ITC Compliance, based in the UK, helps car dealerships and other retailers meet the standards of the UK’s Financial Services Regulator. By becoming appointed representatives of ITC Compliance, these businesses rely on the organization to handle their compliance. This way, clients stay compliant with the Financial Conduct Authority (FCA), without dealing with complex rules, allowing them to focus on their main work. 

James Snell, IT Director at ITC Compliance, manages technology strategy and vision, technology teams, cybersecurity, IT infrastructure, and operations. He is also responsible for vendor and stakeholder management. He needs to secure remote access to sensitive internal systems while maintaining regulatory compliance.

The challenge

Securing remote access while meeting regulatory compliance

The COVID-19 pandemic led ITC Compliance to shift to remote and hybrid work. This required a secure way for employees to access internal systems with sensitive data from various locations.

“COVID changed how companies work,” explains James Snell. “Only ITC Compliance employees can access our systems, so we needed secure remote access to internal resources.” Managing individual IP whitelisting for all remote employees was impractical.

As a regulated company working towards SOX compliance, ITC Compliance also needed strict access controls, which are crucial for certification.

The solution

Using NordLayer for secure and simple remote access

To tackle these issues, ITC Compliance adopted NordLayer as their business VPN in 2020. Routing all employee traffic through NordLayer allowed for a consistent IP address, which simplified security.

NordLayer also offered essential security tools, like multi-factor authentication (MFA). This met ITC Compliance’s security needs and supported their SOX compliance goals.

Why choose NordLayer

During renewal, James considered other options but decided to keep NordLayer. The solution felt reliable, and the pricing suited their needs, so switching wasn’t necessary.

NordLayer offered scalability and flexibility, with easy server setup and team routing through different IPs. From a cybersecurity standpoint, NordLayer provided essential tools, including ease of use, strong security features, and simple management with MFA options.

One key feature enabling ITC Compliance to maintain a fixed IP is NordLayer’s Dedicated IP. It ensures online traffic stays private and secure, helps control permissions, and prevents unauthorized access. With NordLayer, a fixed IP allows smooth, secure access to business data from any location. You can control who accesses resources by allowlisting specific IPs. Dedicated servers with fixed IPs cost $40/month and are available on all plans except Lite.

The outcome

Enhanced security and compliance support

NordLayer helped ITC Compliance secure remote access to internal systems. Using a single IP address simplified security management and reduced workload.

The NordLayer rollout was smooth, and the team found it easy to use. Scaling is simple, and adding licenses is hassle-free.

Pro cybersecurity tips

Protecting sensitive information is crucial, especially for regulated businesses. James Snell shares three essential tips for enhancing security.

With NordLayer, ITC Compliance simplified remote access, strengthened security, and met compliance needs. Try NordLayer to secure your team’s access, no matter where they work.

A VPN passthrough is a router feature that allows data encrypted by VPN protocols to pass network firewall filters.

Passthroughs were once essential to work around router limitations. Improved protocols and security technology have made them less critical. However, some situations still involve the VPN passthrough setting.

Key takeaways

After reading this article, you will:

• Know what a VPN passthrough is and how passthrough types function.
• Learn how to configure IPSec, PPTP, and L2TP passthroughs on standard routers.
• Understand the limitations of VPN passthrough features and common security vulnerabilities.
• Know how to troubleshoot VPN passthrough security problems and create secure VPN router setups.
• Learn about effective alternatives to a VPN passthrough and how to choose the right way to establish VPN connections.

VPN passthrough definition

A VPN passthrough is a router feature that allows outbound VPN traffic to pass through a network firewall.

Passthroughs allow businesses to connect devices to VPNs without compromising firewall protection. Users can encrypt traffic leaving the network and hide their activity. The firewall filters other inbound and outbound traffic normally.

Think of a VPN passthrough as a secret passage. Only authorized users can access the passage, and external actors cannot see where it leads.

How does a VPN passthrough work?

Sometimes, compatibility issues arise between VPNs and network routers. Some routers do not support VPN protocols.

VPNs rely on protocols to encrypt and transport data. VPN clients must establish connections with VPN servers outside the network boundary. This leads to problems when Network Address Translation (NAT) setups cannot handle VPN protocols.

NAT assigns a public IP address and sends data to its destination. Unfortunately, older VPN protocols can derail this process. NAT is unable to route packets to their final destination. Instead of creating an encrypted tunnel, routers block data packets and return them to the source.

