Remote Access to Cisco and Ubiquiti Switches Without a VPN Client

Managed switches don't support remote access agents. Here's how to reach Cisco IOS, Ubiquiti UniFi, and any switch management interface from a browser — without installing anything on your laptop.

Managed switches are the one device category that every remote access tool ignores. TeamViewer, AnyDesk, and Splashtop all assume you are connecting to a computer — something that runs Windows or Linux and can install an agent. A Cisco Catalyst, Ubiquiti UniFi switch, MikroTik CRS, or HP Aruba switch cannot run any of these agents. They run their own firmware, full stop.

The result is that MSPs and network engineers typically have two options: drive to the site, or set up a jump server on the same LAN. Neither is acceptable at scale.

Why Switches Are Hard to Access Remotely

Most managed switches have a web management interface (HTTP/HTTPS) and SSH. The web interface is served from the switch itself — you browse to the switch's LAN IP and get a login page. Both interfaces are LAN-only by design. Switches should not be exposed to the internet directly — the attack surface is real, and the security model assumes the switch is only reachable from the local network.

The problem: when you need to change a VLAN or troubleshoot a port from your office or home, "LAN-only" means you cannot get there without physically being on-site or having a separate remote access path into the LAN.

The Common Workarounds and Why They Break

Jump server / bastion host. Put a Linux box on the LAN, SSH into it, then access the switch from there. Works — but requires a maintained Linux box at every client site with SSH exposed somewhere. For 20 client sites, that is 20 jump servers to manage.

Site-to-site VPN. Works at scale for clients where you have a permanent presence. Does not scale to ad-hoc access from engineers working remotely, and requires configuration on both ends.

Port forwarding to the switch. Never do this. The switch's web interface is not hardened for internet exposure, has no rate limiting on login attempts, and often has unpatched vulnerabilities. This is how managed switches get owned.

WireGuard on the Router: One Tunnel Reaches All Switches

The right approach is to install a WireGuard tunnel on the router or gateway at the client site — not on the switches themselves. Once the tunnel is up, every device on that LAN becomes reachable through it, including every switch on every VLAN.

The switches do not need any configuration changes. No agent. No firmware modification. No management VLAN reconfiguration. The WireGuard peer on the router handles everything.

Traffic from your laptop goes: browser → ProxyLink relay → WireGuard tunnel → client router → switch LAN IP. The switch thinks you are a local LAN client. Its management interface works exactly as it does on-site.

Accessing Cisco IOS Web Interface and SSH

Cisco Catalyst switches running IOS expose an HTTP management interface on port 80 and HTTPS on port 443. SSH (port 22) is available if configured. After setting up a WireGuard tunnel on the client router, create two proxy links in ProxyLink:

  • One pointing to the switch IP on port 443 — for the web interface
  • One pointing to the switch IP on port 22 — for browser SSH via ProxyLink's built-in SSH terminal

The web interface proxy link gives you a public HTTPS URL that loads Cisco's web UI directly in your browser. The SSH proxy link opens a browser-based terminal. No PuTTY. No VPN client on your laptop.

Ubiquiti UniFi: Controller and Switch Access

UniFi has two layers: the UniFi Network Application (the controller, running on a Cloud Key, Dream Machine, or a server) and the individual switch management interfaces. Most MSPs manage UniFi through the controller.

The controller typically runs on port 8443 (HTTPS) or 443. A single proxy link pointing to the controller IP and port gives you full UniFi Network Application access — you manage all switches, APs, and gateways from there. ProxyLink supports TCP proxy links with SSL termination on port 8443, so the browser shows a valid HTTPS connection without the self-signed certificate warning.

Multi-VLAN: Workstations on VLAN 1, Switches on VLAN 10, Cameras on VLAN 20

Managed environments typically segment traffic across VLANs. ProxyLink supports multiple subnets per tunnel — you declare all the VLAN subnets when setting up the tunnel, and all of them become reachable through a single WireGuard peer on the router.

An engineer can access a Windows PC via browser RDP (VLAN 1), check a Cisco switch via browser SSH (VLAN 10), and pull up the NVR camera feed (VLAN 20) — all through the same tunnel, without switching tools.

Network Automations: Run Commands on a Schedule

For Cisco and other SSH-capable network devices, ProxyLink has an automation engine that runs SSH commands on a schedule or trigger. You define the command (show vlan brief, show interface status, show log), set a schedule, and ProxyLink SSHes into the device through the tunnel and stores the output.

Useful for: nightly config backups (show running-config with diff), port monitoring (check for err-disabled ports hourly), and compliance evidence (scheduled show version to track firmware versions across the fleet).
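The hourly err-disabled check and the nightly running-config diff described above can be post-processed as follows. This is an added example, not ProxyLink's code: the function names and the sample device output are constructed, and it assumes the stored output is plain Cisco IOS `show interface status` and `show running-config` text.

```python
import difflib
import re

# Lines IOS regenerates on every display or save; not real configuration drift.
VOLATILE = re.compile(r"^(Building configuration|Current configuration :"
                      r"|! Last configuration change|! NVRAM config last updated|ntp clock-period)")

def err_disabled_ports(status_output):
    """Return (port, name, vlan) for each err-disabled port in 'show interface status'."""
    lines = [l for l in status_output.splitlines() if l.strip()]
    header = next(l for l in lines if l.startswith("Port"))
    # Fixed-width columns: slice at header offsets so an empty Name cannot shift Status.
    cols = [header.index(h) for h in ("Port", "Name", "Status", "Vlan", "Duplex")]
    found = []
    for line in lines[lines.index(header) + 1:]:
        port, name, status, vlan = (line[a:b].strip() for a, b in zip(cols, cols[1:]))
        if status == "err-disabled":
            found.append((port, name, vlan))
    return found

def config_drift(previous, current):
    """Unified diff of two 'show running-config' captures, volatile lines removed."""
    def clean(text):
        return [l.rstrip() for l in text.splitlines() if not VOLATILE.match(l)]
    return list(difflib.unified_diff(clean(previous), clean(current),
                                     "previous", "current", lineterm=""))

# Constructed sample output (not captured from a real device).
ROW = "{:<10}{:<19}{:<13}{:<11}{:>6} {:>6} {}"
SAMPLE_STATUS = "\n".join(ROW.format(*r) for r in [
    ("Port", "Name", "Status", "Vlan", "Duplex", "Speed", "Type"),
    ("Gi1/0/1", "uplink core", "connected", "trunk", "a-full", "a-1000", "10/100/1000BaseTX"),
    ("Gi1/0/2", "", "notconnect", "10", "auto", "auto", "10/100/1000BaseTX"),
    ("Gi1/0/7", "cam-03", "err-disabled", "20", "auto", "auto", "10/100/1000BaseTX"),
])
SAMPLE_OLD = """Building configuration...
Current configuration : 1502 bytes
! Last configuration change at 02:00:11 UTC Mon Jan 6 2025 by admin
hostname sw-site01
interface GigabitEthernet1/0/7
 switchport access vlan 20
 switchport mode access
end"""
# Next capture: new timestamp, and the camera port has moved into VLAN 10.
SAMPLE_NEW = SAMPLE_OLD.replace("02:00:11 UTC Mon Jan 6", "14:31:52 UTC Tue Jan 7").replace("vlan 20", "vlan 10")

if __name__ == "__main__":
    print(err_disabled_ports(SAMPLE_STATUS))
    print("\n".join(config_drift(SAMPLE_OLD, SAMPLE_NEW)))
```

Because the volatile header lines are filtered before diffing, a capture that differs only in its timestamp yields an empty diff, so alerting on non-empty output fires only on real changes such as the VLAN move in the sample.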

What This Looks Like in Practice

For an MSP managing 30 client sites, each with a managed switch and some cameras:

  • 30 WireGuard tunnels — one per site, installed on the router
  • Proxy links per site: switch HTTP (×1), switch SSH (×1), NVR (×1), Windows PCs (×N)
  • All accessible from a browser, no VPN client on engineer laptops
  • Every session logged with timestamp, engineer identity, and target device

When an engineer needs to check a port on a switch at a client site at 11pm, they open ProxyLink, click the client group, click the switch SSH link, and they are in the CLI in a browser tab. No drive to site. No jump server. No VPN to configure.

Try ProxyLink free — no card required. MikroTik auto-config available in the dashboard; full setup guides for pfSense, OpenWRT, and Debian gateways in the docs.
