Open Source • Apache 2.0 • Zero Trust

OpenCPO

The only EV charging platform
where chargers are invisible on the internet.

Enterprise-grade security. Open source. No compromise.
Zero trust networking, built-in PKI, and ISO 15118 Plug & Charge — built by an actual CPO running real chargers.

Includes a complete guide to becoming a CPO with minimal cost —
from installation to Plug & Charge, OCPI roaming, and EU subsidies.

Get Started GitHub See How It Works
Zero Trust Architecture
Own PKI Built-in CA
ISO 15118 Plug & Charge
NIS2 Aligned by Design

The Reality

EV Charging Is Critical Infrastructure.
Most Platforms Treat It Like a Webshop.

Most commercial CPO platforms share the same fundamental architecture. And it's broken.

Exposed on the Internet

Chargers communicate directly over the public internet. No VPN. No tunnel. Anyone can scan for your endpoints and probe your infrastructure.

Shared Passwords

Entire networks secured by a single shared OCPP password. One leak — one disgruntled employee, one phishing email — and every charger on your network is compromised.

No Device Identity

The server has no way to verify that a charger connecting is actually your charger. Rogue devices can impersonate legitimate hardware.

Unencrypted Traffic

Many deployments use plain WebSocket without TLS. Charging commands, session data, energy readings — all readable by anyone on the path.

Vulnerable to Attack

Man-in-the-middle attacks. Replay attacks. Unauthorized remote control of chargers. The attack surface is wide open.

NIS2 Non-Compliant

The EU's NIS2 directive requires encrypted communications, identity verification, and audit trails for critical infrastructure. Most platforms aren't close.

This isn't a theoretical risk. Power grids, fuel pipelines, and water systems have all been taken down by attackers. EV charging networks control the physical flow of energy. The attack vectors are real — and the industry is sleepwalking.

The Differentiator

Zero Trust Architecture

OpenCPO doesn't patch the broken model. It replaces it entirely.

Traditional
⚠ Exposed endpoint ⚠ Shared password ⚠ No device identity
🔌 Charger
OCPP WebSocket
🌐 Public Internet
Unencrypted · Scannable · No identity
☁️ CPO Cloud
Vendor SaaS
👾 Anyone on the path can intercept and replay
VS
OpenCPO
✓ Pi gateway per site ✓ Per-device certificates ✓ Mutual TLS
🔌 Charger
OCPP + mTLS cert
🥧 Pi Gateway
On-site · Cert vault · LAN only
🔒 WireGuard Tunnel
Encrypted mesh · No public IP
🏠 Your Infrastructure
Private · Self-hosted · Yours
✓ No public endpoint. Invisible on the internet.

Tailscale Native Integration

Designed for deployment over WireGuard mesh VPN (e.g. Tailscale). A lightweight gateway — a Raspberry Pi at each site — bridges chargers into the private mesh. No public endpoints. No open ports. Chargers are invisible on the internet.

WireGuard • Pi Gateway • Mesh VPN

Built-in PKI

Own Root CA, CPO Sub-CA, MO Sub-CA. Every device gets a unique digital certificate — its own passport. No shared passwords. Revoke access in under one second.

Root CA • Sub-CA • mTLS

Mutual TLS (mTLS)

Both sides verify identity. The charger proves it's your charger. The server proves it's your server. Every single connection, every time. Zero implicit trust.

Bidirectional Auth

ISO 15118 Plug & Charge

Full PKI hierarchy for ISO 15118: Root CA, CPO Sub-CA, MO Sub-CA. SECC cert signing and contract cert provisioning handlers built into the OCPP 2.0.1 stack. The foundation for app-less, card-less charging.

ISO 15118 • V2G PKI

NIS2 Compliant by Design

Encrypted communications, verified device identity, audit logging. OpenCPO is designed with the EU's critical infrastructure directive in mind — so you're building on the right foundation from day one.

EU NIS2 • Critical Infra

Full Audit Trail

Every command, every session, every authentication event — logged and queryable. Who authorized what, when, and from which verified device. Built for forensics and compliance reporting.

