Question, please check

Hello, how are you? I have an important question, and I am surprised at the same time, but I would like to clarify things, which are the following:

1- You have added new servers in Portugal, and I think it’s great because expansion is needed according to customer requirements.

2- I ran a Whois on the new servers and found that the registry there has data from a company called PureVPN. I leave the image for more information.

Do you have any relationship with PureVPN? Are they the same company? Or can you please clarify this situation?

Thank you kindly, greetings.

Most likely they rent from the same hoster as PureVPN and got an IP that was previously used by PureVPN.

The IP is registered in Portugal which is good.

But when you do a bit of digging (1)(2)(3) you find that the owner/hoster of the IP is located in India. Also registered at the same address is OneHostingServices.com - an Indian hosting company.

I do hope Proton are doing the correct background checks on these companies before throwing up VPN servers.

The dedicated server provider for the Portugal servers is HostRoyale, based in India. We used them when bringing up our servers in India. When bringing up new servers, we try to use existing providers (fewer providers is easier to manage). Since HostRoyale also provides servers in Portugal, they were selected.

The RIPE entry there may be an outdated database, because on RIPE we don’t see any connection between HostRoyale and PureVPN. Our guess is that PureVPN also has rented servers from HostRoyale. That seems likely given that HostRoyale is based in India which is close to where PureVPN is located, so it makes sense for them to go with a local provider.

There’s no connection between us and PureVPN however. All of our servers are dedicated servers which we configure from scratch on top of the bare metal.

Maybe that IP range was formerly used by PureVPN? Hmmm

Look at the whois dates:

 created:        2016-10-24T14:07:16Z
 last-modified:  2017-10-25T08:27:47Z

They must be re-using some old PureVPN IPs. They just need to have the host update the whois and have the range reallocated to them downstream.

Would love to know the answer to this as PureVPN have been proven to log.

Looks like all 4 of the Portugal IPs are/were part of PureVPN’s network??

An official comment from ProtonVPN would be nice?!

You think they forgot to update the WHOIS then?

Well, it is probable that the database has not been updated, but it still appears in the RIPE Whois, and I checked the PureVPN servers in Portugal, but they do not coincide with the current IPs of ProtonVPN. We’re still waiting for ProtonVPN’s official response.

In honesty, I doubt background checks are going on. It’s more likely they’re finding the most economical ones, comparing and then going with them.

person: PURE VPN Portugal Range
address: 36/F, Tower Two, Times Square, 1 Matheson Street, Causeway Bay, Hong Kong
phone: +85285281254857
nic-hdl: AK16572-RIPE
mnt-by: in-akroyale-1-mnt
created: 2016-10-21T07:27:17Z
last-modified: 2018-05-14T12:55:06Z
source: RIPE

However, the Whois was recently modified in month 5 of this year, and PureVPN’s name appears with its address.

You can also notice that PureVPN uses another IP address (range) of this hosting company, which is as follows: Range 185.174.159.0/255

I hope that ProtonVPN modify the data, hoping that this does not become something dangerous and distrust for those people.

Could understand if one IP’s WHOIS hadn’t been updated… but 4? Hmm… :thinking:

Yes, or the database that site uses isn’t updated, yet.

servers in Portugal but do not coincide with the current IPs of ProtonVPN

They only use their direct IP allocations for Secure Core. It seems all non secure core servers and even the secure core exit nodes use whatever IP allocation the datacenter provides them.

You’re looking at the wrong whois info. You’re looking at the PureVPN sub-delegation account, so any time they make any change to their sub-delegation record, it updates the timestamp.

The actual ASN owner hasn’t updated the sub-delegation since the dates I posted.

inetnum: 185.174.156.0 - 185.174.159.255
netname: IN-AKROYALE-20161024
country: IL
org: ORG-AKTA9-RIPE
admin-c: AK16572-RIPE
tech-c: AK16572-RIPE
mnt-routes: MEER-MNT
mnt-routes: EXTRAHOST-MNT
mnt-routes: CYTANET-NOC
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-by: in-akroyale-1-mnt
created: 2016-10-24T14:07:16Z
last-modified: 2017-10-25T08:27:47Z
source: RIPE

Here is the ASN for that IP range, the IPs are not owned by PureVPN, but rather by the hosting provider. The hosting provider has to update the whois record for the sub-delegation.

They just announced their Portuguese servers like a week ago. As someone who has had to update sub-delegation records, you’re dependent on the ASN (IP range) owner. All you can do is ask them to do so.

I hope that ProtonVPN modify the data, hoping that this does not become something dangerous and distrust for those people.

I 100% agree, this looks suspicious because most people don’t interact with the whois system very often. They absolutely need to get this information corrected. Your post startled me and caused me to look much more deeply into it, but some people won’t and will just assume ProtonVPN is being shady. Especially with all that PIA fake news Tesonet bullshit that occurred.
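The distinction drawn above, between the address-block record and the contact record it points to, as an added example that is not part of the original thread. The sample input is the two RIPE objects quoted in the thread, abridged; the function names `parse_objects` and `contact_timestamps` are hypothetical.

```python
from datetime import datetime

# Sample input: the inetnum and person objects quoted in this thread, abridged.
SAMPLE = """\
inetnum:        185.174.156.0 - 185.174.159.255
netname:        IN-AKROYALE-20161024
org:            ORG-AKTA9-RIPE
admin-c:        AK16572-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         in-akroyale-1-mnt
created:        2016-10-24T14:07:16Z
last-modified:  2017-10-25T08:27:47Z
source:         RIPE

person:         PURE VPN Portugal Range
nic-hdl:        AK16572-RIPE
mnt-by:         in-akroyale-1-mnt
created:        2016-10-21T07:27:17Z
last-modified:  2018-05-14T12:55:06Z
source:         RIPE
"""

def parse_objects(text):
    """Split whois output into objects, each a dict of attribute -> list of values."""
    objects = []
    for block in text.strip().split("\n\n"):      # a blank line separates objects
        attrs = {}
        for line in block.splitlines():
            if line[:1] in ("%", "#", ""):        # skip server comments
                continue
            key, _, value = line.partition(":")   # split on the first colon only
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if attrs:
            objects.append(attrs)
    return objects

def contact_timestamps(text):
    """Pair each inetnum's own last-modified with that of its admin-c contact object."""
    objs = parse_objects(text)
    by_handle = {o["nic-hdl"][0]: o for o in objs if "nic-hdl" in o}
    ts = lambda o: datetime.strptime(o["last-modified"][0], "%Y-%m-%dT%H:%M:%SZ")
    rows = []
    for o in objs:
        if "inetnum" in o:
            for handle in o.get("admin-c", []):
                contact = by_handle.get(handle)
                rows.append((o["inetnum"][0], ts(o), handle,
                             ts(contact) if contact else None))
    return rows
```

On the sample, the 2018 timestamp comes from the `person` object referenced by `admin-c`, while the `inetnum` object itself was last modified in 2017.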

It’s the same range, so that’s not too unlikely.

Exactly, but you know, about the AS, you have made me investigate a little more, and we can go deeper without needing so many laps. I draw a lot more attention on the subject, I believe, and we can talk about the other AS (peers) that are used by the other VPN providers; it seems that ProtonVPN is somewhat weird, to say the least.

Go back to the website of AS204287 HostRoyale Technologies Pvt Ltd - bgp.he.net, and we will see the first one (peers) that connects the host to another internet provider called AS62874 Web20Objets LLC. This last ISP's AS is used by another well-known company called ExpressVPN; we can track this data using traceroute to see where it travels and where it goes (connection). If we enter AS62874, we can see the other peers that connect. Look at the list that appears and you will be surprised: AS201341 (Tesonet Ltd) and AS396319 (CLOUDVPN INC.)

This last one, CloudVPN, is used by NordVPN according to Google Play, and these 2 AS connect to AS628774, do you realize? Will it not be a coincidence of something weird and hidden from behind? I say this because these results that I am seeing in my research are very suspicious to me, and I think that I should get away from these VPN companies. We only ask ProtonVPN to clarify nothing more than the truth and why they hired this hosting service in Portugal to install their VPN servers. Once again, we only ask you to tell the truth: is there any connection between the VPN companies currently? Because sooner or later everything comes to light. Mind you, I am not accusing you, but we are asking only for the TRUTH.

Thank you.