MikroTik Remote Access for MSPs: Browser RDP, VNC, and SSH Without Agents
A practical guide for MSPs on setting up remote access to MikroTik-routed networks — browser RDP, VNC, and SSH to every device on the LAN, no agent required.
MikroTik routers are everywhere in European SMB and hotel networks. They are cheap, powerful, and deeply configurable — which means MSPs managing MikroTik sites have enormous flexibility. That flexibility also means the remote access problem is worth solving correctly once, rather than per-site.
This guide covers setting up WireGuard on a MikroTik router so that every device behind it — Windows servers, IP cameras, PBX systems, network switches — becomes reachable from a browser.
The Architecture in One Sentence
Your MikroTik connects outbound to a WireGuard relay server. All traffic destined for IPs on your client's LAN routes through that tunnel. Browser-based RDP, VNC, and SSH sessions run on the relay server — your engineers open a URL, not a VPN client.
RouterOS 7 WireGuard Setup
In RouterOS 7, WireGuard is a first-class interface type. Create the interface, add the relay server as a peer, and assign an IP inside the tunnel range:
/interface wireguard add name=Proxylink private-key="<generated-key>"
/interface wireguard peers add interface=Proxylink \
public-key="<relay-public-key>" \
endpoint-address="relay.example.com" \
endpoint-port=51820 \
allowed-address=10.100.0.0/16 \
persistent-keepalive=25s
/ip address add address=10.100.0.X/16 interface=Proxylink
The persistent-keepalive is important — it keeps the tunnel alive through NAT, which most client sites are behind.
Firewall Rules That Actually Work
The most common mistake MSPs make with MikroTik WireGuard: the forward chain rules are missing or in the wrong order.
# Allow ProxyLink → LAN and return traffic
/ip firewall filter add chain=forward action=accept \
in-interface=Proxylink out-interface=Local \
comment="ProxyLink to LAN"
/ip firewall filter add chain=forward action=accept \
connection-state=established,related \
in-interface=Local out-interface=Proxylink \
comment="ProxyLink return"
These rules must appear before any drop rules in the forward chain. RouterOS evaluates rules top-to-bottom and stops at the first match.
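To check that ordering on an existing router, the script below parses the text of a filter export and reports tunnel accept rules that sit below an unconditional drop. It is an added example, not ProxyLink or MikroTik code; the sample export is constructed, and the function names and the simplified matching are assumptions.

```python
import shlex

# Constructed sample in the shape of `/ip firewall filter export` output;
# interface names follow the guide. The tunnel accept rule is below a drop.
SAMPLE_EXPORT = r'''/ip firewall filter
add action=accept chain=forward comment="ProxyLink return" \
    connection-state=established,related in-interface=Local \
    out-interface=Proxylink
add action=drop chain=forward comment="drop everything else"
add action=accept chain=forward comment="ProxyLink to LAN" \
    in-interface=Proxylink out-interface=Local
'''

# A drop rule using only these keys drops all traffic on its interfaces.
# Assumption: drops with further matchers (connection-state, address or
# interface lists) and negated (!) matchers are not evaluated here.
INTERFACE_ONLY = {"action", "chain", "comment", "in-interface", "out-interface"}

def parse_filter_rules(export_text):
    """Return the filter rules of an export as dicts, in evaluation order."""
    joined = export_text.replace("\\\n", " ")  # undo export line wrapping
    rules, in_filter = [], False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            tokens = shlex.split(line)[1:]
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def shadowed_accepts(rules, in_if="Proxylink", out_if="Local"):
    """Comments of forward accept rules for in_if -> out_if that sit below
    an unconditional drop/reject covering the same interfaces."""
    blocked, findings = False, []
    for rule in rules:
        if rule.get("chain") != "forward" or rule.get("disabled") == "yes":
            continue
        if (rule.get("in-interface", in_if) != in_if
                or rule.get("out-interface", out_if) != out_if):
            continue  # interface matchers exclude this traffic
        action = rule.get("action", "accept")
        if action in ("drop", "reject") and set(rule) <= INTERFACE_ONLY:
            blocked = True
        elif action == "accept" and blocked:
            findings.append(rule.get("comment", "<no comment>"))
    return findings

if __name__ == "__main__":
    for comment in shadowed_accepts(parse_filter_rules(SAMPLE_EXPORT)):
        print(f"unreachable accept rule below a drop: {comment}")
```

Call `shadowed_accepts` a second time with `in_if="Local", out_if="Proxylink"` to check the return-path rule the same way.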
The mangle rules are equally critical if you have load balancing configured (common in dual-WAN MikroTik setups):
/ip firewall mangle add chain=prerouting action=accept \
src-address=192.168.1.0/24 dst-address=10.100.0.0/16 \
comment="Proxylink — skip LB"
/ip firewall mangle add chain=prerouting action=accept \
src-address=10.100.0.0/16 dst-address=192.168.1.0/24 \
comment="Proxylink — skip LB"
Without these, your load-balancer marks packets from the tunnel and they exit through the wrong WAN interface, breaking the return path silently.
Multi-VLAN Sites (Hotels, Offices With Separate Networks)
MikroTik makes VLAN management easy, and ProxyLink handles multi-VLAN access natively. Add each VLAN subnet to the WireGuard peer's AllowedIPs and add the corresponding mangle rules. One tunnel, multiple VLANs — a hotel with a main LAN, a PBX VLAN, and a camera VLAN needs exactly one WireGuard peer.
This is the configuration that makes it possible to access a hotel's NVR web interface and PBX admin panel from a browser without touching either device — even when both are on different VLANs with no public IP anywhere.
What Each Engineer Sees
Once the tunnel is up, every device on the LAN gets a URL in ProxyLink. An engineer clicks the device, picks RDP/VNC/SSH, and the session opens in the browser. No VPN client. No local RDP application. Works from any machine on any network, including managed corporate laptops where software installation is restricted.
Deployment Time
For a standard MikroTik site with a single LAN: tunnel up in about 10 minutes. For a multi-VLAN hotel setup: 20-30 minutes including testing. After that, every device on every VLAN is accessible indefinitely — no per-session setup, no per-device configuration.