Structured Logs • Forensics

What You Get

The Complete Stack

Six purpose-built components. One platform. No missing pieces, no "build the rest yourself."

OpenCPO Core

OCPP 1.6 + 2.0.1 Central System with zero trust networking baked in. Profile-driven charger compatibility handles the real-world firmware quirks that break other implementations.

View repo

OpenCPO Admin

Network management dashboard — chargers, sessions, tariffs, PKI management, and a live OCPP message viewer. Full visibility into your infrastructure.

View repo

OpenCPO Charge

Driver-facing PWA — scan QR, charge, pay. No app store needed. Works on any device with a browser.

View repo

OpenCPO Farm

Virtual charger simulator with 18 stress test scenarios. Simulate entire networks without hardware. Load test before you deploy.

View repo

OpenCPO Bastion

Flashable site controller for Raspberry Pi or NanoPi. Zero-trust bridge, OCPP proxy, cert vault, sensor array, UniFi camera integration, LPR, 4G failover — with optional HA pair for zero-downtime sites.

View repo

OpenCPO Tester

OCPP compliance test suite — validate your charger firmware against the spec before deploying. Structured test reports with pass/fail per message type.

View repo

White-Label Ready

Your Brand. Your Charging App.

One engine, infinite looks. Switch skins with a single environment variable — or create your own in minutes using Google Stitch.

Voltage Backstage

🌙 Dark
Space Grotesk + Manrope

Theater control room aesthetic — stage lighting glows, atmospheric depth

Map Charger Session Receipt

Stroom Electron

🌙 Dark
Space Grotesk + Inter

Editorial lifestyle — lime green energy, community-driven feel

Map Charger Session

Ion Flux

🌙 Dark
Space Grotesk + Inter

Obsidian HUD — carbon fiber depth, neon cyan data strikes

Map Charger Session

Current Flow

☀️ Light
Manrope + Inter

Clean Dutch editorial — sunlight-readable, eco-conscious

Charger Session Receipt

Voltage Industrial

🌙 Dark
Space Grotesk + Inter

SCADA terminal — monospace readouts, industrial HMI precision

Map Charger Session Receipt
Skin preview
Create custom skins in minutes. Use Google Stitch to design your screens → export the zip → run stitch-to-skin → deploy. Your brand, your colors, your typography — on top of the same rock-solid charging engine.
bash
# Convert a Stitch export to a skin
$ python stitch-to-skin.py my-brand.zip my-brand
✓ Extracted 47 color tokens, 3 font families
✓ Skin 'my-brand' created
 
# Activate it
$ SKIN=my-brand docker compose up
📱 Charge app running with 'my-brand' skin
Learn More — Skin System Guide →

How We Compare

OpenCPO vs. Commercial Platforms

One platform checks every box. Most are starting from scratch.

Feature OpenCPO Commercial Platforms (typical)
Zero trust networking
Built-in PKI & mTLS
ISO 15118 Plug & Charge ~
Open source
Self-hosted / no vendor lock-in
NIS2-aligned by design ~
Skinnable driver app
€0 license cost

~ = Partial or limited support. Based on publicly available documentation as of 2026.

Why This Matters

The Stakes Are Higher Than a Charging Session

OpenCPO isn't just a better platform. It changes what's possible for the industry.

For Small CPOs

Enterprise Security, Zero Budget

Building a PKI, mTLS, and zero trust networking stack from scratch takes significant engineering investment. OpenCPO gives you that foundation for free. Small operators get the same security architecture as enterprise players.

For Municipalities

Specifiable. Auditable. Yours.

Write "OpenCPO" into procurement specs. Full source visibility means no black-box surprises. No vendor lock-in means you own your infrastructure — not a SaaS provider.

For the Energy Transition

Lower Barriers = More Chargers

Every friction point removed — cost, complexity, security — means more operators entering the market. More operators means more chargers. More chargers means faster EV adoption. The math is simple.

For the Industry

A Rising Tide

Every security improvement in OpenCPO benefits every installation running it. Community contributions raise the baseline for everyone. The Red Hat model: the software is free — the expertise is the product.

