No products in the basket.
VPN On Cellular Routers
VPN on Cellular Routers – A Practical Guide
A VPN (Virtual Private Network) on a cellular router creates an encrypted tunnel between the router and a central server or network, over a mobile data connection. This lets you reach remote equipment – PLCs, CCTV cameras, meters, payment terminals – securely from any location, without exposing those devices to the public internet. Most industrial 4G and 5G routers sold today run one or more VPN protocols natively, with no additional hardware or software required.
This guide covers why cellular routers specifically benefit from VPN, the main VPN protocol options and their trade-offs, how VPN compares to a fixed IP SIM card, and which routers in the routerstore.com range support VPN out of the box.
Why Cellular Routers Need VPN
The core problem with cellular connectivity is dynamic IP addressing. Mobile networks assign IP addresses from a shared pool. Every time a router reconnects – after a reboot, a signal dropout, or a SIM failover – it typically gets a different public IP address. This makes it impossible to reach the router from a fixed host unless you know the current IP.
There are two standard solutions to this problem. The first is a fixed IP SIM card, where the mobile network permanently assigns a static IP address to the SIM. The second is a VPN, where the router connects outbound to a VPN server with a known fixed address and maintains a persistent tunnel. Both approaches solve the reachability problem, but in different ways and for different use cases.
VPN also adds encryption and authentication. Traffic between the router and the VPN server is encrypted end to end. This protects communications that travel across shared mobile networks, which is important for industrial control data, CCTV streams, and payment systems.
VPN Protocol Comparison
Teltonika RutOS and Robustel RobustOS both support multiple VPN protocols. The right choice depends on what you are connecting to, your security requirements, and the available hardware at each end.
| Protocol | Typical Use | Strengths | Considerations |
|---|---|---|---|
| IPsec | Site-to-site VPN, connection to existing enterprise firewalls and VPN concentrators | Industry standard; compatible with Cisco, Fortinet, pfSense, and most enterprise firewalls; strong encryption; no client software needed on the router side | Configuration is more complex than newer protocols; can struggle with NAT traversal on some mobile networks |
| OpenVPN | Remote access to individual routers or sites; connections to cloud-hosted VPN servers | Runs over TCP or UDP; passes through most firewalls; widely supported; certificate-based authentication | Higher CPU overhead than WireGuard; slower on lower-spec routers |
| WireGuard | Remote access; site-to-site; high-throughput requirements | Very low CPU overhead; fast connection establishment; modern cryptography; works well on low-power industrial routers | Newer protocol; less widely supported in legacy enterprise firewall hardware; UDP only |
| GRE | Encapsulation of non-IP protocols; MPLS interconnect; specific carrier configurations | Lightweight encapsulation; no encryption overhead (combine with IPsec if encryption needed); useful for bridging legacy protocols | No built-in encryption; generally used in combination with IPsec rather than standalone |
| L2TP/PPTP | Legacy systems; compatibility with older VPN endpoints | Widely supported in older hardware and operating systems | PPTP is considered cryptographically weak; L2TP adds overhead; not recommended for new deployments |
For new deployments where you control both ends of the connection, WireGuard is the most practical choice on modern Teltonika and Robustel routers. It is fast, uses minimal CPU, and establishes connections quickly after a cellular reconnect. For connecting into existing enterprise infrastructure such as a Cisco ASA or Fortinet firewall, IPsec is the correct choice. OpenVPN is the best option for connections to cloud-hosted VPN servers such as those running on AWS, Azure, or a Linux VPS.
VPN vs Fixed IP SIM – Which Do You Need?
