I had the same concern as you initially. So I decided to to a quick TCPDump on every bit of traffic coming out of my MT300A, running a brand new fresh install of the GL-Inet firmware. What I found was to be expected. If your convenience, I uploaded the “glinet.cap” dump file if you want to take a look for yourself in wireshark, this TCPDump was taken from the moment the router booted up until about 5 minutes later.
Link to tcpdump: https://www.jgndata.biz/jgoetz/file2/glinet.cap
(Note for that file, ignore the SSDP packets from 172.16.100.10, that has nothing to do with the GL-Inet router, just something on my LAN unrelated to gl-inet thats being logged in the TCPDump).
If we break down the TCPDump file we can see in detail what the router was doing when connecting to the outside world. First thing it did was make an HTTP connection to gl-inet.com checking for a firmware upgrade. Next, it made an HTTP requests to the IPs 18.104.22.168, which is the site that hosts “checkip.dyndns.org”, a way for the router to find your public IP for GL-Inet’s DYDNS Service (which can be disabled from the /etc/config/glconfig file via SSH)
Next, it makes another connection to 22.214.171.124, which hosts “myip.com.tw”, which much like the checkip.dyndns.org checks for your public IP. I assume the router connects to both services for redundancy if one is down at the moment or something of the like. Logging into the router itself, all this information fits with the scrip that does the dynamic DNS updating, so no funny business is going on there. (If your interested, here it is: https://paste.aseriesoftubez.com/p/1475729211-eNUwP.txt)
Finally, it makes another connection to gl-inet.com, this time with a request for 404 Page not found - GL.iNet and fills in the rest of the URL with the info.
In total the router connected to 3 services, two being the IP checker services and the gl-inet website itself.
Now, I can’t say with 100% certainty that theres nothing nefarious going on, as I haven’t dissected the firmware line by line, but judging by the tcpdump data and my experience with using gl-inet products for the past 6 months, I highly doubt that Alfie and friends are up to anything bad
Regarding your question about the stock firmware not being truly “stock”, from what we’ve found it is. The only main difference we could find from stock is that the image uses gl-inet.com’s openwrt package mirror. We could technically use the public openwrt mirror, but we have some issues with packages not installing due to kernel dependency errors. So I assume that there are some custom packages built for the device itself that GL-Inet provides via its mirror. But other than that, from all that we’ve seen, the stock images are pretty much stock.
All in all, I’d personally say GL-Inet is very trustworthy and I would be more than happy to trust my OpenVPN config files on them. In fact where I work, we’ve setup at least 40 GL-Inet routers now that power city-wide wifi access