A VPN passthrough solves this problem. Passthroughs allow routers to recognize protocols like IPSec, L2TP, or PPTP. When the VPN passthrough is engaged, encrypted traffic can pass across the network edge, protecting user data.

Note: Advanced protocols like OpenVPN and WireGuard avoid the need for a VPN passthrough. Modern VPN protocols work with NAT, allowing outbound traffic to the VPN server.

Do all routers need a VPN passthrough?

Not all routers need a VPN passthrough, but some do. It’s important to know whether your routers support VPNs, as configuration issues can expose sensitive data to cyber attackers.

The good news is most routers include a VPN passthrough option. In practice, only very old routers lack passthrough capabilities (and you should probably replace those devices for security reasons).

The bottom line is that you need to enable passthrough for older VPN protocols like IPsec or PPTP. Modern protocols and more secure alternatives make this unnecessary.

If you do need passthrough functionality on your router, choosing the right type matters. That’s where we will turn next.

Types of VPN passthrough

VPN passthroughs deal with different VPN protocols. There is no one-size-fits-all passthrough design, as protocols operate differently. Here are the three main versions:

PPTP passthrough

The point-to-point tunneling protocol (PPTP) uses the Transmission Control Protocol (TCP) via Port 1723 and the Generic Routing Encapsulation (GRE) protocol.

GRE does not require a specific port or IP address to create a PPTP connection. NAT requires a port number and IP address—creating a conflict. That’s where a PPTP passthrough becomes essential.

The PPTP passthrough feature solves this conflict by assigning a Call ID to GRE headers. The router sees this Call ID as a port number and allows traffic through the firewall.

Users implement a PPTP passthrough via their router firmware. Here’s how to do so:

1. Find your router IP address and enter it into a browser address bar.
2. Log onto the router settings tool and find the VPN settings section.
3. You should see an option to apply a PPTP passthrough. Enable the VPN passthrough and save your settings.
4. Reboot the router. The VPN passthrough functionality should be enabled.

IPSec passthrough

IPSec (Internet Protocol Security) passthroughs use NAT-Traversal (NAT-T) technology.

NAT-T packages data using the User Datagram Protocol (UDP) to wrap IPSec data. The NAT router can recognize this format but cannot understand encrypted IPSec traffic.

IPSec passthroughs use UDP port 4500 to establish an IKE packet exchange. IKE exchange allows the router to assign a private IP address for IPSec traffic while underlying payloads remain untouched.

Users also implement an IPSec passthrough via router firmware. To do so:

1. Firstly, log onto your router via a web browser.
2. Look for the VPN section and the option to enable IPSec passthrough.
3. You may need to reboot the router after saving passthrough settings.
4. Test the VPN connection to ensure passthrough is enabled.

L2TP passthrough

The L2TP VPN passthrough resembles the process for PPTP. In this case, passthroughs use Port 1701 to create a VPN connection.

VPN passthroughs assign a Session ID to UDP packets passing over the port. This Session ID substitutes for the port number, allowing transfers via the NAT router.

What is the difference between a VPN and a VPN passthrough?

VPNs and VPN passthroughs sound similar, but they are very different technologies. Passthroughs only allow VPN traffic from internal networks to the public internet. That’s all they do.

Virtual Private Networks are far more powerful network security tools. VPN companies operate servers across the world. The VPN server transports encrypted data and assigns new IP addresses, effectively making users anonymous.

Users generally access the VPN server via a locally-hosted VPN client. VPN software uses protocols to encrypt and send data to servers. A VPN passthrough feature smooths that process.

Companies may also choose to install a VPN router. VPN routers operate on the internal network and eliminate the need to install a VPN client on every device. The router encrypts and anonymizes data and connects with external VPN services.

Passthroughs are not usually needed if you run a VPN router. They may be necessary if you rely on separate clients for devices connected to a standard network router.

VPN passthroughs and security considerations

Let’s assume you continue using PPTP or IPSec and must traverse a typical NAC router. Does this impact your network security status, and should you take action in response?

Firstly, passthroughs are more secure than disabling NAC. This would solve the routing issue, but NAC manages traffic efficiently, conceals IP addresses from the public internet, and allows easy IP changes for network users.

Don’t even think about disabling NAC. Even so, VPN passthroughs generally leave networks more exposed to cybersecurity threats. There are a few reasons why this happens.

• Firstly, passthroughs can allow connections via insecure old VPN protocols. These protocols are rarely updated (if ever) and become less secure over time.
• Security teams may not know if users may establish insecure outbound VPN connections — putting data at risk.
• Another problem is that firewalls cannot inspect VPN traffic passing into and from network devices. This is fine if VPNs use strong encryption, but insecure VPN traffic can become an attack vector.
• Passthroughs also open ports for attackers to exploit. They may even act as backdoors, allowing freedom of movement for malicious traffic inside the network.

