18 KiB
18 KiB
🌐 GL.iNet Travel Networking Infrastructure
🟡 Intermediate Guide
This guide covers the complete GL.iNet travel networking setup, including travel routers, IoT gateway, and remote KVM for secure mobile connectivity and remote management.
🎒 GL.iNet Device Portfolio
GL.iNet Comet (GL-RM1) - Remote KVM
Hardware Specifications
- Model: GL-RM1 Remote KVM over IP
- Purpose: Remote server management and troubleshooting
- Video: Up to 1920x1200@60Hz resolution
- USB: Virtual keyboard and mouse support
- Network: Ethernet connection for remote access
- Power: USB-C powered, low power consumption
- Form Factor: Compact, portable design
Use Cases
- Remote Server Management: Access BIOS, boot sequences, OS installation
- Headless System Control: Manage servers without physical access
- Emergency Recovery: Fix systems when SSH/network is down
- Travel Troubleshooting: Diagnose homelab issues from anywhere
- Secure Access: Out-of-band management independent of OS
Integration with Homelab
Homelab Server → GL-RM1 KVM → Network → Tailscale → Travel Device
GL.iNet Slate 7 (GL-BE3600) - Wi-Fi 7 Travel Router
Hardware Specifications
- Model: GL-BE3600 Dual-Band Wi-Fi 7 Travel Router
- Wi-Fi Standard: Wi-Fi 7 (802.11be)
- Speed: Up to 3.6 Gbps total throughput
- Bands: Dual-band (2.4GHz + 5GHz)
- Ports: 1x Gigabit WAN, 1x Gigabit LAN
- CPU: Quad-core ARM processor
- RAM: 1GB DDR4
- Storage: 256MB flash storage
- Power: USB-C, portable battery support
- VPN: Built-in OpenVPN, WireGuard support
Key Features
- Wi-Fi 7 Technology: Latest wireless standard for maximum performance
- Travel-Optimized: Compact form factor, battery operation
- VPN Client/Server: Secure tunnel back to homelab
- Captive Portal Bypass: Automatic hotel/airport Wi-Fi connection
- Dual WAN: Ethernet + Wi-Fi uplink for redundancy
- Guest Network: Isolated network for untrusted devices
GL.iNet Beryl AX (GL-MT3000) - Wi-Fi 6 Pocket Router
Hardware Specifications
- Model: GL-MT3000 Pocket-Sized Wi-Fi 6 Router
- Wi-Fi Standard: Wi-Fi 6 (802.11ax)
- Speed: Up to 2.4 Gbps total throughput
- Bands: Dual-band (2.4GHz + 5GHz)
- Ports: 1x Gigabit WAN/LAN
- CPU: Dual-core ARM Cortex-A53
- RAM: 512MB DDR4
- Storage: 128MB flash storage
- Power: USB-C, ultra-portable
- Battery: Optional external battery pack
Use Cases
- Ultra-Portable Networking: Smallest form factor for minimal travel
- Hotel Room Setup: Instant secure Wi-Fi in accommodations
- Conference Networking: Secure connection at events
- Backup Connectivity: Secondary router for redundancy
- IoT Device Management: Isolated network for smart devices
GL.iNet Mango (GL-MT300N-V2) - Compact Travel Router
Hardware Specifications
- Model: GL-MT300N-V2 Mini Travel Router
- Wi-Fi Standard: Wi-Fi 4 (802.11n)
- Speed: Up to 300 Mbps
- Band: Single-band (2.4GHz)
- Ports: 1x Fast Ethernet WAN/LAN
- CPU: Single-core MIPS processor
- RAM: 128MB DDR2
- Storage: 16MB flash storage
- Power: Micro-USB, very low power
- Size: Ultra-compact, credit card sized
Use Cases
- Emergency Connectivity: Basic internet access when needed
- Legacy Device Support: Connect older devices to modern networks
- IoT Prototyping: Simple network for development projects
- Backup Router: Ultra-portable emergency networking
- Budget Travel: Cost-effective secure connectivity
GL.iNet S200 - Multi-Protocol IoT Gateway
Hardware Specifications
- Model: GL-S200 Multi-Protocol IoT Gateway
