How to Access a PLC or SCADA System Remotely Without a VPN
A field engineer receives an alarm at 02:00. The nearest technician is three hours away. The machine has a Siemens S7 or an Allen-Bradley ControlLogix with a web-based HMI running on the plant floor, but the corporate IT department has not approved VPN access to the OT network and will not do so quickly. This guide explains how to securely expose a PLC web interface, a SCADA dashboard, or a Modbus TCP endpoint to authorised personnel over the internet using a Localtonet TCP or HTTP tunnel, without modifying firewall rules or waiting for IT to provision a VPN.
📋 What's in this guide
The Remote Access Challenge in Operational Technology
Operational Technology (OT) networks the networks that run PLCs, SCADA systems, HMIs, and industrial controllers are typically isolated from the corporate IT network and the public internet by design. Air-gapping or strict firewall segmentation protects production systems from cyber threats. This is the right approach for security. The problem arises when legitimate remote access is needed: vendor commissioning support, remote fault diagnosis by an off-site engineer, or monitoring by a manager who is not physically on site.
The traditional solution is a VPN either a hardware VPN appliance at the plant or a software VPN client on the engineer's laptop connecting to the corporate network. VPNs work well when properly configured and maintained, but they require IT department involvement, approved hardware, provisioned user accounts, and ongoing maintenance. In smaller facilities, system integrators, or situations requiring rapid access during an incident, that process takes time that may not be available.
What changes with a tunnel approach
A tunnel creates a specific, controlled, time-limited path to one service on one machine. It does not expose the entire OT network. It does not require inbound firewall rule changes. It runs on a gateway machine inside the plant network that makes an outbound connection to the relay. The relay address becomes the only external point of contact. When the tunnel is stopped, the path disappears entirely.
Any remote access capability in an OT environment must be evaluated against your organisation's cybersecurity policy and relevant standards such as IEC 62443. The approach described in this guide provides a controlled, authenticated tunnel for specific services. It is not a substitute for a comprehensive OT security framework. Always consult your security and operations teams before implementing remote access to production systems.
How Tunnel-Based Access Works in an OT Environment
The key architectural principle is that the tunnel is initiated from inside the OT network, not from outside. A gateway machine a Windows PC, a Linux server, or an industrial edge device running inside the plant runs the Localtonet client and makes an outbound connection to the Localtonet relay server. Outbound connections on standard ports (typically 443) are allowed by most industrial firewalls because they follow the same pattern as normal HTTPS web traffic.
Once the tunnel is established, traffic flows like this: the remote engineer connects to the relay address, the relay forwards the connection through the tunnel to the gateway machine inside the plant, and the gateway machine forwards it to the target device the PLC web interface, the SCADA server, or the Modbus TCP endpoint. The PLC never communicates directly with the internet. Only the gateway machine does, and only outbound.
Scenario A: Accessing a SCADA or HMI Web Interface
Many modern SCADA systems and PLC HMI panels include a built-in web server that serves a browser-based operator interface. Siemens SIMATIC panels, Weintek HMIs, Ignition SCADA, Wonderware Web Client, and similar platforms all provide HTTP or HTTPS interfaces on standard web ports. An HTTP tunnel exposes this interface to a remote browser with a valid HTTPS URL.
Architecture
Connection path
Remote engineer's browser
↓
Localtonet relay (public HTTPS URL)
↓
Localtonet client on gateway machine (inside OT network)
↓
SCADA server / HMI panel (local IP, e.g. 192.168.10.50:8080)
Setup steps on the gateway machine
Install Localtonet on the gateway machine
The gateway machine must be on the same network segment as the SCADA server or HMI panel. Download and authenticate Localtonet using your AuthToken from Dashboard → My Tokens.
Create an HTTP tunnel pointing at the SCADA IP and port
Go to the HTTP tunnel page.
Set the local IP to the SCADA server or HMI panel's IP address on the OT network
(for example 192.168.10.50) and the port to the web interface port
(typically 80, 8080, or 443).
Click Create and start the tunnel.
Share the relay URL with the authorised engineer
The dashboard shows a public HTTPS URL. The remote engineer opens this URL in a browser and sees the SCADA or HMI web interface. Their login credentials on the SCADA system provide the application-level authentication layer.
Localtonet running on the gateway machine can forward traffic to any IP address reachable on the OT network.
Set the tunnel's local IP to the SCADA server's IP rather than 127.0.0.1.
The gateway machine acts as the outbound tunnel endpoint and transparent forwarder.
This separation means the SCADA server itself never runs external software.
