What is a VPN Passthrough?

A VPN passthrough is a router feature that allows VPN traffic from any device connected to that router to pass through it and reach a remote network.

How Does a VPN Passthrough Work?

A VPN passthrough relies on NAT (Network Address Translation), which is built into most standard routers. NAT is the process of mapping private IP addresses to a public IP address before any information can be transferred.

PAT (Port Address Translation) is similar to NAT. The main difference is that private IP addresses are mapped to the public IP address using unique source port numbers.

In order to function correctly, NAT technology relies on specific information about the connections exiting and entering your router. Outdated VPN protocols encrypt the connection and prevent NAT from working properly. As a result, traffic is not able to pass through. 

This issue is commonly found on home routers, creating major security gaps for organizations that allow remote access work and IT monitoring of employees. A VPN passthrough can go around these restrictions in order for NAT to access information in IP packet headers. 

Let’s briefly discuss a few other VPN protocols that can also help bypass the encrypted connections.

Looking to secure your remote workforce?

What is IPsec Passthrough?

IPsec passthrough establishes safe IP connections over gateways using a technique known as Network Address Translation-Traversal (NAT-T). NAT-T ensures that traffic is sent to the specified destination when a device does not have a public IP address. NAT-T encapsulates IPsec packets with the User Datagram Protocol (UDP) to assist in the exchange of messages between computing devices in a network. 
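The NAT/PAT limitation and the NAT-T fix described above, as an added example (not code from the original page): a toy port-only translator finds nothing to rewrite in a raw ESP packet (IP protocol 50), while the same packet wrapped in UDP port 4500 gets its own public port. The class and function names, addresses and SPIs are constructed for illustration; the UDP/4500 framing follows RFC 3948.

```python
import struct

ESP, UDP = 50, 17        # IP protocol numbers
NAT_T_PORT = 4500        # UDP port used for NAT-T (RFC 3948)

class Pat:
    """Toy port address translator keyed on (private IP, source port)."""
    def __init__(self, public_ip):
        self.public_ip, self.table, self.next_port = public_ip, {}, 40000

    def outbound(self, proto, src_ip, payload):
        if proto != UDP:
            # Raw ESP begins with SPI + sequence number: no port to rewrite.
            raise ValueError(f"IP protocol {proto} has no port field")
        sport, dport, length, _ = struct.unpack("!HHHH", payload[:8])
        public_port = self.table.setdefault((src_ip, sport), self.next_port)
        if public_port == self.next_port:
            self.next_port += 1
        header = struct.pack("!HHHH", public_port, dport, length, 0)
        return self.public_ip, header + payload[8:]

def esp_packet(spi, seq, ciphertext):
    return struct.pack("!II", spi, seq) + ciphertext

def nat_t_wrap(esp, sport=NAT_T_PORT):
    """Prefix ESP with a UDP header; checksum is sent as 0 per RFC 3948."""
    return struct.pack("!HHHH", sport, NAT_T_PORT, 8 + len(esp), 0) + esp

def classify_4500(data):     # what the payload of a UDP/4500 datagram carries
    if data == b"\xff":
        return "nat-keepalive"
    if data[:4] == b"\x00" * 4:
        return "ike"     # non-ESP marker precedes IKE messages
    return "esp"

def demo():
    pat = Pat("203.0.113.10")                  # constructed sample values
    esp_a = esp_packet(0x1001, 1, b"A" * 16)
    esp_b = esp_packet(0x2002, 1, b"B" * 16)
    try:
        pat.outbound(ESP, "192.168.1.20", esp_a)
        raw = "translated"
    except ValueError:
        raw = "dropped"
    outs = [pat.outbound(UDP, ip, nat_t_wrap(e))[1]
            for ip, e in (("192.168.1.20", esp_a), ("192.168.1.21", esp_b))]
    return raw, [struct.unpack("!H", o[:2])[0] for o in outs], classify_4500(outs[0][8:])

if __name__ == "__main__":
    print(demo())
```

Two hosts that both send from UDP source port 4500 end up on distinct public ports, which is what lets the translator route the replies back to the right device.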

IPsec passthrough allows you to connect devices that do not natively support IPsec to a VPN connection. IPsec passthrough router devices include built-in support for this protocol. IPsec passthrough server hosting providers enable a VPN server for this protocol.


IPsec Passthrough allows secure IP connections over routers using NAT before any information is transferred.


IPsec passthrough connections cannot be routed through the tunnel in both directions. Traffic can only travel in one direction, meaning you won’t be able to access sites hosted on remote servers. It also leads to higher latency as the data packets pass through encryption and decryption.

How to Configure IPSec Passthrough

You need to check the IPsec passthrough setting on your router and enter the data provided by your VPN service provider. Some routers only allow you to define a single port with an IPSec passthrough. The IPsec passthrough subnet is used to define the network to be routed through the tunnel.

What is PPTP Passthrough?

PPTP passthrough enables your VPN router to support Point-to-Point Tunneling Protocol connections. PPTP is a method of tunneling that enables one network device to communicate with another through the secure connection of an existing network. 

PPTP passthrough servers are used to host the tunnel so that devices can access it.


Advantages

  • PPTP passthrough helps improve overall performance
  • It is compatible with all major OS platforms including Windows, Mac, and Linux

Disadvantages

  • It is less secure than the SSTP passthrough connection, so users may need to rely on additional security features to stay safe.
  • PPTP is outdated and has major security vulnerabilities
  • Weaker encryption. PPTP was built with 128-bit encryption which can easily be hacked in a brute force attack

What is L2TP Passthrough?

Layer Two Tunneling Protocol or L2TP passthrough is another type of VPN passthrough that is similar to the PPTP passthrough because it adds a tunnel to any device that you would like to connect to your VPN network. It is a more secure protocol than its predecessors. 

Once set up, it behaves like the PPTP passthrough because all data sent across your connection will be encrypted and secure. L2TP passthrough ports are required for this type of connection. They are found under the “service type” section of a port forwarding table.


Advantages

  • The L2TP Passthrough connection offers increased security over the PPTP passthrough.
  • L2TP offers 256-bit key encryption
  • Ease of configuration
  • Highly stable and compatible with all major OS platforms

Disadvantages

  • L2TP passthrough connections can only travel in one direction
  • Limited on the number of ports.
  • Speed is a bit slower which also affects the data transfer process

How to Enable VPN Passthrough

The VPN passthrough setting might be labeled ‘Enable VPN passthrough’ or ‘Virtual server,’ and you can find it under the security tab of your device’s settings. The exact location of the setting will vary depending on your router model, but if you’ve enabled other types of VPN connections before — like a PPTP connection for example — you can enable this connection.

Some routers will allow you to set a different port. Some routers even let you select which device on your network should get routed through the VPN passthrough first before any other devices are serviced by the VPN.

How to Enable VPN Passthrough on a Router

To enable a VPN passthrough through your router, you’ll need to access your router’s settings. Once you’ve logged in to your router’s settings, look for the section that deals with VPN passthrough. Enable the passthrough, and enter the information for your VPN provider. Save your changes, and you are ready.

VPN Passthrough: Enable or Disable

You will need to go into the settings. Choose the option that says something like “VPN” or “VPN Settings.” You should see an entry for “Allow virtual private network connections through this device.” After clicking on it, you’ll see options that allow you to enable or disable your VPN passthrough.

What is The Difference Between a VPN Passthrough and a VPN Router?

A VPN passthrough is different from a VPN router in that it allows you to connect one additional device to your VPN connection. A VPN router keeps all devices on your network anonymous as they are connected through the encrypted VPN tunnel.

A VPN router is a device that supports and forwards VPN connections. It has built-in support for connecting to a VPN server, which means that all of your devices can connect through the encrypted tunnel of the VPN service provider. VPN routers serve a great purpose for securing devices across branch office locations and across the corporate network. 

All connected devices will require firmware which also gives IT the ability to distribute bandwidth based on traffic type. A VPN router supports the VPN passthrough by enabling devices to be connected directly to the VPN connection.

What is The Difference Between a VPN Passthrough and IPsec Passthrough?

The difference between a VPN passthrough and an IPsec passthrough is that an IPsec passthrough allows you to connect devices that do not natively support IPsec. A VPN passthrough is used when a device connects directly to a VPN server.

You can use a device with built-in support for IPsec passthrough to connect devices that do not natively support this protocol through a secure connection.

IPsec passthrough router devices are embedded routers that support this protocol for connecting through a VPN connection. Since the IPsec passthrough is compatible with the NAT protocol and offers greater levels of security, it has the overall edge.

Do You Need a VPN Passthrough?

Almost all modern routers have a VPN passthrough baked in, so the short answer is no. Protocols such as PPTP are outdated and come with a range of security concerns. If remote access is your priority, RDP (Remote Desktop Protocol) should be considered. It is easy to monitor and provides more secure access to sensitive company resources.

There are some advantages of a VPN passthrough, however. A VPN passthrough helps bypass the firewall of a router in order to access a remote network. If your router supports VPN passthrough (which it should), adding this feature to the device will encrypt all data sent to the connection and keep you protected.

Replacing Legacy VPNs with Zero Trust

Since a VPN passthrough comes prebuilt with most modern routers, it might not be the best fit for growing organizations that need to secure an entire network – and primarily secure remote teams.

As the need to connect more remote devices increases, legacy VPNs and other forms of traditional hardware become outdated.

This is when organizations turn to ZTNA (Zero Trust Network Access) to minimize the attack surface. 

Perimeter 81’s ZTNA framework eliminates threats by limiting unrestricted access and specifically defining user roles and permissions using the principle of least privilege.

Zero trust enables employees to access applications from any device securely. Learn how implementing and enforcing company policies using Perimeter 81’s Zero Trust approach can help secure your critical applications and infrastructure without the added expenses.

VPN Passthrough FAQ

What is a VPN passthrough?
A VPN passthrough is a router feature that allows devices connected to that router to establish an outbound VPN connection.

Should VPN passthrough be enabled?
A VPN passthrough should be enabled on your router if you need to connect devices through a VPN connection.

What is IPsec passthrough?
IPsec passthrough is a type of VPN passthrough that is used when you need to encrypt data before sending it across your network.

Simplify your network security today with Perimeter 81