OpenWrt Setup on Travel Router

For transparency, the following is similar to work I have posted on my own blog: OpenWrt Setup | Haris Qazi. I have modified it slightly to fit the community better. I still wanted to contribute this to the PG Wiki for ease for others.


Background

I’ve been using the Proton VPN application on my phone ad hoc when I needed it. This led to two problems: I would need to enable it every time I required my traffic to go through a VPN, and the rest of the traffic (GrapheneOS updates, etc.) is all going through the main (ISP) router by default. I recently purchased a Beryl AX (GL-MT3000) from GL.iNet. I heard about this company from Michael Bazzell in his Extreme Privacy (5th Edition) book. Eventually, I settled on the Beryl AX model, as it fit my needs and price point. This document is a walk-through of the steps I conducted to get WireGuard from Proton VPN set up on the Beryl AX. I also set up the device as a wireless router for mobile devices to be able to connect to it as well.

Even though the steps in this post are for the Beryl, they should be similar for all devices using/supported by OpenWrt.

WireGuard Configuration

I created the config in Proton VPN’s settings for WireGuard and then saved the .conf file locally. I looked around and was able to find the configuration portal in the settings, but the same steps are documented here: How to download WireGuard configuration files | Proton VPN.

GL.iNet to Default OpenWrt Firmware

I visited the https://openwrt.org/toh/gl.inet/gl-mt3000 page and downloaded all the files I needed: the files I will use now, and the files I would potentially need in the future. It included the following:

I also saved the checksums for the version (4.8.1) in a file as well:

Version 4.8.1
  • Common Upgrade: ee038ee0f399c1454cc660dd47811b44697f5304e0f61af145c7dca6817d0e5c
  • U-boot: fc2938dcd26cf8e576a99a47da9ad1e9bdce6e649b82e79acb23535affebc6cb

I save these files and the checksums so that, in case the website goes down, I no longer have to visit it for the files. I also print out (print to PDF) the OpenWrt page for the item, in case the site is no longer reachable.

Initially, I connected with a laptop to the Beryl device to flash the sysupgrade file (unfortunately, I did not document the specific steps during the process). Once OpenWrt was installed, I then connected with my main PC over Ethernet. Per OpenWrt I visited http://192.168.1.1/ or http://openwrt.lan/ to access the portal. Proton had a walk-through for this portion (How to set up Proton VPN on an OpenWrt router using WireGuard | Proton VPN), and Mullvad has one as well (WireGuard on a router). As they both support the WireGuard protocol, the workflow should be similar.

The rest of the steps I followed are as follows:

  • I started off by logging in on 192.168.1.1. The password for the account root (username) was root (password)
  • Change the root password
  • On http://192.168.1.1/cgi-bin/luci/admin/network/network update br-lan or Interfaces >> lan to an IPv4 address of a different subnet. This can be any address but 192.168.1.1. This could be 192.168.2.1, 192.168.3.1, etc.
  • I then accessed the main page on 192.168.X.1 (new subnet), and was able to access the portal
  • Visit http://192.168.3.1/cgi-bin/luci/admin/network/wireless (for the following, replace “X” with your subnet octet value, I will use 3 for this example)
  • Hit “Scan” on the “MediaTek MT7981 802.11ax/b/g/n” radio0 option
    • Select “Replace wireless configuration”
    • Enter the password for the WiFi address
    • Assigned the suggested firewall zones (the default will work for us)
    • I didn’t change any advanced settings
    • Hit save and apply
  • Reboot.
  • Visit http://192.168.3.1/cgi-bin/luci/admin/system/package-manager and hit “Update lists…”
  • Install the luci-proto-wireguard package.
    • Check to make sure wireguard-tools are installed as well
  • Reboot
  • Log in and go to (Network >> Interfaces >> Add new interface…) OR http://192.168.3.1/cgi-bin/luci/admin/network/network
  • Set the following values
    • Interface Name: proton0 (or what you prefer)
    • Interface Protocol: WireGuard VPN
    • Click “Create Interface” (This should automatically load you into the next page; if not go to “Interfaces >> proton0 >> Import configuration”)
    • Copy and paste the text from the initial WireGuard configuration
    • Hit “Import settings”
    • Go to Peers under Interfaces >> proton0 (Interfaces >> proton0 >> Edit peer)
    • Enable “Route Allowed IPs”
    • Hit “Save”
    • Back on config page, hit “Save”
  • Hit “Save & Apply” on the bottom of the page
  • Visit (Network >> Firewall >> Zones >> Add) (http://192.168.3.1/cgi-bin/luci/admin/network/firewall).
  • Set the following
    • Name: Choose a suitable name, such as vpn
    • Input: Reject
    • Output: Accept
    • Forward: Reject
    • Masquerading: Enabled
    • Covered networks: Select the WireGuard interface we created in Step three (proton0 in our example)
    • Allow forward from source zones: lan
  • Hit “Save”
  • Edit the “lan” zone (Network >> Firewall >> Zones)
    • Enable “MSS clamping”
    • Under “Allow forward to destination zones” deselect everything but “vpn proton0”
    • Hit “Save” after
  • Visit (Network >> Interfaces >> wan >> Edit)
    • Advanced Settings tab >> deselect the checkbox for “Use DNS servers advertised by peer”
    • I added Quad9’s IPv4 addresses (Service Addresses & Features | Quad9) under DNS Servers
    • Hit Save
  • Hit “Save & Apply” on the bottom of the page you were on or select the “Unsaved Changes” button on the top right and apply those changes
  • Enable radio1 and change the ESSID (to something other than “OpenWRT” as that would be a dead giveaway for it)
    • Under “Wireless Security” set it to the “WPA3-SAE (strong security)”
    • In the same window, set the “Key” as the WiFi password you would like.
    • Save and Apply - if required
    • Reboot
  • Visit http://192.168.3.1/cgi-bin/luci/admin/system/flash or (System >> Backup Flash Firmware)
  • Under “Backup”, Hit “Generate archive”
    • Add this to your personal files you backup as part of your backup protocol

That’s all the steps that I did. If you are using this as a travel router at a hotel, refer to the following resources:

Feel free to add any other items you may have added on to your config that enforced your privacy/security!

Last edited by @Harisfromcyber 2026-03-01T21:38:50Z

5 Likes
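A check for the firewall steps in the walkthrough above, as an added example that is not part of the original post: it reads a config in /etc/config/firewall syntax and reports any lan forwarding that bypasses the VPN zone, plus any zone setting that differs from the listed values. It assumes the zones are named lan and vpn and that booleans are stored as '1'; the function name and the sample config are constructed for illustration.

```shell
# Added example: audit a UCI firewall config against the walkthrough's zones.
# Usage: audit_fw FILE LAN_ZONE VPN_ZONE  (FILE may be - for stdin)
# Prints one finding per line and nothing when the config matches.
# On the router: audit_fw /etc/config/firewall lan vpn
audit_fw() {
    awk -v lan="$2" -v vpn="$3" -v q="'" '
    function commit(   k) {              # store the section that just ended
        if (kind == "zone")
            for (k in o) z[o["name"], k] = o[k]
        if (kind == "forwarding" && o["src"] == lan) {
            if (o["dest"] == vpn) ok = 1
            else print "LEAK: " lan " forwards to " o["dest"]
        }
        split("", o)                     # portable way to empty an array
    }
    $1 == "config" { commit(); kind = $2; next }
    $1 == "option" { v = $3; gsub("[" q "\"]", "", v); o[$2] = v }
    END {
        commit()
        if (!ok)                           print "MISSING: no forwarding " lan " -> " vpn
        if (z[vpn, "masq"] != "1")         print "WEAK: masquerading off on " vpn
        if (z[vpn, "input"] != "REJECT")   print "WEAK: input is not REJECT on " vpn
        if (z[vpn, "forward"] != "REJECT") print "WEAK: forward is not REJECT on " vpn
        if (z[lan, "mtu_fix"] != "1")      print "WEAK: MSS clamping off on " lan
    }' "$1"
}

# Constructed sample: the vpn zone is set up, but the lan -> wan forwarding
# was never removed and MSS clamping was not enabled on lan.
sample_config() {
    cat <<'EOF'
config zone
    option name 'lan'
config zone
    option name 'vpn'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    list network 'proton0'
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'lan'
    option dest 'vpn'
EOF
}

sample_config | audit_fw - lan vpn
```

A LEAK line means client traffic can still leave through that zone when the tunnel is down, which is what deselecting everything but the VPN zone under “Allow forward to destination zones” prevents.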

I may be buying a travel router from GLi soon but their newer WiFi 7 one. Might use this guide for that.

Thanks for sharing.

1 Like

Excellent guide! I love my mudiV2 and it has this module GitHub - srlabs/blue-merle: The blue-merle package enhances anonymity and reduces forensic traceability of the GL-E750 Mudi 4G mobile wi-fi router

The only thing worrying me was, it has an outdated Linux version

Does installing the latest firmware from OpenWrt ensure that that is not a problem?

1 Like

It seems to be only for that router I guess, but it's a nice feature to have. For MACs, those I believe can be manually edited to be “framed” as another vendor (https://mac2vendor.com/) - not sure how much that affects privacy.