is physically located in Singapore.

VPN companies use fake locations (or ‘virtual server locations’) to expand their server networks, provide faster speeds, and test new locations. In doing so, however, they can affect user privacy and connection speeds.

In this chapter we will consider how fake server locations work and explore the pros and cons of using a VPN server with a fake location. Or skip straight to our verdict on whether fake server locations are a danger to VPN users.

How Do Fake VPN Server Locations Work?

When websites check the physical location of their visitors, they look up the connection’s IP address in a geolocation database. VPN providers spoof these databases in order to set-up VPN servers with fake locations.

To do this, VPN providers purchase blocks of IP addresses from the huge global registries that are responsible for linking individual IP addresses to physical locations.

These registries tend to be region-specific: ARIN serves much of North America; AFRINIC serves Africa; APNIC serves the Asia-Pacific region; LACNIC serves much of Central and South America; and RIPE NCC serves Europe and some parts of Asia.

The same organizations are also in charge of allocating their region’s registered IP addresses. This means that for a fee, anyone can go through a registration process and obtain an IP address for a specific location within that registry’s region.

All a VPN provider needs to do is purchase a block of IP addresses registered to New York, for example, and by making some changes to the BGP routing protocol, they can assign these IP addresses to servers physically located elsewhere.

When websites look up the VPN server’s IP address in a geolocation database, they see that the server is registered in New York and so grant the user access to US-specific content, such as the US Netflix library. Meanwhile, the VPN server is physically located in London, Moscow, or wherever.

As you can see, it is reasonably straightforward and perfectly legal for VPN providers to use fake server locations.

In the next section we explain the difference between fake locations and virtual servers. However, you can skip straight to our verdict on fake server locations, if you’d prefer.

Virtual Servers vs. Fake Server Locations

Virtual servers and fake server locations are often confused and conflated in the VPN industry. This is partly due the fact that fake locations are commonly referred to as ‘virtual server locations’, or sometimes even just ‘virtual servers’.

screenshot from PureVPN's website discussing virtual servers

PureVPN confusingly refer to fake server locations as ‘virtual servers’

The two are in fact entirely different concepts and it’s important to differentiate between them. In short, a fake VPN server location has nothing to do with whether the server is virtual or physical. And a virtual server has nothing to do with the location of the IP address you are assigned.

The term ‘virtual server’ names the process of running a VPN server within a virtualized environment. If a virtual machine hosts the server, then we can say it is a virtual VPN server.

A fake location (or ‘virtual server location’), on the other hand, describes instances where there is a disconnect between the VPN server’s physical location and its IP address.

Fake locations can be implemented on both physical servers and virtual servers. A server doesn’t need to be virtual to use a fake location, and a fake location is not always hosted on a virtual server.

PureVPN’s statement (above), though confusing, provides a clear definition of both concepts. A virtual server “gives users the benefits of a physical server, minus the physically placed part”, while a fake server location “mimics being physically hosted at a particular location, without actually being physically present at that location”.

To summarize the difference between virtual servers and fake locations:

  • Virtual servers and fake locations are two distinct features of VPN servers, though they can be used in conjunction.
  • A virtual server can assign an IP address that matches the physical location of the machine it is hosted on. It can also assign an IP address that does not match this location.
  • A physical server can assign an IP address that matches its true location. It can also use a fake location.

Fake Server Locations: Advantages & Disadvantages

Using fake server locations is often reported as an unquestionably bad thing for VPN providers to do. In reality, the issue is far more complex. There are certainly some advantages to using virtual locations:

five small illustrations depicting the advantages of using virtual/fake server locations

  • Faster Speeds: When a VPN server is physically located in a country that is closer to the user than the country it is registered in, it will offer faster speeds. For example, an American user looking to connect to an Indian server will get faster speeds when connected to a fake server location that is actually located in Canada than if they were connected to a real server location in India.

  • Poor Internet Infrastructure: Some countries do not have the network infrastructure to support a reliable and secure VPN server network. Instead, VPN companies can use fake server locations to provide users with an IP address in those countries without having to risk using unreliable data centers.

  • Avoid Authoritarian Governments: A good VPN company might avoid placing physical servers in countries with authoritarian or censorious governments. Instead, they may deploy VPN servers in safer countries and utilize fake locations in order to provide IP addresses in the country they need. This is what ExpressVPN did after its server was seized by Turkish authorities.

