VPN Passthrough
VPN passthrough is a router feature that lets older VPN protocols like PPTP, L2TP, and certain IPsec variants through the router's address translation (NAT) so a device behind it can connect to an external VPN server. It does not establish a VPN connection itself and only serves to let the traffic through.
VPN passthrough is a feature in many home and office routers that lets older VPN protocols through the router’s address translation (NAT) and firewall. The key distinction: VPN passthrough does not turn the router into a VPN server. It only ensures that a device behind the router can establish its VPN connection to a server on the internet in the first place.
How does VPN passthrough work?
Almost every router runs NAT: it translates your devices’ private addresses to a single public IP address and uses ports to remember which reply belongs to which device. Some older VPN protocols fit poorly into this scheme. PPTP uses the GRE protocol; classic IPsec uses ESP traffic with no fixed ports. NAT cannot readily map these replies back to the right internal device, so the connection breaks.
VPN passthrough is the vendors’ answer. When the feature is on, the router recognizes the VPN handshake (for example PPTP control on TCP 1723 or IPsec-IKE on UDP 500) and installs its own rules so the traffic reaches the right device. Cisco describes VPN passthrough on its RV routers exactly this way: PPTP and IPsec traffic from devices behind the router may cross the NAT to reach remote VPN gateways. Linksys provides separate toggles for IPsec, L2TP, and PPTP.
Modern IPsec avoids the detour entirely: with NAT traversal (NAT-T), client and server detect the address translation and wrap ESP traffic in ordinary UDP packets (usually port 4500). To NAT this looks like normal traffic, and no special passthrough setting is needed.
Do you still need VPN passthrough?
In most cases, no. The feature only matters for old protocols. NordVPN states plainly that a VPN passthrough is only needed for older protocols like PPTP, L2TP, or IPsec. Modern VPNs work without it:
- WireGuard runs over a single UDP port and is NAT-friendly by design.
- OpenVPN uses normal UDP or TCP ports and behaves like any other application to the router.
- IKEv2/IPsec has NAT-T built into the standard.
On routers from the last decade or so, passthrough for PPTP, L2TP, and IPsec is usually on by default. You generally only deal with it when bringing an old corporate VPN over a legacy protocol back to life. When a modern VPN will not connect, the cause is more often firewall rules or provider throttling than missing passthrough.
Is VPN passthrough safe?
Passthrough itself is neutral; it only sets up the connection. The risk lies in the protocol behind it. PPTP is outdated and insecure, and so is L2TP without strong IPsec. Enabling passthrough does not fix these weaknesses; it only enables the connection. Disabling passthrough, on the other hand, does not make your network safer: it just breaks the old VPNs without addressing the real problem. To actually improve security, switch to a modern protocol like WireGuard or OpenVPN rather than touching this toggle.
VPN passthrough vs. VPN router: what is the difference?
The two are often confused but do opposite things. A VPN router builds the VPN connection itself and encrypts the traffic of every connected device. VPN passthrough encrypts nothing. It only lets a single device’s VPN connection pass through NAT to an external server. One more misconception: some router implementations allow only one device per protocol behind NAT in classic IPsec passthrough. Modern NAT-T removes that limitation.