Rate this page:

Programmable Wireless: How to Configure a Virtual Private Network

A Virtual Private Network (VPN) is a secure tunnel established between Internet-connected devices. The Programmable Wireless VPN creates this secure pathway using Internet Protocol Security protocol (IPSec) and encrypts all communication between your Programmable Wireless SIM-connected devices and servers.

The Programmable Wireless VPN creates a unique Internet Protocol (IP) address. This allows for constant Mobile Terminated (MT) and Mobile Originated (MO) communications between your server and your devices.

Programmable Wireless VPN set up requires manual input from Twilio, so it can’t yet be enabled in the Console. Please contact us if you would like to make use of Programmable Wireless VPN.

General VPN features

  • Block devices from requesting unauthorized sites and services.
  • Connect SIMs to your local network.
  • Secure, encrypted data.
  • Access a device (Mobile Terminated), anytime.

Key VPN components

VPN Gateway A network device, such as a router or a firewall, which supports the IPSec protocol suite. The device needs to be assigned an IPv4 address routable on the Internet.
Firewall (optional)

The system that monitors and controls your incoming and outgoing network traffic. This is usually the same device as your VPN gateway.

Your firewall policies should allow your internal servers to communicate with your SIMs.

IPsec interconnection with Twilio

There are two supported ways to set up IPsec interconnections with Twilio:

  • Explicit encryption domains/IPsec direct encapsulation We explicitly specify what source/destination ranges to encrypt. For example, if your internal servers in need to access SIMs in IP range (allocated by Twilio), then we setup mirroring crypto ACLs to only encrypt traffic between the two ranges. This method is ideal if you don’t need to process SIM’s Internet-bound traffic and you don’t have many discontinuous internal networks that need to communicate with your SIMs.
  • Encrypt everything/Cisco VTI style IPsec If you want to process SIMs Internet-bound traffic or you have a wide range of internal networks that need to access SIM, then Cisco VTI style IPsec Interconnection is preferred. You can advertise a default route to Twilio. Twilio will then encrypt all traffic generated from SIM and send to your internal servers, and vice versa as long as SIM destined traffic match the IP range Twilio allocated to you. With this method, we can either do static routing or BGP. BGP is preferred. Twilio will peer from AS 394434, if you don’t have a public BGP AS, Twilio will allocate a private one to you. There are no restrictions as to what encryption domains/route advertisements from you as long as they don’t overlap with Twilio will allocate an IP range for your SIMs to you.

What we need to get started

The following information is necessary and required by Twilio, as the VPN provider, to provide a secure tunnel between Programmable Wireless and your VPN-enabled device:

What Why How
VPN Gateway To establish an IPSec tunnel between your network and Twilio’s. Router or firewall supporting IPSec VPN could be procured from network equipment manufacturers such as Cisco, Juniper, etc., or by using a cloud service such as AWS or Azure.
IPSec phase I and II specifications To configure your VPN gateway. You will receive Twilio’s IPSec VPN specification. IKE PSK will be sent separately via secure email.
IPSec Interconnection method To configure your VPN gateway. Ask your network administrator which one of two IPsec configuration methods that work best for you.
The number of devices you expect to bring online over a one-year period To allocate an adequate number of IP addresses and to provide a continuous range of IP addresses. This will be the number of IP addresses we will carve out for you. You can add to your range in the future.
Account SID(s) So that we know which Twilio account is authorized to use your private connection and financially responsible for it. See the Console dashboard.
Rate Plan SID(s) VPN-enabled Rate Plans require manual setup by Twilio. Create a new Rate Plan (or provide an existing one) that will be associated with VPN-enabled SIMs.
Sim(s) Provide lists of Sim SIDs to map to IP addresses. SIMs must be registered to an account to assign an IP address.

Programmable Wireless Console configuration

To use a VPN, you must use a physical Programmable Wireless SIM (2FF/3FF/4FF or embedded). You can order your SIMs using the Console.

The following are required to configure the Programmable Wireless SIM to access your virtual private network:

1. A VPN-enabled Rate Plan

There is no physical distinction between a regular Programmable Wireless SIM and one with VPN enabled. What differentiates these two SIMs is that the latter is associated with a Rate Plan that is configured for VPN access. To set up such a Rate Plan:

  1. Create a new Rate Plan that meets your business requirements.
  2. Contact Twilio to enable VPN access for the given Rate Plan.

2. The correct Access Point Name (APN)

Devices with a Programmable Wireless SIM using the VPN must set their APN to:

Server-side VPN setup guides

The following third-party guides will help you configure your servers for VPN.

Microsoft Azure

Amazon Web Services

Rate this page:

Need some help?

We all do sometimes; code is hard. Get help now from our support team, or lean on the wisdom of the crowd by visiting Twilio's Stack Overflow Collective or browsing the Twilio tag on Stack Overflow.

Thank you for your feedback!

Please select the reason(s) for your feedback. The additional information you provide helps us improve our documentation:

Sending your feedback...
🎉 Thank you for your feedback!
Something went wrong. Please try again.

Thanks for your feedback!