What is VPN Passthrough?

We’ve encountered numerous users who struggle with configuring their routers to work seamlessly with their VPN connections, especially when using older protocols.

One of the most common issues is the inability to establish a stable VPN tunnel due to incompatibilities between the chosen protocol and the router’s Network Address Translation (NAT) settings, which is how routers share a single public IP address among multiple devices on a local network.

This problem often arises when attempting to use protocols like PPTP, L2TP, or IPsec, which are not natively compatible with NAT.

To help users overcome these connectivity issues, we’ve created this comprehensive guide on VPN passthrough, the feature that allows VPN traffic to bypass potential conflicts with your router’s NAT settings.

We’ll explain what VPN passthrough actually is, how it works, and why it’s necessary, so you can determine whether you need to enable this feature and learn exactly how to do so.

A VPN passthrough is a feature on routers that allows encrypted VPN data packets from devices on your local network to pass through the router’s firewall without being blocked or dropped.

It’s important to note that VPN passthrough does not establish the VPN connection itself. The actual VPN connection is created between the device (e.g., your computer or smartphone) and the VPN server.

VPN passthrough merely facilitates the unhindered flow of this VPN traffic through your router.

Without a VPN passthrough enabled, some older VPN protocols may not work correctly due to conflicts with NAT.

Routers use NAT to allow multiple devices on a local network to share a single public IP address. The NAT type also determines how accessible your local network is from the internet.

Older VPN protocols like L2TP, PPTP, and IPsec are not compatible with NAT. If you’re using a PPTP or IPsec VPN on an outbound connection without a VPN passthrough enabled, your router may drop the VPN packets or block the VPN connection altogether.

A VPN passthrough essentially forwards your VPN traffic through the router, allowing it to bypass the NAT process. For example, if you enable an IPSec passthrough, the IPsec traffic will be internally passed through to an Application Layer Gateway, which handles the redirection of traffic instead.

Newer VPN protocols like OpenVPN, IKEv2, and WireGuard are compatible with NAT, so they do not require VPN passthrough to function correctly.

By understanding how a VPN passthrough works, you can determine if enabling this feature on your router is necessary for your particular VPN setup.

How Does VPN Passthrough Work?

VPN passthrough facilitates the smooth transmission of VPN traffic through your router’s NAT process. When your VPN software attempts to connect with a remote VPN server, it uses VPN protocols to encapsulate its connection requests, which then pass through your router’s NAT.

NAT allows a single public IP address to be shared among many devices on a local network by transparently translating the private IP addresses used on the internal network into the public IP address needed for communication over the internet. It acts as an intermediary, mapping the private IP addresses to the public IP address and vice versa.

However, problems arise with older VPN protocols like PPTP, LT2P and IPsec, as these protocols encrypt and repackage data packets in a way that does not provide NAT with enough information to deliver them to their intended recipients.

There can be multiple private IPs associated with a single public address, and it’s impossible for NAT to know which one to forward the data to.

Instead of disabling NAT on your router, which is generally not advised, VPN passthrough provides a more elegant solution.

A VPN passthrough solves the compatibility issue by allowing the encrypted VPN traffic to bypass the NAT process, ensuring that the VPN packets are delivered to their intended recipients without interference.

This enables seamless VPN connectivity while preserving the benefits of NAT for your local network.

Types of VPN Passthrough

Instead of being blocked by NAT, we can use VPN passthrough functionality on the router.

VPN passthrough allows the router to identify and properly handle VPN protocols like PPTP, L2TP, and IPsec.

The specific implementation of VPN passthrough varies depending on the VPN protocol being used.

However, the general principle involves modifying the VPN data channels to include additional identifier fields, such as Call IDs or Session IDs.

The router then associates this data channel traffic with the corresponding control channel connection using these identifiers and the destination IP address, allowing it to correctly forward the VPN data packets to the server by translating the private IP/ports while leaving the encrypted payload untouched.

PPTP Passthrough

PPTP passthrough allows VPN traffic to traverse through the NAT router or firewall by modifying how the PPTP protocol functions:

1. PPTP uses a TCP control channel (port 1723) for tunnel establishment/management, and a GRE data channel for the encrypted data packets.
2. GRE lacks port numbers, conflicting with NAT’s need for port translation.
3. Passthrough adds a Call ID field to the GRE header, acting as as a substitute for port numbers.
4. When a PPTP client initiates a VPN connection, it sends a request over the TCP control channel on port 1723, which the router allows through standard NAT rules.
5. The PPTP server responds with a unique Call ID inserted into the GRE data channel packets.
6. The router inspects the GRE packets, associating them with the control channel using the Call ID and destination IP.
7. The router translates the client’s private IP/port and forwards the GRE data to the VPN server, establishing the PPTP VPN tunnel.