Scenario B: Modbus TCP Remote Access
Modbus TCP is the most widely supported protocol for direct PLC data access from software clients.
Siemens S7-1200 and S7-1500 PLCs support Modbus TCP as both client and server.
Allen-Bradley PLCs with the appropriate Add-On Instruction or ProSoft gateway module also expose Modbus TCP.
The standard port is 502.
A Localtonet TCP tunnel forwards raw TCP traffic transparently, which is exactly what Modbus TCP requires. The remote Modbus client connects to the relay address and the tunnel forwards the connection to the PLC on port 502 inside the plant.
Setup steps
Confirm Modbus TCP is enabled on the PLC
For Siemens S7-1200 and S7-1500, Modbus TCP server functionality is configured in TIA Portal
using the MB_SERVER instruction block. Assign a connection instance DB
and confirm the PLC is listening on port 502.
For Allen-Bradley ControlLogix with the ProSoft MVI56E-MNET module,
confirm the module is configured as a Modbus TCP server and note the module's IP address.
Create a TCP tunnel for port 502 on the gateway machine
Go to the TCP/UDP tunnel page,
select TCP, set local IP to the PLC's IP address on the OT network
(for example 192.168.10.10) and port to 502.
Click Create and start the tunnel.
The dashboard shows a relay address such as example.localto.net:33502.
Connect the Modbus client to the relay address
Configure your Modbus client software Modbus Poll, Node-RED, Python with pymodbus, or any SCADA historian to connect to the relay hostname and port instead of the PLC's local IP address.
# Python example using pymodbus
from pymodbus.client import ModbusTcpClient
# Connect via the Localtonet relay instead of the local PLC IP
client = ModbusTcpClient(
host='example.localto.net',
port=33502,
timeout=10
)
client.connect()
# Read holding registers (Function Code 03)
# Reading 10 registers starting at address 0
result = client.read_holding_registers(address=0, count=10, slave=1)
if not result.isError():
print('Register values:', result.registers)
else:
print('Read error:', result)
client.close()The Modbus protocol does not include authentication or encryption. Anyone who can reach port 502 on the relay address can send Modbus commands to the PLC. This makes access control at the tunnel level critical. See the security section below for how to restrict access to specific IP addresses and how to enable SSO authentication in front of the tunnel. Limit Modbus TCP tunnel access to named individuals during defined maintenance windows only.
Gateway Machine Setup and Recommended Architecture
The gateway machine is the only device in the OT network that needs internet access and Localtonet installed. It should be a dedicated machine or industrial PC, not the SCADA server itself, to maintain separation between the OT application layer and the external access layer.
| Component | Requirement | Notes |
|---|---|---|
| Gateway machine OS | Windows 10/11, Windows Server, or Linux | Localtonet runs on all platforms. Linux preferred for always-on setups. |
| Network connectivity | Access to OT network segment AND outbound internet (port 443) | Dual-NIC setup recommended to segment OT and IT traffic. |
| Localtonet version | Latest stable binary for the OS | Install via localtonet.com/download. |
| Tunnel count | One tunnel per service exposed | Do not create a single tunnel that exposes the entire network. |
| AuthToken | Dedicated token per site or installation | One token per physical location. Revoke individually if compromised. |
Running Localtonet as a Persistent Service
For installations where remote access must be available at any time not just when someone manually starts a tunnel register Localtonet as a system service so it starts automatically on boot and restarts automatically if it stops.
Linux (systemd)
sudo localtonet --install-service --authtoken <YOUR_TOKEN>
sudo localtonet --start-service --authtoken <YOUR_TOKEN>
# Verify service is active
systemctl status localtonet
journalctl -u localtonet -fWindows (Service)
# Run as Administrator
localtonet.exe --install-service --authtoken <YOUR_TOKEN>
localtonet.exe --start-service --authtoken <YOUR_TOKEN>
# Verify
Get-Service -Name "localtonet"After registration, Localtonet starts automatically at system boot and resumes tunnel connections without any manual intervention. Tunnels configured in the dashboard become active as soon as the client connects to the relay.
For production environments where remote access should only be available during approved maintenance windows, keep Localtonet installed as a service but stop and start individual tunnels from the dashboard rather than leaving them running continuously. An engineer opens the tunnel before a maintenance session and closes it when finished. The service remains ready but no path exists when tunnels are inactive.
Security and Access Control
Remote access to OT systems carries significant responsibility. The following controls should be considered mandatory, not optional.
