homelab-optimized/docs/infrastructure/glinet-travel-networking.md

# 🌐 GL.iNet Travel Networking Infrastructure

**🟡 Intermediate Guide**

This guide covers the complete GL.iNet travel networking setup, including travel routers, IoT gateway, and remote KVM for secure mobile connectivity and remote management.

---

## 🎒 GL.iNet Device Portfolio

### **GL.iNet Comet (GL-RM1) - Remote KVM**

#### **Hardware Specifications**
- **Model**: GL-RM1 Remote KVM over IP
- **Purpose**: Remote server management and troubleshooting
- **Video**: Up to 1920x1200@60Hz resolution
- **USB**: Virtual keyboard and mouse support
- **Network**: Ethernet connection for remote access
- **Power**: USB-C powered, low power consumption
- **Form Factor**: Compact, portable design

#### **Use Cases**
- **Remote Server Management**: Access BIOS, boot sequences, OS installation
- **Headless System Control**: Manage servers without physical access
- **Emergency Recovery**: Fix systems when SSH/network is down
- **Travel Troubleshooting**: Diagnose homelab issues from anywhere
- **Secure Access**: Out-of-band management independent of OS

#### **Integration with Homelab**
```
Homelab Server → GL-RM1 KVM → Network → Tailscale → Travel Device
```

---

### **GL.iNet Slate 7 (GL-BE3600) - Wi-Fi 7 Travel Router**

#### **Hardware Specifications**
- **Model**: GL-BE3600 Dual-Band Wi-Fi 7 Travel Router
- **Wi-Fi Standard**: Wi-Fi 7 (802.11be)
- **Speed**: Up to 3.6 Gbps total throughput
- **Bands**: Dual-band (2.4GHz + 5GHz)
- **Ports**: 1x Gigabit WAN, 1x Gigabit LAN
- **CPU**: Quad-core ARM processor
- **RAM**: 1GB DDR4
- **Storage**: 256MB flash storage
- **Power**: USB-C, portable battery support
- **VPN**: Built-in OpenVPN, WireGuard support

#### **Key Features**
- **Wi-Fi 7 Technology**: Latest wireless standard for maximum performance
- **Travel-Optimized**: Compact form factor, battery operation
- **VPN Client/Server**: Secure tunnel back to homelab
- **Captive Portal Bypass**: Automatic hotel/airport Wi-Fi connection
- **Dual WAN**: Ethernet + Wi-Fi uplink for redundancy
- **Guest Network**: Isolated network for untrusted devices

---

### **GL.iNet Beryl AX (GL-MT3000) - Wi-Fi 6 Pocket Router**

#### **Hardware Specifications**
- **Model**: GL-MT3000 Pocket-Sized Wi-Fi 6 Router
- **Wi-Fi Standard**: Wi-Fi 6 (802.11ax)
- **Speed**: Up to 2.4 Gbps total throughput
- **Bands**: Dual-band (2.4GHz + 5GHz)
- **Ports**: 1x Gigabit WAN/LAN
- **CPU**: Dual-core ARM Cortex-A53
- **RAM**: 512MB DDR4
- **Storage**: 128MB flash storage
- **Power**: USB-C, ultra-portable
- **Battery**: Optional external battery pack

#### **Use Cases**
- **Ultra-Portable Networking**: Smallest form factor for minimal travel
- **Hotel Room Setup**: Instant secure Wi-Fi in accommodations
- **Conference Networking**: Secure connection at events
- **Backup Connectivity**: Secondary router for redundancy
- **IoT Device Management**: Isolated network for smart devices

---

### **GL.iNet Mango (GL-MT300N-V2) - Compact Travel Router**

#### **Hardware Specifications**
- **Model**: GL-MT300N-V2 Mini Travel Router
- **Wi-Fi Standard**: Wi-Fi 4 (802.11n)
- **Speed**: Up to 300 Mbps
- **Band**: Single-band (2.4GHz)
- **Ports**: 1x Fast Ethernet WAN/LAN
- **CPU**: Single-core MIPS processor
- **RAM**: 128MB DDR2
- **Storage**: 16MB flash storage
- **Power**: Micro-USB, very low power
- **Size**: Ultra-compact, credit card sized

