Table of Contents
One of the most common questions we get at 5Gstore is some version of: “I set up a 5G or LTE router at a remote site, but my IP address keeps changing. How do I get back in?” It is a completely reasonable problem. US carriers — AT&T, T-Mobile, Verizon, and their MVNOs — assign dynamic IP addresses by default on virtually every data plan. Your router’s public IP can change any time it reconnects, and suddenly the bookmark you saved to reach your remote web camera, NAS, or office PC just stops working.
The good news is that there are several well-established solutions, ranging from free DIY tools to polished cloud platforms built specifically for cellular routers. This post walks through all of them so you can pick the right fit for your situation.
Why Carriers Don’t Give You a Static IP by Default
Carriers manage enormous pools of IP addresses shared across millions of devices. Assigning a permanent IP to every SIM would exhaust that pool quickly, so dynamic addressing is the default. On top of that, many carriers place cellular devices behind Carrier-Grade NAT (CGNAT), which means your router does not even get a true public IP at all — it shares one with dozens or hundreds of other subscribers. That makes traditional inbound connections impossible without some kind of workaround.
Understanding which situation you are in matters. Log into your router and check the WAN IP address it reports. Then visit a site like whatismyip.com from a device on that network. If the two addresses do not match, you are behind CGNAT, and solutions that rely on port forwarding (like basic DDNS) will not work on their own. You will need a VPN, tunnel, or cloud management platform instead.
Option 1: Dynamic DNS (DDNS)
Best for: Sites with a true public dynamic IP (no CGNAT), needing simple inbound access.
Dynamic DNS is the classic solution. A DDNS service gives your router a fixed hostname — something like mysite.ddns.net — and keeps it pointed at whatever IP address your router currently has. Any time your IP changes, a small client running on the router updates the DNS record automatically, usually within seconds to a minute.
How to set it up:
- Create a free account with a DDNS provider. Popular options include No-IP, Dynu, and DuckDNS. Many Peplink, Cradlepoint, and Teltonika routers also have built-in integrations with these services.
- Create a hostname in your DDNS dashboard (e.g., mywarehouse.ddns.net).
- Log into your router’s admin panel and find the DDNS settings (usually under Network or WAN). Enter your provider credentials and hostname.
- Enable port forwarding on the router for whatever service you want to reach — port 80/443 for a web interface, port 22 for SSH, port 3389 for Remote Desktop, etc.
- Test by connecting from an external network using your hostname and port.
The catch: DDNS only works if your router has a real routable public IP. If you are behind CGNAT, port forwarding has nowhere to forward to. In that case, skip ahead to the VPN or tunnel options below.
Option 2: VPN (Tailscale or ZeroTier)
Best for: Any connection type including CGNAT, secure access to the full remote network, multi-site setups.
Modern mesh VPNs like Tailscale and ZeroTier are arguably the cleanest solution for cellular connections because they punch through NAT without requiring any inbound ports to be open. Both work by routing traffic through an encrypted peer-to-peer tunnel, coordinated by a relay server in the cloud. Even behind CGNAT, devices on both ends can reach each other.
Tailscale is built on WireGuard and is extremely easy to set up. It supports Windows, Mac, Linux, iOS, and Android. Many current Peplink and GL.iNet routers support Tailscale natively in their firmware.
How to set up Tailscale:
- Create a free account at tailscale.com. The free tier supports up to 100 devices.
- Install the Tailscale client on the remote machine (or enable it in your router’s firmware if supported).
- Install Tailscale on your laptop, phone, or the device you will connect from.
- Both devices will appear in your Tailscale admin console with stable private IP addresses (in the 100.x.x.x range) that never change regardless of your carrier IP.
- Connect to the remote machine using its Tailscale IP. No port forwarding, no firewall rules needed.
ZeroTier works similarly and is a good alternative if you need more control over the virtual network configuration or are working with devices that do not support Tailscale.
Option 3: Reverse Proxy / Tunnel (Cloudflare Tunnel)
Best for: Exposing web-based services (cameras, dashboards, admin panels) without opening any ports, works through CGNAT.
Cloudflare Tunnel (formerly Argo Tunnel) flips the connection model entirely. Instead of waiting for an inbound connection, a small agent called cloudflared runs on your remote device or router and establishes an outbound connection to Cloudflare’s edge network. Cloudflare then routes traffic from the public internet to your device through that persistent tunnel. Nothing inbound ever touches your router’s firewall.
How to set it up:
- Create a free Cloudflare account at cloudflare.com and add your domain (or use a free Cloudflare Pages subdomain).
- Download and install the cloudflared agent on the remote machine. It is available for Linux, Windows, Mac, and ARM devices like Raspberry Pi.
- Run
cloudflared tunnel loginand authenticate. - Create a tunnel and configure a hostname that points to your local service (e.g., camera.yourdomain.com pointing to https://localhost:8080).
- Start the tunnel. Your service is now reachable at that public URL from anywhere, with no port forwarding required.
Cloudflare Tunnel is particularly useful for exposing IP camera streams, internal dashboards, or web-based router admin pages to authorized users. Combined with Cloudflare Access, you can add SSO authentication in front of any service with no code changes.