IPsec Passthrough

IPsec passthrough works using NAT-Traversal (NAT-T) technology:

1. IPsec secures IP communications by authenticating/encrypting data packets at the IP layer but conflicts with NAT as it embeds IP addresses within the data stream.
2. NAT-T encapsulates IPsec packets inside UDP packets that NAT can handle.
3. The IPsec client behind NAT initiates a connection to a server, sending an IKE (Internet Key Exchange) packet over UDP port 4500.
4. The NAT router detects this UDP traffic and translates the client’s private IP/port to a public IP/port.
5. The IPsec server responds with an IKE packet in UDP, which NAT routes back to the client.
6. After IKE negotiation, IPsec data (ESP packets) is also encapsulated in UDP packets using port 4500.
7. NAT translates the UDP/IP headers but leaves the IPsec payload untouched, allowing the VPN traffic to pass through the router.

LT2P Passthrough

L2TP passthrough works similarly to PPTP, as L2TP originated from PPTP and L2F:

1. Like PPTP, L2TP uses a TCP control channel (port 1701) for tunnel management, and a UDP data channel for encrypted packets.
2. The UDP data channel lacks port numbers, conflicting with NAT’s translation requirements.
3. L2TP passthrough adds a Session ID field to the L2TP over UDP header. This Session ID acts as a substitute for port numbers that NAT can use for translation.
4. When an L2TP client initiates a VPN connection, it sends a request over the TCP control channel (port 1701). The router allows this traffic through using standard NAT rules.
5. The L2TP server responds with a unique Session ID, which is inserted into the L2TP header of the UDP data channel packets.
6. The router inspects the UDP packets and associates them with the corresponding TCP control channel connection based on the Session ID and destination IP address.
7. The router then translates the private IP/port of the L2TP client to its public IP/port and forwards the UDP data packets to the VPN server, allowing the L2TP VPN tunnel to be established.

Is VPN Passthrough the Same as a VPN Client?

VPN passthrough and a VPN client are entirely different things. A VPN client is a software application installed on your device that allows you to configure your VPN’s connection settings. It’s through the VPN client that you choose your server, adjust your settings, and enable the connection.

VPN passthrough is a feature on your router that allows VPN clients to connect to the server using older protocols. It’s enabled in your router’s settings.

What’s the Difference Between VPN Passthrough and a VPN Router?

A VPN router is a router with VPN software installed on it. It encrypts traffic from all devices on your local network, protecting them simultaneously.

You can buy VPN routers pre-installed with VPN software or flash compatible router with custom firmware like OpenWrt or FreshTomato. VPN routers support modern VPN protocols like OpenVPN and WireGuard, offering advanced features.

The VPN router acts as the VPN client, establishing a tunnel between itself and the VPN server. This allows devices without native VPN support (e.g., game consoles, smart TVs, IoT) to connect securely.

In contrast, VPN passthrough is a feature on regular routers that allows VPN traffic to pass through by modifying the protocol headers for NAT compatibility. With passthrough, the VPN client runs on your device, not the router.

Pros	Cons
Allows you to connect to a VPN using older VPN protocols when the connection would otherwise be blocked by NAT.	Weakens the security of your local network.
	Can be complex to set up without previous technical experience.
	Only necessary for outdated protocols which are already unsecure.
	Requires port forwarding to be enabled on the router.

Your system will always be more secure without VPN passthrough enabled. A VPN passthrough opens ports in your local firewall that would otherwise be inaccessible – the fewer ports that are open for communication, the more secure you are.

It also requires port forwarding to be enabled on your router, which comes with its own security risks. For example, PPTP passthrough uses the TCP port 1723. If you regularly connect and disconnect to the VPN, this port might stay open longer than necessary, which exposes your network to attacks.

However, if you are going to enable this feature, we recommend using Private Internet Access as it’s a trusted VPN service and unlike many other VPNs, PIA allows port forwarding to all of its users.

VPN passthrough also relies on outdated protocols and technologies that are seldom subject to updates. They’re less likely to be patched for security vulnerabilities, and much less secure than modern equivalents.

These outdated VPN protocols can be hacked and should only be used when absolutely necessary. If the VPN passthrough is not not being actively used, it should be disabled immediately.

The feature is most commonly used in professional or commercial situations alongside a remote-access VPN. If the company’s VPN uses an old protocol like IPsec or PPTP, you’ll need to set up a VPN passthrough to successfully connect to the office using the VPN.

If it’s absolutely necessary to enable VPN passthrough on your router, follow these instructions:

1. Find Your Router’s IP Address

You can find your router’s IP address in your device’s network settings, typically listed as the ‘Default Gateway’ or ‘Router’.

In the following example, the address of the router is 192.168.1.1:

2. Access Router Settings

Open a web browser and enter your router’s IP address. Enter the default login credentials (usually admin for username and password for password), which should be written on the back of the router.

3. Find the VPN Passthrough Section

The VPN passthrough setting is usually under ‘Security’ or ‘Firewall’ options. Refer to your router’s manual if you can’t locate it, as some routers may not support this feature.

4. Configure the VPN Settings

Enable the protocol your VPN uses and apply the settings. Common protocols and ports:

• IPSec Passthrough: UDP port 500 and port 4500 (IKE and NAT-T)
• PPTP Passthrough: TCP port 1723
• L2TP Passthrough: UDP ports 500, 4500, and 1701

5. Restart Router

Unplug your router for 10 seconds, then plug it back in to apply the new VPN passthrough settings.