#### **Use Cases**
- **Emergency Connectivity**: Basic internet access when needed
- **Legacy Device Support**: Connect older devices to modern networks
- **IoT Prototyping**: Simple network for development projects
- **Backup Router**: Ultra-portable emergency networking
- **Budget Travel**: Cost-effective secure connectivity

---

### **GL.iNet S200 - Multi-Protocol IoT Gateway**

#### **Hardware Specifications**
- **Model**: GL-S200 Multi-Protocol IoT Gateway
- **Protocols**: Thread, Zigbee, Matter, Wi-Fi
- **Thread**: Thread Border Router functionality
- **Zigbee**: Zigbee 3.0 coordinator support
- **Matter**: Matter over Thread/Wi-Fi support
- **CPU**: ARM Cortex-A7 processor
- **RAM**: 256MB DDR3
- **Storage**: 128MB flash storage
- **Network**: Ethernet, Wi-Fi connectivity
- **Power**: USB-C powered

#### **IoT Integration**
- **Smart Home Hub**: Central control for IoT devices
- **Protocol Translation**: Bridge between different IoT standards
- **Remote Management**: Control IoT devices via Tailscale
- **Travel IoT**: Portable smart home setup for extended stays
- **Development Platform**: IoT protocol testing and development

---

## 🗺️ Travel Networking Architecture

### **Multi-Layer Connectivity Strategy**
```
Internet (Hotel/Airport/Cellular)
    │
    ├── GL-BE3600 (Primary Wi-Fi 7 Router)
    │   ├── Secure Tunnel → Tailscale → Homelab
    │   ├── Guest Network (Untrusted devices)
    │   └── Private Network (Trusted devices)
    │
    ├── GL-MT3000 (Backup Wi-Fi 6 Router)
    │   └── Secondary VPN Connection
    │
    ├── GL-MT300N-V2 (Emergency Router)
    │   └── Basic connectivity fallback
    │
    └── GL-S200 (IoT Gateway)
        └── Smart device management
```

### **Redundancy & Failover**
- **Primary**: GL-BE3600 with Wi-Fi 7 for maximum performance
- **Secondary**: GL-MT3000 for backup connectivity
- **Emergency**: GL-MT300N-V2 for basic internet access
- **Specialized**: GL-S200 for IoT device management

---

## 🏠 Current Homelab Deployment

Both GL-MT3000 and GL-BE3600 are deployed as **permanent infrastructure** in the homelab (not travel use), connected to Headscale and providing subnet routing.

### GL-MT3000 — IoT/HA Gateway

| Property | Value |
|----------|-------|
| **Role** | Gateway for jellyfish + Home Assistant |
| **LAN** | `192.168.12.0/24` (gateway: `192.168.12.1`) |
| **WAN** | Separate uplink (`76.93.214.253`) — not on home LAN |
| **Tailscale IP** | `100.126.243.15` |
| **Tailscale version** | `1.92.5-tiny` (GL-inet custom build) |
| **Subnet route** | `192.168.12.0/24` (approved in Headscale) |
| **SSH** | `ssh gl-mt3000` (dropbear, key auth) |

Devices on `192.168.12.0/24` accessible via Tailscale:
- `jellyfish` (`100.69.121.120`) — jump host / device
- `homeassistant` (`100.112.186.90`) — Home Assistant OS

### GL-BE3600 — Wi-Fi Repeater

| Property | Value |
|----------|-------|
| **Role** | Wi-Fi repeater on home network |
| **Management IP** | `192.168.68.53` (upstream LAN) |
| **Own LAN** | `192.168.8.0/24` (gateway: `192.168.8.1`) |
| **Tailscale IP** | `100.105.59.123` |
| **Tailscale version** | `1.90.9-tiny` (GL-inet custom build) |
| **Subnet route** | `192.168.8.0/24` (approved in Headscale) |
| **SSH** | `ssh gl-be3600` (dropbear, key auth) |

> **Note**: GL-BE3600 ports are filtered from homelab VM (`192.168.0.210`) and NUC (`192.168.68.x`). It is only directly reachable from its own `192.168.8.x` LAN — or via its Tailscale IP (`100.105.59.123`).

