Starting OpenWRT on GL.iNet Routers for New Users

[TanKianW]

FOREWORD:
Even though COVID19 restriction has not loosen much since the pandemic hit us in 2020, and it is still tough to travel abroad for vacation or business in 2021. However for some of us, we might still go for local staycation in hotels or prepare our overseas trip for essential businesses when the restriction loosen in the next few months (fingers crossed). So why not start preparing or look for solutions to provide ourselves with practical, reliable and secure internet when traveling? I guess some of the forumers here with satki "homelab" felt helpless or stripped down to the bare minimal when traveling. So let's take some time to also find ways to secure the internet while we are traveling regardless whether we are a techie or just network beginners. This lead us to one of the solutions which I will be covering here: The travel router from GL.iNet running OpenWRT.

*Take note that GL.iNet firmware is still consider a "fork" based on the OpenWRT. It is still configurable and could install packages for different applications. But it is still a good start for someone new to OpenWRT.

Objectives:​

• Yet again, to promote open source and remove some fear factor and obstacles for new users​
• Secure the internet even for individuals that travel overseas that constantly connect to unsecured internet from hotels, cafe or other hotspots.​
• Since most of us will not be lugging our network gear while traveling, we will have to look for "good enough" practical alternative to secure our internet access.​
• Simple and straight forward set up for your travel router connecting back to your "satki" network back at home, if any.​

NOTE: There may be longer lead time between the update to this thread from time to time, due to my current back to ofc arrangement, but I will try to contribute as much as I can when I have time to post on the forum. Therefore, please be patient with me. At times, I might refer back to the network infrastructure which I have set it up at home. You can check it out here:

TrueNAS Core (DIY NAS):
https://forums.hardwarezone.com.sg/threads/starting-truenas-core-for-new-users.6480129/
pfSense Firewall/Router:
https://forums.hardwarezone.com.sg/threads/starting-pfsense-for-new-users.6390714/

Experiences: I have been using GL-iNet Travel routers such as the Slate GL-AR750S & Mango for quite a while when traveling abroad and find them portable, reliable and yet met the needs of "techie individuals".

The GL-iNet router I will be using here will be the Beryl GL-MT1300. Just to be clear, I am in no position promoting the router since I am not paid by them for advertising and I paid for the router using my own dollars. They do have many models of travel routers which you could take a look at to suit your travel needs.

Beryl GL-MT1300: https://www.gl-inet.com/products/gl-mt1300/

Some of their other travel routers:
GL-AR750S Slate: https://www.gl-inet.com/products/gl-ar750s/

GL-MT300N-V2 Mango: https://www.gl-inet.com/products/gl-mt300n-v2/

Close Up shots of the travel router GL-MT1300
Complete box shot:

Front with collapsible antennas, side with configurable toggle switch and reset switch:

Rear with 3 Gigabit ports, USB 3.0 and type C power:

Side with MicroSD slot:

 

[TanKianW]

*Connection Mode: Tethering, Cable, Repeater and Modem*

The Different connection mode of the GL.iNet router. Extremely useful to frequent travelers or staycation families like mine. Sometimes the internet connections in cafe, hotels, hostels, rental place, villas, and hotspot could be very dynamic. And the router proof to be very versatile in this area.​

Connecting (LAN Cable) to Fiber internet with 1G speed upstream:

Connecting (USB) to Phone or mobile USB dongle tethering:

Connecting (USB) to 3G/4G Modem:

Connecting to existing Wifi as a repeater:

The mobile modem, mobile hotspot (Mifi) and mobile USB dongle I used:

*NOTE: Here I am using an industrial mobile modem carrier card that allows me to change out the modem cards and easily powered off a USB type C connector. It is running a compatible Huawei 4G modem

 

[TanKianW]

*Setting up WireGuard VPN on the GL-iNet Travel Router WebGUI

You can SSH into OpenWRT (using PuTTy) and set up the WireGuard VPN OR just choose to use the simple and intuitive WebGui by GL.iNet. I choose to use the WebGUI here, if you are interested and confident to SSH in and play around, please go ahead.

