VPNs have been a revelation since they first hit the scene. The network of VPN servers and their impressive encryption algorithms provide users with online anonymity and security, as well as a chance to spoof their online location.
Using a Virtual Private Network (VPN), a user can pretend to be in an entirely different country. This allows you access to content restricted to a particular region/country; helps you bypass restrictions by your Internet Service Provider (ISP); and gets you past government censorship.
But how does a VPN really work? For most VPNs, the claim is that they have servers in different countries and cities. The nearer a server is to you, the faster your connection. Likewise, the server location is key to unblocking content and bypassing censorship.
In reality, VPN providers may not actually have real servers in the locations they claim. Why so? To understand why, we first need to understand what VPN servers are, how they operate, and what the ownership of a VPN server may look like.
Once you’ve installed a VPN client on your device, you’d find a list of server locations from which you can choose. This typically includes servers in different countries – and different cities within those countries.
Once connected to a particular location, your traffic is encrypted and routed through the server on its way to its eventual destination. But what exactly is this server?
You can think of a VPN server like an encrypted tunnel. Except this tunnel is a computer in a different location. The computer intercepts your web requests, encrypts them, and delivers them safely to their destination.
By the time your request arrives at the target website, your IP will have been transformed to one associated with the VPN server. The target website then interprets your location as that of the intermediary VPN server, rather than your original location.
The response to your request is equally encrypted and transmitted through this tunnel before it is decrypted and loaded onto your device.
I know what you’re thinking. Certainly, the VPN provider must own the servers they use, yeah? Unfortunately, this isn’t always the case and server ownership can be a well-kept secret.
VPN services are unable to own all of the servers they use for different reasons. For instance, it may be impossible to own servers in certain locations. Sometimes, though, it’s simply cheaper to let others handle the overhead costs of server ownership and maintenance.
Whatever the reasons, a VPN provider may not own all of the servers in its fleet. Indeed, providers like HideMyAss! (HMA), NordVPN and Windscribe, among others, openly state that they rent some of their servers.
This shouldn’t be a problem, so long as the VPN provider can vouch for the integrity of the servers they use. It’s also important that VPN providers are upfront about the ownership of their servers so subscribers can decide if they’re okay with that.
The real problem is a lack of transparency around rented servers. Some simply don’t disclose the fact they’ve rented their servers, while some disclose this but say nothing about their vetting process. If a VPN provider isn’t honest enough about their servers, how can you trust them with your data?
With servers, either the VPN company owns the servers or it doesn’t. However, that’s just the basics. Digging a little deeper, you’d find that server ownership could take a multitude of forms and sizes.
So, what server options are available to each provider? Consider four of them:
For the most part, this is what you think about when you hear of a VPN server. A room owned and managed by your VPN provider which hosts all of the servers they need. Perhaps, you even believe there’re a number of rooms like this scattered around the world for their different target locations.
On-site ownership of servers is the ideal for any VPN provider. Here, the company buys, installs, maintains and services its servers by itself. Everything about the servers and the location they’re stored belongs to the VPN company.
These types of servers can only be accessed by trusted, authorized individuals from the company. No mysterious third party may somehow access this center physically.
It goes without saying that these types of servers are ideal for privacy and security. The provider knows all there is to know about the server, its hardware and supporting infrastructure. They also hold the key to the security of the servers.
Most importantly, this form of ownership keeps third parties at bay, preventing them from logging your activities against your provider’s wishes. Unfortunately, this isn’t always practical.
Owning and running a data center is expensive and tedious. The alternative – owning servers in multiple physical locations – is even more expensive.
First-party ownership of servers is expensive. A data center (which is where servers are stored) requires the purchase of servers, backup servers in case of failures, cooling facilities, bandwidth facilities, and skilled personnel for management. Data centers also limit possible expansion in the future.
Renting servers contrasts sharply with owning them yourself, but it’s much cheaper for VPN providers. Here, the VPN company simply rents the servers available in an existing data center for a period of time.
The data center buys, installs, and manages the hardware of the servers in its center. The renter, on the other hand, buys one for a period and remotely controls it without having to come on-site.
Theoretically, this means the data center operator could tamper with the servers and alter them to suit their needs. But this isn’t necessarily so. Real-time logging and Remote System Management Cards allow VPN operators to closely monitor every single action taken on their servers.
So, while third parties have access to your servers, this access is fettered. Intrusive tampering could lead the provider to investigate and shut down operations. And every modification is noticed and vetted by the provider.
Interestingly, because rented servers are closer to an internet exchange than privately owned servers, they typically make for faster connections. This is because the servers are all connected to the data center’s large network.
But this is also problematic. It means the data center could use the upstream of their servers to monitor, and even mirror all of the activities on the servers. While providers may vet their centers, intrusive privacy laws could lead government agencies to force this form of monitoring.
A co-located server is a hybrid between on-site ownership and rented servers. Here, the VPN company buys and installs the VPN servers… in an existing data center. So, while they do not own the center, they own the servers and store them in a secure closet within the center.
Co-located servers are fully serviced by the VPN provider. This means they know all there is to know about their hardware, and can physically audit and inspect them. Like rented servers, they may also employ remote management systems to remotely monitor and prevent possible tampering.
Co-located servers also benefit from being in close proximity to a large server network. The internet exchange improves connection speeds. Scaling is also much easier as VPN providers can focus their energy on meeting customer demands, while spending much less on server operations.
As with all hybrids, co-located servers import problems from both sides. On the one hand, they remain more expensive than server renting due to the cost of purchase and management.
With the right form of encryption, VPN servers in third-party data centers are near impossible to penetrate, but they’re not 100% risk-free.
On the other, the privacy concerns of rented servers remain. Although they can’t be physically tampered with, their connection to the data center’s network keeps them vulnerable to third parties monitoring and mirroring their activities.
While all of the options above involve the VPN provider having some form of ownership over the servers, there’s a fourth option – own nothing but your space.
Virtual servers run on physical servers. But there’s a world of difference between them. Here, virtualized environments are created to run on existing physical servers. The server behavior remains similar to a physical server without the physical component.
A physical server can host multiple virtual servers, each running in its own virtual machine on the server. The VPN virtual machine is essentially a localized environment with all of the software and encryption of a typical VPN server. Each virtual machine is separated by software from the others and from the physical server. Indeed, two virtual machines on the same physical server could run two different operating systems.
If the physical server is owned and operated by the VPN provider, a virtual server is hardly different from a physical one.
Because virtualization allows for multiple servers on a single piece of hardware, it improves efficiency and reduces cost. Virtualized machines are also much easier to migrate from one physical server to another in case of failure.
Unfortunately, with virtualization comes the chance of owning a server without owning the underlying hardware. Indeed, virtual servers are typically associated with cloud-hosted servers.
Here, the VPN provider rents a virtual space on a physical server to host their VPN. They own neither the physical hardware nor the virtual machine. The hosting service owns and runs both, renting out available spaces to interested parties who use them as they please.
With the rise of CPU side-channel attacks like Meltdown and ZombieLoad, cloud-hosted VPNs have become a huge risk. These attacks seek out vulnerable virtual machines on the server. Once they find their way in, they can view – or even control – activities on other virtual machines.
In terms of performance, virtual machines are mostly slower than physical servers. Considering they only use a portion of the CPU on which they run, that’s hardly a surprise. But this means you’d have to endure the slower speeds and performance as a VPN user.
Otherwise known as virtual locations, fake server locations are often confused with virtual servers. But they’re hardly the same.
For the average VPN user, a VPN’s claim to have servers in multiple locations around the globe translates to owning some form of hardware in those countries.
But this isn’t always the case. VPN providers sometimes use virtual locations to provide access to certain locations without actually owning servers in those locations. For instance, a VPN may have servers that provide users with Scottish IP addresses while the physical servers are in London.
To understand how fake locations work, we must understand how websites work. For a website, your geolocation is a factor of the location associated with your IP address. Therefore, it’s the location of your IP address and not the server that counts.
When running virtual locations, VPN providers purchase blocks of IP addresses from the target location’s associated registry. With a little tweak to the routing protocol, they can lock in these IP addresses to servers in other locations.
For instance, a VPN provider could purchase a block of Barbadian IP addresses from ARIN – the registry in charge of North American IP addresses. With this IP locked into one of its servers in the US, it can claim to have a server in Barbados.
When it first came out that VPN providers may use fake locations, there was understandably widespread outrage. It feels like a clear betrayal – even outright deceit – to have servers in one location and claim them in a different location. But is there a reason for this?
Explaining its position in light of the scandal, ExpressVPN claimed it’s virtually impossible to obtain physical servers that match its lofty standards in particular locations. Using a nearby server allowed them to provide IP addresses with endpoints in the desired location without compromising the quality of their service.
Indeed, certain countries are known for their poor power or internet infrastructure, both of which make it impossible to properly run a server in the country. Virtual locations may also be used to avoid authoritarian governments where VPNs are banned, or where they’re compelled to provide access to their data.
Importantly, though, the use of fake locations allows VPN providers to scale faster. VPN services are known to boast about the number of servers – and number of locations – in their network. And this growth is much faster while using virtual locations. Virtual server locations also allow for testing of new in-demand locations at little overhead cost.
The intentions behind fake server locations seem to be as pure as they come. They’re cheaper and allow for entry into difficult in-demand markets. But the lack of transparency around them remains a big issue.
So long as a VPN declares its fake locations – and the actual server locations – upfront, there shouldn’t be an issue. Users can carefully decide if they’re okay with their options from the beginning.
Where VPNs are transparent about their use of fake locations, users can carefully assess their options. For instance, a user that doesn’t feel comfortable with Chinese data privacy laws will hardly choose a so-called Cambodian server that’s actually based out of China.
Fake server locations may also slow your connection. For instance, a server may be said to be in Ghana when it’s actually in faraway Switzerland. Users in Ghana seeking to connect simply to protect their online privacy will find this server very slow to use due to the distance of travel.
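Distance also gives users a way to test a location claim, because a round trip cannot be faster than light in fibre allows. The sketch below is an added example, not part of the original article or any provider's tooling: it flags a claimed server location as physically impossible when a probe's measured round-trip time is lower than the minimum for that distance. The probe names, coordinates, RTT values and the 200 km/ms fibre speed are assumptions constructed for illustration.

```python
import math

# Assumption: light in optical fibre covers roughly 200 km per millisecond
# (about two thirds of c). Real network paths are slower, never faster.
FIBRE_KM_PER_MS = 200.0
EARTH_RADIUS_KM = 6371.0

def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def min_rtt_ms(distance_km):
    """Lowest round-trip time physics allows over that distance."""
    return 2 * distance_km / FIBRE_KM_PER_MS

def check_claim(claimed, probes):
    """Return the probes whose measured RTT is too low for the claimed location.

    probes: list of (name, (lat, lon), best_rtt_ms). An empty result means the
    claim is not refuted; it does not prove the server is really there.
    """
    violations = []
    for name, coords, rtt in probes:
        floor = min_rtt_ms(great_circle_km(coords, claimed))
        if rtt < floor:
            violations.append((name, rtt, round(floor, 1)))
    return violations

# Constructed sample data: city coordinates are approximate, RTTs are invented.
ACCRA = (5.60, -0.19)      # server advertised as being in Ghana
LONDON = (51.51, -0.13)    # server advertised as being in the UK
PROBES_A = [("zurich", (47.38, 8.54), 3.0), ("accra", (5.60, -0.19), 95.0)]
PROBES_B = [("frankfurt", (50.11, 8.68), 14.0), ("zurich", (47.38, 8.54), 21.0)]

if __name__ == "__main__":
    print("Accra claim violations:", check_claim(ACCRA, PROBES_A))
    print("London claim violations:", check_claim(LONDON, PROBES_B))
```

Use the lowest RTT seen over several measurements from each probe, since congestion only ever adds delay.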
A lot goes into the setup and management of a VPN service. As the market becomes more competitive, it’s understandable that providers seek out measures to lower operating costs and make their services cheaper. It’s hardly a surprise, then, that high performing free VPN servers are a rarity.
Whether this comes in the form of virtual servers, fake/virtual locations, or rented servers is entirely up to the VPN provider. But it’s also up to you to decide what it is you’re comfortable with. This makes it important that VPN providers are upfront about the what’s what of their services.