Fixed IP SIM Cards Roaming · Fixed · Private IP
Call our connectivity team 0300 124 6181
Get a Quote
Guide

Private APN and VPN Explained for IoT SIM Cards

How private APNs and VPN tunnels work together to keep IoT devices and routers off the public internet while still allowing secure remote access.

In short

A private APN gives your SIM-connected device a private, non-routable IP address instead of a public one, removing it from the public internet entirely. A VPN tunnel then connects your access point – office, cloud platform, or management system – into that same private network, so you can reach the device securely. Together, these are what make our private IP roaming SIM cards work.

What an APN actually does

Every SIM card connects to a mobile network via an Access Point Name, which determines how the device’s traffic is routed once it reaches the network. With a standard (public) APN, traffic is routed to the public internet, and the device gets a public or shared dynamic IP address depending on the SIM type. With a private APN, traffic is instead routed to a private network – the device gets an IP address from a private range (similar to the 10.x.x.x or 192.168.x.x ranges used on home and office networks), and that address simply isn’t part of the public internet at all.

Why this matters for security

A device with a public IP address, even a dynamic one from a shared pool, is part of the addressable public internet and will be found by scanning tools. A device on a private APN has an address that doesn’t exist on the public internet – there’s nothing for a scanner to find, because the address space isn’t routable from the internet at all. This is a structural difference, not just a configuration setting that could be misconfigured.

Where the VPN comes in

A private network that nothing can connect to isn’t directly useful – you need a way in. This is what the VPN provides: a secure, authenticated tunnel from your access point (an office network, a cloud server, or your own laptop with VPN client software) into the private network that the SIM’s traffic is routed to. Once the VPN tunnel is established, your access point effectively becomes part of that private network, and you can reach the device using its private IP address – the same way you’d access something on your local office network.

In practice, this means:

  • The device (router, camera, PLC) connects via the SIM to a private network – it has no public IP and is invisible to internet scanning
  • Your access point establishes a VPN tunnel into that same private network
  • Once connected, you can reach the device’s management interface, or anything on its LAN, using private IP addressing
  • Without the VPN tunnel established, no one – including you – can reach the device from outside

Setting this up

On the device side, this requires a router capable of VPN connections – standard on industrial routers from Teltonika and Milesight, supporting IPsec, OpenVPN and WireGuard. On the access side, you need a VPN endpoint – this might already exist if your office has a VPN setup, or it can be a cloud-hosted VPN service, or in simpler deployments, a direct connection between two routers.

If you’re setting up a private IP and VPN configuration for the first time, get in touch and our team can talk through what’s needed for your specific router and network setup alongside the SIM order.

Call 0300 124 6181 Get a Quote