  • Test New Locations: VyprVPN uses fake locations (what they call “virtual servers”) in order to test out where they should deploy new physical servers. By assessing which locations are popular with its customers, VyprVPN are able to determine where it is worth investing the time and money to place new physical servers.

  • Larger Server Networks: Fake locations allow VPN providers to increase the size of their server network. Grand marketing claims such as “1070+ VPN servers in 210+ countries” are increasingly popular in the VPN industry. While large networks can prevent congestion by providing a larger pool of IP addresses, it’s possible that a provider might focus on the number of servers in its network and ignore their quality.

There are also some legitimate concerns when it comes to using fake server locations:

two small illustrations depicting the disadvantages of using virtual/fake server locations

  • Dangerous Jurisdictions: One important factor to consider when choosing a VPN server to connect to is how privacy-friendly the authorities in that location are. Every country has different laws and practices when it comes to logging and data sharing, which we refer to as VPN jurisdictions. It becomes much harder to assess the impact of a jurisdiction on your privacy if your provider is using virtual locations.

    If you’re trying to avoid your data travelling through the US, you’d want to avoid a fake server location in Hong Kong that was actually located in America, for example.

  • Slower Speeds: Some users might purposefully connect to a VPN server that is close to their real location in order to maximize connection speeds. If the server is actually physically located elsewhere, the user will likely face slower speeds than anticipated.

Our Verdict on Fake Server Locations

Overall, fake server locations can be both beneficial and detrimental to VPN users. The key is transparency.

If VPN providers are open and honest about when and where they use fake locations then the disadvantages of them are largely mitigated. If it is clear where a server is actually located, users who want to avoid certain jurisdictions or optimize their connection speeds will be free to do so.

Which VPN Providers Use Fake Server Locations?

There are honest VPN providers that have taken a transparent approach to servers and fake locations. However, there are still many providers using fake server locations without publicly disclosing it.

We’ve spoken to a number of VPN companies that are keen to emphasize that they do not use fake server locations. This means all of their servers are physically located in the country advertised. These providers include:

  • CactusVPN
  • IPVanish
  • NordVPN
  • PrivateVPN

However, fake server locations aren’t an issue as long as the VPN provider is transparent. The following VPN providers are open about their use of virtual locations:

  • CyberGhost
  • ExpressVPN
  • HideMyAss (HMA)
  • PureVPN
  • Surfshark
  • VyprVPN

While we commend all of these providers for their honesty, only ExpressVPN and HMA inform users where their servers are actually located. The other providers acknowledge that their server locations are fake without stating where that server’s true location is.

Users can use that information to avoid fake server locations altogether, but it would be more beneficial if they could see where each server is physically located. That way, users can judge for themselves whether connecting to a particular server would reduce their connection speeds or involve an undesirable jurisdiction.

We urge the other providers on this list to follow ExpressVPN and HMA’s lead by publicly disclosing the true location of their VPN servers.

Summary: What Do You Need To Know About VPN Servers?

This report has covered a number of important topics related to VPN servers. To summarize:

  1. Server Ownership: VPN providers can either rent or own the servers that form their network. Though concerns are often raised over the safety of rented VPN servers, these are mostly mitigated by the use of Remote Console Access. As long as the VPN provider is rigorous in its vetting of data centers and diligent in its remote monitoring of the server, rented servers shouldn’t be an issue for the majority of VPN users.
  2. Virtual and Physical Servers: VPN servers can be either physical or virtual. From a user’s perspective, the difference between these two is usually unimportant. The only danger arises when providers use general-purpose cloud hosting services to rent just a virtual server. When providers don’t also own or rent the underlying physical hardware, they put their user’s privacy at risk.
  3. Fake Server Locations: VPN servers can be physically located in a different location to the IP address they announce. This practice is only problematic for VPN users when providers are not transparent about it. If a provider is explicit about which of its servers use fake locations, and where those servers are really located, then fake server locations are not a threat to users.

This all serves to highlight the huge variation in how commercial VPN services choose to implement their networks. Often, users aren’t privy to these nuances or simply don’t consider them. This makes picking the right VPN provider all the more important.

If you’re truly concerned about privacy and security online, you need to be using a paid VPN service that is transparent and trustworthy when it comes to issues such as data center vetting procedures, the use of fake server locations, and not using rented virtual servers.

While we can’t expect every provider to own their network outright or openly discuss every detail of its operation, we should be holding the industry accountable when it comes to acknowledging the way in which VPN servers are implemented and how this can affect users.

With greater transparency, users will be able to make informed decisions about who to trust with our data and which VPN service is right for us.