Pr-requisite: You need to set up a WireGuard VPN server. I am using a backend WireGuard Server on my pfSense appliance. Feel free to check it out here on the configuration if you are interested:​

https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-19#post-135190737

*Just to be clear. I have enabled "hardware off-loading" earlier before the tests:

Step 1:

Since the WebGUI interface do not generate a proper WG public and private key, you can generate it using a WG client app on Windows as show below. Then save the public and private keys somewhere. You will need to key in the public keys when creating a peer account on your WG server (Eg on pfSense). You will need the private keys later.​

Step 2:

Key in your private keys which you save earlier on the "Interface" section, followed by the public keys from your WG tunnel server in the "Peer" section. Do ensure that the IP address you input here is within the same range you set in your WG tunnel server. Since you may be connecting from a dynamic IP (Eg. CGNAT or Mobile SIM) while traveling, set the Allowed IPs to 0.0.0.0/0.​

Step 3:

Test it out by activating it using the WebGUI. You will see a "Green" dot showing it has been set-up correctly. If not, you will see a "Yellow" dot for not setting it up properly. I recommend to set up the toggle button on the travel router, where you can easily switch on and off the properly setup WG VPN.​

NOTE: I recommend users to NOT update the base OpenWRT of the GL-iNet travel router to the vanilla version of OpenWRT. Reason is simple, you still want to keep the easy to use WebGUI and some drivers are still proprietary to GL-iNet firmware. So when you update the base OpenWRT to the vanilla version, you lost some of the valuable function of the travel router. If you are serious in playing around with OpenWRT, do get a compatible router with OpenWRT. I will recommend compatible 'industrial developers board." If you do "Brick" your GL-iNet travel router, you can check out here to "debrick" it using the built-in U-Boot function.​

 

[TanKianW]

**Setting up VLANs on OpenWRT using Luci GUI**

Just to be clear, you really do not need to set up VLANs for a travel router where you likely only has 3-4 devices connected to it. However, if you do bring the travel router for vacation with a large family, it does make some sense to set up VLANs. Any way, since you are tech-geek of the family who still think about network security even on vacation, so why not also set up VLANs for your travel network or maybe boast to your family members that their network is seggregated into VLANs which they probably do not care?!

Step 1:
Navigate to the GL.iNet admin panel, More settings -> Advanced, then followed by installing the Luci GUI option here:

Step 2:
Log into OpenWRT Luci interface by clicking the advance option provided by the GL.iNet admin panel. Password is the same one you use for the admin panel. Take note that my Luci GUI may look different from yours, reason being I have installed the "material" themed version of Luci. You can do the same under the Application -> plugin to search and install the theme.

Step 3:
Under Network -> Switch settings, create a new VLAN ID here, I call it 3 here. And follow the tagged and untagged setting shown below. You see 5 LAN interfaces here is because by default the MTK CPU supports up to 5, but only 3 is usable since your router only has 3 physical ethernet ports. You need to tagged all VLANs under the CPU column to make sure it works.

Step 4:
Under Network -> Interface, create the interface (i name it VLAN33). Do set the IP address here, I will go with 192.168.33.XX here.

You need to choose the interface you like to use with this VLAN under the "Physical settings". If you want different SSID to be on different VLANs, you can bind it to a physical interface here. Do check the "Bridge interface" here. For my case, binding the 2G wireless SSID and eth0.3 means any devices using 2G wireless SSID and eth0.3 port will be on VLAN3 with 192.168.33.XX IP address. Do remember to click save and apply. Sometimes you might need to reboot the router for the setting to kick in.

Step 5:
Test it out on your wireless and LAN port connection with the new VLAN set up. You should be good to go. Below showing different SSIDs connecting to different VLANs on my mobile.

 

[TanKianW]

**Inter-VLAN "Zone Blocking" on OpenWRT**

You can use the zone firewall blocking functions of the OpenWRT Luci GUI to block the secondary (non-admin zone) VLAN from accessing the main (zone) VLAN.

Objectives you want to achieve here:​

• Block secondary or guest VLANs to access the admin LAN​
• Allow admin LAN to access the secondary or guest VLANs​
• Allow secondary or guest VLANs to access the internet​

To help some to better understand the IP tables in Linux, this diagram should provide a good picture without diving too deep in....yet. A step deeper will include the "mangle" and "filter" which are also commonly used in MikroTik RouterOS firewall since both are on Linux. Feel free to check out more, if you are interested.

