What is a VPN passthrough? You may have heard about it on your online trail on the search for a VPN. Yet you do not know what it is or what it has to do with things. Fear not, for you have stumbled upon an article that will explain everything you need to know about it. Read ahead to find out what a VPN passthrough is, how it’s tied to router functionality, and how to enable it if you need it.

Table of contents

    What is a VPN passthrough?

    A VPN passthrough is an umbrella term for software that allows old VPN protocols and routers to work together. Without them, routers wouldn’t know what to do with VPN traffic. It’s 99.99% likely that you don’t need a VPN passthrough.

    How does a VPN passthrough work?

    A VPN passthrough provides a solution for when VPN and router don’t work together. Typically, a VPN connection would go from your device through your router to the world wide web and connect to a VPN server. However, when a VPN protocol doesn’t give the router (or, to be more precise, the router’s NAT – more on that in the next section) anything to work with, a connection becomes impossible. 

    That’s where a VPN passthrough becomes necessary. It isn’t a single thing, but a set of workarounds that make older tunneling protocols work with the router. And by “older protocols” we mean PPTP, IPSec, and L2TP.

    A diagram depicting old routers and VPNs not working together and showing that a VPN passthrough makes the connection possible.

    For example, a PPTP passthrough replaces GRE (a tunneling protocol used by PPTP) with enhanced GRE. That’s why when we’re talking about a VPN passthrough, we’re actually using an umbrella term that encompasses PPTP, IPSec, and L2TP passthroughs.

    Surfshark VPN doesn’t use those ancient protocols as they no longer provide the security that would be industry-standard. Instead, the app utilizes protocols like WireGuard, OpenVPN, and IKEv2, all of which account for NAT’s needs.

    A VPN passthrough: Where does it come from?

    A VPN passthrough exists because of old technologies that can’t play nice with each other. Mainly, it’s because IPv4 had issues that required the development of NAT (Network Address Translation) – and both of these technologies are still widely employed today.

    IPv4 is the fourth version of the Internet Protocol, a system of communication rules that allow computers to exchange information over a network, thus giving rise to the internet. But for a computer to have a presence on the internet, it has to have an IP address – how else would the data know where to go? 

    IP address exhaustion

    That’s where we run into a problem: address exhaustion. IPv4 uses 32-bit address space: what this gibberish means is that it can only support 4.3 billion IP addresses. Even back in 1983, people understood that it wasn’t enough – and we ran out of them in 2015

    And that’s why NAT was born. Instead of giving EVERY device – a computer, a smartphone, a baby camera, a fridge – a unique IP, you only give unique IPs to the routers. That IP is called the “public IP.” The devices get fake IPs – “private IPs” – that are only used for communicating with the router. And that’s the NAT’s area of interest.

    Graph showing how NAT in the router handles data packages from computers, smartphones, and internet of things devices.

    The NAT solution

    Network Address Translation is like a mail-aggregation-and-forwarding system that works in a router. It collects the data packages from connected devices, notes which fake IP sent what, slaps the router’s IP address on the package, and forwards it into the net. It then does the reverse for incoming data. That’s how the issue of address scarcity is avoided even in the day of everyone having three network devices (plus a tablet for the cat). 

    (As an aside, IPv6 was created to solve the issue, but its deployment started only recently.) 

    Here’s where the issues with a VPN arise. VPN tunneling protocols are a necessity if you want to create a private network that works via a public one. Those protocols re-package the data and encrypt it to make it actually private. However, this leaves the data package without information NAT needs to forward it. That’s why a VPN passthrough exists as a technical solution that allows VPN tunneling protocols to traverse NAT.

    If reading all this gave you the impression that the internet is a complex web of systems that don’t want to work together, and that it is full of various fixes, patches, and kludges that barely keep it functional, you’re absolutely right.

    Do you need a VPN passthrough?

    I would love to say that you don’t have to care about a VPN passthrough. Here’s why:

    Modern routers are made with passthroughs.

    Most routers you can buy these days come with a VPN passthrough already installed. Unless you’re using ancient systems, you should be fine.

    Only ancient protocols need it.

    PPTP, L2TP, and IPSec aren’t the newest technologies on the block. More modern protocols like OpenVPN and IKEv2 are smart enough to deal with NAT without special provisions.

    Premium VPNs use newer protocols.

    Take Surfshark as an example. Surfshark doesn’t even use PPTP, L2TP, or IPSec as they no longer provide a satisfactory level of security. Instead, it runs on Wireguard, OpenVPN, or IKEv2.

    Only matters for older computers.

    OpenVPN is supported on OSs as ancient as Windows XP. So if you use something older – probably because you work at a power plant and the Windows 98 computer is the only one running the emulator for turbine software.

    How do I enable a VPN passthrough

    So it happens that you need to have a VPN passthrough on your router. As a modern device, it’s likely to have it already. You may just need to turn it on. You can do it via the interface that controls all of the other functions of the router.

    Here’s how it looks on a TP-Link Archer 7 router:

    Every manufacturer provides a different interface, so check their website or your router manual!

    What’s the difference between a VPN passthrough and a VPN router

    These two are not even remotely similar things. 

    VPN passthrough: A software capability for the router to allow VPN traffic to pass it. It does not do any VPN operations itself. 

    VPN router: A router that a VPN client is installed on. Not all routers can support it, but many do. Want to learn more and possibly set one up at your own house? Read our article on VPN routers.

    In conclusion: VPN passthroughs – a thing of the past

    A VPN passthrough is a software capability that’s becoming less relevant with each passing day. It was a necessity when old VPN protocols did not work with NAT, which is basically the data traffic resolving system in your router. That’s why a VPN passthrough was a necessary functionality. Those old protocols are no longer the industry standard. Premium VPNs like Surfshark use newer, more secure protocols that work with NAT. Why not try it out yourself?

    Get a VPN that doesn’t need any passthroughs

    Get Surfshark


    Should a VPN passthrough be enabled?

    Unless you’re dealing with old VPN protocols like PPTP and L2TP and old routers, no. And you shouldn’t be using such old protocols anyway. 

    What is a VPN passthrough for IPSec?

    Old routers and basic IPSec don’t work together nicely, and a VPN passthrough is what makes them finally cooperate. 

    How do I turn on a VPN passthrough?

    Modern routers allow you to enable a VPN passthrough via the router settings menu that you can access via your browser by entering the router’s address. 

    Should I enable L2TP passthrough?

    Only if you really need it (have an ancient router or can’t use newer protocols for some reason). L2TP is an outdated protocol.