---

## 🔑 SSH Access

Both routers use **dropbear SSH** (not OpenSSH). Authorized keys are stored at `/etc/dropbear/authorized_keys`.

```bash
# Connect via Tailscale (preferred)
ssh gl-mt3000    # 100.126.243.15, root
ssh gl-be3600    # 100.105.59.123, root

# Add a new SSH key manually (from the router shell)
echo "ssh-ed25519 AAAA... your-key-comment" >> /etc/dropbear/authorized_keys
```

SSH config entries (in `~/.ssh/config` on homelab VM):
```
Host gl-mt3000
    HostName 100.126.243.15
    User root

Host gl-be3600
    HostName 100.105.59.123
    User root
```

---

## 📡 Headscale / Tailscale Setup on GL-inet Routers

GL-inet routers ship with a custom Tailscale build (`tailscale-tiny`). The standard install script does not work — use the GL-inet package manager or the pre-installed binary.

### Joining Headscale

```bash
# 1. Generate a pre-auth key on the Headscale server
ssh calypso
sudo /usr/local/bin/docker exec headscale headscale preauthkeys create --user <numeric-user-id> --expiration 1h
# Note: --user requires numeric ID in Headscale v0.28, not username
# Find ID with: sudo /usr/local/bin/docker exec headscale headscale users list

# 2. On the GL-inet router shell:
tailscale up --login-server=https://headscale.vish.gg:8443 --authkey=<preauthkey> --accept-routes --advertise-routes=192.168.X.0/24 --advertise-exit-node --hostname=gl-<model>

# 3. Approve the subnet route and exit node on Headscale:
sudo /usr/local/bin/docker exec headscale headscale nodes list  # get node ID
sudo /usr/local/bin/docker exec headscale headscale nodes approve-routes -i <ID> -r '0.0.0.0/0,::/0,192.168.X.0/24'
```

### Tailscale Status

```bash
# Check status on the router
ssh gl-mt3000 "tailscale status"
ssh gl-be3600 "tailscale status"

# Check from Headscale
ssh calypso "sudo /usr/local/bin/docker exec headscale headscale nodes list"
```

### Headscale v0.28 Command Reference

| Old command | New command |
|-------------|-------------|
| `headscale routes list` | `headscale nodes list-routes --identifier <ID>` |
| `headscale routes enable -r <ID>` | `headscale nodes approve-routes --identifier <ID> --routes <CIDR>` |
| `headscale preauthkeys create --user <name>` | `headscale preauthkeys create --user <numeric-id>` |

---

## 🔄 Tailscale Autostart on Boot

### How GL-inet Manages Tailscale

GL-inet routers use a custom wrapper script `/usr/bin/gl_tailscale` that is called on boot by the `tailscale` init service. This wrapper reads UCI config from `/etc/config/tailscale` and constructs the `tailscale up` command automatically.

**Important**: The GL-inet wrapper calls `tailscale up --reset ...` on every boot, which wipes any flags set manually or stored in the state file. This means `--login-server`, `--advertise-exit-node`, and `--hostname` must be baked into the wrapper script itself — they cannot be set once and remembered.

### Current Configuration (both routers)

Both routers have been patched so `/usr/bin/gl_tailscale` always passes the correct flags on boot. The relevant line in the wrapper:

**gl-be3600:**
```sh
timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s \
  --accept-dns=false \
  --login-server=https://headscale.vish.gg:8443 \
  --advertise-exit-node \
  --hostname=gl-be3600 > /dev/null
```

**gl-mt3000:**
```sh
timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s \
  --accept-dns=false \
  --login-server=https://headscale.vish.gg:8443 \
  --advertise-exit-node \
  --hostname=gl-mt3000 > /dev/null
```

The `$param` variable is built by the wrapper from UCI settings and includes `--advertise-routes=192.168.X.0/24` automatically based on `lan_enabled=1` in `/etc/config/tailscale`.