Step 1:
Create the named "VLAN33" Zone entry by clicking "ADD" below and simply input the information shown below other tabs could just leave it at default. To explain the configuration: what I'm trying to do here is to block the access of firewall (block input) from VLAN33 but allow admin LAN to access and (accept) forward requests to the WAN. At the same time, you want VLAN33 traffic to be able to process through the router (accept output). This will make more sense in Step 4:

Step 2:
Edit the default "LAN" Zone entry as shown below. This will allow the admin VLAN to access the firewall and also to VLAN33:

Step 3:
Check to ensure that your zone firewall section looks like the picture as shown below:

Step 4:
With the above configurations, you have blocked all traffic for your VLAN33 to your router, including important services like DHCP and DNS which is essential for internet access. Therefore, you need to create the exceptions for these traffic to pass through to be process by your router (Reason why in Step 1, you selected "accept output"). Add in the traffic exceptions as shown below on Network -> Firewall -> Traffic Rules Tab, add, name the rule, key in port 53, 67 and 68, save and finally save & apply:

Step 5:
If you have done everything correctly, you should be able to access the internet from admin VLAN and VLAN33. But on VLAN33, you should no longer has access to the router page anymore.

Video Tutorial
For those who still could not follow the step by step guide, feel free to check out this video. The Youtuber explained it quite clearly even for beginners:
​

 

[TanKianW]

**Recommendations on Install Packages for OpenWRT on GL.iNet travel Router**

As a travel router with limited install space for large packages, I will keep my recommendations to practical installs for a travel router its size. If I really intend to run more advanced and reliable package installs or functions on a router, I will be looking on other solutions (Eg. pfsense), but that could just be me. And I doubt such advanced functions are even necessary for professionals that is on the move. Some of the packages like WireGuard has been pre-installed on the router itself, therefore there should only be a few more you need unless you are feeling adventurous. Just take note that not all packages from the download repo are "tested" to work well on the router, therefore do try it at your own risk.

NOTE: You can find the list of install packages on GL.iNet Admin Panel or Luci interface under System -> Applications, to check out what packages has been installed and what are the extra packages you may want to install.

*Smart Queue Management (SQM)*
With limited bandwidth while you are on the move, I will think managing the bandwidth is pretty important to prevent someone or some devices hogging the network. If you have created VLANs, you can choose the interface to deploy SQM.

SQM in action (VLAN33) on OpenWRT:

*Simple Adblock for Luci*
This is a pretty light weight and self configured adblock package which you can try out. Even though AdGuard is the more popular choice, I find this package more suitable on a travel router.

Simple adblock interface:

Theme for OpenWRT Luci
It could just be me but I find the generic bootstrap theme extremely......generic. You can try a few theme (rosy?) but I find the "Material" theme strike a balance between function and GUI aesthetic.....though it still look quite basic...

Material theme on OpenWRT:

​

 

[TanKianW]

Part 1: Setting up and Pre-Configuring GL.iNet Travel Router on Firmware Version 4.X.XX

It has been a while since I upgraded the firmware of my travel router, so this time round I will take this chance to set up and re-configure the GL-iNet travel router for the upcoming year-end vacation with my family. I will be setting up 2x VPNs (Wireguard as main and Tailscale as standby), network attached storage (Samba share for storing and backing up photos) and maybe some security features like DNS filter and Adblocker (Adguard Home). Since I am using a Beryl GL-MT1300, I will be limited by the storage of the 32MB NOR flash for installing Apps/Plugins. However, to work around this limitation, I could easily use the "Mount Points" feature with the built-in TF card slot for storage expansion. Officially some of the apps/plugins/packgaes are "not by default" installed, such as the network storage (NAS) plugin which has been removed after the recent upgrade (due to limited internal storage capacity on Beryl), the same goes for Tailscale (beta), Tor router and Adguard home packages. But since the underbelly of GL-iNet router is actually "OpenWRT".......all things are possible! In fact with Beryl, the extra TF card slot and the USB 3.0 port could be put to good use with much more room for customisations. We will also install official GL.iNet packages in order to configure it from the user-friendly GUI page by GL.iNet.

