Need pointers/overview for VPN/NAT security for Beryl

Hi all.
I just got a GL-MT1300 (Beryl). I have it set up for WiFi relay to use at my office, Starbucks, hotels, etc and it works at my office with the captive VPN there. However, I’m still a bit fuzzy on security on public Wifis. I know the Beryl gives me the usual protection of a NAT router. But not sure how a VPN (e.g. Nord) would help and where I would use this. The Beryl can be a VPN client and/or host. Do I use VPN from my Macbook/iPhone to the Beryl? Do I use it from the Beryl to the Internet? Both? From my Macbook/iPhone to the Internet?

I’d really appreciate some info on which of these configurations would help most and how to set them up.

Also, anyone using Apple’s VPN-ish iCloud Private Relay ( About iCloud Private Relay - Apple Support )? How would it work with the Beryl?



You connect Beryl to the public wifi
Then you connect vpn on Beryl to your vpn server

That is it.

You don’t need to connect vpn on your mac again.

VPN is overrated. Are you planning to carry a VPN router with you throughout the hotel lobby, restaurant and bar and whenever you go into Starbucks, McDonald’s, public library, etc.? Unless you intend to do nefarious things, the normal websites, email systems and smartphone apps already have encryption. The normal public hotspots also set up their guest wifi with client isolation. When you are not at a hotspot and just use LTE on a smartphone, there is no additional protection unless you have the VPN app turned on all the time.

Sure, hotspots see the IP addresses that you go to, but do you think Starbucks cares to spend a lot of money on I.T. to monitor and record everyone’s MAC addresses and the IP addresses, when you only spend $3 for a cup of coffee? If so, then you can turn on randomized MAC addresses and the VPN app on your device.

Commercial VPN providers like to advertise that other people can see your banking information, but all the financial institutions use strong encryption on their websites and apps.

I do not work for and I do not have formal association with GL.iNet