Update README.adoc

master
nermur 2 years ago committed by GitHub
parent 8dd70a143f
commit e9d4581b97
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -10,198 +10,184 @@ endif::[]
== Introduction == Introduction
This guide showcases the fastest and most reliable way of tethering on Android (both non-root and root), but is incompatible with many ROMs and kernels. + .This guide for Android bypasses Deep Packet Inspection (DPI) and tethering/hotspot detections, with two other main goals:
There are sections made within reason to make this guide compatible with more devices, with those being clearly defined as worse choices. * No large speed reduction, as is the case with the SSH or SSL tunneling methods.
* Making it difficult for telecoms to prove intentional bypassing of their DPI firewall and tethering detections.
** "Anti-DPI" software which are not VPNs, make it very obvious to a telecom that you intentionally bypassed their restrictions and/or throttling.
WARNING: A rooted tethering device (Android phone likely) is faster and far more reliable than non-rooted devices with mobile data after finishing this guide. + .Before proceeding, check the bands the phone or tablet (tethering device) supports at link:https://cacombos.com[Bands & Combos].
Just ensure the rooted tethering device has no sensitive information, as root entirely breaks Android's security measures. * If its LTE category is 6 or lower, don't expect good network speeds from that device for any guide.
. Check the bands the phone or tablet supports before proceeding, at: link:https://www.kimovil.com/[Kimovil] +
If it doesn't support all of your telecom's bands, don't expect good results (for any guide).
. Enabling "Data Saver" while tethering is recommended. Which should restrict data usage to tethering, and what app is at the forefront only. +
** Don't use Google Play Services or microG if possible, as they may ignore "Data Saver" completely.
*** Those two apps can also slow the device down while also draining the device's battery heavily; this is more severe on older Android versions, and some ROMs deviating heavily from Google's AOSP.
Enabling "Data Saver" while USB tethering is recommended, as it should restrict data usage to USB tethering, and what app is at the forefront only. +
Regardless, WiFi "hotspot" tethering will block "Data Saver".
== Rooted requirements === A VPN is required
*1: link:https://topjohnwu.github.io/Magisk/[Install Magisk], then...*
** The link:https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf#installation[MagiskHide Props Config] module. A paid VPN is recommended as they provide protocols which bypass DPI blocking, and shouldn't reduce speeds if:
** The link:https://f-droid.org/en/packages/com.termux/[Termux] terminal emulator (link:https://wiki.termux.com/wiki/Termux_Google_Play[from F-Droid only]). * The protocol used is IKEv2 (fastest on unreliable links), or SoftEther (the best at bypassing DPI software, with good speeds). +
*** If you are using an F-Droid app to download and install Termux, don't use the official F-Droid app, use link:https://github.com/Iamlooker/Droid-ify/releases[Droid-ify] instead. ** NOTE: WireGuard is fastest on *not* unreliable links, but is easily detected by DPI software.
** If the speeds are lower than expected on all protocols, connect to the VPN on a different device, specifically one with link:https://en.wikipedia.org/wiki/AES_instruction_set#x86_architecture_processors[AES-NI supported].
** The Busybox Magisk module: .Good paid VPN providers do the following
. Magisk -> `Modules` (puzzle piece icon) [%collapsible]
. Search for 'busybox' to find "Busybox for Android NDK", then install it. ====
. Transparent communication and easily accessible forums, or a Discord "guild".
. Only bare-metal (dedicated) servers used, with no hard drives (RAM only).
** Bare-metal is faster and more secure than virtual servers ("VPS" / "VDS").
. State all their geolocated (fake) server locations, or have none.
. All server locations allow all traffic except outbound port 25.
** P2P should never be blocked, despite also being abuse-prone.
. Ability to link:https://airvpn.org/faq/port_forwarding/[select ports to forward]; this heavily gauges if a VPN provider is worth your time, even if you never need port forwarding.
** AirVPN, hide.me, Mullvad, and TorGuard have the best implementations of port forwarding as of 31 December 2021.
*** link:https://teddit.net/r/VPNTorrents/comments/oqnnrq/list_of_vpns_that_allow_portforwarding_2021/[List of VPNs that allow Port Forwarding].
. Provide SoftEther and IKEv2 protocols.
