How to Access a Teltonika Router Behind CGN with Cloudflare Tunnel
Setting up remote access to a device on a 4G or 5G mobile network can be incredibly frustrating. I recently went through this exact process with a Teltonika RUTC50 router and wanted to document the entire journey. Initially I thought it wasn't possible, since I saw many questions but no answers. Teltonika engineers even said it wasn't possible.
This isn't a perfect, polished tutorial. It's a real-world log of what worked, what didn't, and the final, correct steps required to get a stable, secure connection to a device behind a mobile carrier's restrictive firewall. We'll start with the obvious (but wrong) approach and end with the modern, correct solution.
What We'll End Up With
- Secure, public access to the Teltonika router's web interface using a custom domain (https://router.domain.com) outside its local network.
- A stable connection that works even though the mobile carrier blocks all incoming traffic (a problem known as Carrier-Grade NAT or CGN).
- A persistent service on the router that automatically starts the tunnel on boot.
Part 1: The Failed DDNS Approach
The first logical step was to use Dynamic DNS (DDNS). The router gets a public IP, and the DDNS service points a domain name to it. Simple, right?
Not so much. Even with the correct IP address in Cloudflare, their servers couldn't reach the router, resulting in an Error 523 "Origin is unreachable". This is the classic symptom of Carrier-Grade NAT (CGN). Your mobile carrier gives you a shared public IP and its firewall blocks all incoming connections.
Conclusion: Dynamic DNS cannot work if the carrier blocks incoming traffic.
Part 2: The Correct Solution - Cloudflare Tunnel
A Cloudflare Tunnel solves the CGN problem by creating a secure outbound connection from your router to Cloudflare's network. Since this connection is initiated from inside your network, the carrier's firewall allows it. Cloudflare then routes all incoming traffic for your domain through this secure tunnel.
Here are the final, correct steps to set this up on a Teltonika RUTC50.
Step 1: Create and Configure the Tunnel in Cloudflare
- Navigate to the Cloudflare Zero Trust Dashboard.
- Go to Access > Tunnels and click "Create a tunnel".
- Choose "Cloudflared" as the connector type and save the tunnel with a name (e.g., rutc50).
- You'll be prompted to install a connector. We will do this manually, so move to the next step where you configure the Public Hostname.
- Add a public hostname to route traffic to your router's web interface:
  - Subdomain: router
  - Domain: domain.com
  - Service > Type: HTTP
  - Service > URL: localhost:80
- Save the public hostname configuration.
Step 2: Install cloudflared on the Router (via SSH)
Your Teltonika router runs RutOS, an embedded system where core directories are read-only. Commands like apt-get and sudo do not exist. We must install the program manually in a writable location.
- SSH into your router as the root user.
- Navigate to the writable home directory:
    cd /root
- Download the correct cloudflared binary for the router's ARM64 architecture:
    wget -O cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64
- Make the downloaded file executable:
    chmod +x cloudflared
Step 3: Create and Start the Service
The final step is to create a service script that runs the tunnel and ensures it starts automatically when the router boots.
Create the service script file using the vi text editor.
    vi /etc/init.d/cloudflared
Paste the script content. Press i to enter "INSERT" mode, then paste the script below.
- Important: You must replace <YOUR_TUNNEL_ID> with your actual Tunnel ID. You can find this on the main Tunnels page in the Cloudflare dashboard.

    #!/bin/sh /etc/rc.common
    # procd-managed service that runs the Cloudflare Tunnel connector
    USE_PROCD=1
    # Start late in the boot sequence
    START=99

    start_service() {
        procd_open_instance
        procd_set_param command /root/cloudflared --no-autoupdate tunnel run --token "<YOUR_TUNNEL_ID>"
        # Restart cloudflared automatically if it exits
        procd_set_param respawn
        procd_close_instance
    }

Save and quit vi. Press Esc, then type :wq and press Enter.
Make the new service script executable.
    chmod +x /etc/init.d/cloudflared
Enable and Start the Service. The enable command makes it start on boot, and the start command runs it immediately.
    /etc/init.d/cloudflared enable
    /etc/init.d/cloudflared start
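
A variant of the Step 3 service script, added here as an example and not part of the original write-up: the value the script above passes to --token is instead read from a root-only file and handed to cloudflared through its TUNNEL_TOKEN environment variable, so it appears neither in the process list nor in /etc/init.d/cloudflared. The file path /root/cloudflared.token and the helper token_file_ok are assumptions made for this illustration.

```shell
#!/bin/sh /etc/rc.common
# Added example (not the original post's script): same procd service, but the
# tunnel credential is kept out of the command line and out of this file.

USE_PROCD=1
START=99

# Assumed location of the credential. Create it as root with a restrictive
# umask, e.g.:  umask 077; vi /root/cloudflared.token
TOKEN_FILE="${TOKEN_FILE:-/root/cloudflared.token}"

# Succeeds only if the file exists, is non-empty and grants no permissions
# to group or others (characters 5-10 of the ls mode string are all "-").
token_file_ok() {
    [ -s "$1" ] || return 1
    case "$(ls -ln "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

start_service() {
    # Refuse to start rather than run with a credential others can read.
    if ! token_file_ok "$TOKEN_FILE"; then
        echo "cloudflared: $TOKEN_FILE missing, empty or not mode 600" >&2
        return 1
    fi
    procd_open_instance
    # No --token argument: command-line arguments are visible to every local
    # process via ps, while a process's environment is not.
    procd_set_param command /root/cloudflared --no-autoupdate tunnel run
    procd_set_param env TUNNEL_TOKEN="$(cat "$TOKEN_FILE")"
    procd_set_param respawn
    # Forward the process's stderr to the system log read by logread.
    procd_set_param stderr 1
    procd_close_instance
}
```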
Step 4: Verification
The tunnel should be active. You can verify this by running logread | grep cloudflared on your router and by checking that the tunnel status is "HEALTHY" in your Cloudflare dashboard. Cloudflare will have also automatically created the necessary CNAME DNS record for you.
You can now access your router's web interface securely from anywhere via https://router.domain.com.