Option 4: Router Cloud Management Platforms
Best for: Teams managing 5G/LTE routers at multiple sites who want a purpose-built portal rather than piecing together DIY tools.
If you are already running Peplink, Cradlepoint, Digi, or Teltonika hardware, you may already have access to a cloud management platform that solves the remote access problem as a built-in feature — no DDNS or VPN configuration required. These platforms maintain a persistent cloud connection from each router regardless of IP changes or CGNAT, and provide remote access tools through their web portals.
Peplink InControl2
InControl2 is Peplink’s cloud management platform and is included free for the first year with most Peplink routers, then billed per device annually. Beyond remote router management, InControl2 lets you remotely access devices on the LAN behind each router through its built-in remote web admin and SpeedFusion VPN capabilities. You can also use PepVPN or SpeedFusion to build encrypted tunnels between sites without needing static IPs on either end.
Cradlepoint NetCloud
NetCloud Manager is Cradlepoint’s subscription-based platform and is tightly integrated with their router hardware. It provides remote configuration, diagnostics, and LAN-side access through the NetCloud portal. The platform also supports SD-WAN policies and out-of-band management, making it well-suited for enterprise and fleet deployments where cellular is a primary or failover link.
Digi Remote Manager
Digi Remote Manager supports the full range of Digi cellular routers including the popular IX20, EX15, and TX64. It provides persistent cloud connectivity, remote CLI access, configuration templates, firmware management, and the ability to tunnel into serial and LAN-connected devices behind each router. Particularly useful for industrial and IoT deployments where on-site IT support is not available.
Teltonika RMS
Teltonika Remote Management System is available for all Teltonika RUT and RUTX series routers and offers a compelling free tier for smaller deployments. RMS provides remote router access, LAN device access via a built-in VPN tunnel, SMS management, and fleet-wide configuration push. For cost-conscious deployments with Teltonika hardware, RMS is often the fastest path to reliable remote access without touching DDNS or firewall rules at all.
Option 5: Carrier Static IP Add-On
Best for: Sites where simplicity and reliability are the priority and the budget allows for it.
The most straightforward solution is to simply buy a static IP from your carrier. AT&T, T-Mobile for Business, and Verizon all offer static IP add-ons on business plans, typically for $5 to $15 per line per month. Some MVNOs like Wireless Guardian also offer static IP SIMs.
With a true static IP in hand, standard port forwarding works reliably. Set up your forwarding rules once and they stay valid indefinitely. There is no client software to maintain, no third-party service dependency, and no NAT traversal complexity.
The main limitation is cost at scale. If you are managing dozens or hundreds of remote sites, per-line static IP fees add up quickly, which is where the cloud management and VPN options above start to make more financial sense.
Which Option is Right for You?
| Situation | Best Option |
|---|---|
| True public dynamic IP, basic inbound access needed | DDNS + port forwarding |
| Behind CGNAT, need full network access | Tailscale or ZeroTier |
| Exposing a web service through CGNAT | Cloudflare Tunnel |
| Already on Peplink, Cradlepoint, Digi, or Teltonika | Use the native cloud platform |
| Need simplicity and have the budget | Carrier static IP add-on |
| Managing many sites at scale | Cloud management platform + VPN |
In practice, many deployments combine approaches. For example, a Peplink router managed through InControl2 for remote administration, with Tailscale installed on a local server for full LAN access, is a very capable and resilient setup that works through virtually any carrier configuration.
FAQ
Does my carrier support static IPs? AT&T, T-Mobile, and Verizon all offer static IP as a business plan add-on. Coverage and pricing vary. Contact your carrier’s business sales team or reach out to us and we can point you in the right direction.
How do I know if I am behind CGNAT? Log into your router admin page and note the WAN IP it shows. Then visit whatismyip.com from a device on that network. If the IPs do not match, you are behind CGNAT.
Is Tailscale free? Yes, the personal/hobbyist tier supports up to 100 devices at no cost. Paid plans add user management, access controls, and higher device limits.
Does Cloudflare Tunnel work on a Raspberry Pi or embedded Linux device? Yes. The cloudflared agent has ARM builds that run well on Raspberry Pi and similar single-board computers often used at remote monitoring sites.
Can I use DDNS on a Peplink or Cradlepoint router? Most Peplink and Cradlepoint routers have built-in DDNS client support. Check the WAN or DNS settings in your router’s admin panel for supported providers.
What if I need both remote router management and LAN device access? The cloud management platforms (InControl2, NetCloud, Digi RM, Teltonika RMS) handle both. For DIY setups, combine a VPN like Tailscale with a subnet router configuration to expose the full remote LAN.
5Gstore Take
Remote access on a cellular connection is a solvable problem regardless of whether your carrier gives you a static IP or buries you behind CGNAT. The right approach depends on your hardware, budget, and how much you want to manage yourself. If you are running Peplink, Cradlepoint, Digi, or Teltonika equipment, you likely already have access to a cloud platform that handles most of this for you.
If you are not sure which path fits your situation, contact us at 5Gstore and we are happy to walk through it with you. We have been helping customers solve exactly this kind of connectivity challenge for over 15 years.
