Travel Routers

Travel Routers

Travel routers are compact, portable networking devices commonly used by security professionals, military personnel, and privacy-conscious travelers. This guide focuses on the GL.iNet ecosystem — particularly the Mudi V2 (GL-E750V2) — covering privacy hardening, automated reconnaissance, and field deployment.

For general router security, see Router Hardening.

Why a Travel Router?

• Network isolation — Place an encrypted tunnel between you and untrusted hotel/airport WiFi
• Consistent security posture — Same firewall rules, DNS, and VPN everywhere you go
• Portable recon platform — GPS logging, spectrum analysis, and packet capture in a pocket-sized device
• Cellular failover — Models with LTE/5G provide independent backhaul

GL.iNet Model Comparison

Model	CPU	RAM	Wi-Fi	Battery	Cellular	Best For
Mudi V2 (GL-E750V2)	QCA9531 @ 650 MHz	128 MB	AC750	7,000 mAh	LTE Cat-12	Mobile recon, wardriving
Mudi 7 (GL-E5800)	Qualcomm QC 2.2 GHz	2 GB	AX WiFi 7	5,380 mAh	5G NR	Next-gen mobile recon (~$370) 1
Beryl AX (GL-MT3000)	MT7981B @ 1.3 GHz	512 MB	AX3000	None	None	Hotel/travel VPN gateway
Slate AX (GL-AXT1800)	IPQ6000 @ 1.2 GHz	512 MB	AX1800	None	None	Best upstream OpenWrt support
Puli AX (GL-XE3000)	MT7981B @ 1.3 GHz	512 MB	AX3000	6,400 mAh	5G NR	5G mobile (higher cost)
Flint 2 (GL-MT6000)	MT7986A @ 2.0 GHz	512 MB	AX6000	None	None	Home base station (not portable)

Choosing a Model

The Mudi V2 is the only model with built-in battery + cellular + compact form factor at ~$130. The new Mudi 7 (announced CES 2026) adds WiFi 7, 5G NR, 2 GB RAM, dual SIM + eSIM, and a 2.8” touchscreen — but at 3x the price. For pure compute (Kismet, heavy logging), the Beryl AX or Slate AX have 4x the RAM and faster CPUs — but require external power and cellular.

GL.iNet Mudi V2 Specs

• SoC: Qualcomm QCA9531 @ 650 MHz (MIPS24Kc), ath9k driver (supports monitor mode on 2.4 GHz)
• Modem: Quectel EM060K (LTE Cat-12, swappable Mini PCIe), GNSS capable via AT commands
• Storage: 16 MB NOR + 128 MB NAND + microSD up to 1 TB
• Ports: 1x USB 2.0, 1x 10/100 Ethernet (LAN/WAN), nano-SIM slot
• Display: OLED status screen (IP, signal, battery)
• Battery: 7,000 mAh LiPo (~8 hours moderate use, <6 W draw)
• Dimensions: 145 x 78 x 23 mm, 285 g
• Firmware: GL.iNet SDK 4.x (based on OpenWrt 22.03, kernel 5.15)
• Default IP: 192.168.8.1 (SSH on port 22, user root)

Firmware: GL.iNet SDK vs Vanilla OpenWrt

GL.iNet ships a proprietary overlay on top of OpenWrt. Security-conscious users should understand the tradeoffs.

	GL.iNet SDK 4.x	Vanilla OpenWrt
Pros	VPN wizard, cellular modem UI, OLED driver, AdGuard Home toggle	Direct upstream security patches, smaller attack surface, full package catalog, community-audited 2
Cons	Slower CVE patch cadence, 15 telemetry packages pre-installed, unaudited proprietary components 3	Lose GL.iNet UI, cellular modem requires manual AT commands, no OLED status
Mudi V2 support	Full support	Not available — V2 has no upstream OpenWrt target 4

Mudi V2 Firmware Lock-in

The GL-E750V2 does not have a merged upstream OpenWrt target as of April 2026. You must use GL.iNet firmware. The original GL-E750 (V1) has upstream support. If long-term vanilla OpenWrt matters, the Slate AX (GL-AXT1800) is the better base. ⁴