6 Production-ready components
€0 OpenCPO license cost
<1s Time to revoke a compromised device
100% Open source, Apache 2.0

Quick Start

Up in 3 Commands

No complex setup. No configuration maze. Clone, setup, compose.

Clone the repository
The mono-repo includes all five components and a shared docker-compose.
Run setup
Generates config, creates secrets, initializes your local PKI, and checks dependencies.
Compose up
Docker pulls images and starts all services. Core, Admin, Charge — everything, including your CA.
Open http://localhost:8080 — your CPO admin panel is ready.
Production Deployment

For production, connect chargers via Tailscale — every device gets a WireGuard identity and joins your private mesh automatically. No public endpoints needed. See the deployment guide for Tailscale integration and certificate provisioning.

bash
# Clone OpenCPO
$ git clone https://github.com/opencpo/opencpo
 
# Run setup (generates PKI + config)
$ cd opencpo && ./setup.sh
✓ Checking dependencies...
✓ Generating Root CA...
✓ Generating CPO Sub-CA...
✓ Generating config...
✓ Setup complete
 
# Launch the platform
$ docker compose up
⚡ opencpo-core started on :9000
🖥 opencpo-admin started on :8080
📱 opencpo-charge started on :3000
🔒 pki-service started on :8443
 
# For production: add Tailscale
$ tailscale up --advertise-tags=tag:cpo
✓ Chargers are now invisible on internet

Credibility

Built by Practitioners.
Not a Research Project.

OpenCPO is production code from a team that charges real vehicles every day. Not a consultancy slide deck. Not a university project. Not a proof of concept.

We run our own CPO network — real chargers, real drivers, real revenue. Every feature in OpenCPO was built because we needed it ourselves. Every edge case was encountered in production and fixed in the codebase.

Tested against real charger hardware in the field — with a profile-driven compatibility system designed to scale to any manufacturer
Profile-driven compatibility system handles real-world firmware quirks that kill generic implementations — contribute profiles for your hardware
Zero trust architecture born from running critical infrastructure, not from security theater
Designed with NIS2 requirements in mind — encrypted communications, device identity, audit logging
"

The software is free. The expertise is the product.

We built the security infrastructure every CPO needs. Now we're sharing it with the industry — and offering the expertise to deploy it right.

Stroomlijnen B.V.
CPO & OpenCPO maintainer — Netherlands

Community

Build the Open Charging Ecosystem

OpenCPO gets better when the whole industry contributes. Join us.

Discord

Real-time chat. Get help, share what you're building, join discussions about OCPP, security, and EV charging.
GitHub Discussions

Long-form conversations, feature requests, RFC proposals, and Q&A — all tracked in the open.
Contribute

Bug fixes, new charger profiles, security improvements, protocol support. Every contribution raises the bar for everyone. See CONTRIBUTING.md.
Charger Profiles

Community database of charger behavior profiles. Running a vendor's hardware? Test it, generate a profile, submit a PR. Your fix helps every CPO using that charger.
Open Source, Open Governance

Apache 2.0 license. No premium tier. No feature flags behind a paywall. Everything in the open source release.

Security First

Found a vulnerability? We take security seriously. Responsible disclosure process via SECURITY.md. Security fixes are prioritized above all else.

What's Next
  • Full ISO 15118 EXI encode/decode
  • Kubernetes Helm chart
  • Automated certificate renewal
  • V2G (vehicle-to-grid) extensions
  • More charger vendor profiles

The Complete CPO Handbook

Everything you need to become a Charge Point Operator — from your first charger to multi-site OCPI roaming with Plug & Charge. Technical deep dives, deployment architecture, EU subsidies, and business model guidance. Free with demo access.

Covers OCPP 1.6j + 2.0.1 · ISO 15118 PKI · OCPI 2.2.1 roaming · multi-node HA deployment · financial incentives across 10 EU countries

See it in action

Get access to a live demo environment with 20 simulated chargers running real OCPP sessions. Full admin dashboard, driver app, charger farm, API, and the complete CPO handbook — yours to explore.

Want to read first? Read the full CPO guide — installation, pricing, PKI, OCPI roaming, and EU subsidies.

Or email us directly at [email protected]