* Get an unlocked Google Pixel phone that supports all radio bands of your telecom.
** Use link:https://www.kimovil.com/en/[Kimovil] to check radio band support. Note that the same phone model from different countries has different bands supported.
** The recommendation is a link:https://swappa.com/buy/used/google-pixel-4a-5g/unlocked[Pixel 4a (5G)] for $100 USD from Swappa instead of eBay, because Swappa has humans review listings and imposes requirements on sellers to prevent scams or false advertising.
* Least amount of speed reduction with no increase in link:https://www.waveform.com/tools/bufferbloat[bufferbloat]; unlike the link:https://github.com/RiFi2k/unlimited-tethering[sshuttle method].
* Difficult for telecoms to prove intentional bypassing of their DPI firewall and tethering detections; unlike the link:https://github.com/krlvm/PowerTunnel-Android[PowerTunnel method].
* Fully bypasses DPI (Deep Packet Inspection), which is used to throttle & tamper with sites such as Netflix or YouTube (to force a low resolution like 480p), and sometimes for censorship.
. link:https://topjohnwu.github.io/Magisk/[Install Magisk], then the link:https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf#installation[MagiskHide Props Config] module.
* The link:https://f-droid.org/en/packages/com.termux/[Termux] terminal emulator (link:https://wiki.termux.com/wiki/Termux_Google_Play[from F-Droid only]), and link:https://f-droid.org/en/packages/com.termux.boot/[Termux:Boot].
* link:https://apkpure.com/network-signal-guru/com.qtrun.QuickTest[Network Signal Guru for band locking], which can help maintain reliable speeds, and/or avoid congested bands for higher speeds.
** Enable "Systemless Hosts" in Magisk's settings, then install link:https://github.com/AdAway/AdAway/releases[AdAway]; use its root method before running Network Signal Guru to block its advertising permanently (while AdAway is installed).
** If there's no output, the kernel has "xt_HL.ko" support.
=== Installing a suitable custom kernel:
* We're looking for:
. Kernels with the BBR or BBRv2 TCP congestion control algorithm to link:https://web.archive.org/web/20220313173158/http://web.archive.org/screenshot/https://docs.google.com/spreadsheets/d/1I1NcVVbuC7aq4nGalYxMNz9pgS9OLKcFHssIBlj9xXI[help maintain speeds over bad network conditions].
| 1. momojuro's link:https://forum.xda-developers.com/search/member?user_id=5670369&content=thread[fsociety tribute] kernel; recommended for the Pixel 4a (5G) and Pixel 5.
| 2. Freak07's link:https://forum.xda-developers.com/search/member?user_id=3428502&content=thread[Kirisakura] kernel; recommended for the Pixel 6.
# Removes these iptables entries if present; only removes once, so if the same entry is present twice (script assumes this never happens), it would need to be removed twice.
** Using their free WireGuard server is recommended.
. https://protonvpn.com/free-vpn/[ProtonVPN Free]
====
.Open-source VPN protocol comparison; what is suitable for your situation.
[%collapsible]
====
* *WireGuard*, the fastest on reliable internet; easily detected by DPI firewalls.
* *IKEv2/IPSec*, sometimes faster than WireGuard on unreliable internet. Depending on the VPN provider, IKEv2 can either be resistant to DPI firewalls (hide.me's implementation), or not at all.
* *SoftEther*, bypasses DPI firewalls easily with good speeds in general, but is more complicated to set up for non-Windows OSes.
* *OpenVPN3*, resistant to DPI firewalls if tls-crypt is used alongside port 443; China, Iran, and Egypt require OpenVPN over SSL which further reduces speeds. This protocol isn't efficient and has bufferbloat issues.
====
.How to find good paid VPN providers.
[%collapsible]
====
.*Good paid VPN providers have or do the following:*
. Show which servers are geolocated/virtual (fake location) servers, or have none.
. An add-on is available (or included) for a dedicated/static/streaming IP, to get around streaming service blocks, and other websites using anti-VPN services such as https://blocked.com.
. P2P/link:http://www.bittorrent.org/introduction.html[BitTorrent protocol] isn't blocked on all servers.
** If all servers have this protocol unblocked, it will narrow down the number of hosting services that the VPN provider can use. +
This means higher ping/latency for some ISPs/telecoms; low latency is important for online gaming and video conferencing, among others.
. SOCKS5 and HTTPS/SSL proxies provided.
** Some VPNs such as TorGuard use this to allow torrenting in countries where it's forbidden; a SOCKS5 proxy can allow torrenting by being located in Canada while you're connected to no VPN server, or a VPN server located in the United States.
. Ability to port forward at least 5 ports while supporting IPv6; this gauges a VPN provider's attention to detail, even if you never need port forwarding.
** link:https://web.archive.org/web/20220731172057/https://teddit.net/r/VPNTorrents/comments/s9f36q/list_of_vpns_that_allow_portforwarding_2022/[List of VPNs that support Port Forwarding].
. If the OpenVPN protocol is supported, its tls-crypt must be supported, and the VPN provider must allow connections to its servers via port 443.
** OpenVPN over SSL or SSH is mandatory for China, Iran, and Egypt.
. Full IPv4 and IPv6 support across all servers.
** On some telecoms, connecting to a VPN server through IPv6 is required.
. Reliable software across multiple operating systems.
** The most problematic: Android TV, iOS/iPadOS, and Linux (especially distros not based on Ubuntu or Fedora).
*** Linux support for most VPNs lacks a graphical interface, and lacks features included in their Windows and/or macOS VPN software.
====
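The OpenVPN criteria from the protocol comparison and the provider checklist above (tls-crypt supported, servers reachable on port 443) can be checked against a provider-supplied `.ovpn` profile before subscribing. This is an added example, not part of the original guide; the function name `audit_ovpn`, the hostnames, and the sample profiles are constructed for illustration.

```python
CONTROL = ("tls-crypt", "tls-crypt-v2", "tls-auth")

def audit_ovpn(profile: str) -> dict:
    remotes, port, proto, wrap, inline = [], "1194", "udp", None, None
    for raw in profile.splitlines():
        line = raw.strip()
        if inline:  # skip key/cert material inside <tag> ... </tag>
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            if inline in CONTROL:
                wrap = inline
            continue
        key, *args = line.split()
        if key == "remote" and args:
            remotes.append(args)
        elif key == "port" and args:
            port = args[0]
        elif key == "proto" and args:
            proto = args[0]
        elif key in CONTROL:
            wrap = key
    # A bare "remote host" inherits the profile-wide port/proto (OpenVPN defaults: 1194/udp).
    endpoints = [(a[0], a[1] if len(a) > 1 else port, a[2] if len(a) > 2 else proto)
                 for a in remotes]
    return {
        "control_channel": wrap,
        "endpoints": endpoints,
        # tls-auth only authenticates the control channel; tls-crypt also encrypts it.
        # Treating tls-crypt-v2 as equivalent is an assumption of this example.
        "meets_guide": wrap in ("tls-crypt", "tls-crypt-v2") and bool(endpoints)
                       and all(p == "443" for _, p, _ in endpoints),
    }

# Constructed sample profiles (hostnames and key material are placeholders).
SAMPLE_WEAK = "client\ndev tun\nproto udp\nremote vpn.example.net 1194\ntls-auth ta.key 1\n"
SAMPLE_OK = """client
proto tcp
port 443
remote vpn.example.net 443
remote vpn2.example.net
<tls-crypt>
(placeholder, not a real key)
</tls-crypt>
"""
print(audit_ovpn(SAMPLE_WEAK), audit_ovpn(SAMPLE_OK), sep="\n")
```

A profile that only carries `tls-auth`, or whose `remote` lines resolve to a port other than 443, is reported with `meets_guide` set to `False`.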
TorGuard is the gold standard for other VPNs to follow as of 23 January 2023.
NOTE: It's still recommended to review other options for yourself; link:https://torguard.net/network/[TorGuard's server locations], for instance, might not be suitable for you.
___
* A lot of VPN review websites and videos are dishonest, since Kape Technologies owns many of the most popular VPN review websites to unfairly promote their products as the "best": +
. link:https://youtube.com/channel/UCXJWKuGh0qedrYviGEJmlWw[Tom Spark's Reviews] on YouTube, or directly at his link:https://www.vpntierlist.com/[VPN Tier List] website.
. link:https://web.archive.org/web/20220929090559/https://thatoneprivacysite.xyz/choosing-the-best-vpn-for-you/[An archive of "That One Privacy Site"], dated 19th December 2019. +
Use it as a second opinion for what justifies a good paid VPN provider.
====
== 5. Confirm the tethering is un-throttled
NOTE: Enable "Data Saver" while USB tethering. This tells Android to restrict data to USB tethering and the app in the foreground only. +
. Use link:https://fast.com[Netflix's Speedtest], then after that's complete use link:https://www.waveform.com/tools/bufferbloat[Waveform's Bufferbloat Test]. +
This will test for throttling of streaming servers (Netflix), various forms of data fingerprinting, and tethering/hotspot detections.
. Connect to a VPN on the tethered-to device, then repeat the above step.
TIP: link:https://apkpure.com/root-ktweak-%E2%80%94-universal-kern/com.draco.ktweak[KTweak] can potentially increase speeds by using its "throughput" profile.
==== If the VPN can't connect:
. First check if IPv4 or IPv6 is being used to reach the VPN server.
** For T-Mobile, connecting through IPv6 may be required.
. If the VPN still can't connect, try each supported protocol in this order:
** WireGuard -> IKEv2/IPSec -> SoftEther -> AnyConnect [TorGuard only] -> OpenVPN (UDP, port 443) -> OpenVPN (TCP, port 443) -> OpenVPN over SSL (TCP, port 443)