Known GL.iNet CVEs

GL.iNet publishes security advisories at gl-inet.com/security-updates. Notable issues:

CVE	Date	Severity	Description
CVE-2024-39227	Aug 2024	Critical	Unauthenticated RCE via gl-rpc path traversal + arbitrary library loading 5
CVE-2024-39226	Aug 2024	High	Authenticated command injection via s2s (root execution) 5
CVE-2024-57391	Apr 2025	High	Post-auth command injection 6
CVE-2025-2850	Apr 2025	Medium	Unauthorized file download 6
CVE-2025-2851	Apr 2025	Medium	Buffer overflow via plugins.so 6

Verify Firmware Version

Before any sensitive use, confirm your firmware is at or above the patched version for your model. Check the GL.iNet Security Advisories page.

---

Privacy Hardening

Mudi Configurator (Android App)

The mudi-configurator is an Android application that automates privacy and security hardening of GL.iNet routers over SSH — directly from your phone.

Credit: David L (@samedayhurt)

Supported models: GL-E750 (Mudi, fw 4.3.8+), GL-AXT1800 (Slate AX, fw 4.5.16+), GL-MT1300 (Beryl, fw 4.0+), GL-AR750S (Slate, fw 4.0+), GL-X3000 (Spitz AX, fw 4.0+)

What It Does

1. Removes GL.iNet telemetry — Strips 15 cloud/analytics packages:

   gl-cloud  gl-sdk4-cloud  gl-cloud-ui  gl-mqtt  mqtt
   gl-rtty   rtty-openssl   gl-traffic   gl-bigdata
   gl-upload gl-tertf       gl-ddns      gl-s2s
   gl-gps    gl-siderouter

2. Installs LuCI — Replaces GL.iNet’s proprietary UI with the standard OpenWrt web interface

3. MAC address spoofing — Randomizes WAN MAC using client-device OUIs (Apple, Samsung, Google, Dell, HP — 400+ OUIs) and radio MACs using router OUIs (Ubiquiti, Cisco, Netgear — 50+ OUIs)

4. Hostname randomization — Prevents router fingerprinting by generating random or custom hostnames

5. Firewall hardening — Blocks WAN inbound traffic, disables IPv6, sets TTL to 65 via iptables mangle rules (bypasses mobile hotspot tethering detection)

6. VPN configuration — Supports OpenVPN, WireGuard, L2TP/IPSec, PPTP, IKEv2 with kill-switch

7. DNS override — Cloudflare, Quad9, AdGuard, Mullvad, or custom DNS

8. Blue-merle IMEI randomization (Mudi GL-E750 only) — Downloads and installs the SRLabs blue-merle package for IMEI changes via shell, AT command, QMI, or MBIM

IMEI Legal Warning

Changing IMEI numbers is illegal in many jurisdictions, including the UK (Theft Act 1968), parts of the EU, and India. In the US, legality varies by state and use case. Only modify IMEI with proper authorization and legal guidance for your jurisdiction.

Getting Started

The app must be built from source (no published APK):

git clone https://github.com/samedayhurt/mudi-configurator.git
cd mudi-configurator
./gradlew assembleDebug
# Install APK from app/build/outputs/apk/debug/

The app connects to your router over WiFi via SSH (port 22, user root) and presents a before/after comparison of all changes before applying them.

No License File

The README claims MIT but no LICENSE file exists in the repository as of April 2026. Verify licensing before redistributing or forking.

Manual Hardening (Without the App)

If you prefer SSH-based hardening without the Android app:

# Connect to router
ssh root@192.168.8.1

# Remove telemetry packages
opkg remove gl-cloud gl-sdk4-cloud gl-cloud-ui gl-mqtt mqtt \
  gl-rtty rtty-openssl gl-traffic gl-bigdata gl-upload gl-tertf \
  gl-ddns gl-s2s gl-gps gl-siderouter

# Verify removal
opkg list-installed | grep gl-

# Install LuCI
opkg update && opkg install luci

# Restrict SSH to LAN only (prevent WAN exposure)
uci set dropbear.@dropbear[0].Interface='lan'
uci commit dropbear
service dropbear restart

# Change LAN subnet (avoid 192.168.8.x double-NAT conflicts in hotels)
uci set network.lan.ipaddr='10.70.74.1'
uci commit network

