A Router / Gateway tunnel is ProxyLink’s most powerful setup. One WireGuard peer on a router covers the entire LAN and all VLANs — cameras, NVRs, PBX systems, switches, printers — without installing anything on those devices.

Supported platforms

| Platform | Support | Notes |
| --- | --- | --- |
| MikroTik RouterOS 7 | ✅ Full | WireGuard native + auto-config |
| pfSense / OPNsense | ✅ Full | WireGuard package |
| OpenWRT | ✅ Full | luci-proto-wireguard package |
| Linux (Debian, Ubuntu, Raspberry Pi) | ✅ Full | Install script, works everywhere |
| Omada (TP-Link) | ⚠️ Limited | WireGuard client mode may not forward traffic to LAN — see note below |
| Most consumer routers | ⚠️ Varies | Depends on whether the firmware supports WireGuard LAN forwarding |

Router requirement: the gateway tunnel requires your router to support WireGuard LAN forwarding — the ability to forward traffic arriving through the WireGuard tunnel to devices on the local network. Some firmware (including certain Omada versions) implements WireGuard in client-only mode and cannot forward tunnel traffic to the LAN. If your router falls into this category, place a dedicated Linux gateway (Raspberry Pi, mini PC, or VM) on the LAN and run WireGuard there instead — it takes about 10 minutes and works reliably.

Setup

1. Create a Router / Gateway tunnel

Go to Tunnels → + New Tunnel → select Router / Gateway. Enter a name and your LAN subnet (e.g. 192.168.1.0/24).

2. Install the config on the router

Click Activate & Download and select your platform.
Use Auto-Config Router for fully automatic setup via SSH. Or download the .rsc script and run it manually in the MikroTik terminal:

```
/import file=proxylink-config.rsc
```

3. Add proxy links for each device

Once the tunnel is connected, go to Proxy Links → + Create Proxy Link. Enter the device’s LAN IP and port. One proxy link per service — repeat for each device or service you want to expose.

Multi-VLAN support

Add extra subnets from the tunnel detail page under Additional Subnets. ProxyLink updates the WireGuard AllowedIPs and routing immediately — no reconnection needed.

Example — Hotel Anna setup:

| VLAN | Subnet | Devices |
| --- | --- | --- |
| Main LAN | 192.168.1.0/24 | Windows PCs, printers, NAS |
| PBX VLAN | 192.168.40.0/24 | PBX admin panel, VoIP phones |
| Camera VLAN | 192.168.20.0/24 | NVR, IP cameras |

One tunnel. All three VLANs accessible through the browser. For each additional VLAN, add matching mangle rules on the router to exempt ProxyLink traffic from load balancing.

Overlapping subnets

If two client sites use the same subnet (e.g. both use 192.168.1.0/24), ProxyLink handles this via NETMAP — each tunnel gets a unique assigned subnet in the 10.128.0.0/9 range for translation. No conflict between clients, no reconfiguration needed on either site.

MikroTik firewall rules

If configuring MikroTik manually, add these rules. Repeat the mangle rules for each additional VLAN subnet:
```
# Forward chain
/ip firewall filter add chain=forward action=accept in-interface=ProxyLink out-interface=Local comment="ProxyLink to LAN"
/ip firewall filter add chain=forward action=accept connection-state=established,related in-interface=Local out-interface=ProxyLink comment="ProxyLink return traffic"

# Mangle — exempt from load-balancing (must be before load-balance rules)
/ip firewall mangle add chain=prerouting action=accept src-address=192.168.1.0/24 dst-address=10.100.0.0/16 comment="ProxyLink"
/ip firewall mangle add chain=prerouting action=accept src-address=10.100.0.0/16 dst-address=192.168.1.0/24 comment="ProxyLink"
```

Do not add srcnat masquerade rules for ProxyLink traffic. Masquerade breaks return routing in RouterOS because mangle runs before NAT de-masquerade. ProxyLink uses NETMAP for overlapping subnet translation, not masquerade.
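
To check a manually configured router against the rules above, the following added example (not ProxyLink's own tooling) audits pasted firewall lines for the per-VLAN mangle exemptions, their position relative to load-balance rules, and srcnat masquerade that would catch tunnel traffic. It assumes rules in the one-line form shown on this page, load balancing done with per-connection-classifier or mark-routing rules, and the 10.100.0.0/16 range and ProxyLink interface name from the rules above; the sample input is constructed.

```python
import shlex

TUNNEL_NET = "10.100.0.0/16"  # tunnel-side range in the page's mangle rules
TUNNEL_IF = "ProxyLink"       # interface name in the page's filter rules

# Constructed sample: 192.168.20.0/24 has no exemptions, 192.168.40.0/24 is misplaced.
SAMPLE = """
/ip firewall mangle add chain=prerouting action=accept src-address=192.168.1.0/24 dst-address=10.100.0.0/16 comment="ProxyLink"
/ip firewall mangle add chain=prerouting action=accept src-address=10.100.0.0/16 dst-address=192.168.1.0/24 comment="ProxyLink"
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=wan2 in-interface=Local
/ip firewall mangle add chain=prerouting action=accept src-address=192.168.40.0/24 dst-address=10.100.0.0/16
/ip firewall mangle add chain=prerouting action=accept src-address=10.100.0.0/16 dst-address=192.168.40.0/24
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
/ip firewall nat add chain=srcnat action=masquerade out-interface=ProxyLink
"""

def parse_rules(text):
    """Return (table, params) for each '/ip firewall <table> add ...' line."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # drops '#' comments, keeps quoted values
        if tok[:2] == ["/ip", "firewall"] and tok[3:4] == ["add"]:
            rules.append((tok[2], dict(t.split("=", 1) for t in tok[4:] if "=" in t)))
    return rules

def audit(text, subnets):
    """List deviations from the page's mangle and NAT guidance for the given subnets."""
    rules = parse_rules(text)
    mangle = [p for t, p in rules if t == "mangle"]
    # Assumption: load balancing shows up as classifier or mark-routing rules.
    first_lb = next((i for i, p in enumerate(mangle)
                     if "per-connection-classifier" in p or p.get("action") == "mark-routing"),
                    len(mangle))
    findings = []
    for net in subnets:
        for src, dst in ((net, TUNNEL_NET), (TUNNEL_NET, net)):
            pos = [i for i, p in enumerate(mangle)
                   if (p.get("chain"), p.get("action")) == ("prerouting", "accept")
                   and (p.get("src-address"), p.get("dst-address")) == (src, dst)]
            if not pos:
                findings.append(f"missing exemption {src} -> {dst}")
            elif pos[0] > first_lb:
                findings.append(f"exemption {src} -> {dst} is below a load-balance rule")
    for table, p in rules:
        oif = p.get("out-interface")  # a rule with no out-interface scope matches the tunnel too
        if (table, p.get("chain"), p.get("action")) == ("nat", "srcnat", "masquerade") and (
                oif == TUNNEL_IF or (oif is None and "out-interface-list" not in p)):
            findings.append(f"srcnat masquerade may catch {TUNNEL_IF} traffic (out-interface={oif})")
    return findings
```

Calling `audit(SAMPLE, [...])` with the three Hotel Anna subnets returns five findings: two misplaced PBX VLAN exemptions, two missing camera VLAN exemptions, and the masquerade rule on the tunnel interface.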

Wake-on-LAN

Set a MAC address on any proxy link and a Wake button appears. ProxyLink sends the magic packet through the tunnel to wake the device remotely — no broadcast relay needed on-site.

LAN scan

From the tunnel detail page, click LAN Scan to discover devices on the network automatically. ProxyLink probes the subnet and fingerprints devices, then lets you create proxy links for all of them in one click.