From 8dd70a143fea686b0bfaaa7c72552c7cf42af9bd Mon Sep 17 00:00:00 2001 From: nermur <29991266+nermur@users.noreply.github.com> Date: Fri, 31 Dec 2021 14:25:13 -0800 Subject: [PATCH] Make guide concise and less user-error prone --- README.adoc | 208 ++++++++++++++++++++++++++-------------------------- 1 file changed, 103 insertions(+), 105 deletions(-) diff --git a/README.adoc b/README.adoc index a0f55c1..8ca00ce 100644 --- a/README.adoc +++ b/README.adoc @@ -8,110 +8,114 @@ ifdef::env-github[] :warning-caption: :warning: endif::[] -WARNING: **Rooting is a very bad idea, as it will entirely break the security model of Android.** + -If you're considering using an unused phone to tether from (which is rooted, and contents were already wiped), check the bands it supports on link:https://www.kimovil.com/[Kimovil]. +== Introduction -== Requirements -* Magisk, and by that accord *root*; link:https://github.com/Iazos/Ez_Magisk[installing Magisk (via recovery)] +This guide showcases the fastest and most reliable way of tethering on Android (both non-root and root), but is incompatible with many ROMs and kernels. + +There are sections made within reason to make this guide compatible with more devices, with those being clearly defined as worse choices. -* link:https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf#installation[MagiskHide Props Config] module installed -* The link:https://f-droid.org/en/packages/com.termux/[Termux] terminal emulator (link:https://wiki.termux.com/wiki/Termux_Google_Play[from F-Droid only]) +WARNING: A rooted tethering device (Android phone likely) is faster and far more reliable than non-rooted devices with mobile data after finishing this guide. + +Just ensure the rooted tethering device has no sensitive information, as root entirely breaks Android's security measures. -* Installing Busybox Magisk module -. Magisk -> Modules (puzzle piece icon) -. Search for 'busybox' to find "Busybox for Android NDK", then install it +. Check the bands the phone or tablet supports before proceeding, at: link:https://www.kimovil.com/[Kimovil] + +If it doesn't support all of your telecom's bands, don't expect good results (for any guide). +. Enabling "Data Saver" while tethering is recommended. Which should restrict data usage to tethering, and what app is at the forefront only. + +** Don't use Google Play Services or microG if possible, as they may ignore "Data Saver" completely. +*** Those two apps can also slow the device down while also draining the device's battery heavily; this is more severe on older Android versions, and some ROMs deviating heavily from Google's AOSP. -.**Recommended (for root)** -[%collapsible] -==== -* Google Play Store, alternatively through link:https://gitlab.com/AuroraOSS/AuroraStore/-/releases[Aurora Store] -** link:https://play.google.com/store/apps/details?id=com.draco.ktweak[KTweak for higher network speeds], using its 'throughput' profile +== Rooted requirements +*1: link:https://topjohnwu.github.io/Magisk/[Install Magisk], then...* + +** The link:https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf#installation[MagiskHide Props Config] module. + +** The link:https://f-droid.org/en/packages/com.termux/[Termux] terminal emulator (link:https://wiki.termux.com/wiki/Termux_Google_Play[from F-Droid only]). +*** If you are using an F-Droid app to download and install Termux, don't use the official F-Droid app, use link:https://github.com/Iamlooker/Droid-ify/releases[Droid-ify] instead. + +** The Busybox Magisk module: +. Magisk -> `Modules` (puzzle piece icon) +. Search for 'busybox' to find "Busybox for Android NDK", then install it. + + +*2: Install the following apps; if needed, use the link:https://gitlab.com/AuroraOSS/AuroraStore/-/releases[Aurora Store] app for installing apps on the Google Play Store.* + +* link:https://play.google.com/store/apps/details?id=com.draco.ktweak[KTweak for higher network speeds], using its "throughput" profile. + +* link:https://adaway.org/[AdAway to block Network Signal Guru's ads]. + +Magisk's "Systemless Hosts" feature has to be enabled for AdAway to work. + +** link:https://play.google.com/store/apps/details?id=com.qtrun.QuickTest[Network Signal Guru for band locking], which is required to maintain reliable speeds. + -* Kernel with the "xt_HL.ko" module (netfilter's TTL packet mangling) enabled -** Known kernels with support (and seem high-quality): -*** Freak07's link:https://forum.xda-developers.com/t/kernel-23-07-2021-android-11-kirisakura-1-1-8-for-asus-zenfone-8-aka-sake.4295287/[Kirisakura] for ASUS ZenFone 8 -*** kdrag0n's link:https://forum.xda-developers.com/t/kernel-pixel-5-proton-kernel.4194683/[Proton Kernel] for Google Pixel 4a 5G/Pixel 5 -*** kristofpetho's link:https://forum.xda-developers.com/t/kernel-oos-omega-kernel-oos11-august-7-2021.4271027/[Omega Kernel] for OnePlus 9 Pro +*3: The kernel in use has the "xt_HL.ko" module built-in (netfilter's TTL packet mangling).