- Protocols: Thread, Zigbee, Matter, Wi-Fi
- Thread: Thread Border Router functionality
- Zigbee: Zigbee 3.0 coordinator support
- Matter: Matter over Thread/Wi-Fi support
- CPU: ARM Cortex-A7 processor
- RAM: 256MB DDR3
- Storage: 128MB flash storage
- Network: Ethernet, Wi-Fi connectivity
- Power: USB-C powered
IoT Integration
- Smart Home Hub: Central control for IoT devices
- Protocol Translation: Bridge between different IoT standards
- Remote Management: Control IoT devices via Tailscale
- Travel IoT: Portable smart home setup for extended stays
- Development Platform: IoT protocol testing and development
🗺️ Travel Networking Architecture
Multi-Layer Connectivity Strategy
Internet (Hotel/Airport/Cellular)
│
├── GL-BE3600 (Primary Wi-Fi 7 Router)
│ ├── Secure Tunnel → Tailscale → Homelab
│ ├── Guest Network (Untrusted devices)
│ └── Private Network (Trusted devices)
│
├── GL-MT3000 (Backup Wi-Fi 6 Router)
│ └── Secondary VPN Connection
│
├── GL-MT300N-V2 (Emergency Router)
│ └── Basic connectivity fallback
│
└── GL-S200 (IoT Gateway)
└── Smart device management
Redundancy & Failover
- Primary: GL-BE3600 with Wi-Fi 7 for maximum performance
- Secondary: GL-MT3000 for backup connectivity
- Emergency: GL-MT300N-V2 for basic internet access
- Specialized: GL-S200 for IoT device management
🏠 Current Homelab Deployment
Both GL-MT3000 and GL-BE3600 are deployed as permanent infrastructure in the homelab (not travel use), connected to Headscale and providing subnet routing.
GL-MT3000 — IoT/HA Gateway
| Property | Value |
|---|---|
| Role | Gateway for jellyfish + Home Assistant |
| LAN | 192.168.12.0/24 (gateway: 192.168.12.1) |
| WAN | Separate uplink (76.93.214.253) — not on home LAN |
| Tailscale IP | 100.126.243.15 |
| Tailscale version | 1.92.5-tiny (GL-inet custom build) |
| Subnet route | 192.168.12.0/24 (approved in Headscale) |
| SSH | ssh gl-mt3000 (dropbear, key auth) |
Devices on 192.168.12.0/24 accessible via Tailscale:
jellyfish(100.69.121.120) — jump host / devicehomeassistant(100.112.186.90) — Home Assistant OS
GL-BE3600 — Wi-Fi Repeater
| Property | Value |
|---|---|
| Role | Wi-Fi repeater on home network |
| Management IP | 192.168.68.53 (upstream LAN) |
| Own LAN | 192.168.8.0/24 (gateway: 192.168.8.1) |
| Tailscale IP | 100.105.59.123 |
| Tailscale version | 1.90.9-tiny (GL-inet custom build) |
| Subnet route | 192.168.8.0/24 (approved in Headscale) |
| SSH | ssh gl-be3600 (dropbear, key auth) |
Note
: GL-BE3600 ports are filtered from homelab VM (
192.168.0.210) and NUC (192.168.68.x). It is only directly reachable from its own192.168.8.xLAN — or via its Tailscale IP (100.105.59.123).
🔑 SSH Access
Both routers use dropbear SSH (not OpenSSH). Authorized keys are stored at /etc/dropbear/authorized_keys.
# Connect via Tailscale (preferred)
ssh gl-mt3000 # 100.126.243.15, root
ssh gl-be3600 # 100.105.59.123, root
# Add a new SSH key manually (from the router shell)
echo "ssh-ed25519 AAAA... your-key-comment" >> /etc/dropbear/authorized_keys
SSH config entries (in ~/.ssh/config on homelab VM):
Host gl-mt3000
HostName 100.126.243.15
User root
Host gl-be3600
HostName 100.105.59.123
User root
📡 Headscale / Tailscale Setup on GL-inet Routers
GL-inet routers ship with a custom Tailscale build (tailscale-tiny). The standard install script does not work — use the GL-inet package manager or the pre-installed binary.
