Programmable Wireless: Virtual Private Network (VPN) (Preview)

Wireless VPN is in Developer Preview with availability by request. Some features are not yet implemented, and others will change before the product is generally available. Developer Preview APIs are very likely to change before the product reaches general availability.


The Programmable Wireless Virtual Private Network (VPN), with the help of Twilio Interconnect, creates a secure tunnel using the Internet Protocol Security (IPSec) protocol suite. All your communications are encrypted, so data can be transmitted freely between your SIM-connected devices and your servers.

The Programmable Wireless VPN solution creates a unique Internet Protocol (IP) address. This allows for constant Mobile Terminated (MT) and Mobile Originated (MO) communications from your server to your SIM-connected devices and vice versa.

General VPN features

  • Block devices from requesting unauthorized sites and services
  • Connect SIMs to your local network
  • Secure, encrypted data
  • Access a device (mobile terminated) at any time

Common components

| Name | Description |
| --- | --- |
| VPN Gateway | A network device (such as a router or firewall) supporting the IPSec protocol suite. The device needs to be assigned an IPv4 address routable on the Internet. |
| Firewall (optional) | The system that monitors and controls your incoming and outgoing network traffic. This is usually the same device as your VPN gateway. Your firewall policies should allow your internal servers to communicate with your SIMs. |

IPsec interconnection with Twilio

There are two supported ways to set up IPsec Interconnections with Twilio:

Explicit encryption domains/IPsec direct encapsulation - We explicitly specify which source/destination ranges to encrypt. For example, if your internal servers in need to access SIMs in IP range (allocated by Twilio), then we set up mirroring crypto ACLs to only encrypt traffic between the two ranges. This method is ideal if you don’t need to process SIMs’ Internet-bound traffic and you don’t have many discontinuous internal networks that need to communicate with your SIMs.

Encrypt everything/Cisco VTI style IPsec - If you want to process SIMs’ Internet-bound traffic, or you have a wide range of internal networks that need to access SIMs, then Cisco VTI style IPsec Interconnection is preferred. You can advertise a default route to Twilio. Twilio will then encrypt all traffic generated by the SIMs and send it to your internal servers, and vice versa, as long as SIM-destined traffic matches the IP range Twilio allocated to you. With this method, we can do either static routing or BGP. BGP is preferred. Twilio will peer from AS 394434; if you don’t have a public BGP AS, Twilio will allocate a private one to you. There are no restrictions as to what encryption domains/route advertisements from you as long as they don’t overlap with Twilio will allocate an IP range for your SIMs to you.
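
An added example, not part of Twilio's documentation: a Python check for the explicit encryption domains method above, confirming that the crypto ACL on your gateway and the peer's ACL are exact mirrors and that a given flow falls inside the encrypted ranges. The function names and all address ranges are constructed placeholders; the real SIM range is whatever Twilio allocates to you.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: two internal server ranges and a placeholder SIM range.
LOCAL_ACL = [("10.20.0.0/24", "192.0.2.0/24"),
             ("10.30.0.0/24", "192.0.2.0/24")]
# The peer side lists the same traffic with source and destination swapped.
# The entry for 10.30.0.0/24 is deliberately missing here.
PEER_ACL = [("192.0.2.0/24", "10.20.0.0/24")]


def parse_acl(entries):
    """Turn (source, destination) CIDR strings into a set of network pairs."""
    return {(ip_network(s), ip_network(d)) for s, d in entries}


def check_encryption_domains(local_acl, peer_acl):
    """Return a list of problems; an empty list means the ACLs mirror each other."""
    local = parse_acl(local_acl)
    mirrored_peer = {(d, s) for s, d in parse_acl(peer_acl)}
    problems = []
    for s, d in sorted(local - mirrored_peer, key=str):
        problems.append(f"local {s} -> {d} has no mirror entry on the peer")
    for s, d in sorted(mirrored_peer - local, key=str):
        problems.append(f"peer {d} -> {s} has no mirror entry locally")
    # Sanity check assumed by this example: the two ends of a selector
    # must be disjoint, otherwise the gateway cannot tell them apart.
    for s, d in sorted(local, key=str):
        if s.version == d.version and s.overlaps(d):
            problems.append(f"{s} overlaps {d}")
    return problems


def is_protected(acl, src, dst):
    """True if a src -> dst flow matches an ACL entry and so enters the tunnel."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in s and dst in d for s, d in parse_acl(acl))


if __name__ == "__main__":
    for problem in check_encryption_domains(LOCAL_ACL, PEER_ACL):
        print("MISMATCH:", problem)
    # A server outside the listed ranges is not covered by the tunnel.
    print(is_protected(LOCAL_ACL, "10.40.0.5", "192.0.2.17"))
```

A selector mismatch of this kind is a common reason an IPsec phase II negotiation fails or traffic from one internal range never reaches the SIMs, so running the check before exchanging configurations saves a troubleshooting round.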

VPN Access Point Name (APN)

For data access exclusively on APN.

What we need to get started

The following information is necessary and required by Twilio, as the VPN provider, to provide a secure tunnel between Twilio Programmable Wireless and your VPN-enabled device:

| What | Why | How |
| --- | --- | --- |
| VPN Gateway | To establish an IPSec tunnel between your network and Twilio's. | A router or firewall supporting IPSec VPN can be procured from network equipment manufacturers such as Cisco or Juniper, or by using a cloud service such as AWS or Azure. |
| IPSec phase I and II specifications | To configure your VPN gateway. | You will receive Twilio’s IPSec VPN specification. The IKE PSK will be sent separately via secure email. |
| IPSec Interconnection method | To configure your VPN gateway. | Ask your network administrator which of the two IPsec configuration methods works best for you. |
| The number of devices expected to bring online over a one year period | It’s ideal to allocate an adequate number of IP addresses to provide a continuous range of IP addresses. | Provide Twilio with the number of devices you expect to bring online in the next two years. This will be the number of IP addresses we will carve out for you. You can add to your range in the future. |
| Account Sid(s) | So that we know which Twilio account is authorized to use your private connection and financially responsible for it. | See your Console dashboard. |
| Rate Plan Sid(s) | VPN-enabled Rate Plans require a manual step by Twilio while in Developer Preview. | Create new or provide existing Rate Plan(s) that will be associated with VPN-enabled SIMs. |
| Sim(s) | Provide lists of SIM Sids to map to IP addresses. | SIMs must be registered to an account to assign an IP address. |

Programmable Wireless Console configuration

The following are required to configure a Programmable Wireless SIM in the Console to access your virtual private network:

Physical Twilio SIM (2FF/3FF/4FF or embedded)

  • Order the Twilio SIMs using the Console.

No physical distinction exists between a VPN and non-VPN SIM.

SIM (VPN-enabled) Rate Plans

A VPN-enabled Twilio SIM means the SIM is associated with a Rate Plan that is configured for VPN access.

  1. Create a new Rate Plan that meets your business requirements.
  2. Have Twilio manually enable VPN access for the given Rate Plan while in Developer Preview.

Access Point Name (APN)

A VPN-enabled device with a Twilio SIM must set its APN to:


Get VPN-enabled SIMs

Sign up to our Developer Preview and a member from our Sales team will reach out.
