← All posts

GL.iNet WireGuard Remote Access: Browser RDP and SSH to Your Entire LAN

How to set up a ProxyLink WireGuard tunnel on GL.iNet 4.x — browser RDP, SSH, and HTTP access to every LAN device, no static IP, no port forwarding.

GL.iNet routers run OpenWRT under the hood and ship with WireGuard support built into the 4.x firmware. That makes them a practical choice for MSPs deploying a remote access tunnel at a small client site — a restaurant, retail outlet, or branch office — without the overhead of a full pfSense or MikroTik setup. One WireGuard tunnel on a GL.iNet gives the same result: every device on the LAN reachable from a browser, no port forwarding, no static IP.

The same OpenWRT principles apply to any OpenWRT-based router, but GL.iNet is the easiest starting point because WireGuard client mode is built into the 4.x admin UI — no SSH configuration required.

Why GL.iNet Works for MSP Tunnels

GL.iNet devices are compact, inexpensive, and treat WireGuard as a first-class feature. Models like the GL-MT3000 (Beryl AX), GL-AX1800 (Flint), and the pocket-sized GL-MT300N (Mango) all support WireGuard client mode out of the box on firmware 4.x — no packages, no CLI required to enable it.

For MSPs, GL.iNet covers the gap between "site too small for a rack firewall" and "site that still needs remote access." A small client on a consumer ISP connection gets a GL.iNet on the LAN. The ProxyLink tunnel runs on the GL.iNet, covering every device behind it. CGNAT, dynamic IP, residential ISP: none of that matters because the GL.iNet initiates the tunnel outbound.

Getting the WireGuard Config from ProxyLink

In ProxyLink, create a new tunnel for the site and download the WireGuard configuration file. It looks like this:

[Interface]
PrivateKey = <generated-private-key>
Address = 10.100.0.X/32

[Peer]
PublicKey = <proxylink-server-public-key>
Endpoint = 46.225.153.241:51820
AllowedIPs = 10.100.0.0/16
PersistentKeepalive = 25

Two settings are critical. AllowedIPs = 10.100.0.0/16 routes only ProxyLink's tunnel range through the VPN — all other internet traffic continues through the WAN normally. PersistentKeepalive = 25 maintains the handshake through NAT. Without it, the NAT session expires after inactivity, the handshake silently drops, and the tunnel stops working.

Importing the Config into GL.iNet 4.x

Log into the GL.iNet admin panel at 192.168.8.1 and navigate to VPN → WireGuard Client. On firmware 4.x:

  1. Click Add a New VPN Configuration
  2. Choose Manually Add Configuration
  3. Paste the config text or upload the .conf file downloaded from ProxyLink
  4. Name the connection (e.g. ProxyLink) and save
  5. Enable the toggle to connect

In the connection options, disable Global Proxy if it is on. Global Proxy overrides AllowedIPs to 0.0.0.0/0, routing all client internet traffic through the VPN — which would break the site's internet connection. With it off, only traffic destined for 10.100.0.0/16 goes through the tunnel.

Once connected, the status panel shows the last handshake time. Confirm a recent handshake before testing device access.

Setting the LAN Subnet and Creating Proxy Links

In ProxyLink, set the LAN subnet for this tunnel to the GL.iNet's LAN range. The GL.iNet default is 192.168.8.0/24. ProxyLink adds a server-side route for that subnet through the WireGuard peer — from that point, every IP on that subnet is reachable through the tunnel, including devices that run no software at all.

Create a proxy link for each device and service:

  • Windows PC (192.168.8.50, port 3389): RDP link — full browser RDP session, no mstsc.exe needed on the engineer's laptop
  • NVR camera system (192.168.8.20, port 443): HTTPS proxy link — the NVR web UI loads in any browser, no Hikvision cloud account, no port forwarding
  • Linux server (192.168.8.10, port 22): SSH link — browser terminal, session recording available on paid plans
  • Managed switch (192.168.8.1, port 80): HTTP proxy link — switch web management in any browser tab

Multiple VLANs

If the site runs VLANs — a PBX subnet at 192.168.10.0/24, a camera subnet at 192.168.20.0/24 — declare each subnet in ProxyLink when creating the tunnel. ProxyLink adds server-side routes for all declared subnets through the same WireGuard peer. One GL.iNet tunnel, all VLANs reachable. No changes to the WireGuard config on the GL.iNet are needed — only the subnet list in ProxyLink needs updating.

Deployment Scenarios Where GL.iNet Fits

  • Small retail or hospitality sites: Consumer ISP, probable CGNAT, no rack space. A GL.iNet on the LAN with a ProxyLink tunnel covers the POS system, NVR cameras, and any other device. The consumer ISP router needs no changes.
  • Temporary installations: Construction sites, pop-up events, mobile offices. The GL.iNet goes in, the tunnel connects automatically, the site is reachable from day one. When the installation ends, the device is retrieved and the tunnel removed in ProxyLink.
  • Engineers on managed corporate laptops: A GL.iNet plugged into a hotel ethernet port provides a known-clean network with a ProxyLink tunnel. The engineer gets full access to client sites without installing any software on the corporate device.

Verifying the Tunnel

If the handshake does not complete, check three things:

  • Outbound UDP is not blocked on the WAN. Most consumer routers allow all outbound UDP — but explicit block rules can prevent the handshake.
  • The relay server public key in the config matches exactly what ProxyLink shows for the tunnel. A single wrong character silently prevents the handshake.
  • PersistentKeepalive = 25 is present in the config. Without it, GL.iNet behind NAT will not initiate the handshake proactively.

Security Profile

The tunnel initiates outbound from the GL.iNet — no inbound ports are opened on the client network. Every device behind the router is dark to the internet. Access to any device requires a ProxyLink login with two-factor authentication. Every session is logged with engineer identity, target device, timestamp, and duration. For EU clients under NIS2, this is the audit trail the directive requires for privileged access to network infrastructure.

Try ProxyLink free at app.proxylink.dev — no card required. A GL.iNet tunnel typically takes under 10 minutes to configure. Setup guides for MikroTik, pfSense, OPNsense, and other OpenWRT-based routers are in the docs.

ProxyLink is free during Early Access

One WireGuard tunnel on a router gives you browser RDP, VNC, and SSH to every device on the LAN. No agent on the target. No credit card. No trial countdown.

Get free access →
← Back to all posts