Summary: A VPN passthrough enables encrypted VPN traffic through firewalls but poses security risks. What are the alternatives? Read the full guide for secure solutions.
A VPN passthrough is a router feature that allows data encrypted by VPN protocols to pass network firewall filters.
Passthroughs were once essential to work around router limitations. Improved protocols and security technology have made them less critical. However, some situations still involve the VPN passthrough setting.
After reading this article, you will:
A VPN passthrough is a router feature that allows outbound VPN traffic to pass through a network firewall.
Passthroughs allow businesses to connect devices to VPNs without compromising firewall protection. Users can encrypt traffic leaving the network and hide their activity. The firewall filters other inbound and outbound traffic normally.
Think of a VPN passthrough as a secret passage. Only authorized users can access the passage, and external actors cannot see where it leads.
Sometimes, compatibility issues arise between VPNs and network routers. Some routers do not support VPN protocols.
VPNs rely on protocols to encrypt and transport data. VPN clients must establish connections with VPN servers outside the network boundary. This leads to problems when Network Address Translation (NAT) setups cannot handle VPN protocols.
NAT assigns a public IP address and sends data to its destination. Unfortunately, older VPN protocols can derail this process. NAT is unable to route packets to their final destination. Instead of creating an encrypted tunnel, routers block data packets and return them to the source.
A VPN passthrough solves this problem. Passthroughs allow routers to recognize protocols like IPSec, L2TP, or PPTP. When the VPN passthrough is engaged, encrypted traffic can pass across the network edge, protecting user data.
Note: Advanced protocols like OpenVPN and WireGuard avoid the need for a VPN passthrough. Modern VPN protocols work with NAT, allowing outbound traffic to the VPN server.
Not all routers need a VPN passthrough, but some do. It's important to know whether your routers support VPNs, as configuration issues can expose sensitive data to cyber attackers.
The good news is most routers include a VPN passthrough option. In practice, only very old routers lack passthrough capabilities (and you should probably replace those devices for security reasons).
The bottom line is that you need to enable passthrough for older VPN protocols like IPsec or PPTP. Modern protocols and more secure alternatives make this unnecessary.
If you do need passthrough functionality on your router, choosing the right type matters. That's where we will turn next.
VPN passthroughs deal with different VPN protocols. There is no one-size-fits-all passthrough design, as protocols operate differently. Here are the three main versions:
The point-to-point tunneling protocol (PPTP) uses the Transmission Control Protocol (TCP) via Port 1723 and the Generic Routing Encapsulation (GRE) protocol.
GRE does not require a specific port or IP address to create a PPTP connection. NAT requires a port number and IP address—creating a conflict. That's where a PPTP passthrough becomes essential.
The PPTP passthrough feature solves this conflict by assigning a Call ID to GRE headers. The router sees this Call ID as a port number and allows traffic through the firewall.
Users implement a PPTP passthrough via their router firmware. Here’s how to do so:
IPSec (Internet Protocol Security) passthroughs use NAT-Traversal (NAT-T) technology.
NAT-T packages data using the User Datagram Protocol (UDP) to wrap IPSec data. The NAT router can recognize this format but cannot understand encrypted IPSec traffic.
IPSec passthroughs use UDP port 4500 to establish an IKE packet exchange. IKE exchange allows the router to assign a private IP address for IPSec traffic while underlying payloads remain untouched.
Users also implement an IPSec passthrough via router firmware. To do so:
The L2TP VPN passthrough resembles the process for PPTP. In this case, passthroughs use Port 1701 to create a VPN connection.
VPN passthroughs assign a Session ID to UDP packets passing over the port. This Session ID substitutes for the port number, allowing transfers via the NAT router.
VPNs and VPN passthroughs sound similar, but they are very different technologies. Passthroughs only allow VPN traffic from internal networks to the public internet. That's all they do.
Virtual Private Networks are far more powerful network security tools. VPN companies operate servers across the world. The VPN server transports encrypted data and assigns new IP addresses, effectively making users anonymous.
Users generally access the VPN server via a locally-hosted VPN client. VPN software uses protocols to encrypt and send data to servers. A VPN passthrough feature smooths that process.
Companies may also choose to install a VPN router. VPN routers operate on the internal network and eliminate the need to install a VPN client on every device. The router encrypts and anonymizes data and connects with external VPN services.
Passthroughs are not usually needed if you run a VPN router. They may be necessary if you rely on separate clients for devices connected to a standard network router.
Let's assume you continue using PPTP or IPSec and must traverse a typical NAC router. Does this impact your network security status, and should you take action in response?
Firstly, passthroughs are more secure than disabling NAC. This would solve the routing issue, but NAC manages traffic efficiently, conceals IP addresses from the public internet, and allows easy IP changes for network users.
Don't even think about disabling NAC. Even so, VPN passthroughs generally leave networks more exposed to cybersecurity threats. There are a few reasons why this happens.
That sounds worrying. However, the best practices below should ensure a secure passthrough setup:
Another way to avoid the security problems above is to use an alternative solution for outbound VPN traffic. Common alternatives include:
A VPN passthrough may be necessary to connect older devices or applications and allow remote work. But more advanced alternatives exist. Options include the tools above and modern VPN protocols that render passthroughs obsolete.
One thing hasn't changed—companies must secure connections without compromising firewall performance. As cyber threats mount, protecting data transfers is becoming more important than ever.
NordLayer provides a flexible solution to secure remote connections and optimize efficiency. Our business VPN uses a variant of the WireGuard protocol, with no need to configure a VPN passthrough.
Secure gateways connect remote devices to on-premises and cloud assets. Strong encryption and IP address anonymization keep transfers completely secure. Access controls and Firewall-as-a-Service implement Zero Trust Network Access principles—blocking unknown and unauthorized connections.
Forget about VPN passthrough issues. Our simple, scalable, secure solution protects data and streamlines security management. To find out more, contact the NordLayer team today.
No. As a rule, companies should minimize the need for a VPN passthrough.
Passthroughs rely on outdated VPN protocols and create serious security vulnerabilities. Instead, security teams should invest in a modern router or investigate secure remote access solutions.
Only enable a VPN passthrough if bypassing your firewall is necessary. You may need a point-to-point tunneling protocol (PPTP) passthrough for remote access or operating devices that rely on the PPTP VPN protocol.
If possible, update your setup to accommodate newer protocols. Only use the VPN passthrough as a temporary solution.
Turning off the VPN passthrough is rarely a problem.
Turning off a VPN passthrough can prevent encrypted data transfers through your network firewall. The VPN passthrough allows transfers across older VPN connection types. If the VPN passthrough fails or is not activated, the VPN connection will lapse.
This can cause problems for remote workers who rely on their VPN client to establish outbound VPN connections. In some cases, users may backslide to less secure connection methods.
Generally, choosing to enable VPN passthrough is worse than turning it off. Advanced VPN protocols and tools like IAM provide reliable connectivity and improve security.
Joanna Krysińska
Senior Copywriter
A writer, tech enthusiast, dog walker, and amateur pastry chef, Joanna grew up in a family of engineers and mathematicians, so a techy mind is in her genes. She loves making complex tech topics less complex and digestible. She also has a keen interest in the mechanics of cybercrime.
Subscribe to our blog updates for in-depth perspectives on cybersecurity.