*2: Install the following apps; if needed, use the link:https://gitlab.com/AuroraOSS/AuroraStore/-/releases[Aurora Store] app for installing apps on the Google Play Store.* ====
* link:https://play.google.com/store/apps/details?id=com.draco.ktweak[KTweak for higher network speeds], using its "throughput" profile. == Non-rooted requirements
* link:https://adaway.org/[AdAway to block Network Signal Guru's ads]. + * The ROM must explicitly stop Android from snitching:
Magisk's "Systemless Hosts" feature has to be enabled for AdAway to work. *** https://github.com/GrapheneOS/platform_frameworks_base/commit/d4e03e77dd590e3ed89af8b72d5c09f875fc46b0
*** https://github.com/GrapheneOS/platform_build/commit/b22db418509758b781699898dc43c1c1d3a94999
** link:https://play.google.com/store/apps/details?id=com.qtrun.QuickTest[Network Signal Guru for band locking], which is required to maintain reliable speeds. For rooted devices, you force the ROM to stop snitching instead.
== Rooted requirements
*3: The kernel in use has the "xt_HL.ko" module built-in (netfilter's TTL packet mangling).* WARNING: This guide can work regardless of root, but a rooted tethering device is recommended for additional control that is useful for increasing and/or maintaining speeds. +
Just ensure the rooted tethering device has no sensitive information, as root entirely breaks Android's security measures.
* High-quality kernels with "xt_HL.ko" support, that also use the BBR TCP congestion control algorithm (which link:https://docs.google.com/spreadsheets/d/1I1NcVVbuC7aq4nGalYxMNz9pgS9OLKcFHssIBlj9xXI/edit#gid=1926845420[greatly increases reliability]): *1: link:https://topjohnwu.github.io/Magisk/[Install Magisk], then the link:https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf#installation[MagiskHide Props Config] module.*
** kdrag0n's link:https://forum.xda-developers.com/search/member?user_id=7291478&content=thread[Proton Kernel].
** Freak07's link:https://forum.xda-developers.com/search/member?user_id=3428502&content=thread[Kirisakura] kernel.
NOTE: Search terms to use on link:https://forum.xda-developers.com/search/[XDA Forums] to find other kernels with "xt_HL.ko" support: + *2: Install the following apps; if needed, use the link:https://gitlab.com/AuroraOSS/AuroraStore/-/releases[Aurora Store] app for installing apps on the Google Play Store.*
`TTL spoofing`, `TTL target`, `IPtables TTL`, `TTL/HL target`, `TTL module`.
* Testing "xt_HL.ko" support: + * The link:https://f-droid.org/en/packages/com.termux/[Termux] terminal emulator (link:https://wiki.termux.com/wiki/Termux_Google_Play[from F-Droid only]).
. Launch Termux. + ** If you are using the official F-Droid app to download and install Termux, try using link:https://github.com/Iamlooker/Droid-ify/releases[Droid-ify] instead as the official app is unreliable.
. `$ su` +
. `# iptables -t mangle -A POSTROUTING -o wlan+ -j TTL --ttl-set 64` +
. `# ip6tables -t mangle -A POSTROUTING -o wlan+ -j HL --hl-set 64` +
** If there's no output, the commands succeeded (kernel has "xt_HL.ko" support).
TIP: If your preferred custom kernel does not support `--ttl-set` and `--hl-set`, inform them of this repository. + * link:https://play.google.com/store/apps/details?id=com.draco.ktweak[KTweak for higher network speeds], using its "throughput" profile.
For kernel tweakers: link:https://web.archive.org/web/20210423030541/https://forum.xda-developers.com/t/magisk-stock-bypass-tether-restrictions.4262265/[an example of enabling "xt_HL.ko" support through Magisk].
== For non-rooted * link:https://adguard-dns.com/en/public-dns.html[Configure AdGuard DNS manually] before using Network Signal Guru.
** link:https://github.com/AdAway/AdAway/releases[AdAway] is the alternative if you're not willing to change DNS servers, or using a paid VPN with no option to change the DNS servers used.
* *Using a ROM that explicitly stops Android from snitching is required:* * link:https://play.google.com/store/apps/details?id=com.qtrun.QuickTest[Network Signal Guru for band locking], which can help maintain reliable speeds, and/or avoid congested bands for higher speeds.