* + +* High-quality kernels with "xt_HL.ko" support, that also use the BBR TCP congestion control algorithm (which link:https://docs.google.com/spreadsheets/d/1I1NcVVbuC7aq4nGalYxMNz9pgS9OLKcFHssIBlj9xXI/edit#gid=1926845420[greatly increases reliability]): +** kdrag0n's link:https://forum.xda-developers.com/search/member?user_id=7291478&content=thread[Proton Kernel]. +** Freak07's link:https://forum.xda-developers.com/search/member?user_id=3428502&content=thread[Kirisakura] kernel. NOTE: Search terms to use on link:https://forum.xda-developers.com/search/[XDA Forums] to find other kernels with "xt_HL.ko" support: + -TTL spoofing + -TTL target + -IPtables TTL + -TTL/HL target + -TTL module + - -NOTE: Testing "xt_HL.ko" support: + -1. Launch Termux + -2. `$ su` + -4. `# iptables -t mangle -A POSTROUTING -o wlan+ -j TTL --ttl-set 64` + -5. `# ip6tables -t mangle -A POSTROUTING -o wlan+ -j HL --hl-set 64` + -If there's no output, the commands succeeded (kernel has "xt_HL.ko" support) - -TIP: If your preferred custom kernel does not support `--ttl-set` and `--hl-set`, inform them of this repository + - For kernel tweakers: link:https://web.archive.org/web/20210423030541/https://forum.xda-developers.com/t/magisk-stock-bypass-tether-restrictions.4262265/[an aid with enabling "xt_HL.ko" support through Magisk] +`TTL spoofing`, `TTL target`, `IPtables TTL`, `TTL/HL target`, `TTL module`. -==== +* Testing "xt_HL.ko" support: + +. Launch Termux. + +. `$ su` + +. `# iptables -t mangle -A POSTROUTING -o wlan+ -j TTL --ttl-set 64` + +. `# ip6tables -t mangle -A POSTROUTING -o wlan+ -j HL --hl-set 64` + +** If there's no output, the commands succeeded (kernel has "xt_HL.ko" support). + +TIP: If your preferred custom kernel does not support `--ttl-set` and `--hl-set`, inform them of this repository. + + For kernel tweakers: link:https://web.archive.org/web/20210423030541/https://forum.xda-developers.com/t/magisk-stock-bypass-tether-restrictions.4262265/[an example of enabling "xt_HL.ko" support through Magisk]. -=== Don't meet the root requirement? +== For non-rooted -* This is the preferred way, if... -** The ROM used explicitly stops Android from snitching: +* *Using a ROM that explicitly stops Android from snitching is required:* *** https://github.com/GrapheneOS/platform_frameworks_base/commit/d4e03e77dd590e3ed89af8b72d5c09f875fc46b0 *** https://github.com/GrapheneOS/platform_build/commit/b22db418509758b781699898dc43c1c1d3a94999 -* With this or despite this... -** Always set TTL to 65 on the devices being tethered to -*** Adjusting TTL alone could work on a few telecoms, but it's meant as a supplemental step for telecoms with smarter detections +* Caveats: +** Cell band locking is likely not possible; don't expect reliable stationary speeds. +** TTL detections have to be bypassed per device, or a router has to do it with one of the following firmwares: +*** Asuswrt-Merlin: `WAN` -> enable `Extend the TTL value` and `Spoof LAN TTL value`. +*** DD-WRT, Tomato, OpenWrt, or GoldenOrb (the best option for anything telecom related). -NOTE: Some router firmware (Asuswrt-Merlin, DD-WRT, Tomato, OpenWrt) can set TTL for all devices connected to it. -TIP: Skip straight to the "About" section, then "3. Test TTL & HL change on the tethered device"; these are the only root-less sections +== About telecoms (mobile providers/carriers) +* Telecoms do know about these tricks, but the offensive (this guide) is much stronger than the defensive. +** Telecoms' defenses being: +*** Using link:https://en.wikipedia.org/wiki/Deep_packet_inspection[DPI software] to detect and/or shape traffic based on certain criteria, such as Video Streaming (throttling YouTube and/or Netflix to force low video quality), which VPNs directly counter. +**** If VPNs are pwned (blocked and/or throttled), try these protocols: IKEv2, SoftEther, then OpenVPN with tls-crypt (use TCP if UDP is pwned). +*** Android and iOS telling the telecom that it's tethered/hotspot data. +*** Checking the IMEI of the device to see if it's a phone/tablet or not. +**** Sometimes blocking IMEIs (usually non-Sierra LTE modems like Quectel, but can be easily spoofed into an allowed IMEI anyway...) -== About -* Your