I turned a cheap travel router into the ultimate portable VPN


Last year, I bought a small Cudy TR3000 travel router with the kind of confidence people have before a project quietly disappears into a drawer. The idea was simple enough. I wanted a router I could carry around, plug in anywhere, and reach the devices on its local network from outside. Then I did what many of us do with small useful-looking gadgets. I put it aside, told myself I would set it up soon, and let it sit around for months.

When I finally picked it up again, I first checked the official Cudy firmware, and honestly, it was not bad. It was much better than the usual cheap-router firmware experience. Still, the stock firmware had one problem for me: it did not support Tailscale. ZeroTier was available, but the built-in ZeroTier options were limited. I wanted more control, so I finally had an excuse to do what I had probably bought the router for in the first place: flash OpenWrt on it.

Flashing OpenWrt

The intermediate firmware matters

The first step was not flashing OpenWrt directly. Cudy provides an intermediate firmware for the TR3000. The file I used was:

TR3000 V1.zip

Screenshot From 2026-06-30 10-35-05-mh

This intermediate firmware is important because its main job is to remove the RSA signature checks from the stock firmware. Without that step, the router may refuse normal OpenWrt images. The flashing path was fairly straightforward. I first downloaded Cudy’s OpenWrt intermediate firmware and flashed it through the firmware upgrade option under advanced settings in the stock interface. After the router rebooted into the intermediate firmware, I went to the OpenWrt Firmware Selector, selected the Cudy TR3000 v1, downloaded the correct sysupgrade image, flashed that image, and then booted into a clean OpenWrt installation.

Screenshot From 2026-06-30 10-37-53

The important detail is that the second OpenWrt file should be the sysupgrade image, not the factory image. You also have to match the exact hardware version. In my case, that meant Cudy TR3000 v1. You can use either the official OpenWrt download page or ImmortalWrt, depending on what build you want. I went with the OpenWrt route because I wanted a clean base first, then I could add only the packages I needed.


ASUS Wi-Fi 7 router.


Your router isn’t just for Wi-Fi—here’s everything else it can do

Your Wi-Fi router can do way more than you think

Creating the ZeroTier network

The router needs to join your overlay network

After the flash finished and the router rebooted, I opened the OpenWrt interface and set the root password first. Once OpenWrt was running, I checked that the LAN was working, then installed ZeroTier. ZeroTier is a software-defined networking tool that creates a VPN between your devices over the internet. Instead of manually exposing ports, setting up complex firewall rules, or relying on a public IP address at home, ZeroTier gives each authorized device an address inside a private network and routes traffic through that network.

The Unifi Dream Router 7.

9/10

Brand

Unifi

Range

1,750 square feet

Wi-Fi Bands

2.4/5/6GHz

Ethernet Ports

4 2.5G


The basic package that you need to install on OpenWrt is zerotier.Depending on the build and interface packages available, you may also want LuCI-related packages, but the main thing is getting the ZeroTier service installed and running.

After installing it, I enabled ZeroTier, added my network ID, and started the service. On the ZeroTier website, I created a new network. ZeroTier gives you a network ID, and that ID is what you add to the router.

screenshot of creating a network in zerotier

Once the TR3000 tries to join, it appears on the ZeroTier network management page as a new member. You have to approve it there before it can actually communicate with other clients.

screenshot of network members in zero tier

In my setup, the ZeroTier network was:

10.233.233.0/24

The TR3000 received this ZeroTier IP:

10.233.233.100

The router’s local LAN was:

192.168.233.0/24

That means the remote clients live on the ZeroTier side, while the devices behind the router live on the LAN side. The router’s job is to connect those two worlds.

Adding the routes

This is the part that makes LAN access work


dec 2 - wifi.avif


This $279 Wi-Fi 7 router is the ultimate home network upgrade

You don’t have to break the bank to get an awesome networking setup.

Joining ZeroTier is not enough by itself. Other clients need to know that the TR3000 is the path into the LAN.

On the ZeroTier network management page, I added these routes:

subnet-settings on zerotier

There are three route settings to configure. The first is 10.233.233.0/24, which is the network segment created for the ZeroTier network and is used for communication between ZeroTier clients, so the Via field should be left blank. The second is 192.168.233.0/24, which represents the LAN behind the TR3000.

Since other ZeroTier clients need to reach this local network through the TR3000, the Via field should be set to the TR3000’s ZeroTier IP address, which in this case is 10.233.233.100. The third route is 0.0.0.0/0, which acts as the default route and allows clients to forward all traffic through the specified device. For this route, Via should also be set to 10.233.233.100, allowing other devices to access the wider network through the TR3000.

After the router was approved, I added my phone and laptop to the same ZeroTier network. Each device also has to be approved in the ZeroTier dashboard. Once approved, the phone could reach the TR3000’s ZeroTier IP, and more importantly, it could reach devices inside the 192.168.233.x LAN.

