Remote access via SSH tunneling
In many deployments, the Charge Controller resides on a segregated network (for example, behind a local Ethernet switch and 4G modem) separate from a corporate or VPN network. This network isolation can make it challenging to access the Charge Controller's Dashboard directly.
This guide covers methods to access your Charge Controller remotely when direct connections are not possible due to network restrictions such as NAT (Network Address Translation) or Carrier-grade NAT (CGN).
1. Common connectivity challenges
Several network scenarios can prevent direct access to your Charge Controller:
- Multiple NAT layers: When the Charge Controller is behind both a router NAT and a carrier-grade NAT (common with GSM/cellular connections)
- No public IP address: When your internet service provider doesn't assign a public IP to your connection
- Firewall restrictions: When network policies block incoming connections
- Network segmentation: When the Charge Controller is on an isolated network segment
2. Using the built-in SSH tunneling capability
The Charge Controller includes built-in SSH tunneling capabilities that allow it to establish an outbound connection to a publicly accessible SSH server. This creates a secure tunnel that allows you to connect back to the Charge Controller through the server, bypassing NAT and firewall restrictions.
2.1. How it works
- The Charge Controller initiates an outbound SSH connection to your SSH server
- This connection establishes a reverse tunnel that maps ports on your SSH server to services on the Charge Controller
- You can then connect to these mapped ports on your SSH server to access the Charge Controller
The Charge Controller provides two built-in scripts:
custom_script1.sh contents
charge@~$ cat custom_script1.sh
#!/bin/sh
rip='((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}'
rdm='([a-z][a-z0-9-]*\.)+[a-z0-9][a-z0-9-]+$'
run='^[a-z0-9_-]+'
if echo $1 | grep -Eiq "$run\@($rdm|$rip)"
then
logger Ebee custom script invoked with parameter $1
ssh $1 -R 1111:localhost:22 -y -N -f -i /home/charge/.ssh/id_rsa &
logger Ebee custom script invocation completed
else
logger Ebee custom script not invoked: Argument does not match user@domain
fi
custom_script2.sh contents
charge@~$ cat custom_script2.sh
#!/bin/sh
rip='((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}'
rdm='([a-z][a-z0-9-]*\.)+[a-z0-9][a-z0-9-]+$'
run='^[a-z0-9_-]+'
if echo $1 | grep -Eiq "$run\@($rdm|$rip)"
then
logger Ebee custom script invoked with parameter $1
ssh $1 -R 1112:localhost:80 -y -N -f -i /home/charge/.ssh/id_rsa &
logger Ebee custom script invocation completed
else
logger Ebee custom script not invoked: Argument does not match user@domain
fi
2.2. Requirements
- A publicly accessible SSH server
- The Charge Controller must have internet access to reach your SSH server
- The Charge Controller's public SSH key must be authorized on your SSH server
- For OCPP-triggered tunneling: An OCPP backend connected to the Charge Controller
2.3. Authentication method
The SSH tunneling feature uses public key authentication, not passwords. The Charge Controller has a pre-generated SSH key pair, and you need to add its public key to the authorized_keys file on your SSH server.
2.4. Activation methods
There are two ways to activate the SSH tunnel:
2.4.1. Through OCPP
If your Charge Controller is connected to an OCPP backend, you can trigger the SSH tunnel by sending a ChangeConfiguration command:
Key: InvokeCustomScript1
Value: username@your-ssh-server.com
For Dashboard access:
Key: InvokeCustomScript2
Value: username@your-ssh-server.com
The OCPP backend and SSH server do not need to be the same system. The OCPP backend is used only to trigger the tunnel, while the SSH server is the endpoint of the tunnel.
2.4.2. Through SSH
2.4.2.1. Prerequisites
- Direct SSH access to the Charge Controller (via USB, LAN, or Ethernet)
- An SSH server accessible from the Charge Controller's network
2.4.2.1.1. Public key setup for authentication
- SSH into the Charge Controller:
ssh charge@<CHARGE_CONTROLLER_IP>
- Get the Charge Controller's public key:
cat /home/charge/.ssh/id_rsa.pub
- Add the public key to your SSH server's
authorized_keysfile
OR run this helper script (replace SSH_SERVER with your SSH server details):
SSH_SERVER="your-username@192.168.0.1" ; HOST=$(echo "$SSH_SERVER" | cut -d@ -f2) ; echo "[*] Pinging SSH server at $HOST..." ; ping -c 2 -W 2 "$HOST" > /dev/null ; if [ $? -ne 0 ]; then echo "[✗] Cannot reach $HOST. Check VPN or network." ; exit 1 ; fi ; echo "[✓] Server reachable. Proceeding with key upload..." ; KEY=$(head -n 2 ~/.ssh/id_rsa | tail -n 1 | cut -d ' ' -f2) ; if [ -z "$KEY" ]; then echo "[!] Failed to extract key from ~/.ssh/id_rsa" ; exit 1 ; fi ; ssh "$SSH_SERVER" "mkdir -p ~/.ssh && echo 'ssh-rsa $KEY' >> ~/.ssh/authorized_keys" && echo "[✓] Key uploaded successfully!" || echo "[✗] SSH connection failed. Check if key is accepted on the server."
