# 🌐 GL.iNet Travel Networking Infrastructure

**🟡 Intermediate Guide**

This guide covers the complete GL.iNet travel networking setup, including travel routers, IoT gateway, and remote KVM for secure mobile connectivity and remote management.

---

## 🎒 GL.iNet Device Portfolio

### **GL.iNet Comet (GL-RM1) - Remote KVM**

#### **Hardware Specifications**
- **Model**: GL-RM1 Remote KVM over IP
- **Purpose**: Remote server management and troubleshooting
- **Video**: Up to 1920x1200@60Hz resolution
- **USB**: Virtual keyboard and mouse support
- **Network**: Ethernet connection for remote access
- **Power**: USB-C powered, low power consumption
- **Form Factor**: Compact, portable design

#### **Use Cases**
- **Remote Server Management**: Access BIOS, boot sequences, OS installation
- **Headless System Control**: Manage servers without physical access
- **Emergency Recovery**: Fix systems when SSH/network is down
- **Travel Troubleshooting**: Diagnose homelab issues from anywhere
- **Secure Access**: Out-of-band management independent of OS

#### **Integration with Homelab**
```
Homelab Server → GL-RM1 KVM → Network → Tailscale → Travel Device
```

---

### **GL.iNet Slate 7 (GL-BE3600) - Wi-Fi 7 Travel Router**

#### **Hardware Specifications**
- **Model**: GL-BE3600 Dual-Band Wi-Fi 7 Travel Router
- **Wi-Fi Standard**: Wi-Fi 7 (802.11be)
- **Speed**: Up to 3.6 Gbps total throughput
- **Bands**: Dual-band (2.4GHz + 5GHz)
- **Ports**: 1x Gigabit WAN, 1x Gigabit LAN
- **CPU**: Quad-core ARM processor
- **RAM**: 1GB DDR4
- **Storage**: 256MB flash storage
- **Power**: USB-C, portable battery support
- **VPN**: Built-in OpenVPN, WireGuard support

#### **Key Features**
- **Wi-Fi 7 Technology**: Latest wireless standard for maximum performance
- **Travel-Optimized**: Compact form factor, battery operation
- **VPN Client/Server**: Secure tunnel back to homelab
- **Captive Portal Bypass**: Automatic hotel/airport Wi-Fi connection
- **Dual WAN**: Ethernet + Wi-Fi uplink for
redundancy
- **Guest Network**: Isolated network for untrusted devices

---

### **GL.iNet Beryl AX (GL-MT3000) - Wi-Fi 6 Pocket Router**

#### **Hardware Specifications**
- **Model**: GL-MT3000 Pocket-Sized Wi-Fi 6 Router
- **Wi-Fi Standard**: Wi-Fi 6 (802.11ax)
- **Speed**: Up to 2.4 Gbps total throughput
- **Bands**: Dual-band (2.4GHz + 5GHz)
- **Ports**: 1x Gigabit WAN/LAN
- **CPU**: Dual-core ARM Cortex-A53
- **RAM**: 512MB DDR4
- **Storage**: 128MB flash storage
- **Power**: USB-C, ultra-portable
- **Battery**: Optional external battery pack

#### **Use Cases**
- **Ultra-Portable Networking**: Smallest form factor for minimal travel
- **Hotel Room Setup**: Instant secure Wi-Fi in accommodations
- **Conference Networking**: Secure connection at events
- **Backup Connectivity**: Secondary router for redundancy
- **IoT Device Management**: Isolated network for smart devices

---

### **GL.iNet Mango (GL-MT300N-V2) - Compact Travel Router**

#### **Hardware Specifications**
- **Model**: GL-MT300N-V2 Mini Travel Router
- **Wi-Fi Standard**: Wi-Fi 4 (802.11n)
- **Speed**: Up to 300 Mbps
- **Band**: Single-band (2.4GHz)
- **Ports**: 1x Fast Ethernet WAN/LAN
- **CPU**: Single-core MIPS processor
- **RAM**: 128MB DDR2
- **Storage**: 16MB flash storage
- **Power**: Micro-USB, very low power
- **Size**: Ultra-compact, credit card sized

#### **Use Cases**
- **Emergency Connectivity**: Basic internet access when needed
- **Legacy Device Support**: Connect older devices to modern networks
- **IoT Prototyping**: Simple network for development projects
- **Backup Router**: Ultra-portable emergency networking
- **Budget Travel**: Cost-effective secure connectivity

---

### **GL.iNet S200 - Multi-Protocol IoT Gateway**

#### **Hardware Specifications**
- **Model**: GL-S200 Multi-Protocol IoT Gateway
- **Protocols**: Thread, Zigbee, Matter, Wi-Fi
- **Thread**: Thread Border Router functionality
- **Zigbee**: Zigbee 3.0 coordinator support
- **Matter**: Matter over Thread/Wi-Fi support
- **CPU**: ARM Cortex-A7 processor
- **RAM**: 256MB DDR3
- **Storage**: 128MB flash storage
- **Network**: Ethernet, Wi-Fi connectivity
- **Power**: USB-C powered

#### **IoT Integration**
- **Smart Home Hub**: Central control for IoT devices
- **Protocol Translation**: Bridge between different IoT standards
- **Remote Management**: Control IoT devices via Tailscale
- **Travel IoT**: Portable smart home setup for extended stays
- **Development Platform**: IoT protocol testing and development

---

## 🗺️ Travel Networking Architecture

### **Multi-Layer Connectivity Strategy**
```
Internet (Hotel/Airport/Cellular)
    │
    ├── GL-BE3600 (Primary Wi-Fi 7 Router)
    │   ├── Secure Tunnel → Tailscale → Homelab
    │   ├── Guest Network (Untrusted devices)
    │   └── Private Network (Trusted devices)
    │
    ├── GL-MT3000 (Backup Wi-Fi 6 Router)
    │   └── Secondary VPN Connection
    │
    ├── GL-MT300N-V2 (Emergency Router)
    │   └── Basic connectivity fallback
    │
    └── GL-S200 (IoT Gateway)
        └── Smart device management
```

### **Redundancy & Failover**
- **Primary**: GL-BE3600 with Wi-Fi 7 for maximum performance
- **Secondary**: GL-MT3000 for backup connectivity
- **Emergency**: GL-MT300N-V2 for basic internet access
- **Specialized**: GL-S200 for IoT device management

---

## 🏠 Current Homelab Deployment

GL-MT3600BE and GL-BE3600 are deployed as **permanent infrastructure** in the homelab, connected to Headscale and providing subnet routing. GL-MT3000 is retired as a spare/travel router.

### GL-MT3600BE (Beryl 7) — Primary Gateway

| Property | Value |
|----------|-------|
| **Model** | GL-MT3600BE (Beryl 7) |
| **Role** | Primary gateway for jellyfish, moon, Home Assistant |
| **Firmware** | 4.8.5 (OpenWrt 21.02-SNAPSHOT, mediatek/mt7987) |
| **CPU** | Dual-core ARM Cortex-A53 (aarch64) |
| **RAM** | 512MB |
| **Storage** | 354MB overlay |
| **Wi-Fi** | Wi-Fi 7 (802.11be) — 2.4GHz + 5GHz, MLO support |
| **SSID** | `Aquabroom` (2.4G), `Aquabroom_5G` (5G), `Aquabroom_MLO` (MLO) |
| **LAN** | `192.168.12.0/24` (gateway: `192.168.12.1`) |
| **WAN** | Spectrum cable (`76.93.212.229/20`) |
| **Tailscale IP** | `100.64.0.10` |
| **Headscale node** | ID:28 (`gl-mt3600be`) |
| **Tailscale version** | 1.80.3 |
| **Subnet route** | `192.168.12.0/24` (approved) |
| **Exit node** | Yes (approved: `0.0.0.0/0`, `::/0`) |
| **SSH** | `ssh root@192.168.12.1` via jellyfish (dropbear, key auth) |
| **Speedtest** | ~1074 Mbps down / ~38 Mbps up (Spectrum, Mililani HI) |
| **Deployed** | 2026-04-16 |

Devices on `192.168.12.0/24`:
- `jellyfish` (`192.168.12.181` eth0, `.182` wlan0) — Tailscale `100.69.121.120`
- `moon` (`192.168.12.223`) — Tailscale `100.64.0.6`
- `homeassistant` (`100.112.186.90`) — Home Assistant OS

### GL-MT3000 (Beryl AX) — Retired/Spare

| Property | Value |
|----------|-------|
| **Status** | Offline — replaced by GL-MT3600BE |
| **Headscale node** | ID:16 (`gl-mt3000`, offline) |
| **Tailscale IP** | `100.126.243.15` |
| **Notes** | Available as backup/travel router |

### GL-BE3600 (Slate 7) — Wi-Fi Repeater

| Property | Value |
|----------|-------|
| **Role** | Wi-Fi repeater on home network |
| **Management IP** | `192.168.68.53` (upstream LAN) |
| **Own LAN** | `192.168.8.0/24` (gateway: `192.168.8.1`) |
| **Tailscale IP** | `100.105.59.123` |
| **Tailscale version** | `1.90.9-tiny` (GL-inet custom build) |
| **Subnet route** | `192.168.8.0/24` (approved in Headscale) |
| **SSH** | `ssh gl-be3600` (dropbear, key auth) |

> **Note**: GL-BE3600 ports are filtered from homelab VM (`192.168.0.210`) and NUC (`192.168.68.x`). It is only directly reachable from its own `192.168.8.x` LAN — or via its Tailscale IP (`100.105.59.123`).

---

## 🔑 SSH Access

All GL-inet routers use **dropbear SSH** (not OpenSSH). Authorized keys are stored at `/etc/dropbear/authorized_keys`.

```bash
# GL-MT3600BE: reachable via jellyfish (on its LAN)
ssh jellyfish "ssh root@192.168.12.1"

# GL-BE3600: reachable via Tailscale IP
ssh gl-be3600  # 100.105.59.123, root

# Add a new SSH key manually (from the router shell)
echo "ssh-ed25519 AAAA... your-key-comment" >> /etc/dropbear/authorized_keys
```

### Authorized Keys (GL-MT3600BE)

```
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuJ4f8YrXxhvrT+4wSC46myeHLuR98y9kqHAxBIcshx admin@thevish.io
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaNVe8rwzp1OtxOJO92U/3LDPUjDnBK5DCgTuwkBxVI lulu@jellyfish
```

---

## 📡 Headscale / Tailscale Setup on GL-inet Routers

GL-inet routers ship with a custom Tailscale build (`tailscale-tiny`). The standard install script does not work — use the GL-inet package manager or the pre-installed binary.

### Joining Headscale

```bash
# 1. Generate a pre-auth key on the Headscale server
ssh calypso
sudo /usr/local/bin/docker exec headscale headscale preauthkeys create --user <numeric-user-id> --expiration 1h
# Note: --user requires numeric ID in Headscale v0.28, not username
# Find ID with: sudo /usr/local/bin/docker exec headscale headscale users list

# 2. On the GL-inet router shell:
tailscale up \
  --login-server=https://headscale.vish.gg:8443 \
  --authkey=<preauth-key> \
  --accept-routes \
  --advertise-routes=192.168.X.0/24 \
  --advertise-exit-node \
  --hostname=gl-<model>

# 3. Approve the subnet route and exit node on Headscale:
sudo /usr/local/bin/docker exec headscale headscale nodes list  # get node ID
sudo /usr/local/bin/docker exec headscale headscale nodes approve-routes -i <node-id> -r '0.0.0.0/0,::/0,192.168.X.0/24'
```

### Tailscale Status

```bash
# Check status on the router
ssh gl-mt3000 "tailscale status"
ssh gl-be3600 "tailscale status"

# Check from Headscale
ssh calypso "sudo /usr/local/bin/docker exec headscale headscale nodes list"
```

### Headscale v0.28 Command Reference

| Old command | New command |
|-------------|-------------|
| `headscale routes list` | `headscale nodes list-routes --identifier <node-id>` |
| `headscale routes enable -r <route-id>` | `headscale nodes approve-routes --identifier <node-id> --routes <routes>` |
| `headscale preauthkeys create --user <username>` | `headscale preauthkeys create --user <numeric-user-id>` |

---

## 🔄 Tailscale Autostart on Boot

### How GL-inet Manages Tailscale

GL-inet routers use a custom wrapper script `/usr/bin/gl_tailscale` that is called on boot by the `tailscale` init service. This wrapper reads UCI config from `/etc/config/tailscale` and constructs the `tailscale up` command automatically.

**Important**: The GL-inet wrapper calls `tailscale up --reset ...` on every boot, which wipes any flags set manually or stored in the state file. This means `--login-server`, `--advertise-exit-node`, and `--hostname` must be baked into the wrapper script itself — they cannot be set once and remembered.

### Current Configuration (both routers)

Both routers have been patched so `/usr/bin/gl_tailscale` always passes the correct flags on boot.
The relevant line in the wrapper:

**gl-be3600:**
```sh
timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s \
    --accept-dns=false \
    --login-server=https://headscale.vish.gg:8443 \
    --advertise-exit-node \
    --hostname=gl-be3600 > /dev/null
```

**gl-mt3000:**
```sh
timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s \
    --accept-dns=false \
    --login-server=https://headscale.vish.gg:8443 \
    --advertise-exit-node \
    --hostname=gl-mt3000 > /dev/null
```

The `$param` variable is built by the wrapper from UCI settings and includes `--advertise-routes=192.168.X.0/24` automatically based on `lan_enabled=1` in `/etc/config/tailscale`.

### Persistence Across Firmware Upgrades

Both routers have `/etc/sysupgrade.conf` entries to preserve the patched files:

```
/usr/sbin/tailscale
/usr/sbin/tailscaled
/etc/config/tailscale
/usr/bin/gl_tailscale
/etc/init.d/tailscale-up
```

### Re-applying the Patch After Firmware Upgrade

If a firmware upgrade overwrites `/usr/bin/gl_tailscale` (check with `tailscale status` — if "Logged out", patch was lost):

```bash
# SSH to the router
ssh gl-be3600  # or gl-mt3000

# Edit the gl_tailscale wrapper
vi /usr/bin/gl_tailscale

# Find the tailscale up line (around line 226):
#   timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false > /dev/null
# Change it to (for be3600):
#   timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false --login-server=https://headscale.vish.gg:8443 --advertise-exit-node --hostname=gl-be3600 > /dev/null

# Or use sed:
sed -i 's|tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false|tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false --login-server=https://headscale.vish.gg:8443 --advertise-exit-node --hostname=gl-be3600|' /usr/bin/gl_tailscale
```

### update-tailscale.sh

There is a community script at `/root/update-tailscale.sh` on both routers — this is the
[GL-inet Tailscale Updater by Admon](https://github.com/Admonstrator/glinet-tailscale-updater). It updates the `tailscale`/`tailscaled` binaries to a newer version than GL-inet ships in firmware. It also restores `/usr/bin/gl_tailscale` from `/rom` before patching for SSH support — **re-apply the headscale patch after running this script**.

---

## 🔧 Configuration & Setup

### **GL-BE3600 Primary Setup**

#### **Initial Configuration**
```bash
# Access router admin panel
http://192.168.8.1

# Configure WAN connection
- Set to DHCP for hotel/public Wi-Fi
- Configure static IP if needed
- Enable MAC address cloning for captive portals

# Configure VPN
- Enable WireGuard client
- Import Tailscale configuration
- Set auto-connect on boot
```

#### **Network Segmentation**
```bash
# Private Network (192.168.8.0/24)
- Trusted devices (laptop, phone, tablet)
- Full access to homelab via VPN
- Local device communication allowed

# Guest Network (192.168.9.0/24)
- Untrusted devices
- Internet-only access
- Isolated from private network
```

### **Remote KVM (GL-RM1) Setup**

#### **Physical Connection**
```bash
# Connect to target server
1. USB-A to server for keyboard/mouse emulation
2. HDMI/VGA to server for video capture
3. Ethernet to network for remote access
4. USB-C for power

# Network Configuration
- Assign static IP: 192.168.8.100
- Configure port forwarding: 8080 → 80
- Enable HTTPS for secure access
```

#### **Tailscale Integration**
```bash
# Install Tailscale on KVM device
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --accept-routes

# Access via Tailscale
https://gl-rm1.tail.vish.gg
```

### **IoT Gateway (GL-S200) Configuration**

#### **Thread Border Router Setup**
```bash
# Enable Thread functionality
- Configure as Thread Border Router
- Set network credentials
- Enable Matter support

# Zigbee Coordinator Setup
- Configure Zigbee channel
- Set network key
- Enable device pairing mode
```

---

## 🛡️ Security Configuration

### **VPN Security**
- **WireGuard Tunnels**: All traffic encrypted back to homelab
- **Kill Switch**: Block internet if VPN disconnects
- **DNS Security**: Use homelab Pi-hole for ad blocking
- **Firewall Rules**: Strict ingress/egress filtering

### **Network Isolation**
- **Guest Network**: Completely isolated from private devices
- **IoT Segmentation**: Smart devices on separate VLAN
- **Management Network**: KVM and admin access isolated
- **Zero Trust**: All connections authenticated and encrypted

### **Access Control**
- **Strong Passwords**: Unique passwords for each device
- **SSH Keys**: Key-based authentication where possible
- **Regular Updates**: Firmware updates for security patches
- **Monitoring**: Log analysis for suspicious activity

---

## 📱 Mobile Device Integration

### **Seamless Connectivity**
```bash
# Device Auto-Connection Priority
1. GL-BE3600 (Primary Wi-Fi 7)
2. GL-MT3000 (Backup Wi-Fi 6)
3. GL-MT300N-V2 (Emergency)
4. Cellular (Last resort)

# Tailscale Configuration
- All devices connected to Tailscale mesh
- Automatic failover between networks
- Consistent homelab access regardless of uplink
```

### **Performance Optimization**
- **Wi-Fi 7**: Maximum throughput for data-intensive tasks
- **QoS**: Prioritize critical traffic (VPN, video calls)
- **Band Steering**: Automatic 2.4GHz/5GHz selection
- **Load Balancing**: Distribute devices across routers

---

## 🔍 Monitoring & Management

### **Remote Monitoring**
- **Router Status**: Monitor via web interface and mobile app
- **VPN Health**: Check tunnel status and throughput
- **Device Connectivity**: Track connected devices and usage
- **Performance Metrics**: Bandwidth, latency, packet loss

### **Troubleshooting Tools**
- **Network Diagnostics**: Built-in ping, traceroute, speed test
- **Log Analysis**: System logs for connection issues
- **Remote Access**: SSH access for advanced configuration
- **Factory Reset**: Hardware reset button for recovery

---

## 🎯 Use Case Scenarios

### **Business Travel**
1. **Hotel Setup**: GL-BE3600 for secure Wi-Fi, KVM for server access
2. **Conference**: GL-MT3000 for portable networking
3. **Emergency**: GL-MT300N-V2 for basic connectivity
4. **IoT Devices**: GL-S200 for smart device management

### **Extended Stay**
1. **Primary Network**: GL-BE3600 with full homelab access
2. **Smart Home**: GL-S200 for temporary IoT setup
3. **Backup Connectivity**: Multiple routers for redundancy
4. **Remote Management**: KVM for homelab troubleshooting

### **Digital Nomad**
1. **Mobile Office**: Secure, high-speed connectivity anywhere
2. **Content Creation**: High-bandwidth for video uploads
3. **Development Work**: Full access to homelab resources
4. **IoT Projects**: Portable development environment

---

## 📋 Maintenance & Updates

### **Regular Tasks**
- **Firmware Updates**: Monthly security and feature updates
- **Configuration Backup**: Export settings before changes
- **Performance Testing**: Regular speed and latency tests
- **Security Audit**: Review firewall rules and access logs

### **Travel Checklist**
- [ ] All devices charged and firmware updated
- [ ] VPN configurations tested and working
- [ ] Backup connectivity options verified
- [ ] Emergency contact information accessible
- [ ] Documentation and passwords secured

---

## 🔗 Integration with Homelab

### **Tailscale Mesh Network**
- **Seamless Access**: All GL.iNet devices join Tailscale mesh
- **Split-Brain DNS**: Local hostname resolution while traveling
- **Subnet Routing**: Access homelab subnets via travel routers
- **Exit Nodes**: Route internet traffic through homelab

### **Service Access**
- **Media Streaming**: Plex, Jellyfin via high-speed VPN
- **Development**: GitLab, Portainer, development environments
- **Productivity**: Paperless-NGX, Vaultwarden, file sync
- **Monitoring**: Grafana, Uptime Kuma for homelab status

---

*This GL.iNet travel networking infrastructure provides enterprise-level connectivity and security for mobile work, ensuring seamless access to homelab resources from anywhere in the world.*

*Last Updated*: 2026-04-16 (added GL-MT3600BE Beryl 7 deployment, retired GL-MT3000, updated SSH access)
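
The re-apply step from "Re-applying the Patch After Firmware Upgrade" above, as an added example (not GL.iNet's, the updater project's, or this guide's original code): an idempotent version of the `sed` one-liner, which appends the flags a second time if it is run on a file it has already patched. The function names are hypothetical; the wrapper line, flags and login server are the ones quoted in this guide, and the sample wrapper written by `write_sample` is constructed.

```sh
#!/bin/sh
# Added example. Function names are hypothetical; the flags, URL and wrapper
# line are the ones quoted in this guide.
LOGIN_SERVER="https://headscale.vish.gg:8443"
# Stock line as quoted in this guide; [$] matches the literal "$" of "$param".
STOCK_RE='tailscale up --reset --accept-routes [$]param --timeout 3s --accept-dns=false'

# wrapper_state FILE: print "patched", "stock" or "unknown".
wrapper_state() {
    if grep -qF -e "--login-server=$LOGIN_SERVER" "$1"; then
        echo patched
    elif grep -q -e "$STOCK_RE" "$1"; then
        echo stock
    else
        echo unknown    # firmware changed the line: inspect and edit by hand
    fi
}

# patch_wrapper FILE HOSTNAME: returns 0 when FILE carries the flags (already,
# or after patching), 1 when the stock line was not found. Safe to re-run.
patch_wrapper() {
    file=$1; host=$2
    case "$(wrapper_state "$file")" in
        patched) return 0 ;;
        unknown) echo "stock 'tailscale up' line not found in $file" >&2
                 return 1 ;;
    esac
    cp -p "$file" "$file.bak" || return 1    # keep the stock copy for diffing
    sed -i "s|\($STOCK_RE\)|\1 --login-server=$LOGIN_SERVER --advertise-exit-node --hostname=$host|" "$file"
    [ "$(wrapper_state "$file")" = patched ]
}

# flag_count FILE: occurrences of --login-server= (1 when patched exactly once).
flag_count() { grep -oF -e "--login-server=" "$1" | wc -l; }

# write_sample FILE: constructed stand-in for the stock wrapper, for testing.
write_sample() {
    printf '%s\n' '#!/bin/sh' \
      'timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false > /dev/null' > "$1"
}

# On a router: sh patch-gl-tailscale.sh /usr/bin/gl_tailscale gl-be3600
if [ $# -eq 2 ]; then
    patch_wrapper "$1" "$2" && echo "wrapper: $(wrapper_state "$1")"
fi
```

Run it after a firmware upgrade and after `/root/update-tailscale.sh`, since this guide notes that both can put the stock wrapper back.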