What is VPN Passthrough and How does it Work?

Updated on: 18 June 2019

Routers come in two types:

  • Those that natively accept a VPN connection using technology such as IPsec, PPTP or L2TP. You can set up such a router to work as a VPN server or to create a site-to-site VPN with another VPN gateway.
  • Those that aren’t built with the express purpose of serving as VPN servers. They don’t natively support this kind of technology, so you have to work around the limitation, and you do that with the passthrough feature. Activate it and the traffic coming from the VPN client will go straight through the router and across the internet to the VPN gateway.

The VPN passthrough feature can be activated on many home routers; the ones that offer it are widely accepted as the standard because they support both PPTP and IPsec VPNs.

In other words, this feature will allow computers on a private network to establish outbound VPNs. It doesn’t affect or otherwise hinder the proper functioning of any inbound VPN connections.

The name comes from the fact that this feature allows the VPN traffic to pass through the router. You don’t have to open any ports in order to do this. The process is completely automatic.

The difference between a VPN and a VPN passthrough

This feature is mainly present in small business Internet gateway devices and consumer VPN routers. These devices are specially constructed to work with VPN protocols like IPsec, PPTP, L2TP or even the SSL VPN technology.

What this means is that they can connect to a central server or the VPN gateway without a VPN client present. In fact, this type of client is incompatible with such a router, and you’ll only be wasting time trying to combine them.

Small business network devices that support the VPN passthrough feature will actually permit the data packets coming from the VPN client to be encrypted with VPN technology and reach the internet.

Why you need VPN passthrough

Firstly, the small business devices I told you about work using NAT and PAT (network and port address translation). Basically, this is what allows a router to share one internet connection between multiple computers.

This is how a standard home router functions. However, VPN protocols are natively incompatible with NAT and PAT, and since the vast majority of routers implement NAT, the problem becomes apparent. And we don’t want any problem to become apparent, now do we?

In this sense, there are two solutions:

  • The PPTP passthrough
  • The IPsec passthrough

Let’s take a closer look at each of them and explain what really happens behind the scene.

PPTP passthrough and how it works

Like I said before, most routers connect to the internet using NAT. PPTP and NAT are like fire and water. They’d gouge out each other’s eyes if they could.

Well, the PPTP passthrough circumvents this issue with ease. It allows VPN connections to traverse the NAT boundary. However, NAT requires the use of ports in order to function properly.

PPTP, on the other hand, uses a TCP control channel on port 1723, and the GRE protocol to carry the data and create the VPN tunnel. The GRE part happens without the use of any ports.

The native GRE of PPTP doesn’t need any ports to establish the VPN tunnel. Since NAT requires a valid IP address and a port number, the situation is critical.

How the PPTP passthrough feature works is like this: it reconfigures GRE and enhances a few of its functions. Most importantly, it adds a Call ID.

See, when a PPTP client tries to connect to a server, a unique call ID is created and inserted into the modified header. Does this ring any bells? This call ID can be used as a substitute for the ports in the NAT translation.

These call IDs are widely used in PPTP port mapping to uniquely identify PPTP clients behind NAT. The Call ID is meant to act as a port substitute for PPTP traffic only, but it’s a non-standard procedure that isn’t automatically recognized by the router.

It is still necessary to allow PPTP to pass through the NAT router, and the way you do this is with the PPTP passthrough feature. It makes the router switch from the standard port to the call ID whenever it comes across PPTP traffic.

This allows VPN clients to make outbound PPTP connections as a result.

IPSec passthrough and how it works

This is done with NAT-T, Network Address Translation Traversal. In essence, this is a networking procedure implemented to establish and safely maintain IP connections across gateways that perform NAT.

Now, IPSec virtual private networks have to use NAT-T if they are to function properly through NAT. Otherwise, the traffic wouldn’t be encrypted at all, and the VPN tunnel would not be created.

NAT-T encapsulates the security payload (ESP) in a UDP packet, which NAT can recognize and translate.

The process is much more efficient because IPSec is based on several protocols that all have to be enabled in order to traverse firewalls and network address translators:

  • Internet Key Exchange (IKE) – User Datagram Protocol (UDP) port 500
  • IPSec NAT traversal – UDP port 4500, when NAT traversal is in use
  • Encapsulating Security Payload (ESP) – IP protocol number 50
  • Authentication Header (AH) – IP protocol number 51

Many routers have explicit features for this embedded in their firmware, and these are called IPSec passthrough. In Windows XP, NAT traversal is enabled by default, so you don’t have to change any settings.

However, Windows XP with Service Pack 2 has it disabled by default because of security issues. You’ll have to manually enable it again with NAT-T patches. Why am I talking about an operating system from the fucking Paleolithic?

Because Windows 7 and all the newer versions have NAT-T enabled from the get-go. You’re safe as long as you’re up to date with the technology of the 21st century.
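To make the NAT side of both the PPTP and the IPsec sections concrete, here is an added Python example (not from the original article) that reads the Call ID out of a PPTP enhanced-GRE header, shows what a NAT table can and cannot key on with and without passthrough, and tells NAT-T traffic on UDP 4500 apart by the non-ESP marker. The packet bytes are constructed for the demo, and `nat_flow_key` with its return shape is my own simplification, not any router's implementation.

```python
import struct

TCP, UDP, GRE, ESP = 6, 17, 47, 50
PPTP_GRE_PROTO = 0x880B   # enhanced GRE carrying PPP (RFC 2637)
NAT_T_PORT = 4500         # UDP port used by IPsec NAT-T (RFC 3948)

def pptp_call_id(gre_hdr):
    """Read the Call ID of an enhanced-GRE (PPTP data) header.
    RFC 2637 layout: flags/version (2 bytes), protocol type (2),
    payload length (2), Call ID (2), then optional sequence/ack numbers.
    """
    flags_ver, proto, _length, call_id = struct.unpack("!HHHH", gre_hdr[:8])
    if proto != PPTP_GRE_PROTO or (flags_ver & 0x7) != 1:
        raise ValueError("not an enhanced GRE / PPTP data packet")
    return call_id

def nat_flow_key(proto, src_ip, l4, pptp_passthrough=False):
    """Key a NAT/PAT table would use for an outbound packet (simplified model).
    Returns None when the packet carries nothing the translator can map,
    which is exactly the case described for bare GRE and bare ESP.
    """
    if proto in (TCP, UDP):                 # normal PAT: translate on the source port
        return (proto, src_ip, struct.unpack("!H", l4[:2])[0])
    if proto == GRE and pptp_passthrough:   # passthrough: Call ID stands in for the port
        return (proto, src_ip, pptp_call_id(l4))
    return None                             # bare GRE (no passthrough) or ESP: no port field

def nat_t_payload_kind(udp_payload):
    """On UDP 4500, IKE carries a 4-byte zero 'non-ESP marker'; ESP starts with its SPI."""
    return "ike" if udp_payload[:4] == b"\x00\x00\x00\x00" else "esp"

# Constructed sample packets (not captured traffic)
CLIENT = "192.168.1.10"
PPTP_GRE = struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO, 60, 0x1234, 7)  # K+S bits, ver 1, seq 7
ESP_RAW = struct.pack("!II", 0xDEADBEEF, 1)                               # SPI + sequence, no ports
UDP_4500 = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 16, 0) + ESP_RAW  # ESP wrapped in UDP (NAT-T)

def demo():
    return {
        "gre_plain": nat_flow_key(GRE, CLIENT, PPTP_GRE),
        "gre_passthrough": nat_flow_key(GRE, CLIENT, PPTP_GRE, pptp_passthrough=True),
        "esp_plain": nat_flow_key(ESP, CLIENT, ESP_RAW),
        "esp_nat_t": nat_flow_key(UDP, CLIENT, UDP_4500),
        "nat_t_kind": nat_t_payload_kind(UDP_4500[8:]),
    }

if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:16} -> {key}")
```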

How to disable VPN passthrough – pros and cons

You should only disable VPN passthrough when doing so gives you more security overall. The communication ports through the firewall that would otherwise be open and accessible will then be blocked.

However, this means that any user behind the gateway will find it impossible to create and maintain a VPN connection. This happens as a consequence of the VPN ports being blocked at the firewall.

Ideally, if you’re a heavy VPN user on a SOHO (small office home office) network, then you shouldn’t block these ports.

Routers that support a VPN passthrough

The most reliable and efficient router in this category, the one that has become the standard for VPN passthrough, is the Netgear WGR614 Wireless Router. It supports no less than 3 simultaneous VPN connections.

Next, there’s the Netgear FWAG114 ProSafe. Although a bit more expensive than the previous one, this one also supports end-to-end VPNs, better known as site-to-site VPNs.

In the end, you can see that the VPN passthrough procedure has many advantages and almost no downsides. It efficiently gives you a way to use VPNs with almost all routers by overcoming their default settings.

Now you know what to do when your router can’t connect to a VPN. Perform the IPSec or the PPTP VPN passthrough, depending on the router itself, and welcome the fresh air of privacy.

Written by: Bogdan Patru

Author, creative writer, and tech-geek. Bogdan has followed his passion for the digital world ever since he got his hands on his first PC. After years of accumulating knowledge and experience, the good Samaritan in him whispered to him one day about the virtue of sharing that knowledge with those who needed it. It was 2014 when that idea would grow into a life-defining passion. One that keeps driving him to this day.
