Archives
/
no-tethering-restrictions
mirror of https://github.com/nermur/no-tethering-restrictions
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
47 Commits
1 Branch
5 Tags
461 KiB
Shell 100%
 
master
v1
v2
v3
v4
v5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '112e57a86a'
${ noResults }
Go to file
nermur 112e57a86a v3 
- Fixed some props not setting correctly.
- Various minor documentation/README improvements.
 		1 year ago
META-INF/com/google/android Created a Magisk Module to automate some steps & README improvements 1 year ago
.gitattributes Update .gitattributes 1 year ago
LICENSE Update LICENSE 1 year ago
README.adoc v3 1 year ago
module.prop v3 1 year ago
service.sh v3 1 year ago
update.json v3 1 year ago

README.adoc 

:experimental:
ifdef::env-github[]
:icons:
:tip-caption: :bulb:
:note-caption: :information_source:
:important-caption: :heavy_exclamation_mark:
:caution-caption: :fire:
:warning-caption: :warning:
endif::[]

== About
[.lead]
This hotspot/tethering limitation bypass beats PDANet, FoxFi, NetShare, EasyTether, WiFi Tether Router, and sshuttle tunneling. Reasons being:

. Least amount or no speed reduction, is reliable, doesn't break apps/programs/software, and no increase in https://www.waveform.com/tools/bufferbloat[bufferbloat]/ping spikes.

. Works for as many client (tethered to) devices as possible. It's plug and play after setup.
** This means no programs are required to be installed on client devices.

. Difficult for telecoms to prove intentional bypassing of their tethering detections.

. Optionally can fully bypass DPI (Deep Packet Inspection); used to throttle & tamper with sites such as Netflix or YouTube by limiting video quality, and sometimes censorship.
** A good VPN provider is required for this goal.

== Requirements
* A rooted Android 5.0 or newer device with an active SIM card or eSIM.
** Android 4.4.4 is compatible if Magisk v20.4 or up to v22.0 is used.


== Requirements can't be met
* Get an unlocked Google Pixel phone that support all radio bands of your telecom.
** Use https://www.kimovil.com/en/[Kimovil] to check radio band support. Note that the same phone from different countries have different bands supported.
** The recommendation is an unlocked https://swappa.com/listings/google-pixel-4a-5g/unlocked[Pixel 4a (5G)] for $100 USD from https://swappa.com/vs/ebay[Swappa instead of Ebay].


== Preparation

. https://topjohnwu.github.io/Magisk/[Install Magisk]; read "Getting Started", then "Patching Images".

. Install the following apps:

* The https://f-droid.org/en/packages/com.termux/[Termux] terminal emulator from F-Droid only (https://wiki.termux.com/wiki/Termux_Google_Play[why?]).

* https://apkpure.com/network-signal-guru/com.qtrun.QuickTest[Network Signal Guru] for its radio band locking; helps maintain and potentially increase network speeds.
** Tinkering is required to find your current location's best radio bands.

* https://github.com/AdAway/AdAway/releases[AdAway] to block Network Signal Guru's advertising.
** AdAway requires you to enable "Systemless Hosts" in Magisk's settings.

=== A custom kernel with "xt_HL.ko" support
.Testing if "xt_HL.ko" (netfilter's TTL/HL packet mangling) is present:
. Open Termux.
. `$ su`
. `# iptables -t mangle -A POSTROUTING -o null -j TTL --ttl-inc 1; ip6tables -t mangle -A POSTROUTING -o null -j HL --hl-inc 1`
** If there's no output, skip ahead to "1. Blocking Android snitching...", as your kernel already has "xt_HL.ko" support.