telecom cannot: -** Directly prove this method (link:https://github.com/RiFi2k/unlimited-tethering[among some others]) is being used -*** Telecoms do know about this, but the offensive (this guide) is much stronger than the defensive, their defense being: DPI software, and the OS (Android and iOS) telling the telecom that it's tethered + -This guide can solve the OS problem unless it's iOS (buy the latest Google Pixel next time, it has proper firmware & hardware & software security as iPhones do) +=== VPNs -* Your telecom can (if no traffic encryptor such as Tor or a VPN is used): -** Check for specific domains being connected to that only a Windows PC or Mac would connect to, but not an Android phone. -** Use link:https://en.wikipedia.org/wiki/Deep_packet_inspection[DPI software] to shape traffic based on certain criteria(s), such as Video Streaming (throttling YouTube videos and/or Netflix, and/or forcing lower video quality) +A paid VPN is recommended as it's easy to route all traffic through it, and shouldn't reduce speeds if: -* A paid VPN is recommended since it's easy to route all traffic through it, and shouldn't reduce speeds, given the following criteria: -** Protocol used is WireGuard (fastest, expect on unreliable links), IKEv2 (best on unreliable links), or SoftEther (reasonably fast and best at bypassing DPI). + -** If the speeds are lower than expected on all protocols, connect to the VPN on a different device, specifically one with link:https://en.wikipedia.org/wiki/AES_instruction_set#x86_architecture_processors[AES-NI supported] +* The protocol used is IKEv2 (fastest on unreliable links), or SoftEther (the best at bypassing DPI software, with good speeds). + +** WireGuard is fastest on not unreliable links, but is easily detected by DPI software. +** If the speeds are lower than expected on all protocols, connect to the VPN on a different device, specifically one with link:https://en.wikipedia.org/wiki/AES_instruction_set#x86_architecture_processors[AES-NI supported]. -WARNING: VPNs don't grant privacy, Tor and I2P do; these can easily be used alongside a VPN if desired + -For this guide, VPNs are used for the intention of hiding traffic from your telecom, and ensuring web content isn't blocked + -*`Ultimately, usage of a VPN is optional`* - -.Good paid VPN providers do the following (and VPN recommendations) +.Good paid VPN providers do the following [%collapsible] ==== -* Transparent communication -* Use only dedicated/physical/bare metal servers -** Dedis are faster and more secure than virtual servers ("VPS" / "VDS") -** No hard drives installed in the servers is a good bonus -* No fake (geo-located) server locations -** Unless they are stated as such -* All server locations allow all traffic except outbound port 25 (to prevent email spam abuse) -* Ability to link:https://airvpn.org/faq/port_forwarding/[select ports to forward]. -** AirVPN, hide.me, and TorGuard have the best implementations of port forwarding -*** link:https://teddit.net/r/VPNTorrents/comments/oqnnrq/list_of_vpns_that_allow_portforwarding_2021/[List of VPNs that allow P2P and Port Forwarding] - -* Recommendations based on the above criteria and personal experiences: -. link:https://airvpn.org[AirVPN] -** Mirrors: link:https://airvpn.dev[AirVPN #2] | link:http://airvpn3epnw2fnsbx5x2ppzjs6vxtdarldas7wjyqvhscj7x43fxylqd.onion[AirVPN via Tor] -. link:https://mullvad.net[Mullvad] -** Mirror: link:http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion[Mullvad via Tor] -. link:https://hide.me[hide.me] (supports IKEv2 and SoftEther; the other recommendations don't) +. Transparent communication, and easily accessible forums or a Discord "guild". +. Only bare-metal (dedicated) servers used, with no hard drives (RAM only). +** Bare-metal is faster and more secure than virtual servers ("VPS" / "VDS"). +. State their geolocated (fake) server locations, or have none. +. All server locations allow all traffic except outbound port 25. +** P2P should never be blocked, despite also being abuse-prone. +. Ability to link:https://airvpn.org/faq/port_forwarding/[select ports to forward]; this heavily gauges if a VPN provider is worth your time, even if you never need port forwarding. +** AirVPN, hide.me, Mullvad, and TorGuard have the best implementations of port forwarding as of 31 December 2021. +*** link:https://teddit.net/r/VPNTorrents/comments/oqnnrq/list_of_vpns_that_allow_portforwarding_2021/[List of VPNs that allow Port Forwarding]. ==== -== 1. Configure props -. Launch Termux +== 1. Start of the root-only guide: Configure props + +NOTE: For non-root, skip to *3.