If you are concerned by the issues discussed in this report, then three of the best VPN services for you currently are:

  • Private Internet Access (PIA): Audits data centers with a ‘stringent vetting process’, and explicitly avoids using virtual servers.
  • ExpressVPN: Leads the industry in transparency when it comes to fake server locations.
  • AzireVPN: One of the few providers to own its entire server network, and openly criticizes the use of rented virtual servers.

How to Test Your VPN Server For a Fake Location

In this section we’ll teach you how to discover where a VPN server is really located.

Using a few online tools, you can find out whether your provider is being honest about its use of fake server locations.

These tests might seem daunting at first, but we’ll walk you through a simple step-by-step process that you can use to test your VPN server’s physical location. We’ll then present a few case studies so you can see the testing process in action.

1Find the VPN Server’s IP Address

To start, you’ll need to identify the IP address of the VPN server you want to test.

The easiest way to do this is to connect to your VPN server of choice and head to our IP checker tool. It’ll show you your current public IP address.

EXPERT TIP: If your geographic location is showing up as similar to your true location, it’s possible your VPN is leaking. To check whether this is the case, use our VPN leak test tool.

2Ping the VPN Server From a Range of Locations

A ping test measures the time it takes for a request to be sent to a server and for a response to be sent back. This helps test the rough distance between two points in a network: the higher the ping, the longer the distance between the two points.

To test where your server is physically located, you need to ping it from a number of locations around the world. By finding the lowest ping rate we can hone in on the server’s real physical location.

There are a number of online tools that allow you to run a ping test on a specific server from multiple locations worldwide. Our favorite is the CA App Synthetic Monitor ping tool, but you can also use MapLatency.com.

screenshot of a ping test to determine a VPN server's true location

To begin, enter the VPN server’s IP address into the search box at the top and click the start button.

The tool will ping the server from each of their monitoring stations and record how long it takes. The CA App Synthetic Monitor tool has over 50 stations located around the world.

In this tool, rtt stands for ‘round trip time’ and refers to the amount of time (ms) it takes for a signal to be sent and an acknowledgement of that signal to be received.

You can analyze the results of this ping test to see which locations have the lowest round trip time and then infer the rough physical location of the server from there. Networking complications can sometimes lead to anomalous results, so the “minimum rtt” figure is usually the most reliable number to use.

If the rough location you can infer from the shortest round trip time differs significantly from the VPN server’s advertised country, it is likely that the server is using a fake location.

3Run Traceroute Tests to Investigate the Findings

Using the traceroute tools offered by Looking Glass or CA App Synthetic Monitor, you can plot a data packet’s journey through the network from a monitoring station to your chosen VPN server.

The number of network hops, the location of the network hops, and the transmission time all help you investigate where your server is really located.

a traceroute test from a monitoring station Charleston, South Carolina

To start, run the traceroute that should be the closest to the VPN server. In other words, select a location that is as close as possible to the server’s advertised country.

Then, test the locations which had the smallest round trip times in the initial ping test.

Roughly speaking, if these locations show faster speeds and fewer network hops than the advertised location, it’s likely that your server’s location is fake.

4Verify Your Results With a Separate Ping Tool

Network variability can sometimes lead to anomalous results, so it’s worth running each of the above tests multiple times in order to ensure your results are reliable. To finish, it is also worth running a second ping test, using a different online tool.

We like to use ping.pe as it has a good range of monitoring locations.

Input your server’s IP address in the box at the top and the tool with start pinging it from a range of locations. The ping times should hopefully match your previous findings, giving an indication of your server’s true location.

screenshot of a ping test to determine a VPN server's real location

With these four easy steps you should be able to get a rough idea of where your VPN server is physically located. If the country you’ve found differs significantly from the location of the server’s advertised IP address, you’ve probably found a fake VPN server location.

It’s worth noting that this is not an exact science. Ping time is an indicator of geographic location, but a number of factors can distort it. The steps described in this guide will give you a rough idea of where a server is (or is not) located, but you should be wary of using these methods to draw definitive conclusions.

In the remainder of this report, we’ll run through a few case studies to demonstrate the investigation process in action.

Case Study #1: ExpressVPN

ExpressVPN offers users a server in Vietnam, but is transparent about the fact that it is a fake location. The server is actually located in Singapore.

We can verify that this is indeed a fake location using the steps described below.

