What is a Virtual Private Network (VPN) passthrough? You may have heard about it on your online trail in search of a VPN. And yet, you still don’t know what it is? Fear not, for you have stumbled upon an article that will explain everything you need to know about it. Read ahead to find out what a VPN passthrough is, how it’s tied to router functionality, and how to enable it if needed.

    What is a VPN passthrough?

    A VPN passthrough is a router feature that allows VPN traffic to pass through your router using old VPN protocols. This software was built for VPN protocols such as IPSec and PPTP, which would otherwise not work with modern routers.

    Nearly all modern routers have built-in VPN passthrough functionality. Your only input should be activating or deactivating the passthrough for different protocols through router settings. It’s worth keeping in mind that most routers have a VPN passthrough enabled by default.

    A VPN passthrough is sometimes mistaken for having a VPN set up on a router, but these are entirely different:

    • A VPN router encrypts and protects data on all devices connected to its network; 
    • A VPN passthrough allows VPN traffic to pass through the router.

    How does a VPN passthrough work?

    A VPN passthrough provides a solution for when a VPN and a router don’t work together. Typically, a VPN connection would go from your device, through your router, to the World Wide Web and connect to a VPN server. 

    However, when a VPN protocol doesn’t give the router (or, to be more precise, the router’s Network Address Translation (NAT) — more on that in the next section) anything to work with, a connection becomes impossible. 

    That’s where a VPN passthrough becomes necessary. It isn’t a single thing but a set of workarounds that make older tunneling protocols work with the router. And by “older protocols,” we mean PPTP, IPSec, and L2TP.

    A diagram depicting old routers and VPNs not working together and showing that a VPN passthrough makes the connection possible.

    For example, a PPTP passthrough replaces GRE (a tunneling protocol used by PPTP) with enhanced GRE. That’s why when we’re talking about a VPN passthrough, we use an umbrella term encompassing PPTP, IPSec, and L2TP passthroughs.

    Surfshark VPN doesn’t use those ancient protocols as they no longer provide the security that would meet the industry standard. Instead, the app utilizes protocols like WireGuard, OpenVPN, and IKEv2, all accounting for NAT’s needs.

    What is an IPSec passthrough?

    As mentioned above, IPSec is an outdated protocol that doesn’t work with NAT routers. An IPSec passthrough uses a NAT-T (Network Address Translation-Traversal) technique to solve this issue.

    In other words, it makes an old protocol work with a modern router. The same goes for PPTP and L2TP passthroughs. 

    Do you need a VPN passthrough?

    Likely, you won’t ever need to worry about a VPN passthrough. Here’s why:

    Modern routers are made with passthroughs

    Most routers you can buy these days come with a VPN passthrough already installed. Unless you’re using ancient systems, you should be fine.

    Only ancient protocols need it

    PPTP, L2TP, and IPSec aren’t the newest technologies on the block. More modern protocols like OpenVPN and IKEv2 are smart enough to deal with NAT without special provisions.

    Premium VPNs use newer protocols

    Take Surfshark as an example. Surfshark doesn’t even use PPTP, L2TP, or IPSec, as they no longer provide a satisfactory level of security. Instead, it runs on WireGuard, OpenVPN, or IKEv2.

    Only matters for older computers

    OpenVPN is supported on operating systems as ancient as Windows XP. So if you use something older — it’s probably because you work at a power plant, and the Windows 98 computer is the only one running the emulator for turbine software.

    A VPN passthrough: where does it come from?

    A VPN passthrough exists because of old technologies that can’t play nice with each other. Mainly, it’s because IPv4 had issues that required the development of NAT. Both technologies are still widely employed today.

    IPv4 is the fourth version of the Internet Protocol (IP), a system of communication rules that allows computers to exchange information over a network, thus giving rise to the internet. But for a computer to have a presence on the internet, it has to have an IP address — how else would the data know where to go? 

    IP address exhaustion

    That’s where we run into a problem — address exhaustion. IPv4 uses a 32-bit address space, so it can only support 4.3 billion IP addresses. Even back in 1983, people understood that it wasn’t enough, and we ran out of them in 2015. 

    And that’s why NAT was born. Instead of giving EVERY device — a computer, a smartphone, a baby camera, a fridge — a unique IP, you only give a unique IP to the router. That IP is called the “public IP.” The devices get fake IPs (“private IPs”) that are only used for communicating with the router. And that’s the NAT’s area of interest.

    Graph showing how NAT in the router handles data packages from computers, smartphones, and internet of things devices.

    The NAT solution

    Network Address Translation is like a mail-aggregation-and-forwarding system that works in a router. 

    It collects the data packages from connected devices, notes which fake IP sent what, slaps the router’s IP address on them, and forwards them onto the net. It then does the reverse for incoming data. That’s how the issue of address scarcity is avoided even when everyone has three network devices (plus a tablet for the cat). 

    Here’s where the issues with a VPN arise. VPN tunneling protocols are a necessity if you want to create a private network that works via a public one. Those protocols re-package the data and encrypt it to make it private. However, this leaves the data package without the information NAT needs to forward it. That’s why a VPN passthrough exists as a technical solution that allows VPN tunneling protocols to traverse NAT.
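
    The problem described above, and the NAT-T fix from the IPSec passthrough section, as an added example (not code from the original article): a toy port-translating NAT keys its forwarding table on TCP/UDP ports, so port-less ESP (IP protocol 50) gives it nothing to track, while the NAT-T wrapper in UDP port 4500 does. The `Napt` class, its drop-when-no-port behaviour, and all addresses are simplifying assumptions, not any router's firmware.

```python
# Toy NAPT model (assumption-based sketch); all addresses are constructed samples.
from dataclasses import dataclass, replace
from typing import Optional

TCP, UDP, ESP = 6, 17, 50            # IANA IP protocol numbers
NAT_T_PORT = 4500                    # UDP port for ESP-in-UDP (NAT-T, RFC 3948)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None      # ESP carries no port fields
    dport: Optional[int] = None
    payload: object = None

class Napt:
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.by_flow = {}            # (proto, private ip, private port) -> public port
        self.by_port = {}            # (proto, public port) -> (private ip, private port)

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.proto not in (TCP, UDP):
            return None              # no port to rewrite: this model drops the packet
        flow = (p.proto, p.src, p.sport)
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.by_port[(p.proto, self.next_port)] = (p.src, p.sport)
            self.next_port += 1
        return replace(p, src=self.public_ip, sport=self.by_flow[flow])

    def inbound(self, p: Packet) -> Optional[Packet]:
        owner = self.by_port.get((p.proto, p.dport))
        if owner is None:
            return None              # nothing identifies which private host gets it
        return replace(p, dst=owner[0], dport=owner[1])

def nat_t_wrap(esp: Packet) -> Packet:
    # Carry the ESP packet inside UDP/4500 so the NAPT has ports to track.
    return Packet(esp.src, esp.dst, UDP, NAT_T_PORT, NAT_T_PORT, payload=esp)

def demo():
    nat, server = Napt("203.0.113.10"), "198.51.100.7"
    esp_a, esp_b = (Packet(ip, server, ESP) for ip in ("192.168.1.20", "192.168.1.21"))
    raw = nat.outbound(esp_a)        # bare ESP: dropped by this model
    out_a, out_b = (nat.outbound(nat_t_wrap(e)) for e in (esp_a, esp_b))
    reply = Packet(server, nat.public_ip, UDP, NAT_T_PORT, out_b.sport)
    return raw, out_a.sport, out_b.sport, nat.inbound(reply).dst
```

    Two clients behind the same public IP get distinct public ports once ESP is wrapped in UDP, which is what lets the reply find its way back to the right private host.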

    Did reading all this give you the impression that the internet is a complex web of systems that don’t want to work together? And that it is full of various fixes, patches, and kludges that barely keep it functional? Well, you’re absolutely right.

    How to enable a VPN passthrough

    So you need a VPN passthrough on your router. As a modern device, it’s likely to have it already. You may just need to turn it on. You can do it via the interface that controls all of the other functions of the router.

    Here’s how it looks on a TP-Link Archer 7 router:

    [Image: How to enable a VPN passthrough]

    Every manufacturer provides a different interface, so check their website or your router manual!

    In conclusion: VPN passthroughs — a thing of the past

    A VPN passthrough is a software capability that’s becoming less relevant with each passing day. It was necessary when old VPN protocols didn’t work with NAT, the data traffic resolving system in your router. That’s why a VPN passthrough was an essential functionality. 

    Those old protocols are no longer the industry standard. Premium VPNs like Surfshark use newer, more secure protocols that work with NAT. Why not try it out yourself?


    Should a VPN passthrough be enabled?

    No, unless you’re dealing with old VPN protocols like PPTP and L2TP and old routers. And you shouldn’t be using such old protocols anyway. 

    What is a VPN passthrough for IPSec?

    Old routers and basic IPSec don’t work together nicely, and a VPN passthrough makes them finally cooperate. 

    How do I turn on a VPN passthrough?

    Modern routers allow you to enable a VPN passthrough via the router settings menu. You can access it via your browser by entering the router’s address. 

    Should I enable L2TP passthrough?

    Only if you really need it (have an ancient router or can’t use newer protocols for some reason). L2TP is an outdated protocol.

    What’s the difference between a VPN passthrough and a VPN router?

    They are two completely different things that involve a router. A VPN passthrough allows VPN traffic to pass through a router. A VPN router is a router that has a VPN installed on it.