VPN virtual locations: what are they and are they secure?
Virtual server locations are getting widespread lately
Over the last few weeks, some of the best VPN services have been announcing their decision of going virtual to protect the privacy of users from India's new data law.
This means that subscribers can still connect via an Indian IP despite the closure of the physical servers within the country. How? Their VPN traffic will be rerouted through some safer servers outside India's borders but with a spoofed Indian IP.
This tactic is not really new, though, and has been used for quite a while now. From a logistical point of view, it can help expanding a network at minimal costs, or, as is the case with India VPNs, virtual locations can bypass intrusive laws and other restrictions.
At this point you might be wondering whether these virtual locations are as safe as standard servers. And what's the role of VPN servers in user data protection, anyway?
Read on and we'll explain how different VPN servers work, the pros and cons of virtual server locations, and what experts and providers think about their safety.
How does a VPN server work?
You can think of a VPN server like a very powerful computer designed to host and deliver the encrypted tunnel responsible to protect your data. Once you're connected to it, your IP address will appear to be the one of your chosen server instead of your actual location.
Put simply, VPN servers act like the middle-man between your device and the internet. Every time you access a website, the server decrypts your traffic to send it to the intended destination. It then encrypts any information before reaching back to your device.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
When a VPN gets hacked - like the 2018 NordVPN breach - it means that its servers have become compromised. That's why it is extremely important to understand if your VPN takes all the right measures to guarantee your data protection, no matter the type of server running.
Virtual servers vs physical servers
Even though they deliver the same functionality, VPN servers can be both physical or virtual.
As the name already implies, physical servers are physical machines stored in a data center. The IP address generally coincides with their actual location. This is beneficial for data security reasons as the provider is usually the owner of the data center. There are also some functionality advantages. Physical servers are easier to set to specific requirements. Plus, because their processing power isn't split across different virtual locations, end users may get faster connection speeds.
On the other hand, virtual servers operate in a virtualized environment, simulating the work of their physical counterparts. That means that VPN providers can use fewer machines in a data center to provide multiple virtual servers, each assigning users totally different IP locations. This can help enlarging a VPN network while cutting infrastructure's costs. However, if the physical machines become overwhelmed with work, that can affect VPN performance.
Virtual servers vs virtual server locations
Despite the similarity between the two terms, virtual servers and virtual server locations describe two very different concepts.
A virtual server is infrastructure running through virtual machines connected to a physical server. In contrast, virtual or fake server locations mean that there is a discrepancy between the VPN server’s physical location and its IP address. This happens when providers spoof the geo-location on a block of IP addresses which can then be assigning to servers based elsewhere - whether these are physical or virtual ones.
For instance, ExpressVPN now offers some virtual locations to allow people in India to browse with a secure Indian IP. This means that their connection will be rerouted outside the country, passing through physical servers based in Singapore and in the UK.
ExpressVPN removes VPN servers in India. Users will still be able to connect to VPN server locations that will give them Indian IP addresses. Read more: https://t.co/JpCWXW1DcbJune 2, 2022
And it's not just India. The VPN provider has also implemented fake locations in other countries that lack reliable internet infrastructures. They include Malaysia, Cambodia, Malta and Myanmar.
Bear in mind, of course that, as an ExpressVPN spokesperson told TechRadar: "All virtual locations are linked to physical servers and have a server physically located in another country."
Surfshark, CyberGhost, PureVPN and Private Internet Access (PIA) are among other VPN providers implementing virtual server locations.
Virtual server vs virtual private server
There's a final distinction that's also worth clarifying: virtual servers and virtual private servers (VPS).
Even though quite similar in terms of infrastructure, an important discrepancy is around their ownership. While virtual servers are run on physical servers owned by the VPN provider, VPS requires renting virtual space from a third-party shared data-hosting service.
Theoretically, a VPN service can decide to build its virtual server or virtual location on a VPS hosting-base. It's an effective way to cut costs and operations of running their own dedicated data centers. However, this practice involves more risks for the user data security because a VPS is more vulnerable to side-channel attacks.
What are the pros of using a virtual server location?
As we have seen, providers might employ virtual server locations for different reasons.
First of all, a virtual location can expand the VPN server network to countries that lack reliable internet infrastructures. While cutting operational costs, they may also result in better performance speeds than a local equivalent and less risk for the end users as their data doesn't have to pass through unsecure data centers.
