Generally speaking, VPN providers have the choice between renting or owning the servers in their network. Users should know whether their chosen service rents its servers because this can have important consequences for privacy, security, and performance.
Unfortunately, server ownership can often be a closely-guarded secret. Many VPN services are reluctant to disclose when they are using rented servers.
In this section we’ll introduce the different ownership options available to commercial VPN providers as well as the advantages and disadvantages of each.
Here are the three main options when it comes to server ownership:
- On-Site Ownership: The company purchases, installs, and maintains its servers itself. The servers are owned outright and stored somewhere on company premises, meaning only trusted employees have physical access to them.
- Co-Location Agreement: In a co-location agreement, the company owns and operates its servers but stores them off-site, usually in a data center. For a fee, the data center provides a rack for storage, air conditioning facilities, and a set amount of bandwidth. The company’s staff monitor the server remotely and visit the data center to repair hardware when needed.
- Rented Servers: It’s possible to rent servers straight from the data center. Otherwise known as dedicated or managed hosting, this method allows companies to forego the expense, time, and expertise required to purchase, install, and maintain a physical server. Instead, the data center handles everything on the hardware side and the company is given remote access to manage the software. Companies can also rent virtual servers. We’ll discuss these in the next chapter.
We’ll now discuss each of these ownership options in greater detail. Alternatively, you can skip straight to our verdict on how VPN server ownership affects users.
From a privacy and security perspective, the ideal VPN provider owns its entire server network and stores it on-site. This way, the provider knows everything about the hardware they use and also owns the surrounding network infrastructure.
This means that no one could physically access the VPN servers other than the provider’s employees. There is no hidden data center or mysterious third party with physical access to the servers.
More importantly, it also prevents other third parties from logging server activity. VPN logging policies apply only to the VPN company and not to any other parties they might work with. A “zero-logs” policy means very little to users if there is a data center monitoring server activity and collecting logs.
For this reason, first-party on-site ownership is the gold standard for VPN server networks when it comes to privacy. It is the only way to ensure that there is absolutely no third-party involvement beyond the company that users have explicitly chosen to place their trust in.
Unfortunately, in practical terms it is just not viable for a commercial VPN provider to run a server network that is entirely owned on-site.
Though great for security, on-site ownership simply isn’t a practical option for a commercial VPN company operating an international server network. Here’s why:
Huge up-front costs: The VPN provider would need to fund a network of servers, data center-grade power, bandwidth and cooling facilities, back-up hardware in case of failures, and a team of highly-skilled administrators. These costs can be enormous and would need to be multiplied for every additional location the provider wants to host a server in. It is far cheaper to host in a data center.
Weakened connection speeds: Data centers tend to be much closer to an internet exchange — in terms of network hops — than on-site servers. This can result in slower speeds and higher latency for users as their connections will have further to travel.
Small server networks: A key feature of any top-tier VPN is a large network of servers in a wide range of locations. However, on-site ownership restricts a provider’s ability to physically expand their network. To avoid using data centers, the company would have to own land in every location they want to place a physical server.
If a VPN provider wants the security benefit of owning its VPN servers without the practical implications of storing them on-site, its best bet is a co-location agreement with a trustworthy data center.
In the next section, we’ll compare co-locating with renting VPN servers, and assess whether you should avoid using VPN providers that rent their server network.
Co-Location Agreements vs. Rented Servers
In practical terms, most VPN companies have to make the choice between owning their servers through co-location or renting them from a data center.
Here’s how these two options compare when it comes to privacy and performance.
Privacy & Security
Co-located servers are purchased by the VPN company and hosted in a third-party data center. Usually, the server is locked in a cabinet where only members of the VPN provider’s staff are able to physically access it.
In contrast, rented servers are controlled remotely by the VPN company while the data center owns and manages the hardware.
As with on-site ownership, co-location gives VPN providers the benefit of knowing exactly what has gone into their server’s hardware. The ability to physically inspect and audit this hardware is often not possible when servers are rented.
By contrast, rented VPN servers are usually installed, monitored, and maintained by data center employees. In theory, this carries the possibility that a third party — unknown to the VPN user — has the ability to tamper with the server’s hardware.
In practice, however, renting VPN servers is often not the privacy concern it is reported to be.
Most modern servers are equipped with a Remote System Management Card. Combined with real-time system logging, this means that VPN providers are able to remotely monitor almost everything about a server’s operation, including any modifications made to its hardware.
This applies to both rented and co-located servers. If anything suspicious happens, the company is able to investigate it and shut down operations accordingly.
This largely protects rented VPN servers from the dangers posed by physical tampering.
Yes, third parties have increased physical access to a rented server than they do a co-located server in a locked rack — meaning the possibility of tampering is higher. But a good VPN provider can put in place a remote monitoring system that alerts it to any changes made to the server’s hardware, rented or otherwise.
The risks of physical tampering are therefore mitigated as providers are capable of remotely identifying any unexpected hardware modifications and acting appropriately.
The extent to which these risks are mitigated, however, depends entirely on how diligent the provider is in its remote monitoring. When a NordVPN server was hacked in 2018, it was widely highlighted as evidence of the dangers of renting VPN servers. The attacker exploited an unsecured hardware card, which NordVPN claimed the data center had put there without telling them.
While it is true that physical access to the server may have brought the hardware card to the company’s attention, NordVPN technicians could’ve also seen the card’s presence via their remote access to the server’s installed hardware. Ultimately, the breach wasn’t really to do with the server being rented – with greater due diligence on the part of NordVPN, the vulnerability could’ve been avoided.