*** https://github.com/GrapheneOS/platform_frameworks_base/commit/d4e03e77dd590e3ed89af8b72d5c09f875fc46b0
*** https://github.com/GrapheneOS/platform_build/commit/b22db418509758b781699898dc43c1c1d3a94999
* Caveats:
** Cell band locking is likely not possible; don't expect reliable stationary speeds.
** TTL detections have to be bypassed per device, or a router has to do it with one of the following firmwares:
*** Asuswrt-Merlin: `WAN` -> enable `Extend the TTL value` and `Spoof LAN TTL value`.
*** DD-WRT, Tomato, OpenWrt, or GoldenOrb (the best option for anything telecom related).
*3: Kernel in use must have the "xt_HL.ko" module built-in (netfilter's TTL/HL packet mangling).*
== About telecoms (mobile providers/carriers) * Testing for "xt_HL.ko" support:
* Telecoms do know about these tricks, but the offensive (this guide) is much stronger than the defensive. . Launch Termux.
** Telecoms' defenses being: . `$ su`
*** Using link:https://en.wikipedia.org/wiki/Deep_packet_inspection[DPI software] to detect and/or shape traffic based on certain criteria, such as Video Streaming (throttling YouTube and/or Netflix to force low video quality), which VPNs directly counter. . `# iptables -t mangle -A POSTROUTING -o null -j TTL --ttl-set 64`
**** If VPNs are pwned (blocked and/or throttled), try these protocols: IKEv2, SoftEther, then OpenVPN with tls-crypt (use TCP if UDP is pwned). . `# ip6tables -t mangle -A POSTROUTING -o null -j HL --hl-set 64`
*** Android and iOS telling the telecom that it's tethered/hotspot data. ** If there's no output, the commands succeeded (kernel has "xt_HL.ko" support).
*** Checking the IMEI of the device to see if it's a phone/tablet or not.
**** Sometimes blocking IMEIs (usually non-Sierra LTE modems like Quectel, but can be easily spoofed into an allowed IMEI anyway...)
=== VPNs TIP: If your preferred custom kernel does not support `--ttl-set` and `--hl-set`, inform them of this repository. +
For kernel tweakers: link:https://web.archive.org/web/20210423030541/https://forum.xda-developers.com/t/magisk-stock-bypass-tether-restrictions.4262265/[an example of enabling "xt_HL.ko" support through Magisk].
A paid VPN is recommended as it's easy to route all traffic through it, and shouldn't reduce speeds if: === List of high-quality kernels with "xt_HL.ko" support, that also use the BBR TCP congestion control algorithm (which helps link:https://docs.google.com/spreadsheets/d/1I1NcVVbuC7aq4nGalYxMNz9pgS9OLKcFHssIBlj9xXI[maintains speeds over bad network conditions]):
* The protocol used is IKEv2 (fastest on unreliable links), or SoftEther (the best at bypassing DPI software, with good speeds). + * kdrag0n's link:https://forum.xda-developers.com/search/member?user_id=7291478&content=thread[Proton Kernel].
** WireGuard is fastest on not unreliable links, but is easily detected by DPI software. * Freak07's link:https://forum.xda-developers.com/search/member?user_id=3428502&content=thread[Kirisakura] kernel.
** If the speeds are lower than expected on all protocols, connect to the VPN on a different device, specifically one with link:https://en.wikipedia.org/wiki/AES_instruction_set#x86_architecture_processors[AES-NI supported].
.Good paid VPN providers do the following NOTE: Search terms to use on link:https://forum.xda-developers.com/search/[XDA Forums] to find other kernels with "xt_HL.ko" support: +
[%collapsible] `TTL spoofing`, `TTL target`, `IPtables TTL`, `TTL/HL target`, `TTL module`.
====
. Transparent communication, and easily accessible forums or a Discord "guild".
. Only bare-metal (dedicated) servers used, with no hard drives (RAM only).
** Bare-metal is faster and more secure than virtual servers ("VPS" / "VDS").
. State their geolocated (fake) server locations, or have none.
. All server locations allow all traffic except outbound port 25.
** P2P should never be blocked, despite also being abuse-prone.
. Ability to link:https://airvpn.org/faq/port_forwarding/[select ports to forward]; this heavily gauges if a VPN provider is worth your time, even if you never need port forwarding.
** AirVPN, hide.me, Mullvad, and TorGuard have the best implementations of port forwarding as of 31 December 2021.
*** link:https://teddit.net/r/VPNTorrents/comments/oqnnrq/list_of_vpns_that_allow_portforwarding_2021/[List of VPNs that allow Port Forwarding].
