Remote access/reverse proxy
In many deployments, the Charge Controller resides on a segregated network (for example, behind a local Ethernet switch and 4G modem) separate from a corporate or VPN network. This network isolation can make it challenging to access the Charge Controller's web interface directly.
This guide covers methods to access your Charge Controller remotely when direct connections are not possible due to network restrictions such as NAT (Network Address Translation) or Carrier-grade NAT (CGN).
1. Common connectivity challenges
Several network scenarios can prevent direct access to your Charge Controller:
- Multiple NAT layers: When the Charge Controller is behind both a router NAT and a carrier-grade NAT (common with GSM/cellular connections)
- No public IP address: When your internet service provider doesn't assign a public IP to your connection
- Firewall restrictions: When network policies block incoming connections
- Network segmentation: When the Charge Controller is on an isolated network segment
2. Using the built-in remote access script
The Charge Controller provides a pre-made script (invoke_custom_script_1
) that can establish a connection to a proxy server, creating an access path when direct connections aren't possible.
2.1. How it works
The script initiates an outbound connection from the Charge Controller to a publicly accessible server. This creates a tunnel that allows you to connect back to the Charge Controller through the server, bypassing NAT and firewall restrictions.
2.2. Requirements
- A publicly accessible server (proxy)
- SSH access to the Charge Controller
- Basic knowledge of SSH tunneling
2.3. For manufacturers: Setting up the SSH tunnel
- SSH into the Charge Controller:
ssh charge@<CHARGE_CONTROLLER_IP>
- Create a script file for the reverse tunnel. You can use the built-in
invoke_custom_script_1
capability:
#!/bin/ash
while true; do
ssh -N -R 10022:localhost:22 -o ServerAliveInterval=60 user@your-proxy-server.com
sleep 60
done
-
Save this script to the Charge Controller and make it executable
-
Configure the Charge Controller to run this script automatically using the
invoke_custom_script_1
parameter in the configuration interface -
Access the Charge Controller through the proxy:
ssh -p 10022 charge@your-proxy-server.com
2.4. For operators: Accessing the web interface
Once the SSH tunnel is established, you can access the Charge Controller's web interface through the proxy server. Your network administrator should provide you with:
- The address of the proxy server
- Any required authentication credentials
- Specific port or URL path to access your Charge Controller
3. Alternative: Using a reverse proxy
Another approach is to set up a dedicated reverse proxy server that can access both the Charge Controller's network and your corporate network.
3.1. What is a reverse proxy?
A reverse proxy is a server that sits between clients and the Charge Controller. It receives client requests and forwards them to the Charge Controller, then returns the Charge Controller's responses to the clients. This allows controlled access to the Charge Controller's web interface without exposing the device's network directly.
3.2. Network overview
The typical scenario involves two separate networks:
- Device network: Contains the Charge Controller (e.g., a local LAN with the Charge Controller and perhaps a modem)
- Corporate network: Where users want to access the Charge Controller from
The reverse proxy server connects to both networks, acting as a bridge specifically for web traffic to the Charge Controller.
3.3. Charge Controller requirements
One advantage of using a reverse proxy is that the Charge Controller itself requires minimal configuration:
- Network connectivity: Ensure the Charge Controller is connected to a network (via Ethernet, WLAN, or GSM)
- IP address: Know the Charge Controller's IP address on its network
- Credentials: Change the default passwords for both Operator and Manufacturer accounts
No additional software or configuration is needed on the Charge Controller itself. The web interface is already accessible via HTTP on the Charge Controller's IP address.
3.4. Access scenarios
With a reverse proxy in place, you can access the Charge Controller in different scenarios:
- Internal access: Users on the corporate network can access the Charge Controller through the reverse proxy using an internal hostname or IP address
- Remote access: For off-site access, the reverse proxy can be configured to allow secure connections from the internet
- Hybrid setup: The same reverse proxy can serve both internal and external users, with appropriate security controls for each access path
3.5. Security considerations
When implementing a remote access solution, consider these security best practices:
- Change default passwords on the Charge Controller
- Keep the Charge Controller's firmware updated as recommended by Bender
- Maintain network isolation between the device network and corporate network
- Use HTTPS encryption for all connections to the proxy
- Implement authentication at the proxy level
- Monitor access logs to track who accessed the Charge Controller and when
4. Benefits of remote access solutions
Implementing a proper remote access solution offers several advantages:
- Simplified maintenance: Technicians can troubleshoot and update Charge Controllers without on-site visits
- Enhanced security: Properly configured remote access is more secure than opening direct ports
- Flexibility: Works with various network configurations including cellular connections
- Scalability: Can be extended to provide access to multiple Charge Controllers
- Cost-effective: Reduces the need for on-site service calls