Written by: Bogdan Patru
Routers come in two types:
The VPN passthrough feature can be enabled on many home routers, and the ones that offer it are widely accepted as the standard because they support both PPTP and IPsec VPNs.
In other words, this feature allows computers on a private network to establish outbound VPN connections. It does not affect or otherwise hinder the proper functioning of any inbound VPNs.
The name comes from the fact that this feature allows VPN traffic to “pass through” the router. You don’t have to open any ports to do this; the process is completely automatic.
This feature is mainly present in small business Internet gateway devices. These devices are specially constructed to work with VPN protocols like IPsec, PPTP, L2TP or even the SSL VPN technology.
What this means is that they will be able to automatically connect to a central server or the VPN gateway without a VPN client present. In fact, this type of client is incompatible with such a router, and you’ll only be wasting time trying to combine the two.
Small business network devices that support the VPN passthrough feature will actually permit the data packets coming from the VPN client to be encrypted with VPN technology and reach the internet.
Firstly, the small business devices I told you about work on the basis of NAT and PAT. Basically, this is what allows a router to share one internet connection among multiple computers.
This is how a standard home router functions. However, VPN protocols are natively incompatible with NAT and PAT. And since the vast majority of routers implement NAT, the problem becomes apparent. And we don’t want any problem to become apparent, now do we?
In this sense, there are two solutions:
Let’s take a closer look at each of them and explain what really happens behind the scenes.
Like I said before, most routers connect to the internet using NAT. PPTP and NAT are like fire and water. They’d gouge out each other’s eyes if they could.
Well, PPTP passthrough circumvents this issue with ease. It allows VPN connections to traverse the NAT. The catch is that NAT requires ports in order to function properly.
PPTP, though, uses a TCP control channel on port 1723 and the GRE protocol (IP protocol 47) to carry the tunneled data and form the VPN tunnel. The GRE part happens without the use of any ports.
PPTP’s native GRE doesn’t need any ports to establish the VPN tunnel. Since NAT needs both a valid IP address and a port number to build a translation entry, the situation is critical.
How the PPTP passthrough feature works is this: it reconfigures the GRE function and enhances a few of its functions. Most importantly, it adds something called the Call ID.
See, when a PPTP client tries to connect to a server, a unique call ID is created and inserted into the modified GRE header. Does this ring any bells? This call ID can be used as a substitute for the port in the NAT translation.
These call IDs are widely used in PPTP port mapping to uniquely identify PPTP clients behind NAT. They are meant as a replacement for ports for PPTP traffic only, but this is a non-standard procedure that a router doesn’t recognize automatically.
It is still necessary to let PPTP pass through the NAT router, and the way you do this is with the PPTP passthrough feature. It makes the router switch from keying on the standard port to keying on the call ID whenever it comes across PPTP traffic.
As a result, VPN clients behind the router can make outbound PPTP connections.
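To make the port-versus-Call-ID point concrete, here is an added toy model (example code written for this article, not anything shipped by a router vendor) of a NAT box with and without PPTP passthrough. It builds and parses the enhanced GRE header PPTP uses (flags, protocol type 0x880B, payload length, Call ID, optional sequence and acknowledgment numbers), translates TCP flows the usual way by port, and shows that inbound GRE has no port for a plain NAT to key on, whereas a PPTP-aware NAT learns each client’s Call ID from the control channel, assigns a router-wide unique one, and uses it to deliver inbound GRE to the right inside host. The class and function names, the inside addresses and the Call ID values are all assumptions made up for the demonstration.

```python
import struct

GRE_PROTO_PPTP = 0x880B  # protocol type carried in PPTP's enhanced GRE header
FLAG_K = 0x20            # Key present: payload length + Call ID (always set for PPTP)
FLAG_S = 0x10            # Sequence number present
FLAG_A = 0x80            # Acknowledgment number present (lives in the second byte)


def build_enhanced_gre(call_id, payload, seq=None, ack=None):
    """Build a PPTP enhanced GRE packet. The Call ID is the only demultiplexing
    handle in it: there are no port numbers anywhere in a GRE packet."""
    flags = FLAG_K | (FLAG_S if seq is not None else 0)
    ver = 1 | (FLAG_A if ack is not None else 0)      # version 1 = enhanced GRE
    hdr = struct.pack("!BBHHH", flags, ver, GRE_PROTO_PPTP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_enhanced_gre(pkt):
    flags, ver, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != GRE_PROTO_PPTP or (ver & 0x07) != 1 or not flags & FLAG_K:
        raise ValueError("not a PPTP enhanced GRE packet")
    off, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if ver & FLAG_A:
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": pkt[off:off + payload_len]}


def plain_nat_gre_inbound(inside_hosts, pkt):
    """What a NAT without PPTP passthrough can do with inbound GRE: the packet is
    valid, but nothing in it names an inside host, so with more than one inside
    host it cannot be delivered (a real box would drop it or guess)."""
    parse_enhanced_gre(pkt)
    return inside_hosts[0] if len(inside_hosts) == 1 else None


class PptpPassthroughNat:
    """Toy NAT/PAT box (hypothetical). TCP flows get a public port as usual; PPTP
    calls get a public Call ID, learned from the TCP 1723 control channel, which
    stands in for the port when inbound GRE has to be demultiplexed."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.tcp_out = {}       # (inside_ip, inside_port) -> public_port
        self.calls_out = {}     # (inside_ip, inside_call_id) -> public_call_id
        self.calls_in = {}      # public_call_id -> (inside_ip, inside_call_id)
        self._next_port = 40000
        self._next_call = 1

    def translate_tcp(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.tcp_out:
            self.tcp_out[key] = self._next_port
            self._next_port += 1
        return self.public_ip, self.tcp_out[key]

    def register_call(self, inside_ip, inside_call_id):
        """The PPTP ALG calls this when it sees the client's call request on the
        control channel; the client's Call ID is replaced by a unique public one."""
        key = (inside_ip, inside_call_id)
        if key not in self.calls_out:
            self.calls_out[key] = self._next_call
            self.calls_in[self._next_call] = key
            self._next_call += 1
        return self.calls_out[key]

    def gre_inbound(self, pkt):
        """Deliver GRE arriving from the Internet: look up the public Call ID and
        restore the client's own Call ID. Returns (inside_ip, packet) or None."""
        call_id = parse_enhanced_gre(pkt)["call_id"]
        if call_id not in self.calls_in:
            return None                              # unknown call: dropped
        inside_ip, inside_call_id = self.calls_in[call_id]
        return inside_ip, pkt[:6] + struct.pack("!H", inside_call_id) + pkt[8:]


if __name__ == "__main__":
    # Constructed scenario: two inside hosts both happen to pick Call ID 1.
    hosts = ["192.168.1.10", "192.168.1.11"]
    print("plain NAT delivers GRE to:", plain_nat_gre_inbound(hosts, build_enhanced_gre(1, b"ppp")))
    nat = PptpPassthroughNat("203.0.113.5")
    pub = [nat.register_call(h, 1) for h in hosts]
    print("public call IDs:", pub)
    print("passthrough delivers GRE to:", nat.gre_inbound(build_enhanced_gre(pub[1], b"ppp"))[0])
```

The collision in the demo is deliberate: Call IDs are chosen per host, so two clients behind one router can legitimately pick the same value, which is exactly why the router has to rewrite them rather than just pass them along.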
For IPsec, this is done with NAT-T, network address translator traversal. In essence, this is a networking procedure implemented to establish and safely maintain IP connections across gateways that perform NAT.
Now, IPsec virtual private networks have to use NAT-T if they are to function properly through NAT. Otherwise, the traffic wouldn’t be encrypted at all, and the VPN tunnel would not be created.
NAT-T encapsulates the security payload (ESP) in a UDP packet, which NAT does recognize.
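The UDP encapsulation is what turns an unroutable-through-NAT packet into an ordinary one, so here is an added example (written for this article, not taken from any IPsec implementation) that builds a bare ESP packet, wraps it in the UDP encapsulation NAT-T uses on port 4500, and runs both through a toy port-translating gateway. The gateway has no port to key on for raw ESP (IP protocol 50) and gives up, while the UDP-wrapped copy is translated like any other UDP flow; the receiving side then strips the UDP header and tells ESP, IKE (prefixed by four zero bytes) and NAT keepalives (a single 0xFF byte) apart. The gateway class, the SPI and the addresses are constructed for the demonstration.

```python
import struct

IPPROTO_ESP = 50
IPPROTO_UDP = 17
NAT_T_PORT = 4500                     # UDP port used once NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # marks IKE inside a port-4500 datagram
NAT_KEEPALIVE = b"\xff"               # one-byte datagram that keeps the NAT mapping alive


def build_esp(spi, seq, ciphertext):
    """ESP packet: SPI and sequence number followed by the encrypted payload.
    Nothing in it is a port; a NAT sees IP protocol 50 and opaque bytes."""
    return struct.pack("!II", spi, seq) + ciphertext


def udp_header(src_port, dst_port, payload):
    # UDP checksum left at 0 (allowed for IPv4) so the NAT rewrite needs no recompute
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def encapsulate_esp(esp_packet):
    """ESP-in-UDP: the ESP packet becomes the payload of a port-4500 datagram."""
    return udp_header(NAT_T_PORT, NAT_T_PORT, esp_packet)


def encapsulate_ike(ike_message):
    """IKE on port 4500 carries the non-ESP marker so the receiver can tell it apart."""
    return udp_header(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + ike_message)


def decapsulate(udp_datagram):
    """Receiver side: strip the UDP header and say what was inside."""
    _src, _dst, length, _csum = struct.unpack("!HHHH", udp_datagram[:8])
    body = udp_datagram[8:length]
    if body == NAT_KEEPALIVE:
        return "keepalive", b""
    if body[:4] == NON_ESP_MARKER:
        return "ike", body[4:]
    return "esp", body   # SPI 0 is reserved, so real ESP never starts with four zero bytes


class PatGateway:
    """Toy port-translating NAT (hypothetical): it can only build a mapping for
    packets that carry a transport-layer port."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.mappings = {}    # public_port -> (inside_ip, inside_port)
        self._next = 40000

    def forward(self, inside_ip, ip_proto, packet):
        """Translate an outbound packet. Returns (public_ip, rewritten packet), or
        None when there is no port for the translation table to key on."""
        if ip_proto != IPPROTO_UDP:     # raw ESP, GRE, ...: no port, no mapping
            return None
        src, dst, length, csum = struct.unpack("!HHHH", packet[:8])
        key = (inside_ip, src)
        public = next((p for p, v in self.mappings.items() if v == key), None)
        if public is None:
            public = self._next
            self._next += 1
            self.mappings[public] = key
        return self.public_ip, struct.pack("!HHHH", public, dst, length, csum) + packet[8:]


if __name__ == "__main__":
    gw = PatGateway("203.0.113.5")
    esp = build_esp(0x1234, 1, b"\xaa" * 16)          # constructed "ciphertext"
    print("raw ESP through PAT:", gw.forward("192.168.1.10", IPPROTO_ESP, esp))
    out = gw.forward("192.168.1.10", IPPROTO_UDP, encapsulate_esp(esp))
    print("NAT-T through PAT: public port", int.from_bytes(out[1][:2], "big"))
    print("receiver sees:", decapsulate(out[1])[0])
```

The mapping the gateway keeps is keyed on the UDP source port, which is why the keepalive exists: with no traffic, that entry would time out and the next inbound ESP-in-UDP datagram would have nothing to match.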
The process is much ampler because IPSec is based on many protocols that have to be fully enabled in order to traverse firewalls and the network address translators:
Many routers have an explicit feature for this embedded in their firmware, and it is called IPsec passthrough. In Windows XP, NAT traversal is enabled by default, so you don’t have to change any settings.
However, Windows XP with Service Pack 2 has it disabled by default because of security issues. You’ll have to manually enable it again with NAT-T patches. Why am I talking about an operating system from the fucking Paleolithic?
Because Windows 7 and all the others have NAT-T enabled from the get-go. You’re safe as long as you’re up to date with the technology of the 21st century.
You should disable VPN passthrough only if you want more security overall. The communication ports through the firewall that are otherwise open and accessible will then be blocked.
However, this means that any user behind the gateway will find it impossible to create and maintain a VPN connection. This is a direct consequence of the VPN ports being blocked at the firewall.
Ideally, if you’re a heavy VPN user on a SOHO (small office home office) network, then you shouldn’t block these ports.
The most reliable and efficient router in this category, which has become the standard for VPN passthrough, is the Netgear WGR614 Wireless Router. It supports no fewer than 3 simultaneous VPN connections.
Next, there’s the Netgear FWAG114 ProSafe. Although a bit more expensive than the previous one, this one also supports end-to-end VPNs, better known as site-to-site VPNs.
In the end, you can see that the VPN passthrough procedure has many advantages and almost no downsides. It efficiently gives you a way to use VPNs with almost all routers by overcoming their default settings.
Now you know what to do when your router can’t connect to a VPN. Perform the IPSec or the PPTP VPN passthrough, depending on the router itself, and welcome the fresh air of anonymity.