====
== 1. Start of the root-only guide: Configure props
NOTE: For non-root, skip to *3.* == 1. Skip to 2 if non-rooted: Configure props
. Launch Termux. . Launch Termux.
. `$ su` . `$ su`
. `# settings delete system tether_entitlement_check_state; settings delete global tether_dun_required` . `# settings delete system tether_entitlement_check_state; settings delete global tether_dun_required`
. `# props` . `# props`
** "Select an option below." -> "Add/edit custom props" kbd:[4 ↵] ** "Select an option below." -> "Add/edit custom props" kbd:[5 ↵]
** Select "New custom prop" with kbd:[n ↵] ** Select "New custom prop" with kbd:[n ↵]
*** `net.tethering.noprovisioning` kbd:[↵] -> kbd:[true ↵] -> kbd:[y ↵] *** `net.tethering.noprovisioning` kbd:[↵] -> kbd:[true ↵] -> kbd:[y ↵]
**** "Do you want to reboot now?" kbd:[n ↵] **** "Do you want to reboot now?" kbd:[n ↵]
** Select "New custom prop" with kbd:[n ↵] ** Select "New custom prop" with kbd:[n ↵]
*** `tether_entitlement_check_state` kbd:[↵] -> kbd:[0 ↵] -> kbd:[y ↵] *** `tether_entitlement_check_state` kbd:[↵]
**** "Are you sure you want to proceed?" kbd:[y ↵] -> kbd:[0 ↵] -> kbd:[y ↵]
**** "Do you want to reboot now?" kbd:[n ↵] **** "Do you want to reboot now?" kbd:[n ↵]
** Select "New custom prop" with kbd:[n ↵] ** Select "New custom prop" with kbd:[n ↵]
*** `tether_dun_required` kbd:[↵] -> kbd:[0 ↵] -> kbd:[y ↵] *** `tether_dun_required` kbd:[↵] -> kbd:[0 ↵] -> kbd:[y ↵]
**** "Do you want to reboot now?" -> kbd:[y ↵] **** "Do you want to reboot now?" -> kbd:[y ↵]
== 2. Adjust TTL & HL
* Getting the correct network interface(s); look for 'rmnet' and/or 'rndis' (example: "v4-rmnet_data2"). == 2. Spoof TTL & HL
** `$ netstat -i`
=== Router methods
.Asuswrt-Merlin >unfinished, TODO<
[%collapsible]
====
. `WAN` -> disable `Extend the TTL value` and `Spoof LAN TTL value`.
====
.Termux:Boot .GoldenOrb & OpenWrt via LuCI
[%collapsible] [%collapsible]
==== ====
* link:https://f-droid.org/en/packages/com.termux.boot/[Install Termux:Boot] and disable "battery optimizations" for Termux and Termux:Boot in your device's settings. . GoldenOrb specific: `Network` -> `Firewall` -> `Custom TTL Settings`
** Ensure its option is disabled.
. `Network` -> `Firewall` -> `Custom Rules`
```
iptables -t mangle -I PREROUTING -i usb+ -j TTL --ttl-inc 1
iptables -t mangle -I POSTROUTING -o usb+ -j TTL --ttl-inc 1
ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 1
ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 1
```
* Compare the TTL and HL of the tethering (Android) device and the router (or any device connected to that router), they should both be the same TTL and HL. If not, change the increment (ttl-inc, hl-inc).
** IPv4/TTL: `$ ping -4 bing.com`
*** For Android & macOS: `$ ping bing.com`
** IPv6/HL: `$ ping -6 bing.com`
*** For Android & macOS: `$ ping6 bing.com`
====
NOTE: For unlisted firmwares, if you get TTL & HL spoofing functional, please edit README.adoc to include instructions for that firmware, then make a Pull Request once you're done. +
As proof, provide a screenshot for each step of the new instructions.
=== Rooted tether device
* Show the currently used network interfaces; it's helpful for troubleshooting if needed.
** `$ netstat -i`
* link:https://f-droid.org/en/packages/com.termux.boot/[Install Termux:Boot].
** Open Termux:Boot at least once, this allows it to run at boot while installed.
* Make the script: * Make the script:
. `$ mkdir -p ~/.termux/boot` . `$ mkdir -p ~/.termux/boot`
. `$ cd ~/.termux/boot` . `$ cd ~/.termux/boot`
. `$ nano set-tether-ttl.sh` . `$ nano set-tether-ttl.sh`
NOTE: Replace "v4-rmnet_data2" with your network interface if it's different.