Joining Headscale
# 1. Generate a pre-auth key on the Headscale server
ssh calypso
sudo /usr/local/bin/docker exec headscale headscale preauthkeys create --user <numeric-user-id> --expiration 1h
# Note: --user requires numeric ID in Headscale v0.28, not username
# Find ID with: sudo /usr/local/bin/docker exec headscale headscale users list
# 2. On the GL-inet router shell:
tailscale up --login-server=https://headscale.vish.gg:8443 --authkey=<preauthkey> --accept-routes --advertise-routes=192.168.X.0/24 --advertise-exit-node --hostname=gl-<model>
# 3. Approve the subnet route and exit node on Headscale:
sudo /usr/local/bin/docker exec headscale headscale nodes list # get node ID
sudo /usr/local/bin/docker exec headscale headscale nodes approve-routes -i <ID> -r '0.0.0.0/0,::/0,192.168.X.0/24'
Tailscale Status
# Check status on the router
ssh gl-mt3000 "tailscale status"
ssh gl-be3600 "tailscale status"
# Check from Headscale
ssh calypso "sudo /usr/local/bin/docker exec headscale headscale nodes list"
Headscale v0.28 Command Reference
| Old command | New command |
|---|---|
headscale routes list |
headscale nodes list-routes --identifier <ID> |
headscale routes enable -r <ID> |
headscale nodes approve-routes --identifier <ID> --routes <CIDR> |
headscale preauthkeys create --user <name> |
headscale preauthkeys create --user <numeric-id> |
🔄 Tailscale Autostart on Boot
How GL-inet Manages Tailscale
GL-inet routers use a custom wrapper script /usr/bin/gl_tailscale that is called on boot by the tailscale init service. This wrapper reads UCI config from /etc/config/tailscale and constructs the tailscale up command automatically.
Important: The GL-inet wrapper calls tailscale up --reset ... on every boot, which wipes any flags set manually or stored in the state file. This means --login-server, --advertise-exit-node, and --hostname must be baked into the wrapper script itself — they cannot be set once and remembered.
Current Configuration (both routers)
Both routers have been patched so /usr/bin/gl_tailscale always passes the correct flags on boot. The relevant line in the wrapper:
gl-be3600:
timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s \
--accept-dns=false \
--login-server=https://headscale.vish.gg:8443 \
--advertise-exit-node \
--hostname=gl-be3600 > /dev/null
gl-mt3000:
timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s \
--accept-dns=false \
--login-server=https://headscale.vish.gg:8443 \
--advertise-exit-node \
--hostname=gl-mt3000 > /dev/null
The $param variable is built by the wrapper from UCI settings and includes --advertise-routes=192.168.X.0/24 automatically based on lan_enabled=1 in /etc/config/tailscale.
Persistence Across Firmware Upgrades
Both routers have /etc/sysupgrade.conf entries to preserve the patched files:
/usr/sbin/tailscale
/usr/sbin/tailscaled
/etc/config/tailscale
/usr/bin/gl_tailscale
/etc/init.d/tailscale-up
Re-applying the Patch After Firmware Upgrade
If a firmware upgrade overwrites /usr/bin/gl_tailscale (check with tailscale status — if "Logged out", patch was lost):
# SSH to the router
ssh gl-be3600 # or gl-mt3000
# Edit the gl_tailscale wrapper
vi /usr/bin/gl_tailscale
# Find the tailscale up line (around line 226):
# timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false > /dev/null
# Change it to (for be3600):
# timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false --login-server=https://headscale.vish.gg:8443 --advertise-exit-node --hostname=gl-be3600 > /dev/null
# Or use sed:
sed -i 's|tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false|tailscale up --reset --accept-routes $param --timeout 3s --accept-dns=false --login-server=https://headscale.vish.gg:8443 --advertise-exit-node --hostname=gl-be3600|' /usr/bin/gl_tailscale
update-tailscale.sh
There is a community script at /root/update-tailscale.sh on both routers — this is the GL-inet Tailscale Updater by Admon. It updates the tailscale/tailscaled binaries to a newer version than GL-inet ships in firmware. It also restores /usr/bin/gl_tailscale from /rom before patching for SSH support — re-apply the headscale patch after running this script.
