Any security concerns?

Glad you’ve been satisfied with your gl-inet purchase, dm.

Regarding the future patches and updates for gl-inet, they seem like a very reliable company when it comes to software updates. And if for whatever reason they did decide one day to stop pushing new updates, we have all the information on how to compile our own OpenWRT images for the devices, so I’m sure the community here would be more than happy to continue building new and updated images.

alzhao, Any reason why telnet and samba ports were open by default? It adds unnecessary attack surface. (I’d at least want fail2ban running if those were open.)

For Telnet I think the first time you set the password it will disable telnet and enable SSH by default.

Only the LAN side can access those services.

@dm

As you said, “I didn’t have time for a full security audit” so it’s reasonable to give Justin and GLI the benefit of the doubt until you do so and can detail otherwise.

Regarding travelmate, I have been testing it and it appears to work as advertised. It’s a great solution for a stock OpenWrt/LEDE device, however it relies upon manually editing the wireless file to add STAtions, making it really not usable for a road warrior who frequently needs to add new STAtions. If you rotate exclusively between a fixed set of stations (home, office, vacation home, etc.) then it’s fine. I have not tried the 4.x versions as yet.

All but one station is disabled in the wireless file. I would rather have a separate file for stations and update wireless, but I did not design this. Related, there is a LuCI bug which, if I recall, displays incorrect station names in the LuCI Wireless display. The bug has been reported, but it’s not likely to get fixed anytime soon. Again, it’s NOT a travelmate issue, it’s a LuCI issue. I have not been successful adding or manually changing STAtions with LuCI while travelmate is running.

You may want to see this solution, which I still run on a Kingston MLWG2, but it has some issues. Not sure if it is the tool or device, but about half the time I end up with a 169.254 address on boot. 404 Page not found - GL.iNet Again, it’s problematic with needing to add new stations like travelmate.

I have been an evangelist for adding this functionality to OpenWrt, but there is just not enough interest by those with the correct skills. I also would like to see a phone app (preferably). Search OpenWrt for my user name. There are dozens of solutions, but the only one that seems to work every time is to remove the STAtion on boot, forcing the user to create a new STAtion in LuCI; however, as noted, I find anything done in LuCI is just too tedious to do at Starbucks etc. when I want to connect for ten minutes. (I use OpenVPN.)

The Gli gui is still the best tool. Details and comments can be seen here: Overview - GL.iNet Docs

…AND I CAN USE IT ON A PHONE’S DISPLAY

I will suggest that there may be a trade-off between security and functionality, but personally I do not feel I am giving up ANYTHING.

Regarding using a USB device as a second radio, I did this (Edimax 7811). It solved the AP-STAtion hang issue, but wireless performance was reduced as compared to using the single radio (not intuitive). I have since given up. It is unknown why. Some users have reported improved performance by placing the USB radio on an extension cable.

Regarding telnet, I’m not sure if it was in 15.05 or LEDE 17.01 that telnet was replaced by SSH.

@dm, I re-formatted your post: edit it, copy the content from “visual editor”, change to “text editor” and remove all the content, then paste the copied content.

I checked the code of travelmate and it seems good. Hope it works fine. We like hardware hobbyists and they always encourage us. But to be honest most of the users only care about software and UI. Without firmware development we would have already closed.

@Passter, I think the major development team of OpenWrt has shifted to LEDE and we will build our firmware based on LEDE 17.01 later.

The Samba port is open on the LAN so that people can plug in a USB stick and access its content from their PC. The SSH port is also open on the LAN. This is true for all OpenWRT and LEDE. LEDE has disabled the telnet port and only uses SSH, even when there is no password. But you have to set up a password, otherwise people can still log in without a password.


Thanks very much @alzhao!

It’s refreshing to find a vendor who cares enough about security to get involved. If industry practices are anything to go by, VERY few vendors understand how important Internet access is for people and how much serious damage compromised devices can inflict. (It’s becoming a serious public safety issue).

Moving to LEDE is a great move and I’m glad to hear you’ve done it. Since posting, I’ve seen your LEDE firmwares available too.

For Telnet, personally I’d suggest maybe just dropping it. The only people who are likely to use the CLI instead are probably technical people anyway, and SSH is safer. Plus it won’t leak the new password in cleartext when it’s changed. With more and more cheap, random consumer appliances, IoT, etc. devices coming out, most with terrible security standards (and some not even cheap! https://twitter.com/Bry_Campbell/status/846080444533784577), even the LAN side of networks is no longer trustworthy.

Regarding Samba, I can’t say I read the documentation to know, but is it shared without a password by default? If so, I wonder if that default behaviour is clear to most users. It’s probably more work, but I guess ideally inserting a storage USB might trigger starting the daemon.

Thanks for having taken the time to reply. You’ve got great products and I wish you every success.

Please don’t take my professional paranoia of re-flashing it immediately as anything personal. It sounds like you haven’t, thanks! :slight_smile: I fully expect you’ve got a nicely secured device, with a few usability trade-offs that sound easy to change config on.

I’ll likely leave this current device on stock LEDE for now, because I’ve added a bunch of things (e.g. WPA2 Enterprise EAP-TLS with FreeRadius3). But I’ll take the time to have a better look at GLi’s firmware when I buy the next device - which will probably be quite soon. :smiley:

Cheers.
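To put alzhao’s explanation (Samba and SSH open on the LAN, telnet off once a password is set) and dm’s follow-up about attack surface on a concrete footing, here is an added audit script. It is not GL.iNet’s or OpenWrt’s code; it is a small POSIX sh/awk helper that classifies `netstat -tlnp` output into listeners bound to every interface (`0.0.0.0` / `::`, so WAN exposure depends entirely on the firewall) versus listeners bound to one address. The netstat dump below is constructed for illustration; the process names, ports and the 192.168.8.1 LAN address are assumptions, not captured from a real device.

```shell
#!/bin/sh
# Added example: audit which router services listen on all interfaces.
# Input format is BusyBox `netstat -tlnp` as found on OpenWrt/LEDE.
# The dump below is constructed; it is not output from a real router.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/dropbear
tcp        0      0 192.168.8.1:53          0.0.0.0:*               LISTEN      1100/dnsmasq
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1500/smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1500/smbd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      900/telnetd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1300/uhttpd
tcp        0      0 :::22                   :::*                    LISTEN      1234/dropbear'

# classify_listeners: reads netstat output on stdin, prints one line per
# TCP listener as "<scope> <port> <program>". scope is ANY for a wildcard
# bind (0.0.0.0 or ::) and ADDR for a bind to a specific address.
classify_listeners() {
    awk '$1 == "tcp" || $1 == "tcp6" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        scope = (host == "0.0.0.0" || host == "::") ? "ANY" : "ADDR"
        prog = $7
        sub(/^[0-9]+\//, "", prog)   # strip the PID, keep the program name
        print scope, port, prog
    }'
}

# flag_cleartext: keep only wildcard-bound listeners on protocols that carry
# credentials or data in the clear (ftp, telnet, NetBIOS/SMB).
flag_cleartext() {
    classify_listeners | awk '$1 == "ANY" && ($2 == 21 || $2 == 23 || $2 == 139 || $2 == 445)'
}

# count_any_listeners: how many services rely on the firewall alone to stay
# off the WAN side.
count_any_listeners() {
    classify_listeners | awk '$1 == "ANY"' | wc -l | tr -d ' '
}

# On the router itself:   netstat -tlnp | flag_cleartext
# Offline, on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | flag_cleartext
```

A wildcard bind is not by itself a WAN exposure on OpenWrt, because the default `wan` firewall zone has `input REJECT` (`uci show firewall | grep input` confirms the current policy); the point of the ANY list is to show which services depend on that one rule. For Samba the relevant knob is the `interface` option in `/etc/config/samba` (default `loopback lan`), which is what keeps smbd off the WAN interface, and for telnet on 15.05-era images setting a root password with `passwd` is what turns telnetd off, as alzhao describes.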

My apologies for derailing the conversation a bit, but @dm, I’m purely curious, do you host the Radius server on the router itself or externally? If you do host it on the router itself, what has performance been like? I’ve been wanting to test this since forever but unfortunately never had the time.

Thanks everyone for all the very useful info on these posts!

One question is whether GL-Inet keeps packages updated with the OpenWRT team. If there is an update to, say, OpenSSL or any other package updated by OpenWRT, does GL-Inet update it in its repos?

@wirelessmesh, we do update the repo from time to time. Is there an OpenSSL update again?

Hi @justin, yes, I’m running FreeRadius3 (just with sqlite and file backends). It’s very light on resource usage, so runs well. I don’t have many stations connecting to the access point, or hard performance metrics (from perf or anything), but it seems just as fast with WPA2 EAP-TLS as it was with EAP-PSK. Also much faster than my old router. Reconnects are very fast too.

You need openssl installed (luci-openssl package is one option if running LEDE). You’ll also need to replace wpad-mini with wpad.

This should get you started (although the instructions are for FreeRadius2, but similar will work): howto/802.1xOnOpenWRTUsingFreeRadius.md at master · ouaibe/howto · GitHub.

The nice thing is, if you remove all other preferred networks from clients (so they’re not scanning for weaker networks), then it’s really hard to do evil twin or karma attacks on them (because of EAP-TLS’s strong mutual auth). It’s just a pity EAP-TTLS/EAP-TLS isn’t more widely supported (i.e. EAP-TLS inside EAP-TTLS), because that’d keep client identity more confidential too.
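dm’s setup above, written out as a worked configuration. This is an added example, not code from dm’s post, from the linked howto, or from GL.iNet; the SSID, RADIUS secret, certificate paths and the `radio0` device are placeholders, and the exact `freeradius3-*` package names are what the LEDE 17.01 feed used (check `opkg list | grep freeradius3` on your build). The functions print the config fragments rather than writing to `/etc`, so the script can be read and run anywhere; on the router you would paste the UCI stanza into `/etc/config/wireless` (or apply the equivalent `uci set wireless.@wifi-iface[0].…` commands and `uci commit wireless && wifi`) and the FreeRADIUS fragments into `/etc/freeradius3/clients.conf` and `mods-enabled/eap`.

```shell
#!/bin/sh
# Added example: moving an OpenWrt/LEDE AP from WPA2-PSK to WPA2-Enterprise
# (EAP-TLS) with FreeRADIUS 3 running on the router itself. All names,
# secrets and paths below are placeholders.

# install_packages: wpad-mini has no 802.1X/EAP support, so it must be
# swapped for full wpad. Package names are those of the LEDE 17.01 feed
# (assumption; verify with `opkg list`).
install_packages() {
    cat <<'EOF'
opkg update
opkg remove wpad-mini
opkg install wpad freeradius3 freeradius3-mod-eap freeradius3-mod-eap-tls freeradius3-mod-files openssl-util
EOF
}

# render_wireless_psk: the stock WPA2-Personal stanza, shown for contrast.
# One shared key known to every client; nothing authenticates the AP.
render_wireless_psk() {
    cat <<'EOF'
config wifi-iface
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'example-home'
    option encryption 'psk2'
    option key 'a-shared-secret-every-client-knows'
EOF
}

# render_wireless_enterprise <radius_secret>: the same interface under
# WPA2-Enterprise. encryption 'wpa2' (not 'psk2') selects 802.1X; hostapd
# relays EAP to the RADIUS server on 127.0.0.1 using the shared secret.
render_wireless_enterprise() {
    secret=$1
    cat <<EOF
config wifi-iface
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'example-home'
    option encryption 'wpa2'
    option auth_server '127.0.0.1'
    option auth_port '1812'
    option auth_secret '$secret'
EOF
}

# radius_clients_conf <radius_secret>: the NAS entry for clients.conf.
# The secret here must match auth_secret in the wireless stanza.
radius_clients_conf() {
    secret=$1
    cat <<EOF
client localhost {
    ipaddr = 127.0.0.1
    secret = $secret
}
EOF
}

# radius_eap_tls_conf: the eap module with only the tls sub-section, so no
# password-based EAP type (PEAP/TTLS/MD5) can be negotiated instead.
# ca_file is the CA that issued the client certificates; ${certdir} and
# ${cadir} come from radiusd.conf.
radius_eap_tls_conf() {
    cat <<'EOF'
eap {
    default_eap_type = tls
    tls-config tls-common {
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
    }
    tls {
        tls = tls-common
    }
}
EOF
}

# check_certs <ca.pem> <server.pem> <client.pem>: run after issuing certs.
# Both certs must chain to the CA, and the server cert needs the
# "SSL server" purpose (serverAuth EKU) or Windows supplicants reject it.
check_certs() {
    openssl verify -CAfile "$1" "$2" "$3" || return 1
    openssl x509 -in "$2" -noout -purpose | grep -q 'SSL server : Yes'
}

# Offline demonstration of the generated fragments:
render_wireless_enterprise 'CHANGE-ME-radius-secret'
radius_clients_conf 'CHANGE-ME-radius-secret'
```

Two things worth checking once it is running: that the `key` option really is gone from the wifi-iface (a leftover PSK line is ignored under `wpa2`, but it is a secret sitting in a world-readable config), and that the CA used in `ca_file` is private to you, since every certificate it signs becomes a valid Wi-Fi credential.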


Out of the blue my password was no longer accepted. I was no longer able to log in to my router and was forced to do a factory reset. This occurred no less than 6-7 hours after receiving the item and updating to the latest firmware. I had disabled samba, ipv6, ddns, and wan3.

It is protected behind an Asus 68U router with Merlin, hardened and secured with Skynet & dnscrypt/DNSSEC; I had only one device connected to it at the time, that being an iPhone over wifi. WAN was set to the Asus router. The iPhone was also plugged directly into the USB port in the router in the timeframe this occurred.

So it appears either the iPhone was hacked, and the hacker was able to easily bypass router security via iPhone wifi or via direct USB; or the GL has known exploitable hardware/software vulnerabilities.

One possible vector is the NTP server, which connects to a dedicated wrt.ntp.com server or similar address of the like, exposing the fact you’re using an OpenWrt router.

Looking a little deeper: my sandboxed browser had unexpectedly crashed while typing into this forum; I have since cleared the sandbox. This suggests it is possible a parasite had gotten its hands on my password. Though once again, the only device connected to the GL at the time of this password change was my iPhone.

Other suspicious activity:

There were 9 firewall inbound and outbound entries on my Windows PC that had been enabled without my permission, and which were previously disabled; previously I allowed zero inbound connections, and most of these rules pointed to ports whose services and drivers had already been disabled.

network discovery (WSD-In)
network discovery (WSD EventsSecure-In)
network discovery (WSD Events-In)
network discovery (UPnP-In)
network discovery (SSDP-In)
network discovery (Pub-WSD-In)
network discovery (NB-Name-In)
network discovery (NB-Datagram-In)
network discovery (LLMNR-UDP-In)

Outbound was also enabled for these as well which I had intentionally disabled previously.

Strange activity in the last week: the only thing I had noticed was that on two isolated occasions “open folder in new window” was enabled; I had not done this personally. Other than that I had no obvious hacker activity until I set up the GL.

And how do you think the attackers got access to your router? The network behind your Asus router and your iPhone should be behind NAT unless you allow port forwarding.


Turns out it was a false positive @rene; the problem occurred a second, third and fourth time, this time while totally disconnected from the internet and on another machine. Turns out there is some kind of bug that breaks the password; I can’t get into LuCI or the main GUI. In LuCI, I would log in successfully, but accessing a page from the drop-down menu resulted in my falling back to the login screen, where it says “no password set”, and I’d proceed to put in a new password, and the loop would continue over and over again. At one point I had managed to log in successfully to LuCI, and managed to access the DHCP page in the link near the bottom of the initial login page, but was promptly logged out as soon as I accessed the drop-down menu. Then I was unable to log in to the main GUI menu! So it’s a bug, not a hacker. At other times, I was able to log in to the main GUI, but not LuCI.

(update) Seems to be a browser-specific problem; it typically works in Firefox, Chrome had an issue, mind you I’m using at least a dozen extensions.

@alzhao said

Yes, you have checked all our scripts. From v2.2 you can just disable ddns and all the IP checks will be gone. You can just disable /usr/lib/ddns/glddnsupdater.sh

How do you disable /usr/lib/ddns/glddnsupdater.sh; just delete or rename it?

The next firmware release will only use LEDE sourcecode.

You can test it out now
http://gl-inet.com/firmware/testing/

Just be careful which one you choose, I wasn’t paying close enough attention and bricked my router; and Uboot doesn’t work on it.

##v2.27

  1. Changes: All products use LEDE source code

If you don’t enable “wan access” in the UI, this script doesn’t even run. Of course you can just remove it.