VPN connectivity for your IoT devices
Time to read: 4 minutes
I am excited to announce that Super SIM now has VPN (Virtual Private Network) support, enabling you to set up secure private networks between Twilio and your application data centers and have your Super SIM connected devices use these private networks. With regular Internet breakout, the traffic from devices using Super SIM will go over the Internet and get routed to your application data center. When VPN is used, the same traffic is sent over a secure and private tunnel as shown below:
The benefits of using VPN for IoT devices
With a VPN that tunnels your device connectivity, you get the following benefits:
- Secure channel - A secure data channel is created between Twilio and your data center. All traffic to/from the devices going through this data channel is encrypted and does not go over the public Internet unprotected.
- Private end-to-end network - You can connect your private network to Twilio using the VPN. Since the traffic to/from your device goes over the VPN tunnel, you are in complete control of which application servers you devices talk to.
- Extended session duration - TCP/UDP sessions between your devices and your application servers can have extended duration without TCP/UDP bindings expiring at intermediate NAT/firewalls.
- Network initiated connection to device - You can reach a device at a private static IP address without your device having to setup and maintain a persistent TCP or UDP session.
- No need for a client VPN - Your devices don’t need to be modified to implement a client based VPN, which can be very resource intensive.
- Not constrained by NAT/Firewall timers - For a typical cellular connected device, if the device does not send a periodic keepalive, the NAT/Firewall state expires. This results in you not being able to reach your device until the device sets up a connection again. With VPN, you don’t have this limitation - there are no UDP/TCP session timers between your devices and your application cloud.
Does my use case really require VPN?
Most IoT use cases do not actually require a VPN, and you shouldn’t opt for one if your application won’t benefit from it. This is because setting up and maintaining a VPN connection involves increased complexity, and it comes at an additional cost. Please review your use case with your IoT specialist at Twilio to determine if it warrants a VPN connection. If you do not have an assigned IoT specialist yet but would like to discuss this with one, please reach out to us.
If your use case simply requires sending a message from your cloud to your device, IP Commands is a simple and much cheaper alternative to Super SIM VPN. Using IP Commands, you can send short IP/UDP messages from your application cloud to your Super SIM-enabled IoT devices without the device having to maintain a persistent connection to your cloud, having to use a VPN between your cloud and the cellular network, or requiring a static public IP address for each device.
If you know you need VPN or would like to explore the setup with Twilio, read on.
Setting up a Super SIM VPN
Setting up a VPN involves exchanging configuration information with Twilio. This includes:
- VPN Gateway IP address
- Encryption Domains (the private IP subnets behind the VPN gateway)
- BGP config (ASN)
- Routing mode selection
- Required bandwidth (10/100/1000 Mbps)
- IKEv1/IKv2/IPsec parameters
- Pre-shared key for mutual authentication between the VPN gateways
For a lot of information above, you can just select the pre-defined default values. Once the Twilio VPN gateway and your VPN gateway are configured with the right information, the VPN connection is set up automatically.
Routing your traffic
Super SIM VPN supports two modes to route traffic from the devices:
- Split tunneling - In this mode, traffic destined to your data center will be sent via the VPN tunnel. If the destination of the traffic is a server on the Internet, traffic will be routed directly to that server over the Internet instead of going through the VPN. This mode is useful when you want to handle only the traffic that is sent to your application servers and not to other destinations on the Internet.
- All traffic through the tunnel - In this mode, your devices can only talk to your application cloud; they will not be allowed to exchange traffic with any server on the Internet. With this mode, you are in full control of the traffic and make sure that the devices can only talk to your cloud.
You can specify the mode you want to use when you create the VPN connection.
Using the VPN
To have your Super SIM enabled devices use the VPN, it is as simple as enabling VPN for the corresponding Fleet. There is no need to configure private/special APNs on the devices for using the VPN. When you add a SIM to a Fleet that has VPN enabled, the corresponding device will start using the VPN connection automatically the next time it attaches to a cellular network. If you remove a SIM from a VPN-enabled Fleet, the device with that SIM will stop using the VPN connection the next time it attaches to a cellular network.
Static IP Addresses
With VPN, each of your Super SIMs gets a static private IP address. This IP address assignment is permanent as long as you keep the SIM on a VPN-enabled Fleet. You can reach your devices at these static IPs from your application cloud. You can initiate any kind of IP connection (SSH, UDP, etc) from your cloud to your device.
You can read the static IP address allocated to each SIM through the SIM Resource view on the Console, through the Twilio API (IpAddresses Subresource) or through
- From the Twilio Console
- Through Super SIM Connection Events
How to get access to Super SIM VPN
We are currently in the Private Beta phase for Super SIM VPN. If you decide that your application needs VPN, please reach out to your Twilio sales representative or Twilio Support. Please review the documentation on How to Setup Super SIM VPN before you reach out. If you do not have an assigned IoT specialist yet but would like to discuss the use of our IoT SIM with VPN tunneling with one of our specialists, please reach out to us.
We can’t wait to hear from you!
Vijay Devarapalli is a Principal Product Manager for Twilio IoT, responsible for the Twilio Distributed IoT Mobile Core that drives Super SIM and other IoT cellular connectivity products. Vijay is a telecom industry veteran, having designed and built 3G and LTE packet core and edge computing solutions, as well as technologies for improving radio network efficiency. He has also made significant contributions in the standards space, having authored 17 RFCs in the IETF and numerous contributions to 3GPP LTE specifications.
Related Posts
Related Resources
Twilio Docs
From APIs to SDKs to sample apps
API reference documentation, SDKs, helper libraries, quickstarts, and tutorials for your language and platform.
Resource Center
The latest ebooks, industry reports, and webinars
Learn from customer engagement experts to improve your own communication.
Ahoy
Twilio's developer community hub
Best practices, code samples, and inspiration to build communications and digital engagement experiences.