🌐 GL.iNet Travel Networking Infrastructure
🟡 Intermediate Guide
This guide covers the complete GL.iNet travel networking setup, including travel routers, IoT gateway, and remote KVM for secure mobile connectivity and remote management.
🎒 GL.iNet Device Portfolio
GL.iNet Comet (GL-RM1) - Remote KVM
Hardware Specifications
- Model: GL-RM1 Remote KVM over IP
- Purpose: Remote server management and troubleshooting
- Video: Up to 1920x1200@60Hz resolution
- USB: Virtual keyboard and mouse support
- Network: Ethernet connection for remote access
- Power: USB-C powered, low power consumption
- Form Factor: Compact, portable design
Use Cases
- Remote Server Management: Access BIOS, boot sequences, OS installation
- Headless System Control: Manage servers without physical access
- Emergency Recovery: Fix systems when SSH/network is down
- Travel Troubleshooting: Diagnose homelab issues from anywhere
- Secure Access: Out-of-band management independent of OS
Integration with Homelab
Homelab Server → GL-RM1 KVM → Network → Tailscale → Travel Device
GL.iNet Beryl 7 (GL-MT3600BE) - Wi-Fi 7 Primary Gateway
Hardware Specifications
- Model: GL-MT3600BE Dual-Band Wi-Fi 7 Router
- Wi-Fi Standard: Wi-Fi 7 (802.11be) with MLO
- Bands: Dual-band (2.4GHz + 5GHz)
- Ports: 1x 2.5G WAN, 1x 2.5G LAN
- SoC: MediaTek MT7987 (aarch64, quad-core ARM Cortex-A53)
- RAM: 512MB
- Storage: 354MB overlay (OpenWrt 21.02-SNAPSHOT base)
- Firmware: GL-inet 4.8.5
- Power: USB-C PD
Role in Homelab
- Primary gateway at remote subnet (replaced GL-MT3000 on 2026-04-16)
- Handles jellyfish, moon, Home Assistant, and the travel-mode gl-mt3000 (as a wireless client)
- Advertises 192.168.12.0/24 as a Tailscale subnet route + exit node
- Uplink: Spectrum cable (~1074 Mbps down / ~38 Mbps up)
See Current Homelab Deployment below for full details.
GL.iNet Slate 7 (GL-BE3600) - Wi-Fi 7 Travel Router
Hardware Specifications
- Model: GL-BE3600 Dual-Band Wi-Fi 7 Travel Router
- Wi-Fi Standard: Wi-Fi 7 (802.11be)
- Speed: Up to 3.6 Gbps total throughput
- Bands: Dual-band (2.4GHz + 5GHz)
- Ports: 1x Gigabit WAN, 1x Gigabit LAN
- CPU: Quad-core ARM processor
- RAM: 1GB DDR4
- Storage: 256MB flash storage
- Power: USB-C, portable battery support
- VPN: Built-in OpenVPN, WireGuard support
Key Features
- Wi-Fi 7 Technology: Latest wireless standard for maximum performance
- Travel-Optimized: Compact form factor, battery operation
- VPN Client/Server: Secure tunnel back to homelab
- Captive Portal Bypass: Automatic hotel/airport Wi-Fi connection
- Dual WAN: Ethernet + Wi-Fi uplink for redundancy
- Guest Network: Isolated network for untrusted devices
GL.iNet Beryl AX (GL-MT3000) - Wi-Fi 6 Pocket Router
Hardware Specifications
- Model: GL-MT3000 Pocket-Sized Wi-Fi 6 Router
- Wi-Fi Standard: Wi-Fi 6 (802.11ax)
- Speed: Up to 2.4 Gbps total throughput
- Bands: Dual-band (2.4GHz + 5GHz)
- Ports: 1x Gigabit WAN/LAN
- CPU: Dual-core ARM Cortex-A53
- RAM: 512MB DDR4
- Storage: 128MB flash storage
- Power: USB-C, ultra-portable
- Battery: Optional external battery pack
Use Cases
- Ultra-Portable Networking: Smallest form factor for minimal travel
- Hotel Room Setup: Instant secure Wi-Fi in accommodations
- Conference Networking: Secure connection at events
- Backup Connectivity: Secondary router for redundancy
- IoT Device Management: Isolated network for smart devices
GL.iNet Mango (GL-MT300N-V2) - Compact Travel Router
Hardware Specifications
- Model: GL-MT300N-V2 Mini Travel Router
- Wi-Fi Standard: Wi-Fi 4 (802.11n)
- Speed: Up to 300 Mbps
- Band: Single-band (2.4GHz)
- Ports: 1x Fast Ethernet WAN/LAN
- CPU: Single-core MIPS processor
- RAM: 128MB DDR2
- Storage: 16MB flash storage
- Power: Micro-USB, very low power
- Size: Ultra-compact, credit card sized
Use Cases
- Emergency Connectivity: Basic internet access when needed
- Legacy Device Support: Connect older devices to modern networks
- IoT Prototyping: Simple network for development projects
- Backup Router: Ultra-portable emergency networking
- Budget Travel: Cost-effective secure connectivity
GL.iNet S200 - Multi-Protocol IoT Gateway
Hardware Specifications
- Model: GL-S200 Multi-Protocol IoT Gateway
- Protocols: Thread, Zigbee, Matter, Wi-Fi
- Thread: Thread Border Router functionality
- Zigbee: Zigbee 3.0 coordinator support
- Matter: Matter over Thread/Wi-Fi support
- CPU: ARM Cortex-A7 processor
- RAM: 256MB DDR3
- Storage: 128MB flash storage
- Network: Ethernet, Wi-Fi connectivity
- Power: USB-C powered
IoT Integration
- Smart Home Hub: Central control for IoT devices
- Protocol Translation: Bridge between different IoT standards
- Remote Management: Control IoT devices via Tailscale
- Travel IoT: Portable smart home setup for extended stays
- Development Platform: IoT protocol testing and development
🗺️ Travel Networking Architecture
Multi-Layer Connectivity Strategy
Internet (Hotel/Airport/Cellular)
│
├── GL-BE3600 (Primary Wi-Fi 7 Router)
│ ├── Secure Tunnel → Tailscale → Homelab
│ ├── Guest Network (Untrusted devices)
│ └── Private Network (Trusted devices)
│
├── GL-MT3000 (Backup Wi-Fi 6 Router)
│ └── Secondary VPN Connection
│
├── GL-MT300N-V2 (Emergency Router)
│ └── Basic connectivity fallback
│
└── GL-S200 (IoT Gateway)
└── Smart device management
Redundancy & Failover
- Primary: GL-BE3600 with Wi-Fi 7 for maximum performance
- Secondary: GL-MT3000 for backup connectivity
- Emergency: GL-MT300N-V2 for basic internet access
- Specialized: GL-S200 for IoT device management
🏠 Current Homelab Deployment
GL-MT3600BE and GL-BE3600 are deployed as permanent infrastructure connected to Headscale. GL-MT3000 is an active travel router running in repeater mode behind GL-MT3600BE (no longer retired — repurposed 2026-04-18).
GL-MT3600BE (Beryl 7) — Primary Gateway
| Property | Value |
|---|---|
| Model | GL-MT3600BE (Beryl 7) |
| Role | Primary gateway for jellyfish, moon, Home Assistant |
| Firmware | 4.8.5 (OpenWrt 21.02-SNAPSHOT, mediatek/mt7987) |
| CPU | Quad-core ARM Cortex-A53 (aarch64) |
| RAM | 512MB |
| Storage | 354MB overlay |
| Wi-Fi | Wi-Fi 7 (802.11be) — 2.4GHz + 5GHz, MLO support |
| SSID | Aquabroom (2.4G), Aquabroom_5G (5G), Aquabroom_MLO (MLO) |
| LAN | 192.168.12.0/24 (gateway: 192.168.12.1) |
| WAN | Spectrum cable (76.93.212.229/20) |
| Tailscale IP | 100.64.0.10 |
| Headscale node | ID:28 (gl-mt3600be) |
| Tailscale version | 1.92.5 (OpenWrt, upgraded via opkg 2026-04-18 from 1.80.3) |
| Subnet route | 192.168.12.0/24 (approved) |
| Exit node | Yes (approved: 0.0.0.0/0, ::/0) |
| SSH | ssh -J lulu@100.69.121.120 root@192.168.12.1 (ProxyJump via jellyfish) |
| Speedtest | ~1074 Mbps down / ~38 Mbps up (Spectrum, Mililani HI) |
| Deployed | 2026-04-16 |
⚠️ Firmware/package upgrade caveat (observed 2026-04-18): opkg upgrade of the tailscale package wiped /usr/bin/tailscale-watchdog.sh from overlay and rotated the SSH host key for 192.168.12.1. After such upgrades: (1) reinstall the watchdog script, (2) ssh-keygen -R 192.168.12.1 on client, (3) verify tailscale re-auths via the watchdog. Consider adding /usr/bin/tailscale-watchdog.sh to /etc/sysupgrade.conf for persistence.
Devices on 192.168.12.0/24:
- jellyfish (192.168.12.181 eth0, .182 wlan0) — Tailscale 100.69.121.120
- moon (192.168.12.223) — Tailscale 100.64.0.6
- homeassistant (100.112.186.90) — Home Assistant OS
GL-MT3000 (Beryl AX) — Travel Router
| Property | Value |
|---|---|
| Role | Travel router, wireless repeater behind GL-MT3600BE |
| Headscale node | ID:16 (gl-mt3000) |
| Tailscale IP | 100.126.243.15 |
| Tailscale version | 1.96.3-tiny.by.admon.1214 (GL-inet custom build) |
| Own LAN | 192.168.99.0/24 (gateway: 192.168.99.1) |
| Uplink | Wireless client on GL-MT3600BE's 192.168.12.0/24 (DHCP lease 192.168.12.146) |
| Advertises | Exit node only (0.0.0.0/0, ::/0) — no subnet routing |
| Exit node | Yes (approved: 0.0.0.0/0, ::/0) |
| SSH | WAN-side SSH blocked by OpenWRT firewall in repeater mode — reach via: ssh moon → ssh root@192.168.99.1 |
| Directly connected | moon (192.168.99.223) — has its own Tailscale daemon |
| Repurposed | 2026-04-18 (previously marked retired) |
GL-BE3600 (Slate 7) — Travel Router
| Property | Value |
|---|---|
| Role | Travel router, exit node |
| Headscale node | ID:17 (gl-be3600) |
| Own LAN | 192.168.8.0/24 (gateway: 192.168.8.1) |
| Tailscale IP | 100.105.59.123 |
| Tailscale version | 1.96.3-tiny.by.admon.1214 (GL-inet custom build) |
| Advertises | Exit node only (0.0.0.0/0, ::/0) — no subnet routing |
| Exit node | Yes (approved: 0.0.0.0/0, ::/0) |
| SSH | ssh gl-be3600 (Tailscale IP, dropbear, key auth) |
| Repurposed | 2026-04-18 (previously advertised 192.168.8.0/24 + 192.168.68.0/22) |
🔑 SSH Access
All GL-inet routers use dropbear SSH (not OpenSSH). Authorized keys are stored at /etc/dropbear/authorized_keys.
# GL-MT3600BE: reachable via jellyfish (on its LAN)
ssh jellyfish "ssh root@192.168.12.1"
# GL-BE3600: reachable via Tailscale IP
ssh gl-be3600 # 100.105.59.123, root
# Add a new SSH key manually (from the router shell)
echo "ssh-ed25519 AAAA... your-key-comment" >> /etc/dropbear/authorized_keys
Authorized Keys (GL-MT3600BE)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuJ4f8YrXxhvrT+4wSC46myeHLuR98y9kqHAxBIcshx admin@thevish.io
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaNVe8rwzp1OtxOJO92U/3LDPUjDnBK5DCgTuwkBxVI lulu@jellyfish
📡 Headscale / Tailscale Setup on GL-inet Routers
GL-inet routers ship with a custom Tailscale build (tailscale-tiny). The standard install script does not work — use the GL-inet package manager or the pre-installed binary.
Joining Headscale
# 1. Generate a pre-auth key on the Headscale server
ssh calypso
sudo /usr/local/bin/docker exec headscale headscale preauthkeys create --user <numeric-user-id> --expiration 1h
# Note: --user requires numeric ID in Headscale v0.28, not username
# Find ID with: sudo /usr/local/bin/docker exec headscale headscale users list
# 2. On the GL-inet router shell:
tailscale up --login-server=https://headscale.vish.gg:8443 --authkey=<preauthkey> --accept-routes --advertise-routes=192.168.X.0/24 --advertise-exit-node --hostname=gl-<model>
# 3. Approve the subnet route and exit node on Headscale:
sudo /usr/local/bin/docker exec headscale headscale nodes list # get node ID
sudo /usr/local/bin/docker exec headscale headscale nodes approve-routes -i <ID> -r '0.0.0.0/0,::/0,192.168.X.0/24'
Tailscale Status
# Check status on the router
ssh gl-mt3000 "tailscale status"
ssh gl-be3600 "tailscale status"
# Check from Headscale
ssh calypso "sudo /usr/local/bin/docker exec headscale headscale nodes list"
Headscale v0.28 Command Reference
| Old command | New command |
|---|---|
| headscale routes list | headscale nodes list-routes --identifier <ID> |
| headscale routes enable -r <ID> | headscale nodes approve-routes --identifier <ID> --routes <CIDR> |
| headscale preauthkeys create --user <name> | headscale preauthkeys create --user <numeric-id> |
🔄 Tailscale Autostart on Boot
How GL-inet Manages Tailscale
GL-inet routers use a custom wrapper script /usr/bin/gl_tailscale that is called on boot by the tailscale init service. This wrapper reads UCI config from /etc/config/tailscale and constructs the tailscale up command automatically.
Important: The GL-inet wrapper calls tailscale up --reset ... on every boot, which wipes any flags set manually or stored in the state file. This means --login-server, --advertise-exit-node, and --hostname must be baked into the wrapper script itself — they cannot be set once and remembered.
Current Configuration (both routers)
Both routers have been patched so /usr/bin/gl_tailscale always passes the correct flags on boot. The relevant line in the wrapper:
gl-be3600:
timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s \
--accept-dns=false \
--login-server=https://headscale.vish.gg:8443 \
--advertise-exit-node \
--hostname=gl-be3600 > /dev/null
gl-mt3000:
timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s \
--accept-dns=false \
--login-server=https://headscale.vish.gg:8443 \
--advertise-exit-node \
--hostname=gl-mt3000 > /dev/null
The $param variable is built by the wrapper from UCI settings and includes --advertise-routes=192.168.X.0/24 automatically based on lan_enabled=1 in /etc/config/tailscale.
Persistence Across Firmware Upgrades
Both routers have /etc/sysupgrade.conf entries to preserve the patched files:
/usr/sbin/tailscale
/usr/sbin/tailscaled
/etc/config/tailscale
/usr/bin/gl_tailscale
/etc/init.d/tailscale-up
Re-applying the Patch After Firmware Upgrade
If a firmware upgrade overwrites /usr/bin/gl_tailscale (check with tailscale status — if "Logged out", patch was lost):
# SSH to the router
ssh gl-be3600 # or gl-mt3000
# Edit the gl_tailscale wrapper
vi /usr/bin/gl_tailscale
# Find the tailscale up line (around line 226):
# timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false > /dev/null
# Change it to (for be3600):
# timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false --login-server=https://headscale.vish.gg:8443 --advertise-exit-node --hostname=gl-be3600 > /dev/null
# Or use sed:
sed -i 's|tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false|tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false --login-server=https://headscale.vish.gg:8443 --advertise-exit-node --hostname=gl-be3600|' /usr/bin/gl_tailscale
update-tailscale.sh
There is a community script at /root/update-tailscale.sh on both routers — this is the GL-inet Tailscale Updater by Admon. It updates the tailscale/tailscaled binaries to a newer version than GL-inet ships in firmware. It also restores /usr/bin/gl_tailscale from /rom before patching for SSH support — re-apply the headscale patch after running this script.
🐕 Watchdog Cron (Belt-and-Suspenders)
All three GL-inet routers (gl-mt3600be, gl-mt3000, gl-be3600) run a secondary watchdog script that complements the gl_tailscale wrapper patch above. While the wrapper handles the boot path, the watchdog catches runtime logouts (e.g., headscale restart, network blip, manual tailscale logout).
Files
| Path | Purpose |
|---|---|
| /usr/bin/tailscale-watchdog.sh (0755) | Checks tailscale state every 5 min, re-auths if logged out |
| /etc/tailscale/authkey (0600) | Reusable headscale preauth key (prefix hskey-auth-…) |
| crontab: */5 * * * * /usr/bin/tailscale-watchdog.sh | Runs watchdog every 5 minutes |
| /tmp/tailscale-watchdog.log | Log (tmpfs, wiped on reboot) |
Behavior
- If pidof tailscaled fails → /etc/init.d/tailscale restart
- If tailscale status returns Logged out / NeedsLogin / not logged in → runs tailscale up --login-server=https://headscale.vish.gg:8443 --authkey=$(cat /etc/tailscale/authkey) --advertise-exit-node --accept-routes --accept-dns=false --hostname=<router> --reset
- Otherwise: no-op (no log entry)
Important Pitfalls
- pgrep -x tailscaled is broken on busybox — always use pidof tailscaled on OpenWRT.
- OpenWRT dropbear lacks sftp-server — cannot scp files. Use ssh … 'cat > /path/to/file' < local_file instead.
- Firmware/package upgrades wipe /usr/bin/tailscale-watchdog.sh (observed on gl-mt3600be 2026-04-18 after opkg tailscale upgrade). Cron entry survives but points at missing script. Mitigation: add the script path to /etc/sysupgrade.conf for persistence, or re-deploy after any firmware/opkg action.
- Travel routers advertise exit-node only (0.0.0.0/0, ::/0) — the --advertise-routes flag is intentionally absent from the watchdog up command.
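A watchdog with the behavior and pitfalls listed above, written here as an added example and not the script deployed on these routers. ROUTER_NAME, the log wording, the authkey permission check and the helper function names are assumptions.

```sh
#!/bin/sh
# Added example, not the deployed script. ROUTER_NAME is a placeholder to set per device.
LOGIN_SERVER="https://headscale.vish.gg:8443"
AUTHKEY_FILE="${AUTHKEY_FILE:-/etc/tailscale/authkey}"
LOG="${LOG:-/tmp/tailscale-watchdog.log}"
ROUTER_NAME="${ROUTER_NAME:-gl-router}"

# True when `tailscale status` output ($1) shows the node needs to log in again.
needs_login() {
    case "$1" in
        *"Logged out"*|*NeedsLogin*|*"not logged in"*) return 0 ;;
    esac
    return 1
}

# True only for a non-empty regular file with no group/other permission bits (e.g. 0600).
authkey_file_ok() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    case "$(ls -ln "$1" | cut -c1-10)" in
        ????------) return 0 ;;
    esac
    return 1
}

# Map daemon state ($1: up|down) and status text ($2) to an action: restart|reauth|none.
decide() {
    if [ "$1" != up ]; then echo restart
    elif needs_login "$2"; then echo reauth
    else echo none
    fi
}

log() { echo "$(date) $*" >> "$LOG"; }

main() {
    daemon=down status=""
    # pidof, not pgrep -x, which the page reports as broken on busybox.
    if pidof tailscaled >/dev/null 2>&1; then
        daemon=up
        status=$(tailscale status 2>&1)
    fi
    case "$(decide "$daemon" "$status")" in
        restart)
            log "tailscaled not running, restarting"
            /etc/init.d/tailscale restart ;;
        reauth)
            if ! authkey_file_ok "$AUTHKEY_FILE"; then
                log "authkey file missing, empty or readable by others; not re-authing"
                return 1
            fi
            log "logged out, re-authenticating"
            # Exit-node only: --advertise-routes is deliberately absent.
            tailscale up --login-server="$LOGIN_SERVER" \
                --authkey="$(cat "$AUTHKEY_FILE")" \
                --advertise-exit-node --accept-routes --accept-dns=false \
                --hostname="$ROUTER_NAME" --reset ;;
    esac
}

# Run only under the cron-invoked name, so the functions above can be sourced and tested.
case "$0" in
    */tailscale-watchdog.sh) main ;;
esac
```

As in the page's command, the key is expanded onto the tailscale up command line, so it is visible in the router's process list while that command runs.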
Deployment History
| Date | Router | Event |
|---|---|---|
| 2026-04-11 | gl-mt3000, gl-be3600 | Initial watchdog + reusable authkey deploy |
| 2026-04-15 | gl-mt3600be | Initial watchdog deploy |
| 2026-04-18 | gl-mt3600be | Watchdog wiped by tailscale opkg upgrade → rebuilt, verified re-auth in ~3s |
| 2026-04-18 | gl-mt3000 | Watchdog had wrong --advertise-routes=192.168.12.0/24 → corrected to exit-node-only |
| 2026-04-18 | gl-be3600 | Watchdog missing --advertise-exit-node + stale live routes → corrected to exit-node-only |
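A read-only audit for the drift recorded in the table above (wiped watchdog, wrong or missing flags, lost wrapper patch), added here as an example and not part of the routers' tooling. The ROOT prefix, the finding labels, the /etc/crontabs/root path and the tailscale-audit.sh name are assumptions.

```sh
#!/bin/sh
# Added example (not the page's tooling): report drift after a firmware or opkg upgrade.
# ROOT is an assumption that lets the audit run on a constructed tree; empty = live system.
ROOT="${ROOT:-}"
EXIT_NODE_ONLY="${EXIT_NODE_ONLY:-1}"        # 1 for the travel routers
CRONTAB="${CRONTAB:-/etc/crontabs/root}"     # assumed OpenWrt root crontab path
WRAPPER=/usr/bin/gl_tailscale
WATCHDOG=/usr/bin/tailscale-watchdog.sh
# Paths the page keeps in /etc/sysupgrade.conf, plus the watchdog it suggests adding.
PRESERVE="/usr/sbin/tailscale /usr/sbin/tailscaled /etc/config/tailscale
$WRAPPER /etc/init.d/tailscale-up $WATCHDOG"

# has FILE STRING: true if the file under ROOT contains the fixed string.
has() { grep -qF -- "$2" "$ROOT$1" 2>/dev/null; }

# Print one finding per line; no output means no drift was found.
audit() {
    for p in $PRESERVE; do
        [ -e "$ROOT$p" ] || echo "MISSING $p"
        grep -qxF -- "$p" "$ROOT/etc/sysupgrade.conf" 2>/dev/null || echo "UNPRESERVED $p"
    done
    # The wrapper runs `tailscale up --reset` on every boot, so flags must live in the file.
    for flag in --login-server=https://headscale.vish.gg:8443 --advertise-exit-node --hostname=; do
        has "$WRAPPER" "$flag" || echo "WRAPPER_LACKS $flag"
    done
    # A cron line that outlives its script fails silently every five minutes.
    if has "$CRONTAB" "$WATCHDOG"; then
        [ -x "$ROOT$WATCHDOG" ] || echo "CRON_DANGLING $WATCHDOG"
    else
        echo "NO_CRON $WATCHDOG"
    fi
    if [ -f "$ROOT$WATCHDOG" ]; then
        has "$WATCHDOG" --advertise-exit-node || echo "WATCHDOG_LACKS --advertise-exit-node"
        if [ "$EXIT_NODE_ONLY" = 1 ] && has "$WATCHDOG" --advertise-routes; then
            echo "WATCHDOG_HAS --advertise-routes"
        fi
    fi
    return 0
}

# Run only under the (hypothetical) install name, so audit can be sourced and tested.
case "$0" in
    */tailscale-audit.sh) audit ;;
esac
```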
🔧 Configuration & Setup
GL-BE3600 Primary Setup
Initial Configuration
# Access router admin panel
http://192.168.8.1
# Configure WAN connection
- Set to DHCP for hotel/public Wi-Fi
- Configure static IP if needed
- Enable MAC address cloning for captive portals
# Configure VPN
- Enable WireGuard client
- Import Tailscale configuration
- Set auto-connect on boot
Network Segmentation
# Private Network (192.168.8.0/24)
- Trusted devices (laptop, phone, tablet)
- Full access to homelab via VPN
- Local device communication allowed
# Guest Network (192.168.9.0/24)
- Untrusted devices
- Internet-only access
- Isolated from private network
Remote KVM (GL-RM1) Setup
Physical Connection
# Connect to target server
1. USB-A to server for keyboard/mouse emulation
2. HDMI/VGA to server for video capture
3. Ethernet to network for remote access
4. USB-C for power
# Network Configuration
- Assign static IP: 192.168.8.100
- Configure port forwarding: 8080 → 80
- Enable HTTPS for secure access
Tailscale Integration
# Install Tailscale on KVM device
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --accept-routes
# Access via Tailscale
https://gl-rm1.tail.vish.gg
IoT Gateway (GL-S200) Configuration
Thread Border Router Setup
# Enable Thread functionality
- Configure as Thread Border Router
- Set network credentials
- Enable Matter support
# Zigbee Coordinator Setup
- Configure Zigbee channel
- Set network key
- Enable device pairing mode
🛡️ Security Configuration
VPN Security
- WireGuard Tunnels: All traffic encrypted back to homelab
- Kill Switch: Block internet if VPN disconnects
- DNS Security: Use homelab Pi-hole for ad blocking
- Firewall Rules: Strict ingress/egress filtering
Network Isolation
- Guest Network: Completely isolated from private devices
- IoT Segmentation: Smart devices on separate VLAN
- Management Network: KVM and admin access isolated
- Zero Trust: All connections authenticated and encrypted
Access Control
- Strong Passwords: Unique passwords for each device
- SSH Keys: Key-based authentication where possible
- Regular Updates: Firmware updates for security patches
- Monitoring: Log analysis for suspicious activity
📱 Mobile Device Integration
Seamless Connectivity
# Device Auto-Connection Priority
1. GL-BE3600 (Primary Wi-Fi 7)
2. GL-MT3000 (Backup Wi-Fi 6)
3. GL-MT300N-V2 (Emergency)
4. Cellular (Last resort)
# Tailscale Configuration
- All devices connected to Tailscale mesh
- Automatic failover between networks
- Consistent homelab access regardless of uplink
Performance Optimization
- Wi-Fi 7: Maximum throughput for data-intensive tasks
- QoS: Prioritize critical traffic (VPN, video calls)
- Band Steering: Automatic 2.4GHz/5GHz selection
- Load Balancing: Distribute devices across routers
🔍 Monitoring & Management
Remote Monitoring
- Router Status: Monitor via web interface and mobile app
- VPN Health: Check tunnel status and throughput
- Device Connectivity: Track connected devices and usage
- Performance Metrics: Bandwidth, latency, packet loss
Troubleshooting Tools
- Network Diagnostics: Built-in ping, traceroute, speed test
- Log Analysis: System logs for connection issues
- Remote Access: SSH access for advanced configuration
- Factory Reset: Hardware reset button for recovery
🎯 Use Case Scenarios
Business Travel
- Hotel Setup: GL-BE3600 for secure Wi-Fi, KVM for server access
- Conference: GL-MT3000 for portable networking
- Emergency: GL-MT300N-V2 for basic connectivity
- IoT Devices: GL-S200 for smart device management
Extended Stay
- Primary Network: GL-BE3600 with full homelab access
- Smart Home: GL-S200 for temporary IoT setup
- Backup Connectivity: Multiple routers for redundancy
- Remote Management: KVM for homelab troubleshooting
Digital Nomad
- Mobile Office: Secure, high-speed connectivity anywhere
- Content Creation: High-bandwidth for video uploads
- Development Work: Full access to homelab resources
- IoT Projects: Portable development environment
📋 Maintenance & Updates
Regular Tasks
- Firmware Updates: Monthly security and feature updates
- Configuration Backup: Export settings before changes
- Performance Testing: Regular speed and latency tests
- Security Audit: Review firewall rules and access logs
Travel Checklist
- All devices charged and firmware updated
- VPN configurations tested and working
- Backup connectivity options verified
- Emergency contact information accessible
- Documentation and passwords secured
🔗 Integration with Homelab
Tailscale Mesh Network
- Seamless Access: All GL.iNet devices join Tailscale mesh
- Split-Brain DNS: Local hostname resolution while traveling
- Subnet Routing: Access homelab subnets via travel routers
- Exit Nodes: Route internet traffic through homelab
Service Access
- Media Streaming: Plex, Jellyfin via high-speed VPN
- Development: GitLab, Portainer, development environments
- Productivity: Paperless-NGX, Vaultwarden, file sync
- Monitoring: Grafana, Uptime Kuma for homelab status
This GL.iNet travel networking infrastructure provides enterprise-level connectivity and security for mobile work, ensuring seamless access to homelab resources from anywhere in the world.
Last Updated: 2026-04-18 (GL-MT3000 returned to service as travel router behind GL-MT3600BE; both GL-MT3000 and GL-BE3600 converted to exit-node-only; added Watchdog Cron section; flagged opkg-upgrade-wipes-/usr/bin caveat on GL-MT3600BE; tailscale versions refreshed)