One of my friends traveling to China recently asked me about some deals for VPN providers to bypass the Great Firewall and asked specifically about a few providers. Two of these caught my eye for a number of reasons, so let's start.
They share the same locations for the most part, and on top of that both participate in a very amusing practice of fake locations without disclosing that they're fake. These "locations" use falsified WHOIS information to spoof their location, while not having servers there. They are then advertised as actual locations. Here's an example from Ivacy.
```
airbears2-10-142-32-120:~ hzr$ traceroute lu1.dns2use.com
traceroute to lu.pointtoserver.com (220.127.116.11), 64 hops max, 52 byte packets
 1  xe-1/2/0-543.inr-306-sut.berkeley.edu (10.142.128.1)  1.499 ms  1.443 ms  1.117 ms
 2  t5-4.inr-202-reccev.berkeley.edu (18.104.22.168)  2.124 ms  1.642 ms  1.481 ms
 3  xe-5-2-0.inr-001-sut.berkeley.edu (22.214.171.124)  1.459 ms  1.601 ms  1.412 ms
 4  dc-sfo-agg-1--ucb-10ge.cenic.net (126.96.36.199)  2.356 ms  2.346 ms  2.358 ms
 5  dc-svl-agg4--sfo-agg1-10ge-2.cenic.net (188.8.131.52)  4.016 ms  3.945 ms  4.087 ms
 6  10-1-1-91.ear1.sanjose1.level3.net (184.108.40.206)  3.713 ms  4.197 ms  3.819 ms
 7  ae-1-9.edge2.sanjose3.level3.net (220.127.116.11)  4.120 ms  4.353 ms
    ae-3-19.edge2.sanjose3.level3.net (18.104.22.168)  4.057 ms
 8  xe-5-2-0.cr0-sjc1.ip4.gtt.net (22.214.171.124)  3.972 ms  4.188 ms
    tinet-level3-xe.sanjose3.level3.net (126.96.36.199)  4.122 ms
 9  et-7-3-0.cr1-atl1.ip4.gtt.net (188.8.131.52)  62.513 ms  62.435 ms  62.497 ms
10  as53889.xe-2-2-2-40.cr1.atl1.us.as4436.gtt.net (184.108.40.206)  62.523 ms  62.475 ms  62.718 ms
^C
airbears2-10-142-32-120:~ hzr$ ping 220.127.116.11
PING 18.104.22.168 (22.214.171.124): 56 data bytes
64 bytes from 126.96.36.199: icmp_seq=0 ttl=117 time=71.173 ms
64 bytes from 188.8.131.52: icmp_seq=1 ttl=117 time=72.093 ms
^C
--- 184.108.40.206 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 71.173/71.633/72.093/0.460 ms
```
I am reasonably sure that Luxembourg is not 60-70 milliseconds away from California. However, AS53889, Micfo LLC, just so happens to have a datacentre in Atlanta that is also announcing that /24 prefix.
Same goes for another randomly picked location, Turkey.
```
airbears2-10-142-32-120:~ hzr$ ping tr1.dns2use.com
PING tr.pointtoserver.com (220.127.116.11): 56 data bytes
64 bytes from 18.104.22.168: icmp_seq=0 ttl=108 time=72.314 ms
64 bytes from 22.214.171.124: icmp_seq=1 ttl=108 time=72.010 ms
64 bytes from 126.96.36.199: icmp_seq=2 ttl=108 time=73.958 ms
^C
--- 188.8.131.52 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 72.010/72.761/73.958/0.856 ms
```
72ms from California to Turkey is generally not a thing. However, that seems about right for Colocrossing Buffalo, NY, which announces this prefix via reseller B2 Net Solutions.
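The latency argument above can be checked against a physical floor: a reply cannot arrive faster than light crosses the great-circle distance in fibre and back. This is an added example, not part of the original post; the coordinates, the 2/3 c fibre factor and the use of Istanbul as a stand-in for "Turkey" are assumptions made here, while the two ping summary lines are the ones shown above.

```python
import math
import re

C_KM_PER_MS = 299.792458      # speed of light in vacuum, km per millisecond
FIBRE_FACTOR = 2 / 3          # assumption: light in fibre travels at roughly 2/3 c
EARTH_RADIUS_KM = 6371.0

# Approximate (lat, lon) pairs, constructed for this example.
VANTAGE = (37.87, -122.27)    # Berkeley, CA, where the pings were run
PLACES = {
    "Luxembourg": (49.61, 6.13),    # claimed location of lu1
    "Istanbul": (41.01, 28.98),     # stand-in for the claimed "Turkey" location
    "Atlanta": (33.75, -84.39),     # where the traceroute's last hops are
    "Buffalo": (42.89, -78.88),     # where the tr1 prefix is announced
}

# Ping summary lines copied from the sessions above.
LU_SUMMARY = "round-trip min/avg/max/stddev = 71.173/71.633/72.093/0.460 ms"
TR_SUMMARY = "round-trip min/avg/max/stddev = 72.010/72.761/73.958/0.856 ms"

def great_circle_km(a, b):
    """Haversine distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def rtt_floor_ms(place):
    """Best-case RTT: straight fibre along the great circle, zero routing or queuing delay."""
    return 2 * great_circle_km(VANTAGE, PLACES[place]) / (C_KM_PER_MS * FIBRE_FACTOR)

def observed_min_ms(summary):
    """Minimum RTT from a macOS/BSD or Linux ping summary line."""
    m = re.search(r"=\s*([\d.]+)/[\d.]+/[\d.]+", summary)
    if m is None:
        raise ValueError("not a ping summary line")
    return float(m.group(1))

def physically_possible(place, summary):
    """False when the fastest observed reply beats the speed-of-light floor."""
    return observed_min_ms(summary) >= rtt_floor_ms(place)

if __name__ == "__main__":
    for place, summary in [("Luxembourg", LU_SUMMARY), ("Atlanta", LU_SUMMARY),
                           ("Istanbul", TR_SUMMARY), ("Buffalo", TR_SUMMARY)]:
        verdict = "possible" if physically_possible(place, summary) else "IMPOSSIBLE"
        print(f"{place:<11} floor {rtt_floor_ms(place):6.1f} ms, "
              f"observed {observed_min_ms(summary):6.1f} ms -> {verdict}")
```

Only the "impossible" verdict is conclusive: an RTT above the floor is consistent with a location but does not prove the server is there, since real paths add routing and queuing delay.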
To their credit, some locations are marked with hostnames beginning with vl (presumably meaning virtual location), but a large number of the ones not marked as such (which should therefore really be hosted there) are fake locations too. Most of the "VL" IPs are directly owned by PureVPN and have a netname of PUREVPN. However:
Both of these, the "fake" and "real" locations, aren't in Sweden. In fact, they even have the same IP.
```
$ host vlus-se1.dns2use.com
vlus-se1.dns2use.com is an alias for vlus-se.pointtoserver.com.
vlus-se.pointtoserver.com has address 184.108.40.206
vlus-se.pointtoserver.com has address 220.127.116.11
vlus-se.pointtoserver.com has address 18.104.22.168
vlus-se.pointtoserver.com has address 22.214.171.124
vlus-se.pointtoserver.com has address 126.96.36.199
$ host se1.dns2use.com
se1.dns2use.com is an alias for se.pointtoserver.com.
se.pointtoserver.com has address 188.8.131.52
```
At a cursory glance over just a random selection, a huge number of their locations are not actual locations. Even after removing all the vl-hostnames, a large number of the non-vl hostnames still resolve to mostly US-based providers (Pakistan is Micfo, Atlanta, GA, US; Venezuela is Micfo, Atlanta; UAE is Ecatel/Quasi Networks, Amsterdam, Netherlands; etc).
Pretty much, you're not getting the locations you paid for.
Just some similarities
Here's Ivacy's Windows app, from their own support page.
Here's PureVPN's app.
See any similarities? Additionally, almost all (if not all) of the locations directly point from Ivacy to PureVPN - dns2use is Ivacy's domain, pointtoserver is PureVPN's domain for server hostnames.
```
$ host ch1.dns2use.com
ch1.dns2use.com is an alias for ch.pointtoserver.com.
```
- Nowhere on Ivacy's site do they disclose the fact that your traffic is traversing PureVPN's network, domains, hostnames, or more (or disclose their connections).
- Ivacy is also well known on reddit for deceptive marketing.
- Ivacy appears to be banned from Slickdeals, likely for shill/spam. If you Google for the term `site:slickdeals.net "ivacy"`, you'll notice several threads that are now deleted. If you view the cached copy, you will notice that the usernames posting them are random combinations of female FirstLast, new signups, and only post Ivacy comments.
- PureVPN has the same deal. Search for `site:slickdeals.net "It just caught my eye on Facebook" + "purevpn"` and NicoleB4285, and PeterS3066, and "AshleyJ6475", and JeffD1766.