A VPN passthrough is a router feature that allows VPN traffic to cross your firewall and Network Address Translation (NAT). It doesn't create the VPN connection itself; it ensures your router doesn't block a device on your network from connecting to an external VPN server.

For most businesses, this isn't something you need to configure or think about. Modern VPN protocols, including those used by Proton VPN, are built to work through NAT by default, so routers handle the traffic automatically without any special rules.

Why does a VPN passthrough exist?

A VPN passthrough solves a compatibility problem between older VPN protocols and the NAT routers found in almost every home and office network. NAT lets many devices share one public IP address by rewriting source addresses and ports, and it keeps a table of (address, port) pairs so that replies can be sent back to the right internal device. This works for ordinary TCP and UDP traffic, but some older VPN protocols were designed before NAT was everywhere.

Specifically, the data channel of PPTP (GRE) and the ESP packets used by IPsec carry no port numbers at all. With no port to key on, a plain NAT cannot tell which internal host an incoming packet belongs to, and the connection fails. A VPN passthrough is a workaround built into the router that substitutes another field from those packets for the missing port so the traffic can be tracked and routed correctly.

How does a VPN passthrough work?

A VPN passthrough is a set of protocol-specific helpers (often implemented as application-layer gateways, or ALGs) built into router firmware. When enabled, the router:

  • Identifies VPN traffic by IP protocol number (GRE is protocol 47, ESP is protocol 50) or by a well-known port (TCP 1723 for PPTP control, UDP 500 and 4500 for IKE)
  • Tracks each connection using a substitute identifier from the packet header (a PPTP Call ID or an IPsec SPI) in place of a port number
  • Rewrites addresses and, where needed, those identifiers so the traffic passes through NAT and returns to the right device

Without VPN passthrough, the router either drops packets it cannot classify or delivers them to the wrong device, and the VPN never connects.

Types of VPN passthrough

Different VPN protocols carry data differently, so there isn't a single type of passthrough. If you're working with older systems, you may see separate router options for each protocol.

PPTP passthrough

The point-to-point tunneling protocol (PPTP) is one of the oldest VPN types. It sets up the connection over a TCP control channel on port 1723 and then carries the tunneled data using Generic Routing Encapsulation (GRE). NAT needs a port number to direct traffic, and GRE has none, so a plain NAT cannot tell which internal device an incoming GRE packet is for and the connection drops.

PPTP passthrough uses the Call ID field that the PPTP variant of GRE already carries in every data packet. The router watches the control channel to learn each client's Call ID, rewrites it if two clients happen to pick the same one, and then treats the Call ID the way it treats a port number, which lets the GRE packets find their way back through the firewall to the right device.

L2TP passthrough

Layer 2 tunneling protocol (L2TP) runs over UDP port 1701, and every L2TP packet carries a Tunnel ID and a Session ID. Because L2TP itself uses UDP, a plain NAT can already track it by port. The trouble is that L2TP is almost always combined with IPsec (L2TP/IPsec) for encryption, and the IPsec ESP packets that wrap it have no ports. L2TP passthrough on a router therefore usually means keeping the UDP 1701 flow and its Session IDs mapped to the right device while also handling the IPsec traffic described next.

IPSec passthrough

IPsec (Internet Protocol Security) encrypts data in ESP packets (IP protocol 50), which carry a Security Parameter Index (SPI) and a sequence number but no port. Modern IPsec implementations get through NAT on their own using NAT Traversal (NAT-T, RFC 3948): the endpoints detect the NAT during the IKE handshake and wrap each ESP packet inside an ordinary UDP packet on port 4500.

Because routers already know how to handle UDP, a NAT-T connection needs no special support; the router maps UDP 4500 like any other flow, while the encrypted payload stays untouched. IPsec passthrough on a router is for the older case where one or both endpoints don't support NAT-T and send raw ESP. The router then tracks the connection by its SPIs instead of ports, which typically works for only one IPsec client behind the NAT at a time.
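The three cases above (a protocol that has ports, PPTP's GRE with and without a Call ID helper, and ESP with and without NAT-T) can be shown with a toy NAT table. The following is an added example written for this article, not router firmware or Proton code: packet headers are built by hand from the RFC field layouts, the IP addresses are documentation ranges, and the "PPTP ALG" is a deliberately simplified version of what a real passthrough does after watching the TCP 1723 control channel.

```python
import struct
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"    # assumed WAN address of the NAT router
VPN_SERVER = "198.51.100.5"   # assumed external VPN server


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" (IP proto 17), "gre" (47) or "esp" (50)
    src: str
    dst: str
    l4: bytes    # layer-4 header plus payload, as on the wire


def udp(sport, dport, payload=b""):
    """UDP header (RFC 768): ports, length, checksum left as 0."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def pptp_gre(call_id, payload=b""):
    """Enhanced GRE carrying PPP for PPTP (RFC 2637): flags/version 0x2001
    (Key bit set, version 1), protocol 0x880B, payload length, Call ID."""
    return struct.pack("!HHHH", 0x2001, 0x880B, len(payload), call_id) + payload


def esp(spi, seq, payload=b""):
    """ESP header (RFC 4303): SPI and sequence number, then ciphertext."""
    return struct.pack("!II", spi, seq) + payload


def nat_t(spi, seq, payload=b""):
    """NAT-T (RFC 3948): the same ESP packet wrapped in UDP 4500."""
    return udp(4500, 4500, esp(spi, seq, payload))


class Nat:
    """Minimal NAT with an optional PPTP helper (the 'passthrough')."""

    def __init__(self, pptp_alg=False):
        self.pptp_alg = pptp_alg
        self.udp_map = {}    # public source port -> (private ip, private port)
        self.call_map = {}   # public Call ID -> (private ip, client Call ID)
        self.next_port, self.next_call = 40000, 1

    def outbound(self, pkt):
        """Translate a LAN->WAN packet; None means the NAT cannot track it."""
        if pkt.proto == "udp":
            sport = struct.unpack("!H", pkt.l4[:2])[0]
            pub, self.next_port = self.next_port, self.next_port + 1
            self.udp_map[pub] = (pkt.src, sport)
            return replace(pkt, src=PUBLIC_IP, l4=struct.pack("!H", pub) + pkt.l4[2:])
        if pkt.proto == "gre" and self.pptp_alg:
            # Outgoing data carries the server's Call ID; the mapping for the
            # return path was already learned from the control channel.
            return replace(pkt, src=PUBLIC_IP)
        return None  # GRE and ESP have no port: a plain NAT has no flow key

    def learn_pptp_call(self, private_ip, client_call_id):
        """Simplified ALG step: when the client's Outgoing-Call-Request is seen
        on TCP 1723, reserve a unique public Call ID and remember the mapping."""
        pub, self.next_call = self.next_call, self.next_call + 1
        self.call_map[pub] = (private_ip, client_call_id)
        return pub

    def inbound(self, pkt):
        """Translate a WAN->LAN packet back to the right LAN host, or None."""
        if pkt.proto == "udp":
            dport = struct.unpack("!H", pkt.l4[2:4])[0]
            if dport not in self.udp_map:
                return None
            priv_ip, priv_port = self.udp_map[dport]
            return replace(pkt, dst=priv_ip,
                           l4=pkt.l4[:2] + struct.pack("!H", priv_port) + pkt.l4[4:])
        if pkt.proto == "gre" and self.pptp_alg:
            _, ptype, _, call_id = struct.unpack("!HHHH", pkt.l4[:8])
            if ptype == 0x880B and call_id in self.call_map:
                priv_ip, priv_call = self.call_map[call_id]
                return replace(pkt, dst=priv_ip,
                               l4=pkt.l4[:6] + struct.pack("!H", priv_call) + pkt.l4[8:])
        return None


def demo():
    """Run the five cases discussed in the text and return the outcomes."""
    plain, alg = Nat(), Nat(pptp_alg=True)
    results = {}
    # 1. WireGuard/OpenVPN-style UDP: any NAT can map it and route the reply.
    out = plain.outbound(Packet("udp", "192.168.1.20", VPN_SERVER, udp(51820, 51820, b"wg")))
    pub_port = struct.unpack("!H", out.l4[:2])[0]
    results["udp"] = plain.inbound(Packet("udp", VPN_SERVER, PUBLIC_IP, udp(51820, pub_port, b"wg"))).dst
    # 2. PPTP data (GRE) with no helper: no port, so no mapping.
    results["gre_no_alg"] = plain.outbound(Packet("gre", "192.168.1.20", VPN_SERVER, pptp_gre(7)))
    # 3. PPTP with the helper: two clients that both chose Call ID 7 stay separate.
    a = alg.learn_pptp_call("192.168.1.20", 7)
    b = alg.learn_pptp_call("192.168.1.21", 7)
    results["gre_alg"] = (alg.inbound(Packet("gre", VPN_SERVER, PUBLIC_IP, pptp_gre(a))).dst,
                          alg.inbound(Packet("gre", VPN_SERVER, PUBLIC_IP, pptp_gre(b))).dst)
    # 4. Raw ESP: no ports and no IPsec helper on this NAT, so it is dropped.
    results["esp_raw"] = plain.outbound(Packet("esp", "192.168.1.20", VPN_SERVER, esp(0xDEADBEEF, 1)))
    # 5. The same ESP inside UDP 4500 (NAT-T) is just UDP to the NAT.
    results["esp_nat_t"] = plain.outbound(Packet("udp", "192.168.1.20", VPN_SERVER, nat_t(0xDEADBEEF, 1))).src
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12} -> {outcome}")
```

The point the demo makes is that "passthrough" is nothing more than teaching the NAT which header field to use as a flow key when there is no port. A protocol that already runs over UDP (cases 1 and 5) never needs that help, which is why WireGuard, OpenVPN and IKEv2 with NAT-T work on an unmodified router.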

What is the difference between a VPN and a VPN passthrough?

A VPN is the service that protects your data. It encrypts your internet traffic and masks your IP address by routing your connection through a remote server.

A VPN passthrough is a feature on your router. It doesn't encrypt your data, hide your IP address, or provide any security on its own. Its only job is to recognize VPN traffic and let it cross the router's NAT and firewall.

If you’re using a good VPN, you generally do not need to worry about passthrough settings at all, as the router will handle it automatically.

VPN passthrough vs. VPN router

These two are often confused, but they serve very different purposes:

  • A VPN router actively encrypts and routes traffic for every device connected to it.
  • A VPN passthrough allows an individual device on your network to connect to an external VPN.

Do VPNs need passthrough?

In most cases, the answer is no. Current VPN protocols are built to handle NAT on their own. WireGuard and OpenVPN run over ordinary UDP (OpenVPN can also use TCP), and IKEv2 negotiates NAT-T and moves to UDP 4500 whenever a NAT is in the path, so routers can track the connection and deliver replies to the correct device without any manual setup or special rules.

Proton VPN relies exclusively on secure protocols, so it’s compatible with standard router configurations by default.

  • No manual configuration: You do not need to change any advanced settings in your router’s firmware to get connected.
  • Automatic compatibility: Proton VPN works with almost all home and office networking equipment right out of the box.
  • Better security: By avoiding older passthrough mechanisms, you also avoid the security vulnerabilities associated with legacy protocols like PPTP.

Unless you are using extremely old hardware or a highly restrictive corporate firewall, you can connect to Proton VPN without ever needing to adjust your passthrough settings.

Do you need VPN passthrough?

You may only need to think about VPN passthrough if:

  • You are using legacy VPN protocols like PPTP or L2TP
  • You rely on older networking equipment
  • You manage specialized or industrial systems with outdated software

Otherwise, VPN clients like Proton VPN will handle this compatibility by default.

Are there security risks with a VPN passthrough?

Most security concerns stem from the fact that VPN passthrough is designed to help older, less secure protocols bypass standard router protections.

  • Reliance on weak protocols: VPN passthrough exists mainly to keep legacy protocols like PPTP working. PPTP's MS-CHAPv2 authentication and RC4-based encryption have known cryptographic weaknesses and have not been considered secure for over a decade.
  • Firewall blind spots: Your firewall might not inspect the data moving in and out of the tunnel. If the VPN protocol itself is weak, this creates a path for malicious traffic to enter your network undetected.
  • Increased attack surface: Passthrough helpers are extra packet-parsing code running in your router's firmware, and ALGs have been a recurring source of router vulnerabilities. Passthrough by itself does not open inbound ports (that is port forwarding, which is needed only if you host a VPN server behind the router), but the two settings are often confused and enabled together.

Best practices for a secure VPN passthrough setup

For most businesses and individuals, the best security strategy is to avoid needing a VPN passthrough altogether. If you must use it, follow these steps to keep your network secure:

  • Prioritize up-to-date protocols: Use VPNs that support WireGuard or OpenVPN, which are standard for Proton VPN. These are designed to work with routers and NAT without needing a VPN passthrough.
  • Disable what you don’t use: If your router has VPN passthrough enabled by default but you use a service like Proton VPN, you should turn it off. Reducing the number of active features on your router shrinks your attack surface.
  • Audit your router settings regularly: It's easy to enable a setting for a one-time fix and forget about it. Periodically review your router's configuration so you aren't leaving passthrough helpers or port forwards active for legacy protocols you no longer use.
  • Keep hardware updated: Ensure your router firmware is current. Manufacturers release updates that patch vulnerabilities in exactly these components, such as the ALGs that parse VPN traffic and the code that manages port mappings.

Ultimately, you should view VPN passthrough as a last resort for legacy systems. If your infrastructure allows it, moving to a modern VPN setup is the most effective way to eliminate these risks.

The bottom line

VPN passthrough is a solution to a compatibility problem between older VPN protocols and newer networks. Today, it is largely unnecessary.

Most VPN protocols, such as those used by Proton VPN, are built to work seamlessly with NAT. This makes VPN passthrough something most businesses will never need to configure. If you find yourself still relying on passthrough, it may be a sign that your VPN setup or network infrastructure needs to be updated.