Step 1: Upgrade the Router's firmware
I will upgrade my router firmware to the latest 4.X.XX (4.3.19 for my case of Beryl GL-MT1300). I chose the U-boot flash method to wipe everything and set it up from ground zero.

Step 2: Expand the router's internal storage for Apps/Plugins installation
I will access the option under the Luci interface, System -> Mount Points. Select the attached SD (TF) card as the mount point for /overlay to increase the plugin/app storage capacity. Save and reboot. Take note that the router will reset to default and the GUI access IP will reset back to 192.168.8.1. The new firmware has made this really easy to set up without the need for any CLI.

Step-by-step configuration can also be found: HERE

NOTE: Do format the SD card to the ext4 file system before using it for storage expansion. You can either format it in the router which is slow (through SSH) or format using a Linux machine which is much faster. OR do a vUSB passthrough on a hypervisor running Linux VMs.

Step 3: Install all the Required Apps/Plugins/Packages
Install all Apps/Plugins/Packages listed below. We will be downloading the native "gl-sdk4-ui-#your_app#view" packages for all the apps we are using so that we can configure it on the default user-friendly GL.iNet GUI. Some of the apps such as Adguard Home and Tailscale will require you to install their official package too. Just do a simple filter search will do.

NOTE: You will realise the "free space" on the top left-hand side of the Software page shows the storage space of your SD card if all are set up correctly in Step 2.

Step 4: Reboot and Configure the Apps/Plugins and (my) Settings
From here onwards, with the GL-iNet UI plugins and APIs installed, you could just configure all under the default router page.

1. Enable IPv6
Simply enable and select passthrough for most cases, especially for our fibre BB. The router will restart and you will receive an IPv6 address after that.

2. Setup WireGuard (main VPN):
Configuring it as a VPN client, since I will be running my pfsense as the WG server and routing all my traffic through my firewall to bypass country restrictions. Key in all the essential information for your tunnel and peers like what you normally do, Eg. public keys, private keys, UDP ports, registered domain name if you have one (instead if IP address), etc. Choose "Item mode"

For ease of enabling and disabling WG VPN, suggest setting up the side toggle button

3. Setup Tailscale (Standby VPN):
This is easy on the GL.iNet router GUI. Under Applications -> Tailscale options, toggle to enable Tailscale, suggest leaving the other two options uncheck unless you need it. Then follow the on-screen prompt to bind the router to tailscale. You will be asked to log into your existing tailscale account or just create one. I will be running my pfsense firewall as the "exit node" so all traffic will pass through it when I log onto tailscale.

You will also see that your router (OpenWRT) was connected to the tailscale admin page.

NOTE: If you are leaning more towards Zerotier, it is also supported by GL-iNet router which could be easily configured under the applications section. Just install the official ZT packages and the official "gl" packages.

4. Install and Configure AdGuard Home
This can be easily done by just toggling to enable AdGuard Home. For more settings, you could do it in the Settings page.​

NOTE: You should bind your router to Tailscale before enabling AdGuard Home, just in case the DNS was blocked. And once AdGuard Home is enabled, the router must use the DNS server provided by AdGuard Home, you can't customize DNS servers under the DNS settings.​

 

[TanKianW]

Part 2: Setting up and Pre-Configuring GL.iNet Travel Router on Firmware Version 4.X.XX

Connecting to a portable SSD for backing up photos on the move

5. Install network-attached (nas) packages
Install all the "nas" packages listed below from the Luci interface (preferred) with the "gl" start heading packages.

This is where you will be able to configure the network storage on the GL.iNet WebGUI, create samba share and access through the network when connected to the router on the move.

The GL.iNet router app has also made it very easy and intuitive to back up your photos when you are travelling on vacation or on the move. You can also easily create a folder and enable Samba to share it with your family members who are connected to the travel router.

6. Install ClamAV and fresh-clam
This is for scanning connected disks and file systems (attached storage). Install the packages shown below and leave all as default. Since this is not present in the GL.iNet GUI, you can only configure it on the Luci GUI side. Install "fresh clam" to update the virus definitions.

7. (Optional) Install the Tor router
if you need the "Anonymity", installing the Tor router plugins may be what you are looking for. Install the software packages below and use the GL.iNet GUI to do the configuration.