### Persistence Across Firmware Upgrades

Both routers have `/etc/sysupgrade.conf` entries to preserve the patched files:

```
/usr/sbin/tailscale
/usr/sbin/tailscaled
/etc/config/tailscale
/usr/bin/gl_tailscale
/etc/init.d/tailscale-up
```

### Re-applying the Patch After Firmware Upgrade

If a firmware upgrade overwrites `/usr/bin/gl_tailscale` (check with `tailscale status` — if "Logged out", patch was lost):

```bash
# SSH to the router
ssh gl-be3600  # or gl-mt3000

# Edit the gl_tailscale wrapper
vi /usr/bin/gl_tailscale

# Find the tailscale up line (around line 226):
#   timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false > /dev/null
# Change it to (for be3600):
#   timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false --login-server=https://headscale.vish.gg:8443 --advertise-exit-node --hostname=gl-be3600 > /dev/null

# Or use sed:
sed -i 's|tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false|tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false --login-server=https://headscale.vish.gg:8443 --advertise-exit-node --hostname=gl-be3600|' /usr/bin/gl_tailscale
```

### update-tailscale.sh

There is a community script at `/root/update-tailscale.sh` on both routers — this is the [GL-inet Tailscale Updater by Admon](https://github.com/Admonstrator/glinet-tailscale-updater). It updates the `tailscale`/`tailscaled` binaries to a newer version than GL-inet ships in firmware. It also restores `/usr/bin/gl_tailscale` from `/rom` before patching for SSH support — **re-apply the headscale patch after running this script**.

---

## 🔧 Configuration & Setup

### **GL-BE3600 Primary Setup**

#### **Initial Configuration**
```bash
# Access router admin panel
http://192.168.8.1

# Configure WAN connection
- Set to DHCP for hotel/public Wi-Fi
- Configure static IP if needed
- Enable MAC address cloning for captive portals

# Configure VPN
- Enable WireGuard client
- Import Tailscale configuration
- Set auto-connect on boot
```

#### **Network Segmentation**
```bash
# Private Network (192.168.8.0/24)
- Trusted devices (laptop, phone, tablet)
- Full access to homelab via VPN
- Local device communication allowed

# Guest Network (192.168.9.0/24)
- Untrusted devices
- Internet-only access
- Isolated from private network
```

### **Remote KVM (GL-RM1) Setup**

#### **Physical Connection**
```bash
# Connect to target server
1. USB-A to server for keyboard/mouse emulation
2. HDMI/VGA to server for video capture
3. Ethernet to network for remote access
4. USB-C for power

# Network Configuration
- Assign static IP: 192.168.8.100
- Configure port forwarding: 8080 → 80
- Enable HTTPS for secure access
```

#### **Tailscale Integration**
```bash
# Install Tailscale on KVM device
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --accept-routes

# Access via Tailscale
https://gl-rm1.tail.vish.gg
```

### **IoT Gateway (GL-S200) Configuration**

#### **Thread Border Router Setup**
```bash
# Enable Thread functionality
- Configure as Thread Border Router
- Set network credentials
- Enable Matter support

# Zigbee Coordinator Setup
- Configure Zigbee channel
- Set network key
- Enable device pairing mode
```

---

## 🛡️ Security Configuration

### **VPN Security**
- **WireGuard Tunnels**: All traffic encrypted back to homelab
- **Kill Switch**: Block internet if VPN disconnects
- **DNS Security**: Use homelab Pi-hole for ad blocking
- **Firewall Rules**: Strict ingress/egress filtering

### **Network Isolation**
- **Guest Network**: Completely isolated from private devices
- **IoT Segmentation**: Smart devices on separate VLAN
- **Management Network**: KVM and admin access isolated
- **Zero Trust**: All connections authenticated and encrypted

