Surfshark VPN Passthrough graphic

What is VPN passthrough? You may have heard about it on your online trail on the search for a VPN. Yet you do not know what it is or what it has to do with things. Fear not, for you have stumbled upon an article that will explain everything you need to know about it.

There’s one context in which VPN passthrough matters, and that’s routers. To put it very simply, a router without it may not be able to support VPN traffic. Older VPN protocols don’t give the information the router needs to forward data. This is mostly a non-issue with newer protocols and new routers, but you may run into some issues with legacy technology.

Read ahead to find out what VPN passthrough is, how it’s tied to router functionality, and how to enable it if you need it.

VPN passthrough: where does it come from

VPN passthrough exists because of old technologies that can’t play nice with each other. Mainly, it’s because IPv4 had issues that required the development of NAT – and both of these technologies are still widely employed today.

IPv4 is the fourth version of the Internet Protocol, the system of communication rules that allow computers to exchange information over a network, thus giving rise to the internet. But for a computer to have a presence on the internet, it has to have an IP address that works as an identification number. Here, we run into a problem: address exhaustion. IPv4 uses 32-bit address space: what this gibberish means is that it can only support 4.3 billion IP addresses.

Even back in 1983, people understood that it wasn’t enough. That’s why NAT was born. Network Address Translation is like a mail-aggregation-and-forwarding system that works in a router. It collects the data packages from connected devices, notes down who-sends-what, slaps its IP address, and forwards it into the net. It then does the reverse for incoming data. That’s how the issue of address scarcity avoided even in the day of everyone having three network devices (plus the tablet for the cat). 

(As an aside, IPv6 was created to solve the issue, but it’s deployment started only recently.) 

Here’s where the issues with a VPN arise. VPN tunneling protocols are a necessity if you want to create a private network that works via a public one. Those protocols re-package the data and encrypt it to make it actually private. However, this leaves the data package without information NAT needs to forward it. That’s why VPN passthrough exists as a technical solution that allows VPN tunneling protocols to traverse NAT.

If reading all this gave you the impression that the internet is a complex web of systems that don’t want to work together, and that it is full of various fixes, patches, and kludges that bring it all together, you’re absolutely right. 

How Does VPN Passthrough Work

Typically, a VPN connection would go from your device through your router to the world wide web and connect to a VPN server. However, when a VPN protocol doesn’t give the router’s NAT anything to work with, the connection is impossible. 

That’s where the VPN passthrough works. It isn’t a single thing, but a set of workarounds that make older tunneling protocols work NAT. PPTP, IPSec, and L2TP are all older protocols. For example, a PPTP passthrough actually replaces GRE (a tunneling protocol used by PPTP) with enhanced GRE. That’s why when we’re talking about VPN passthrough, we’re actually using an umbrella term that encompasses PPTP, IPSec, and L2TP passthroughs.

Older tunneling protocols no longer provide the security that would be industry-standard, and that’s why Surfshark doesn’t use them. Newer protocols like OpenVPN and IKEv2 account for NAT’s needs.

Do You Need a VPN Passthrough?

I would love to say that you don’t have to care about VPN passthrough. Here’s why:

Modern routers have it.
Most routers you can buy these days come with a VPN passthrough already installed. Unless you’re using ancient systems, you should be fine.


Only ancient protocols need it.
PPTP, L2TP, and IPSec aren’t the newest technologies on the block. More modern protocols like OpenVPN and IKEv2 are smart enough to deal with NAT without special provisions.


Premium VPNs use newer protocols.
Take Surfshark as an example. Surfshark doesn’t even use PPTP, L2TP, or IPSec as they no longer provide a satisfactory level of security. Instead, it runs on OpenVPN, who know how to play nice with NAT, and IKEv2, which may need PPTP support.


Only matters for older computers.
OpenVPN is supported on OSs as ancient as Windows XP. So if you use something older, you may be using older protocols and thus need VPN passthrough. 

How Do I Enable a VPN passthrough

So it happens that you need to have a VPN passthrough on your router. As a modern device, it’s likely to have it already. You may just need to turn it on. You can do it via the interface that your router uses in general.

Here’s how it looks on a TP-Link Archer 7 router:

TP-Link Archer 7 router vpn passthrough

Every manufacturer has a different interface, so check their website or your router manual!

What’s the difference between a VPN passthrough and a VPN router

These two are not even remotely similar things. 

VPN passthrough: it’s the software capability for the router to allow VPN traffic to pass it. It does not do any VPN operations itself. 

VPN router: it’s a router that a VPN client is installed on. Not all routers can support it, but many do. Want to learn more and possibly set one up at your own house? Read our article on VPN routers

In conclusion

VPN passthrough is a software capability that’s becoming less relevant with each passing day. It was a necessity when old VPN protocols did not work with NAT, which is basically the data traffic resolving system in your router. That’s why VPN passthrough was a necessary functionality. Those old protocols are no longer the industry standard. Premium VPNs like Surfshark use newer, more secure protocols that work with NAT. Why not try it out yourself?

Don’t bother with VPN passthrough

Get Surfshark