Supporting two Ethernet connections on the Beryl AX?

So my current Tailscale VPN client setup plan is to connect the Beryl WAN port to the local Wi-Fi router’s LAN port, then a wired connection from Beryl’s LAN port to my laptop… but sometimes I may want to use my iPhone as a wired connection with the Beryl as well. I don’t want to lug around a switch while traveling for this so I’ve thought of the following two options.

Option 1

Can I put the Beryl AX into repeater mode and use the WAN and LAN ports both as LANs to my laptop and iPhone?

Option 2

Can I use an ethernet splitter on the Beryl’s LAN port to connect my laptop and iPhone to?

Also, in case anyone asks, the way I plan to use ethernet with the iPhone is with this Belkin B2B165B Ethernet with Power Adapter and Lightning Connector iPad F8J227 | eBay

Can I use an ethernet splitter […]

Do you mean something like this?

… 'cause if so, you should know no pro network tech is going to plug in one of those into their gear. There’s no way it’s going to maintain electrical/signal stability to properly carry clean 8P8C. Hell, it could even fry the equipment. IIRC even that whiny, skinny goofball, Linus of Linus Tech ‘Tips’ did a video on how bad they were.

Can I put the Beryl AX into repeater mode and use the WAN and LAN ports both as LANs to my laptop and iPhone?

You can by re-designating the WAN port to another LAN but what’d be the point? Then your ‘WAN’ becomes Wi-Fi to two devices instead of just one (the iPhone).

It can be done though. GL GUI → Internet → Ethernet → Change to LAN… but I’d really only do that after putting the device into Repeater mode & connected first. WAN → LAN might very well drop your DHCP leases, forcing you to log back in.

Out of curiosity what’d’ya need a hard wire iPhone for? I don’t think many mobile devices are capable of handling 1 Gbps streams. I could be wrong.

(Assumes firmware 4.2.1-release4)

Yeah OK, so I need a switch to do that.

The reason I want to wire the iPhone is to use it (if needed) without enabling Wi-Fi which will receive nearby networks and report my location. It’s a work device which I intend to keep connected only to my VPN server.

Then I must be due for another cup of coffee then because I can’t see how an iPhone’s Wi-Fi can report anything if it’s not already authenticated/logged onto a Wi-Fi access point/network.

If you’ve got Firmware 4.2.1-r4, you should be able to set a static DHCP reservation (GL GUI → Clients → $client → […] → Modify), then set your VPN policy to ensure the mobile always tunnels.

(GL GUI → VPN → VPN Dashboard → Global Proxy → Based on the Client Device)

I’d check the phone doesn’t give out a random MAC every time it connects to the Beryl, though. That should be somewhere in its system settings for Wi-Fi.

AdGuard Home can block any outgoing 'net connections it makes that you don’t want (GL GUI → Applications → AdGuard Home).

Shyte; I see you’re looking to use Tailscale. That changes things as the Tailscale tunnel/logging will most likely over-rule AdGuard Home.

Good point, it can’t report anything as long as cellular remains turned off. But once it does connect to the intended network via Wi-Fi it would then regain that ability to report.

Is this static DHCP reservation setting to always tunnel something I’d want to do to my laptop device as well?

Good point, it can’t report anything as long as cellular remains turned off.

My phone is always in Flight Mode.

But once it does connect to the intended network via Wi-Fi it would then regain that ability to report.

Yup… & that’s a problem. You know what I’d do? I’d set up your Beryl w/ AdGuard Home but no WAN/Internet uplink, cable, repeater or smoke signals. Then I’d use the phone as much as possible, days even. Gaming, surfing, idling… whatever. AdGuard should do the logging quite nicely. IDK how much effort it’d be to pull those logs but that data could be used to build a custom blocklist.

How you deploy that blocklist onto your ‘tailnet’ to ‘zero out’ or ‘null route’ those particular DNS requests is up to you… but you might be surprised how often tracking is a concern.

Eg: I have a custom curated block list that nulls out specific domains I don’t like on my Slate AX & a service that takes care of some claimed 70000 other sites which they update. The capability to run this already ships in f/w 4.2.1-r4. It’s just a matter of collecting the domains to build the list & some manual configuration.

Your goal of using Tailscale is a little more complex setup than mine but the more I think of it, I don’t think there’d be much of a problem replicating a similar blocking setup I have for your goals. I’m already using WireGuard, just not via Tailscale.

IDK; I always set static DHCP. I like to know my devices are where I put them. Whether you choose to assign them to tunnel is up to you but there’s more than just an ‘all or nothing’ option under Global Proxy. How paranoid ya’wanna get? You are properly paranoid, right?

(Side note: I think you’ll want to click that link in this post. I really do.)
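The log-to-blocklist step described in the post above, sketched as an added example that is not part of the original thread. It assumes AdGuard Home's query log is one JSON object per line with `IP` (client) and `QH` (queried host) fields; the sample lines, addresses and domains are constructed.

```python
import json
from collections import Counter

# Constructed sample lines shaped like AdGuard Home's querylog.json.
# The IP/QH field names are an assumption about that file's layout;
# check them against a line from your own log before relying on this.
SAMPLE_LOG = """\
{"T":"2024-01-05T09:00:01Z","IP":"192.168.8.120","QH":"telemetry.example.net","QT":"A"}
{"T":"2024-01-05T09:00:02Z","IP":"192.168.8.120","QH":"Telemetry.example.net.","QT":"AAAA"}
{"T":"2024-01-05T09:01:10Z","IP":"192.168.8.101","QH":"updates.example.com","QT":"A"}
{"T":"2024-01-05T09:02:30Z","IP":"192.168.8.120","QH":"login.vpn.example.org","QT":"A"}
{"T":"2024-01-05T09:03:00Z","IP":"192.168.8.120","QH":"locate.example.net","QT":"A"}
{"T":"2024-01-05T09:03:
"""

def observed_domains(log_text, client_ip):
    """Count DNS names requested by one client, skipping damaged lines."""
    counts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written last line is normal in a live log
        if not isinstance(entry, dict) or entry.get("IP") != client_ip:
            continue
        # Normalise case and the trailing root dot so duplicates merge.
        host = str(entry.get("QH", "")).rstrip(".").lower()
        if host:
            counts[host] += 1
    return counts

def build_blocklist(counts, allow=(), min_hits=1):
    """Emit AdGuard-style rules (||domain^), keeping allow-listed names out."""
    rules = []
    for host, hits in sorted(counts.items()):
        if hits < min_hits:
            continue
        if any(host == a or host.endswith("." + a) for a in allow):
            continue  # never block what the tunnel itself needs
        rules.append(f"||{host}^")
    return rules

if __name__ == "__main__":
    seen = observed_domains(SAMPLE_LOG, "192.168.8.120")
    for rule in build_blocklist(seen, allow=("vpn.example.org",)):
        print(rule)
```

Filtering by client IP only gives a clean per-device list if the phone keeps one address, which is where the static DHCP reservation and fixed MAC mentioned earlier in the thread matter.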

Sorry, I think you misunderstand what I’m trying to do here. AdGuard Home (that I know of) is not going to block the functionality of Location Services which uses trilateration of nearby Wi-Fi hotspots to define your location (using an online database of SSIDs and MAC addresses). This is how a lot of laptops and phones obtain rough locations.

So, in order to avoid this on any device, the only way is to use a wired connection.

So does your employer have a custom security policy on that iPhone that precludes you from toggling Location off? I don’t know; I’ve read of similar such setups on Samsung’s Knox Enterprise device management software so I wouldn’t rule it out as a possibility. You should check if that’s another setting you can adjust.

Regardless if it can scan, record nearby SSID/MACs it’d still need a way to transmit the payload… so Internet access of some type & no doubt a domain name to connect pre-upload. AdGuard Home can help determine that DNS request in logs. Then you can block it.

You’d still be faced with this potential ‘phoning home’/reporting threat even if you hard wired. There’s nothing that says they’re not also recording what cell towers you’re ‘hitting’ in your travels. That is speculation in this case but technically possible.

Wow, I’m an idiot. I actually already manually switched off the Location Services on my work phone and it even explicitly says it disables the Wi-Fi hotspot localization… Looks like I’m good to go!

You’re not an idiot; that’s just what they want you to think. I’ve seen some dirty, dirty sh!t from so many corpos/manufacturers it’d make ya sick… but don’t take my word for it: check out Louis Rossmann on YouTube (… but watch through your closest Invidious instance!).

Back on topic: I’d still use AdGuard to monitor that mobile for a good long spell… just to be sure.

Have a good one.
