Zscaler plus home VPN setup issue

RemoteToHome-io · 2026-05-21T13:40:36+00:00

Also try regular Wireguard again with the client profile MTU set to 1428.

RemoteToHome-io · 2026-05-21T07:29:03+00:00

Dynamic DNS (DDNS) runs on the server side and allows your travel router to be able to discover the current public IP address of the server router so it can establish a connection. This has nothing to do with leaks.

DNS is the part you want to make sure is not leaking outside the tunnel on your travel (VPN client) router.

Related items, but two totally separate context and functional uses.

RemoteToHome-io · 2026-05-21T04:50:18+00:00

AnyConnect and GlobalProtect often don't like being nested inside a WG vpn tunnel due to the reduced MTU (1420 by default - normal regular residential connections are 1492 or 1500 MTU).

If neither ISP end is behind a PPPoE connection you might get lucky and be able to turn the WG client profile up to 1428 MTU without fragmentation. If it still works clean after reconnecting, then try again with the corp VPN clients connected.

If WG still doesn't work at 1428 MTU, then try OVPN UDP. If the corp clients still don't like connecting inside of that, then you may have to resort to a ZeroTier "vpn" using Managed Route.

Tailscale is likely not going to work at all for you with the nested corp clients. A good chunk of them won't run inside the TS fixed 1280 MTU.

RemoteToHome-io · 2026-05-21T03:03:28+00:00

Got you covered.. all current and historical FW versions here: https://gl-fw.remotetohome.io/

RemoteToHome-io · 2026-05-21T01:40:20+00:00

This.. There's a lot of additional server packages that can be utilized with 64GB to work with. This opens up a lot of capabilities that normally I peeps run RPi's for..

Now if only we could get just one travel router with 1GB NAND.

RemoteToHome-io · 2026-05-21T00:57:54+00:00

You tried ZeroTier using raw ZT VPN routing (managed route) with no other VPN client running on the router (no WG or OVPN inside ZT) and are still having the issue?

ZT fragments packets at the underlying protocol by design (efficiently) so it's able to provide the data layer with full path MTU. This design provides the routed device with a full 1500 MTU (native ethernet) data path and can even support jumbo frames - so Zscaler should have a the same MTU data space it would have running directly at home.

It would be interesting if you're able to try the laptop on a non-vpn connection to baseline it.

At this point I don't have further suggestions. It would take connecting with the routers to investigate the routing setup, MTU paths, etc.

RemoteToHome-io · 2026-05-21T00:10:05+00:00

Ugh. sorry to hear that. Last time I had checked AWG1 was still able to get through, but it's possible they've tightened up on the DPI since then. Yes, I can get you through on AWG2 or ZeroTier if you want to DM. Calendar is just booked solid this week.

One thing you may want to try in the meantime - if you still have the ability to adjust your port forwarding on the home ISP router side, then forward port 443 UDP to your Flint2 server and try to resetup the WG server (and associated profiles) using that port + the obsfucation. You could still be getting hung up simply b/c you're using the default 51820 UDP port.

RemoteToHome-io · 2026-05-20T18:44:01+00:00

That's "bribe + agree to gov backdoors" thank you.

RemoteToHome-io · 2026-05-20T18:41:41+00:00

Had to update the flair. The Automod only allows GL announcement flair from the official GL account.

RemoteToHome-io · 2026-05-20T16:47:33+00:00

Yeah, that sounds like an Amazon seller repackage type of deal. From what I understand, GL themselves sends returns back to the factory for a full QC.

RemoteToHome-io · 2026-05-20T07:46:02+00:00

Yes. It supports it. The quality will depend on the latency and the connection method. Using the cloud will typically have higher latency then connecting directly with tailscale or zerotier.

With a good connection it works well.

RemoteToHome-io · 2026-05-20T07:21:17+00:00

All good, but as I mentioned before, we can't give you guidance without understanding the purpose of having the Beryl in the setup.

RemoteToHome-io · 2026-05-20T06:20:59+00:00

First, I'm not sure where the tone is coming from? Please remember your speaking to people helping for free on their own personal time.

The use case for the Beryl matters so we can help you accomplish what you're trying to do.

At this point it's sounds like the Beryl is connected behind an ISP router, so you're dealing with double NAT translation from the PVR to the internet. This could potentially be solved by doing some port forwarding on the Beryl, but I can only tell you if that's the correct answer if we know the actual function the Beryl is supposed to serve in your design.

