Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fb00a325d1af18203b2a8a40a5799e71ed5b6b6c
homelab-optimized/docs/infrastructure/glinet-travel-networking.md
Gitea Mirror Bot fb00a325d1
Some checks failed
Documentation / Build Docusaurus (push) Failing after 5m14s
Details
Documentation / Deploy to GitHub Pages (push) Has been skipped
Details
Sanitized mirror from private repository - 2026-04-18 11:19:59 UTC
2026-04-18 11:19:59 +00:00

19 KiB
Raw Blame History

🌐 GL.iNet Travel Networking Infrastructure

🟡 Intermediate Guide

This guide covers the complete GL.iNet travel networking setup, including travel routers, IoT gateway, and remote KVM for secure mobile connectivity and remote management.

🎒 GL.iNet Device Portfolio

GL.iNet Comet (GL-RM1) - Remote KVM

Hardware Specifications

  • Model: GL-RM1 Remote KVM over IP
  • Purpose: Remote server management and troubleshooting
  • Video: Up to 1920x1200@60Hz resolution
  • USB: Virtual keyboard and mouse support
  • Network: Ethernet connection for remote access
  • Power: USB-C powered, low power consumption
  • Form Factor: Compact, portable design

Use Cases

  • Remote Server Management: Access BIOS, boot sequences, OS installation
  • Headless System Control: Manage servers without physical access
  • Emergency Recovery: Fix systems when SSH/network is down
  • Travel Troubleshooting: Diagnose homelab issues from anywhere
  • Secure Access: Out-of-band management independent of OS

Integration with Homelab

Homelab Server → GL-RM1 KVM → Network → Tailscale → Travel Device

GL.iNet Slate 7 (GL-BE3600) - Wi-Fi 7 Travel Router

Hardware Specifications

  • Model: GL-BE3600 Dual-Band Wi-Fi 7 Travel Router
  • Wi-Fi Standard: Wi-Fi 7 (802.11be)
  • Speed: Up to 3.6 Gbps total throughput
  • Bands: Dual-band (2.4GHz + 5GHz)
  • Ports: 1x Gigabit WAN, 1x Gigabit LAN
  • CPU: Quad-core ARM processor
  • RAM: 1GB DDR4
  • Storage: 256MB flash storage
  • Power: USB-C, portable battery support
  • VPN: Built-in OpenVPN, WireGuard support

Key Features

  • Wi-Fi 7 Technology: Latest wireless standard for maximum performance
  • Travel-Optimized: Compact form factor, battery operation
  • VPN Client/Server: Secure tunnel back to homelab
  • Captive Portal Bypass: Automatic hotel/airport Wi-Fi connection
  • Dual WAN: Ethernet + Wi-Fi uplink for redundancy
  • Guest Network: Isolated network for untrusted devices

GL.iNet Beryl AX (GL-MT3000) - Wi-Fi 6 Pocket Router

Hardware Specifications

  • Model: GL-MT3000 Pocket-Sized Wi-Fi 6 Router
  • Wi-Fi Standard: Wi-Fi 6 (802.11ax)
  • Speed: Up to 2.4 Gbps total throughput
  • Bands: Dual-band (2.4GHz + 5GHz)
  • Ports: 1x Gigabit WAN/LAN
  • CPU: Dual-core ARM Cortex-A53
  • RAM: 512MB DDR4
  • Storage: 128MB flash storage
  • Power: USB-C, ultra-portable
  • Battery: Optional external battery pack

Use Cases

  • Ultra-Portable Networking: Smallest form factor for minimal travel
  • Hotel Room Setup: Instant secure Wi-Fi in accommodations
  • Conference Networking: Secure connection at events
  • Backup Connectivity: Secondary router for redundancy
  • IoT Device Management: Isolated network for smart devices

