• Status: Solved

The difference between a VPN tunnel and VPN-passthrough.

Can someone please explain the differences between a VPN-Tunnel and a VPN pass-through?

Here is what I am trying to achieve:

Remotely manage a network of 30 PCs using VNC/PCanywhere

Server 1 - Windows 2000 server with static internet facing IP address (213.xxx.xxx.xxx) and 1 static address of
Server 2 - Windows 2000 DC running DHCP for the 30 client PCs. 1 static address of
Server 3 - Windows 2000 DC (backup) with static IP

30 clients ( >

I am looking for a hardware firewall/router/VPN device so that I can connect my PC to my client's office and be assigned an internal IP allowing access inside the network ( for example). Some of the devices I'm looking at have X number of VPN tunnels and some just have VPN-passthrough, so what's the difference? Which one should I use given my situation?
1 Solution
Hi apcs-uk,
A VPN Tunnel is where the device itself acts as the end point to the VPN, so it handles all the encryption required and effectively joins the two local networks together.

The alternative method is to run a VPN client on a PC. For this to work, the router/firewall the traffic goes through needs to understand the VPN traffic; on home routers this option is called 'pass-thru'.

apcs-uk (Author) commented:
grblades, thanks for the quick response. With the VPN tunnel, how does the authentication to the 2000 domain work (i.e. access to resources within the domain)?

With the PASS-THROUGH, can I route the VPN traffic to a specific server on the network, (, for example)?

If you have the Windows server as the VPN endpoint then you can either:-
1) Log into your machine and then initiate the VPN connection. When you connect you supply a username/password. When you go to access a resource you may be asked for a password for the domain once.
2) When you log on to your machine you choose to log on remotely and when you connect you log straight into the domain at the remote site. This will mean the user gets a different profile. Most of the time this is too much of a pain to use.

A router supporting PASS-THRU can only reliably be used at the client's site. If you want a router for your main site where the VPN server is, you need a better router/firewall where you can specify specifically the type of traffic which can be sent to a particular machine.

My normal recommendation is to go for something like a Cisco PIX firewall and for the clients to use the Cisco VPN client as it is more secure. You can configure the PIX to authenticate against the Windows server if you wish. When clients connect using this method they are asked for a password and then the Cisco client connects. Once connected they will be asked for a username/password when they access the network resource.
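
Why the router has to "understand" VPN traffic for pass-through, as an added example that is not part of the original thread: a simplified NAT model, assuming the PC's VPN client carries its data in GRE or ESP packets (the thread does not name a protocol). The class and function names and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

TCP, UDP, GRE, ESP = 6, 17, 47, 50   # IANA IP protocol numbers
PORTLESS = {GRE, ESP}                # VPN payload protocols with no port field

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None      # present only for TCP/UDP
    dport: Optional[int] = None

@dataclass
class NatRouter:                     # hypothetical model, not a real device's logic
    public_ip: str
    passthrough: bool
    next_port: int = 40000
    port_map: dict = field(default_factory=dict)    # (proto, public port) -> (inside ip, port)
    tunnel_map: dict = field(default_factory=dict)  # (proto, remote peer) -> inside ip

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet leaving the LAN; None means dropped."""
        if p.proto in PORTLESS:
            if not self.passthrough:
                return None          # no port to build a mapping on
            owner = self.tunnel_map.setdefault((p.proto, p.dst), p.src)
            if owner != p.src:
                return None          # simplified: one inside client per remote peer
            return Packet(p.proto, self.public_ip, p.dst)
        self.next_port += 1
        self.port_map[(p.proto, self.next_port)] = (p.src, p.sport)
        return Packet(p.proto, self.public_ip, p.dst, self.next_port, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate a reply arriving on the public side; None means dropped."""
        if p.proto in PORTLESS:
            inside = self.tunnel_map.get((p.proto, p.src)) if self.passthrough else None
            return Packet(p.proto, p.src, inside) if inside else None
        hit = self.port_map.get((p.proto, p.dport))
        return Packet(p.proto, p.src, hit[0], p.sport, hit[1]) if hit else None

def round_trip(router: NatRouter, out: Packet) -> Optional[str]:
    """Send one packet out and its reply back; return the inside host that gets the reply."""
    sent = router.outbound(out)
    if sent is None:
        return None
    reply = router.inbound(Packet(sent.proto, sent.dst, sent.src, sent.dport, sent.sport))
    return reply.dst if reply else None
```

In this model the TCP control connection survives ordinary port translation on any router, while the port-less tunnel packets only make the round trip when the router keeps separate pass-through state for them.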
