🟡 Trust Rating: Moderate

GL.iNet makes the most practical "VPN the whole connection" box on the market: an OpenWrt router with WireGuard, OpenVPN, and AdGuard Home baked in. The catch is who builds the firmware. The company is headquartered in Shenzhen, China, and ships its own OpenWrt fork loaded with cloud services. None of that is disqualifying, because the cloud is opt-in and you can flash vanilla OpenWrt on most models. But you have to actually do the lockdown. Out of the box, trust is conditional.

What is GL.iNet?

GL.iNet builds small routers that run OpenWrt, the open-source router operating system, with the company's own web interface bolted on top. Founded in 2010, it operates out of Shenzhen under the legal entity Shenzhen Guanglianzhitong Tech Co., Ltd., with distribution and offices in the United States and Hong Kong and a cloud team in Chengdu.[1]

The pitch is simple. You load a VPN provider's WireGuard config into the router once, and every device on that network, your phone, laptop, work tablet, the smart TV in the hotel, rides the tunnel automatically. No per-device app, no forgetting to toggle the VPN on. The travel models are pocket-sized and run off a USB-C battery. The home models replace your ISP router entirely and block ads for the whole house.

That is genuinely useful. It is also the exact spot where you should ask the obvious question: whose code is deciding what my whole network talks to?

Critical Privacy Concerns

⚠️ Read This Before You Buy

  • Chinese-HQ firmware, running your whole network. A router sees every DNS query and every destination from every device behind it. GL.iNet's stock firmware is a fork of OpenWrt, not vanilla OpenWrt, so you are trusting the vendor's build, not just the open-source project. The company's HQ jurisdiction is a real consideration for anyone whose threat model includes the Chinese state.
  • GoodCloud remote management. GL.iNet runs a cloud platform called GoodCloud that lets you manage the router remotely. Per the official docs it is opt-in and off by default, which is the right default. It also, by design, does not go through the VPN by default, which the docs say "ensures a more stable connection to GoodCloud services," unless you change that setting.[2] If you never want the router phoning a cloud, leave GoodCloud unbound and confirm it is disabled.
  • Cloud servers sit in three regions. GoodCloud data servers are hosted in Asia Pacific (Japan), America (Oregon), and Europe (Ireland).[1] Enabling remote management means picking one of those and trusting it.
  • The safeguard exists, but it is on you. The strongest answer to all of the above is to flash vanilla OpenWrt and drop the vendor firmware entirely. It works on most models. It is also a step most buyers will never take.

OpenWrt Base and the Vendor Fork

The reason GL.iNet earns a moderate rating instead of a low one is the OpenWrt foundation. Models like the Beryl AX and Flint 2 use MediaTek Filogic chipsets that the upstream OpenWrt project supports well, which means you are not locked into the vendor's build forever. Community documentation walks through flashing plain OpenWrt onto a Flint 2, replacing the fork's preinstalled cloud services, preconfigured tunnels, and extra plugins with a clean upstream image.[3] If you do not trust the vendor firmware, you have a real exit. That is a stronger position than any closed consumer router gives you.

WireGuard and OpenVPN, the Actual Point

Every current GL.iNet router runs both a WireGuard and an OpenVPN client and server. You paste in a config from a provider like Mullvad or IVPN, and the router tunnels everything. Throughput is the thing that separates the models. WireGuard on the pocket-sized Beryl AX tops out around 300 Mbps, the Slate AX around 550 Mbps, and the home-class Flint 2 is rated up to 900 Mbps.[4][5][6] If your home internet is faster than the router's VPN ceiling, the VPN becomes your bottleneck, so match the box to your line. For picking a provider to load into it, see our VPN strategy guide and home WireGuard server walkthrough.

AdGuard Home and Network-Level Ad Blocking

AdGuard Home ships in the firmware on the current lineup, including the Beryl AX, Slate AX, Flint 2, and Flint 3.[4][5][6][7] It is a DNS-level ad and tracker blocker that covers every device on the network, the same idea as Pi-hole but without a separate Raspberry Pi to babysit. For the tradeoffs between the two approaches, read our network ad-blocking guide. Some GL.iNet firmware builds also ship a built-in Tor client alongside Tailscale and ZeroTier, though it is not advertised on every model's spec page, so check your specific unit before relying on it.[3]

Technical Specifications

Current lineup (verified July 2026)

