
Ubiquiti EdgeRouter WireGuard Remote Access: Browser RDP and SSH to Your Entire LAN

How to configure WireGuard on Ubiquiti EdgeRouter for ProxyLink — browser RDP, SSH, and HTTP access to every LAN device, no static IP, no port forwarding, no agent on targets.

Ubiquiti EdgeRouter devices — the ER-X at small branch sites, the ER-4 and ER-6P at offices and hotels — are a common fixture in MSP-managed networks. They run EdgeOS, a Vyatta-based CLI platform with a proven forwarding stack and good VLAN support. With the WireGuard kernel module installed, an EdgeRouter becomes a reliable ProxyLink tunnel host: one outbound peer covers every device on the LAN and every VLAN, with nothing installed on individual machines.

Installing WireGuard on EdgeRouter

EdgeOS does not ship WireGuard by default. The wireguard-vyatta-ubnt package, published by the WireGuard project on GitHub, provides the kernel module and EdgeOS CLI integration for EdgeOS 2.x. Install the package matching your hardware:

  • ER-X, ER-X-SFP (MIPS): the mipsel package for the e50 platform
  • ER-4, ER-6P, EdgeRouter Pro (MIPS64): the mips64 package
  • EP-R6 (ARM): the ARM package

Install via SSH:

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/latest/download/<package>.deb
sudo dpkg -i <package>.deb

Store key files in /config/auth/ — this directory persists across firmware upgrades. Keys stored elsewhere are wiped on upgrade.

Generating Keys and Creating the ProxyLink Tunnel

Generate a WireGuard keypair on the router:

wg genkey | sudo tee /config/auth/proxylink.key | wg pubkey | sudo tee /config/auth/proxylink.pub
sudo chmod 600 /config/auth/proxylink.key   # private key readable by root only

In ProxyLink, create a new tunnel for the site and paste in the EdgeRouter public key. ProxyLink assigns a peer address in the 10.100.0.0/16 range and shows you the relay public key and endpoint. You need both for the configuration below.

EdgeOS WireGuard Configuration

Enter configuration mode and build the WireGuard interface:

configure

set interfaces wireguard wg0 address 10.100.0.X/32
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key /config/auth/proxylink.key

set interfaces wireguard wg0 peer <RELAY_PUBLIC_KEY> allowed-ips 10.100.0.0/16
set interfaces wireguard wg0 peer <RELAY_PUBLIC_KEY> endpoint 46.225.153.241:51820
set interfaces wireguard wg0 peer <RELAY_PUBLIC_KEY> persistent-keepalive 25

commit
save

route-allowed-ips true tells EdgeOS to automatically install kernel routes for the peer's allowed IP ranges — without it, the tunnel forms but traffic does not route toward the relay. persistent-keepalive 25 maintains the NAT session and ensures the EdgeRouter re-initiates the handshake after a reboot or link drop.

Firewall Rules

EdgeOS applies a default-drop policy on new interfaces. Traffic arriving on wg0 needs an explicit accept rule before it can reach the LAN:

configure

set firewall name WG_IN description "ProxyLink inbound"
set firewall name WG_IN default-action drop
set firewall name WG_IN rule 10 action accept
set firewall name WG_IN rule 10 description "ProxyLink to LAN"
set firewall name WG_IN rule 10 source address 10.100.0.0/16

set interfaces wireguard wg0 firewall in name WG_IN

commit
save

If the site uses zone-based firewall policies, add wg0 to a zone and define inter-zone rules to your LAN zone instead. The ruleset approach above covers most EdgeRouter deployments without an existing zone policy.
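Rule 10 above accepts every protocol and port from 10.100.0.0/16. As an added example (not ProxyLink's or the author's own code), this script turns a list of proxy-link targets into one WG_IN accept rule per target and port. The target addresses are constructed, and it assumes each proxy link only needs TCP to its single listed port.

```shell
#!/bin/sh
# Constructed inventory: one "target-ip port" pair per proxy link.
targets() {
  cat <<'EOF'
192.168.1.10 3389
192.168.1.20 22
192.168.10.5 443
192.168.20.30 80
EOF
}

# Read "ip port" pairs on stdin and print EdgeOS commands that replace the
# broad rule 10 with one accept rule per target. WG_IN keeps default-action drop.
gen_wg_in() {
  echo 'delete firewall name WG_IN rule 10'
  n=100
  while read -r ip port; do
    # Reject anything that is not a plain numeric port.
    case $port in ''|*[!0-9]*) echo "skip: bad port for $ip" >&2; continue ;; esac
    r="set firewall name WG_IN rule $n"
    echo "$r action accept"
    echo "$r description \"ProxyLink to $ip:$port\""
    echo "$r protocol tcp"
    echo "$r source address 10.100.0.0/16"
    echo "$r destination address $ip"
    echo "$r destination port $port"
    n=$((n + 10))
  done
}

# Review the printed commands, then paste them between configure and commit.
targets | gen_wg_in
```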

Multi-VLAN Sites

EdgeRouter manages VLANs via sub-interfaces — eth1.10 for VLAN 10, eth1.20 for VLAN 20. ProxyLink covers all declared subnets through a single WireGuard peer. Add each VLAN subnet to the peer's allowed-ips:

configure

set interfaces wireguard wg0 peer <RELAY_PUBLIC_KEY> allowed-ips 10.100.0.0/16
set interfaces wireguard wg0 peer <RELAY_PUBLIC_KEY> allowed-ips 192.168.1.0/24
set interfaces wireguard wg0 peer <RELAY_PUBLIC_KEY> allowed-ips 192.168.10.0/24
set interfaces wireguard wg0 peer <RELAY_PUBLIC_KEY> allowed-ips 192.168.20.0/24

commit
save

Declare the same subnets in ProxyLink when creating the tunnel. A hotel with a main LAN, a PBX VLAN, and a camera VLAN needs exactly one WireGuard peer on the EdgeRouter.

What Engineers Access

Once the tunnel is up, create a proxy link for each device and service. A typical site includes:

  • Windows servers (port 3389) — browser RDP, no mstsc.exe or VPN client on the engineer's laptop
  • Linux servers (port 22) — browser SSH terminal, session recording on paid plans
  • NVR cameras (port 80 or 443) — HTTP/HTTPS proxy link, camera web UI in any browser
  • PBX admin panels — HTTP proxy link, direct browser access without port forwarding
  • The EdgeRouter itself (port 22) — SSH browser terminal for CLI management
  • Managed switches — HTTP or HTTPS proxy link, web management UI in a tab

The client LAN has zero open inbound ports. Every session is logged with engineer identity, target IP and port, session start, and duration. RDP and SSH sessions can be recorded per proxy link on paid plans.

Verifying the Tunnel

Check tunnel status from the CLI:

show interfaces wireguard wg0
sudo wg show wg0

The peer should show a recent handshake time. If the handshake is not completing:

  • Confirm outbound UDP 51820 is not blocked — run show firewall and check WAN rules
  • Verify the relay public key is entered exactly — one wrong character silently prevents the handshake
  • Confirm route-allowed-ips true is set on the interface, not just the peer
  • Confirm persistent-keepalive 25 is set — without it, the EdgeRouter will not re-initiate a dropped handshake
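
An added example (not from the original post) that automates three of the checks in this list from `wg show wg0 dump` output: handshake age, the keepalive value, and the relay range in allowed-ips. The dump lines and keys are constructed, and the 180-second staleness threshold is a choice made here.

```shell
#!/bin/sh
# Constructed `wg show wg0 dump` output (tab-separated). Keys are placeholders.
# Line 1 is the interface: private-key, public-key, listen-port, fwmark.
# Peer lines: public-key, preshared-key, endpoint, allowed-ips,
#             latest-handshake (epoch), rx, tx, persistent-keepalive.
healthy_dump() {
  printf 'PRIVKEY_CONSTRUCTED\tROUTERPUB_CONSTRUCTED\t51820\toff\n'
  printf 'RELAYPUB_CONSTRUCTED\t(none)\t46.225.153.241:51820\t'
  printf '10.100.0.0/16,192.168.1.0/24\t1700000040\t9120\t8344\t25\n'
}
broken_dump() {
  printf 'PRIVKEY_CONSTRUCTED\tROUTERPUB_CONSTRUCTED\t51820\toff\n'
  printf 'RELAYPUB_CONSTRUCTED\t(none)\t46.225.153.241:51820\t'
  printf '192.168.1.0/24\t0\t0\t1480\toff\n'
}

# check_peers NOW: read a dump on stdin, print findings for each peer.
check_peers() {
  awk -F '\t' -v now="$1" -v max_age=180 '
    NR == 1 { next }  # interface line holds the private key: never print it
    {
      peer = substr($1, 1, 8) "..."
      age = now - $5
      if ($5 == 0)            print peer, "NO_HANDSHAKE"
      else if (age > max_age) print peer, "STALE", age "s"
      else                    print peer, "OK", age "s"
      if ($8 != "25")         print peer, "KEEPALIVE", $8
      if (index("," $4 ",", ",10.100.0.0/16,") == 0)
        print peer, "MISSING_RELAY_RANGE"
    }'
}

healthy_dump | check_peers 1700000100
broken_dump  | check_peers 1700000100
```

On the router, feed it live data with `sudo wg show wg0 dump | check_peers "$(date +%s)"`. The first dump line contains the interface private key, so raw dump output should not be pasted into tickets or chat.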

Try ProxyLink free at app.proxylink.dev — no card required. A standard EdgeRouter site takes about 15 minutes to configure. Setup guides for MikroTik, pfSense, OPNsense, and GL.iNet are in the docs.