8. Other Misc Settings
Enable IGMP Snooping v3. Followed by Enable HW acceleration on the GL-iNet GUI without going the CLI route

Set the Multi-WAN failover/load-balance. Useful when you connect to the hotel wired, wireless and mobile tether at the same time.

 

[xiaofan]

Nice one.

This portable router seems to include quite some features.

Now that Linksys EA7500 V2 and EA8100 v1 have working OpenWRT port, if one does not need portability, maybe they are good low cost choices as well. But I am not so sure if it is easy to install some of the add-on features. By right, OpenVPN/wireguard should not be so difficult to install on the vanilla OpenWRT installation. Not so sure about others. I have only played with simple OpenWRT features with my WRT-1900AC and EA7500 V2 (using as router, AP or wireless bridge), not so much on firewall, VPN or VLAN.

 

[TanKianW]

Updated on Post #1

Close Up shots of the travel router GL-MT1300

 

[Apex]

I been using GL-AR750S for awhile.

Quite stable. havent found any issue yet. (plus busy don't have much time to explore)

Very compact body also.

 

[TanKianW]

I been using GL-AR750S for awhile.

Quite stable. havent found any issue yet. (plus busy don't have much time to explore)

Been using the Slate for quite a while until I upgraded to Beryl.

Works well too but heat up easily when loaded. I prefer the size though.

 

[Apex]

Been using the Slate for quite a while until I upgraded to Beryl.

Works well too but heat up easily when loaded. I prefer the size though.

Yes it get a little warm when u load the router. But so far nv hung on me yet.

At one point I did consider to upgrade to Beryl but decided to wait until Slate spoil first. Since not much different (to me).

Is a good router (for the performance and size) for those who wanna place a router in the DB box. But for $83 (today price) there are a lot other router we can choose from also.

 

[TanKianW]

*Updated on Post #2

*Connection Mode: Tethering, Cable, Repeater and Modem*

The Different connection mode of the GL.iNet router. Extremely useful to frequent travelers or staycation families like mine. Sometimes the internet connections in cafe, hotels, hostels, rental place, villas, and hotspot could be very dynamic. And the router proof to be very versatile in this area.​

 

[blimey]

Interesting. Correct to say one can essential use this as a vpn router for streaming services like Netflix etc?

 

[TanKianW]

*WireGuard VPN Speedtest on GL.iNet Beryl Travel Router with 1G Fiber Upstream*

*Just to be clear. I have enabled "hardware off-loading" earlier before the tests:

*Backend WireGuard Server running on pfSense. Interested can check out more here:
https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-19#post-135190737

With WireGuard OFF:

With WireGuard ON:

Marketed WireGuard Speed:

 

[TanKianW]

*Updated on Post #3

*Setting up WireGuard VPN on the GL-iNet Travel Router WebGUI

You can SSH into OpenWRT (using PuTTy) and set up the WireGuard VPN OR just choose to use the much simpler and intuitive WebGui by GL.iNet. I choose to use the WebGUI here, if you are interested and confident to SSH in and play around, please go ahead.

*Tidy up the thread, please see above on Post #3​

 

[xiaofan]

What is the capability of the wireguard server? For example if you use a Windows PC client or a mobile client, what is the speed?

Just want to know how bad (or how good) is the common MTK CPU in these openwrt routers.

 

[xiaofan]

I tend to believe the best way to play with openwrt is still those mini PCs with low power Intel CPU and with at least two Intel based gigabit Ethernet card, basically similar to pfSense but with much lower requirements on memory (1GB will be more than enough but typically minimum configuration is 4GB RAM and 32GB SSD, which are more than enough for OpenWRT, and also sufficient for pfSense for home use).

 

[TanKianW]

What is the capability of the wireguard server? For example if you use a Windows PC client or a mobile client, what is the speed?

Just want to know how bad (or how good) is the common MTK CPU in these openwrt routers.

With my experiences with MTK CPU, also seen in some MikroTik RouterBOARD, I will assume it is around the 50-80 range, though I have not actually tested it (I might be wrong). I think most using the travel router will be connecting it as "Peer" instead of running it as a "Tunnel server" with its limited computing power and bandwidth in a mobile environment. Maybe when I have more time, I will set it up as a server.