🔧 Configuration & Setup
GL-BE3600 Primary Setup
Initial Configuration
# Access router admin panel
http://192.168.8.1
# Configure WAN connection
- Set to DHCP for hotel/public Wi-Fi
- Configure static IP if needed
- Enable MAC address cloning for captive portals
# Configure VPN
- Enable WireGuard client
- Import Tailscale configuration
- Set auto-connect on boot
Network Segmentation
# Private Network (192.168.8.0/24)
- Trusted devices (laptop, phone, tablet)
- Full access to homelab via VPN
- Local device communication allowed
# Guest Network (192.168.9.0/24)
- Untrusted devices
- Internet-only access
- Isolated from private network
Remote KVM (GL-RM1) Setup
Physical Connection
# Connect to target server
1. USB-A to server for keyboard/mouse emulation
2. HDMI/VGA to server for video capture
3. Ethernet to network for remote access
4. USB-C for power
# Network Configuration
- Assign static IP: 192.168.8.100
- Configure port forwarding: 8080 → 80
- Enable HTTPS for secure access
Tailscale Integration
# Install Tailscale on KVM device
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --accept-routes
# Access via Tailscale
https://gl-rm1.tail.vish.gg
IoT Gateway (GL-S200) Configuration
Thread Border Router Setup
# Enable Thread functionality
- Configure as Thread Border Router
- Set network credentials
- Enable Matter support
# Zigbee Coordinator Setup
- Configure Zigbee channel
- Set network key
- Enable device pairing mode
🛡️ Security Configuration
VPN Security
- WireGuard Tunnels: All traffic encrypted back to homelab
- Kill Switch: Block internet if VPN disconnects
- DNS Security: Use homelab Pi-hole for ad blocking
- Firewall Rules: Strict ingress/egress filtering
Network Isolation
- Guest Network: Completely isolated from private devices
- IoT Segmentation: Smart devices on separate VLAN
- Management Network: KVM and admin access isolated
- Zero Trust: All connections authenticated and encrypted
Access Control
- Strong Passwords: Unique passwords for each device
- SSH Keys: Key-based authentication where possible
- Regular Updates: Firmware updates for security patches
- Monitoring: Log analysis for suspicious activity
📱 Mobile Device Integration
Seamless Connectivity
# Device Auto-Connection Priority
1. GL-BE3600 (Primary Wi-Fi 7)
2. GL-MT3000 (Backup Wi-Fi 6)
3. GL-MT300N-V2 (Emergency)
4. Cellular (Last resort)
# Tailscale Configuration
- All devices connected to Tailscale mesh
- Automatic failover between networks
- Consistent homelab access regardless of uplink
Performance Optimization
- Wi-Fi 7: Maximum throughput for data-intensive tasks
- QoS: Prioritize critical traffic (VPN, video calls)
- Band Steering: Automatic 2.4GHz/5GHz selection
- Load Balancing: Distribute devices across routers
🔍 Monitoring & Management
Remote Monitoring
- Router Status: Monitor via web interface and mobile app
- VPN Health: Check tunnel status and throughput
- Device Connectivity: Track connected devices and usage
- Performance Metrics: Bandwidth, latency, packet loss
Troubleshooting Tools
- Network Diagnostics: Built-in ping, traceroute, speed test
- Log Analysis: System logs for connection issues
- Remote Access: SSH access for advanced configuration
- Factory Reset: Hardware reset button for recovery
🎯 Use Case Scenarios
Business Travel
- Hotel Setup: GL-BE3600 for secure Wi-Fi, KVM for server access
- Conference: GL-MT3000 for portable networking
- Emergency: GL-MT300N-V2 for basic connectivity
- IoT Devices: GL-S200 for smart device management
Extended Stay
- Primary Network: GL-BE3600 with full homelab access
- Smart Home: GL-S200 for temporary IoT setup
- Backup Connectivity: Multiple routers for redundancy
- Remote Management: KVM for homelab troubleshooting
Digital Nomad
- Mobile Office: Secure, high-speed connectivity anywhere
- Content Creation: High-bandwidth for video uploads
- Development Work: Full access to homelab resources
- IoT Projects: Portable development environment
📋 Maintenance & Updates
Regular Tasks
- Firmware Updates: Monthly security and feature updates
- Configuration Backup: Export settings before changes
- Performance Testing: Regular speed and latency tests
- Security Audit: Review firewall rules and access logs
Travel Checklist
- All devices charged and firmware updated
- VPN configurations tested and working
- Backup connectivity options verified
- Emergency contact information accessible
- Documentation and passwords secured
🔗 Integration with Homelab
Tailscale Mesh Network
- Seamless Access: All GL.iNet devices join Tailscale mesh
- Split-Brain DNS: Local hostname resolution while traveling
- Subnet Routing: Access homelab subnets via travel routers
- Exit Nodes: Route internet traffic through homelab
Service Access
- Media Streaming: Plex, Jellyfin via high-speed VPN
- Development: GitLab, Portainer, development environments
- Productivity: Paperless-NGX, Vaultwarden, file sync
- Monitoring: Grafana, Uptime Kuma for homelab status
This GL.iNet travel networking infrastructure provides enterprise-level connectivity and security for mobile work, ensuring seamless access to homelab resources from anywhere in the world.
Last Updated: 2026-03-11 (added Tailscale autostart section, gl_tailscale patch details, update-tailscale.sh note)