What is VPN Passthrough and How does it Work?

Stephen Mash

By Stephen Mash . 4 August 2022

IT Specialist

Justin Oyaro

Fact-Checked this

2 Comments

In this guide, I will explain what a VPN passthrough is and how it works.

What is a VPN passthrough?
In a nutshell, a VPN passthrough is a router feature that enables any device connected to that router to establish an outbound VPN connection. By contrast, a VPN router is a device that actively implements a VPN connection. The VPN passthrough is a passive enabler for VPN traffic.

Read below to learn more about how a VPN passthrough works.

Use the navigational menu on the right (desktop) or below (mobile) to quickly jump to relevant sections.

VPN Passthrough

Why Do Some Routers Need a VPN Passthrough?

Routers come in two main types, those that natively accept a VPN connection and those that don’t.

Routers that natively accept a VPN connection will support technology such as IPsec (Internet Protocol Security), PPTP (Point-to-Point Tunneling Protocol), or L2TP (Layer Two Tunneling Protocol).

You can configure this router to work as a VPN server or create a site-to-site VPN with another VPN gateway.

The design of some routers does not support their use as VPN servers. They don’t natively support this kind of technology and so block VPN traffic. To use a VPN, you have to work around this limitation.

You can do this with the VPN passthrough feature. When activated, traffic from the VPN client will go through the internet and reach the VPN gateway.

The VPN passthrough feature is available on many home routers, and the ones that do are widely accepted as the standard because they support both PPTP and IPsec VPNs.

In other words, this feature will allow computers on a private network to establish outbound VPNs. It doesn’t affect or otherwise hinder the proper functioning of any inbound VPN connections.

The name comes from this feature allowing the VPN traffic to pass through the router. You don’t have to open any ports to do this. The process is entirely automatic.

What is the Difference Between a VPN and a VPN Passthrough?

This feature is mainly present in small business Internet gateway devices and consumer VPN routers. These devices will work with VPN protocols like IPsec, PPTP, L2TP or even the SSL (Secure Sockets Layer) VPN technology.

This means that they will be able to connect to a central server or the VPN gateway without a VPN client present. This type of client is incompatible with such a router, and you’ll only be wasting time trying to mix them up.

Small business network devices that support the VPN passthrough feature will permit the data packages from the VPN client to be encrypted with VPN technology and reach the internet.

Why Do You Need VPN Passthrough?

Most routers on the market come with a built-in VPN passthrough. It’s needed to utilize a VPN that uses the IPsec or PPTP protocols.

However, the replacement of these security protocols by faster and more secure protocols, such as OpenVPN and IKEv2/IPsec, have made this function redundant.

VPN protocols are natively incompatible with the NAT (Network Address Translation) and PAT (Port Address Translation) technologies.

This incompatibility is an issue if you use networked devices based on these technologies to share the same internet connection between multiple computers.

This scenario has two possible solutions: a PPTP passthrough or an IPsec passthrough.

PPTP passthrough and how it works

Most routers connect to the internet using a NAT protocol incompatible with PPTP. The PPTP passthrough circumvents this issue, allowing VPN connections to traverse the NAT background. However, NAT requires the use of ports to function correctly.

PPTP uses the TCP (Transmission Control Protocol) channel on port 1723 for control and the GRE (Generic Routing Encapsulation) protocol to gather up the data and create the VPN tunnel, which happens without the use of any ports.

The native GRE of PPTP doesn’t need any ports to establish the VPN tunnel. Since NAT requires a valid IP address and a port number, there is a conflict.

The PPTP passthrough feature works by reconfiguring the GRE function and enhancing a few of its services. Most importantly, it adds the call ID.

When a PPTP client connects to a server, it creates a unique call ID that it inserts into the modified header. This call ID is then available as a substitute for the ports in the NAT translation.

Call IDs are widely used across PPTP port mapping to identify PPTP clients that use NAT uniquely.

It’s natively supposed to act as a replacement for PPTP traffic only, but it’s a non-standard procedure that isn’t automatically recognized by the router.

The PPTP passthrough feature allows PPTP to pass through the NAT router. It forces the router to switch from the standard port to the one indicated by the caller ID when it comes across any PPTP traffic.

This function allows VPN clients to make outbound PPTP connections result.

