Retail IT Remote Access for MSPs: POS Back-Office, NVRs, and Overlapping Store Subnets
How MSPs remotely access POS back-office servers, NVRs, and switches across every store in a chain — one WireGuard tunnel per site, no port forwarding.
Retail is the one vertical where every client site is built from the same template. A 40-store chain does not have 40 bespoke networks — it has one network design deployed 40 times, down to the IP addressing. That uniformity makes retail cheap to build and, for its MSP, uniquely hostile to traditional remote access.
Each store sits on consumer broadband or LTE with no static IP, frequently behind CGNAT. Nobody is driving to a store to open a port. And the moment you pull all 40 stores into one hub-and-spoke VPN, you discover all 40 are on 192.168.1.0/24.
What a Store Network Actually Contains
A typical retail location runs:
- POS terminals — locked-down Windows or Android tills. Vendor-managed, often with a support contract that forbids third-party software.
- Back-office PC or server — inventory, stock receiving, end-of-day reconciliation, label printing. Windows, reachable over RDP.
- NVR and cameras — loss prevention. Hikvision, Dahua, or Uniview, on a web UI and RTSP.
- Managed switch — TP-Link Omada, UniFi, or Cisco SMB.
- Router or firewall — MikroTik, pfSense, or an ISP box the MSP does not control.
- Peripherals — label and receipt printers, scales, time clocks, signage players.
Exactly one category on that list can run a remote access agent. The NVR, switch, scales, and signage players run embedded firmware. The POS terminals sit in the card data environment and are usually contractually off-limits to anything the vendor did not ship.
Why Per-Device Agents Do Not Scale in Retail
Agent-based tools price per device or per concurrent technician, and retail multiplies device counts fast. Forty stores at six reachable devices each is 240 endpoints — and that count still excludes every NVR, switch, and printer you actually get called about. You pay for the endpoints the agent covers, then keep a separate method for everything it cannot. Agents also drift: a back-office PC reimaged by a store manager loses its agent silently, and you find out during an incident.
The Overlapping Subnet Problem
This is the failure that stops most MSPs from consolidating a retail estate onto one VPN. Standard hub-and-spoke WireGuard or OpenVPN cannot route to two sites sharing an RFC1918 range: when Store 3 and Store 17 are both 192.168.1.0/24, the server cannot decide which 192.168.1.50 you mean. The usual workaround is renumbering every store — a truck roll per site, plus reworking DHCP reservations, POS vendor allowlists, and printer IPs.
ProxyLink handles this at the server. Every gateway tunnel with a declared LAN subnet is automatically assigned a unique subnet out of 10.128.0.0/9, and an iptables NETMAP rule translates between the store's real addressing and its assigned range. Store 3's back-office PC and Store 17's back-office PC can both be 192.168.1.50 on the LAN; ProxyLink addresses them as distinct IPs and translates transparently on the way in. Nothing changes on the store side — no renumbering, no DHCP edits, no client-side reconfiguration.
One caveat worth designing around: only the primary LAN subnet is NETMAP-translated. Additional VLANs declared on a tunnel route directly over WireGuard, so if your stores also run a camera VLAN, give that VLAN a unique range per site.
One Tunnel Per Store
Install one WireGuard peer on the store router. It dials outbound and holds the tunnel open with a persistent keepalive, so CGNAT, dynamic IPs, and ISP port blocks are irrelevant — the store never accepts an inbound connection. Every device on that LAN becomes reachable, whether or not it can run software.
Engineers then work from a browser: RDP to the back-office PC, an HTTP proxy link to the NVR web UI, SSH to the switch, TCP links for RTSP. No mstsc, no PuTTY, no VPN client.
Mapping the Estate
ProxyLink's data model fits a chain directly: your MSP is the team, each store is a client group, each router is a tunnel, each service a proxy link. Engineers are assigned the groups they support; an employee-level tech can be scoped to individual devices. Peer isolation is enforced server-side with per-team ipsets, so one client's traffic can never reach another's.
Two features earn their keep in unattended stores. Network Automations fire when a tunnel drops and post to Slack or Teams, so you hear it before the morning shift calls. Wake-on-LAN over the tunnel brings a powered-down back-office PC up for overnight patching.
PCI DSS and the Audit Trail
PCI DSS requires multi-factor authentication for remote access into the cardholder data environment and prohibits exposing those systems directly to the public internet. An outbound tunnel with zero open inbound ports removes the exposure entirely — a scan of the store's ISP range finds nothing to connect to. ProxyLink supports two-factor authentication and logs every session with engineer identity, target IP and port, timestamp, and duration. RDP and SSH sessions can be recorded per link, retained for 14 days. None of that makes an estate compliant on its own — POS scoping is a conversation with your QSA — but it replaces a forwarded port and a shared password with an authenticated, logged path.
Rolling Out
Budget 15–20 minutes per store for the first tunnel. On MikroTik, ProxyLink's auto-configuration connects over SSH and deploys the WireGuard config for you — under five minutes. Where you do not control the router, a PowerShell one-liner deploys a tunnel on the back-office PC instead. Guides for MikroTik, pfSense, OPNsense, and OpenWRT are at proxylink.dev/docs.
Try ProxyLink free at app.proxylink.dev — no card required, free during early access, full access from day one.