Asus Router WireGuard Remote Access: Browser RDP and SSH to Your Entire LAN
How to set up a ProxyLink WireGuard tunnel on Asus routers (stock AX firmware or AsusWRT-Merlin) — browser RDP, SSH, and HTTP access to every LAN device, no static IP, no port forwarding.
Asus makes some of the most widely deployed routers in SMB and branch environments — the RT-AX88U at a hotel, the RT-AX3000 at a small office, the AiMesh node spanning a multi-floor retail space. AsusWRT-Merlin firmware has included WireGuard support since version 386.5, and stock AsusWRT on AX-series hardware added it in later builds. Either way, an Asus router running WireGuard client mode can serve as a ProxyLink tunnel host: one outbound connection covers every device on the LAN, with nothing installed on individual machines.
Stock Firmware vs AsusWRT-Merlin
If your Asus router runs firmware 386.7 or later on an AX-series model, WireGuard client support may already be present under VPN → VPN Client → WireGuard. Check your firmware version first — if the WireGuard tab is absent, AsusWRT-Merlin unlocks it on a much wider range of hardware including older AC-series models (RT-AC68U, RT-AC86U, etc.).
Merlin is a drop-in replacement for stock AsusWRT on supported models. It adds WireGuard kernel module support and finer routing control without changing the familiar Asus UI layout. Install it exactly like a stock firmware update: download from asuswrt-merlin.net, flash via Administration → Firmware Upgrade. Existing settings are preserved.
Getting the WireGuard Config from ProxyLink
In ProxyLink, create a new tunnel for the site. Name it after the location — "Retail Branch A" or "Client Hotel" — and set the LAN subnet to match the Asus router's local network. The Asus stock default is 192.168.1.0/24; Merlin on newer units often defaults to 192.168.50.0/24. Download the WireGuard configuration file. It will look like this:
[Interface]
PrivateKey = <generated-private-key>
Address = 10.100.0.X/32
[Peer]
PublicKey = <proxylink-server-public-key>
Endpoint = 46.225.153.241:51820
AllowedIPs = 10.100.0.0/16
PersistentKeepalive = 25AllowedIPs = 10.100.0.0/16 sends only ProxyLink tunnel traffic through the VPN — all other internet traffic on the LAN exits normally through the WAN. PersistentKeepalive = 25 is mandatory: it prevents the NAT session from expiring during idle periods and ensures the router re-initiates the handshake after a reboot or ISP reconnect.
Setting Up WireGuard on AsusWRT-Merlin
Log into the Asus admin panel at 192.168.1.1 (or router.asus.com) and navigate to VPN → VPN Client. On Merlin 386.5+:
- Click Add profile and select WireGuard
- Click Import .conf file and upload the config downloaded from ProxyLink, or paste the text directly
- Set Apply to WAN to No — the tunnel should carry only the ProxyLink range, not all WAN traffic
- Click OK, then Activate
On stock AX-series firmware, the same flow appears under VPN → VPN Client → WireGuard. Field names differ slightly between firmware versions but the config fields are identical.
Multi-VLAN Sites
Asus AiMesh and the AX-series models support VLAN-segmented guest networks. If the client site has multiple subnets — a main LAN, a guest VLAN, a CCTV VLAN — add each subnet to the tunnel in ProxyLink under Additional Subnets. ProxyLink expands the server-side routing to include all declared subnets through the same peer. No separate tunnels per subnet needed.
A hotel running a main LAN on 192.168.1.0/24, a PBX VLAN on 192.168.10.0/24, and an NVR VLAN on 192.168.20.0/24 uses one Asus router with one ProxyLink tunnel. All three subnets are reachable from the browser — PBX admin panel, NVR camera streams, Windows server RDP — with no agent on any of those devices.
What Engineers Access
Once the tunnel is up, create a proxy link for each device and service in ProxyLink:
- Windows PCs and servers (port 3389) — browser RDP session, no mstsc.exe or VPN client on the engineer's laptop
- Linux machines (port 22) — browser SSH terminal with optional session recording on paid plans
- IP cameras and NVR systems (port 80 or 443) — HTTP or HTTPS proxy link, camera web UI in any browser
- PBX admin panels — HTTP proxy link, direct browser access without touching the phone system's network config
- The Asus router itself (port 22 or 8443) — SSH browser terminal or HTTPS proxy to the admin UI
- Network printers and managed switches — HTTP proxy to embedded web UIs, no driver installation
Every session is logged: engineer identity, target IP and port, session start, and duration. RDP and SSH sessions can be recorded per proxy link on paid plans. The client LAN has zero open inbound ports — no port forwarding rules to manage, no static IP requirement, no exposure when the router reboots or the ISP rotates the WAN address.
Verifying the Tunnel
In the Asus admin panel, check VPN → VPN Client. The WireGuard profile should show a connected status. For a more detailed check, SSH into the router (Merlin enables SSH under Administration → System) and run:
wg show wg0The output should show a recent latest handshake time and a non-zero received bytes count. If the handshake is absent:
- Confirm outbound UDP 51820 is not blocked by an upstream firewall or the ISP
- Verify the relay public key matches exactly what ProxyLink shows — one wrong character silently prevents the handshake
- Confirm Apply to WAN is not routing all traffic through the tunnel, which would break normal internet access at the site
- Confirm
PersistentKeepalive = 25is in the imported config — without it, the tunnel drops silently after a period of inactivity
Try ProxyLink free at app.proxylink.dev — no card required, 14-day trial on all paid features. An Asus router site takes under 10 minutes to configure. Setup guides for MikroTik, pfSense, OPNsense, GL.iNet, and EdgeRouter are in the docs.