IPsec passthrough and how it works

The IPsec passthrough works using a NAT-T, the network address translator traversal. Implementing this networking procedure will establish and safely maintain IP connections over gateways that require NAT.

IPsec VPNs need to use NAT-T to function correctly with the NAT protocol. Otherwise, the traffic will not be encrypted, and no VPN tunneling will be created.

The NAT-T encapsulates the security payload in a UDP (User Datagram Protocol) packet, which NAT recognizes.

The process is much more efficient because the basis of IPsec is protocols that have to be enabled fully to traverse firewalls and the network address translators:

  • Internet Key Exchange (IKE) – the User Datagram Protocol (UDP) port 500
  • IPsec NAT traversal – UDP port 4500, when the NAT traversal is functioning
  • Encapsulating Security Payload (ESP) – IP protocol number 50
  • Authentication Header (AH) – IP Protocol number 51

Many routers have specific features embedded within their program, called the IPsec passthrough. All supported versions of Microsoft Windows have the NAT traversal enabled by default, so you don’t have to change any settings.

Should I Disable VPN Passthrough?

It would help if you only disabled the VPN passthrough when this improves overall security. The communication ports through the firewall that are otherwise open and accessible will now be blocked.

However, this means that any user behind the gateway will be unable to create and maintain a VPN connection. This restriction will result from blocking the VPN ports at the firewall.

VPN users on a SOHO (Small Office Home Office) network shouldn’t block these ports.

Conclusion

A VPN passthrough is necessary if you need to use an older VPN protocol not supported by the router you use to connect to your network or the internet.

If you use legacy technology, this is a feature you may need to activate, but chances are nowadays that it’s just of historical interest.

Routers that Support a VPN Passthrough

The most reliable and efficient router in this case that has become the standard for VPN passthrough is the Netgear WGR614 Wireless Router. It supports no less than three simultaneous VPN connections.

Next, there’s the Netgear FWAG114 ProSafe. Although a bit more expensive than the previous one, this one also supports end-to-end VPNs, better known as site-to-site VPNs.

In the end, you can see that the VPN passthrough procedure has many advantages and almost no downsides. It efficiently allows you to use VPNs with virtually all routers by overcoming their default system settings.

Now you know what to do when your router can’t connect to a VPN. Perform the IPSec or the PPTP VPN passthrough, depending on the router itself, and welcome the fresh air of privacy.

Frequently Asked Questions

Some people found answers to these questions helpful

Should I allow VPN passthrough?

If your VPN connection relies on old VPN protocols such as PPTP and L2TP, you should. These protocols do not play well with NAT. Routers use NAT to know how to map and route packets on network devices. However, if you are using a modern VPN connection, there’s no need to enable the VPN passthrough. Modern protocol work with NAT.


How do I enable my VPN passthrough?

To check if your VPN passthrough is enabled, you must access your router’s web-based setup page. On most routers, the VPN passthrough setting will be under the security or the VPN tab. Ensure the following options are toggled on/enabled; IPSec Passthrough, PPTP Passthrough, and L2TP Passthrough. If they are allowed, you should be able to establish a VPN connection.


Is VPN passthrough safe?

The protocols offered for VPN passthrough are not secure. They will offer the fastest speeds and the expense of your security. If online security is your concern, you should disable the VPN passthrough and use VPN connections with modern security protocols such as the OpenVPN protocol.


Do all routers have a VPN passthrough?

Most popular routers come with a built-in VPN passthrough. This accommodates legacy users who still use VPN connections that rely on IPSec, PPTP, and L2TP protocols. If you don’t use these protocols, enabling this feature is unnecessary.


Should I turn off NAT?

No. NAT is helpful as it allows routers to redirect internet traffic to your devices. Your router usually connects to the internet with one registered external IP address. Your router-connected devices use private IP addresses. Turning off NAT means you will lose internet connection.


2 Comments

  • Nickie smith

    August 26, 2020 3:44 am

    The pptp has been activated on my phone without my consent by my boyfriend to secretly switch so he can download all my cell data for his own purpose. Any way i can avoid him doing this besides having him arrested?

    • Miklos Zoltan

      July 8, 2021 7:21 am

      Factory resetting your phone is perhaps a good idea. Just to make sure he didn’t install any malicious software. You can also report him to the police.

Leave a Comment