[source, shell] [source, shell]
---- ----
#!/data/data/com.termux/files/usr/bin/sh #!/bin/sh
su -c "iptables -t mangle -A POSTROUTING -o v4-rmnet_data2 -j TTL --ttl-set 64 && \ su -c "iptables -t mangle -I PREROUTING -i v4-rmnet_data+ -j TTL --ttl-inc 1 && \
ip6tables -t mangle -A POSTROUTING -o v4-rmnet_data2 -j HL --hl-set 64" iptables -t mangle -I POSTROUTING -o v4-rmnet_data+ -j TTL --ttl-inc 1 && \
ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i v4-rmnet_data+ -j HL --hl-inc 1 && \
ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o v4-rmnet_data+ -j HL --hl-inc 1"
---- ----
* Launch the script: * Launch the script:
** `$ chmod +x set-tether-ttl.sh && sh set-tether-ttl.sh` ** `$ chmod +x set-tether-ttl.sh && sh set-tether-ttl.sh`
*** Termux:Boot will automatically run set-tether-ttl.sh after startup/boot, though it will break if the interface name changes, which I cannot test nor know if this happens on Android, and if it does it may be specific to a ROM. *** Termux:Boot will automatically run set-tether-ttl.sh after startup/boot, though it will break if the interface name changes, which I cannot test nor know if this happens on Android, and if it does it may be specific to a ROM.
====
.AFWall+ (will not work on ROMs with their own Firewall app, such as CalyxOS)
[%collapsible]
====
* link:https://github.com/ukanth/afwall#availability[Install AFWall+]
. Open AFWall+ -> 3 vertical dots (hamburger menu) -> `Preferences`
- `UI Preferences`
** `Confirm AFWall+ disable` -> Enabled
- `Binaries`
** `Iptables binary` -> System iptables
** `BusyBox binary` -> System BusyBox
. Open AFWall+ -> 3 vertical dots (hamburger menu) -> `Set custom script`
. Put in "Enter custom script below":
NOTE: Replace "v4-rmnet_data2" with your network interface if it's different == 3. Check TTL & HL
[source] * Do this for both the tethering device (Android), and a device being tethered to.
---- ** If the TTL and/or HL isn't exactly the same as the tethering device, then modify the `ttl-inc` and `hl-inc` to match.
iptables -t mangle -A POSTROUTING -o v4-rmnet_data2 -j TTL --ttl-set 64 *** inc = increment, dec = decrement; `ttl-inc 2` adds to the TTL by 2, `ttl-dec 1` subtracts the TTL by 1.
ip6tables -t mangle -A POSTROUTING -o v4-rmnet_data2 -j HL --hl-set 64 * IPv4/TTL: `$ ping -4 bing.com`
---- ** For Android & macOS: `$ ping bing.com`
==== * IPv6/HL: `$ ping -6 bing.com`
** For Android & macOS: `$ ping6 bing.com`
.For kernels with no "xt_HL.ko" support; not recommended
[%collapsible]
====
. Install then open link:https://play.google.com/store/apps/details?id=org.segin.ttleditor[TTL Editor].
. Check "Apply to all network interfaces using /proc"...
** Or specify a specific interface, "v4-rmnet_data2" being an example.
. Press OK to the side of "Set new TTL" to apply a chosen TTL, likely 64.
WARNING: TTL changes aren't persistent with this method, rebooting/shutdown will lose these changes until you apply them manually again.
====
== 3. Test TTL & HL change on the tethered device == 4. Confirm the tether is unthrottled
* IPv4 (test TTL): `$ ping -4 gnu.org` NOTE: If your telecom doesn't charge $$ for going over the hotspot/tethering data limit, max out its cap before proceeding. +
* IPv6 (test HL): `$ ping -6 gnu.org` It helps make it easy to determine if this works, as some telecoms will use more tactics to ensure you're in line with how they want you to use their service.
If the TTL & HL is 64 (or what you know works for your telecom), then you've successfully completed this guide. . After the desired TTL is reached, use link:https://fast.com[Netflix's Speedtest]. This will test for throttling of streaming servers (Netflix), tethering/"hotspot data" detections, OS fingerprinting, DNS fingerprinting, >TODO<
TIP: If this works, then Star this repository! + TIP: + If this guide worked, then Star this repository!
- If this didn't work, try link:https://github.com/RiFi2k/unlimited-tethering[RiFi2k's guide]