=== Downloading a suitable custom kernel

NOTE: The listed kernels include the BBR or BBRv2 TCP congestion control algorithm to https://web.archive.org/web/20220313173158/http://web.archive.org/screenshot/https://docs.google.com/spreadsheets/d/1I1NcVVbuC7aq4nGalYxMNz9pgS9OLKcFHssIBlj9xXI[help maintain speeds over bad network conditions].

|===
| 1. momojuro's https://forum.xda-developers.com/search/member?user_id=5670369&content=thread[fsociety tribute]; recommended for the Pixel 4A (5G) and Pixel 5.
| 2. Freak07's https://forum.xda-developers.com/search/member?user_id=3428502&content=thread[Kirisakura]; recommended for the Pixel 6.
| 3. kdrag0n's https://forum.xda-developers.com/search/member?user_id=7291478&content=thread[Proton].
|===

TIP: Not for your device? +
Use these search terms on the https://forum.xda-developers.com/search/[XDA Forums] to find other kernels with "xt_HL.ko" support: +
`TTL spoofing`, `TTL target`, `IPtables TTL`, `TTL/HL target`, `TTL module`.


=== Installing a custom kernel
. Install https://github.com/SmartPack/BusyBox-Installer/releases[BusyBox Installer], then open it.
. Install https://github.com/libxzr/HorizonKernelFlasher/releases[Horizon Kernel Flasher], open it, then point it to the ZIP containing the custom kernel.


== 1. Blocking Android snitching, and spoofing TTL & HL

. Download our https://github.com/felikcat/unlimited-hotspot/releases/download/v3/unlimited-hotspot-v3.zip[Unlimited Hotspot] Magisk module.
. Open Magisk -> Modules -> Install from storage -> Select the "unlimited-hotspot-v3.zip" that was downloaded.
. Reboot.

[.lead] 
For routers to also be plug and play, additional steps are required:

.Asuswrt-Merlin
[%collapsible]
====
. `Advanced Settings - WAN` -> disable `Extend the TTL value` and `Spoof LAN TTL value`.
. `Advanced Settings - Administration`
** `Enable JFFS custom scripts and configs` -> "Yes"
** `Enable SSH` -> "LAN only"
. Replace the LAN IP and login name if needed: `$ ssh 192.168.50.1 -l asus`
** Use other SSH clients if preferred, such as MobaXterm or Termius.
. `# nano /jffs/scripts/wan-event`

[source, shell]
----
#!/bin/sh
# Martineau wrote this script:
# https://www.snbforums.com/threads/wan-start-script-also-run-on-wan-stop.61295/#post-542636
#
#   v384.15 Introduced wan-event script, (wan-start will be deprecated in a future release.)
#
#          wan-event      {0 | 1} {stopping | stopped | disconnected | init | connecting | connected}
#
# shellcheck disable=SC2068
Say() {
  printf '%s%s' "$$" "$@" | logger -st "($(basename "$0"))"
}
#========================================================================================================================================
WAN_IF=$1
WAN_STATE=$2

# Call appropriate script based on script_type
SERVICE_SCRIPT_NAME="wan${WAN_IF}-${WAN_STATE}"
SERVICE_SCRIPT_LOG="/tmp/WAN${WAN_IF}_state"

# Execute and log script state
if [ -f "/jffs/scripts/${SERVICE_SCRIPT_NAME}" ]; then
  Say "     Script executing.. for wan-event: $SERVICE_SCRIPT_NAME"
  echo "$SERVICE_SCRIPT_NAME" >"$SERVICE_SCRIPT_LOG"
  sh /jffs/scripts/"${SERVICE_SCRIPT_NAME}" "$@"
else
  Say "     Script not defined for wan-event: $SERVICE_SCRIPT_NAME"
fi

##@Insert##
----

`# nano /jffs/scripts/wan0-connected`
[source, shell]
----
#!/bin/sh

# HACK: Not sure what to check for exactly; do it too early and the TTL & HL won't get set.
sleep 5s

modprobe xt_HL; wait

# Removes these iptables entries if present; only removes once, so if the same entry is present twice (script assumes this never happens), it would need to be removed twice.
iptables -t mangle -D PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -D POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2

# Bypass TTL & HL detections for hotspot/tethering.
## Increments the TTL & HL by 2 (1 for the router, 1 for the devices connected to the router).
iptables -t mangle -I PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -I POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2
----
Have to set permissions correctly to avoid this: `custom_script: Found wan-event, but script is not set executable!` +
`# chmod a+rx /jffs/scripts/*` +
`# reboot`