* + +. Launch Termux. . `$ su` . `# settings delete system tether_entitlement_check_state; settings delete global tether_dun_required` . `# props` @@ -128,20 +132,20 @@ For this guide, VPNs are used for the intention of hiding traffic from your tele == 2. Adjust TTL & HL -* Getting the correct network interface(s); look for 'rmnet' and/or 'rndis' (example: "v4-rmnet_data2") +* Getting the correct network interface(s); look for 'rmnet' and/or 'rndis' (example: "v4-rmnet_data2"). ** `$ netstat -i` .Termux:Boot [%collapsible] ==== -* link:https://f-droid.org/en/packages/com.termux.boot/[Install Termux:Boot] and disable "battery optimizations" for Termux and Termux:Boot in your phone's settings +* link:https://f-droid.org/en/packages/com.termux.boot/[Install Termux:Boot] and disable "battery optimizations" for Termux and Termux:Boot in your device's settings. * Make the script: -. `$ mkdir -p ~/.termux/boot` + -. `$ cd ~/.termux/boot` + +. `$ mkdir -p ~/.termux/boot` +. `$ cd ~/.termux/boot` . `$ nano set-tether-ttl.sh` -NOTE: Replace "v4-rmnet_data2" with your network interface if it's different +NOTE: Replace "v4-rmnet_data2" with your network interface if it's different. [source, shell] ---- @@ -152,8 +156,7 @@ ip6tables -t mangle -A POSTROUTING -o v4-rmnet_data2 -j HL --hl-set 64" * Launch the script: ** `$ chmod +x set-tether-ttl.sh && sh set-tether-ttl.sh` - -Termux:Boot will automatically run set-tether-ttl.sh after startup/boot, though it will break if the interface name changes, which I cannot test nor know if this happens on Android, and if it does it may be specific to a ROM +*** Termux:Boot will automatically run set-tether-ttl.sh after startup/boot, though it will break if the interface name changes, which I cannot test nor know if this happens on Android, and if it does it may be specific to a ROM. ==== @@ -162,14 +165,14 @@ Termux:Boot will automatically run set-tether-ttl.sh after startup/boot, though ==== * link:https://github.com/ukanth/afwall#availability[Install AFWall+] -. Open AFWall+ -> 3 vertical dots (hamburger menu) -> Preferences -- UI Preferences -** Confirm AFWall+ disable -> Enabled -- Binaries -** Iptables binary -> System iptables -** BusyBox binary -> System BusyBox -. Open AFWall+ -> 3 vertical dots (hamburger menu) -> Set custom script -. Put in "Enter custom script below" +. Open AFWall+ -> 3 vertical dots (hamburger menu) -> `Preferences` +- `UI Preferences` +** `Confirm AFWall+ disable` -> Enabled +- `Binaries` +** `Iptables binary` -> System iptables +** `BusyBox binary` -> System BusyBox +. Open AFWall+ -> 3 vertical dots (hamburger menu) -> `Set custom script` +. Put in "Enter custom script below": NOTE: Replace "v4-rmnet_data2" with your network interface if it's different @@ -184,26 +187,21 @@ ip6tables -t mangle -A POSTROUTING -o v4-rmnet_data2 -j HL --hl-set 64 [%collapsible] ==== -. Install link:https://play.google.com/store/apps/details?id=org.segin.ttleditor[TTL Editor] -. Open TTL Editor -. Check "Apply to all network interfaces using /proc" -** Or specify a specific interface, "v4-rmnet_data2" being an example -. Press OK to the side of "Set new TTL" to apply a chosen TTL, likely 64 +. Install then open link:https://play.google.com/store/apps/details?id=org.segin.ttleditor[TTL Editor]. +. Check "Apply to all network interfaces using /proc"... +** Or specify a specific interface, "v4-rmnet_data2" being an example. +. Press OK to the side of "Set new TTL" to apply a chosen TTL, likely 64. -NOTE: TTL changes aren't persistent with this method, rebooting/shutdown will lose these changes until you apply them manually again +WARNING: TTL changes aren't persistent with this method, rebooting/shutdown will lose these changes until you apply them manually again. ==== == 3. Test TTL & HL change on the tethered device -TIP: kbd:[Ctrl + C] to stop pinging at any time - * IPv4 (test TTL): `$ ping -4 gnu.org` * IPv6 (test HL): `$ ping -6 gnu.org` -If the TTL & HL is 64, you've successfully completed this guide +If the TTL & HL is 64 (or what you know works for your telecom), then you've successfully completed this guide. TIP: If this works, then Star this repository! + -Purpose being to make this repository more discoverable, so more can easily bypass these restrictions set in place by telecom providers. - -NOTE: If this didn't work, try link:https://github.com/RiFi2k/unlimited-tethering[RiFi2k's method] \ No newline at end of file +- If this didn't work, try link:https://github.com/RiFi2k/unlimited-tethering[RiFi2k's guide]