What Is VPN Passthrough?
VPN passthrough is a feature on VPN routers that allows you to set up an outbound VPN connection between a device on an internal network (behind a firewall) and a device on an external network (e.g. the Internet). VPN passthrough literally allows VPN traffic to pass through the router.
Routers use a feature called Network Address Translation (NAT) to allow several computers on a local network to share a public IP address. Your NAT type also dictates how open and accessible your local network is.
Outdated VPN protocols like L2TP, PPTP, and IPSec are not compatible with NAT. If you’re using a PPTP or IPsec VPN on an outbound connection, your router may drop the packets or block the connection altogether.
Put simply, VPN passthrough forwards your VPN traffic through the router, allowing it to bypass the NAT process. If you enable IPSec passthrough for example, the IPSec traffic will be internally passed through to an Application Layer Gateway, which handles the redirection of traffic instead.
Newer VPN protocols like OpenVPN, IKEv2, and WireGuard are compatible with NAT, so they do not require VPN passthrough.
How Does VPN Passthrough Work?
To understand how VPN passthrough works, you first need to understand the NAT process. In short, Network Address Translation is the process in which one or more private IP addresses are translated into one or more public IP addresses.
NAT comes in three main forms:
- Static NAT: This maps a single private IP address with a unique public IP address. It is commonly used for hosting servers on the web.
- Dynamic NAT: This maps multiple private IP addresses to a pool of public IP addresses. It is used when the number of users who want to access the Internet at the same time is known.
- Port Address Translation: PAT, also known as NAT overload, maps many private IP addresses to a single public IP address. It uses port numbers to distinguish the traffic between devices.
Older VPN protocols like PPTP and IPsec are natively incompatible with Network Address Translation (NAT) technology on the router.
These protocols encrypt and repackage data packets in a way that does not provide NAT with enough information to deliver them to their intended recipients. There can be multiple private IPs associated with a single public address, and it’s impossible for NAT to know which one to forward the data to.
VPN passthrough is used to overcome this problem. It works by automatically forwarding your VPN traffic through the router using additional ports, bypassing NAT in the process.
Different protocols use different ports to establish a VPN connection. IPsec passthrough uses NAT-T to encapsulate IPsec packets in UDP packets, which are compatible with NAT in port 4500. L2TP uses UDP Port 1701, which is used as a control port to set up the connection.
Is VPN Passthrough the Same as a VPN Client?
VPN passthrough and a VPN client are two different things. A VPN client is an application installed on your device that allows you to configure your VPN’s connection settings. It’s through the VPN client that you choose your server, adjust your settings, and enable the connection.
VPN passthrough is a feature on your router that allows VPN clients to connect to the server using older protocols. It’s enabled in your router’s settings.
What’s the Difference Between VPN Passthrough and a VPN Router?
A VPN router is simply a WiFi router with virtual private network (VPN) software installed on it. It encrypts all of the traffic that passes through your WiFi network, allowing you to protect all of your devices at the same time.
You can buy VPN routers with VPN software already installed on them, or you can flash some router models with custom firmware like OpenWrt or FreshTomato. VPN routers support modern VPN protocols like OpenVPN and Wireguard, and they provide other advanced functionalities, too.
VPN routers are the endpoint of the VPN connection; the VPN tunnel is established between the VPN server and the router. In effect, the router acts as the VPN client. This is useful when devices such as games consoles, smart TVs, or IoT devices need to connect to a VPN but do not support applications natively.
This is very different from VPN passthrough, which is a feature on normal routers that allows VPN traffic to literally pass through the router. In this case, the VPN client is on your device.