1Server’s IP address:

We can see the server’s IP address by connecting to ExpressVPN’s Vietnam server and checking browserleaks.com.

browerleaks.com screenshot showing ExpressVPN's Vietnam server's IP address

2An initial ping test strongly suggests the server is physically located in Singapore and not Vietnam.

When we pinged the VPN server from a range of global locations, the shortest ping times came from Singapore, India, and China – with Singapore being the fastest by a significant margin.

ping test results from ExpressVPN's Vietnam server showing a 0.945ms ping from Singapore

Shortest Pings:

    1. Singapore — Singapore (0.945ms)
    2. India — Chennai (33.227ms)
    3. China — Hong Kong (37.918ms)
    4. India — Bangalore (38.497ms)
    5. India — Mumbai (60.718ms)

In contrast, a ping from Ho Chi Minh City – where the IP address is registered – took a minimum of 74.881ms.

ping test results from ExpressVPN's Vietnam server showing a 74.881ms ping from Vietnam

The 0.945ms ping time from Singapore is significantly smaller than those from other locations. This alone is enough to infer a better idea of the server’s real location.

However, some small calculations show us that, even moving at the speed of light (300km/ms), data from the Singapore monitoring station can travel a maximum of 283km in 0.945ms. The data has to travel to and from the VPN server in this timeframe (0.945ms).

As the shortest distance between Singapore and Vietnam is 1,488km, this makes it impossible for the VPN server to be located in Vietnam.

We can therefore conclude with confidence that the ExpressVPN Vietnam server is not physically located in Vietnam. It is most likely based in Singapore, just as ExpressVPN states.

3Our findings are supported by a traceroute and a separate ping test.

When we cross-checked our results with a traceroute test and with a separate ping tool, we found very similar stories.

Although the ping.pe tool doesn’t have a monitoring station in Vietnam, the extremely low ping times recorded at the Singapore monitoring station strongly suggest this VPN server is physically located in Singapore.

ping test results from ExpressVPN's Vietnam server showing a 1.13ms ping from Singapore

Case Study #2: CyberGhost

Like ExpressVPN, CyberGhost is transparent about which of its servers use fake locations. Unfortunately, it isn’t also transparent about where these servers are actually located.

CyberGhost state that their Isle of Man servers use virtual locations.

We used the methods described in this section to investigate where these VPN servers are really located.

1Server’s IP address:

When you connect to a CyberGhost server location, the application helpfully tells you what your new IP address is. We confirmed this using several IP address checking tools.

2An initial ping test suggests the VPN server is located in Western Mainland Europe.

When we pinged the VPN server from global monitoring stations, the results indicated that it was located in mainland Europe, near the Netherlands or Belgium.

Shortest Pings:

    1. Netherlands — Eemshaven (4.901ms)
    2. Belgium — St. Ghislain (5.691ms)
    3. Germany — Frankfurt (8.017ms)
    4. UK — London (8.638ms)
    5. Denmark — Copenhagen (13.007ms)

ping test results from CyberGhost's Isle of Man server

3Traceroute testing suggests the server might be located in Amsterdam, Netherlands.

We ran a traceroute on Looking Glass comparing Dublin (which is closest to the Isle of Man geographically) and Amsterdam.

The results showed an increased transmission time and several additional network hops when connecting to the server from Dublin as opposed to from Amsterdam. Also of interest was that network hop 3 in the Dublin traceroute connected it to the Amsterdam internet exchange.

This all suggests that the VPN server is not located in the Isle of Man, but is probably based somewhere closer to Amsterdam, Netherlands.

traceroute tests from Dublin and Amsterdam to the CyberGhost Isle of Man VPN Server

Traceroute tests from Amsterdam (top) and Dublin (bottom) to CyberGhost’s Isle of Man VPN server

4A second ping test supports our findings that the VPN server is most likely located somewhere in the Netherlands.

We then cross-checked our findings with a ping test tool that uses a monitoring station in Amsterdam. The ping time averaged under 2ms.

ping test results from CyberGhost's Isle of Man server

With a bit of math, we can work out that the furthest possible distance our VPN server can be from Amsterdam is 177km. We get this from the speed of light (300km/ms) multiplied by the shortest ping time (1.18ms) and divided by two (because it’s a round trip).

When we plot this on map, we can see that it is highly probable the CyberGhost Isle of Man server is in fact located in the Netherlands — most likely somewhere near Amsterdam.

a map plotting an 177km radius around Amsterdam, Netherlands

CyberGhost’s Isle of Man server has to be within a 177km radius around Amsterdam, Netherlands (Map made using mapdevelopers.com).