The short answer: a fixed IP SIM gives you a permanent, routable public IP address at the SIM level, so any host on the internet can reach the router directly. A VPN gives you a private, encrypted connection to a specific server or network, without exposing the router to the public internet at all. Many deployments use both.
| Scenario | Fixed IP SIM | VPN |
|---|---|---|
| SCADA polling from a fixed control room host | Works – control room connects directly to the SIM’s static IP | Works – router connects to VPN server, control room accesses device via tunnel |
| CCTV remote viewing | Works – NVR is accessible at a known IP; port forwarding required | More secure – camera or NVR not exposed to public internet; VPN required on viewing device |
| Fleet of 200+ remote sites | Cost of fixed IP SIM per site can add up; simpler per-device setup | One VPN server handles all sites; easier central management; routers use standard roaming SIMs |
| eSIM routers (e.g. Robustel R1511e) | Fixed IP at network level still requires carrier agreement; not available on all eSIM profiles | RobustVPN provides a fixed IP via VPN on any eSIM profile – simpler for multi-carrier eSIM deployments |
| Encrypted communications required | Fixed IP alone provides no encryption; traffic travels unencrypted over the mobile network | End-to-end encryption between router and VPN server included |
For small deployments where simplicity matters, a fixed IP SIM with port forwarding is often the fastest path to remote access. For larger fleets, security-sensitive applications, or eSIM-based routers, a VPN server approach gives more flexibility and lower per-site cost.
Common VPN Use Cases on Industrial Cellular Routers
SCADA and Remote Substation Monitoring
SCADA systems poll remote RTUs and PLCs on a regular cycle. The SCADA host needs a reliable route to each field device. A VPN tunnel from each router to a central VPN concentrator provides this. The SCADA host connects to the concentrator and reaches all field routers through their assigned tunnel addresses. WireGuard or IPsec is typical here, with Teltonika RutOS managing tunnel keepalives and automatic reconnection after a cellular drop.
Remote CCTV Access
CCTV systems at remote sites – fuel stations, construction sites, infrastructure compounds – need a way to stream footage to a central monitoring station without exposing the NVR to the public internet. A VPN tunnel from the site router to a central server lets the monitoring station pull footage over the tunnel while the camera network remains completely private. This approach also means the site does not need a fixed IP SIM, since the router initiates the tunnel outbound.
EV Charge Point Management
OCPP-based EV charge point management systems communicate between charge points and a central back-office platform. Where charge points use cellular routers for connectivity, a VPN ensures that OCPP traffic between the charge point and the platform is encrypted and that the charge point cannot be reached by anything other than the authorised back-office system. This matters for tamper-proofing and PCI compliance where card payment is involved.
Retail and Vending Machine Connectivity
Vending machines, parcel lockers, and unattended payment terminals connect to host systems over cellular. A VPN from each device to the host network keeps transaction data encrypted in transit and means the terminal is not reachable from the public internet. For large vending fleets, a hub-and-spoke VPN configuration lets a single server manage thousands of devices.
Enterprise WAN Failover
Businesses running SD-WAN or MPLS need a cellular backup path that connects into the same network topology. A cellular router running an IPsec or WireGuard tunnel to the enterprise VPN gateway provides this. Traffic failing over from the primary MPLS link passes through the cellular router and the VPN tunnel to reach internal network resources with the same IP routing in place.
Secure Remote Access for Engineers
Field engineers need access to PLCs, HMIs, and network equipment at remote sites for diagnostics and configuration. A VPN from the site router to a central server lets engineers connect via a laptop VPN client and reach site equipment without the site network being accessible to anyone else. Teltonika RMS provides a similar capability for Teltonika routers specifically – see the Teltonika RMS guide for more detail.
VPN Support on routerstore.com Routers
All Teltonika routers running RutOS support IPsec, OpenVPN, GRE, and WireGuard natively. This includes every RUT, RUTX, RUTM, and RUTC series model. VPN configuration is handled through the RutOS web interface or via Teltonika RMS for remote fleet deployment. The RUTC series adds Docker support, which allows custom VPN clients and network applications to run as containers alongside the standard RutOS VPN stack – see the Docker on Teltonika routers guide for more detail.