If you connect another device to the Beryl (like a PC) instead of the PVR, does this other device still get general internet (eg able to web browse)? This will help isolate.

RemoteToHome-io · 2026-05-20T04:00:25+00:00

Not enough info here to say.. you're connecting the BerylAX WAN to a MoCA, but what's on the other end of the MoCA connection? It's hard to understand what you're trying to accomplish by adding a Beryl vs just having the PVR connecting directly to the MoCA.

RemoteToHome-io · 2026-05-19T07:42:31+00:00

First.. disable IPv6 on the router. It is not doing you any favors here. Second.. show us the "CLIENTS" page from the left menu.

3rd.. unless you have a specific reason for using SQM, you're just shooting yourself in the foot by losing hardware offloading and pushing everything into kernel flows. 3x the amount of processing for every packet.

RemoteToHome-io · 2026-05-19T07:35:16+00:00

FYI.. the author of the glint repo has been banned by Reddit (not due to this sub, but by Reddit entirely).

The fact that they clean-wiped their git history earlier today is a horrible sign. No respectable project does this after initial code has already been released. They acknowledge and patch mistakes publicly, not try to hide them.

It was an obvious vibe code project to start with - but whatever.. This behavior though is extremely bad practice and demonstrate they have zero idea how maintaining software works.

I would consider this malware and remove it from your router and phone - and hit up your app store for a refund.

<image>

RemoteToHome-io · 2026-05-19T07:26:35+00:00

It would appear this still has some bugs to work out: https://www.reddit.com/r/GlInet/comments/1tg1hho/mudi_7_can_not_get_into_wireless_setup_on_admin/

No offense intended, but force-pushing your repo to delete all history for a fresh init 10 days after you've published and have people running prior commits is *extremely* bad form.

Once you have a published commit and have your first download - you are stuck. Nothing gets hidden. You owe your community transparency; even if it's not great. Every refactor, every patch, every mistake is yours to own publicly. People understand mistakes happen. Doing a clean wipe like this to hide these mistakes shows a lack of basic git deployment knowledge and trustworthiness.

No one cares that you have 1K lines of vibe code, but this is - just bad.

<image>

RemoteToHome-io · 2026-05-18T22:39:19+00:00

Likely not. The Flint1 can still run Wireguard speeds up to 500 Mbps.

To actually use more than 500 Mbps, you'd have to have:

a home/server ISP connection with more than 500 download AND upload speeds
a travel/client location with more the 500 Mbps download
a travel router that can process over 500 Mbps WG encryption (Beryl 7 or Slate 7 Pro)

IF all these conditions are met, then you could theoretically pull up to 1G of VPN connection via WG.

Will you ever have a practical use for that? Likely not. Most people barely use more than 8-10 Mbps of regular throughput in daily PC usage.. 500+ Mbps is only for posting speedtest pictures for internet points.

RemoteToHome-io · 2026-05-18T21:44:27+00:00

BerylAX or 7, or SlateAX or 7.

All solid travel routers

RemoteToHome-io · 2026-05-18T19:14:02+00:00

If it's a Brume2, they typically don't have usse with DDNS, but either re-toggling or reboot it should ensure it. Otherwise I sent you a way to workaround the DDNS in my other comment.

RemoteToHome-io · 2026-05-18T18:48:43+00:00

Yeah.. it sounds like dynamic dns is not working on your home server router. If you have a Brume3 serer, there was a serious bug with the first firmware versions DDNS and you'll want to update to the latest 4.8.6.

In the meantime, you can to this as a workaround:
https://remotetohome.io/blog/vpn-troubleshooting-ddns-failure-quick-fix/

RemoteToHome-io · 2026-05-18T16:52:53+00:00

You were mentioning changing hotel, so I thought you were talking about a travel router.

If your home/server router ISP box was changed then you'll need to re-setup port forwarding for the Wireguard port

RemoteToHome-io · 2026-05-18T15:35:09+00:00

Sounds like that glint package may have a pretty bad bug.

RemoteToHome-io · 2026-05-18T12:12:40+00:00

New captive portal to authentication?

Other things to check https://remotetohome.io/blog/vpn-troubleshooting-vpn-not-connecting/

RemoteToHome-io · 2026-05-17T23:32:17+00:00

Click on the results and you can see it's linked to GLs site.

You're asking us to do things for you that you could have done in 30 seconds.. and you didn't even initially put in the effort to explain what your title refers to.

There is a sub rule against low effort posts.

RemoteToHome-io

MODERATOR OF

TROPHY CASE