As in the case of India, providers might set up virtual server locations to avoid compliance with authoritarian governments' intrusive regulations. This has already happened with some Turkey VPNs before, for example. It means that the server cannot be seized by the authorities, plus, the provider doesn't have to gain access for maintenance.
Virtual locations are also beneficial when providers want to test new IP locations. It allows them to understand whether or not it's worth investing in actual physical servers within a country beforehand.
And the disadvantages?
On the other hand, there are a few factors to keep in mind when using a virtual server location.
To start off, you should take into consideration the degree of risk of the VPN jurisdiction that applies to the physical location from where your connection will be rerouted. For example, if you want to avoid your connection passing through the US and the UK - both founder members of the Five Eyes alliance who are famous for invasive surveillance practices - you might want to avoid to connecting to fake locations that are linked to physical data centers based in these countries.
We said before that, at times, the VPN performance can be better compared to the actual location. However, this isn't always the case. Let's say that you are in Egypt and you want to browse safely with a local IP with your ExpressVPN account. You can do that, but your connection will be rerouted via a server located in the Netherlands. That means that you are likely to experience slower speeds because, as a rule of thumb, the closer a server is to your physical location, the faster your connection will be.
Are VPN virtual server locations really safe?
We asked VPN providers about their server choice and, while all claimed not to use virtual servers for security reasons, we found mixed responses and approaches to the usage of virtual locations.
For example, an ExpressVPN spokesperson told us: "There’s no incremental risk or disadvantage of using a virtual location per se, it all depends on how they are operated by the individual provider."
ExpressVPN uses TrustedServer technology to make sure that any user data cannot be logged on their servers, even accidentally. They also claim to use unique encryption keys for each server so that, in case one of them gets compromised, hackers are prevented from accessing others. Plus, the provider carries out regular independent audits to assure that its VPN infrastructure works exactly as it claims.
"In some circumstances, virtual server locations increase security when the alternative - having a server physically located in a given country - poses privacy or security risks," said the spokesperson.
It was a similar response when we contacted other VPN companies including Surfshark, PIA and PureVPN. They all seem to operate on a RAM-only infrastructure to prevent their servers from collecting data. They also all claimed to use high security practices to protect their data centers, of course.
Despite not having any active virtual locations at present, IPVanish is considering setting some up to bypass new India's data law.
Among the VPN companies interviewed, ExpressVPN is the only provider to list its virtual locations along with their matching physical servers. Surfshark and PureVPN label theirs but without specifying where the connection passes through.
While PIA told us that, at the moment, virtual locations don't benefit from any special labels on their user-interface to set them apart, and that could be a problem for users who want to be able to trace back the exact routing of their connection at all times.
Windscribe fears other problems. Although it doesn’t think that fake locations are inevitably less secure, it explained that they might create operation security challenges to users. People connect to a server thinking they'll be subjected to one set of local laws and instead have their connection rerouted to another country without them knowing it. For that reason, Windscribe chooses not to offer any virtual locations to its users.
"We think it's dishonest to offer 'virtual' locations, just to pad the number of 'servers in X countries' metric on the sales page," they said.
Hide.me was equally opposed to virtual locations when asked. With reference to India, the provider claims that geo-located IPs can be easily detected and if you route traffic to an Indian proxy server, you might fall under the CERT-in directive.
"So, ultimately there’s no secure way of offering services through an Indian server," said Hide.me. "Many providers just do not care too much about real privacy, as well as many users…”
In contrast, NordVPN took a less hardline stance on the matter. "While we don't think that virtual servers are inherently less safe, for now we hope to meet our customers' needs without relying on virtual IP addresses. We believe that we are going to find a way to meet the requirements of all of our customers, regardless of their location.”
VPN servers have a huge role when it comes to protecting your data. That is why it is important to understand how your information is treated and, also, from where your connection is rerouted - no matter the type of server employed.
As TechRadar cybersecurity specialist Mike Williams states: "It’s arguably a little dishonest, though, if the provider isn’t transparent about what they’re doing.
"Is this really a safety issue? Not a huge one, but it’s a legitimate concern, and providers should still be clear to their users about the service they’re providing, so that users can make up their own minds."
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com