What is VPN Passthrough and How does it Work?

Updated on: 12 July 2020

What is a VPN passthrough?

In a nutshell, a VPN passthrough is a router feature that enables any device connected to that router to establish an outbound VPN connection. By contrast, a VPN router is a device that actively implements a VPN connection. The VPN passthrough is a passive enabler for VPN traffic.

Why do some routers need a VPN passthrough?

Routers come in two main types, those that natively accept a VPN connection and those that don’t.

Routers that natively accept a VPN connection will support technology such as IPsec (Internet Protocol Security), PPTP (Point-to-Point Tunneling Protocol) or L2TP (Layer Two Tunneling Protocol). You can configure this type of router to work as a VPN server or create a site-to-site VPN with another VPN gateway.

The design of some routers does not support their use as VPN servers. They don’t natively support this kind of technology, and so block VPN traffic. To use a VPN, you have to work around this limitation. You can do this with the VPN passthrough feature. When activated, traffic coming from the VPN client will go through the internet and reach the VPN gateway.

The VPN passthrough feature is available on many home routers, and those that offer it are widely accepted as the standard because they support both PPTP and IPsec VPNs.

In other words, this feature will allow computers on a private network to establish outbound VPNs. It doesn’t affect or otherwise hinder the proper functioning of any inbound VPN connections.

The name comes from the fact that this feature allows the VPN traffic to pass through the router. You don’t have to open any ports to do this. The process is entirely automatic.

What is the difference between a VPN and a VPN passthrough?

This feature is mainly present in small business Internet gateway devices and consumer VPN routers. These devices will work with VPN protocols like IPsec, PPTP, L2TP or even the SSL (Secure Sockets Layer) VPN technology.

What this means is that they will be able to connect to a central server or the VPN gateway without a VPN client present. Such a client is incompatible with this type of router, and you’ll only be wasting time trying to combine them.

Small business network devices that support the VPN passthrough feature will permit the data packets coming from the VPN client to be encrypted with VPN technology and reach the internet.

Why do you need VPN passthrough?

Most routers on the market come with a built-in VPN passthrough. It’s needed if you want to utilise a VPN that uses the IPsec or PPTP protocols. However, the replacement of these security protocols by faster and more secure protocols, such as OpenVPN and IKEv2/IPsec, has made this function generally redundant.

VPN protocols are natively incompatible with the NAT (Network Address Translation) and PAT (Port Address Translation) technologies. This incompatibility is an issue if you are using networked devices based on these technologies to share the same internet connection between multiple computers. In this scenario, there are two possible solutions: a PPTP passthrough or an IPsec passthrough.

PPTP passthrough and how it works

Most routers connect to the internet using NAT, which is incompatible with PPTP. The PPTP passthrough circumvents this issue, allowing VPN connections to traverse the NAT boundary. However, NAT requires the use of ports to function correctly.

PPTP uses a TCP (Transmission Control Protocol) connection on port 1723 for control, and the GRE (Generic Routing Encapsulation) protocol to carry the tunnelled data, which involves no port numbers at all.

The native GRE of PPTP doesn’t need any ports to establish the VPN tunnel. Since NAT requires a valid IP address and a port number, there is a conflict.

The PPTP passthrough feature works by reconfiguring the GRE function and enhancing a few of its services. Most importantly, it adds the call ID.

When a PPTP client connects to a server, it creates a unique call ID which it inserts into the modified header. This call ID is then available as a substitute for the ports in the NAT translation.

Call IDs are widely used in PPTP port mapping to uniquely identify PPTP clients behind NAT. The call ID is natively intended to act as a port substitute for PPTP traffic only, but it’s a non-standard procedure that isn’t automatically recognised by the router.

The PPTP passthrough feature allows PPTP to pass through the NAT router. It forces the router into switching from the standard port to the one indicated by the call ID when it comes across any PPTP traffic. This function allows VPN clients to make outbound PPTP connections as a result.
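To make the call-ID mechanism concrete, here is an added example (not code from the original article) of a toy many-to-one NAT: with plain NAT, GRE packets have no port number to key a translation on, so two clients tunnelling to the same PPTP server cannot be told apart; with passthrough enabled, the PPTP call ID takes the place of the port. The addresses and call IDs are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str           # source IP address
    dst: str           # destination IP address
    proto: str         # "tcp" (PPTP control, port 1723) or "gre" (tunnel data)
    port: int = 0      # TCP source port; GRE carries no port numbers
    call_id: int = 0   # PPTP enhanced-GRE call ID; unused for TCP

class PptpNat:
    """Many-to-one NAT, optionally with PPTP passthrough (GRE call-ID tracking)."""
    def __init__(self, public_ip: str, pptp_passthrough: bool) -> None:
        self.public_ip = public_ip
        self.passthrough = pptp_passthrough
        self.table: dict[tuple, str] = {}   # flow key -> private client address

    def _key(self, pkt: Packet, peer: str) -> tuple | None:
        if pkt.proto == "tcp":
            return ("tcp", peer, pkt.port)        # ordinary port-based entry
        if pkt.proto == "gre" and self.passthrough:
            return ("gre", peer, pkt.call_id)     # call ID stands in for a port
        return None   # plain NAT has no per-flow identifier for GRE

    def outbound(self, pkt: Packet) -> Packet | None:
        """Translate a packet leaving the LAN; None means it cannot be mapped."""
        key = self._key(pkt, pkt.dst)
        if key is None or self.table.get(key, pkt.src) != pkt.src:
            return None   # no identifier, or identifier owned by another client
        self.table[key] = pkt.src
        return replace(pkt, src=self.public_ip)

    def inbound(self, pkt: Packet) -> Packet | None:
        """Map a reply from the internet back to the private client that owns it."""
        key = self._key(pkt, pkt.src)
        client = self.table.get(key) if key else None
        return replace(pkt, dst=client) if client else None

def demo() -> dict[str, bool]:
    """Two clients behind one NAT tunnelling to the same PPTP server (constructed)."""
    server, public = "203.0.113.10", "198.51.100.1"
    results = {}
    for name, passthrough in (("plain_nat", False), ("passthrough", True)):
        nat = PptpNat(public, passthrough)
        a = Packet("192.168.1.20", server, "gre", call_id=17)
        b = Packet("192.168.1.21", server, "gre", call_id=42)
        ok_out = nat.outbound(a) is not None and nat.outbound(b) is not None
        back = nat.inbound(Packet(server, public, "gre", call_id=42))
        results[name] = ok_out and back is not None and back.dst == b.src
    return results
```

The toy deliberately leaves TCP source ports untranslated; a real NAT rewrites them, but the port-versus-call-ID distinction is the same.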

IPsec passthrough and how it works

The IPsec passthrough works by using NAT-T (NAT traversal). This networking procedure establishes and safely maintains IP connections across gateways that perform NAT.

IPsec VPNs need to use NAT-T if they are to function correctly through NAT. Otherwise, the traffic will not be encrypted, and no VPN tunnel is created.

The NAT-T encapsulates the security payload in a UDP (User Datagram Protocol) packet, which is recognised by NAT.

The process is much more efficient because IPsec relies on several protocols, each of which has to be fully allowed through firewalls and network address translators:

  • Internet Key Exchange (IKE) – UDP (User Datagram Protocol) port 500
  • IPsec NAT traversal – UDP port 4500, when NAT traversal is in use
  • Encapsulating Security Payload (ESP) – IP protocol number 50
  • Authentication Header (AH) – IP protocol number 51

Many routers have specific features embedded in their firmware for this purpose, and these are called the IPsec passthrough. All supported versions of Microsoft Windows have NAT traversal enabled by default, so you don’t have to change any settings.
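As an added example (not from the original article), the following classifier picks out the four IPsec components listed above from raw IPv4 packets, distinguishing IKE, NAT-T keepalives and UDP-encapsulated ESP on port 4500 by the RFC 3948 non-ESP marker, and then answers the practical question for a defender: which of them a port-based NAT can forward with and without the router’s IPsec passthrough. The helper packet builders and addresses are constructed test data.

```python
import socket
import struct

IP_PROTO_UDP, IP_PROTO_ESP, IP_PROTO_AH = 17, 50, 51   # IANA IP protocol numbers
PORT_IKE, PORT_NAT_T = 500, 4500                        # UDP ports for IKE and NAT-T
NON_ESP_MARKER = b"\x00\x00\x00\x00"                    # RFC 3948: IKE carried on 4500
NAT_KEEPALIVE = b"\xff"                                 # RFC 3948: one-byte keepalive

def ipv4_packet(proto: int, payload: bytes, src="192.168.1.20", dst="203.0.113.10") -> bytes:
    """Constructed IPv4 header (no options, checksum left 0) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp_packet(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (checksum 0) plus data, for use as an IPv4 payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt: bytes) -> str:
    """Name the IPsec component a raw IPv4 packet belongs to, or 'other'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == IP_PROTO_ESP:
        return "esp"                 # IP protocol 50: no ports for NAT to rewrite
    if proto == IP_PROTO_AH:
        return "ah"                  # IP protocol 51: also authenticates the addresses
    if proto != IP_PROTO_UDP or len(pkt) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data = pkt[ihl + 8:]
    if PORT_IKE in (sport, dport):
        return "ike"
    if PORT_NAT_T in (sport, dport):
        if data == NAT_KEEPALIVE:
            return "nat-t-keepalive"
        if data.startswith(NON_ESP_MARKER):
            return "ike-nat-t"       # IKE on 4500 is prefixed with the non-ESP marker
        return "esp-in-udp"          # otherwise the ESP header (SPI) starts at once
    return "other"

def forwardable(kind: str, ipsec_passthrough: bool) -> bool:
    """Port-based NAT can only track flows that carry UDP ports. Raw ESP needs the
    router's IPsec passthrough (or NAT-T at the endpoints); AH fails under NAT either
    way because the address rewrite breaks its integrity check."""
    if kind in ("ike", "ike-nat-t", "esp-in-udp", "nat-t-keepalive"):
        return True
    return kind == "esp" and ipsec_passthrough
```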

Should you disable VPN passthrough?

You should only disable the VPN passthrough when this improves overall security. The communication ports through the firewall that are otherwise open and accessible will now be blocked.

However, this means that any user behind the gateway will be unable to create and maintain a VPN connection. This restriction is a consequence of blocking the VPN ports at the firewall.

VPN users on a SOHO (Small Office Home Office) network shouldn’t block these ports.

Conclusion

A VPN passthrough is necessary if you need to use an older VPN protocol that is not supported by the router that you use to connect to your network or the internet. If you use legacy technology, then this is a feature you may need to activate, but nowadays it is most likely just of historical interest.

Routers that support a VPN passthrough

The most reliable and efficient router in this case that has become the standard for VPN passthrough is the Netgear WGR614 Wireless Router. It supports no less than 3 simultaneous VPN connections.

Next, there’s the Netgear FWAG114 ProSafe. Although a bit more expensive than the previous one, this one also supports end-to-end VPNs, better known as site-to-site VPNs.

In the end, you can see that the VPN passthrough procedure has many advantages and almost no downsides. It efficiently gives you a way to use VPNs with almost all routers by overcoming their default system settings.

Now you know what to do when your router can’t connect to a VPN. Perform the IPsec or the PPTP VPN passthrough, depending on the router itself, and welcome the fresh air of privacy.

Written by: Stephen Mash


Software and Systems Assurance Specialist Based in West Sussex, England, Stephen has worked as an information security and safety assurance consultant since 1997, specialising in risk management for high integrity systems. Prior to that, he developed safety-critical software-based systems for the aerospace industry. He transitioned from consultancy into the role of technical copywriter and editor in 2019, writing and reviewing materials on behalf of a broad spectrum of clients.

One thought on “What is VPN Passthrough and How does it Work?”

  1. Nickie smith says:

    The PPTP has been activated on my phone without my consent by my boyfriend to secretly switch so he can download all my cell data for his own purpose. Any way I can avoid him doing this besides having him arrested?
