Skip to contentSkip to navigationSkip to topbar
Rate this page:
On this page

Programmable Wireless: How to Configure a Virtual Private Network

A Virtual Private Network (VPN) is a secure tunnel established between Internet-connected devices. The Programmable Wireless VPN creates this secure pathway using Internet Protocol Security protocol (IPSec) and encrypts all communication between your Programmable Wireless SIM-connected devices and servers.

The Programmable Wireless VPN creates a unique Internet Protocol (IP) address. This allows for constant Mobile Terminated (MT) and Mobile Originated (MO) communications between your server and your devices.



Programmable Wireless VPN set up requires manual input from Twilio, so it can't yet be enabled in the Console. Please contact us(link takes you to an external page) if you would like to make use of Programmable Wireless VPN.

General VPN features

general-vpn-features page anchor
  • Block devices from requesting unauthorized sites and services.
  • Connect SIMs to your local network.
  • Secure, encrypted data.
  • Access a device (Mobile Terminated), anytime.

VPN Gateway: Firewall (optional)

A network device, such as a router or a firewall, which supports the IPSec protocol suite. The device needs to be assigned an IPv4 address routable on the Internet.:

The system that monitors and controls your incoming and outgoing network traffic. This is usually the same device as your VPN gateway.Your firewall policies should allow your internal servers to communicate with your SIMs.

VPN Gateway: IPsec interconnection with Twilio

A network device, such as a router or a firewall, which supports the IPSec protocol suite. The device needs to be assigned an IPv4 address routable on the Internet.:

There are two supported ways to set up IPsec interconnections with Twilio:

  • Explicit encryption domains/IPsec direct encapsulation We explicitly specify what source/destination ranges to encrypt. For example, if your internal servers in need to access SIMs in IP range (allocated by Twilio), then we setup mirroring crypto ACLs to only encrypt traffic between the two ranges. This method is ideal if you don't need to process SIM's Internet-bound traffic and you don't have many discontinuous internal networks that need to communicate with your SIMs.
  • Encrypt everything/Cisco VTI style IPsec If you want to process SIMs Internet-bound traffic or you have a wide range of internal networks that need to access SIM, then Cisco VTI style IPsec Interconnection is preferred. You can advertise a default route to Twilio. Twilio will then encrypt all traffic generated from SIM and send to your internal servers, and vice versa as long as SIM destined traffic match the IP range Twilio allocated to you. With this method, we can either do static routing or BGP. BGP is preferred. Twilio will peer from AS 394434, if you don't have a public BGP AS, Twilio will allocate a private one to you. There are no restrictions as to what encryption domains/route advertisements from you as long as they don't overlap with Twilio will allocate an IP range for your SIMs to you.

What we need to get started

what-we-need-to-get-started page anchor

The following information is necessary and required by Twilio, as the VPN provider, to provide a secure tunnel between Programmable Wireless and your VPN-enabled device:

VPN GatewayTo establish an IPSec tunnel between your network and Twilio's.Router or firewall supporting IPSec VPN could be procured from network equipment manufacturers such as Cisco, Juniper, etc., or by using a cloud service such as AWS or Azure.
IPSec phase I and II specificationsTo configure your VPN gateway.You will receive Twilio's IPSec VPN specification. IKE PSK will be sent separately via secure email.
IPSec Interconnection methodTo configure your VPN gateway.Ask your network administrator which one of two IPsec configuration methods that work best for you.
The number of devices you expect to bring online over a one-year periodTo allocate an adequate number of IP addresses and to provide a continuous range of IP addresses.This will be the number of IP addresses we will carve out for you. You can add to your range in the future.
Account SID(s)So that we know which Twilio account is authorized to use your private connection and financially responsible for it.See the Console dashboard(link takes you to an external page).
Rate Plan SID(s)VPN-enabled Rate Plans require manual setup by Twilio.Create a new Rate Plan (or provide an existing one) that will be associated with VPN-enabled SIMs.
Sim(s)Provide lists of Sim SIDs to map to IP addresses.SIMs must be registered to an account to assign an IP address.

Programmable Wireless Console configuration

programmable-wireless-console-configuration page anchor

To use a VPN, you must use a physical Programmable Wireless SIM (2FF/3FF/4FF or embedded). You can order your SIMs using the Console(link takes you to an external page).

The following are required to configure the Programmable Wireless SIM to access your virtual private network:

1. A VPN-enabled Rate Plan

1-a-vpn-enabled-rate-plan page anchor

There is no physical distinction between a regular Programmable Wireless SIM and one with VPN enabled. What differentiates these two SIMs is that the latter is associated with a Rate Plan that is configured for VPN access. To set up such a Rate Plan:

  1. Create a new Rate Plan(link takes you to an external page) that meets your business requirements.
  2. Contact Twilio(link takes you to an external page) to enable VPN access for the given Rate Plan.

2. The correct Access Point Name (APN)

2-the-correct-access-point-name-apn page anchor

Devices with a Programmable Wireless SIM using the VPN must set their APN to:

Server-side VPN setup guides

server-side-vpn-setup-guides page anchor

The following third-party guides will help you configure your servers for VPN.

Rate this page: