GL-iNet Travel Edge Configuration
Date: 2026-01-07
Router: GL.iNet GL-BE3600
Purpose: Always-on travel router + optional exit node
Architecture Decision
Exit Node: YES (Recommended for travel security)
Subnet Router: YES (Advertise 192.168.8.0/24)
Travel Mode: ENABLED (Portable security edge)
Step 1: Configure Tailscale on Router
Install Tailscale
Via SSH:
ssh root@gl-be3600.tailcf98b3.ts.net
# Install Tailscale
opkg update
opkg install tailscale
# Start Tailscale
tailscale up --authkey=tskey-...
Configure Hostname
Set hostname:
tailscale set --hostname=glinet-router
Or via Admin Console:
- Go to: https://login.tailscale.com/admin/machines
- Find router device
- Rename to: glinet-router
Step 2: Configure Subnet Routing
Advertise Subnet
Via SSH:
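ssh root@glinet-router.tailcf98b3.ts.net
# Advertise subnet
# "tailscale set" changes only the named settings; "tailscale up" is refused
# unless every non-default setting (such as the hostname) is restated.
tailscale set --advertise-routes=192.168.8.0/24 --accept-routes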
Approve in Admin Console:
- Go to: https://login.tailscale.com/admin/machines
- Find glinet-router
- Click "..." → "Edit"
- Approve subnet route: 192.168.8.0/24
Step 3: Configure Exit Node
Enable Exit Node
Via SSH:
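ssh root@glinet-router.tailcf98b3.ts.net
# Enable exit node
# "tailscale set" keeps the subnet route from Step 2; "tailscale up" with only
# these flags would be refused because it omits the other non-default settings.
tailscale set --advertise-exit-node --accept-routes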
Approve in Admin Console:
- Go to: https://login.tailscale.com/admin/machines
- Find glinet-router
- Click "..." → "Edit"
- Enable "Use as exit node"
Use Exit Node from Devices
From Mac:
# Use router as exit node
tailscale set --exit-node=glinet-router.tailcf98b3.ts.net
# Verify
curl ifconfig.me
# Should show router's public IP
# Disable exit node
tailscale set --exit-node=
Step 4: Configure WiFi SSIDs
SSID 1: BlueflySecure (Trusted)
Via SSH:
ssh root@glinet-router.tailcf98b3.ts.net
# Configure SSID
uci set wireless.@wifi-iface[0].ssid='BlueflySecure'
# psk2+ccmp is WPA2-PSK with CCMP; OpenWrt's value for WPA2/WPA3 mixed mode is sae-mixed
uci set wireless.@wifi-iface[0].encryption='psk2+ccmp'
uci set wireless.@wifi-iface[0].key='YOUR_SECURE_PSK'
uci set wireless.@wifi-iface[0].mode='ap'
uci commit wireless
wifi reload
Settings:
- SSID: BlueflySecure
- Security: WPA2/WPA3 Personal
- Channel: 149 (5GHz, avoid conflict with Deco)
- Band: 5GHz
- Client Isolation: Disabled (trusted network)
SSID 2: AgentMesh (Untrusted)
Via SSH:
ssh root@glinet-router.tailcf98b3.ts.net
# Configure second SSID
uci set wireless.@wifi-iface[1].ssid='AgentMesh'
uci set wireless.@wifi-iface[1].encryption='psk2+ccmp'
uci set wireless.@wifi-iface[1].key='DIFFERENT_SECURE_PSK'
uci set wireless.@wifi-iface[1].mode='ap'
# 'agentmesh' must exist as an interface in /etc/config/network
uci set wireless.@wifi-iface[1].network='agentmesh'
# Client isolation, per the settings below
uci set wireless.@wifi-iface[1].isolate='1'
uci commit wireless
wifi reload
Settings:
- SSID: AgentMesh
- Security: WPA2/WPA3 Personal
- Channel: 149 (5GHz)
- Band: 5GHz
- Client Isolation: Enabled (untrusted network)
Step 5: Configure Firewall Rules
Firewall Zones
Via SSH:
ssh root@glinet-router.tailcf98b3.ts.net
# Create AgentMesh zone
uci add firewall zone
uci set firewall.@zone[-1].name='agentmesh'
# input='REJECT' also rejects DHCP (UDP 67) and DNS (port 53) requests to the router,
# so agentmesh clients need explicit ACCEPT rules for those services.
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].network='agentmesh'
uci commit firewall
/etc/init.d/firewall reload
Firewall Rules
BlueflySecure → Internet:
# Allow outbound HTTP/HTTPS
uci add firewall rule
uci set firewall.@rule[-1].name='BlueflySecure-HTTP'
uci set firewall.@rule[-1].src='lan'
# dest makes this a forward rule; a rule with src and no dest matches traffic to the router itself.
# 'wan' is the default OpenWrt WAN zone name (assumed here).
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='80 443'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
AgentMesh → Internet:
# Allow outbound HTTPS only
uci add firewall rule
uci set firewall.@rule[-1].name='AgentMesh-HTTP'
uci set firewall.@rule[-1].src='agentmesh'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='443'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
AgentMesh → Tailscale:
# Allow Tailscale peer traffic (WireGuard, UDP 41641); the control plane uses HTTPS on 443
uci add firewall rule
uci set firewall.@rule[-1].name='AgentMesh-Tailscale'
uci set firewall.@rule[-1].src='agentmesh'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].dest_port='41641'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
Block AgentMesh → BlueflySecure:
# Block cross-zone access
uci add firewall rule
uci set firewall.@rule[-1].name='Block-AgentMesh-LAN'
uci set firewall.@rule[-1].src='agentmesh'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].target='REJECT'
uci commit firewall
# Apply the committed rules
/etc/init.d/firewall reload
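A check for the Step 5 rules, as an added example that is not part of the original page: in OpenWrt's firewall config a rule that names src but no dest is an input rule (traffic to the router itself), so it does not govern forwarded client traffic. The script audits "uci show firewall" output for that case and for forwarding from the untrusted zone into lan; the sample data, function names and finding labels are constructed for illustration.

```shell
# Constructed `uci show firewall` excerpt (sample data, not from a real router).
sample_fw() {
cat <<'EOF'
firewall.@zone[2]=zone
firewall.@zone[2].name='agentmesh'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@rule[9]=rule
firewall.@rule[9].name='AgentMesh-HTTP'
firewall.@rule[9].src='agentmesh'
firewall.@rule[9].dest_port='443'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].name='AgentMesh-Tailscale'
firewall.@rule[10].src='agentmesh'
firewall.@rule[10].dest='wan'
firewall.@rule[10].proto='udp'
firewall.@rule[10].dest_port='41641'
firewall.@rule[10].target='ACCEPT'
EOF
}

# audit_fw [UNTRUSTED] [TRUSTED]: reads `uci show firewall` on stdin and
# prints one finding per line; no output means no finding.
audit_fw() {
  awk -v u="${1:-agentmesh}" -v t="${2:-lan}" '
  { eq = index($0, "="); if (!eq) next
    key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
    gsub(/\047/, "", val)                    # strip the quotes uci prints
    n = split(key, p, ".")
    if (n == 2) { type[p[2]] = val; order[++cnt] = p[2] }  # section header
    else if (n == 3) opt[p[2], p[3]] = val                 # option line
  }
  END {
    for (i = 1; i <= cnt; i++) {
      s = order[i]; k = type[s]
      # src but no dest: an input rule, it opens the router itself
      if (k == "rule" && opt[s, "src"] == u && opt[s, "dest"] == "" && opt[s, "target"] == "ACCEPT")
        print "INPUT_RULE " opt[s, "name"]
      if (k == "forwarding" && opt[s, "src"] == u && opt[s, "dest"] == t)
        print "CROSS_ZONE_FORWARD " u "->" t
      if (k == "zone" && opt[s, "name"] == u && opt[s, "forward"] == "ACCEPT")
        print "ZONE_FORWARD_ACCEPT " u
    }
  }'
}

sample_fw | audit_fw agentmesh lan
```

On the router, pipe the live configuration in instead of the sample: uci show firewall | audit_fw agentmesh lan.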
Step 6: Configure DNS
Force Router DNS
Via SSH:
ssh root@glinet-router.tailcf98b3.ts.net
# Configure DNS
uci set dhcp.@dnsmasq[0].local='router'
uci set dhcp.@dnsmasq[0].domain='tailcf98b3.ts.net'
uci commit dhcp
/etc/init.d/dnsmasq restart
Block Outbound DNS
Via SSH:
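# Redirect outbound DNS to the router (force router DNS)
# -i br-lan (the default OpenWrt LAN bridge, assumed here) limits the redirect to LAN clients;
# without it, port-53 packets arriving on the WAN side are also redirected to the router's resolver.
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 ! -d 192.168.8.1 -j DNAT --to-destination 192.168.8.1
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 ! -d 192.168.8.1 -j DNAT --to-destination 192.168.8.1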
Step 7: Configure Cloudflare Tunnel (Migration)
Install Cloudflared
Via SSH:
ssh root@glinet-router.tailcf98b3.ts.net
# Download cloudflared
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64 -O /usr/bin/cloudflared
# Compare this hash with the checksum published with the release before running the binary
sha256sum /usr/bin/cloudflared
chmod +x /usr/bin/cloudflared
# Create config directory
mkdir -p /etc/cloudflared
Configure Tunnel
Config: /etc/cloudflared/config.yml
tunnel: f6da7bdf-d0f8-4796-a804-afb7984bbe11
credentials-file: /etc/cloudflared/f6da7bdf-d0f8-4796-a804-afb7984bbe11.json
ingress:
  # GitLab Duo Agent Mesh Gateway
  - hostname: mesh.bluefly.internal
    service: http://bluefly-m4.tailcf98b3.ts.net:3005
  # GitLab Webhook Endpoint
  - hostname: api.blueflyagents.com
    service: http://bluefly-m4.tailcf98b3.ts.net:3005
  # Catch-all
  - service: http_status:404
Run as Service
Create init script: /etc/init.d/cloudflared
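#!/bin/sh /etc/rc.common
# Run cloudflared under procd: it is supervised, restarted on exit,
# and does not block the boot sequence by running in the foreground.
START=99
USE_PROCD=1

start_service() {
    procd_open_instance
    procd_set_param command /usr/bin/cloudflared tunnel --config /etc/cloudflared/config.yml run
    procd_set_param respawn
    procd_close_instance
}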
Enable service:
chmod +x /etc/init.d/cloudflared
/etc/init.d/cloudflared enable
/etc/init.d/cloudflared start
Step 8: Travel Mode Configuration
WAN Modes
Ethernet (Primary):
- Connect Ethernet cable to router WAN port
- Router uses Ethernet as WAN
WiFi Repeater (Secondary):
- Router connects to hotel WiFi
- Router creates secure WiFi network
USB Tethering (Tertiary):
- Connect phone via USB
- Router uses phone's internet
Configure WiFi Repeater
Via SSH:
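ssh root@glinet-router.tailcf98b3.ts.net
# Enable WiFi repeater
# Note: wifi-iface[0] is the BlueflySecure AP from Step 4; these commands switch that
# interface to client mode. To keep the AP up, apply them to a separate wifi-iface section.
uci set wireless.@wifi-device[0].disabled='0'
uci set wireless.@wifi-iface[0].mode='sta'
uci set wireless.@wifi-iface[0].ssid='HotelWiFi'
uci set wireless.@wifi-iface[0].key='HotelPassword'
uci commit wireless
wifi reload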
Step 9: Verify Configuration
Check Tailscale
ssh root@glinet-router.tailcf98b3.ts.net
tailscale status
# Should show: glinet-router, subnet routes, exit node
Check Firewall
ssh root@glinet-router.tailcf98b3.ts.net
iptables -L -n -v
# Should show firewall rules
Check WiFi
ssh root@glinet-router.tailcf98b3.ts.net
uci show wireless
# Should show: BlueflySecure, AgentMesh
Check Cloudflare Tunnel
ssh root@glinet-router.tailcf98b3.ts.net
ps | grep cloudflared
# Should show: cloudflared running
Security Checklist
- Tailscale installed and configured
- Hostname set: glinet-router
- Subnet routing enabled: 192.168.8.0/24
- Exit node enabled
- WiFi SSIDs configured: BlueflySecure, AgentMesh
- Firewall zones configured
- Firewall rules configured (isolation)
- DNS forced to router
- Cloudflare Tunnel migrated (optional)
- Travel mode configured
Troubleshooting
Router Not Reachable via Tailscale
- Check Tailscale status:
ssh root@glinet-router.tailcf98b3.ts.net
tailscale status
- Re-authenticate if needed:
tailscale up --authkey=tskey-...
Exit Node Not Working
- Check exit node enabled:
  - Tailscale Admin Console → Machines
  - Verify "Use as exit node" enabled
- Check device configuration:
tailscale set --exit-node=glinet-router.tailcf98b3.ts.net
WiFi Not Broadcasting
- Check WiFi configuration:
ssh root@glinet-router.tailcf98b3.ts.net
uci show wireless
wifi reload