majorwiki/02-selfhosting/dns-networking/wake-on-lan-router-ssh.md

---
title: Wake-on-LAN via Router SSH
description: Send WOL magic packets through an Asus router over SSH
tags:
  - networking
  - wol
  - asus
  - ssh
created: 2026-04-19
updated: 2026-04-27T00:53
---

# Wake-on-LAN via Router SSH

Most Asus routers running AsusWRT (or Merlin) include `ether-wake` in their BusyBox environment. Combined with SSH access, this lets you wake machines remotely from anywhere — even over a VPN like Tailscale — without needing a dedicated WOL tool on the LAN.

> **Status: Deployed 2026-04-27.** `wake-majormac` script live on MajorMac and MajorRig. Router SSH confirmed working on RT-AX82U (AsusWRT 388, `ether-wake` at `/usr/sbin/ether-wake`). Credentials stored in Ansible vault as `router_username` / `router_password`.

## Prerequisites

- **SSH enabled on the router** — Administration → System → Enable SSH → LAN only
- **Target machine** has WOL enabled in BIOS/firmware
- **MAC address** of the target machine
- `sshpass` installed on the client (for scripted/non-interactive use)

## Router SSH Setup

Asus routers use a non-standard SSH port by default. Check your router's SSH settings for the port number.

```bash
# ~/.ssh/config entry
Host router
  HostName 192.168.50.1
  Port 1025
  User majorlinux
```

> RT-AX82U confirmed on port 1025. `sshpass` required for non-interactive use — install via `brew install sshpass` on Mac.

## Sending a WOL Packet

```bash
# Interactive (will prompt for password)
ssh router 'ether-wake -i br0 AA:BB:CC:DD:EE:FF'

# Non-interactive (password from variable or file)
sshpass -p "$ROUTER_PASS" ssh router 'ether-wake -i br0 AA:BB:CC:DD:EE:FF'
```

- **`-i br0`** — the bridge interface for the LAN. This is `br0` on most Asus routers.
- Replace `AA:BB:CC:DD:EE:FF` with the target machine's MAC address.

## Scripting with Ansible Vault

Router credentials are stored in the Ansible vault as `router_username` and `router_password`. The `wake-majormac` script at `~/.local/bin/wake-majormac` (deployed on MajorMac and MajorRig) handles this automatically:

```bash
#!/usr/bin/env bash
set -euo pipefail

VAULT_FILE="$HOME/MajorAnsible/group_vars/all/vault.yml"
VAULT_PASS_FILE="$HOME/.ansible/vault_pass"
MAC="9c:76:0e:3f:10:58"  # MajorMac (Mac Studio) en0

password=$(ansible-vault view "$VAULT_FILE" --vault-password-file "$VAULT_PASS_FILE" 2>/dev/null \
  | grep '^router_password:' | sed 's/^router_password: *"\{0,1\}\([^"]*\)"\{0,1\}/\1/')

echo "Sending WOL magic packet to MajorMac ($MAC)..."
sshpass -p "$password" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 \
  -p 1025 majorlinux@192.168.50.1 "ether-wake -i br0 $MAC"
echo "Done. MajorMac should wake within ~30 seconds."
```

To wake MajorMac from any machine on the fleet:

```bash
wake-majormac
```

## Troubleshooting

| Issue | Fix |
|-------|-----|
| `Connection refused` | SSH not enabled on router, or wrong port |
| `Permission denied` | Wrong username/password |
| `sshpass: command not found` | `brew install sshpass` on Mac; `apt install sshpass` on Debian |
| Machine doesn't wake | Check `womp 1` in `pmset -g`; verify MAC address; machine must be plugged in |
| `ether-wake: not found` | Router firmware may not include it — check with `which ether-wake` |
| SSH times out | Router SSH is LAN-only; must be on LAN or send via a LAN-connected host |

## Why Not Use a Dedicated WOL Tool?

Tools like `wakeonlan` or `etherwake` on a Linux host work great — but only if that host is on the same LAN subnet. If your management machine connects via VPN (e.g., Tailscale), the magic packet won't traverse the VPN tunnel since WOL relies on Layer 2 broadcast. Sending it from the router sidesteps this entirely.