
Hotel IT Remote Access for MSPs: PMS, PBX, NVR, and Switches From a Browser

How MSPs remotely access hotel PMS servers, PBX admin panels, NVR cameras, and switches from a browser — one WireGuard tunnel, no agents, no static IP.

Hotels are one of the most demanding environments for MSP remote access. A mid-size property runs four distinct system categories: a property management system (PMS) on a Windows server, a PBX telephone system on its own VLAN, an NVR with 8–32 cameras on an isolated camera VLAN, and a managed switch fabric connecting all of it. None of the last three categories can run a remote access agent. And most hotels — particularly independent properties and small chains — are on a consumer ISP connection without a static IP.

Port forwarding on a per-device basis is the traditional answer, but it does not hold up at hotel scale. Exposing an NVR directly to the internet is how you end up indexed in Shodan. PBX admin interfaces are not hardened for internet exposure. And when the ISP rotates the WAN IP, every forwarded port stops working until DDNS propagates.

What Hotel IT Actually Looks Like

A typical 50-room independent hotel has:

  • Property Management System (PMS) — Opera, Mews, Cloudbeds, or an older Windows-based platform like Protel Air. Runs as a web app or Windows desktop application on a dedicated server on the main LAN.
  • PBX telephone system — Matrix Comsec, Yeastar P-Series, Grandstream UCM, or Panasonic KX. Typically on a dedicated VLAN. Has a web admin panel for extension management, call routing, and SIP trunk diagnostics.
  • NVR and IP cameras — Hikvision, Dahua, or Uniview. Also VLAN-isolated. Web interface for live view and playback; RTSP streams on separate ports for raw video access.
  • Managed switches — TP-Link Omada, Ubiquiti UniFi, or Cisco SMB. Web management on port 80 or 443, SSH available on most models.
  • Windows server or PC — front desk PMS, accounting software, or PMS server. RDP is the standard access method.
  • Router or firewall — MikroTik, pfSense, or OPNsense. The gateway for all of the above.

The NVR, PBX, and managed switches cannot run TeamViewer, AnyDesk, or any VPN client. They run embedded firmware. Installing third-party software on a hotel PBX voids the support contract. A remote access platform priced per device that still leaves the majority of hotel infrastructure unreachable is not a workable solution for an MSP.

The WireGuard Router Tunnel Approach

Instead of installing anything on individual hotel devices, install one WireGuard tunnel on the hotel's router. The router dials outbound to a relay server and maintains the tunnel with a persistent keepalive interval. The relay can then route to any IP on any VLAN behind that router — regardless of whether the target device runs any software.

A concrete example: Hotel Anna in Greece runs a MikroTik router with three VLANs — main LAN at 192.168.1.0/24, PBX VLAN at 192.168.10.0/24, and camera VLAN at 192.168.20.0/24. No static IP; standard DSL. One WireGuard tunnel on the MikroTik, with all three subnets declared in ProxyLink. The PBX admin panel at 192.168.10.5:80 and the NVR at 192.168.20.10:80 are both accessible from any browser, from anywhere, with zero open ports on the hotel network.

CGNAT and dynamic IPs are irrelevant — the tunnel initiates outbound from the router, so whatever IP the ISP assigns at any given moment does not affect access.

What MSP Engineers Actually Access

Once the tunnel is up, create a proxy link in ProxyLink for each service. A standard hotel setup includes:

  • PMS server (port 3389) — browser RDP to the Windows server running the front desk system. No mstsc.exe, no VPN client on the engineer's laptop. Covers software updates, user account management, and troubleshooting Opera or Mews.
  • PBX admin panel (port 80 or 443) — HTTP or HTTPS proxy link to the PBX web interface. Extension management, call routing changes, SIP trunk diagnostics, and voicemail configuration — all without a site visit.
  • NVR web interface (port 80 or 443) — HTTP proxy link to the camera system. Live view, playback, and camera configuration work through the proxied web UI. Most Hikvision, Dahua, and Uniview NVRs stream live video through their own web server on this same port.
  • RTSP streams (TCP link) — for clients that need the raw video stream rather than the NVR web UI, a TCP proxy link pointing at the NVR's RTSP port (typically 554) provides direct RTSP access.
  • Managed switch (port 22 or 443) — browser SSH terminal for CLI access, or an HTTPS proxy link for the web management UI. No PuTTY, no local VPN.
  • MikroTik router (port 22 or 80) — browser SSH for RouterOS CLI, or HTTP proxy link to WebFig. No WinBox client required.

Multi-VLAN Setup

When creating the tunnel in ProxyLink, add all hotel VLAN subnets under Additional Subnets. ProxyLink adds server-side routes for each subnet through the same WireGuard peer — no separate tunnels per VLAN needed.

LAN subnet:        192.168.1.0/24   (main LAN — Windows server, switches)
Additional subnet: 192.168.10.0/24  (PBX VLAN)
Additional subnet: 192.168.20.0/24  (camera VLAN)

On MikroTik, add mangle rules for each VLAN subnet to exempt ProxyLink traffic from load-balancing marks — documented in the MikroTik remote access guide. On pfSense or OPNsense, add firewall pass rules for each VLAN on the WireGuard interface. One router, one peer, all VLANs reachable.
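
The single tunnel described here and under The WireGuard Router Tunnel Approach, written as generic wg-quick style configuration for Hotel Anna's three subnets. This is an added example, not ProxyLink's generated configuration; the tunnel addresses (10.99.0.x), relay.example.net:51820, the 25-second keepalive, and the key placeholders are assumptions.

```ini
# ===== Hotel router side (constructed example) =====
# The router only dials out: no ListenPort is set and no port forward exists.
[Interface]
PrivateKey = <ROUTER_PRIVATE_KEY>
# Assumed tunnel address for the hotel router
Address = 10.99.0.2/32

[Peer]
PublicKey = <RELAY_PUBLIC_KEY>
# Assumed relay hostname and port
Endpoint = relay.example.net:51820
# Accept tunnel traffic only when it comes from the relay's tunnel address
AllowedIPs = 10.99.0.1/32
# Send a keepalive every 25 s (assumed value) so the NAT or CGNAT mapping
# stays open and the relay can always reach the router
PersistentKeepalive = 25

# ===== Relay side (constructed example) =====
[Interface]
PrivateKey = <RELAY_PRIVATE_KEY>
Address = 10.99.0.1/32
ListenPort = 51820

[Peer]
PublicKey = <ROUTER_PUBLIC_KEY>
# No Endpoint line: the relay learns the router's current public address from
# its authenticated packets, so a rotated WAN IP needs no reconfiguration.
#
# AllowedIPs does two jobs for this peer:
#   1. routing: traffic for these prefixes is sent into this tunnel
#   2. filtering: packets arriving from this peer are dropped unless their
#      source address is inside one of these prefixes
# Main LAN, PBX VLAN, and camera VLAN all ride the same peer.
AllowedIPs = 10.99.0.2/32, 192.168.1.0/24, 192.168.10.0/24, 192.168.20.0/24
```

AllowedIPs makes each subnet routable as a whole; which hosts and ports the relay can actually open is decided by the router's firewall rules on the WireGuard interface.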

Audit Trail for Hotel Compliance

Hotels storing guest payment data operate under PCI DSS. Properties in the EU have GDPR obligations for any system handling guest records. NIS2 may apply to larger hospitality groups. Remote access to any of these systems needs an audit trail: who accessed what, when, and for how long.

ProxyLink logs every session automatically — engineer identity, target device IP and port, connection timestamp, and session duration — in an immutable audit log on paid plans. RDP sessions to the PMS server and SSH sessions to network devices can be recorded per proxy link. If a guest data incident is ever investigated, those logs are the difference between a defensible response and an unknown exposure window.

Deployment Time

For a standard hotel with a MikroTik router and three VLANs, the tunnel setup takes 20–30 minutes. With ProxyLink's MikroTik auto-configuration — which connects to the router via SSH and deploys WireGuard automatically — it takes under five minutes. After that, every device on every VLAN is accessible indefinitely: no per-session VPN setup, no per-device agent maintenance, no open ports on the hotel network.

Try ProxyLink free at app.proxylink.dev — no card required, 14-day trial on all paid features. Setup guides for MikroTik, pfSense, OPNsense, and OpenWRT are in the docs.
