UPnP is a networking protocol suite that is primarily designed to allow devices on the same local network to automatically discover and connect to each other. If this sounds like a dream for non-technical users, in many ways, it is.
After all, in today’s ultra-connected world, convenience is king. From gaming consoles that effortlessly connect to the internet, to smart TVs and IoT devices(new window) that seem to “just work” right out of the box—modern networks are designed to minimize user effort. One of the technologies that quietly make all this seamless connectivity possible is Universal Plug and Play (UPnP).
However UPnP is also often used to configure port forwarding on routers, allowing devices on the internet to access resources on your local area network (LAN). This (together with other security vulnerabilities that we’ll discuss later) means that it may be good idea to turn off UPnP altogether.
In this article, we’ll look at:
- What is UPnP?
- How does UPnP work?
- Why is UPnP dangerous?
- Why you should disable UPnP
- Port forwarding, UPnP, and VPNs
- How to disable UPnP on routers
- UPnP — convenience at a cost
What is UPnP?
As its name suggests, the primary aim of UPnP is to make networked devices “plug and play”. In other words, when you connect a device to your network, it should just work, with no need to dig into your router’s settings, open ports, or tinker with IP addresses.
UPnP achieves this using a set of networking protocols that permit devices on your local network, such as personal computers, printers, modems, routers, and mobile devices, to seamlessly discover each other’s presence on the network and then communicate with each other.
UPnP can also be used to configure port forwarding, routing connections through your router’s firewall so that you can connect devices on the internet with devices on your local network. Popular reasons for this include:
- IoT devices: For example, you may want check your security camera feed, control your smart thermostat, or manage your smart home system from anywhere in the world.
- Home media servers: So you can watch content from your Plex or Jellyfin server over the internet while away from home
- Games servers: So that you can host multiplayer games without paying third-party server fees
- P2P file sharing: To allow incoming connections for improved download speeds. See our Ultimate guide to torrenting for more information on how this works.
How does UPnP work?
In simple terms, the way UPnP works can be broken down into the following steps:
- Discovery: When a device is connected to a network, it broadcasts a message to announce its presence. Other devices on the network can respond to this message, allowing them to discover each other.
- Description: Once devices have discovered each other, they exchange information about their capabilities and services. This step involves the devices sharing details about what they can do and how other devices can interact with them.
- Automatic configuration: Devices can request port forwarding from the router automatically. For example, a gaming console might request the router to open specific ports so it can host multiplayer games without manual intervention.
Why is UPnP dangerous?
While UPnP brings undeniable convenience, it also introduces serious security concerns. What makes UPnP risky is not just how it works, but how little control and visibility you typically have over what it’s doing behind the scenes. The key risks with UPnP are:
Automatic port forwarding
Although designed primarily to connect devices on a local network, one of UPnP’s most useful features is the ability to automatically open ports on a router so that devices on your LAN can communicate with devices on the internet. Unfortunately, open ports can allow malicious actors to gain access to devices on your local network.
It should be noted that this risk is also present if you manually configure port forwarding on your router. However, if UPnP is enabled, it may open ports to automatically configure multiple (potentially vulnerable) devices on your local network without your knowledge.
No authentication
UPnP was designed with trusted local networks in mind, so it doesn’t usually require any authentication from devices to work. This means any device on the same network — including potentially compromised ones—can send requests to the router to open ports or redirect traffic.
If malware is present on a single infected device inside your network, it can silently modify network settings and punch holes in your firewall without your knowledge, thus allowing the malware to communicate with the outside world. This is what happened with the infamous Mirai botnet(new window), which exploited UPnP vulnerabilities to infect IoT devices (like home cameras) and routers to launch some of the world’s largest ever DDoS attacks(new window).
This lack of authentication also means malware can easily spread across UPnP devices connected to your local network.
Higher risk of port scanning attacks
Thanks mainly to older or poorly configured routers that accept UPnP connections from the internet (not just local ones), millions of network devices and routers(new window) are vulnerable to DDoS and other attacks.
Why you should disable UPnP
UPnP can make life easier by automating your network setup, but its lack of security controls and potential for abuse make it a high-risk feature. This is especially true on consumer-grade routers where UPnP’s default “trust everything” design philosophy simply doesn’t align with modern security best practices and is a boon to the spread of malware. So for most people, the convenience is arguably not worth the risk.
The lack of visibility over which ports are open, why they’re open, and whether you’ve closed them properly creates blind spots in your network security. This provides an easy entry point for malware and hackers, who can then create persistent backdoors into your network, or even route your traffic through attacker-controlled DNS servers (as seen with the Switcher Trojan(new window)).
A much better solution is to manually configure port forwarding as and when you need it, so you have complete control and oversight over which ports are open.
Learn how to manually set up port forwarding on various routers
Please be aware, though, that there’s no point setting up port forwarding on your router for devices that connect to a VPN (see below).
Port forwarding, UPnP, and VPNs
When you connect a device to a VPN server, all data traveling between the device and the server is routed through an encrypted VPN tunnel. While traveling through this VPN tunnel, no other person or device can see your data.
This includes your internet service provider (ISP), and by extension your government, but it also includes your own router. So when using a VPN, the connection effectively bypasses your router, making UPnP (and manual port forwarding on the router) redundant. Port forwarding when using a VPN means opening a port on the NAT firewall your VPN provider uses to protect the VPN server — not on the router.
If a device (or app running on that device, such as a BitTorrent client) supports UPnP, you should disable the setting to prevent conflicts with the VPN software.
Learn more about port forwarding with Proton VPN
How to disable UPnP on routers
Disabling UPnP on your router is a straightforward process, but the exact steps vary depending on the make and model of your router. Below are general instructions for disabling UPnP on some of the most common router brands. On other routers, the instructions will be similar.
To start, enter your router’s IP address (usually 192.168.1.1 or 192.168.0.1) into your browser’s address bar and sign in with your admin username and password. This is usually printed on a sticker attached to your router (unless you’ve changed it). Then:
Linksys routers
Go to the Administration tab → UPnP → and toggle the UPnP setting off. Click Save Settings to apply the changes. It’s a good practice to reboot your router to ensure the changes take effect. To do this, go to the Administration tab → Reboot.
Netgear routers
Go to the Administration tab → UPnP → and toggle the UPnP setting off. Click Apply to save the changes. It’s good practice to reboot your router to ensure the changes take effect. To do this, go to the Maintenance tab → Reboot.
TP-Link routers
Go to the Advanced tab → NAT forwarding → UPnP and toggle the UPnP setting off. It’s good practice to reboot your router to ensure the changes take effect. To do this, go to the System tab → Reboot.
Final thoughts on UPnP — convenience at a cost
UPnP was designed with good intentions; to make networking easier for ordinary people by allowing devices to communicate and configure themselves automatically. But in a time when cyber threats are more advanced and frequent than ever, this convenience is also a liability.
UPnP’s lack of authentication, port forwarding, and history of exploitation make it a risky feature to leave enabled, especially on home routers that are rarely monitored or updated. While it may simplify the setup of games, streaming devices, and smart home gadgets, it also quietly opens doors that hackers and malware are more than happy to walk through.
Fortunately, disabling UPnP is simple, and most people won’t notice a difference in day-to-day internet usage—especially if you take a little time to manually configure the few services that truly need open ports.
This is even easier if you use Proton VPN on your devices, as you simply need to turn the feature on, and we’ll open a suitable port in our VPN firewall for you.
