majorlinux/majorwiki
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
majorwiki/02-selfhosting/dns-networking/wake-on-lan-router-ssh.md
majorlinux 4126656c05 wiki: update fail2ban digest + netdata docker health + 3 new articles 
- fail2ban-digest-mode-fleet: recidive-only email model, sshd now silent,
  defaults-debian.conf gotcha added
- netdata-docker-health-alarm-tuning: 30m/10m config, tuning history table
- New: wp-fail2ban-logpath-debian-ubuntu, lora-adapter-gguf-conversion-fails,
  tailscale-status-json-hostname-localhost-ios
- Various article updates and nav index refreshes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-02 14:58:07 -04:00

2.6 KiB
Raw Blame History

title description tags created updated
Wake-on-LAN via Router SSH Send WOL magic packets through an Asus router over SSH
networking
wol
asus
ssh
2026-04-19 2026-04-30T05:21

Wake-on-LAN via Router SSH

Most Asus routers running AsusWRT (or Merlin) include ether-wake in their BusyBox environment. Combined with SSH access, this lets you wake machines remotely from anywhere — even over a VPN like Tailscale — without needing a dedicated WOL tool on the LAN.

Prerequisites

  • SSH enabled on the router — Administration → System → Enable SSH → LAN only
  • Target machine has WOL enabled in BIOS/firmware
  • MAC address of the target machine
  • sshpass installed on the client (for scripted/non-interactive use)

Router SSH Setup

Asus routers use a non-standard SSH port by default. Check your router's SSH settings for the port number.

# ~/.ssh/config entry
Host router
  HostName 192.168.50.1
  Port 1025
  User <your-username>

Sending a WOL Packet

# Interactive (will prompt for password)
ssh router 'ether-wake -i br0 AA:BB:CC:DD:EE:FF'

# Non-interactive (password from variable or file)
sshpass -p "$ROUTER_PASS" ssh router 'ether-wake -i br0 AA:BB:CC:DD:EE:FF'
  • -i br0 — the bridge interface for the LAN. This is br0 on most Asus routers.
  • Replace AA:BB:CC:DD:EE:FF with the target machine's MAC address.

Scripting with Ansible Vault

If your router password is stored in an Ansible vault, you can pull it at runtime:

#!/usr/bin/env bash
set -euo pipefail

VAULT_FILE="$HOME/MajorAnsible/group_vars/all/vault.yml"
VAULT_PASS_FILE="$HOME/.ansible/vault_pass"

password=$(ansible-vault view "$VAULT_FILE" --vault-password-file "$VAULT_PASS_FILE" 2>/dev/null \
  | grep '^router_password:' | sed 's/^router_password: *"\{0,1\}\([^"]*\)"\{0,1\}/\1/')

sshpass -p "$password" ssh router "ether-wake -i br0 AA:BB:CC:DD:EE:FF"

Troubleshooting

Issue Fix
Connection refused SSH not enabled on router, or wrong port
Permission denied Wrong username/password
Machine doesn't wake Check WOL is enabled in BIOS; verify MAC address; ensure machine is plugged in (not on battery)
ether-wake: not found Router firmware may not include it — check with which ether-wake

Why Not Use a Dedicated WOL Tool?

Tools like wakeonlan or etherwake on a Linux host work great — but only if that host is on the same LAN subnet. If your management machine connects via VPN (e.g., Tailscale), the magic packet won't traverse the VPN tunnel since WOL relies on Layer 2 broadcast. Sending it from the router sidesteps this entirely.