Most computers connect to the Internet through a NAT device (usually a router). PPTP natively doesn’t work with NAT. Since most VPN connections start from behind a router this is a very common problem. PPTP passthrough addresses this by allowing VPN connections to traverse a NAT with ease. NAT (or more specifically PAT) can’t function without the use of ports. It is important you understand how NAT functions and it’s reliance on ports. If unsure I would advise reading up on network address translation first.

NOTE: With some routers multiple VPN connections is not supported.

The PPTP Problem

PPTP uses a TCP channel on port 1723 for control and the GRE protocol to encapsulate data and create a VPN tunnel. The issue isn’t really PTPP itself but GRE; GRE doesn’t use ports. Since a requirement of NAT is that the connection must use an IP address and port number it doesn’t work with GRE. This is what PTPP passthrough addresses.

How PPTP Passthrough Works

There is nowhere on the internet that officially states how PPTP passthrough works so I started my own investigation. I found that PPTP doesn’t use the standard GRE protocol but an enhanced GRE version. When you compare GRE to Enhanced GRE there are several differences but the only one we are interested in here is the addition of something called the Call ID. When a PPTP client attempts a connection it generates a unique call ID and inserts it into the modified header. At this point I realised it could be used as a replacement for ports in the NAT translation. After a bit more research on call ID I came across how PPTP port mapping is handled by Microsoft routers. This MS article confirms that the Call ID is used to uniquely identify PPTP clients behind a NAT;  it used as a substitute for ports for PPTP traffic ONLY. This is non standard to how NATs  function but is necessary to allow PPTP to pass through it. As it is non standard routers need to know to switch from ports to call ID’s when it sees PTPP traffic. Adding this feature is what PPTP passthrough is.


Routers that support PPTP passthrough allow VPN clients to make outbound PPTP connections. The only way this would be possible is by using the methods described above. This leaves no doubt that the above must be exactly what PPTP passthrough is.

You may also want to read VPN passthrough

Routers That Support VPN Passthrough

The Netgear WGR614 Wireless Router is your bog standard home router which supports up to 3 concurrent VPN connections; this ideal for home or even small business use. The Netgear FWAG114 ProSafe is bit more upmarket and comes with a heavier price tag; this also supports end-to-end VPNs otherwise known as Site to site VPNs. You can check out other Netgear products that support concurrent VPN from Netgears official page.

Print Friendly, PDF & Email