What is an IoT VPN
Quick definition
An IoT VPN is an encrypted tunnel between the carrier's exit point for your traffic and your own infrastructure. It lets devices on the cellular network reach private servers without that traffic being exposed on the public internet. Typical options are IPSec, WireGuard, and L2TP/IPSec.
VPN vs private APN
The private APN gives the IP plan and a controlled exit point. The VPN gives encryption, integrity and peer authentication on the hop from that exit point to your DC. The usual stack is both: private APN + IPSec to your firewall, with the tunnel's traffic selectors and the firewall policy limited to the APN pool on one side and to the servers the devices actually need on the other.
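What "private APN + IPSec to your firewall" looks like once the tunnel is up is a policy question: which flows may cross it. The following is an added example, not code from the page or from any carrier, of a first-match firewall policy for the DC side of the tunnel plus a check that the IPSec traffic selectors are no wider than the APN pool and the DC subnet. Every prefix, host and port (10.99.0.0/16, 10.20.0.0/24, the broker, NTP and jump-host addresses) is an assumption made up for illustration.

```python
"""Added example, not code from the original page: a least-privilege policy for
the DC firewall that terminates the carrier IPSec tunnel, plus a check that the
tunnel's traffic selectors are no wider than the APN pool and the DC subnet.
Every prefix, host and port below is an assumption made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

APN_POOL = ip_network("10.99.0.0/16")    # assumed private-APN address plan (device side)
DC_SUBNET = ip_network("10.20.0.0/24")   # assumed subnet behind the DC firewall
ANY = ip_network("0.0.0.0/0")

MQTT_BROKER = ip_network("10.20.0.10/32")  # assumed broker, MQTT over TLS only
NTP_SERVER = ip_network("10.20.0.11/32")   # assumed time source for the fleet
JUMP_HOST = ip_network("10.20.0.5/32")     # assumed management host allowed to reach devices


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


# Rules are evaluated top to bottom; the first match wins and the last rule
# drops everything else that crosses the tunnel.
POLICY = [
    Rule(APN_POOL, MQTT_BROKER, "tcp", 8883, "allow"),  # devices -> broker, TLS only
    Rule(APN_POOL, NTP_SERVER, "udp", 123, "allow"),    # devices -> NTP
    # Server-initiated access to a device. This only works as a firewall rule
    # because each SIM keeps a static private IP inside APN_POOL.
    Rule(JUMP_HOST, APN_POOL, "tcp", 22, "allow"),
    Rule(ANY, ANY, "any", None, "deny"),
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action the policy takes for one flow crossing the tunnel."""
    s, d = ip_address(src), ip_address(dst)
    for rule in POLICY:
        if (s in rule.src and d in rule.dst
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule.action
    return "deny"  # defensive default if the policy ever lacks a catch-all


def check_child_sa(local_ts: str, remote_ts: str) -> list:
    """Flag IPSec traffic selectors wider than the DC subnet (local side) or
    the APN pool (remote side). A 0.0.0.0/0 selector would let the carrier
    route any traffic into the DC, or any DC host out to the devices."""
    problems = []
    if not ip_network(local_ts).subnet_of(DC_SUBNET):
        problems.append(f"local_ts {local_ts} exposes more than {DC_SUBNET}")
    if not ip_network(remote_ts).subnet_of(APN_POOL):
        problems.append(f"remote_ts {remote_ts} accepts sources outside {APN_POOL}")
    return problems


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    for flow in [("10.99.3.7", "10.20.0.10", "tcp", 8883),
                 ("10.99.3.7", "10.20.0.10", "tcp", 1883),   # plaintext MQTT: dropped
                 ("10.99.3.7", "10.20.0.5", "tcp", 22),      # device -> jump host: dropped
                 ("10.20.0.5", "10.99.3.7", "tcp", 22)]:     # jump host -> device: allowed
        print(flow, "->", evaluate(*flow))
    print(check_child_sa("0.0.0.0/0", "10.99.0.0/16"))
```

The two checks are independent: the selector check keeps the tunnel itself narrow, the policy decides which of the flows the tunnel admits may actually reach a server. The jump-host rule is the reason the "static-IP SIM" entry below matters: without a stable device address there is nothing for that rule to name.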
Which VPN to pick
IPSec remains the enterprise standard (IKEv2 works with any serious firewall; prefer certificate or strong pre-shared-key authentication and current cipher suites). WireGuard wins where you want simplicity and performance (a small code base, a fixed set of modern ciphers, little per-packet overhead), provided both the carrier and your firewall can terminate it. L2TP/IPSec is fading out and only shows up in legacy systems; the L2TP layer adds no security of its own, the IPSec transport underneath does all the work.
FAQ
Does the device encrypt or only the carrier?
The carrier encrypts. The device pushes traffic through the private APN and the carrier wraps it in the tunnel to your DC. The cellular air interface has its own encryption, but that ends inside the carrier's network, so the carrier sees the traffic in clear before it enters the tunnel. For end-to-end protection from the device itself, use TLS or a device-side VPN.
How much latency does the VPN add?
Typically 5-30 ms within Europe, 80-150 ms across continents. Distance dominates, not the crypto.
Related terms
What is a private APN
A private APN is a mobile network access point dedicated to a single company or project. Your IoT traffic is never handed off to the public internet at the carrier: it exits the carrier straight to your data center over a private tunnel, with your own IP plan, firewall rules, and routing.
What is a static-IP IoT SIM
A static-IP SIM is an IoT card the carrier always assigns the same IP address to, instead of a different dynamic IP per session. It can be public (reachable from the internet) or private (reachable only from your private APN or VPN). It is essential whenever a server needs to initiate the connection to the device, since the firewall rule or the client has to name a stable address. A public static IP makes the device reachable by anyone on the internet, so it needs its own firewall; for most fleets the private variant behind the APN and VPN is the safer default.
What is MQTT
MQTT (originally short for MQ Telemetry Transport, though the name is no longer expanded in the OASIS standard) is a very lightweight publish/subscribe protocol designed for devices with little CPU, little RAM, and flaky links. It works against a central broker (Mosquitto, HiveMQ, EMQX, AWS IoT Core) and carries a large share of modern industrial IoT traffic. Plain MQTT on port 1883 sends credentials and payloads in clear, so outside a VPN use MQTT over TLS on port 8883, ideally with per-device client certificates.
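To make the "use TLS" advice concrete, here is an added example, not code from the page or from any broker vendor, that builds an MQTT 3.1.1 CONNECT packet by hand and parses it back the way anyone on the path between device and broker could on plain port 1883: the username and password sit in the packet as readable strings. The last function builds the client-side TLS settings for port 8883 with Python's standard `ssl` module. The client id, credentials and file-path arguments are constructed for illustration.

```python
"""Added example, not code from the original page or any broker vendor: an
MQTT 3.1.1 CONNECT packet built by hand, then parsed back the way an on-path
observer could on plain port 1883, plus the TLS settings for port 8883.
Credentials and names are constructed for illustration.
"""
import ssl
import struct


def _encode_str(s: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length prefix, then the bytes."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def encode_remaining_length(n: int) -> bytes:
    """Variable-length integer of the fixed header: 7 bits per byte, high
    bit set on every byte except the last."""
    out = bytearray()
    while True:
        digit = n % 128
        n //= 128
        if n:
            digit |= 0x80
        out.append(digit)
        if not n:
            return bytes(out)


def build_connect(client_id: str, username: str = None, password: str = None,
                  keepalive: int = 60, clean_session: bool = True) -> bytes:
    """Serialise a CONNECT packet (MQTT 3.1.1, protocol level 4)."""
    flags = 0x02 if clean_session else 0x00
    payload = _encode_str(client_id)
    if username is not None:
        flags |= 0x80
        payload += _encode_str(username)
    if password is not None:
        if username is None:
            raise ValueError("MQTT 3.1.1 requires a username when a password is sent")
        flags |= 0x40
        payload += _encode_str(password)
    variable_header = _encode_str("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive)
    body = variable_header + payload
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


def parse_connect(packet: bytes) -> dict:
    """Pull the fields, credentials included, out of a raw CONNECT packet."""
    if packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    pos, multiplier, remaining = 1, 1, 0
    while True:
        byte = packet[pos]
        pos += 1
        remaining += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            break
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")
    body = packet[pos:pos + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    cursor = 0

    def take_bytes() -> bytes:
        nonlocal cursor
        (length,) = struct.unpack_from("!H", body, cursor)
        cursor += 2
        chunk = body[cursor:cursor + length]
        cursor += length
        return chunk

    if take_bytes() != b"MQTT":
        raise ValueError("unexpected protocol name")
    level, flags = body[cursor], body[cursor + 1]
    (keepalive,) = struct.unpack_from("!H", body, cursor + 2)
    cursor += 4
    info = {"level": level, "keepalive": keepalive,
            "clean_session": bool(flags & 0x02),
            "client_id": take_bytes().decode("utf-8")}
    if flags & 0x04:  # will flag: topic is a string, message is raw bytes
        info["will_topic"] = take_bytes().decode("utf-8")
        info["will_message"] = take_bytes()
    if flags & 0x80:
        info["username"] = take_bytes().decode("utf-8")
    if flags & 0x40:
        info["password"] = take_bytes().decode("utf-8")
    return info


def broker_tls_context(ca_file: str = None, client_cert: str = None,
                       client_key: str = None) -> ssl.SSLContext:
    """Client-side TLS for port 8883: verify the broker certificate and
    hostname, refuse anything below TLS 1.2 and, when a per-device
    certificate is given, present it for mutual TLS. Paths are the caller's
    (assumed); nothing is read when they are left at None."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert is not None:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


if __name__ == "__main__":
    pkt = build_connect("sensor-0042", "plant-a", "hunter2", keepalive=30)  # constructed
    print(pkt.hex())
    print(parse_connect(pkt))
```

Wrap the socket with `broker_tls_context(...).wrap_socket(sock, server_hostname=<broker name>)` before sending the packet; the same bytes then travel inside TLS and `parse_connect` is only possible at the two ends.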