The latency to your VPN server is a constant added to the latency between your VPN server and whatever servers you are connected to. As long as the user’s VPN service doesn’t use different VPN servers for different destinations, it is impossible to determine the location of the user behind the VPN based on latency, and in general it is impossible to determine how far a user is from their VPN server because of varying latency introduced by the user’s own network or by bad infrastructure at the local ISP level. You can only know how far they aren’t based on the speed of light across the surface of the earth.
But, without a VPN, this is a real attack that was proven by a high school student using some quirks of Discord CDNs. Even without using Discord’s CDNs, if somebody wanted to locate web visitors using this technique, they could just rent CDN resources like nearly every big company is doing. Of course, if you have the opportunity to pull this off, you normally have the user’s IP address and don’t care about inferring the location by latency. The reason why it was notable with Discord was because the attacker was not able to obtain the victim’s IP address.
You say what I described is impossible but it’s been demonstrated by researchers such as “CPV: Delay-Based Location Verification for the Internet” by AbdelRahman Abdou with the Department of Systems and Computer Engineering, Carleton University Ontario.
Furthermore, on top of that method, if a company has access to data from servers in multiple places along the chain between endpoints, then they can see that a series of packets of specific size are traveling in a specific direction, narrowing down the location of the other endpoint. A company like Amazon, whose AWS servers make up almost 30% of the internet.
One of the more convoluted methods to defeat this approach was to simply add more stops along the chain, fragment the encrypted data into multiple parts, and pass it along random paths to the endpoint. I believe, but I could be wrong, that Tor utilizes this method. The problem with that is: it’s slower.
The latency to your VPN server is a constant added to the latency between your VPN server and whatever servers you are connected to. As long as the user’s VPN service doesn’t use different VPN servers for different destinations, it is impossible to determine the location of the user behind the VPN based on latency, and in general it is impossible to determine how far a user is from their VPN server because of varying latency introduced by the user’s own network or by bad infrastructure at the local ISP level. You can only know how far they aren’t based on the speed of light across the surface of the earth.
But, without a VPN, this is a real attack that was proven by a high school student using some quirks of Discord CDNs. Even without using Discord’s CDNs, if somebody wanted to locate web visitors using this technique, they could just rent CDN resources like nearly every big company is doing. Of course, if you have the opportunity to pull this off, you normally have the user’s IP address and don’t care about inferring the location by latency. The reason why it was notable with Discord was because the attacker was not able to obtain the victim’s IP address.
You say what I described is impossible but it’s been demonstrated by researchers such as “CPV: Delay-Based Location Verification for the Internet” by AbdelRahman Abdou with the Department of Systems and Computer Engineering, Carleton University Ontario.
Furthermore, on top of that method, if a company has access to data from servers in multiple places along the chain between endpoints, then they can see that a series of packets of specific size are traveling in a specific direction, narrowing down the location of the other endpoint. A company like Amazon, whose AWS servers make up almost 30% of the internet.
One of the more convoluted methods to defeat this approach was to simply add more stops along the chain, fragment the encrypted data into multiple parts, and pass it along random paths to the endpoint. I believe, but I could be wrong, that Tor utilizes this method. The problem with that is: it’s slower.