  • Beryl AX (GL-MT3000): Wi-Fi 6 travel router, WireGuard up to 300 Mbps, AdGuard Home
  • Slate AX (GL-AXT1800): Wi-Fi 6 travel router, WireGuard up to 550 Mbps, OpenVPN up to 560 Mbps, OpenWrt 23.05, AdGuard Home
  • Slate 7 (GL-BE3600): Wi-Fi 7 travel router with touchscreen, dual 2.5G ports
  • Flint 2 (GL-MT6000): Wi-Fi 6 home router, WireGuard up to 900 Mbps, six Ethernet ports, AdGuard Home
  • Flint 3 (GL-BE9300): Wi-Fi 7 home router, WireGuard up to 680 Mbps, five 2.5G ports, AdGuard Home

Pricing Structure

Model Type Wi-Fi WireGuard Price (USD)
Beryl AX (GL-MT3000) Travel Wi-Fi 6 ~300 Mbps $98.99
Slate AX (GL-AXT1800) Travel Wi-Fi 6 ~550 Mbps $119.99
Slate 7 (GL-BE3600) Travel Wi-Fi 7 ~490 Mbps $169.99
Flint 2 (GL-MT6000) Home Wi-Fi 6 ~900 Mbps $169.99
Flint 3 (GL-BE9300) Home Wi-Fi 7 ~680 Mbps $209.99

Prices are the official GL.iNet US store listings and move around with frequent sales, so check current pricing before buying.

GL.iNet vs. Alternatives

GL.iNet vs. Firewalla

  • GL.iNet: A router first. WireGuard, OpenVPN, AdGuard Home, and an OpenWrt base you can replace. Best when the job is "tunnel my whole connection" or "safe Wi-Fi in a hotel."
  • Firewalla: A security appliance first. Deep traffic inspection, per-device blocking, and intrusion alerts, usually sitting behind an existing router. Different job, higher price. See our Firewalla review.

GL.iNet vs. Your ISP's Router

The stock box your ISP rented you logs your DNS, often can't run a VPN client at all, and never gets flashed to open firmware. A GL.iNet router at least lets you tunnel everything, block ads at the network level, and walk away from the vendor firmware. For the fuller matchup, read our privacy router comparison and the article on how ISP routers track you.

When to Use GL.iNet

Good Fit

Travel Wi-Fi safety. Drop a Beryl AX or Slate between you and a sketchy hotel or airport network, tunnel it to your VPN provider, and every device rides the encrypted link.

Whole-home VPN. A Flint 2 or Flint 3 replaces the ISP router and puts the entire house behind one WireGuard tunnel, no per-device apps.

Network-level ad blocking without standing up a separate Pi-hole box.

Buyers who will flash vanilla OpenWrt and want capable, well-supported hardware to run it on.

Poor Fit

Threat models that include the Chinese state, unless you flash vanilla OpenWrt and never touch the cloud features.

People who will never open the admin panel. The safeguards are opt-in. If you won't verify GoodCloud is off and won't update firmware, you are trusting the default fork blindly.

Gigabit-plus lines paired with a low-end model, where the router's WireGuard ceiling throttles your connection.

The Bottom Line

Consider GL.iNet if:
  • You want one box that VPNs your whole connection at home or on the road
  • Network-level ad blocking and a real OpenWrt base matter to you
  • You are willing to disable cloud features, keep firmware current, or flash vanilla OpenWrt
Avoid GL.iNet if:
  • Your threat model rules out trusting Chinese-HQ vendor firmware and you won't flash it clean
  • You want a plug-it-in-and-ignore-it device with no configuration
  • You need VPN throughput a small router can't deliver

⚠️ Final Assessment

GL.iNet solves a real problem better than almost anyone: putting an entire network behind a VPN with a config file and a couple of clicks. The moderate rating is about who controls the firmware, not whether the hardware works. Buy it, then do the three things that earn the trust: turn off GoodCloud, keep firmware updated, and if your threat model calls for it, flash vanilla OpenWrt. Do that and it is a strong, honest tool. Skip it and you are handing your whole network to a default fork you never inspected.

Shop GL.iNet →

Resources

  1. RocketReach: GL.iNet company profile (HQ, entity, cloud regions)
  2. GL.iNet Docs: GoodCloud (opt-in status, VPN bypass note)
  3. Tech Shinobi: Flashing vanilla OpenWrt onto a GL.iNet Flint 2
  4. GL.iNet: Beryl AX (GL-MT3000) specs and price
  5. GL.iNet: Slate AX (GL-AXT1800) specs and price
  6. GL.iNet: Flint 2 (GL-MT6000) specs and price
  7. GL.iNet: Flint 3 (GL-BE9300) specs and price