### **Access Control**
- **Strong Passwords**: Unique passwords for each device
- **SSH Keys**: Key-based authentication where possible
- **Regular Updates**: Firmware updates for security patches
- **Monitoring**: Log analysis for suspicious activity

---

## 📱 Mobile Device Integration

### **Seamless Connectivity**
```bash
# Device Auto-Connection Priority
1. GL-BE3600 (Primary Wi-Fi 7)
2. GL-MT3000 (Backup Wi-Fi 6)
3. GL-MT300N-V2 (Emergency)
4. Cellular (Last resort)

# Tailscale Configuration
- All devices connected to Tailscale mesh
- Automatic failover between networks
- Consistent homelab access regardless of uplink
```

### **Performance Optimization**
- **Wi-Fi 7**: Maximum throughput for data-intensive tasks
- **QoS**: Prioritize critical traffic (VPN, video calls)
- **Band Steering**: Automatic 2.4GHz/5GHz selection
- **Load Balancing**: Distribute devices across routers

---

## 🔍 Monitoring & Management

### **Remote Monitoring**
- **Router Status**: Monitor via web interface and mobile app
- **VPN Health**: Check tunnel status and throughput
- **Device Connectivity**: Track connected devices and usage
- **Performance Metrics**: Bandwidth, latency, packet loss

### **Troubleshooting Tools**
- **Network Diagnostics**: Built-in ping, traceroute, speed test
- **Log Analysis**: System logs for connection issues
- **Remote Access**: SSH access for advanced configuration
- **Factory Reset**: Hardware reset button for recovery

---

## 🎯 Use Case Scenarios

### **Business Travel**
1. **Hotel Setup**: GL-BE3600 for secure Wi-Fi, KVM for server access
2. **Conference**: GL-MT3000 for portable networking
3. **Emergency**: GL-MT300N-V2 for basic connectivity
4. **IoT Devices**: GL-S200 for smart device management

### **Extended Stay**
1. **Primary Network**: GL-BE3600 with full homelab access
2. **Smart Home**: GL-S200 for temporary IoT setup
3. **Backup Connectivity**: Multiple routers for redundancy
4. **Remote Management**: KVM for homelab troubleshooting

### **Digital Nomad**
1. **Mobile Office**: Secure, high-speed connectivity anywhere
2. **Content Creation**: High-bandwidth for video uploads
3. **Development Work**: Full access to homelab resources
4. **IoT Projects**: Portable development environment

---

## 📋 Maintenance & Updates

### **Regular Tasks**
- **Firmware Updates**: Monthly security and feature updates
- **Configuration Backup**: Export settings before changes
- **Performance Testing**: Regular speed and latency tests
- **Security Audit**: Review firewall rules and access logs

### **Travel Checklist**
- [ ] All devices charged and firmware updated
- [ ] VPN configurations tested and working
- [ ] Backup connectivity options verified
- [ ] Emergency contact information accessible
- [ ] Documentation and passwords secured

---

## 🔗 Integration with Homelab

### **Tailscale Mesh Network**
- **Seamless Access**: All GL.iNet devices join Tailscale mesh
- **Split-Brain DNS**: Local hostname resolution while traveling
- **Subnet Routing**: Access homelab subnets via travel routers
- **Exit Nodes**: Route internet traffic through homelab

### **Service Access**
- **Media Streaming**: Plex, Jellyfin via high-speed VPN
- **Development**: GitLab, Portainer, development environments
- **Productivity**: Paperless-NGX, Vaultwarden, file sync
- **Monitoring**: Grafana, Uptime Kuma for homelab status

---

*This GL.iNet travel networking infrastructure provides enterprise-level connectivity and security for mobile work, ensuring seamless access to homelab resources from anywhere in the world.*

*Last Updated*: 2026-03-11 (added Tailscale autostart section, gl_tailscale patch details, update-tailscale.sh note)