Top10VPN is editorially independent. We may earn commissions if you buy a VPN via our links.

What is VPN Passthrough?

JP Jones is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process.

Our Verdict

A VPN passthrough is a router feature that allows devices on an internal network to establish an outbound VPN connection with devices on an external network. Traffic is literally allowed to pass through the router, enabling remote access to other systems from behind a local firewall. VPN passthrough is mainly required for older VPN protocols such as PPTP and IPsec.

VPN software uses a set of predefined instructions called protocols to communicate with a remote server.

Some older VPN protocols are not compatible with the Network Address Translation (NAT) feature on routers, which is the process that allows multiple devices on a single network to share the same public IP address.

If you’re using a remote access VPN with an outdated protocol like PPTP or IPsec, you’ll need to set up VPN passthrough on your router for the connection to be successful.

In this guide, we’ll explain what a VPN passthrough is and how it works, exactly what it’s used for, and how to enable a VPN passthrough on your router.

What Is VPN Passthrough?

VPN passthrough is a feature on VPN routers that allows you to set up an outbound VPN connection between a device on an internal network (behind a firewall) and a device on an external network (e.g. the Internet). VPN passthrough literally allows VPN traffic to pass through the router.

Routers use a feature called Network Address Translation (NAT) to allow several computers on a local network to share a public IP address. Your NAT type also dictates how open and accessible your local network is.

Outdated VPN protocols like L2TP, PPTP, and IPsec are not compatible with NAT. If you’re using a PPTP or IPsec VPN on an outbound connection, your router may drop the packets or block the connection altogether.

Put simply, VPN passthrough forwards your VPN traffic through the router, allowing it to bypass the NAT process. If you enable IPsec passthrough, for example, the IPsec traffic is passed internally to an Application Layer Gateway, which handles the redirection of traffic instead.

Newer VPN protocols like OpenVPN, IKEv2, and WireGuard are compatible with NAT, so they do not require VPN passthrough.

How Does VPN Passthrough Work?

To understand how VPN passthrough works, you first need to understand the NAT process. In short, Network Address Translation is the process in which one or more private IP addresses are translated into one or more public IP addresses.

NAT comes in three main forms:

  • Static NAT: This maps a single private IP address to a unique public IP address. It is commonly used for hosting servers on the web.
  • Dynamic NAT: This maps multiple private IP addresses to a pool of public IP addresses. It is used when the number of users who want to access the Internet at the same time is known.
  • Port Address Translation: PAT, also known as NAT overload, maps many private IP addresses to a single public IP address. It uses port numbers to distinguish the traffic between devices.

Older VPN protocols like PPTP and IPsec are natively incompatible with Network Address Translation (NAT) technology on the router.

These protocols encrypt and repackage data packets in a way that does not provide NAT with enough information to deliver them to their intended recipients. There can be multiple private IPs associated with a single public address, and it’s impossible for NAT to know which one to forward the data to.

VPN passthrough forwards your VPN traffic through the router, bypassing NAT in the process.

VPN passthrough is used to overcome this problem. It works by automatically forwarding your VPN traffic through the router using additional ports, bypassing NAT in the process.

Different protocols use different ports to establish a VPN connection. IPsec passthrough uses NAT-T to encapsulate IPsec packets in UDP packets on port 4500, which are compatible with NAT. L2TP uses UDP port 1701 as a control port to set up the connection.
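
The delivery problem described above, as an added Python sketch that is not from the original article: a toy PAT router drops the reply to a port-less IPsec packet, delivers it when a simplified passthrough table is enabled, and delivers it when the packet is wrapped in UDP port 4500 as NAT-T does. The addresses, class names and function names are constructed for illustration. ESP and GRE (the port-less packet types that carry IPsec and PPTP data) are not named in the article, and the passthrough table here is a simplification that tracks only the remote address.

```python
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # constructed address (documentation range)

@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp"/"udp" carry ports; "esp" and "gre" do not
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

class PatRouter:
    def __init__(self, passthrough: bool = False):
        self.passthrough = passthrough
        self.next_port = 40000
        self.ports = {}      # (proto, public port) -> (private ip, private port)
        self.portless = {}   # (proto, remote ip) -> private ip (simplified passthrough)

    def outbound(self, p: Packet) -> Packet:
        if p.sport is None:  # no port, so there is nothing to key a PAT entry on
            if self.passthrough:
                self.portless[(p.proto, p.dst)] = p.src
            return Packet(p.proto, PUBLIC_IP, p.dst)
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.ports[(p.proto, public_port)] = (p.src, p.sport)
        return Packet(p.proto, PUBLIC_IP, p.dst, public_port, p.dport)

    def inbound(self, p: Packet) -> Optional[str]:
        """Return the private host a reply is delivered to, or None if it is dropped."""
        if p.dport is None:
            return self.portless.get((p.proto, p.src))
        return self.ports.get((p.proto, p.dport), (None, None))[0]

def reply_to(sent: Packet) -> Packet:
    return Packet(sent.proto, sent.dst, sent.src, sent.dport, sent.sport)

def natt_wrap(esp: Packet) -> Packet:
    return Packet("udp", esp.src, esp.dst, 4500, 4500)  # ESP carried inside UDP 4500

def delivered_to(router: PatRouter, pkt: Packet) -> Optional[str]:
    """Send pkt out through the router and report who receives the server's reply."""
    return router.inbound(reply_to(router.outbound(pkt)))

if __name__ == "__main__":
    esp = Packet("esp", "192.168.1.20", "198.51.100.5")
    for r, p in ((PatRouter(), esp), (PatRouter(True), esp), (PatRouter(), natt_wrap(esp))):
        print("reply delivered to:", delivered_to(r, p))
```
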

Is VPN Passthrough the Same as a VPN Client?

VPN passthrough and a VPN client are two different things. A VPN client is an application installed on your device that allows you to configure your VPN’s connection settings. It’s through the VPN client that you choose your server, adjust your settings, and enable the connection.

VPN passthrough is a feature on your router that allows VPN clients to connect to the server using older protocols. It’s enabled in your router’s settings.

What’s the Difference Between VPN Passthrough and a VPN Router?

A VPN router is simply a WiFi router with virtual private network (VPN) software installed on it. It encrypts all of the traffic that passes through your WiFi network, allowing you to protect all of your devices at the same time.

You can buy VPN routers with VPN software already installed on them, or you can flash some router models with custom firmware like OpenWrt or FreshTomato. VPN routers support modern VPN protocols like OpenVPN and WireGuard, and they provide other advanced functionalities, too.

VPN routers are the endpoint of the VPN connection; the VPN tunnel is established between the VPN server and the router. In effect, the router acts as the VPN client. This is useful when devices such as games consoles, smart TVs, or IoT devices need to connect to a VPN but do not support applications natively.

This is very different from VPN passthrough, which is a feature on normal routers that allows VPN traffic to literally pass through the router. In this case, the VPN client is on your device.

Should VPN Passthrough Be Enabled?

Pros:

  • Allows you to connect to a VPN using older VPN protocols when the connection would otherwise be blocked by NAT.

Cons:

  • Weakens the security of your local network.
  • Can be complex to set up without previous technical experience.
  • Only necessary for outdated protocols which are already insecure.
  • Requires port forwarding to be enabled on the router.

Your system will always be more secure without VPN passthrough enabled. A VPN passthrough opens ports in your local firewall that would otherwise be inaccessible – the fewer ports that are open for communication, the more secure you are.

It also requires port forwarding to be enabled on your router, which comes with its own security risks. For example, PPTP passthrough uses TCP port 1723. If you regularly connect to and disconnect from the VPN, this port might stay open longer than necessary, which exposes your network to attacks.

However, if you are going to enable this feature, we recommend using Private Internet Access as it’s a trusted VPN service and, unlike many other VPNs, PIA allows port forwarding for all of its users.

VPN passthrough also relies on outdated protocols and technologies that are seldom subject to updates. They’re less likely to be patched for security vulnerabilities, and much less secure than modern equivalents.

These outdated VPN protocols can be hacked and should only be used when absolutely necessary. If the VPN passthrough is not being actively used, it should be disabled immediately.

The feature is most commonly used in professional or commercial situations alongside a remote-access VPN. If the company’s VPN uses an old protocol like IPsec or PPTP, you’ll need to set up a VPN passthrough to successfully connect to the office using the VPN.

When to use a VPN passthrough:

You should use a VPN passthrough only when you need to establish a VPN connection that does not support modern VPN protocols. If you’re in a professional situation that’s reliant on outdated technology and does not involve sensitive information, you can use VPN passthrough.

When not to use a VPN passthrough:

You do not need to enable VPN passthrough when using consumer VPN services, installing a VPN on your router, or connecting to a VPN using modern protocols. If you have access to modern hardware that supports the latest protocols, then you should use those instead of VPN passthrough.

How to Enable or Disable VPN Passthrough on Your Router

If it’s absolutely necessary to enable VPN passthrough on your router, follow these instructions:

1. Find the IP Address of Your Router

The IP address of your router can be found in the network settings of your device. Every brand has a different user interface, but it is usually listed as the ‘default route’ or ‘gateway’.

In the following example, the address of the router is 192.168.1.1:

You can find your router’s IP address in your device’s network settings.

2. Log In to the Router Settings Dashboard

Open a web browser and enter the IP address of the router. It should present you with a login screen. Enter your router’s default login credentials, which should be written on the back of the router. Usually, the default username is admin and the default password is password.

Linksys login interface.

3. Find the VPN Section

Every router has a different interface. The VPN passthrough setting is usually under the ‘security and firewall’ option on most routers. Some cheaper routers do not support VPN passthrough, so refer to your router’s manual if you can’t find the settings menu.

We found the Linksys VPN passthrough feature in the security menu.

4. Configure the VPN Settings

Different protocols and ports will be required to enable the VPN passthrough, depending on the type of VPN you’re using. Click enable or disable next to the protocol that your VPN uses and then press ‘apply’.

  • IPSec Passthrough: This allows IPSec VPN traffic to pass through the router. It requires opening UDP port 500 and port 4500 for IKE and NAT traversal.
  • PPTP Passthrough: This allows PPTP VPN traffic to pass through the router. It operates on TCP port 1723.
  • L2TP Passthrough: This allows L2TP VPN traffic to pass through the router. It requires opening UDP ports 500, 4500, and 1701 for proper functioning.

Linksys protocol settings menu.

5. Restart the Router

Unplug your router for 10 seconds and then plug it back in. The new settings – including the VPN passthrough – should take effect upon restart.

FAQs

Does VPN Passthrough Affect Gaming?

VPN passthrough only helps establish a VPN connection in certain circumstances; it does not affect your gaming experience. If you are experiencing high latency and slow performance, it is probably due to connecting to a VPN server that is physically located far from your location.

What Is a NAT Passthrough?

NAT passthrough is another name for VPN passthrough. Since older VPN protocols do not provide enough information to NAT about where to deliver data packets, NAT drops them – thereby blocking the connection. If you configure the VPN connection to pass through the router, it bypasses NAT, too. Hence, it is sometimes called NAT passthrough.

What Is IP Passthrough Mode?

Most routers provided by ISPs act as a modem, router and wireless access point simultaneously. Enabling IP passthrough mode switches off the router and wireless access point functionality. This provides greater flexibility to users with alternative equipment they want to use instead. IP Passthrough mode should not be enabled unless you want to use a separate router for your network.

What Happens If I Disable VPN Passthrough?

Disabling the VPN passthrough feature on your router will prevent you from establishing VPN connections using the IPsec, PPTP, and L2TP protocols. Some ports on your router firewall will be blocked, making your network more secure. You will still be able to use modern VPN services that do not depend on VPN passthrough.