GL.iNet Mango (GL-MT300N-V2) - Compact Travel Router

Hardware Specifications

  • Model: GL-MT300N-V2 Mini Travel Router
  • Wi-Fi Standard: Wi-Fi 4 (802.11n)
  • Speed: Up to 300 Mbps
  • Band: Single-band (2.4GHz)
  • Ports: 1x Fast Ethernet WAN/LAN
  • CPU: Single-core MIPS processor
  • RAM: 128MB DDR2
  • Storage: 16MB flash storage
  • Power: Micro-USB, very low power
  • Size: Ultra-compact, credit card sized

Use Cases

  • Emergency Connectivity: Basic internet access when needed
  • Legacy Device Support: Connect older devices to modern networks
  • IoT Prototyping: Simple network for development projects
  • Backup Router: Ultra-portable emergency networking
  • Budget Travel: Cost-effective secure connectivity

GL.iNet S200 - Multi-Protocol IoT Gateway

Hardware Specifications

  • Model: GL-S200 Multi-Protocol IoT Gateway
  • Protocols: Thread, Zigbee, Matter, Wi-Fi
  • Thread: Thread Border Router functionality
  • Zigbee: Zigbee 3.0 coordinator support
  • Matter: Matter over Thread/Wi-Fi support
  • CPU: ARM Cortex-A7 processor
  • RAM: 256MB DDR3
  • Storage: 128MB flash storage
  • Network: Ethernet, Wi-Fi connectivity
  • Power: USB-C powered

IoT Integration

  • Smart Home Hub: Central control for IoT devices
  • Protocol Translation: Bridge between different IoT standards
  • Remote Management: Control IoT devices via Tailscale
  • Travel IoT: Portable smart home setup for extended stays
  • Development Platform: IoT protocol testing and development

🗺️ Travel Networking Architecture

Multi-Layer Connectivity Strategy

Internet (Hotel/Airport/Cellular)
    │
    ├── GL-BE3600 (Primary Wi-Fi 7 Router)
    │   ├── Secure Tunnel → Tailscale → Homelab
    │   ├── Guest Network (Untrusted devices)
    │   └── Private Network (Trusted devices)
    │
    ├── GL-MT3000 (Backup Wi-Fi 6 Router)
    │   └── Secondary VPN Connection
    │
    ├── GL-MT300N-V2 (Emergency Router)
    │   └── Basic connectivity fallback
    │
    └── GL-S200 (IoT Gateway)
        └── Smart device management

Redundancy & Failover

  • Primary: GL-BE3600 with Wi-Fi 7 for maximum performance
  • Secondary: GL-MT3000 for backup connectivity
  • Emergency: GL-MT300N-V2 for basic internet access
  • Specialized: GL-S200 for IoT device management

🏠 Current Homelab Deployment

GL-MT3600BE and GL-BE3600 are deployed as permanent infrastructure in the homelab, connected to Headscale and providing subnet routing. GL-MT3000 is retired as a spare/travel router.

GL-MT3600BE (Beryl 7) — Primary Gateway

Property Value
Model GL-MT3600BE (Beryl 7)
Role Primary gateway for jellyfish, moon, Home Assistant
Firmware 4.8.5 (OpenWrt 21.02-SNAPSHOT, mediatek/mt7987)
CPU Dual-core ARM Cortex-A53 (aarch64)
RAM 512MB
Storage 354MB overlay
Wi-Fi Wi-Fi 7 (802.11be) — 2.4GHz + 5GHz, MLO support
SSID Aquabroom (2.4G), Aquabroom_5G (5G), Aquabroom_MLO (MLO)
LAN 192.168.12.0/24 (gateway: 192.168.12.1)
WAN Spectrum cable (76.93.212.229/20)
Tailscale IP 100.64.0.10
Headscale node ID:28 (gl-mt3600be)
Tailscale version 1.80.3
Subnet route 192.168.12.0/24 (approved)
Exit node Yes (approved: 0.0.0.0/0, ::/0)
SSH ssh root@192.168.12.1 via jellyfish (dropbear, key auth)
Speedtest ~1074 Mbps down / ~38 Mbps up (Spectrum, Mililani HI)
Deployed 2026-04-16

Devices on 192.168.12.0/24:

