Skip to main content
v5.33
operator
manufacturer
Last updated

Remote access/reverse proxy

In many deployments, the Charge Controller resides on a segregated network (for example, behind a local Ethernet switch and 4G modem) separate from a corporate or VPN network. This network isolation can make it challenging to access the Charge Controller's web interface directly.

This guide covers methods to access your Charge Controller remotely when direct connections are not possible due to network restrictions such as NAT (Network Address Translation) or Carrier-grade NAT (CGN).

1. Common connectivity challenges

Several network scenarios can prevent direct access to your Charge Controller:

  • Multiple NAT layers: When the Charge Controller is behind both a router NAT and a carrier-grade NAT (common with GSM/cellular connections)
  • No public IP address: When your internet service provider doesn't assign a public IP to your connection
  • Firewall restrictions: When network policies block incoming connections
  • Network segmentation: When the Charge Controller is on an isolated network segment

2. Using the built-in remote access script

The Charge Controller provides a pre-made script (invoke_custom_script_1) that can establish a connection to a proxy server, creating an access path when direct connections aren't possible.

2.1. How it works

The script initiates an outbound connection from the Charge Controller to a publicly accessible server. This creates a tunnel that allows you to connect back to the Charge Controller through the server, bypassing NAT and firewall restrictions.

2.2. Requirements

  • A publicly accessible server (proxy)
  • SSH access to the Charge Controller
  • Basic knowledge of SSH tunneling

2.3. For manufacturers: Setting up the SSH tunnel

  1. SSH into the Charge Controller:
ssh charge@<CHARGE_CONTROLLER_IP>
  1. Create a script file for the reverse tunnel. You can use the built-in invoke_custom_script_1 capability:
#!/bin/ash
while true; do
ssh -N -R 10022:localhost:22 -o ServerAliveInterval=60 user@your-proxy-server.com
sleep 60
done
  1. Save this script to the Charge Controller and make it executable

  2. Configure the Charge Controller to run this script automatically using the invoke_custom_script_1 parameter in the configuration interface

  3. Access the Charge Controller through the proxy:

ssh -p 10022 charge@your-proxy-server.com

2.4. For operators: Accessing the web interface

Once the SSH tunnel is established, you can access the Charge Controller's web interface through the proxy server. Your network administrator should provide you with:

  • The address of the proxy server
  • Any required authentication credentials
  • Specific port or URL path to access your Charge Controller

3. Alternative: Using a reverse proxy

Another approach is to set up a dedicated reverse proxy server that can access both the Charge Controller's network and your corporate network.

3.1. What is a reverse proxy?

A reverse proxy is a server that sits between clients and the Charge Controller. It receives client requests and forwards them to the Charge Controller, then returns the Charge Controller's responses to the clients. This allows controlled access to the Charge Controller's web interface without exposing the device's network directly.

3.2. Network overview

The typical scenario involves two separate networks:

  1. Device network: Contains the Charge Controller (e.g., a local LAN with the Charge Controller and perhaps a modem)
  2. Corporate network: Where users want to access the Charge Controller from

The reverse proxy server connects to both networks, acting as a bridge specifically for web traffic to the Charge Controller.

3.3. Charge Controller requirements

One advantage of using a reverse proxy is that the Charge Controller itself requires minimal configuration:

  1. Network connectivity: Ensure the Charge Controller is connected to a network (via Ethernet, WLAN, or GSM)
  2. IP address: Know the Charge Controller's IP address on its network
  3. Credentials: Change the default passwords for both Operator and Manufacturer accounts

No additional software or configuration is needed on the Charge Controller itself. The web interface is already accessible via HTTP on the Charge Controller's IP address.

3.4. Access scenarios

With a reverse proxy in place, you can access the Charge Controller in different scenarios:

  • Internal access: Users on the corporate network can access the Charge Controller through the reverse proxy using an internal hostname or IP address
  • Remote access: For off-site access, the reverse proxy can be configured to allow secure connections from the internet
  • Hybrid setup: The same reverse proxy can serve both internal and external users, with appropriate security controls for each access path

3.5. Security considerations

When implementing a remote access solution, consider these security best practices:

  1. Change default passwords on the Charge Controller
  2. Keep the Charge Controller's firmware updated as recommended by Bender
  3. Maintain network isolation between the device network and corporate network
  4. Use HTTPS encryption for all connections to the proxy
  5. Implement authentication at the proxy level
  6. Monitor access logs to track who accessed the Charge Controller and when

4. Benefits of remote access solutions

Implementing a proper remote access solution offers several advantages:

  1. Simplified maintenance: Technicians can troubleshoot and update Charge Controllers without on-site visits
  2. Enhanced security: Properly configured remote access is more secure than opening direct ports
  3. Flexibility: Works with various network configurations including cellular connections
  4. Scalability: Can be extended to provide access to multiple Charge Controllers
  5. Cost-effective: Reduces the need for on-site service calls