# Disable IPv6
uci set network.lan.ipv6='0'
uci set network.wan.ipv6='0'
uci commit network

# Set TTL to 65 (bypass tethering detection)
iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-set 65

# Change DNS to Cloudflare
uci set network.wan.dns='1.1.1.1 1.0.0.1'
uci commit network
/etc/init.d/network restart

For a more detailed hardening walkthrough, see Logan Marchione’s Beryl travel router with OpenWrt guide. ⁷

Encrypted DNS (DoT / DoH)

GL.iNet firmware 4.x supports four encrypted DNS modes natively in the web UI: DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), DNSCrypt-Proxy, and Oblivious DoH (ODoH). See the GL.iNet DNS documentation for the built-in configuration. ⁸

For full control with Unbound + DNS-over-TLS:

opkg update
opkg install unbound odhcpd unbound-control
opkg remove dnsmasq

Add to /etc/unbound/unbound_ext.conf:

forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
  forward-ssl-upstream: yes

For more detail, see the GL.iNet blog post on DNS-over-TLS with Unbound. ⁹

VPN Configuration

On low-power MIPS/ARM routers like the Mudi V2 (QCA9531), WireGuard throughput is 2-3x higher than OpenVPN due to kernel integration and ChaCha20-Poly1305 (hardware AES is absent). ¹⁰

Kill switch — The most reliable method on OpenWrt is firewall-based: remove WAN from the LAN firewall zone’s “Allow forward to destination zones.” When the WireGuard interface drops, the firewall drops all forwarded traffic instead of falling back to cleartext. This is more reliable than software kill switches that die with the VPN process. ¹¹

Split tunneling — Provision two VLANs via OpenWrt: one routes through the VPN interface, one through WAN directly. Policy-based routing (ip rule / ip route table) selects which VLAN a client joins. GL.iNet SDK 4.x also has a built-in “VPN Policy” feature in the web UI. ¹²

Blue-Merle IMEI Randomization

blue-merle v3.0 (June 2025) is the current release, supporting both GL-E750 (V1) and GL-E750V2 on firmware up to 4.3.26. ¹³

How it works:

• Sends AT+EGMR command to the Quectel baseband over the AT command port to change the IMEI
• Radio is brought offline first to prevent the old IMEI from registering during transition
• Two generation modes:
  • Deterministic — Hashes the SIM’s IMSI to produce a repeatable IMEI per SIM (consistent pseudonym across power cycles)
  • Random — Cryptographically random IMEI each activation
• Also randomizes: WAN MAC, WiFi BSSID, and wipes the MAC association log (prevents forensic recovery of connected client devices) ¹⁴

v2.0 fixes (October 2023): v1 did NOT randomize the upstream MAC when the router was in repeater mode — v2.0+ fixes this by modifying glconfig.general.macclone_addr. ¹⁴

OPSEC requirements:

• Always change physical location between SIM swap and IMEI swap — registering a new IMEI from the same cell tower as the old one defeats the purpose
• Never co-locate the IMEI-randomized device with identity-linked devices
• The deterministic mode is generally preferred — it produces the same IMEI for a given SIM, avoiding the suspicion of a brand-new IMEI on every boot

Install via opkg (v3.0+):

opkg update
opkg install blue-merle

A mirror with LuCI web interface branch is available at git.hackliberty.org if srlabs.de is inaccessible. ¹⁵

---

Cellular OPSEC

Separate Threat Surface

A travel router with VPN protects IP-layer traffic only. Voice calls, SMS, and any traffic that traverses the cellular baseband directly bypass the router entirely. The cellular and IP threat surfaces must be addressed separately.

IMSI Catcher Detection

Rayhunter (EFF, March 2025) is an open-source IMSI catcher detector that runs on a $20 Orbic RC400L hotspot. It analyzes control-plane traffic between the hotspot and cell tower, flagging 2G downgrade requests and anomalous IMSI disclosure events. ^{16 17}

2G Downgrade Mitigation

IMSI catchers exploit 2G’s breakable A5/1 cipher by forcing a downgrade from LTE. Disable 2G fallback on the Quectel modem:

# Lock to LTE-only (disable 2G/3G fallback)
echo -e "AT+CNMP=38\r" > /dev/ttyUSB2

This is the most effective software mitigation short of a Faraday bag. ¹⁸

SIM OPSEC

In order of anonymity (strongest first):

1. Cash-purchased prepaid SIM at retail in a non-home area with no ID (US does not require ID for prepaid in most states)
2. eSIM purchased with Monero via Bitrefill or similar ¹⁹
3. Standard prepaid SIM with pseudonymous registration
4. Contract SIM — fully identity-linked, no anonymity

Best practices: activate on public WiFi with a clean device; never co-locate the SIM with identity-linked devices; store in a Faraday bag when not in active use. ²⁰

Baseband Isolation Limits

The Quectel modem runs its own RTOS on a separate processor with no memory isolation from the application processor on the Mudi. A compromised baseband can theoretically access the Linux filesystem. Google Project Zero documented 18 zero-click vulnerabilities in Samsung Exynos basebands (2023); similar risk categories apply to Quectel chipsets. ²¹

Mitigations: Keep modem firmware updated; disable 2G fallback; use a VPN kill switch so even if the baseband is compromised, IP traffic remains encrypted. Airplane mode is insufficient — baseband processors have documented cases of maintaining radio activity independently of the OS power state. ²⁰

---

Automated Reconnaissance Setup

This section covers configuring a Mudi V2 as an automated recon platform that captures GPS coordinates and WiFi spectrum data with zero interaction after power-on.

Credit: David D

Prerequisites

• SSH access to the router (default: ssh root@192.168.8.1)
• GPS source: USB NMEA dongle (recommended, e.g., u-blox 7/8 VK-172) or built-in Quectel modem GNSS
• OpenWrt with opkg access

Clear SSH Keys After Factory Reset

If you’ve factory-reset the router, clear the stale host key first:

ssh-keygen -R 192.168.8.1

Install Packages

ssh root@192.168.8.1

opkg update && opkg install tmux nano horst gpsd gpsd-clients python3 python3-pyserial tcpdump

Optional packages:

• zerotier — Remote access to the router from anywhere via ZeroTier overlay network
• kmod-usb-acm — Kernel module for USB GPS dongles that appear as /dev/ttyACM0
• aircrack-ng — For monitor mode management (airmon-ng)

Storage Overflow on Flash

If packages + captures exceed the internal flash, redirect opkg and captures to USB/microSD:

mkdir /mnt/sda1/packages
echo "dest usb /mnt/sda1/packages/" >> /etc/opkg.conf
opkg --dest usb install tcpdump aircrack-ng
ln -s /mnt/sda1/packages/usr/bin/tcpdump /usr/bin/tcpdump

Add swap if running memory-intensive tools: mkswap /dev/sda2 && swapon /dev/sda2 ²²

Create Working Directories

mkdir -p /root/scripts /root/logs/gps /root/pcap

GPS Logging

Option A: USB GPS Dongle (Recommended)

A u-blox-based USB GPS dongle (e.g., VK-172, BU-353S4) is the most reliable option. It appears as /dev/ttyUSB0 or /dev/ttyACM0 and outputs standard NMEA sentences.

Save as /root/scripts/gps.py:

#!/usr/bin/env python3
"""GPS NMEA logger — reads serial GPS and writes timestamped log files."""
import serial
from datetime import datetime

PORT = "/dev/ttyUSB0"       # Adjust if your dongle uses ttyACM0
BAUD = 9600
LOG_DIR = "/root/logs/gps/"

timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
log_file = f"{LOG_DIR}gps_{timestamp}.log"

try:
    with serial.Serial(PORT, BAUD, timeout=1) as ser, open(log_file, "w") as f:
        print(f"Logging GPS to {log_file}")
        while True:
            line = ser.readline().decode("utf-8", errors="replace").strip()
            if line:
                f.write(line + "\n")
                f.flush()
except serial.SerialException as e:
    print(f"GPS serial error: {e}")
except KeyboardInterrupt:
    print("GPS logging stopped")

chmod +x /root/scripts/gps.py

Option B: Built-in Quectel Modem GNSS

The Mudi V2’s Quectel modem supports GNSS via AT commands. This avoids using the USB port but requires manual activation:

# Find the AT command port (usually ttyUSB2 on Mudi)
echo -e "AT+QGPS=1\r" > /dev/ttyUSB2

# Configure gpsd to read NMEA from the modem
uci set gpsd.@gpsd[0].device="/dev/ttyUSB1"
uci set gpsd.@gpsd[0].enabled="1"
uci commit gpsd
/etc/init.d/gpsd restart

# Verify GPS fix
gpspipe -r | head -20

Wardriving Tool Comparison

Tool	Best For	OpenWrt Package	GPS	WiGLE Export	Passive Only	RAM Usage
HORST	Lightweight spectrum/channel assessment	horst (opkg)	No	No	Yes	~5 MB
Kismet	Full wardriving, WIDS, multi-source	Stale in opkg 23	gpsd native	kismetdb_to_wiglecsv	Yes	~150 MB
airodump-ng	Quick capture, handshake collection	aircrack-ng (opkg)	gpsd (CSV)	Manual conversion	No (sends probes)	Low
Sparrow WiFi	GUI analysis with BT/SDR integration	Desktop Linux only	gpsd + MAVLink	No	Configurable	High 24

Spectrum Scanning with HORST

HORST (Highly Optimized Radio Scanning Tool) is a lightweight 802.11 analyzer that shows per-node RSSI, channel utilization, encryption type, and ESSID. At ~5 MB RAM, it is the practical choice for the Mudi V2’s 128 MB limit.

# Basic scan with file output
horst -i wlan0 -o /root/logs/horst_$(date +%Y%m%d_%H%M%S).log

Useful HORST Flags

Flag	Purpose
-i <iface>	Specify interface (e.g., wlan0 or wlan0mon for monitor mode)
-C <channel>	Lock to a specific channel
-V spectrum	Spectrum analyzer view (signal level + utilization per channel)
-V history	Scrolling packet history with RSSI bars
-V essid	Group results by ESSID
-V statistics	Aggregate packet type counts
-o <file>	Write records to file
-s	Start directly in spectrum mode
-d <ms>	Display refresh interval

Kismet Wardrive Mode

Kismet is the standard tool for GPS-correlated WiFi surveys with WiGLE export. The --override wardrive flag disables HT/VHT channels, enables AP-only survey mode, and simultaneously writes a .kismet database and .wiglecsv file. ²⁵

Kismet on OpenWrt is Stale

The Kismet OpenWrt package has had no maintainer since 2016 and may not build on current firmware. The recommended approach is to run Kismet on a companion device (Raspberry Pi, laptop) using remote capture, with the GL.iNet router providing the WAN uplink. ²³

Alternatively, if your router has sufficient storage (microSD), you can attempt to build Kismet from source or use a pre-compiled binary.

On a companion device (recommended):

# On the companion device (Pi/laptop):
kismet --override wardrive \
  --source wlan0mon:type=linuxwifi \
  --gps gpsd:host=localhost,port=2947

Converting and uploading to WiGLE:

# Convert .kismet database to WiGLE CSV
kismetdb_to_wiglecsv --in capture.kismet --out capture.wiglecsv

# Convert to KML for Google Earth visualization
kismetdb_to_kml --in capture.kismet --out capture.kml

# Convert to PCAP-NG for Wireshark analysis
kismetdb_to_pcap --in capture.kismet --out capture.pcapng

Upload the .wiglecsv file at wigle.net/uploads. WiGLE accepts Kismet native, NetStumbler, WiGLE WiFi Android, and other formats. ²⁶

For the Kismet wardrive documentation, see kismetwireless.net. For a practical wardriving walkthrough, see th4ntis.com. ^{25 27}

WiGLE Cardinal Rules

The WiGLE community requires passive mapping only — no packet payloads, no TCP logging. Capturing payload data may violate wiretap statutes. Review the WiGLE Cardinal Rules before uploading. ²⁸

USB WiFi Adapter Selection

The Mudi V2’s internal radio (QCA9531/ath9k) supports monitor mode on 2.4 GHz only. For dual-band capture or 5 GHz injection, add an external USB adapter. Choose adapters with in-tree OpenWrt drivers — out-of-tree (DKMS) drivers break on kernel updates.