  • jellyfish (192.168.12.181 eth0, .182 wlan0) — Tailscale 100.69.121.120
  • moon (192.168.12.223) — Tailscale 100.64.0.6
  • homeassistant (100.112.186.90) — Home Assistant OS

GL-MT3000 (Beryl AX) — Retired/Spare

Property Value
Status Offline — replaced by GL-MT3600BE
Headscale node ID:16 (gl-mt3000, offline)
Tailscale IP 100.126.243.15
Notes Available as backup/travel router

GL-BE3600 (Slate 7) — Wi-Fi Repeater

Property Value
Role Wi-Fi repeater on home network
Management IP 192.168.68.53 (upstream LAN)
Own LAN 192.168.8.0/24 (gateway: 192.168.8.1)
Tailscale IP 100.105.59.123
Tailscale version 1.90.9-tiny (GL-inet custom build)
Subnet route 192.168.8.0/24 (approved in Headscale)
SSH ssh gl-be3600 (dropbear, key auth)

Note

: GL-BE3600 ports are filtered from homelab VM (192.168.0.210) and NUC (192.168.68.x). It is only directly reachable from its own 192.168.8.x LAN — or via its Tailscale IP (100.105.59.123).

🔑 SSH Access

All GL-inet routers use dropbear SSH (not OpenSSH). Authorized keys are stored at /etc/dropbear/authorized_keys.

# GL-MT3600BE: reachable via jellyfish (on its LAN)
ssh jellyfish "ssh root@192.168.12.1"

# GL-BE3600: reachable via Tailscale IP
ssh gl-be3600    # 100.105.59.123, root

# Add a new SSH key manually (from the router shell)
echo "ssh-ed25519 AAAA... your-key-comment" >> /etc/dropbear/authorized_keys

Authorized Keys (GL-MT3600BE)

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuJ4f8YrXxhvrT+4wSC46myeHLuR98y9kqHAxBIcshx admin@thevish.io
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaNVe8rwzp1OtxOJO92U/3LDPUjDnBK5DCgTuwkBxVI lulu@jellyfish

📡 Headscale / Tailscale Setup on GL-inet Routers

GL-inet routers ship with a custom Tailscale build (tailscale-tiny). The standard install script does not work — use the GL-inet package manager or the pre-installed binary.

Joining Headscale

# 1. Generate a pre-auth key on the Headscale server
ssh calypso
sudo /usr/local/bin/docker exec headscale headscale preauthkeys create --user <numeric-user-id> --expiration 1h
# Note: --user requires numeric ID in Headscale v0.28, not username
# Find ID with: sudo /usr/local/bin/docker exec headscale headscale users list

# 2. On the GL-inet router shell:
tailscale up --login-server=https://headscale.vish.gg:8443 --authkey=<preauthkey> --accept-routes --advertise-routes=192.168.X.0/24 --advertise-exit-node --hostname=gl-<model>

# 3. Approve the subnet route and exit node on Headscale:
sudo /usr/local/bin/docker exec headscale headscale nodes list  # get node ID
sudo /usr/local/bin/docker exec headscale headscale nodes approve-routes -i <ID> -r '0.0.0.0/0,::/0,192.168.X.0/24'

Tailscale Status

# Check status on the router
ssh gl-mt3000 "tailscale status"
ssh gl-be3600 "tailscale status"

# Check from Headscale
ssh calypso "sudo /usr/local/bin/docker exec headscale headscale nodes list"

Headscale v0.28 Command Reference

Old command New command
headscale routes list headscale nodes list-routes --identifier <ID>
headscale routes enable -r <ID> headscale nodes approve-routes --identifier <ID> --routes <CIDR>
headscale preauthkeys create --user <name> headscale preauthkeys create --user <numeric-id>

🔄 Tailscale Autostart on Boot

How GL-inet Manages Tailscale

GL-inet routers use a custom wrapper script /usr/bin/gl_tailscale that is called on boot by the tailscale init service. This wrapper reads UCI config from /etc/config/tailscale and constructs the tailscale up command automatically.

