How to Access a Teltonika Router Behind CGN with Cloudflare Tunnel

Setting up remote access to a device on a 4G or 5G mobile network can be incredibly frustrating. I recently went through this exact process with a Teltonika RUTC50 router and wanted to document the entire journey. Initially I thought it wasn't possible, since I saw many questions but no answers. Teltonika engineers even said it wasn't possible.

This isn't a perfect, polished tutorial. It's a real-world log of what worked, what didn't, and the final, correct steps required to get a stable, secure connection to a device behind a mobile carrier's restrictive firewall. We'll start with the obvious (but wrong) approach and end with the modern, correct solution.

What We'll End Up With

  • Secure, public access to the Teltonika router's web interface from outside its local network, using a custom domain (https://router.domain.com).
  • A stable connection that works even though the mobile carrier blocks all incoming traffic (a problem known as Carrier-Grade NAT or CGN).
  • A persistent service on the router that automatically starts the tunnel on boot.

Part 1: The Failed DDNS Approach

The first logical step was to use Dynamic DNS (DDNS). The router gets a public IP, and the DDNS service points a domain name to it. Simple, right?

Not so much. Even with the correct IP address in Cloudflare, their servers couldn't reach the router, resulting in an Error 523 "Origin is unreachable". This is the classic symptom of Carrier-Grade NAT (CGN): your mobile carrier puts you behind a public IP that is shared with other subscribers, and its firewall blocks all incoming connections.

Conclusion: Dynamic DNS cannot work if the carrier blocks incoming traffic.

Part 2: The Correct Solution - Cloudflare Tunnel

A Cloudflare Tunnel solves the CGN problem by creating a secure outbound connection from your router to Cloudflare's network. Since this connection is initiated from inside your network, the carrier's firewall allows it. Cloudflare then routes all incoming traffic for your domain through this secure tunnel.

Here are the final, correct steps to set this up on a Teltonika RUTC50.

Step 1: Create and Configure the Tunnel in Cloudflare

  1. Navigate to the Cloudflare Zero Trust Dashboard.
  2. Go to Access > Tunnels and click "Create a tunnel".
  3. Choose "Cloudflared" as the connector type and save the tunnel with a name (e.g., rutc50).
  4. You'll be prompted to install a connector. We will do this manually, so move to the next step where you configure the Public Hostname.
  5. Add a public hostname to route traffic to your router's web interface:
    • Subdomain: router
    • Domain: domain.com
    • Service > Type: HTTP
    • Service > URL: localhost:80
  6. Save the public hostname configuration.

Step 2: Install cloudflared on the Router (via SSH)

Your Teltonika router runs RutOS, an embedded system where core directories are read-only. Commands like apt-get and sudo do not exist. We must install the program manually in a writable location.

  1. SSH into your router as the root user.
  2. Navigate to the writable home directory:
    cd /root
  3. Download the correct cloudflared binary for the router's ARM64 architecture:
    wget -O cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64
  4. Make the downloaded file executable:
    chmod +x cloudflared
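
The download in step 3 takes whatever "latest" is at that moment and runs it as root without an integrity check. The script below is an added example, not part of the original post: it pins one release and refuses to install the binary unless its SHA-256 matches. The function names, the version tag and the digest are placeholders or assumptions, and it assumes sha256sum is available on the router and that you copy the expected digest from the checksums published for the release you pin.

```shell
#!/bin/sh
# Added example (not from the original post): pin one cloudflared release and
# verify its SHA-256 before the file is made executable.
# Both values are placeholders; fill them in from the release you choose.
CLOUDFLARED_VERSION="<PINNED_RELEASE_TAG>"
EXPECTED_SHA256="<SHA256_PUBLISHED_FOR_THAT_RELEASE>"
URL="https://github.com/cloudflare/cloudflared/releases/download/${CLOUDFLARED_VERSION}/cloudflared-linux-arm64"

# Return 0 only if FILE hashes to EXPECTED.
# Return 2 for a malformed digest (e.g. an unfilled placeholder), 3 for an unreadable file.
verify_sha256() {
    file="$1"; expected="$2"
    case "$expected" in
        ""|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] && [ -r "$file" ] || return 3
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ -n "$actual" ] || return 3
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Download under a temporary name, verify, then move into place.
# An unverified file is never made executable and is deleted on mismatch.
install_cloudflared() {
    dest="$1"; url="$2"; expected="$3"
    tmp="${dest}.download"
    wget -q -O "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    if verify_sha256 "$tmp" "$expected"; then
        chmod 0700 "$tmp" && mv "$tmp" "$dest"
    else
        echo "checksum check failed for $url, refusing to install" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Only touches the network when invoked as: sh <this-script> install
if [ "${1:-}" = "install" ]; then
    install_cloudflared /root/cloudflared "$URL" "$EXPECTED_SHA256"
fi
```

Re-run it with a new tag and digest when you want to upgrade, since the service below starts cloudflared with --no-autoupdate.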

Step 3: Create and Start the Service

The final step is to create a service script that runs the tunnel and ensures it starts automatically when the router boots.

  1. Create the service script file using the vi text editor.

    vi /etc/init.d/cloudflared
  2. Paste the script content. Press i to enter "INSERT" mode, then paste the script below.

    • Important: You must replace <YOUR_TUNNEL_ID> with your actual Tunnel ID. You can find this on the main Tunnels page in the Cloudflare dashboard.
    #!/bin/sh /etc/rc.common
    
    USE_PROCD=1
    START=99
    
    start_service() {
        procd_open_instance
        procd_set_param command /root/cloudflared --no-autoupdate tunnel run --token "<YOUR_TUNNEL_ID>"
        procd_set_param respawn
        procd_close_instance
    }
  3. Save and quit vi. Press Esc, then type :wq and press Enter.

  4. Make the new service script executable.

    chmod +x /etc/init.d/cloudflared
  5. Enable and Start the Service. The enable command makes it start on boot, and the start command runs it immediately.

    /etc/init.d/cloudflared enable
    /etc/init.d/cloudflared start

Step 4: Verification

The tunnel should now be active. You can verify this by running logread | grep cloudflared on your router and by checking that the tunnel status is "HEALTHY" in your Cloudflare dashboard. Cloudflare will also have automatically created the necessary CNAME DNS record for you.

You can now access your router's web interface securely from anywhere via https://router.domain.com.