Chipset	Example Adapter	Bands	Driver	OpenWrt In-Tree	Monitor	Injection	Notes
MT7612U	Alfa AWUS036ACM	2.4+5 GHz	mt76	Yes	Yes	Yes	Best current pick for OpenWrt 29
AR9271	Alfa AWUS036NHA	2.4 GHz	ath9k_htc	Yes	Yes	Yes	Zero driver friction, 2.4 GHz only
RT5572	Panda PAU09 N600	2.4+5 GHz	rt2800usb	Yes	Yes	Yes	Reliable dual-band, lower power
RTL8812AU	Alfa AWUS036ACH	2.4+5 GHz	DKMS only	No	Yes	Yes	Popular but requires out-of-tree driver 30

For a comprehensive compatibility list, see the morrownr/USB-WiFi project — the authoritative community reference for Linux WiFi adapter support. ²⁹

Monitor Mode

The QCA9531’s ath9k driver supports monitor mode on 2.4 GHz. This enables raw 802.11 frame capture:

# Method 1: Using airmon-ng
opkg install aircrack-ng
airmon-ng check kill       # Kill interfering processes (wpa_supplicant, etc.)
airmon-ng start wlan0      # Creates wlan0mon

# Method 2: Manual iw (no airmon-ng dependency)
wifi down
iw phy phy0 interface add wlan0mon type monitor
ip link set wlan0mon up

# Use with horst or tcpdump
horst -i wlan0mon -V spectrum -o /root/logs/horst_$(date +%Y%m%d_%H%M%S).log

# Or capture PCAPs
tcpdump -i wlan0mon -w /root/pcap/capture_$(date +%Y%m%d_%H%M%S).pcap

5 GHz Monitor Mode

The 5 GHz radio (ath10k) can throw kernel errors during packet injection. Passive capture works on both bands, but for active testing on 5 GHz, add an external adapter — the Alfa AWUS036ACM (MT7612U, in-tree mt76 driver) is recommended over the RTL8812AU options that require DKMS. ²⁹

Confirmed monitor mode support across GL.iNet models: GL-USB150, AR150, AR300M, AR750, AR750S, AXT1800, A1300. Not supported: MT300N-V2. Unstable: MT3000 on stock firmware (requires upstream OpenWrt). ³¹

Automated Startup

This tmux script launches GPS logging and spectrum scanning automatically on boot.

Save as /root/scripts/autostart.sh:

#!/bin/sh
# Automated recon startup — runs GPS logger and HORST in a tmux session
LOGDIR="/root/logs"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)

tmux new-session -d -s recon

# Pane 1: GPS logging
tmux send-keys -t recon "python3 /root/scripts/gps.py" C-m

# Pane 2: Spectrum scanning
tmux split-window -v -t recon
tmux send-keys -t recon "horst -i wlan0 -o ${LOGDIR}/horst_${TIMESTAMP}.log" C-m

chmod +x /root/scripts/autostart.sh

Why a variable for the timestamp?

The original guide embedded $(date ...) directly inside a heredoc, which would expand at script-write-time (giving every boot the same timestamp). Using a variable at the top of the script ensures the timestamp is generated fresh at each boot.

Enable on Boot

Edit /etc/rc.local and add before exit 0:

# Wait for interfaces to initialize
sleep 10
/root/scripts/autostart.sh &

Retrieving Data

Pull logs from the router to your workstation:

# Sync all logs (removes source files after transfer)
rsync -avz --remove-source-files root@192.168.8.1:/root/logs/ ~/Desktop/recon-data/

# Or sync without deleting source
rsync -avz root@192.168.8.1:/root/logs/ ~/Desktop/recon-data/

# Sync PCAPs separately
rsync -avz root@192.168.8.1:/root/pcap/ ~/Desktop/recon-data/pcap/

rsync —remove-source-files

The --remove-source-files flag deletes files from the router after successful transfer. Only use this if you’re confident your local destination is correct. Consider doing a dry run first: rsync -avzn --remove-source-files ...