Important: The GL-inet wrapper calls tailscale up --reset ... on every boot, which wipes any flags set manually or stored in the state file. This means --login-server, --advertise-exit-node, and --hostname must be baked into the wrapper script itself — they cannot be set once and remembered.

Current Configuration (both routers)

Both routers have been patched so /usr/bin/gl_tailscale always passes the correct flags on boot. The relevant line in the wrapper:

gl-be3600:

timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s \
  --accept-dns=false \
  --login-server=https://headscale.vish.gg:8443 \
  --advertise-exit-node \
  --hostname=gl-be3600 > /dev/null

gl-mt3000:

timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s \
  --accept-dns=false \
  --login-server=https://headscale.vish.gg:8443 \
  --advertise-exit-node \
  --hostname=gl-mt3000 > /dev/null

The $param variable is built by the wrapper from UCI settings and includes --advertise-routes=192.168.X.0/24 automatically based on lan_enabled=1 in /etc/config/tailscale.

Persistence Across Firmware Upgrades

Both routers have /etc/sysupgrade.conf entries to preserve the patched files:

/usr/sbin/tailscale
/usr/sbin/tailscaled
/etc/config/tailscale
/usr/bin/gl_tailscale
/etc/init.d/tailscale-up

Re-applying the Patch After Firmware Upgrade

If a firmware upgrade overwrites /usr/bin/gl_tailscale (check with tailscale status — if "Logged out", patch was lost):

# SSH to the router
ssh gl-be3600  # or gl-mt3000

# Edit the gl_tailscale wrapper
vi /usr/bin/gl_tailscale

# Find the tailscale up line (around line 226):
#   timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false > /dev/null
# Change it to (for be3600):
#   timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false --login-server=https://headscale.vish.gg:8443 --advertise-exit-node --hostname=gl-be3600 > /dev/null

# Or use sed:
sed -i 's|tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false|tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false --login-server=https://headscale.vish.gg:8443 --advertise-exit-node --hostname=gl-be3600|' /usr/bin/gl_tailscale

update-tailscale.sh

There is a community script at /root/update-tailscale.sh on both routers — this is the GL-inet Tailscale Updater by Admon. It updates the tailscale/tailscaled binaries to a newer version than GL-inet ships in firmware. It also restores /usr/bin/gl_tailscale from /rom before patching for SSH support — re-apply the headscale patch after running this script.

🔧 Configuration & Setup

GL-BE3600 Primary Setup

Initial Configuration

# Access router admin panel
http://192.168.8.1

# Configure WAN connection
- Set to DHCP for hotel/public Wi-Fi
- Configure static IP if needed
- Enable MAC address cloning for captive portals

# Configure VPN
- Enable WireGuard client
- Import Tailscale configuration
- Set auto-connect on boot

Network Segmentation

# Private Network (192.168.8.0/24)
- Trusted devices (laptop, phone, tablet)
- Full access to homelab via VPN
- Local device communication allowed

# Guest Network (192.168.9.0/24)
- Untrusted devices
- Internet-only access
- Isolated from private network

Remote KVM (GL-RM1) Setup

Physical Connection

# Connect to target server
1. USB-A to server for keyboard/mouse emulation
2. HDMI/VGA to server for video capture
3. Ethernet to network for remote access
4. USB-C for power

# Network Configuration
- Assign static IP: 192.168.8.100
- Configure port forwarding: 808080
- Enable HTTPS for secure access

Tailscale Integration

# Install Tailscale on KVM device
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --accept-routes

# Access via Tailscale
https://gl-rm1.tail.vish.gg

IoT Gateway (GL-S200) Configuration

Thread Border Router Setup

# Enable Thread functionality
- Configure as Thread Border Router
- Set network credentials
- Enable Matter support

# Zigbee Coordinator Setup
- Configure Zigbee channel
- Set network key
- Enable device pairing mode

🛡️ Security Configuration

VPN Security

  • WireGuard Tunnels: All traffic encrypted back to homelab
  • Kill Switch: Block internet if VPN disconnects
  • DNS Security: Use homelab Pi-hole for ad blocking
  • Firewall Rules: Strict ingress/egress filtering

