A VPN normally works one way: you reach out, nothing reaches in. That’s a security feature right up until it isn’t, because seeding torrents, hosting a co-op game, or reaching your own NAS from a cafĂ© all require the internet to initiate a connection to you.
Port forwarding is the feature that re-opens that door, deliberately and narrowly. Most major VPNs have removed it. The shortlist that remains is small, specific, and worth knowing precisely.
What the feature does and who needs it
With port forwarding, the provider assigns you a port on the VPN server’s public IP, and inbound traffic to that port gets routed down your tunnel to your device. Three audiences genuinely need this.
Torrenters, first and largest. Without an open port you can only connect to peers who are themselves connectable, which slows swarms and can crater seeding ratios; private trackers effectively require connectability. With a forwarded port, peers initiate to you, ratios recover, and rare torrents with few connectable seeds become reachable. This is the single biggest quality-of-life difference in the torrenting VPN world.
Self-hosters, second. A home lab, a Plex or Jellyfin server for personal use, a NAS you want reachable while traveling: forwarding through the VPN gives you a stable, reachable endpoint without exposing your home IP to the world, which is half the point of running the tunnel at all.
Gamers, third and most occasional. Some co-op and self-hosted game servers need an open port for friends to join; the forwarded port stands in for the router fiddling those setups usually demand, useful on networks you don’t control (dorms, CGNAT connections) where router access doesn’t exist.
Who still offers it, and how well
| VPN | Port forwarding | How it works | Notes |
|---|---|---|---|
| Proton VPN | Yes, paid plans | Per-connection via app toggle | Best mainstream option |
| Private Internet Access | Yes | Per-connection, app-assigned port | Cheap, unlimited devices |
| AirVPN | Yes | Static ports via dashboard | The enthusiast’s choice |
| Windscribe | Yes, paid | Static ports, config control | Pairs with Build-A-Plan |
Proton VPN is the best mainstream answer: port forwarding ships on paid plans, toggled in the app, with the port number displayed for pasting into your torrent client. It rides on Proton’s 4.3/5 overall score, audited no-logs and 5/5 speed, which makes it the rare provider where the privacy purist and the seeder are the same satisfied customer. Get Proton VPN here.
PIA offers forwarding with its usual value pitch: $3.33/mo territory, unlimited devices, court-proven no-logs. The port is assigned per connection (note it after connecting, update your client), and the combination of forwarding plus MACE plus the logging court record makes PIA the budget seeder’s default.
AirVPN is the specialist: static ports you manage in a dashboard, generous limits, deep technical controls. The app experience is austere and the brand is enthusiast-only, but for the home-lab crowd that wants ports as stable infrastructure rather than a per-session lottery, it’s the most capable implementation in the market.
Windscribe rounds out the list with static port options on paid accounts, slotting nicely into its tinkerer identity (R.O.B.E.R.T., config generators) covered in our Windscribe review.
The absences define the market: NordVPN, ExpressVPN and Surfshark offer nothing, and Mullvad removed its forwarding in 2023, publicly citing abuse. That removal is the story worth understanding before you buy.
Why the big names abandoned the feature
Open inbound ports on shared VPN infrastructure attracted exactly what you’d predict: people hosting illegal content behind the provider’s IP space, law enforcement attention arriving at the provider’s door, and IP ranges accumulating reputational damage that hurt every customer. Mullvad’s removal announcement said the quiet part plainly, and the mass-market providers concluded the same math earlier: forwarding serves a minority of users while its abuse taxes everyone.
That’s why the surviving implementations look the way they do: gated behind paid tiers, rate-limited, sometimes rotated. The feature lives on with providers whose audiences skew technical, where legitimate use dominates. Practical consequence for you: don’t expect the feature to reappear upmarket, and treat the providers that maintain it well as making a deliberate, costly choice for your niche.
Using it without hurting yourself
A forwarded port is a hole you chose to make, so handle it like one. Forward only to applications built to face the internet (a torrent client, a hardened service), never to your whole device. Keep the receiving software updated, since whatever listens on that port is now reachable by scanners within hours. Bind your torrent client to the VPN interface so a tunnel drop can’t expose it, the same discipline our torrenting guide drills. And close or release the port when the use case ends; an open door with nothing behind it is still a door.
Privacy note for the careful: an open port makes your VPN session slightly more distinctive (one user per port), a non-issue for seeding and self-hosting, but one more reason anonymity-first users were never this feature’s audience.
The CGNAT side-benefit nobody advertises
A growing share of home connections (mobile internet, fiber resellers, most of the developing world) sit behind carrier-grade NAT: you don’t have a public IP at all, and ordinary router port forwarding is impossible. VPN port forwarding sidesteps the whole problem, because the open port lives on the provider’s server, not your unreachable home address. For CGNAT households, the feature isn’t an optimization; it’s the only practical way to be connectable at all, which makes the provider shortlist above double as the CGNAT shortlist.
The same logic serves the Raspberry Pi crowd: a forwarded port through the VPN gives a self-hosted service a stable public doorway without exposing the home network, the architecture our Pi guide builds on directly.
(Feature availability shifts in this niche more than most, as the Mullvad story proves; recheck a provider’s current forwarding policy at purchase rather than trusting any list, this one included.)
The niche rewards homework precisely because it shrank: four good options is a shortlist you can actually test inside one refund window, and the right one tends to be obvious by day three of real use.
Want to compare all VPNs side by side? Check our full VPN comparison table with scores across 18 criteria.
Setup in practice
Proton and PIA: connect, toggle forwarding in settings, read the assigned port number, paste it into your application’s listening-port field, verify with your client’s connectability check (most torrent clients show a green/connectable indicator within a minute). AirVPN and Windscribe: reserve the static port in the web dashboard first, then configure once; it survives reconnects, which is the entire appeal. In all cases, one verification beats assumptions: an open-port checker against your VPN IP confirms the path end to end.
Port forwarding is a niche feature the mass market abandoned, which makes provider choice unusually clear-cut. Proton VPN is the best blend of forwarding, trust and performance; PIA is the budget seeder's pick; AirVPN is the static-port specialist for infrastructure thinking. If you don't recognize yourself in the three audiences above, you don't need the feature, and the mainstream table serves you better. If you do, buy from this shortlist and skip the disappointment of discovering your favorite brand quit this game years ago.