IoT Hacking Series #11: How do VPN, APN and Fixed IP SIM work?

Tags: IoT
A picture of Marcin Kulczycki
Written by
Marcin Kulczycki

In this post, we explain all the little details and nuances about VPNs, APNs and Fixed IP features and their exact meanings.

After reading the post, you shouldn't have any further confusion between the different variants of APN and VPN deployment models available.

This newest blog post continues on the topic of APN and VPN technology, which we have explored earlier.

What is an APN?

From the above-mentioned blog post, we know that APN stands for Access Point Name. It is the name of a gateway and point of entry onto the Internet (IP network) from a mobile network.

Also, we already know that there are several variants of APNs in everyday use. These are:

  • Public APN
  • Private APN
  • Custom APN

Public APN is the default option that is associated with all SIM subscriptions of a given service provider. These default settings allow all users access to the Internet without any additional steps in IoT device reconfiguration.

Private APN, also called Corporate APN, is used to access a specific network. Here, the SIM subscription must be provisioned on this specific APN gateway, and APN settings have to be updated in the IoT device.

The picture below illustrates the traffic flow in a typical use case of a Private APN.


Here, the traffic flows directly from the IoT device via the mobile network to the customer's private network, where it terminates. This traffic does not travel across the Internet.

Private APN offers more security than Public APN, which uses the Internet. Only SIM subscriptions that are authorised by the customer may be provisioned onto an APN gateway. Private APN is not accessible to any other subscriber since it is a private network that can only be accessed by the customer's SIM subscriptions.

The last variant, Custom APN is a de-facto Public APN with an alias, set up according to the customer organisation’s requirements, masking a generic name assigned by a service provider.

Why would anyone need Private APNs?

As per its name, Private APN gives more control over how to secure and configure the data connection.

There are several benefits of using Private APN for customers, including:

  • Configurability. It offers the ability to configure various settings such as IP addressing (either static or dynamic) and authentication methods. 
  • Security. Subscribers are only visible to other devices on the same APN. This makes Private APNs a superior solution in terms of data security when compared to using Public APN or any other Internet access. It allows data to remain only on the customer's private network.
  • Cost-effectiveness. It offers a cost-effective mobile security solution due to the ability to aggregate usage.
  • Organization Policies. When applied as part of a mobile security solution, it benefits from having mobile users conform to security and usage policies. This feature limits potential misuse of mobile services.
  • Global Coverage. With a network of global carrier partners, users have access to their Private APN across the globe, allowing for convenient and secure access to all the customer organisation's applications.

The Private APN solution offers truly secure mobile connectivity, comparable to the level of protection applied in private networks that allow sending customer organisation's data traffic within a closed and private group of hosts.

What is a VPN?

VPN stands for Virtual Private Network. It is a layer of security for Internet access from an IoT device. It allows for the data exchange to remain confidential via encryption and decryption mechanisms. It is crucial when a device remains connected to the Internet via a public network, including Public APN.

A VPN is set up as a site-to-site connection. It creates a so-called VPN tunnel, which is stretched between two endpoints. One end, the Software VPN Client, is running on an IoT device, and the VPN Server on the other side, which is usually the organisation's back-end server or specialised hardware firewall or router.

These two endpoints add headers to the original packet, with these headers including fields that allow the VPN devices to make the traffic secure. The VPN devices also encrypt the original IP packet, meaning that the original packet's contents are indecipherable to anyone who happens to see a copy of the packet as it is transmitted over the Internet.

The picture below illustrates the VPN tunnel concept.


For creating a VPN tunnel on the IoT device side, there is a need to assign an IP address. This IP address is assigned by use of an APN gateway via APN settings applied on the IoT device. It enables connections directly to the device through a VPN tunnel and extends this private and secure network to the IoT devices.

Specialised mobile VPN solutions are used for IoT devices where an endpoint of the VPN is not fixed to a single IP address, but instead roams across various data networks without dropping the secure VPN session or losing application sessions.

Here, Mobile VPN tunnels are not tied to physical IP addresses and instead each tunnel is bound to a logical IP address. That logical IP address is assigned to the IoT device (being a device in motion) no matter where it may roam. Applications running on the device and inside the customer organisation’s network communicate through that one logical IP address, remaining unaware of the user's motion and the different physical IP addresses and data network transitions.

Why would anyone need VPNs?

VPNs provide the same security features as private networks, while still sending data over a network that is open to other participants, such as the Internet. Compared to a private network, the Internet does not provide a secure environment that protects the privacy of a customer organisation's data.

The main benefits of using VPNs are security-related features:

  • Confidentiality and Privacy. Preventing anyone in the middle of the Internet ('man in the middle') from being able to read the data, including website owners, third parties, and other agencies specialising in an online traffic tracking.
  • Authentication. Verifying that the sender of the VPN packet is a legitimate device and not a device used by an attacker.
  • Data Integrity. Verifying that the packet was not changed as the packet crossed the Internet.
  • Anti-replay. Preventing a 'man in the middle', from copying and later replaying the packets sent by a rightful user, to appear to be a legitimate user.

From the more practical side, using a VPN allows setting up a connection from the server to the IoT device. Without a VPN, different firewalls or Network Address Translation (NAT) can prevent connecting to the device, and moreover such a connection can only be initiated from the IoT device itself.

And last but not least, a VPN protects against unwanted connections from other users trying to reach the IoT device. Only the SIM subscriptions provisioned with the VPN can connect to the customer organisation's applications. Outside SIM subscriptions and users can not access the configured VPN tunnel.

What is Fixed IP?

There are two types of IP addressing - fixed IP address, also called static IP address, and dynamic IP address.

Dynamic IP addresses are assigned automatically based on preconfigured settings in the network and dedicated DHCP servers (dynamic host configuration protocols), which manage a pool of IP addresses available for use.

Fixed IP addresses remain static and don't change over time. Their use allows for opening two-way communication between the IoT device and the customer organisation's servers. In other words, it ensures remote access to the IoT device to retrieve information when needed, and without having to wait for the device to send its data back to the server. Since it is a fixed IP address assigned to the IoT device, the IP address to reach the device is already known.

The illustration below shows the difference between both types.


Also, there are several variants of Fixed IP:

  • Public Fixed IP, which provides a static and a public IP address. It is unique on a global scale and allows for connections to an IoT device from any other host connected to the Internet. In this case, a standard Public APN is used.
  • Private Fixed IP, which provides a static and a private IP address. Such an address is valid only within a particular customer organisation's network (which is an example of a private network). In this case, a customer-defined Private APN must be used.

Why would anyone need Fixed IPs?

There are several benefits of using a Fixed IP:

  • It allows greater visibility and control over IoT devices. They can be easily reached from anywhere in the world using a public Internet connection.
  • In connection with VPN technology, it ensures end to end security and encryption in data traffic.


In the next blog post, we’re going to learn about real-life deployments for APNs, VPNs and Fixed IPs. Together with a guide to finding the best solution for every IoT company.

If you have any questions, don't hesitate to reach us at hacking[at] 1oT.com.

THIS MONTH AT 1oT

Stay up-to-date with IoT cellular connectivity topics.

Subscribe to a once-a-month email newsletter. No spam.
This website uses cookies to ensure you get the best experience on our website. Learn more