This script does the following:
- Checks if the SSH server is reachable
- Extracts the public key from the Charge Controller
- Adds the public key to the SSH server's
authorized_keysfile
Another helper script for extracting the Charge Controller's public key:
dropbearkey -y -f ~/.ssh/id_rsa | grep "^ssh-rsa"
example output:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCNqOyR/bAsG3s/rcj1uf+Zbeyds7DEPX7auaoC6PeJTNqjGhEaq+sxoh5o8Zy3Thy/pPgZTQyufMXVyKzafbqwKtESgYsrXtivCclGjCwsUfqxmdDfHYZEZ3wNMmA424jybSL7fxmmUQh1WLwRQC2hXrjRt0+nHTdUOcOeASLUsfZQW7sjL2YUiIl+UyMg2xpuN+ZBaom7aulwFlRIVWsMmfaxXrYGuclu1W5Vd9B1gdjboNv/Yuu6Wx3zRjCG66GpHDyLw3SiNftSGrDOtCiZA8QTkaCXdvrVhRUGRUzpOY0YoA1XrX1y1asue+LdGbkSEEaj8ui0mfN0LtpEqukh charge@cp
copy from ssh-rsa to the end of the line and add it to your SSH server's authorized_keys file manually. If you do have SSH access, you can use the first script.
If you have direct SSH access to the Charge Controller, you can manually execute the built-in scripts:
- SSH into the Charge Controller:
ssh charge@<CHARGE_CONTROLLER_IP>
- Get the Charge Controller's public key:
cat /home/charge/.ssh/id_rsa.pub
-
Add this public key to your SSH server's
authorized_keysfile -
Execute the SSH tunnel script:
./custom_script1.sh username@your-ssh-server.com
the argument username@your-ssh-server.com needs to be adapted to your environment. username is the user on the SSH server, your-ssh-server.com is the domain or IP address of the SSH server.
./custom_script1.sh username@your-ssh-server.com instructs the Charge Controller to connect to your-ssh-server.com (can be an IPv4 address or domain name) as a user named username. The Charge Controller will then attempt to connect to your SSH server using its private key.
The Charge Controller's DNS lookup is limited. Resolve your SSH server's domain name to an IP address and use that instead. Do note that DNS lookup from within a corporate network might be limited.
For example: 5.tcp.eu.ngrok.io -> manual DNS lookup -> 3.67.161.145
(Your domain) -> manual DNS lookup -> resolved IP address
2.5. For operators: Accessing the Charge Controller remotely
Once the SSH tunnel is established, you can access the Charge Controller through your SSH server:
- For SSH access:
ssh -p 1111 charge@your-ssh-server.com
- For Dashboard access:
http://your-ssh-server.com:1112
3. Troubleshooting SSH tunneling
If you encounter issues with the SSH tunneling feature, here are some common problems and solutions:
3.1. Connection refused or timeout
- Check internet connectivity: Ensure the Charge Controller has internet access
- Verify SSH server configuration: Make sure your SSH server is running and accessible
- Check firewall settings: Ensure your SSH server allows incoming connections on ports 22, 1111, and 1112
- Verify public key authentication: Check that the Charge Controller's public key is correctly added to your SSH server's
authorized_keysfile
3.2. Tunnel disconnects frequently
- Check network stability: Unstable internet connections can cause the tunnel to disconnect
- Increase ServerAliveInterval: The built-in scripts use a 60-second interval, which may need adjustment for some networks
- Check SSH server settings: Some SSH servers have timeout settings that may disconnect inactive sessions
3.3. Cannot access Dashboard through tunnel
- Verify tunnel is established: Check if the SSH process is running on the Charge Controller
- Check port mapping: Ensure port 1112 on your SSH server is correctly mapped to port 80 on the Charge Controller
- Try local port forwarding: If direct access doesn't work, try using SSH local port forwarding as described above
3.4. OCPP command not triggering the tunnel
- Check OCPP connection: Ensure the Charge Controller is connected to the OCPP backend
- Verify command format: Make sure the ChangeConfiguration command uses the correct key and value format
- Check logs: Look for OCPP-related messages in the Charge Controller's logs
4. Frequently Asked Questions
4.1. Do I need an OCPP backend to use SSH tunneling?
No, while the primary intended method is to trigger the tunnel via OCPP, you can also manually execute the built-in scripts if you have direct SSH access to the Charge Controller.
4.2. Can I change the port numbers used by the SSH tunnel?
The port numbers (1111 for SSH, 1112 for Dashboard) are hardcoded in the built-in scripts. If you need different ports, you would need to modify the scripts.
4.3. Is the SSH tunnel secure?
Yes, the SSH tunnel uses industry-standard encryption and public key authentication. However, the security also depends on how well you secure your SSH server and manage the Charge Controller's public key.
4.4. Can I use the SSH tunnel for other services besides SSH and HTTP?
The built-in scripts are configured only for SSH (port 22) and HTTP (port 80). If you need access to other services, you would need to create custom scripts or use additional port forwarding.
4.5. How does the tunnel handle network interruptions?
The built-in scripts include a loop that attempts to reconnect if the connection is lost. The script will wait 60 seconds before attempting to reconnect.
5. Benefits of remote access solutions
Implementing a proper remote access solution offers several advantages:
- Simplified maintenance: Technicians can troubleshoot and update Charge Controllers without on-site visits
- Enhanced security: Properly configured remote access is more secure than opening direct ports
- Flexibility: Works with various network configurations including cellular connections
- Scalability: Can be extended to provide access to multiple Charge Controllers
- Cost-effective: Reduces the need for on-site service calls