On Android, if you want all internet traffic to go through the TR3000, you also need to enable the “Route all traffic through ZeroTier” option, then update the connection.

screenshot of android joining network

Without that option, Android can still access the LAN route if the route is configured correctly. With that option enabled, it can also use the TR3000 as an internet gateway.


A tiny router that opens a path back into its LAN

Now TR3000 can sit anywhere with internet access. Devices behind it can stay on its normal LAN but my phone or laptop can join the ZeroTier network from outside. Once connected, I can access the router’s LAN as if I had a private path into that network.


An old Medialink router on a table.


Don’t toss your old router: 5 practical ways to reuse it

You’ll regret throwing out that old router!

That means I do not need to install ZeroTier on every device behind the router. The router handles the tunnel, the small boxes, dashboards, NAS devices, or test machines behind it just stay on the LAN. It also avoids opening ports on the upstream router. That alone makes the setup worth it, because I do not want random services exposed to the internet just because I need remote access once in a while.



Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


TL;DR

Meta stripped NameTag facial recognition code from its AI app one day after WIRED exposed it on 50 million phones. Meta says no decision has been made.

Meta removed nearly all traces of an unreleased facial recognition system from its smart glasses companion app on Friday, one day after WIRED reported that the software had been quietly embedded in an app installed on more than 50 million phones. The feature, which Meta internally called NameTag, was designed to convert faces captured by the company’s Ray-Ban smart glasses into unique biometric signatures and compare them against a database stored on the user’s device. WIRED also found that faces the system failed to recognise were cropped, indexed, and stored locally for future processing.

Andy Stone, Meta’s vice president of communications, told WIRED on Monday that the feature is “purely exploratory,” adding that no final decision has been made on what to do with it. That characterisation sits uneasily with the evidence WIRED documented. The version of Meta AI published the day of WIRED’s Thursday report contained several code libraries explicitly named for face recognition, a process for running the NameTag recognition pipeline, and a “Person recognised” alert the app would have shown if someone were identified.

Friday’s release stripped all of it out, along with a folder where the app would have stored the cropped images and biometric signatures of unrecognised faces. Meta did not answer WIRED’s questions about why the code was removed or whether the changes were planned before the story was published. A few fragments remain in the latest version, including an internal debug menu label and a dormant link meant to open a recognised person’s profile, pointing to parts of the system that are no longer there.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

The gap between Meta’s public statements and the code WIRED found is the central tension. Before the Thursday report, Stone dismissed the findings by writing that the company could not answer questions about how the system would work because “the feature does not exist.” Andrew Bosworth, Meta’s chief technology officer, called the reporting “incredibly misleading” and “absolutely dishonest.” Yet the code was functional enough to include three AI models, one to detect faces, another to crop them, and a third to encode them as biometric data, all embedded in the companion app for a product already at the centre of a mounting privacy crisis.

Meta declined to answer ten questions WIRED posed before publishing, including whether it had already created the database of face profiles NameTag uses, how long the app retains photographs and biometric data of unrecognised people, and whether that data would ever be sent back to Meta’s servers. The company also did not respond to questions about whether it was building NameTag for blind or low-vision users, or to criticism from privacy advocates who warned the system could let stalkers and abusers identify strangers in public.

NameTag first surfaced in February, when The New York Times, citing internal Meta documents, reported that the company was developing face recognition for its smart glasses and considering a launch as early as this year. One internal memo reportedly described releasing the feature during a “dynamic political environment” when privacy and civil liberties advocates would be distracted by other concerns. WIRED subsequently found that much of NameTag’s machinery had been built into the Meta AI app as early as January, months before any public acknowledgement, adding another layer to the company’s pattern of shipping first and disclosing later when it comes to its smart glasses.

Kade Crockford, director of the technology for liberty programme at the American Civil Liberties Union of Massachusetts, said the removal does not undo the original decision to ship the code and pointed to it as evidence that consumer privacy needs stronger legal protection than Congress has been willing to provide. The Massachusetts House of Representatives last week unanimously passed a consumer privacy bill that, if enacted as written, would impose strong enforcement provisions including a private right of action allowing aggrieved users to sue. “State lawmakers need to do their job and step up to protect consumer privacy,” Crockford said.

Meta’s sneaky tactics in slipping the face-recognition code into its smart glasses show exactly why data privacy bills need the teeth of strong enforcement,” Crockford added. “Companies like Meta prioritise their bottom line, so lawmakers need to speak in the only language its C-suite understands.” Whether a code removal prompted by investigative reporting constitutes a victory or merely a tactical retreat depends on what Meta does next, and on whether the regulatory pressure building on both sides of the Atlantic produces enforceable consequences before the feature quietly returns under a different name.



Source link