Deployment Checklist

1. Power on router
2. rc.local runs autostart.sh after 10s delay
3. tmux session "recon" starts GPS + HORST
4. Logs saved automatically to /root/logs/
5. Retrieve via rsync when ready

---

Field Deployment Tips

Power

• Internal 7,000 mAh battery lasts ~8 hours at <6 W draw
• Disable 5 GHz + set 2.4 GHz TX power to LOW to extend runtime to 13-15 hours (community-tested) ³²
• Turning off the LTE modem when not needed is the single largest power saving on cellular models
• A 20,000 mAh USB-C power bank extends runtime to ~12-14 hours beyond internal battery
• For static deployments, a 10 W+ solar panel (5V/2A) can sustain the device indefinitely

Storage

• Format microSD as ext4 for large pcap writes: mkfs.ext4 /dev/mmcblk0p1
• Mount for capture storage: mount /dev/mmcblk0p1 /mnt/sdcard
• With 1 TB microSD, storage is effectively unlimited for text logs; budget ~1 GB/hour for full pcap on busy networks

USB Port Management

The single USB 2.0 port is a bottleneck. If you need both an external WiFi adapter and a GPS dongle, use a powered USB hub. Priorities:

1. GPS dongle only — Most common field config
2. GPS + external WiFi adapter — Requires USB hub
3. Built-in modem GNSS + external WiFi — Frees USB port but GNSS setup is less reliable

Captive Portal Bypass

When connecting through hotel/airport WiFi:

1. Try Extender mode first (not Repeater) — triggers automatic captive portal page on simple networks ³³
2. Browse to 1.1.1.1 directly (not a domain name) to force the portal redirect ³⁴
3. MAC Clone mode — clone your phone’s MAC via Repeater > MAC Mode > Clone for portals that lock by MAC address ³⁴
4. Temporarily disable DNS rebind protection for captive portals that use split-horizon DNS:

   uci set dhcp.@dnsmasq[0].rebind_protection='0'
   uci commit dhcp && service dnsmasq restart
   # After authenticating, re-enable:
   uci set dhcp.@dnsmasq[0].rebind_protection='1'
   uci commit dhcp && service dnsmasq restart

Remote Access

Install ZeroTier for remote management without exposing ports:

opkg install zerotier
# Configure with your network ID
uci set zerotier.sample_config.enabled='1'
uci set zerotier.sample_config.join='<your-network-id>'
uci commit zerotier
/etc/init.d/zerotier restart

Operational Use Cases

Red team portable kit: Mudi V2 + AWUS036ACM (USB hub) + VK-172 GPS dongle covers: cellular uplink with IMEI randomization (blue-merle), WiFi survey (Kismet wardrive + HORST), passive packet capture (tcpdump to microSD), remote management (ZeroTier), and full VPN tunnel with kill switch. Total kit weight under 500g.

Journalist/activist travel: Priority is network isolation and DNS privacy, not recon. Configuration: disable all GL.iNet cloud packages, enable WireGuard to a trusted exit node (Mullvad or self-hosted), enforce DoT or ODoH, enable firewall-based kill switch. Carry Rayhunter on a secondary device to detect IMSI catcher activity at checkpoints. ¹⁶

Supply chain baseline: Treat all pre-loaded firmware as untrusted. After reflashing, run tcpdump -i eth0 not port 53 and not port 123 for 5 minutes to baseline outbound traffic. Audit /etc/crontabs/root and /etc/rc.local after first boot. ³⁵

---

Legal and Ethical Considerations

Know Your Legal Boundaries

Wireless scanning legality varies by jurisdiction and activity type. Understand the law before deploying.

Generally Accepted (Low Legal Risk)

• Passive beacon/probe collection — SSIDs, BSSIDs, signal strength, GPS coordinates from public spaces
• Spectrum analysis — Channel utilization and RF congestion assessment
• Your own networks — Full testing authority on networks you own or administer

Requires Authorization

• Active probing — Sending probe requests or associating with networks
• Packet capture of traffic — Capturing payload data from any network
• Deauthentication frames — Illegal under FCC Part 15 and 47 U.S.C. 333 (interference)
• Network penetration testing — Requires written rules of engagement