🔐 Enable SSO authentication on every tunnel
In the Localtonet dashboard, enable Single Sign-On on each tunnel. Any person attempting to reach the relay URL must authenticate via Google, GitHub, Microsoft, or GitLab before the connection is forwarded to the OT network. This provides a strong identity layer in front of the PLC or SCADA system's own authentication. See the SSO documentation for setup instructions.
🌐 Restrict access to approved IP addresses
If the authorised engineers have fixed IP addresses an office network, a specific VPN exit node, or a corporate proxy configure IP restrictions in the Localtonet dashboard for the tunnel. Connections from any other IP are rejected at the relay before reaching the OT network.
⏱ Open tunnels only during approved maintenance windows
For Modbus TCP tunnels in particular, do not leave them running continuously. Define a maintenance window, start the tunnel, complete the work, and stop the tunnel. Log the start and stop times as part of your change management process. No active tunnel means no possible remote connection, regardless of any credential compromise.
📋 Use dedicated AuthTokens per site
Create a separate Localtonet AuthToken for each plant or installation in Dashboard → My Tokens. If a token is compromised or a gateway machine is decommissioned, revoke only that token without affecting access to other sites.
🔑 Do not expose PLC programming ports
This guide covers read and monitoring access via web interfaces and Modbus TCP. Programming access ports Siemens S7 protocol (port 102), Allen-Bradley EtherNet/IP (port 44818) should never be exposed through a tunnel without explicit security review and strict access controls. The risk of unauthorised PLC program modification is significantly higher than read-only monitoring access.
Frequently Asked Questions
Is this approach compliant with IEC 62443 or NERC CIP?
This guide describes a technical implementation. Compliance with IEC 62443, NERC CIP, or any other OT cybersecurity standard depends on your organisation's specific risk assessment, zone and conduit model, and security management processes. The tunnel approach can be part of a compliant architecture if properly documented, access-controlled, monitored, and reviewed. Consult your OT security team and any applicable regulatory requirements before implementation in regulated environments.
Does the Localtonet tunnel encrypt the traffic between the relay and the engineer's machine?
HTTP tunnels use TLS between the engineer's browser and the relay. TCP tunnels carry whatever protocol the application uses Modbus TCP is not encrypted by default. If the SCADA web interface serves over HTTPS, the traffic is encrypted end-to-end. For Modbus TCP, the traffic between the engineer's Modbus client and the relay is unencrypted. For sensitive environments, wrap Modbus TCP in an SSH tunnel or use an HTTPS proxy layer in front of the Modbus endpoint on the gateway machine.
Can I use this with older legacy PLCs that only have serial connections?
Not directly Localtonet requires a TCP/IP path to the target device. For legacy PLCs with only RS-232 or RS-485 serial connections, a serial-to-Ethernet gateway (such as a Moxa NPort or a ProSoft serial gateway) converts the serial protocol to Modbus TCP or similar, giving you a network-accessible endpoint that Localtonet can forward traffic to. This is a common architecture for connecting legacy equipment to modern monitoring systems.
What happens if the internet connection at the plant is interrupted?
If the plant's internet connection drops, the Localtonet tunnel goes down and remote access is unavailable until connectivity is restored. Local control from the plant floor is unaffected PLCs, HMIs, and SCADA systems continue operating on the OT network independently. Localtonet automatically reconnects the tunnel when internet access returns. This is by design: remote access is a non-critical overlay on top of a locally functional system.
Can multiple engineers access the same tunnel simultaneously?
For SCADA web interfaces, yes multiple browser sessions can connect through the same HTTP tunnel simultaneously, subject to the SCADA system's own concurrent user licensing. For Modbus TCP, most PLCs support multiple concurrent Modbus TCP connections, though the practical limit varies by controller model. Check your specific PLC documentation for the maximum number of simultaneous Modbus TCP connections it supports.
Can the same gateway machine handle tunnels to multiple PLCs or devices?
Yes. A single Localtonet client on the gateway machine handles all tunnels associated with its AuthToken simultaneously. Create a separate tunnel for each device one for the S7 web server at 192.168.10.10:80, another for Modbus TCP at 192.168.10.20:502, a third for the SCADA historian at 192.168.10.30:8080. Each gets its own relay address. All run through a single Localtonet client instance on the gateway machine.
Controlled Remote Access to Your Plant Floor | Without Opening Your Firewall
Install Localtonet on a gateway machine inside your OT network, create a tunnel for the specific service you need to expose, enable SSO authentication, and share the relay URL with authorised personnel. The tunnel exists only when you need it. Stop it when the maintenance window closes.
Create Free Localtonet Account →