Network Isolation

  • Guest Network: Completely isolated from private devices
  • IoT Segmentation: Smart devices on separate VLAN
  • Management Network: KVM and admin access isolated
  • Zero Trust: All connections authenticated and encrypted

Access Control

  • Strong Passwords: Unique passwords for each device
  • SSH Keys: Key-based authentication where possible
  • Regular Updates: Firmware updates for security patches
  • Monitoring: Log analysis for suspicious activity

📱 Mobile Device Integration

Seamless Connectivity

# Device Auto-Connection Priority
1. GL-BE3600 (Primary Wi-Fi 7)
2. GL-MT3000 (Backup Wi-Fi 6)
3. GL-MT300N-V2 (Emergency)
4. Cellular (Last resort)

# Tailscale Configuration
- All devices connected to Tailscale mesh
- Automatic failover between networks
- Consistent homelab access regardless of uplink

Performance Optimization

  • Wi-Fi 7: Maximum throughput for data-intensive tasks
  • QoS: Prioritize critical traffic (VPN, video calls)
  • Band Steering: Automatic 2.4GHz/5GHz selection
  • Load Balancing: Distribute devices across routers

🔍 Monitoring & Management

Remote Monitoring

  • Router Status: Monitor via web interface and mobile app
  • VPN Health: Check tunnel status and throughput
  • Device Connectivity: Track connected devices and usage
  • Performance Metrics: Bandwidth, latency, packet loss

Troubleshooting Tools

  • Network Diagnostics: Built-in ping, traceroute, speed test
  • Log Analysis: System logs for connection issues
  • Remote Access: SSH access for advanced configuration
  • Factory Reset: Hardware reset button for recovery

🎯 Use Case Scenarios

Business Travel

  1. Hotel Setup: GL-BE3600 for secure Wi-Fi, KVM for server access
  2. Conference: GL-MT3000 for portable networking
  3. Emergency: GL-MT300N-V2 for basic connectivity
  4. IoT Devices: GL-S200 for smart device management

Extended Stay

  1. Primary Network: GL-BE3600 with full homelab access
  2. Smart Home: GL-S200 for temporary IoT setup
  3. Backup Connectivity: Multiple routers for redundancy
  4. Remote Management: KVM for homelab troubleshooting

Digital Nomad

  1. Mobile Office: Secure, high-speed connectivity anywhere
  2. Content Creation: High-bandwidth for video uploads
  3. Development Work: Full access to homelab resources
  4. IoT Projects: Portable development environment

📋 Maintenance & Updates

Regular Tasks

  • Firmware Updates: Monthly security and feature updates
  • Configuration Backup: Export settings before changes
  • Performance Testing: Regular speed and latency tests
  • Security Audit: Review firewall rules and access logs

Travel Checklist

  • All devices charged and firmware updated
  • VPN configurations tested and working
  • Backup connectivity options verified
  • Emergency contact information accessible
  • Documentation and passwords secured

🔗 Integration with Homelab

Tailscale Mesh Network

  • Seamless Access: All GL.iNet devices join Tailscale mesh
  • Split-Brain DNS: Local hostname resolution while traveling
  • Subnet Routing: Access homelab subnets via travel routers
  • Exit Nodes: Route internet traffic through homelab

Service Access

  • Media Streaming: Plex, Jellyfin via high-speed VPN
  • Development: GitLab, Portainer, development environments
  • Productivity: Paperless-NGX, Vaultwarden, file sync
  • Monitoring: Grafana, Uptime Kuma for homelab status

This GL.iNet travel networking infrastructure provides enterprise-level connectivity and security for mobile work, ensuring seamless access to homelab resources from anywhere in the world.

Last Updated: 2026-04-16 (added GL-MT3600BE Beryl 7 deployment, retired GL-MT3000, updated SSH access)

Reference in New Issue View Git Blame Copy Permalink