Remote access via reverse tunneling
In some deployments, the Charge Controller resides on a segregated network—often behind a local Ethernet switch and 4G router — with no direct access from the outside. This can pose a challenge for remote diagnostics and maintenance when using the Config UI or SSH.
This guide explains how to establish remote access via a secure reverse tunnel. The tunnel is created from the Charge Controller itself and links back to your own Server, enabling access through restrictive networks (e.g. NAT, CG-NAT, firewalls).
Reverse tunneling should only be used as a fallback when every other option has been exhausted. It is by no means a reliable, long-term solution.
1. Common connectivity challenges
Your Charge Controller may be unreachable due to:
- Multiple NAT layers: Cellular or router-based NAT, or both
- No public IP address: Common with mobile internet providers
- Firewall restrictions: Prevent incoming connections
- Isolated sub-nets: Devices are isolated from office networks or VPNs
2. Tunneling feature overview
The Charge Controller includes built-in reverse tunneling capabilities that allow it to establish an outbound connection to a publicly accessible Server. This creates a secure tunnel that allows you to connect back to the Charge Controller through the server, bypassing NAT and firewall restrictions.
2.1. How it works
- The Charge Controller initiates an outbound SSH connection to your server
- This connection establishes a reverse tunnel that maps ports on your server to services on the Charge Controller
- You can then connect to these mapped ports on your server to access the Charge Controller
2.2. Tunnel options
These ports are fixed. Changing ports requires firmware modification and is not supported.
3. Activation
If your Charge Controller is connected to an OCPP Backend, you can trigger script execution remotely using the OCPP ChangeConfiguration.req command.
3.0.1. Requirements
3.0.2. Retrieve the SSH key and add it to your tunneling server
- The
SSHClientKeykey under the OCPP configuration (GetConfiguration) contains the public SSH key - Add this key to your server’s
authorized_keysfile
3.0.3. Trigger the tunnel
Run a ChangeConfiguration request with the following body:
Payload example:
{
"name": "INVOKECUSTOMSCRIPT1",
"value": "your-username@192.168.0.1"
}
A ChangeRequest can be run through most OCPP Backends by changing the value of the configuration key inside the Backend dashboard.
Replace:
INVOKECUSTOMSCRIPT1withINVOKECUSTOMSCRIPT2to create a Config UI tunnel instead.- your-username@192.168.0.1 with your tunneling server details
Only one tunnel can be run at a time
3.0.4. Troubleshooting
If the OCPP command went through, you will get a response like this back (may differ between OCPP Backends):
Change request send to charger!
3.0.5. Limitations and considerations
-
Hardcoded port mappings
custom_script1.shmaps remote port 1111 to the Charge Controller’s port 22 (SSH)custom_script2.shmaps remote port 1112 to port 80 (Config UI)- These values are fixed and can't be changed
- This means your server needs to reserve ports 1111 and 1112 for tunneling
-
No result feedback through OCPP
- Script success or failure isn't communicated back via
ChangeConfiguration - Users must manually verify tunnel functionality (e.g. by attempting to connect to port 1111)
- Script success or failure isn't communicated back via
- Reliance on correct DNS resolution
- DNS may fail in cellular or captive network environments
- Using raw IP addresses is recommended to avoid silent failures
4. Accessing the tunnel
Once established, you can reach the Charge Controller from your local machine through the external Server:
SSH access
ssh -p 1111 your-username@your-ssh-server.com
Config UI access
http://your-ssh-server.com:1112
5. Troubleshooting
Once you've got direct access to the Charge Controller, you can either
a) Check the log in in the Config UI under Diagnostics > User Logs (put ocpp in the search field and click Apply) or
b) Check the log through SSH
If you encounter issues with the tunneling, here are some common problems and solutions:
5.1. Tunnel not created
- Confirm the controller has internet access
- Confirm the server is reachable and the public key is authorized
- Confirm the
valuestring matchesusername@host
5.2. OCPP not triggering the script
- Ensure the controller is connected to the OCPP Backend
- Check controller logs for execution messages
- Do note that the OCPP Backend won't produce any logs related to the tunneling procedure
5.3. Tunnel drops intermittently
- Some routers may close idle ports; use
ServerAliveIntervalon your server
6. Frequently Asked Questions
6.1. Do I need an OCPP backend to use tunneling?
Yes.
6.2. Can I change the port numbers used by the reverse tunnel?
No.
6.3. Is the reverse tunnel secure?
Yes, the reverse tunnel uses industry-standard encryption and public key authentication. However, the security also depends on how well you secure your Server and manage the Charge Controller's public key.
6.4. Can I use the reverse tunnel for other services besides SSH and HTTP?
The built-in scripts are configured only for SSH (port 22) and HTTP (port 80). If you need access to other services, you would need to create custom scripts or use additional port forwarding.
6.5. How does the tunnel handle network interruptions?
The connection needs to be established manually after an interruption. There is no notification on an interrupted connection.