While the ability to physically audit server hardware is perhaps a slight advantage for co-located servers, it should not be necessary if the server is being remotely monitored effectively. This makes the issue of renting VPN servers significantly less concerning.
For the most part, a rented VPN server is no more at risk from physical tampering than a co-located server.
A privacy issue that both co-located and rented VPN servers face is the status of the networking environment around them.
Any server in a data center — whether it is owned or rented — is connected to that data center’s network. As we have seen, this gets VPN servers far closer to an internet exchange than they could’ve been otherwise, which helps improve connection speeds.
However, it also means that providers have very little knowledge of the network infrastructure that is upstream of their servers — and they certainly have no control over it.
This can pose a risk for VPN users because the service provider can never be completely sure that their server isn’t being monitored. Attackers and intelligence agencies are able to use the upstream network switch to record (and then mirror) all of the activity going in and out of a targeted server.
This is particularly relevant to data centers in countries with invasive data privacy laws. Local authorities could monitor upstream traffic or even compel the data center to store information locally and share it with them. This effectively amounts to logging on behalf of the data center without the VPN provider’s knowledge.
In the case of VPN traffic, the activity should be encrypted. However, traffic correlation attacks are still a possibility and attackers can still get access to certain metadata, like the user’s originating IP address.
Here’s a summary of the key differences between rented and co-located VPN servers when it comes to privacy and security:
- A co-located VPN server is marginally better than a rented server from a security perspective because the provider is able to fully audit the server’s hardware and physically inspect it whenever they please.
- Remote access and system logs allow providers that rent VPN servers to monitor their hardware effectively. This largely mitigates the concerns one might have about third parties having physical access to rented servers.
- Both rented and co-located VPN servers are at risk of upstream traffic monitoring due to lack of control over the data center’s network infrastructure. Neither rented or co-located servers allow providers to be 100% sure that their servers are not being monitored by governments, intelligence agencies, or any other third party with access to the data center.
Speed & Performance
In terms of connection speeds, both rented and co-located VPN servers share the benefits of being in a data center. This allows them to be close to (and sometimes even peer directly with) an internet exchange, which greatly improves performance.
VPN providers who rent their server network are afforded a degree of flexibility that is harder to come by with co-location. Rental agreements can be scaled up or scaled down to match user demand, whereas co-location agreements keep providers tied-down to the hardware they have purchased and installed.
This flexibility can be beneficial in situations where authorities attempt to compel VPN providers to censor user activity or retain logs. It’s easier to cease operations in a country when all you’ve committed to is a monthly rental fee, as opposed to owning a large piece of hardware that’s physically located in that country.
Renting is also better suited to having a large number of servers in a wide range of locations. When providers don’t have to worry about maintaining their servers or keeping them within commuting distance for staff, they have greater freedom to expand their network globally.
Not only does a larger server network provide users with a more diverse array of IP addresses, it should also facilitate faster connection speeds. This is because, in a lot of cases, it will reduce the geographic distance between a given user and the closest VPN server.
These are the key differences between rented and co-located VPN servers when it comes to performance:
- Whether it’s owned or rented, any server stored in a data center benefits from being in close proximity to an internet exchange. This can improve connection speeds.
- Without the commitment involved in owning a server network, VPN providers that rent their servers are better able to amend their operations in line with customer demands. They can offer larger server networks in a wider range of locations, and will find it much easier to cease operations when facing pressure from foreign governments.
Our Verdict on Server Ownership
It is impractical for a commercial VPN provider to own and manage all of its servers on-site. Of the remaining options, a rented VPN server is only marginally worse than a co-located server from a security perspective. It might even have some performance benefits in terms of connection speeds and operational flexibility.
Both methods are subject to the same privacy risks when it comes to the monitoring of upstream traffic.
Overall, as long as the VPN provider takes the time to properly configure the server, remotely monitor it effectively, and understand the data center’s network environment, there is little increased risk with a rented VPN server versus a co-located server.
Which VPN Providers Rent Their Servers?
The majority of commercial VPN server networks combine both rented and co-located servers. While many refuse to openly disclose this information, here is a list of VPN providers that are honest and transparent about renting at least some of their servers:
- F-Secure Freedome
- HideMyAss! (HMA)
- Private Internet Access (PIA)
A number of these providers go to great lengths to emphasize how careful they are when selecting a data center to rent from:
PIA, for example, told us they have a “stringent vetting process” when assessing potential third parties.
This highlights an important point: in general, rented VPN servers aren’t a danger to users as long as the data center is vetted and considered to be trustworthy.
It is impossible for the average user to know exactly which third parties are being entrusted with their data, so we have to trust our VPN service to choose its partners carefully.
A good VPN may rent its servers, but it will thoroughly vet the data center it is renting them from. This vetting process will include a full hardware audit and an inspection of the data center’s networking environment in order to understand any potential threats.
Unfortunately, most VPN providers keep the specifics of their vetting processes hidden. This means we can only rely on trust that their procedures are comprehensive and secure.
We urge any VPN service that uses rented servers to be more transparent about the specifics of their vetting process. Only then can we have full confidence that their servers are safe to use.
For users who would rather avoid the uncertainty associated with rented servers, there are a small number of VPN providers that advertise an entirely self-owned network. These include AzireVPN, IPVanish, and VyprVPN.