How to configure my Beryl for maximum privacy and security?

I just bought a Beryl and have set it up, but want to make sure I check in with the experts here on my settings before I bring this with me on my travels or use it with public WiFi. I don't want to use my Beryl without knowing it's not configured securely.

I set this up at a relative's place who is using an ISP-supplied router/modem. They're using the default username/password. Definitely a bad idea, but if a properly configured Beryl is connected to this network, are those devices secured?

I set the Beryl up in Repeater mode. Band selection is set to 5 GHz. Any reason I should consider auto when all of my devices are modern and support 5 GHz? Not only do I get better speed, but the shorter range could be a blessing in disguise in terms of security. I allow switching to other saved networks.

Under wireless, I disabled all the 2.4 GHz networks and the 5 GHz guest WiFi. TX power is set to max. Security is set to WPA3-SAE. SSID visibility is set to show. What should WiFi mode, bandwidth, and channel be set to? For channel, I notice 132 (DFS) is the default.

Under VPN, I only use the client tab. I am using Proton VPN and used the WireGuard configuration from Proton. I uploaded them to the Beryl. It seems like I'm connected when there is a green light next to the VPN server. Is this right? If so, is there a way to set up a kill switch where the internet is blocked when the VPN connection is lost? My biggest worry with privacy and security is that I have no way of knowing if I'm always connected to the VPN. I'm afraid I might be spied upon with the VPN disconnected without me knowing. The only way to know is to always check the Beryl's GUI. I am used to using VPN on my Android as I see the VPN icon on the screen and that is proof I'm still connected. How do I address this? I also use TCP; is there a way to apply Proton's Stealth protocol? Is there a way to set up a split tunnel at the router level? Again, something that's easy to configure and use with the VPN on my phone.

Under applications and network storage, I have Samba enabled. I intend to attach a flash drive to the Beryl's USB port. How do I access any files like PDFs and movies from my iPhone, Google Pixel, and Samsung Galaxy S25 Ultra? Any other settings to turn on or off for performance, privacy, and security?

I have Adguard Home turned on and let it handle client requests.

I notice some DNS settings don't appear with Adguard Home on. Can that compromise my privacy and security? I currently have DNS Rebinding Attack Protection and Override DNS Settings of All Clients turned on. Allow Custom DNS to Override VPN DNS is off. I am using encrypted DNS, DNS over TLS, and Cloudflare. Is there any way to use these settings with Adguard Home on?

For Adguard Home, I'm assuming it's on when it's lit green? Under DNS blocklists, I have Adguard DNS filter, AdAway Default Block, Hagezi Pro++ Block, Steven Black's List, 1Hosts (Lite), and OISD Blocklist Big turned on. Are there any redundancies? Any other block list I should have for maximum security and privacy?

Any other settings I should have on or off with Adguard Home? I don't know what else to consider.

I have changed the password under the system tab. I have also updated to the latest firmware. Once I get the hang of it, I'll consider flashing to OpenWrt instead of GL.iNet's own GUI on top of OpenWrt. I don't know how I should set up the toggle button and how you guys are setting it.

Really looking forward to hearing from you guys! I'm eager to learn. Thank you!

It has nothing to do with the default account name/password of the upstream ISP router. A relay or WAN connection is safe in itself. It is better to use a VPN.

If you are using a fixed position, there is no need to turn on automatic switching, just fix repeat to a primary WiFi.

This configuration is very safe and there is no problem.
The channel is automatic.

Enable KillSwitch (Block Non-VPN Traffic).

There is no such feature, and it would make no sense; it would not improve security either.

After ADG is enabled, DNS requests are processed by ADG and are no longer processed by the router's local dnsmasq.

You can configure encrypted DNS and DNS over TLS in ADG DNS.

Please go to the OpenWrt official website to download Beryl's vanilla OpenWrt firmware.
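As an added example (not code from the thread, from GL.iNet or from Proton), here is the check a practitioner would run instead of trusting the green light in the GUI. It reads the output of `wg show <iface> dump`, which the `wg` tool prints on any WireGuard host (the router over SSH included), and treats the tunnel as down when the last handshake is older than a threshold: WireGuard re-handshakes about every two minutes while traffic flows, so a stale handshake with traffic still queued means the tunnel is dead and, without the kill switch, packets would be leaving via the WAN. The interface name `wg0`, the 180 s limit and the sample dump (placeholder keys, documentation endpoint) are assumptions.

```python
#!/usr/bin/env python3
"""Added example: decide whether a WireGuard tunnel is really up from
`wg show <iface> dump`.  Interface name and threshold are assumptions."""
import subprocess
import time

MAX_HANDSHAKE_AGE = 180  # seconds; assumption, ~1.5x WireGuard's rekey interval


def parse_wg_dump(dump_text):
    """Parse `wg show <iface> dump`: one tab-separated header line, then one line per peer.

    Peer fields: public-key, preshared-key, endpoint, allowed-ips,
    latest-handshake (unix epoch, 0 = never), rx-bytes, tx-bytes, keepalive.
    """
    lines = [l for l in dump_text.strip().splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty wg dump")
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) < 8:
            raise ValueError(f"malformed peer line: {line!r}")
        peers.append({
            "public_key": f[0],
            "endpoint": f[2],
            "allowed_ips": f[3],
            "latest_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
        })
    return peers


def tunnel_status(dump_text, now, max_age=MAX_HANDSHAKE_AGE):
    """Return (healthy, reason) for the first peer in the dump."""
    p = parse_wg_dump(dump_text)[0]
    if p["latest_handshake"] == 0:
        return False, "no handshake has ever completed"
    age = now - p["latest_handshake"]
    if age > max_age:
        return False, f"last handshake {age}s ago (limit {max_age}s)"
    if p["rx_bytes"] == 0:
        return False, "handshake ok but no data received from peer"
    return True, f"handshake {age}s ago, rx={p['rx_bytes']} tx={p['tx_bytes']}"


def live_status(iface="wg0"):
    """Run on the router or any WireGuard host; `wg show` needs root."""
    out = subprocess.run(["wg", "show", iface, "dump"],
                         capture_output=True, text=True, check=True).stdout
    return tunnel_status(out, int(time.time()))


# Constructed sample dump (placeholder keys): one peer, handshake 42 s before NOW.
NOW = 1_700_000_000
SAMPLE_DUMP = (
    "cHJpdmF0ZS1rZXktcGxhY2Vob2xkZXI=\tcHVibGljLWtleS1wbGFjZWhvbGRlcg==\t51820\toff\n"
    "cGVlci1rZXktcGxhY2Vob2xkZXI=\t(none)\t203.0.113.10:51820\t0.0.0.0/0,::/0\t"
    f"{NOW - 42}\t183422\t45211\t25\n"
)

if __name__ == "__main__":
    ok, why = tunnel_status(SAMPLE_DUMP, NOW)
    print("UP" if ok else "DOWN", "-", why)
```

Swap the sample for `live_status()` and run it from cron on the router, logging DOWN transitions; with "Block Non-VPN Traffic" enabled a DOWN state means no internet rather than a leak, which is exactly the behaviour you want when you cannot watch the GUI.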

Hi Bruce,

I had to go and fix the OP as there are some typos.

What I meant to say is that if the Beryl is connected to what is essentially an unsecured network since it's using the default router password, will all devices connected to the Beryl be unsecured if the VPN is on? My gut feeling is that even though the Beryl is repeating the WiFi signal, the VPN on the Beryl will encrypt all devices connected to it so that even if the default password is used or if it's a password-less WiFi, I'll still be safe since the Beryl has the VPN on. True or false?

I don't understand what you mean by relay or WAN in that sentence.

I also don't understand what you mean by "if you are using a fixed position, there is no need to turn on automatic switching, just fix repeat to a primary WiFi." I read my post again and it seems clear to me.

What does channel 132 (DFS) mean? That's the best option? Wouldn't 160 MHz be better?

Where in the GUI can I enable a kill switch? I didn't see such an option in Proton VPN's configuration page nor in Beryl's GUI.

Any way to enable split-tunnel at the router level?

How do I configure Adguard on the Beryl to use encrypted DNS, DNS over TLS, and Cloudflare?

What about the blocklists that I have on? Any additional lists to consider or disable?

Thank you.

Help?

Help?

Hello?

If the primary router has a default password, change it; this should be mandatory in all security practices.

If that is not within your reach, your devices are still protected, because the primary router does not know the device IPs behind the Beryl; it only sees the Beryl as the source of the traffic.

The Beryl will drop all inputs when the source IP is not from the LAN directly but from the WAN, i.e. your primary router; it only accepts it as a response on the same connection, so this only goes one direction and never the other direction as first initiator.

Since you speak about a primary router, you are behind two firewalls, the firewall of the Beryl and the firewall of the primary router. This space is known, you know the devices at this scope, so you are secure there.

Now that a lot is secure, the traffic can still be sniffed or DNS poisoned/hijacked after the primary router, at the ISP level. For an ISP this is rarely a thing, although hackers like to respond to predictable patterns; sometimes an ISP doesn't even know they are lurking there in case of compromise. So if you have a build server which occasionally downloads dependencies and compiles them, you are far more at risk than somebody who is just surfing the web and is less predictable; they are often after your keys. But if you are not a sysops, engineer or admin, it is very unlikely you are being targeted.

You can use a VPN for this on the Beryl. As for AdGuard Home, this one is a little tricky: from what I observed, this DNS option does not route over the VPN. However, you can add a DoH or DoT resolver, just like Cloudflare, to it and that is more than fine; this encrypts it.

For WiFi repeating to unknown networks I would surely do this, also because if the repeated network doesn't isolate clients properly, one could easily impersonate the gateway and become a man in the middle; this is far easier than compromising an ISP.

So it comes down to:

Know your network, and know the network you connect to. If you don't know it, i.e. you are at a vacation place on a repeated network with badly isolated clients, you want to secure it.

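The two firewall properties described above (the WAN side cannot initiate connections into the LAN, and LAN clients have no path to the internet except through the tunnel) can be checked directly against the router's OpenWrt firewall configuration. The script below is an added example, not code from the thread, from GL.iNet or from OpenWrt: it parses UCI syntax as found in `/etc/config/firewall` and reports anything that breaks the kill switch. The zone names `lan`, `wan` and `wgclient` are assumptions (GL.iNet's firmware uses its own zone names, so match them to `uci show firewall` on your unit), and both configurations are constructed, one with the usual direct lan-to-wan forwarding and one with that path removed.

```python
#!/usr/bin/env python3
"""Added example: audit an OpenWrt /etc/config/firewall for (1) a WAN zone that
rejects unsolicited inbound traffic and (2) LAN forwarding only into the VPN
zone, never straight to WAN.  Zone names are assumptions; configs are constructed."""
import shlex


def parse_uci(text):
    """Parse UCI syntax ('config', 'option', 'list' lines) into section dicts."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            sections.append({"type": parts[1], "options": {}, "lists": {}})
        elif parts[0] == "option" and sections:
            sections[-1]["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and sections:
            sections[-1]["lists"].setdefault(parts[1], []).append(parts[2])
        else:
            raise ValueError(f"unexpected UCI line: {line!r}")
    return sections


def audit_vpn_firewall(text, lan="lan", wan="wan", vpn="wgclient"):
    """Return a list of findings; an empty list means the kill switch holds."""
    sections = parse_uci(text)
    zones = {s["options"].get("name"): s["options"] for s in sections if s["type"] == "zone"}
    forwards = [(s["options"].get("src"), s["options"].get("dest"))
                for s in sections if s["type"] == "forwarding"]
    findings = []

    w = zones.get(wan)
    if w is None:
        findings.append(f"no zone named {wan!r}")
    else:
        if w.get("input", "ACCEPT").upper() not in ("REJECT", "DROP"):
            findings.append(f"zone {wan} input={w.get('input')}: inbound connections allowed")
        if w.get("forward", "ACCEPT").upper() not in ("REJECT", "DROP"):
            findings.append(f"zone {wan} forward={w.get('forward')}: WAN may be forwarded")

    if (lan, wan) in forwards:
        findings.append(f"forwarding {lan}->{wan} present: clients bypass the VPN when the tunnel is down")
    if (lan, vpn) not in forwards:
        findings.append(f"no forwarding {lan}->{vpn}: clients have no path through the tunnel")
    v = zones.get(vpn)
    if v is not None and v.get("masq") != "1":
        findings.append(f"zone {vpn} does not masquerade; LAN addresses would leak into the tunnel")
    return findings


# Constructed: zones plus a direct lan->wan path, so traffic leaks when the VPN drops.
LEAKY_FIREWALL = """
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    list network 'wan'

config zone
    option name 'wgclient'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    list network 'wgclient'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'wgclient'
"""

# Constructed: same zones with the lan->wan forwarding removed (kill switch).
LOCKED_FIREWALL = LEAKY_FIREWALL.replace(
    "config forwarding\n    option src 'lan'\n    option dest 'wan'\n\n", "")

if __name__ == "__main__":
    for label, cfg in (("leaky", LEAKY_FIREWALL), ("locked", LOCKED_FIREWALL)):
        print(label, "->", audit_vpn_firewall(cfg) or ["OK"])
```

Run it against `cat /etc/config/firewall` over SSH after toggling "Block Non-VPN Traffic"; the forwarding check is the part that matters for the kill switch, and the WAN input check is what the post above means by the Beryl dropping inputs that did not originate from the LAN.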

What does channel 132 (DFS) mean? That's the best option? Wouldn't 160 MHz be better?

Where in the GUI can I enable a kill switch? I didn't see such an option in Proton VPN's configuration page nor in Beryl's GUI.

Any way to enable split-tunnel at the router level?

How do I configure Adguard on the Beryl to use encrypted DNS, DNS over TLS, and Cloudflare?

What about the blocklists that I have on? Any additional lists to consider or disable?

Channel 132 is just a channel for WiFi; the more MHz you use, the better the speed.

However, this is only acceptable if your country accepts these channels; usually you use the channel which is best for you, with the least interference.

DFS comes into play when your selected channel conflicts with a country's limitation; you surely don't want to cause interference with airships, military, police and whatnot. Under normal situations they can kick down your WiFi; this is called radar detection. But you can set this to auto and then it adjusts automatically: if it gets radar detected, it searches for another channel.

DFS can take longer to get up, this is normal.

^ Best is to set the country as well in LuCI. This can be done by visiting the menu on the left in the GL UI, then under advanced settings just click on the link, then log in as root (password the same as the router), then navigate to Network -> Wireless -> edit WiFi -> there should be the option to specify the country; it can be behind a tab there.

Yup, for speed that is correct, but not all routers accept this; be advised that this may cause adverse effects like crashing, as the driver in the router may not accept it.

There must be a tab in the menu called VPN dashboard, and then on the right of VPN client you have global options.

I believe this is easy: first enable AdGuard Home and then click here under the AdGuard Home page:

Then you click on the hamburger menu (the navigation on the left), and then DNS settings.

Remove the DNS IPs and paste https://dns.cloudflare.com/dns-query like this:

I would advise not to use a lot due to space issues, but my guess is you could go with oisd, maybe, if they have it; oisd already uses multiple lists combined as one. Hagezi is fine too, but you need to keep an eye on your space usage.

I myself don't use AdGuard Home, only NextDNS.

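The "are there redundancies?" and "keep an eye on your space usage" points can be answered with numbers rather than guesswork. The script below is an added example, not code from the thread, from AdGuard or from any list maintainer: it parses the three formats AdGuard Home accepts (hosts lines such as `0.0.0.0 host`, adblock rules such as `||host^`, and bare domain lists), normalises each list to a set of domains, and reports per list how many entries it has, how many no other enabled list already covers, and its raw size. The sample lists are constructed stand-ins, not the real AdGuard DNS filter, Hagezi or OISD content; run it on the files you actually download to see which lists add nothing.

```python
#!/usr/bin/env python3
"""Added example: per-list unique contribution and size across DNS blocklists
in hosts, adblock and plain-domain format.  Sample lists are constructed."""
import re

_HOSTS_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+(\S+)")
_ADBLOCK_RE = re.compile(r"^\|\|([a-z0-9.-]+)\^")
_DOMAIN_RE = re.compile(r"^[a-z0-9.-]+$")
_LOCAL = {"localhost", "localhost.localdomain", "local", "broadcasthost",
          "ip6-localhost", "ip6-loopback"}


def parse_blocklist(text):
    """Return the set of blocked domains (lowercased) in a hosts/adblock/domain list."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line or line.startswith("!") or line.startswith("@@"):
            continue  # blank, adblock comment, or adblock exception rule
        m = _HOSTS_RE.match(line) or _ADBLOCK_RE.match(line)
        host = m.group(1) if m else (line if _DOMAIN_RE.match(line) else None)
        if host and host not in _LOCAL:
            domains.add(host.rstrip("."))
    return domains


def overlap_report(lists):
    """lists: {name: text}. Returns {name: {"total", "unique", "bytes"}}."""
    parsed = {name: parse_blocklist(text) for name, text in lists.items()}
    report = {}
    for name, doms in parsed.items():
        others = set().union(*(d for n, d in parsed.items() if n != name))
        report[name] = {"total": len(doms), "unique": len(doms - others),
                        "bytes": len(lists[name].encode())}
    return report


def redundant_lists(report):
    """Names of lists that block nothing the other enabled lists do not already block."""
    return sorted(n for n, r in report.items() if r["unique"] == 0)


# Constructed sample lists, one per format AdGuard Home accepts.
SAMPLE_LISTS = {
    "hosts-style": "# comment\n127.0.0.1 localhost\n0.0.0.0 ads.example\n"
                   "0.0.0.0 tracker.example\n0.0.0.0 telemetry.example\n",
    "adblock-style": "! comment\n||ads.example^\n||tracker.example^\n"
                     "||metrics.example^\n@@||allowed.example^\n",
    "domain-style": "ads.example\ntracker.example\n",
}

if __name__ == "__main__":
    rep = overlap_report(SAMPLE_LISTS)
    for name, r in rep.items():
        print(f"{name:14s} total={r['total']:3d} unique={r['unique']:3d} bytes={r['bytes']}")
    print("fully redundant:", redundant_lists(rep))
```

A list with `unique == 0` costs flash and filter-update time on the router and blocks nothing extra; that is the one to disable first. Note the count is relative to the other lists you have enabled, so re-run it after every change.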

Thank you! You've been so helpful. I was seriously thinking of returning the Beryl, but I think I'll keep it now.

For DNS Settings, the default is 8.8.8.8, 9.9.9.9. Is that secured in itself? I replaced it with https://dns.cloudflare.com/dns-query as you said. Does just that setting mean it'll be encrypted DNS and DNS over TLS? So I'm getting the best possible security and performance?

Is NextDNS free? Is it any better than the default Adguard Home? Why did you go with NextDNS?

What do you mean by space issues with the lists? With the lists that I have on, I noticed a lot of queries are blocked, which is good to know. Do you know if any specific lists that specifically target Amazon, LG, and Samsung telemetries? I've read that their IoT and TVs are constantly spying.

I looked into the channels and DFS. Apparently, I can't change it since my Beryl is in repeater mode. I'm assuming it's taking the settings from my ISP-supplied modem/router. I guess I'll have to change it there and then maybe the Beryl will copy those settings? Yes, I want to use the channel with the least interference and the best performance.


8.8.8.8 and 9.9.9.9 use port 53; this port can be hijacked and is not encrypted.

As for the Cloudflare one, this one is DoH since it uses HTTPS. Also, since it uses encryption with key authentication, it is not possible to hijack it; that would break the chain of trust and fail.

Both DoT and DoH are secure; DoT, however, can be blocked more easily, whereas DoH is harder to block.

NextDNS is free, but only until your queries reach a certain threshold; then it stops blocking. It's not that useful if it randomly stops, so I pay for my own instance to have unlimited queries.

Between AdGuard and NextDNS a lot of lists are the same; the main difference is that AdGuard Home stores the lists on the router, where NextDNS doesn't.

For easier administration it was a better solution for me to use it externally. They also come with AI detection (so far it has never found anything), but it has an interesting one: block domains not older than 2-3 months. This is especially useful against phishing campaigns and has helped me a lot of times when I accidentally clicked on a bad link.

And since I use pure OpenWrt, not GL firmware, I use the luci-app-nextdns package, which allows me to monitor every client's queries separately.

The Beryl doesn't have a lot of flash memory. The AdGuard Home feature downloads lists to the router to block domains; some lists are too big, especially multiple ones. A too-full router will cause unwanted effects, so it is important after adding a list to check if your space is still okay.

Hmm, I'm not sure about this, but usually if you set your wireless settings to host an AP it should be possible even with the repeater active. If not, you can do it via LuCI in the same place where you could set the country. What I think is going on is: if you edit a country on a band on the AP, it wants to do it for all, including the repeater.

The GL software may not be such a fan of that, but it should be possible there; I guess that is the error in the GL UI.

Also, if your repeater doesn't use that channel, you need to apply it on the primary router as well; only the repeater function takes the data from the other router it connects to. But two of the same channel can cause interference, so you may choose a bit lower one. Either way it can work fine. There are some apps for Android which can help, for your phone, like WiFi Analyzer or WiFiman, to give more visibility into how those channels are laid out.
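The difference between plain port 53 and DoH described above is easy to verify from a laptop behind the Beryl without trusting what the router's GUI reports. The script below is an added example, not code from the thread, from AdGuard or from Cloudflare: it builds a DNS query in wire format, POSTs it as `application/dns-message` over HTTPS (the RFC 8484 exchange), and parses the answer. The wire-format builder and parser are exercised offline on a constructed response, so the only network call is in `doh_lookup()`; the Cloudflare URL is the one named in the thread, and 192.0.2.1 in the sample answer is a documentation address, not a real record.

```python
#!/usr/bin/env python3
"""Added example: minimal DNS-over-HTTPS (RFC 8484) client with an offline,
constructed response for the wire-format parser.  URL and data are assumptions."""
import random
import struct
import urllib.request

DOH_URL = "https://dns.cloudflare.com/dns-query"


def build_query(name, qtype=1, qid=None):
    """Build a DNS query message (recursion desired) for `name`, type A by default."""
    qid = random.randrange(1 << 16) if qid is None else qid
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        if ln == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(query, resp):
    """Return [(owner, ttl, ipv4)] for A records; reject answers whose ID does not match."""
    qid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if qid != struct.unpack(">H", query[:2])[0]:
        raise ValueError("response ID does not match query (spoofed or misrouted answer)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(resp, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = _read_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return records


def doh_lookup(name, url=DOH_URL):
    """POST the query as application/dns-message over HTTPS and parse the reply."""
    q = build_query(name)
    req = urllib.request.Request(url, data=q, method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as r:
        return parse_response(q, r.read())


# Constructed reply to build_query("example.com", qid=0x1234): one A record, TTL 300.
SAMPLE_QUERY = build_query("example.com", qid=0x1234)
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + SAMPLE_QUERY[12:]                 # question echoed back
                   + b"\xc0\x0c"                       # pointer to the name at offset 12
                   + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(parse_response(SAMPLE_QUERY, SAMPLE_RESPONSE))
    # On a connected machine: print(doh_lookup("example.com"))
```

The same 12-byte header and question are what travel in cleartext on port 53; with DoH the whole message sits inside TLS, and the server is authenticated by its certificate, which is why an on-path party on the hotel or coffee-shop network can no longer rewrite the answer.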

I tried to find the country option in luci, but I don't see it under wireless settings. Is it relevant if I use this router for traveling?

It's too bad that Beryl doesn't have a lot of memory. I wonder why? Increase profit margin by GL.iNet? I wonder if the new Slate 7 will have more memory?

I noticed that you don't have Adguard handle client requests turned on. Why?

Using my example, I get that changing the ISP password is a good security practice. However, how is it any different than using Starbucks' WiFi? It's not like I can change the WiFi password anyway. With your help, I think I have my Beryl fully configured for the best possible security, performance, and privacy. I have changed the password on my Beryl. Whether I connect my Beryl to an unsecured ISP router or Starbucks, am I not very secure already since all of my devices are behind the Beryl's firewall as you have said? I get that nothing will ever be perfectly secured, but it's all about making it as hard as possible for anyone wanting to hack me.

As for the VPN kill switch, I see something under global options in the VPN dashboard. Is it block non-VPN traffic?

Any MAC settings to change? Or stick with GL.iNet's default?

Anything else to consider or that's it and my Beryl is fully configured?

Thank you!

Only if you get issues; DFS can still do a lot, but it isn't perfect in all situations. Under wireless you need to edit a WiFi interface, and then near the channel settings you likely have tabs; it needs to be there.

Well, routers originally are small embedded devices, with a fork of Linux with a lot of it removed, called BusyBox (in OpenWrt). Routers are never designed for these kinds of tasks, but I believe you could use a USB stick or disk drive on it; you only have to figure out how to make AdGuard Home write to it. There are probably a lot of posts about this on the forum.

This was for demonstration purposes, not really a reason; since I don't use AdGuard I had to check the settings myself on a different router than my main one.

The issue lies in the type of attack; let me elaborate:

If you are on a public network, there are also other devices on the WAN side of the Beryl who could act maliciously. If this network doesn't do client isolation, they could ARP spoof and spam that they are the main router and eventually become a man in the middle. Here encryption is very much recommended; they will not be able to read it, nor act maliciously as a man in the middle.

Whereas for how your situation is now, Beryl <-> ISP router, there is only one side who can be malicious, and in this case it is much more unlikely and harder for them to do so.

Correct

Not really needed; you may only want to do so if you connect as a repeater to an AP which doesn't accept routers. You can clone the MAC of your mobile phone.

Not really, everything seems fine.


By default, a public network is always vulnerable to compromise because it's not a trusted network. On public Wi-Fi, it's possible to see other connected devices, and it could be used to impersonate a guest portal and the Starbucks SSID itself. The way to prevent other devices from being seen on a network is to enable "isolated" mode (gl.inet has this option on Wi-Fi). If you use your Beryl and establish a VPN, your traffic is encrypted, making it more difficult for someone to capture that data.

If you don't enable WAN interface management, no one should be able to access your computer when you connect it to that public network either.


How does changing the default password on the ISP modem address the security of my setup when all of my devices are behind the Beryl? If I was clear earlier then yes, I do have a VPN on all the time. I also have the kill switch enabled.

How do I enable isolated mode?

How do I disable WAN interface management? Why is it enabled by default in the first place?

Thank you!

You can see it in the manuals. It tells you how and where.

Hello, I just want to thank everyone again for the help.

I thought everything was good to go and everything was set up. Now I seem to be experiencing some connectivity issues that started yesterday. It all started when I replaced the USB-C charger with something else. I had to turn off the Beryl. Upon booting up again, I went to the VPN to turn it back on so that I have internet since the kill switch was on. Everything seemed fine until I went away and turned off my phone's screen to conserve power. I come back 10-15 minutes later and I notice my phone isn't connected to the Beryl. The connection was dropped. So I go to my Pixel's WiFi page and the Beryl isn't even showing in the list of available networks. I had to turn off and on the WiFi and wait a few seconds before the Beryl appeared. Then I have to connect and re-enable the VPN to have internet. Unfortunately, this problem continues. Even my second phone is also experiencing a problem with staying connected to the Beryl. As soon as I turn off the screen and the phone goes to sleep, it loses the WiFi connection. I never experienced this issue until yesterday and I can't figure out why. It's very annoying having to go through the process of reconnecting to the Beryl. What's going on?

This sounds to me like the router is searching for a stable channel due to DFS. Does this also occur on the 2.4 GHz band?

Also, if you use repeater mode, then it is normal that the band it connects to goes offline as well.

Not sure what the effects are if you use the same SSID on both 2.4 GHz and 5 GHz and a repeater function is involved. In my use case I explicitly made an abstraction between the two because of possible incompatibilities with devices not preferring the right band, so for the 5 GHz band I append -5G to my SSID name.


You changed the USB power to what? Might not be outputting enough power to run the device.

If that's the case then how come my phone doesn't have any connection issues when I'm actually using it?