That sounds worrying. However, the best practices below should ensure a secure passthrough setup:

• Avoid older VPN protocols. Use secure protocols like OpenVPN or WireGuard that are harder to crack and offer better compatibility. Use VPN passthrough as a last resort.
• Block inactive ports. If you set up a VPN passthrough, only enable port forwarding where necessary. Check and close open ports that the VPN does not need.
• Maintain authentication and access policies. Limit network access to authorized users and devices. Use multi-factor authentication and processes to limit VPN access.
• Monitor VPN traffic. Use logs and real-time tracking to detect unusual behavior patterns or potential attacks.
• Use network segmentation. If you need passthroughs for certain activities, create secure zones with network segmentation tools. That way, intruders will find their path blocked if they exploit passthrough vulnerabilities.
• Audit passthroughs regularly. It’s never wise to enable VPN passthrough permanently. Regularly check router settings. Disable VPN passthrough when it is no longer needed.
•  

Alternatives to a VPN passthrough

Another way to avoid the security problems above is to use an alternative solution for outbound VPN traffic. Common alternatives include:

• SSL encryption. SSL encrypts HTTPS traffic passing across the network edge. You can use SSL as a VPN alternative, but only for web traffic. SSL is a viable alternative for web-based workloads but a poor general security option.
• RDP. The Remote Desktop Protocol (RDP) enables remote work connections without firewall conflicts. It’s a good alternative if you need to access remote devices for maintenance or training. However, RDP does not offer encrypted tunnels, making it less secure than a VPN passthrough.
• SD-WAN. Software-defined wide-area networks enable companies to create secure networks across many sites. Access controls and encryption transfer data securely without needing a standard VPN.
• Site-to-Site VPN. Site-to-Site VPNs connect locations via an encrypted tunneling protocol. Internet gateways interact without firewall conflicts, and there is no need for individual clients. However, this VPN style often relies on inefficient hub-and-spoke routing, and configuration can be complex. Problems may also arise when securing cloud deployments.
• IAM. Identity and Access Management (IAM) partly replaces VPNs for cloud-based and hybrid networks. Admins can control who accesses sensitive assets, blocking unauthorized connections. With the correct security setup, there is no need for an extra VPN or a VPN passthrough.

A VPN passthrough may be necessary to connect older devices or applications and allow remote work. But more advanced alternatives exist. Options include the tools above and modern VPN protocols that render passthroughs obsolete.

Go beyond a VPN passthrough with NordLayer’s security solutions

One thing hasn’t changed—companies must secure connections without compromising firewall performance. As cyber threats mount, protecting data transfers is becoming more important than ever.

NordLayer provides a flexible solution to secure remote connections and optimize efficiency. Our business VPN uses a variant of the WireGuard protocol, with no need to configure a VPN passthrough.

Secure gateways connect remote devices to on-premises and cloud assets. Strong encryption and IP address anonymization keep transfers completely secure. Access controls and Firewall-as-a-Service implement Zero Trust Network Access principles—blocking unknown and unauthorized connections.

Forget about VPN passthrough issues. Our simple, scalable, secure solution protects data and streamlines security management. To find out more, contact the NordLayer team today.

Frequently asked questions

Should VPN passthrough be enabled?

No. As a rule, companies should minimize the need for a VPN passthrough.

Passthroughs rely on outdated VPN protocols and create serious security vulnerabilities. Instead, security teams should invest in a modern router or investigate secure remote access solutions.

Only enable a VPN passthrough if bypassing your firewall is necessary. You may need a point-to-point tunneling protocol (PPTP) passthrough for remote access or operating devices that rely on the PPTP VPN protocol.

If possible, update your setup to accommodate newer protocols. Only use the VPN passthrough as a temporary solution.

What happens if you turn off the VPN passthrough?

Turning off the VPN passthrough is rarely a problem.

Turning off a VPN passthrough can prevent encrypted data transfers through your network firewall. The VPN passthrough allows transfers across older VPN connection types. If the VPN passthrough fails or is not activated, the VPN connection will lapse.

This can cause problems for remote workers who rely on their VPN client to establish outbound VPN connections. In some cases, users may backslide to less secure connection methods.

Generally, choosing to enable VPN passthrough is worse than turning it off. Advanced VPN protocols and tools like IAM provide reliable connectivity and improve security.