What is VPN Passthrough on Router – Do You Need It?
- VPN passthrough is a configuration setting found in routers that allows VPN connections to pass through the Network Address Translation (NAT) system. It’s essential for old VPN protocols like PPTP, IPSec, and L2TP.
- Modern routers manufactured in the last 10 years do not require VPN passthrough. New VPN protocols like OpenVPN and WireGuard do not need passthrough configuration.
- If you use a modern VPN protocol and a new Wi-Fi router, you don’t need to worry about passthrough. VPN routers are also an alternative.
VPN passthrough is a software configuration that allows VPN traffic to pass through a router. It’s a concept that most users don’t need to worry about. However, it is a critical element in home networking and every user should know at least what it is.
In this short article, we take you through the what, how, and why of the VPN passthrough feature.
What is VPN Passthrough?
VPN passthrough is a networking feature that allows your VPN connection to pass through the router. In other words, it enables an outbound VPN connection through your router, especially if you’re using older VPN protocols like IPSec, PPTP, or L2TP. Without passthrough, your VPN traffic will not be able to communicate with the router.
Here’s an example that simplifies VPN passthrough. Assume you have an internet connection that is relayed wirelessly through a Netgear Wi-Fi home router. You install a VPN on your computer and for some reason choose the L2TP protocol. You switch on the VPN and surf the web.
As expected, the VPN will encrypt your connection and tunnel it through a private network. However, when this connection tries to pass from your computer to your Netgear Wi-Fi router, the router may or may not understand it. The mapping system within the router (called NAT, explained below) will reject the tunneled and encrypted connection. In other words, your VPN connection will not be completed, making you vulnerable to privacy and identity attacks.
In case a passthrough is not available in your Netgear router, you will not be able to effectively use the VPN. This is largely because of the incompatibility between older networking technologies.
On the other hand, if your router has a VPN passthrough, you just need to enable it. (Most routers sold today come preloaded and preactivated with passthrough.) This will let the repackaged virtual private network connection (encryption + tunneling) pass through the router. As you can guess, this is how it gets its name.
If you’re using a router model that was launched a few years ago, you don’t need to worry about passthrough. However, if you use an old model (older than 2010), you will need to consider upgrading it or finding a way to activate NAT passthrough.
How Does VPN Passthrough Work?
The need for VPN passthrough emerged due to the shortage of IPv4 addresses. To aid free communication over the internet, a workaround to this shortage was invented. Called NAT or Network Address Translation, it acts as a mapping system. The NAT configuration aggregates and forwards connections, thus helping a router communicate with multiple devices at once.
Do you connect multiple devices to the internet via your home Wi-Fi router? You should thank NAT. Read on to find out how VPN passthrough works.
NAT and VPN Passthrough Feature: Where It Comes From
While Network Address Translation solved the IP shortage issue even before IPv6 addresses arrived in 1998, another problem came up. This involved virtual private networks. NAT requires some information from the incoming communication to do its magic, i.e., mapping.
With a VPN connected, NAT is unable to extract essential information from the repackaged data packets. Compare a regular connection with an encrypted connection. In the second one, you have encryption and tunneling combined into one. This type of repackaging is difficult for NAT to analyze and extract data from. Such a setup requires additional configuration where the VPN communication is “dumbed down” for NAT. This configuration that makes it easier for NAT to understand VPN traffic is called VPN passthrough. The process is called NAT traversal.
As it stands, passthrough enables network address translators to make sense of a VPN connection. While most routers automatically configure it, you may need to manually enable VPN passthrough in some cases.
You should also know that passthrough modifies the connection and not NAT. Modern VPN protocols like OpenVPN and WireGuard do not need passthrough.
Why and When Do You Need VPN Passthrough?
It might seem like everything was going right with your VPN till now. You have a VPN installed and you are using it to unblock streaming sites. And now suddenly you read about passthrough. Do you actually need it?
The answer depends on multiple factors. You need a passthrough only if:
- You use outdated VPN protocols like PPTP and L2TP
- You have an outdated, pre-2010 router
- You use an outdated operating system
- You use a DIY VPN
If your router model is from the last five years, you don’t have to do anything.
Notes on PPTP Passthrough and IPSec Passthrough
Depending upon what protocol you choose, you need to ensure that the corresponding passthrough is activated. This will allow your virtual network connection to traverse the NAT.
This is why we advise you to enable all types, including PPTP and IPSec passthrough, in your router settings. Essentially, it reconfigures the Generic Routing Encapsulation (GRE) and Transmission Control Protocol (TCP).
Without getting into further technicalities, suffice it to say that activated passthrough for any protocol helps the VPN connection cooperate with NAT. This lets you use your VPN efficiently.
It’s good to note that PPTP, IPSec, and L2TP lack internet protocol security features, making them a poorer alternative to OpenVPN and WireGuard.
PPTP Passthrough: How It Works
Enabling the PPTP passthrough feature in a router allows Point-to-Point Tunneling Protocol (PPTP) connections. It creates a call ID to act as a port that is essential for NAT mapping. This call ID in the modified header of the data packets gives the required information to NAT, thus allowing the VPN traffic (outbound PPTP connections) to pass.
PPTP passthrough basically uses a unique call ID to make up for the lack of ports and valid private IP addresses in the PPTP VPN technology.
You should not disable PPTP passthrough in any case. Doing so can put you at risk of security threats.
L2TP and IPSec Passthrough: How It Works
For IPSec and Layer 2 Tunneling Protocol (L2TP), the software configures NAT-T (the T stands for Traversal) over User Datagram Protocol (UDP). Since NAT can recognize UDP, it can extract all the needed information from NAT-T (IPSec packets) to allow the VPN traffic to pass.
You should enable IPSec passthrough in your router if you use an IPSec-based VPN.
Note – There is not much difference between IPSec passthrough and other types. Different configurations exist to enable different VPN protocols to communicate with NAT.
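The two "How It Works" sections above can be seen at the packet level in the following added example, which is not part of the original article or any router's firmware. It parses constructed IPv4 packets and reports what a port-based NAT can key on: a source port for TCP and UDP (including IPSec wrapped in NAT-T and WireGuard), the Call ID for PPTP's GRE data channel, and nothing usable for raw ESP. The protocol numbers, the 0x880B GRE type, and ports 1723, 4500 and 51820 are the standard values for these protocols rather than values from the article; addresses, Call ID and SPI are made up.

```python
import struct

TCP, UDP, GRE, ESP = 6, 17, 47, 50   # IANA IP protocol numbers
PPTP_GRE_TYPE = 0x880B               # protocol type in PPTP's enhanced GRE header (RFC 2637)
NAT_T_PORT = 4500                    # UDP port used by IPsec NAT-T (RFC 3948)

def nat_view(packet: bytes):
    """Return (kind, key, has_ports) as a port-based NAT sees an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4     # IPv4 header length in bytes
    proto, body = packet[9], packet[ihl:]
    if proto in (TCP, UDP):
        sport, dport = struct.unpack("!HH", body[:4])
        if proto == UDP and NAT_T_PORT in (sport, dport):
            return ("esp-in-udp", sport, True)    # NAT-T: ordinary port mapping works
        return ("tcp" if proto == TCP else "udp", sport, True)
    if proto == GRE:
        _flags, ptype, _length, call_id = struct.unpack("!HHHH", body[:8])
        if ptype == PPTP_GRE_TYPE:
            return ("pptp-gre", call_id, False)   # no ports; Call ID stands in for one
        return ("gre", None, False)
    if proto == ESP:
        # No port field, and the visible SPI differs per direction, so replies cannot be matched.
        return ("esp", None, False)
    return ("other", None, False)

def ipv4(proto: int, body: bytes) -> bytes:
    """Build a constructed sample packet: minimal IPv4 header (checksum left at 0) + body."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                         bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return header + body

ESP_BODY = struct.pack("!II", 0x1000ABCD, 1) + bytes(16)   # SPI, sequence, dummy ciphertext

# Constructed samples; addresses, ports, Call ID and SPI are made up for illustration.
SAMPLES = {
    "PPTP control (TCP 1723)": ipv4(TCP, struct.pack("!HH", 49152, 1723) + bytes(16)),
    "PPTP data (GRE)": ipv4(GRE, struct.pack("!HHHHI", 0x3001, PPTP_GRE_TYPE, 0, 0x1A2B, 1)),
    "IPsec ESP, no NAT-T": ipv4(ESP, ESP_BODY),
    "IPsec ESP over NAT-T": ipv4(UDP, struct.pack("!HHHH", 4500, 4500, 8 + len(ESP_BODY), 0) + ESP_BODY),
    "WireGuard (UDP 51820)": ipv4(UDP, struct.pack("!HHHH", 50000, 51820, 8, 0)),
}

def survey():
    """Map each sample name to what the NAT can key on."""
    return {name: nat_view(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, view in survey().items():
        print(f"{name:26} {view}")
```

The rows where has_ports is False are the traffic types a router needs a passthrough helper for; the rest are handled by ordinary port mapping.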
How to Enable or Disable VPN Passthrough?
To switch the VPN passthrough setting on or off in your router, follow these steps:
- Access your router’s settings (usually via an online interface)
- Go to the security or network security section
- Look for PPTP Passthrough, IPSec Passthrough, or L2TP Passthrough under VPN
- Enable or disable passthrough for the required protocol
You can configure your router settings to enable or disable PPTP passthrough and other types.
We recommend configuring the settings of your router and enabling passthrough for all VPN protocols. Passthrough settings may differ for different router manufacturers. You should check your router’s manual for instructions.
In case you are unable to find the configuration settings, consider contacting your router manufacturer. In the worst case, you may have to buy a new one.
Note – Modern routers have built-in VPN passthrough or auto-enable it when they detect VPN tunneling.
Why Do Some Routers Need a VPN Passthrough?
Ancient routers (manufactured before 2010) do not have the built-in capability to understand a secure connection. This is because the NAT function in these routers is not able to gather the required information from such a connection. As a result, VPN operations fail in these old routers. Passthrough fixes this issue.
Routers That Support VPN Traffic (Passthrough)
- Netgear DGN1000
- Cisco RV016
- TP-Link TL-WR845N
- D-Link DIR-615
- Tenda AC10
Most modern routers (manufactured from 2011 onwards) support VPN passthrough. Brands such as Netgear, Linksys, TP-Link, D-Link, and Cisco produce routers with built-in NAT passthrough.
Alternatively, you can buy a VPN router that comes with built-in VPN functionality. The advantage is that you can enjoy VPN across all your devices.
Should VPN Passthrough Be Enabled?
Yes, the VPN passthrough feature must be enabled in your router if you want to use your VPN. This is applicable only if you’re using older VPN technology like IPSec or PPTP protocols. If you do not enable passthrough, your router will prevent you from establishing a VPN tunnel.
If you do not use a Wi-Fi router, you don’t need to worry about passthrough.
Should You Disable VPN Passthrough?
We advise that you keep VPN passthrough enabled at all times. However, if you wish to stop a device from using a VPN in your small office, home office (SOHO) network, you can disable it.
What happens if I disable passthrough, you ask? Turning passthrough off will also lead to closed communication ports. This is not recommended if you plan to use a proxy remote network. In networking, passthrough is usually switched off for security reasons.
What is the Difference Between a VPN Passthrough and a VPN Router?
The confusion between the two is understandable. But there’s a very clear difference between a VPN router and passthrough:
- A VPN router is a router with a built-in VPN client
- VPN passthrough is a router setting that accepts VPN connections from another device
Moreover, passthrough is a small setting in a router. Enabling or disabling it will not give you an encrypted or tunneled connection. You will need to install a VPN client for that.
Frequently Asked Questions
Here are answers to a few more questions related to passthroughs.
Do I need a VPN passthrough?
Yes, you’ll need VPN passthrough if you use an outdated tunneling protocol or router. You’ll have to either manually enable it on your router or upgrade your router. Regardless of why you use a VPN (say, to access a remote network), you’ll need NAT passthrough to use it effectively via your router.
What is the difference between a VPN and a VPN passthrough?
A VPN is an application that provides data encryption and tunneling services to keep you anonymous. You install a VPN on a device like a computer or a smartphone. Passthrough is a router feature that allows unobstructed passage of VPN traffic.
Does a VPN passthrough slow internet?
No, VPN passthrough does not slow down an internet connection. Instead, it helps improve the speed by facilitating faster virtual connections.
Is VPN passthrough safe?
You need VPN passthrough when you use an outdated VPN protocol. However, these protocols such as PPTP and L2TP are not secure and are no longer used widely. If you use secure protocols like OpenVPN, you don’t need a passthrough.
What is a passthrough router?
It is a router that has built-in passthrough functionality. It can also mean software that automatically detects the type of connection and enables the passthrough accordingly. All modern Wi-Fi routers are passthrough routers.
Do all routers have VPN passthrough?
No, old routers do not have the passthrough feature and therefore do not accept encrypted connections. In such cases, you’ll need to activate or force-install it. In the worst case, you may need to upgrade your router.
Does my router have passthrough? How do I check?
You can check if your router has the passthrough feature by accessing your router settings. It’ll be found in the security or VPN settings. Look for IPSec Passthrough, PPTP Passthrough, and L2TP Passthrough and ensure that they’re enabled.
Is VPN passthrough the same as a VPN client?
Should I turn off NAT?
No, turning off NAT in your router will stop your internet connection. Since NAT is responsible for redirecting internet traffic to your router-connected devices, you should never switch off NAT.
What is a NAT passthrough?
NAT passthrough is another name for VPN passthrough. Both terms can be used interchangeably.
What is IP passthrough mode?
IP passthrough mode is a router feature that allows you to switch off its routing and wireless access point functionalities. It then just acts as a modem to deliver the internet to you. You’ll need a separate Wi-Fi router for routing.
Is there a need to configure my VPN connection settings for VPN passthrough?
No, you don’t need to configure your VPN app settings for passthrough. It’s something that you do on your router’s configuration settings.
Does VPN passthrough affect gaming?
No, VPN passthrough does not affect gaming in any way. If you’re facing high latency or laggy video game performance, the encrypted connection or the VPN server choice might be the cause. Try switching to a nearby VPN server for the best results.
VPN and privacy researcher