:experimental:
ifdef::env-github[]
:icons:
:tip-caption: :bulb:
:note-caption: :information_source:
:important-caption: :heavy_exclamation_mark:
:caution-caption: :fire:
:warning-caption: :warning:
endif::[]
.Learning resources used
[%collapsible]
====
* Read these in order if interested:
. https://conferences2.sigcomm.org/imc/2014/papers/p173.pdf
. https://www.sandvine.com/hubfs/downloads/archive/technology-showcase-policy-control-for-connected-and-tethered-devices.pdf
. https://geneva.cs.umd.edu/papers/geneva_ccs19.pdf
====
== Introduction
.This guide for Android bypasses Deep Packet Inspection (DPI) and tethering/hotspot detection, with two other main goals:
* No large speed reduction, as is the case with the SSH or SSL tunneling methods.
* Making it difficult for telecoms to prove intentional bypassing of their DPI firewall and tethering detection.
** "Anti-DPI" software that is not a VPN makes it very obvious to a telecom that you intentionally bypassed their restrictions and/or throttling.
.Before proceeding, check the bands the phone or tablet (the tethering device) supports at link:https://cacombos.com[Bands & Combos].
* If its LTE category is 6 or lower, don't expect good network speeds from that device with any guide.
Enabling "Data Saver" while USB tethering is recommended, as it should limit mobile data use to the USB tether and to whichever app is in the foreground. +
Wi-Fi "hotspot" tethering, however, turns "Data Saver" off.
== A paid VPN is likely required
Free VPNs don't offer effective DPI bypassing, most don't have good speeds, and some are malicious. Cloudflare WARP is fast and non-malicious, but only provides WireGuard (easy to block).
* A good paid VPN shouldn't reduce speeds if:
** The protocol used is IKEv2 (fastest on unreliable links), or SoftEther (the best at bypassing DPI firewalls, with good speeds). +
*** NOTE: WireGuard is the fastest on reliable links, but is easily detected by DPI firewalls.
*** If speeds are lower than expected on all protocols, connect to the VPN from a different device, specifically one whose CPU has link:https://en.wikipedia.org/wiki/AES_instruction_set#x86_architecture_processors[AES-NI support].
.*Good paid VPN providers do the following:*
. Transparent communication and easily accessible forums, or a Discord "guild".
. Only bare-metal (dedicated) servers used, with no hard drives (RAM only).
** Bare-metal is faster and more secure than virtual servers ("VPS" / "VDS").
. State all their geolocated (fake) server locations, or have none.
. All server locations allow all traffic except outbound port 25.
** P2P should never be blocked, despite also being abuse-prone.
. Ability to link:https://airvpn.org/faq/port_forwarding/[select ports to forward]; this is a strong indicator of a good provider, even if you never need port forwarding.
** AirVPN, hide.me, Mullvad, and TorGuard have the best implementations of port forwarding as of 31 December 2021.
*** link:https://teddit.net/r/VPNTorrents/comments/oqnnrq/list_of_vpns_that_allow_portforwarding_2021/[List of VPNs that allow Port Forwarding].
. Provide IKEv2 and SoftEther protocols.
== Non-rooted requirements
* The ROM must explicitly stop Android from snitching (its tethering entitlement/provisioning check), for example as in these GrapheneOS commits:
** https://github.com/GrapheneOS/platform_frameworks_base/commit/d4e03e77dd590e3ed89af8b72d5c09f875fc46b0
** https://github.com/GrapheneOS/platform_build/commit/b22db418509758b781699898dc43c1c1d3a94999
Rooted devices can instead force the ROM to stop snitching (section 1 below).
== Rooted requirements
WARNING: This guide can work regardless of root, but a rooted tethering device is recommended for additional control that is useful for increasing and/or maintaining speeds. +
Just ensure the rooted tethering device holds no sensitive information, as root defeats Android's app sandbox and the rest of its security model.
*1: link:https://topjohnwu.github.io/Magisk/[Install Magisk], then the link:https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf#installation[MagiskHide Props Config] module.*
*2: Install the following apps; if needed, use the link:https://gitlab.com/AuroraOSS/AuroraStore/-/releases[Aurora Store] app to install apps from the Google Play Store.*
* The link:https://f-droid.org/en/packages/com.termux/[Termux] terminal emulator (link:https://wiki.termux.com/wiki/Termux_Google_Play[from F-Droid only]).
** If using the official F-Droid app to download and install Termux, try using link:https://github.com/Iamlooker/Droid-ify/releases[Droid-ify] instead as the official app is unreliable.
* link:https://play.google.com/store/apps/details?id=com.draco.ktweak[KTweak for higher network speeds], using its "throughput" profile.
* link:https://adguard-dns.com/en/public-dns.html[Configure AdGuard DNS manually] before using Network Signal Guru.
** link:https://github.com/AdAway/AdAway/releases[AdAway] is the alternative if you're not willing to change DNS servers, or using a paid VPN with no option to change the DNS servers used.
* link:https://play.google.com/store/apps/details?id=com.qtrun.QuickTest[Network Signal Guru for band locking], which can help maintain reliable speeds, and/or avoid congested bands for higher speeds.
*3: The kernel in use must have the "xt_HL.ko" module built in (netfilter's TTL/HL packet-mangling target).*
* Testing for "xt_HL.ko" support:
. Launch Termux.
. `$ su`
. `# iptables -t mangle -A POSTROUTING -o null -j TTL --ttl-inc 1`
. `# ip6tables -t mangle -A POSTROUTING -o null -j HL --hl-inc 1`
** If there's no output, the commands succeeded (the kernel has "xt_HL.ko" support). An error such as `No chain/target/match by that name` means the target is missing.
** Afterwards, delete the two test rules by re-running each command with `-D` in place of `-A`. The interface `null` does not exist, so the rules never match anything, but there is no reason to leave them in the mangle table.
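A probe that does the same check without leaving rules in the mangle table, added here as an example (it is not part of the original guide). It first looks for the target names the kernel registers in `/proc/net/ip_tables_targets` and `/proc/net/ip6_tables_targets`, then falls back to appending and immediately deleting a rule on a nonexistent interface, which also covers the case where xt_HL is a loadable module that has not been loaded yet. The interface name `probe_xt_hl0` is an arbitrary placeholder chosen for this script:

```shell
#!/bin/sh
# Added example, not from the original guide: probe whether the running
# kernel provides the netfilter TTL (IPv4) and HL (IPv6) targets from xt_HL,
# without leaving test rules behind. Run from Termux as root (su).
# Assumes /proc/net/ip_tables_targets, /proc/net/ip6_tables_targets and
# iptables/ip6tables exist, as on typical Android kernels.

# target_listed NAME FILE: succeeds if NAME appears as a whole line in FILE
# (the kernel lists the registered xtables targets there, one per line).
target_listed() {
  [ -r "$2" ] && grep -qx "$1" "$2"
}

# probe_rule TOOL TARGET OPTION: append a rule on an interface name that does
# not exist (so it can never match traffic), then delete it again. A failed
# append means the target is unavailable. This is the fallback for a target
# compiled as a module that the list above does not show until it is loaded.
probe_rule() {
  "$1" -t mangle -A POSTROUTING -o probe_xt_hl0 -j "$2" "$3" 1 2>/dev/null || return 1
  "$1" -t mangle -D POSTROUTING -o probe_xt_hl0 -j "$2" "$3" 1 2>/dev/null
}

# One check per address family: registered list first, live probe second.
has_ttl_target() {
  target_listed TTL /proc/net/ip_tables_targets || probe_rule iptables TTL --ttl-inc
}
has_hl_target() {
  target_listed HL /proc/net/ip6_tables_targets || probe_rule ip6tables HL --hl-inc
}

if [ "$(id -u)" -eq 0 ]; then
  has_ttl_target && echo "IPv4 TTL target: available" || echo "IPv4 TTL target: MISSING"
  has_hl_target && echo "IPv6 HL target: available" || echo "IPv6 HL target: MISSING"
else
  echo "not root; run 'su' first to probe the kernel" >&2
fi
```

Save it in Termux and run `su -c "sh probe-xt-hl.sh"`; both lines must say `available` before continuing with the rest of the guide.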
TIP: If your preferred custom kernel doesn't have "xt_HL.ko", inform them of this repository. +
For kernel tweakers: link:https://web.archive.org/web/20210423030541/https://forum.xda-developers.com/t/magisk-stock-bypass-tether-restrictions.4262265/[an example of enabling "xt_HL.ko" support through Magisk].
=== List of high-quality kernels with "xt_HL.ko" support, that also use the BBR TCP congestion control algorithm (which helps link:https://docs.google.com/spreadsheets/d/1I1NcVVbuC7aq4nGalYxMNz9pgS9OLKcFHssIBlj9xXI[maintain speeds over bad network conditions]):
* kdrag0n's link:https://forum.xda-developers.com/search/member?user_id=7291478&content=thread[Proton Kernel].
* Freak07's link:https://forum.xda-developers.com/search/member?user_id=3428502&content=thread[Kirisakura] kernel.
NOTE: Search terms to use on link:https://forum.xda-developers.com/search/[XDA Forums] to find other kernels with "xt_HL.ko" support: +
`TTL spoofing`, `TTL target`, `IPtables TTL`, `TTL/HL target`, `TTL module`.
== 1. Configure props (skip to 2 if non-rooted)
. Launch Termux.
. `$ su`
. `# settings delete system tether_entitlement_check_state; settings delete global tether_dun_required`
. `# props`
** "Select an option below." -> "Add/edit custom props" kbd:[5 ↵]
** Select "New custom prop" with kbd:[n ↵]
*** `net.tethering.noprovisioning` kbd:[↵] -> kbd:[true ↵] -> kbd:[y ↵]
**** "Do you want to reboot now?" kbd:[n ↵]
** Select "New custom prop" with kbd:[n ↵]
*** `tether_entitlement_check_state` kbd:[↵]
**** "Are you sure you want to proceed?" kbd:[y ↵] -> kbd:[0 ↵] -> kbd:[y ↵]
**** "Do you want to reboot now?" kbd:[n ↵]
** Select "New custom prop" with kbd:[n ↵]
*** `tether_dun_required` kbd:[↵] -> kbd:[0 ↵] -> kbd:[y ↵]
**** "Do you want to reboot now?" -> kbd:[y ↵]
== 2. Spoof TTL & HL
NOTE: For dual (or more) router setups, each router has to apply TTL/HL spoofing of their own.
=== Router methods
.Asuswrt-Merlin
[%collapsible]
====
. `Advanced Settings - WAN` -> disable `Extend the TTL value` and `Spoof LAN TTL value`.
. `Advanced Settings - Administration`
** `Enable JFFS custom scripts and configs` -> "Yes"
** `Enable SSH` -> "LAN only"
. Replace the LAN IP and login name if needed: `$ ssh 192.168.50.1 -l asus`
** Use other SSH clients if preferred, such as MobaXterm or Termius.
. `# nano /jffs/scripts/wan-event`
[source, shell]
----
#!/bin/sh
# wan-event
# Martineau wrote this script
# See https://www.snbforums.com/threads/wan-start-script-also-run-on-wan-stop.61295/#post-542636
#
# v384.15 Introduced wan-event script, (wan-start will be deprecated in a future release.)
#
# wan-event {0 | 1} {stopping | stopped | disconnected | init | connecting | connected}
#
# shellcheck disable=SC2068
Say() {
printf '%s%s' "$$" "$@" | logger -st "($(basename "$0"))"
}
#========================================================================================================================================
WAN_IF=$1
WAN_STATE=$2
# Call appropriate script based on script_type
SERVICE_SCRIPT_NAME="wan${WAN_IF}-${WAN_STATE}"
SERVICE_SCRIPT_LOG="/tmp/WAN${WAN_IF}_state"
# Execute and log script state
if [ -f "/jffs/scripts/${SERVICE_SCRIPT_NAME}" ]; then
Say " Script executing.. for wan-event: $SERVICE_SCRIPT_NAME"
echo "$SERVICE_SCRIPT_NAME" >"$SERVICE_SCRIPT_LOG"
sh /jffs/scripts/"${SERVICE_SCRIPT_NAME}" "$@"
else
Say " Script not defined for wan-event: $SERVICE_SCRIPT_NAME"
fi
##@Insert##
----
`# nano /jffs/scripts/wan0-connected`
[source, shell]
----
#!/bin/sh
# HACK: Not sure what to check for exactly; do it too early and the TTL & HL don't get set.
sleep 5s
modprobe xt_HL
# usb+ is the WAN side (the tethered phone). The increment is 2 because each forwarding hop,
# first this router and then the phone, decrements the TTL/hop limit by one.
# If present, remove the previous four entries once each, so re-runs don't stack duplicates.
iptables -t mangle -D PREROUTING -i usb+ -j TTL --ttl-inc 2 2>/dev/null
iptables -t mangle -D POSTROUTING -o usb+ -j TTL --ttl-inc 2 2>/dev/null
ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2 2>/dev/null
ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2 2>/dev/null
# ICMPv6 is excluded so Neighbor Discovery, which relies on a hop limit of exactly 255, is left alone.
iptables -t mangle -I PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -I POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2
----
Have to set permissions correctly to avoid this: `custom_script: Found wan-event, but script is not set executable!` +
`# chmod a+rx /jffs/scripts/*` +
`# reboot`
====
.GoldenOrb & OpenWrt via LuCI
[%collapsible]
====
. GoldenOrb specific: `Network` -> `Firewall` -> `Custom TTL Settings`
** Ensure its option is disabled, so it doesn't fight the rules below.
. `Network` -> `Firewall` -> `Custom Rules`
** These are iptables rules, so they need an OpenWrt release with firewall3 (21.02 or earlier). OpenWrt 22.03 and later ship firewall4 (nftables), which does not run `/etc/firewall.user`, so an nftables equivalent is needed there.
[source, shell]
----
# usb+ is the WAN side (the tethered phone); increment 2 covers the router hop and the phone hop.
# If present, remove the previous four entries once each, so re-applying doesn't stack duplicates.
iptables -t mangle -D PREROUTING -i usb+ -j TTL --ttl-inc 2 2>/dev/null
iptables -t mangle -D POSTROUTING -o usb+ -j TTL --ttl-inc 2 2>/dev/null
ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2 2>/dev/null
ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2 2>/dev/null
# ICMPv6 is excluded so Neighbor Discovery (hop limit must stay exactly 255) is left alone.
iptables -t mangle -I PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -I POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2
----
====
.If a router method is used:
* Compare the TTL and HL seen by the tethering (Android) device with those seen by any device connected to that router; both should show the same TTL and HL. If not, change the increment (`ttl-inc`, `hl-inc`).
** IPv4/TTL: `$ ping -4 bing.com`
*** For Android & macOS: `$ ping bing.com`
** IPv6/HL: `$ ping -6 bing.com`
*** For Android & macOS: `$ ping6 bing.com`
NOTE: For unlisted firmware, if you get TTL & HL spoofing working, please edit README.adoc to include instructions for that firmware, then open a Pull Request. +
As proof, provide a screenshot for each step of the new instructions.
=== Rooted tether device
* Show the network interfaces currently in use; this is helpful for troubleshooting, in particular to confirm the cellular interface matches the `v4-rmnet_data+` pattern used in the script below.
** `$ ip link` (or `$ netstat -i`, where your netstat supports it)
* link:https://f-droid.org/en/packages/com.termux.boot/[Install Termux:Boot].
** Open Termux:Boot at least once, this allows it to run at boot while installed.
* Make the script:
. `$ mkdir -p ~/.termux/boot`
. `$ cd ~/.termux/boot`
. `$ nano set-tether-ttl.sh`
[source, shell]
----
#!/data/data/com.termux/files/usr/bin/sh
# Termux:Boot runs this from ~/.termux/boot; use Termux's own sh, as /bin/sh may not exist on Android.
# v4-rmnet_data+ matches the cellular data interface on this device; confirm yours with `ip link`.
# Delete any previous copies first (errors are expected on first boot) so re-runs never stack
# duplicate rules. ICMPv6 is excluded so Neighbor Discovery (hop limit exactly 255) is left alone.
su -c "iptables -t mangle -D PREROUTING -i v4-rmnet_data+ -j TTL --ttl-inc 1 2>/dev/null
iptables -t mangle -D POSTROUTING -o v4-rmnet_data+ -j TTL --ttl-inc 1 2>/dev/null
ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i v4-rmnet_data+ -j HL --hl-inc 1 2>/dev/null
ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o v4-rmnet_data+ -j HL --hl-inc 1 2>/dev/null
iptables -t mangle -I PREROUTING -i v4-rmnet_data+ -j TTL --ttl-inc 1 && \
iptables -t mangle -I POSTROUTING -o v4-rmnet_data+ -j TTL --ttl-inc 1 && \
ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i v4-rmnet_data+ -j HL --hl-inc 1 && \
ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o v4-rmnet_data+ -j HL --hl-inc 1"
----
* Launch the script:
** `$ chmod +x set-tether-ttl.sh && sh set-tether-ttl.sh`
*** Termux:Boot will automatically run set-tether-ttl.sh after startup/boot, though it will break if the interface name changes; I cannot test whether that happens on Android, and if it does, it may be specific to a ROM.
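The two router scripts and the Termux:Boot script above install the same four rules and differ only in interface pattern and increment. The following script is an added example (it is not part of this guide, nor of Asuswrt-Merlin, OpenWrt or Termux) that generates those rules from the two parameters, removes stale copies before inserting so it can be re-run safely, and counts the installed rules in `iptables -t mangle -S` output for verification. `RULE_RUNNER` is a variable of this script only: set it to `echo` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original guide or either firmware project:
# one idempotent script for the TTL/HL rewrite rules, parameterised by
# interface pattern and increment, so the same file serves a router
# ("usb+", increment 2) and a rooted phone ("v4-rmnet_data+", increment 1).
# Assumes iptables/ip6tables with the xt_HL (TTL/HL) target and root.

# ttl_rules ACTION IFACE INC: print the four rule commands, one per line.
# ACTION is -I to insert or -D to delete, so the same text both installs and
# removes the rules. ICMPv6 is excluded because Neighbor Discovery relies on
# a hop limit of exactly 255.
ttl_rules() {
  action=$1 iface=$2 inc=$3
  printf '%s\n' \
    "iptables -t mangle $action PREROUTING -i $iface -j TTL --ttl-inc $inc" \
    "iptables -t mangle $action POSTROUTING -o $iface -j TTL --ttl-inc $inc" \
    "ip6tables -t mangle $action PREROUTING ! -p icmpv6 -i $iface -j HL --hl-inc $inc" \
    "ip6tables -t mangle $action POSTROUTING ! -p icmpv6 -o $iface -j HL --hl-inc $inc"
}

# run_rules ACTION IFACE INC: execute each rule line; returns the number of
# failures. RULE_RUNNER (hypothetical, this script's own) is prefixed to each
# command so "RULE_RUNNER=echo" gives a dry run.
run_rules() {
  failed=0
  old_ifs=$IFS
  IFS='
'
  for cmd in $(ttl_rules "$@"); do
    eval "${RULE_RUNNER:-} $cmd" 2>/dev/null || failed=$((failed + 1))
  done
  IFS=$old_ifs
  return "$failed"
}

# apply_rules IFACE INC: delete stale copies (failures are expected on a first
# run), then insert fresh ones. Succeeds only if all four inserts succeeded.
apply_rules() {
  run_rules -D "$1" "$2" || :
  run_rules -I "$1" "$2"
}

# count_rewrite_rules IFACE: read `iptables -t mangle -S` / `ip6tables -t mangle -S`
# output on stdin and print how many TTL/HL rules reference IFACE. Two per
# family is the expected answer after apply_rules.
count_rewrite_rules() {
  awk -v ifc="$1" '($0 ~ /-j (TTL|HL) /) && index($0, " " ifc " ") { n++ } END { print n + 0 }'
}

# Usage: tether-ttl.sh IFACE INC   e.g. "usb+ 2" on a router, "v4-rmnet_data+ 1" on the phone.
if [ $# -eq 2 ]; then
  if apply_rules "$1" "$2"; then
    echo "TTL/HL rewrite rules installed for $1 (increment $2)"
    echo "IPv4 rules now present: $(iptables -t mangle -S | count_rewrite_rules "$1")"
    echo "IPv6 rules now present: $(ip6tables -t mangle -S | count_rewrite_rules "$1")"
  else
    echo "some rules failed to install; does the kernel have the xt_HL target?" >&2
    exit 1
  fi
fi
```

On the phone, run it as `su -c "sh tether-ttl.sh v4-rmnet_data+ 1"`; on a router, `sh tether-ttl.sh usb+ 2` from the firmware's own startup hook. Keeping the rule text in one function is what makes the delete-then-insert pair reliable: a stale rule can only be removed if its text matches exactly, which hand-edited copies tend to break.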
== 3. Check TTL & HL
* Do this on both the tethering device (Android) and a device being tethered to; read the `ttl=` field of the reply lines (macOS `ping6` shows it as `hlim=`).
** If the TTL and/or HL isn't exactly the same as on the tethering device, modify `ttl-inc` and `hl-inc` to match.
*** inc = increment, dec = decrement; `ttl-inc 2` adds 2 to the TTL, `ttl-dec 1` subtracts 1 from it.
* IPv4/TTL: `$ ping -4 bing.com`
** For Android & macOS: `$ ping bing.com`
* IPv6/HL: `$ ping -6 bing.com`
** For Android & macOS: `$ ping6 bing.com`
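To automate this comparison, here is an added example (not from the guide): a script that pulls the TTL or hop limit out of ping output from Android/Linux, Windows and macOS, compares the tethering device's value with a client's, and prints the `--ttl-inc`/`--hl-inc` value to switch to. The ping reply lines in it are constructed samples using documentation addresses, not captured output.

```shell
#!/bin/sh
# Added example, not part of the original guide: compare the TTL / hop limit
# seen in ping replies on the tethering device and on a tethered client, and
# work out the corrected --ttl-inc / --hl-inc value.

# ping_hops: read ping output on stdin and print the TTL or hop limit of the
# first reply. Linux/Android print "ttl=", Windows "TTL=", macOS ping6 "hlim=".
ping_hops() {
  sed -n -e 's/.*[tT][tT][lL]=\([0-9][0-9]*\).*/\1/p' \
         -e 's/.*hlim=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# next_increment CURRENT_INC TETHER_HOPS CLIENT_HOPS: the increment that makes
# the client's value match the tethering device's (raised when the client is
# lower, lowered when it is higher). A negative result means the rule would
# need --ttl-dec / --hl-dec instead.
next_increment() {
  echo $(( $1 + $2 - $3 ))
}

# compare_hops TETHER_OUT CLIENT_OUT CURRENT_INC: prints "match" or the
# increment to switch to. Returns 0 on a match, 1 on a mismatch, 2 if the
# output could not be parsed.
compare_hops() {
  tether=$(printf '%s\n' "$1" | ping_hops)
  client=$(printf '%s\n' "$2" | ping_hops)
  if [ -z "$tether" ] || [ -z "$client" ]; then
    echo "could not parse a TTL/hop limit from the ping output" >&2
    return 2
  fi
  if [ "$tether" -eq "$client" ]; then
    echo "match ($tether)"
    return 0
  fi
  echo "mismatch: tethering device $tether, client $client; use increment $(next_increment "$3" "$tether" "$client")"
  return 1
}

# Constructed sample reply lines (documentation addresses): the phone's ping,
# a Windows client one hop lower, and a macOS ping6 that already matches.
PHONE_PING='64 bytes from 203.0.113.10: icmp_seq=1 ttl=57 time=41.2 ms'
CLIENT_PING='Reply from 203.0.113.10: bytes=32 time=45ms TTL=56'
MAC_PING6='16 bytes from 2001:db8::10, icmp_seq=0 hlim=57 time=44.8 ms'

compare_hops "$PHONE_PING" "$CLIENT_PING" 2 || :
compare_hops "$PHONE_PING" "$MAC_PING6" 2 || :
```

For a live check, capture one reply line on each device (for example `ping -c 1 bing.com | grep ttl=`) and pass the two strings plus the increment currently configured to `compare_hops`.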
== 4. Confirm the tether is unthrottled
NOTE: If your telecom doesn't charge extra for going over the hotspot/tethering data limit, max out its cap before proceeding. +
This makes the result easy to judge: once the cap is hit, some telecoms apply more tactics to make sure you use the service the way they want you to.
* Use link:https://fast.com[Netflix's speed test]. This tests for throttling of streaming (Netflix) servers, various forms of fingerprinting, and tethering/hotspot detection.
TIP: If this guide worked, star this repository!