
Browser RDP via WireGuard: Access Any Windows PC Without a Static IP

How to get browser-based RDP access to any Windows machine using WireGuard — no static IP, no port forwarding, no agent on the target.

Remote Desktop Protocol is the fastest way to access a Windows PC — but the classic setup requires either a static IP or some form of port forwarding. For MSPs managing dozens of client sites, that means either paying for static IPs everywhere or wrestling with dynamic DNS and firewall rules that break whenever an ISP rotates the address.

There is a cleaner way: route RDP through WireGuard. One tunnel on a router covers every Windows machine on that LAN. No port forwarding. No static IP. No software installed on the individual PCs.

Why WireGuard Instead of a VPN Client Per Machine

Traditional VPN solutions (OpenVPN, IPsec) require a client installed on each machine you want to reach. For a hotel with 20 Windows PCs, that is 20 VPN clients to maintain. WireGuard changes the topology: install one WireGuard peer on the router (MikroTik, pfSense, OpenWRT, or a dedicated Debian box), and the entire LAN becomes reachable through that single tunnel.

The tunnel connects your router to a relay server. All traffic to any IP on that LAN goes through the tunnel — including TCP port 3389 (RDP) on any machine behind the router.

The Problem with Raw WireGuard

WireGuard gives you the encrypted tunnel. It does not give you a browser. Your engineers still need a local RDP client (mstsc.exe, FreeRDP, Remmina) and they need to be running WireGuard on their own machine too. For field engineers who work from laptops on different networks, this is manageable. For anyone using a managed device with locked-down software policies, it is a blocker.

The other problem is logging. Raw WireGuard has no audit trail of who connected to which machine at what time — a requirement under NIS2 and most ISO 27001 implementations.

Browser RDP: How It Works

ProxyLink adds a browser interface on top of the WireGuard tunnel. The relay server runs Apache Guacamole (specifically guacd), which speaks RDP on one side and WebSocket on the other. Your engineer opens a URL in Chrome, the server connects to the target Windows PC over WireGuard, and the RDP session renders in the browser.

No client software. No VPN client on the engineer's machine. Any browser, any OS, any network.

Setting Up WireGuard on MikroTik (RouterOS 7)

MikroTik RouterOS 7 has native WireGuard support. The key firewall rules that MSPs frequently miss:

# Forward chain — allow ProxyLink traffic to reach LAN and return
/ip firewall filter add chain=forward action=accept \
  in-interface=Proxylink out-interface=Local \
  comment="ProxyLink to LAN"

/ip firewall filter add chain=forward action=accept \
  connection-state=established,related \
  in-interface=Local out-interface=Proxylink \
  comment="ProxyLink return traffic"

# Mangle — exempt ProxyLink traffic from load-balancing policy marks
/ip firewall mangle add chain=prerouting action=accept \
  src-address=192.168.1.0/24 dst-address=10.100.0.0/16 \
  comment="Proxylink"

/ip firewall mangle add chain=prerouting action=accept \
  src-address=10.100.0.0/16 dst-address=192.168.1.0/24 \
  comment="Proxylink"

Do not add srcnat masquerade — it breaks return routing because masquerade in RouterOS runs after the mangle table de-marks the packet.

For multi-VLAN sites (separate VLANs for cameras, PBX, servers), add additional subnets to the WireGuard peer's AllowedIPs and repeat the mangle rules for each VLAN subnet.
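The following check is an added example, not code from the original post or from ProxyLink. It reads RouterOS commands in the one-line form shown above and reports any LAN subnet that lacks a mangle exemption in either direction, plus any srcnat masquerade rule. It assumes the masquerade warning concerns the tunnel interface (`Proxylink`) and that the tunnel range is 10.100.0.0/16 as in the rules above; the second VLAN, 192.168.20.0/24, is a constructed sample.

```python
import ipaddress
import shlex

TUNNEL_NET = "10.100.0.0/16"  # tunnel-side range taken from the post's mangle rules

# Constructed sample: a two-VLAN site where the second VLAN was only half configured
SAMPLE_CONFIG = r'''
/ip firewall mangle add chain=prerouting action=accept \
  src-address=192.168.1.0/24 dst-address=10.100.0.0/16 comment="Proxylink"
/ip firewall mangle add chain=prerouting action=accept \
  src-address=10.100.0.0/16 dst-address=192.168.1.0/24 comment="Proxylink"
/ip firewall mangle add chain=prerouting action=accept \
  src-address=192.168.20.0/24 dst-address=10.100.0.0/16 comment="Proxylink"
/ip firewall nat add chain=srcnat action=masquerade out-interface=Proxylink
'''

def parse_rules(text):
    """Yield (table, params) for each '/ip firewall <table> add ...' command."""
    joined = text.replace("\\\n", " ")  # fold RouterOS line continuations
    for line in joined.splitlines():
        words = shlex.split(line)
        if words[:2] == ["/ip", "firewall"] and len(words) > 3 and words[3] == "add":
            yield words[2], dict(w.split("=", 1) for w in words[4:] if "=" in w)

def audit(text, lan_subnets, tunnel_net=TUNNEL_NET, tunnel_if="Proxylink"):
    """Return findings: missing mangle exemptions and masquerade on the tunnel."""
    net = lambda s: ipaddress.ip_network(s, strict=False)
    tunnel = net(tunnel_net)
    exempt, findings = [], []
    for table, p in parse_rules(text):
        if (table == "mangle" and p.get("chain") == "prerouting"
                and p.get("action") == "accept"
                and "src-address" in p and "dst-address" in p):
            exempt.append((net(p["src-address"]), net(p["dst-address"])))
        elif (table == "nat" and p.get("chain") == "srcnat"
                and p.get("action") == "masquerade" and p.get("out-interface") == tunnel_if):
            findings.append(f"srcnat masquerade on {tunnel_if}")
    # A direction counts as exempt if some rule's src/dst ranges contain both ends
    covered = lambda a, b: any(a.subnet_of(s) and b.subnet_of(d) for s, d in exempt)
    for lan in map(net, lan_subnets):
        if not covered(lan, tunnel):
            findings.append(f"missing mangle exemption {lan} -> {tunnel}")
        if not covered(tunnel, lan):
            findings.append(f"missing mangle exemption {tunnel} -> {lan}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ["192.168.1.0/24", "192.168.20.0/24"]):
        print(finding)
```

Pass the same subnet list that is configured on the WireGuard peer, so the allowed subnets and the mangle exemptions are checked against one source.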

What You Get

  • Browser RDP to any Windows PC behind the router — no client software
  • Session recording (optional) — full audit trail with timestamps
  • Team access controls — assign specific devices to specific engineers
  • SSH and VNC in the same interface — one URL per device, not one VPN config per site
  • Zero open ports on the client network — the router initiates outbound to your relay, nothing inbound

The same tunnel that gives you RDP also gives you HTTP access to the NVR web UI, the PBX admin panel, or the switch management page — all through the browser, all without touching those devices.

Try ProxyLink free — Early Access, no card, no limits. One tunnel, the whole LAN.
