Teltonika Pi Hat + SIMSY + Cloudflare — Connected Pi anywhere | SIMSY Developers
SIMSY/developers
Back to tools
Pi Hat + SIMSY + Cloudflare

A Raspberry Pi that's reachable anywhere

Three components, one outcome: a Raspberry Pi that lives on cellular, joins the SIMSY network, and is reachable through Cloudflare Access with your existing SSO. No port forwarding, no DDNS, no Tailscale, no public exposure of the device.

Order a starter kit Visit the shop
The stack

Three pieces, one private path

Teltonika Pi Hat

Snaps onto a Raspberry Pi 4 or 5 over GPIO. Adds an LTE modem, SIM slot, and managed power. Pre-flashed with a SIMSY-aware build.

SIMSY SIM

Connects the Hat to the SIMSY core. Identity at the network layer, default-deny external access, multi-network failover, all the same primitives as a full router.

Cloudflare Tunnel + Access

cloudflared running on the Pi creates an outbound-only tunnel. Cloudflare Access enforces SSO for incoming traffic. Your Pi is reachable through your IdP — no inbound ports, ever.

Why this combination

Each layer does one job, well

SIMSY handles the network. Identity, routing, default-deny, monitoring, multi-network failover. The Pi is on cellular but treated like a member of your private estate.

Cloudflare handles the access. cloudflared on the Pi opens an outbound-only tunnel. Cloudflare Access enforces who can reach the Pi — sit it behind Google Workspace, Okta, GitHub, whatever you already use for SSO. Inbound is impossible without a valid session.

The Pi handles the workload. Run whatever you'd normally run — SSH, a web UI, an inference server, Home Assistant, a custom service. None of it is on the public internet at any point.

Quickstart

From boxed Pi to remote-accessible

The starter kit ships pre-flashed. If you're rolling your own, the steps below are the whole story.

1. Mount the Hat and insert the SIMSY SIM

The Hat snaps onto the GPIO. Slide the SIMSY SIM into the SIM slot on the Hat. Power the Pi.

2. Confirm the cellular interface is up

terminal — on the Pi
$ ip addr show wwan0
3: wwan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
   inet 10.42.7.1/30 ...

# Verify the SIM has come up on the SIMSY network
$ curl https://api.s-imsy.com/api/v1/endpoints/{id}/status \
  -H "Authorization: Bearer $SIMSY_TOKEN"

3. Install cloudflared and create the tunnel

terminal — on the Pi
$ curl -L https://pkg.cloudflare.com/install.sh | sudo bash
$ sudo apt install cloudflared

$ cloudflared tunnel login                # one-time, in your browser
$ cloudflared tunnel create pi-lab-01
$ cloudflared tunnel route dns pi-lab-01 pi-lab-01.your-domain.com

$ cloudflared tunnel run pi-lab-01 &

4. Add Access policy in Cloudflare

In the Cloudflare Zero Trust dashboard, add an Access application for pi-lab-01.your-domain.com with a policy bound to your IdP. From now on, hitting that hostname forces SSO. The Pi never sees an unauthenticated request.

What it's good for

Where this combination wins

Edge ML / inference nodes you SSH into from anywhere
On-device data collection for industrial pilots
Remote labs and developer test rigs
Demonstration kits for partner pitches
Pop-up networks at events with managed access controls
Temporary site monitoring with a single Pi as the gateway
Shop the family

Three Pi Hats, one workflow

Teltonika's Calyx family. Same form factor across all three — drops onto a Pi 4 or Pi 5. Difference is the radio.

4G LTE Cat 4

Calyx EBD021

The entry — 4G connectivity for any Pi-based project. Cheapest path to a managed cellular Pi.

£49 ex VAT
5G RedCap

Calyx EBD070

IoT-tuned 5G. Lower power, lower cost than full 5G. The middle ground for sensor and control workloads.

£159 ex VAT
Full 5G Sub-6

Calyx EBD050

Flagship — full 5G throughput. For edge AI, HD video, anywhere you want a Pi pushing real bandwidth.

£259 ex VAT

Order a Pi Hat starter kit

Pre-flashed Pi, Hat, SIMSY SIM with credit, and a quickstart guide. Or BYO and we'll just send the SIM.

Shop Pi Hats Talk to us