Ignore this guide past this section, and try either of these choices...
* Anti-DPI apps such as link:https://github.com/zhenyolka/DPITunnel-android[DPI Tunnel] or link:https://github.com/krlvm/PowerTunnel-Android[PowerTunnel (less recommended)].
** Note that you must install their software on every tethered device, which limits OS support.
** This method makes it very obvious to a telecom that you intentionally bypassed their restrictions and/or throttling.
** This method isn't obvious to telecoms, but can drastically lower speed on low-end CPUs (CPU matters heavily for both the tethering device, and the tethered to devices), and will add additional bufferbloat.
.This guide is for bypassing firewalls utilizing Deep Packet Inspection (DPI), which are used to throttle & tamper with tethering/hotspot data, and enact censorship for some; the three other main goals with this guide are:
* Minor or no (download & upload) speed reduction and no increase in bufferbloat, unlike the SSH or SSL tunneling methods.
* Making it difficult for telecoms to prove intentional bypassing of their tethering detections, and consequently their DPI firewall.
* Must work for as many tethered to devices as possible.
** Currently not met due to a lack of instructions for OS specific TTL & HL spoofing (for those using a non-rooted tethering device), and needs instructions for more router firmwares.
** *WireGuard*, the fastest on reliable internet, but is easily detected by DPI firewalls.
** *IKEv2/IPSec*, sometimes faster than WireGuard on unreliable internet. Depending on the VPN provider, IKEv2 can either be resistant to DPI firewalls, or not at all.
** *SoftEther*, bypasses DPI firewalls easily with good speeds in general, but is more complicated to set up on non-Windows OSes.
** *OpenVPN3*, resistant to DPI firewalls (outside of China, Iran, and Egypt; unless OpenVPN over SSL is used, which impacts speeds greatly and increases bufferbloat further) if tls-crypt is used alongside port 443. This protocol isn't efficient and has bufferbloat issues; OpenVPN3 makes great strides in improving its situation, but is still inferior to other choices here.
** *L2TP/IPSec*, never worth using.
** *PPTP*, if a VPN has this option, they aren't even pretending to care about your security and privacy. Never worth using.
* If the speeds are lower than expected on all protocols, connect to the VPN on a device that hardware accelerates the cryptography used, such as link:https://web.archive.org/web/20220314000051/https://wikiless.org/wiki/AES_instruction_set?lang=en[AES-NI] for x86_64 processors.
. Ability to link:https://airvpn.org/faq/port_forwarding/[select ports to forward]; this is a strong indicator of whether a VPN provider is good, even if you never need port forwarding.
** AirVPN, hide.me (uses UPnP; not selecting specific ports), Mullvad, and TorGuard have the best implementations of port forwarding as of 31 December 2021.
*** link:https://web.archive.org/web/20220313235113/https://teddit.net/r/VPNTorrents/comments/s9f36q/list_of_vpns_that_allow_portforwarding_2022/[List of VPNs that allow Port Forwarding].
. SoftEther protocol support.
. No PPTP protocol support.
. If the OpenVPN protocol is supported, its tls-crypt must be supported, and the VPN provider must allow establishing connections to their servers via port 443.
** OpenVPN over SSL or SSH is mandatory to use OpenVPN for China, Iran, and Egypt.
. Full IPv4 and IPv6 support across all servers.
** On some telecoms, connecting to a VPN server through IPv6 is required.
WARNING: Root comes at the cost of security; do not leave important content (files, logins...) on a rooted device. +
If you plan on using an old phone or tablet as the rooted tethering device, check its bands and LTE category at link:https://cacombos.com[Bands & Combos]; if its LTE category is 6 or lower, don't expect good network speeds from that device for any guide.
*1: link:https://topjohnwu.github.io/Magisk/[Install Magisk], then the link:https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf#installation[MagiskHide Props Config] module.*
*2: Install the following apps; if needed, use the link:https://gitlab.com/AuroraOSS/AuroraStore/-/releases[Aurora Store] app for installing apps located on the Google Play Store.*
** If checking for Termux app updates is desired, use link:https://github.com/Iamlooker/Droid-ify/releases[Droid-ify] instead of the official F-Droid app (which is unreliable and uses outdated Android APIs, lessening the security of their app).
* link:https://play.google.com/store/apps/details?id=com.qtrun.QuickTest[Network Signal Guru for band locking], which can help maintain reliable speeds, and/or avoid congested bands for higher speeds.
** link:https://adguard-dns.com/en/public-dns.html[Configure AdGuard DNS manually] before using Network Signal Guru.
*** link:https://github.com/AdAway/AdAway/releases[AdAway] is the alternative if you're not willing to change DNS servers, or are using a paid VPN (on tethered to devices; outside of the tethering device, since only one VPN can be used at a time on Android) with no option to change the DNS servers used.
For kernel tweakers: link:https://web.archive.org/web/20210423030541/https://forum.xda-developers.com/t/magisk-stock-bypass-tether-restrictions.4262265/[an example of enabling "xt_HL.ko" support through Magisk].
=== List of high-quality kernels with "xt_HL.ko" support that use the BBR or BBRv2 TCP congestion control algorithm to help link:https://web.archive.org/web/20220313173158/http://web.archive.org/screenshot/https://docs.google.com/spreadsheets/d/1I1NcVVbuC7aq4nGalYxMNz9pgS9OLKcFHssIBlj9xXI[maintain speeds over bad network conditions]:
# Removes these iptables entries if present; only removes once, so if the same entry is present twice (script assumes this never happens), it would need to be removed twice.
NOTE: For unlisted router firmwares, if you get TTL & HL spoofing functional, please edit README.adoc to include instructions for that firmware, then make a Pull Request once you're done.
*** Termux:Boot will automatically run set-tether-ttl.sh after startup/boot, though it will break if the interface name changes. I cannot test this, nor do I know whether it happens on Android; if it does, it may be specific to a ROM.
It'll make it easy to determine if this works, as after maxing the cap, some telecoms will use more tactics to ensure you're in line with how they want you to use their service.
* Use link:https://fast.com[Netflix's Speedtest], then after that's complete use link:https://www.waveform.com/tools/bufferbloat[Waveform's Bufferbloat Test]. This will test for throttling of streaming servers (Netflix), various forms of fingerprinting, and tethering/hotspot detections.
* Connect to a VPN, then repeat the above step.
NOTE: If the VPN can't connect, first check if IPv4 or IPv6 is being used to reach the VPN server; on T-Mobile, connecting through IPv6 may be required. +
If the VPN still can't connect, change the protocol used, in this order: +
WireGuard -> IKEv2/IPSec -> SoftEther -> OpenVPN (UDP, port 443) -> OpenVPN (TCP, port 443) -> OpenVPN over SSL (TCP, port 443)