MikroTik Remote Access for MSPs: Browser RDP, VNC, and SSH Without Agents
A practical guide for MSPs on setting up remote access to MikroTik-routed networks, browser RDP, VNC, and SSH to every device on the LAN, no agent required.
MikroTik routers are everywhere in European SMB and hotel networks. They are cheap, powerful, and deeply configurable, which means MSPs managing MikroTik sites have enormous flexibility. That flexibility also means the remote access problem is worth solving correctly once, rather than per-site.
This guide covers setting up WireGuard on a MikroTik router so that every device behind it, Windows servers, IP cameras, PBX systems, network switches, becomes reachable from a browser.
The Architecture in One Sentence
Your MikroTik connects outbound to a WireGuard relay server. All traffic destined for IPs on your client's LAN routes through that tunnel. Browser-based RDP, VNC, and SSH sessions run on the relay server, your engineers open a URL, not a VPN client.
RouterOS 7 WireGuard Setup
In RouterOS 7, WireGuard is a first-class interface type. Create the interface, add the relay server as a peer, and assign an IP inside the tunnel range:
/interface wireguard add name=Proxylink private-key="<generated-key>"
/interface wireguard peers add interface=Proxylink \
public-key="<relay-public-key>" \
endpoint-address="relay.example.com" \
endpoint-port=51820 \
allowed-address=10.100.0.0/16 \
persistent-keepalive=25s
/ip address add address=10.100.0.X/16 interface=Proxylink
The persistent-keepalive is important, it keeps the tunnel alive through NAT, which most client sites are behind.
Firewall Rules That Actually Work
The most common mistake MSPs make with MikroTik WireGuard: the forward chain rules are missing or in the wrong order.
# Allow ProxyLink → LAN and return traffic
/ip firewall filter add chain=forward action=accept \
in-interface=Proxylink out-interface=Local \
comment="ProxyLink to LAN"
/ip firewall filter add chain=forward action=accept \
connection-state=established,related \
in-interface=Local out-interface=Proxylink \
comment="ProxyLink return"
These rules must appear before any drop rules in the forward chain. RouterOS evaluates rules top-to-bottom and stops at the first match.
The mangle rules are equally critical if you have load balancing configured (common in dual-WAN MikroTik setups):
/ip firewall mangle add chain=prerouting action=accept \
src-address=192.168.1.0/24 dst-address=10.100.0.0/16 \
comment="Proxylink, skip LB"
/ip firewall mangle add chain=prerouting action=accept \
src-address=10.100.0.0/16 dst-address=192.168.1.0/24 \
comment="Proxylink, skip LB"
Without these, your load-balancer marks packets from the tunnel and they exit through the wrong WAN interface, breaking the return path silently.
Multi-VLAN Sites (Hotels, Offices With Separate Networks)
MikroTik makes VLAN management easy, and ProxyLink handles multi-VLAN access natively. Declare each VLAN subnet in ProxyLink under Additional Subnets and add the corresponding mangle rules on the MikroTik, the WireGuard peer's AllowedIPs stays 10.100.0.0/16. One tunnel, multiple VLANs, a hotel with a main LAN, a PBX VLAN, and a camera VLAN needs exactly one WireGuard peer.
This is the configuration that makes it possible to access a hotel's NVR web interface and PBX admin panel from a browser without touching either device, even when both are on different VLANs with no public IP anywhere.
What Each Engineer Sees
Once the tunnel is up, every device on the LAN gets a URL in ProxyLink. An engineer clicks the device, picks RDP/VNC/SSH, and the session opens in the browser. No VPN client. No local RDP application. Works from any machine on any network, including managed corporate laptops where software installation is restricted.
MikroTik Remote Management: Browser Access vs WinBox
MSPs managing MikroTik infrastructure typically use WinBox for router configuration, but WinBox requires the proprietary WinBox client and a direct network path to the router. For remote management from any machine on any network, a browser-based approach is more practical.
With a WireGuard tunnel on the MikroTik, you get three remote management options through ProxyLink:
- MikroTik remote management via HTTP: Create a proxy link to the router's WebFig interface (port 80). Access the full RouterOS web interface from any browser without WinBox.
- MikroTik remote access via SSH: Create an SSH link to the router's management IP. Terminal access to RouterOS from the browser, useful for scripted changes and diagnostics.
- MikroTik Winbox browser alternative: For full WinBox-style GUI access without installing the WinBox client, use a proxy link to the router's WebFig port combined with browser RDP to a Windows machine that has WinBox installed, reaching it via the same WireGuard tunnel.
The same tunnel that handles MikroTik remote management also gives you browser RDP to every Windows PC behind the router, no extra setup needed for mixed Windows + MikroTik environments.
Deployment Time
For a standard MikroTik site with a single LAN: tunnel up in about 10 minutes. For a multi-VLAN hotel setup: 20-30 minutes including testing. After that, every device on every VLAN is accessible indefinitely, no per-session setup, no per-device configuration.
Get free early access and connect your first MikroTik site today.