There are routers that establish a VPN connection (VPN router). Any device connected to the router will automatically establish a VPN connection. The VPN client or software is already pre-installed in the router. The VPN router actively establishes a VPN connection.
However, there are also routers that cannot establish a VPN connection. A VPN passthrough is required here. As the name “Passthrough” suggests, VPN traffic passes through this feature. It can be said that a VPN passthrough functionally extends the router.
The VPN passthrough is a passive enabler for VPN traffic. When it is active, the traffic the router receives is passed through to the Internet and reaches the VPN gateway. VPN passthrough is often used in Internet gateway devices for small businesses as well as in private VPN routers.
This function is used especially in home networks. Most routers available on the market have a built-in VPN passthrough.
In summary, this means that there are two main types of routers: those that accept a VPN connection and those that do not.
VPN protocols and port numbers
Depending on the type of VPN, different protocols and ports are used to ensure that the VPN traffic “flows”:
VPN routers support the following technologies:
- IPsec (Internet Protocol Security)
- PPTP (Point-to-Point Tunneling Protocol)
- L2TP (Layer Two Tunneling Protocol)
You can configure this type of router to work as a VPN server or create a site-to-site VPN with another VPN gateway.
A VPN passthrough works with:
- PPTP
- IPsec: uses UDP port 500 for IKE and port 4500 for NAT traversal
- L2TP
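The protocol list above can be turned into a small traffic classifier, for example to audit which legacy VPN protocols are actually crossing a router. This is an added example, not part of the original article: only UDP 500 and 4500 come from the text, the other port and IP protocol numbers are the standard assignments, and the packets are constructed samples.

```python
import struct

# Standard IP protocol numbers and ports for the VPN types named above.
# Only UDP 500/4500 appear in the article; the rest are well-known assignments.
PORTLESS = {47: "GRE (used by PPTP)", 50: "IPsec ESP", 51: "IPsec AH"}
PORTS = {(6, 1723): "PPTP control", (17, 500): "IPsec IKE",
         (17, 4500): "IPsec NAT traversal", (17, 1701): "L2TP"}

def classify(packet: bytes):
    """Return (label, has_ports) for a raw IPv4 packet, or None if not VPN traffic."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    proto = packet[9]                     # IP protocol field
    if proto in PORTLESS:
        # No TCP/UDP ports: a port-based NAT has nothing to rewrite,
        # so the router needs protocol-specific passthrough handling.
        return PORTLESS[proto], False
    if proto in (6, 17) and len(packet) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", packet, ihl)
        for port in (dport, sport):
            if (proto, port) in PORTS:
                return PORTS[(proto, port)], True
    return None

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed test packet: minimal IPv4 header (checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, bytes([192, 168, 1, 10]),
                         bytes([203, 0, 113, 5]))
    return header + payload

# Constructed sample packets (documentation addresses, empty payloads).
SAMPLES = [
    build_ipv4(17, struct.pack("!HHHH", 500, 500, 8, 0)),        # IKE
    build_ipv4(17, struct.pack("!HHHH", 51000, 4500, 8, 0)),     # NAT traversal
    build_ipv4(6, struct.pack("!HH", 49152, 1723) + bytes(16)),  # PPTP control
    build_ipv4(47, bytes(8)),                                    # GRE
    build_ipv4(50, bytes(8)),                                    # ESP
    build_ipv4(6, struct.pack("!HH", 49152, 443) + bytes(16)),   # HTTPS, not VPN
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt))
```

The `has_ports` flag separates traffic an ordinary port-translating NAT can handle from traffic that depends on the router's passthrough feature.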
What are the advantages & disadvantages of VPN passthrough?
VPN passthrough is especially useful in home networks and for small businesses that do not have VPN routers. It is required if you want to use a VPN that uses the IPsec or PPTP protocols.
At the same time, companies want to establish a connection via VPN within their own network. Normally, these external accesses are protected by the firewall. With VPN passthrough, the VPN connection is established despite the firewall.
Advantages of VPN Passthrough
- The data packets coming from the VPN client reach the Internet encrypted.
- An outgoing VPN connection is automatically established in the private network.
- The connection can be established from all devices without opening ports.
- VPN protocols such as PPTP, IPsec and L2TP do not normally work with NAT. A VPN passthrough still makes it possible to work with NAT. NAT is required so that everyone uses the same online connection and IP address.
- PPTP Passthrough function allows PPTP to be routed through the NAT router.
- If you use an older VPN protocol that is not supported by the router, passthrough will help. This is often the case with free VPN providers. Without VPN passthrough, encryption and privacy are not sufficient.
Disadvantages of VPN Passthrough
- There are already faster and more secure protocols that make VPN passthrough largely redundant.
- Good VPN providers always offer customers access to the latest network protocols.
- If you forget to switch the VPN protocol before connecting to the server, the connection will not be encrypted correctly. The PPTP connection then passes through the router by mistake. If you want to be absolutely sure, it is better to disable PPTP passthrough. This way you make sure that the connections are properly encrypted.
What is IPsec passthrough?
IPsec passthrough is a feature to establish IPsec connections across NAT boundaries – similar to NAT traversal. It was developed because there were problems with secure data transmission of IPv4 addresses over IPsec.
Unfortunately, NAT exchanges the IP addresses and TCP or UDP ports of the IP packets. This results in changed information in the IP header. The compatibility of the data is no longer given and invalid packets occur. So a solution had to be found!
The NAT routers involved simply pass certain IPsec (Internet Protocol Security) packets through with IPsec passthrough.
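Why the rewritten header produces invalid packets can be shown with a simplified model. This is an added example, not from the original article: it uses HMAC-SHA256 over a few fields instead of the real AH/ESP wire formats, and the key and addresses are constructed. When the integrity value covers the IP addresses (as IPsec AH does), a NAT rewrite breaks verification; when it covers only the protected payload and the packet is wrapped in UDP port 4500, the rewrite is harmless.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-shared-key"   # constructed sample key, not a real IPsec SA

def icv(data: bytes) -> bytes:
    """Integrity check value over the given bytes."""
    return hmac.new(KEY, data, hashlib.sha256).digest()

def addr(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed

def ah_style_send(src, dst, payload):
    """Integrity value covers the IP addresses as well as the payload."""
    return {"src": src, "dst": dst, "payload": payload,
            "icv": icv(addr(src) + addr(dst) + payload)}

def ah_style_verify(pkt):
    expected = icv(addr(pkt["src"]) + addr(pkt["dst"]) + pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])

def natt_style_send(src, dst, payload, sport=4500, dport=4500):
    """Integrity value covers only the payload; the outer UDP header
    (port 4500) gives the NAT router ports it is free to rewrite."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": payload, "icv": icv(payload)}

def natt_style_verify(pkt):
    return hmac.compare_digest(icv(pkt["payload"]), pkt["icv"])

def nat(pkt, public_ip, public_port=None):
    """Source NAT: rewrite the source address and, if present, the source port."""
    out = dict(pkt, src=public_ip)
    if "sport" in out and public_port is not None:
        out["sport"] = public_port
    return out

if __name__ == "__main__":
    a = ah_style_send("192.168.1.10", "203.0.113.5", b"data")
    print("AH-style after NAT:", ah_style_verify(nat(a, "198.51.100.7")))
    n = natt_style_send("192.168.1.10", "203.0.113.5", b"data")
    print("NAT-T-style after NAT:", natt_style_verify(nat(n, "198.51.100.7", 62000)))
```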
What is a Remote Access VPN?
A Secure Remote Access VPN is a remote VPN connection to a local network. External employees (e.g. on business trips or customer meetings) can establish a secure connection to the company network via Secure Remote Access VPN. Individual connections are established from various end devices into a central VPN gateway.
What is a Site-to-Site VPN?
Site-to-site VPN uses IPsec to establish an encrypted tunnel from a customer network to the customer’s remote site. It is similar to the Remote Access VPN. However, it works only with one user. By comparison, multiple users are allowed in Remote Access VPN.
Enable VPN Passthrough
- Log in to your router program or the user interface of your router, such as a Fritzbox. Select VPN > VPN Passthrough.
- Do not forget to save!
Then, optionally, enable each protocol you want to use individually:
- IPSec Passthrough: Tick the check box for IPSec Passthrough in the “VPN Passthrough” area.
- PPTP passthrough: Tick the check box for PPTP passthrough to allow PPTP tunnels to pass through the router.
- L2TP passthrough: Tick the check box for L2TP passthrough to allow L2TP tunnels to pass through the router.
Conclusion about VPN Passthrough
A VPN passthrough helps support the VPN protocols of the past. Likewise, it helps to make protocols compatible with NAT. BUT!
It must be clearly stated that today protocols such as PPTP and L2TP are no longer standard. You simply should not rely on outdated protocols. For these reasons, it is no longer necessary to use a VPN passthrough.
Nowadays, there are reliable VPN providers that offer modern protocols. They work seamlessly with NAT. They also offer better protection and speed.