← All posts

Industrial Remote Access for MSPs: PLCs, HMIs, and SCADA Without Agents or Port Forwarding

How MSPs and OT integrators remotely reach PLCs, HMIs, and SCADA on the factory floor — one WireGuard router tunnel, no agents on controllers, no open ports.

Industrial networks are the hardest environment to support remotely, and the one where getting it wrong is the most dangerous. A single production line runs PLCs from Siemens, Allen-Bradley, or Schneider, HMI panels driving the operator interface, a SCADA server logging the process, VFDs, and managed switches tying the control network together. None of the controllers, drives, or HMI panels can run a remote access agent. They run real-time firmware, they are certified as part of the machine, and installing third-party software on them voids the OEM warranty. Many sites also sit on a 4G/LTE industrial router with no public IP at all.

The traditional answers all fail here. Port forwarding a PLC or SCADA server to the internet is the fastest way to end up indexed in Shodan and, in an OT context, is a genuine safety risk. A full site-to-site VPN needs a client, credentials, and firewall changes on every engineer laptop, and it flattens the network segmentation that OT security depends on. And an agent-per-device tool cannot touch a controller that has no place to install an agent.

What an Industrial Network Actually Looks Like

A typical manufacturing or process line has:

  • PLCs — Siemens S7-1200/1500, Allen-Bradley CompactLogix, Schneider Modicon. Programmed over proprietary protocols (S7comm, EtherNet/IP, Modbus TCP). No agent support of any kind.
  • HMI panels — Siemens Comfort, Weintek, Pro-face, or Advantech touch panels. Many expose a web interface on port 80/443 and a VNC server for remote viewing of the operator screen.
  • SCADA / historian server — a Windows box running Ignition, WinCC, or Wonderware. RDP is the standard access method.
  • Managed industrial switches — Hirschmann, Moxa, or Cisco IE. Web and SSH management.
  • Edge gateway — a Linux IPC or industrial router (Teltonika, Moxa) bridging the OT VLAN to the outside.

The engineer who supports this equipment is frequently a systems integrator or an MSP covering multiple plants — often plants in different countries with no on-site IT. When a line stops at 3am, driving four hours to plug a laptop into a switch is not an acceptable response time.

One Outbound Tunnel on the OT Gateway

Instead of installing anything on the controllers, install one WireGuard tunnel on the site's edge gateway or industrial router. The router dials outbound to ProxyLink's relay and holds the connection with a persistent keepalive. From that point the relay can route to any IP on the control network — whether or not the target device runs any software.

Because the tunnel is outbound, CGNAT, dynamic IPs, and 4G/LTE connections are irrelevant. Teltonika and Moxa cellular routers common on remote industrial sites work the same as a fibre connection. And critically, there are no open inbound ports on the plant network — the control network stays dark to the internet, which is exactly what IEC 62443 and any competent OT security policy demand.

What Engineers Actually Reach

Once the tunnel is up, create a proxy link for each device:

  • SCADA / historian server (port 3389) — browser RDP to the Windows machine running Ignition or WinCC. No mstsc.exe, no VPN client on the engineer's laptop.
  • HMI panel (VNC or port 80/443) — browser VNC to view and drive the operator screen, or an HTTP/HTTPS proxy link to the panel's web interface. See exactly what the operator sees.
  • PLC programming (TCP link) — a VPN-secured TCP proxy link to the PLC's protocol port (Modbus TCP 502, EtherNet/IP 44818, S7comm 102). Point TIA Portal, Studio 5000, or your SCADA client at the ProxyLink TCP endpoint and go online with the controller as if you were on the LAN.
  • Managed switch / gateway (port 22) — browser SSH for CLI diagnostics and VLAN changes. No PuTTY, no local VPN.

Network Segmentation Stays Intact

Plants that segment the process network from the business network — the Purdue model in practice — need exactly one WireGuard peer. Add each OT VLAN under Additional Subnets when creating the tunnel, and every declared subnet becomes reachable through the same peer:

LAN subnet:        10.10.0.0/24     (control network — PLCs, HMIs)
Additional subnet: 10.20.0.0/24     (SCADA / historian VLAN)

Access is still scoped per engineer, and every session is logged: engineer identity, target IP and port, timestamp, and duration. RDP and SSH sessions can be recorded per link — the audit trail that IEC 62443 and NIS2 require when someone reaches a controller.

Why This Fits OT

Nothing is installed on the PLC, drive, or HMI. Nothing is exposed to the internet. One tunnel on one gateway covers the whole line, across every VLAN, over any connection including cellular. TeamViewer and AnyDesk — both breached in 2024 — cannot reach a controller and route your process data through their own infrastructure. ProxyLink's relay runs on EU infrastructure with no third-party remote-access network in the path.

Try ProxyLink free at app.proxylink.dev — no card required, free during early access. Setup guides for MikroTik, pfSense, OPNsense, OpenWRT, and Linux gateways are in the docs.

ProxyLink is free during Early Access

One WireGuard tunnel on a router gives you browser RDP, VNC, and SSH to every device on the LAN. No agent on the target. No credit card. No trial countdown.

Get free access →
← Back to all posts