Robustel routers running RobustOS, including the Robustel R1511e, support IPsec, OpenVPN, GRE, and WireGuard. RobustVPN, part of the RCMS cloud platform, provides a fixed IP address via VPN on any active SIM or eSIM profile without requiring a separate fixed IP SIM card.
| Router Range | IPsec | OpenVPN | WireGuard | GRE |
|---|---|---|---|---|
| Teltonika RUT series | Yes | Yes | Yes | Yes |
| Teltonika RUTX series | Yes | Yes | Yes | Yes |
| Teltonika RUTM series | Yes | Yes | Yes | Yes |
| Teltonika RUTC series | Yes | Yes | Yes | Yes |
| Robustel R1511e | Yes | Yes | Yes | Yes |
Frequently Asked Questions
Do I need a fixed IP SIM if I use a VPN?
Not necessarily. With a VPN, the router connects outbound to a VPN server that has a fixed public IP. You reach the router by connecting to the VPN server, not directly to the router’s SIM IP. This means a standard roaming SIM with a dynamic IP works fine. However, if your VPN server or SCADA host requires the router to be reachable at a fixed address without running a VPN client at the monitoring end, a fixed IP SIM remains the simpler option for that specific scenario.
Which VPN protocol should I use on a Teltonika router?
For new deployments where you control both ends: WireGuard. It uses minimal CPU, connects quickly after a cellular drop, and the modern cryptography is solid. For connections into an existing enterprise firewall or VPN concentrator: IPsec, using IKEv2. For cloud-hosted VPN servers where OpenVPN is already running: OpenVPN over UDP. Avoid PPTP for any new deployment – it is cryptographically weak and not recommended.
Can I run VPN on a cellular router without a fixed IP SIM?
Yes. This is one of the main advantages of a VPN on a cellular router. The router initiates the connection outbound to a VPN server at a known IP address. Since the router makes the outbound connection, it does not need to be reachable at a fixed IP itself. Standard roaming SIMs with dynamic IPs work for this. Our roaming SIM cards are suitable for VPN-based deployments where a fixed IP is not required at the SIM level.
How many VPN tunnels can a Teltonika router run simultaneously?
This varies by model and depends on the number of configured instances rather than a hard protocol limit. Entry-level RUT series routers typically handle 2-4 simultaneous tunnels comfortably. RUTX and RUTM series routers handle more, and the RUTC series with its dual-core CPU and 1 GB RAM is suitable for demanding multi-tunnel deployments. For exact limits on a specific model, contact our UK-based technical support team on 0300 124 6181.
What is RobustVPN and how does it differ from running a VPN on the router?
RobustVPN is a managed VPN service built into the Robustel RCMS cloud platform. Instead of running your own VPN server, Robustel hosts the VPN infrastructure and assigns each Robustel router a fixed IP address through the RobustVPN service. This means you get a fixed IP address and encrypted remote access without hosting or maintaining a VPN server. It is particularly useful for eSIM-based routers like the Robustel R1511e, where the active eSIM profile may change and a carrier-level fixed IP is not always available.
Does using a VPN affect the cellular data usage on the router?
Yes, but modestly. VPN protocols add a small overhead to each packet – typically 10-20% depending on the protocol and packet size. IPsec and WireGuard have lower overhead than OpenVPN in TCP mode. For most industrial applications where data volumes are small (SCADA polling, alarm events, configuration changes) the additional usage is negligible. For high-volume applications such as continuous CCTV streaming, it is worth factoring VPN overhead into your data allowance calculation.
Related Products and Further Reading
Browse the full Teltonika 4G router range and Teltonika 5G routers – all models support IPsec, OpenVPN, WireGuard, and GRE natively via RutOS. For eSIM-based deployments with built-in VPN fixed IP, see the Robustel R1511e. If a fixed IP at the SIM level suits your use case better than a VPN, see our fixed IP SIM cards or visit the SIM connectivity page for the full range. For background on Teltonika’s remote management platform, see the Teltonika RMS explainer.