For remote access, Teleport for IoT supports a similar use case using SSH, where an agent can be run on an embedded device, optionally or always enabled, that phones home and allows SSH connections to be reverse tunneled back to the device behind a firewall.
https://gravitational.com/blog/iot_security_teleport/
Disclaimer: I work for Gravitational but not on Teleport.
I have an X11 key listener. When someone reports a problem and they have access to the internet, I have them type "__medxremotedebug". An ngrok process is started, and the machine beeps to notify the user that the backdoor is open. I then log in to ngrok.com, see the tunnel and connect to it. All the units have a public SSH key and only I have the private key.