Key US Laws

• Computer Fraud and Abuse Act (CFAA, 18 U.S.C. 1030) — Criminalizes “unauthorized access” to computer systems; “without authorization” is not precisely defined
• FCC Part 15 — Governs unlicensed radio devices; intentional interference is prohibited
• State laws — California Penal Code 502 and similar state statutes may impose stricter standards than federal law
• Wiretap Act (18 U.S.C. 2511) — Prohibits interception of electronic communications; passive beacon collection is generally excluded

---

Resources

• GL.iNet Documentation — Official firmware guides and specs
• GL.iNet Security Advisories — CVE notifications and patches
• mudi-configurator — Android privacy hardening app (David L)
• blue-merle — IMEI randomization for GL-E750 (SRLabs)
• Rayhunter — IMSI catcher detector (EFF)
• HORST — Lightweight 802.11 analyzer
• Kismet — Full wireless network detector and sniffer
• Sparrow WiFi — GUI WiFi analyzer with BT/SDR integration
• morrownr/USB-WiFi — Linux WiFi adapter compatibility reference
• OpenWrt Packages — Community package repository
• WiGLE — Wardriving database and community
• Router Hardening — General router security guide

---

References

Footnotes

1. Mudi 7 (GL-E5800) Product Page — GL.iNet ↩

2. MT6000 GL.iNet firmware vs OpenWrt discussion — OpenWrt Forum ↩

3. GL.iNet suggestion for recommendation — Privacy Guides Community ↩

4. GL-E750V2 upstream OpenWrt support thread — OpenWrt Forum ↩ ↩²

5. Security Advisories Aug 1, 2024 (CVE-2024-39226/39227/39228) — GL.iNet ↩ ↩²

6. Security Advisories Apr 24, 2025 (CVE-2024-57391/2025-2811/2850/2851) — GL.iNet ↩ ↩² ↩³

7. Beryl travel router with OpenWrt — Logan Marchione ↩

8. DNS configuration guide — GL.iNet Docs ↩

9. Privacy-Protecting Portable Router: Adding DNS-Over-TLS with Unbound — GL.iNet Blog ↩

10. Empirical Performance Analysis: WireGuard vs OpenVPN — MDPI Computers ↩

11. WireGuard gateway with killswitch and port forwards on WAN — OpenWrt Forum ↩

12. Split Tunnel via VPN Policy or WireGuard AllowedIPs — GL.iNet Forum ↩

13. blue-merle Releases — SRLabs GitHub ↩

14. blue-merle README — SRLabs GitHub; SRLabs Blog Post ↩ ↩²

15. blue-merle LuCI mirror — HackLiberty ↩

16. Meet Rayhunter: A New Open Source Tool from EFF to Detect Cellular Spying — EFF ↩ ↩²

17. Rayhunter: Device to Detect Cellular Surveillance — Schneier on Security ↩

18. Cell-Site Simulators / IMSI Catchers — EFF Street Level Surveillance ↩

19. Bitrefill eSIM — cryptocurrency-purchased eSIMs ↩

20. Cell Phones in Combat Zones — SLNT ↩ ↩²

21. Multiple Internet-to-Baseband Remote Code Execution in Exynos Modems — Google Project Zero ↩

22. GL-iNet sniff setup gist — GitHub ↩

23. Kismet, Monitor Mode, Wardriving — stale package discussion — OpenWrt Forum ↩ ↩²

24. Sparrow WiFi — ghostop14, GitHub ↩

25. Kismet Wardrive Mode Documentation — Kismet ↩ ↩²

26. WiGLE Uploads — WiGLE ↩

27. Wardriving Guide — th4ntis (March 2024) ↩

28. WiGLE Cardinal Rules of Wardriving FAQ — WiGLE ↩

29. USB WiFi Adapters with Linux In-Kernel Drivers — morrownr/USB-WiFi ↩ ↩² ↩³

30. rtl8812au out-of-tree driver — aircrack-ng, GitHub ↩

31. Updated list of routers which support Monitor Mode — GL.iNet Forum ↩

32. 13-15 hours of battery life with Mudi E750 — GL.iNet Forum ↩

33. Easy captive portal login with Beryl — GL.iNet Forum ↩

34. Connect to public hotspot with Captive Portal — GL.iNet Docs ↩ ↩²

35. How secure are GLiNET devices? — GL.iNet Forum ↩