___
====


.GoldenOrb or OpenWrt via LuCI
[%collapsible]
====
. GoldenOrb specific: `Network` -> `Firewall` -> `Custom TTL Settings`
** Ensure its option is disabled.
. `Network` -> `Firewall` -> `Custom Rules`
[source, shell]
----
# Removes these iptables entries if present; only removes once, so if the same entry is present twice (script assumes this never happens), it would need to be removed twice.
iptables -t mangle -D PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -D POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2

# Bypass TTL & HL detections for hotspot/tethering.
## Increments the TTL & HL by 2 (1 for the router, 1 for the devices connected to the router).
iptables -t mangle -I PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -I POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2
----

___
====


== 2. Check TTL & HL

* If the TTL and/or HL isn't exactly the same as the tethering device, then modify the `ttl-inc` and `hl-inc` to match.
** inc = increment, dec = decrement; `ttl-inc 2` adds to the TTL by 2, `ttl-dec 1` subtracts the TTL by 1.

* IPv4/TTL: `$ ping -4 bing.com`
** For Android & macOS: `$ ping bing.com` 
* IPv6/HL: `$ ping -6 bing.com`
** For Android & macOS: `$ ping6 bing.com`


== 3. Using a VPN to bypass DPI-based throttling, shaping, and censorship

.Least shady free VPNs; not recommended.
[%collapsible]
====

* Ordered from best to worst:
. https://cloudflarewarp.com/[Cloudflare WARP] (never torrent on this). +
You can get the https://github.com/TheCaduceus/WARP-UNLIMITED-ADVANCED[paid WARP+ for free], in which the "Railway App" method is recommended.

. https://cryptostorm.is/cryptofree[Cryptofree]
** Using their free WireGuard server is recommended.

. https://protonvpn.com/free-vpn/[ProtonVPN Free]

====


.Open-source VPN protocol comparison; what is suitable for your situation.
[%collapsible]
====
* *WireGuard*, the fastest on reliable internet; easily blockable by DPI firewalls.
* *IKEv2/IPSec*, sometimes faster than WireGuard on unreliable internet. Depending on the VPN provider, IKEv2 can either be resistant to DPI firewalls (hide.me's implementation), or not at all.
* *SoftEther*, bypasses most DPI firewalls with good speeds in general, but is more complicated to set up for non-Windows OSes.
* *OpenVPN3*, resistant to DPI firewalls if tls-crypt is used alongside port 443; China, Iran, and Egypt require OpenVPN over SSL which further reduce speeds. This protocol isn't efficient and has bufferbloat issues.

====


.Requirements for a good paid VPN provider.
[%collapsible]
====

NOTE: TorGuard is the recommendation if streaming (Netflix, Hulu, Amazon Prime, etc) is necessary. Otherwise, try TorGuard -> hide.me -> Mullvad.

. Show which servers are geolocated/virtual (fake location) servers, or have none.

. Addon available (or included) for a dedicated/static/streaming IP, to get around streaming service blocks, and other websites using anti-VPN services such as https://blocked.com.

. P2P/http://www.bittorrent.org/introduction.html[BitTorrent protocol] isn't blocked on all servers.
** If all servers have this protocol unblocked, it will narrow down the amount of hosting services that VPN provider can use. +
This means higher ping/latency for some ISPs/telecoms; low latency is important for online gaming and video conferencing, among others.

. SOCKS5 and HTTPS/SSL proxies provided.
** Some VPNs such as TorGuard use this to allow BitTorrent in countries where it's forbidden; a SOCKS5 proxy can allow BitTorrent by being located in Canada while you're connected to no VPN server, or a VPN server located in the United States.

. Ability to port forward at least 5 ports while supporting IPv6; this gauges a VPN provider's attention to detail, even if you never need port forwarding.
** https://web.archive.org/web/20220731172057/https://teddit.net/r/VPNTorrents/comments/s9f36q/list_of_vpns_that_allow_portforwarding_2022/[List of VPNs that support Port Forwarding].

. If the OpenVPN protocol is supported, its tls-crypt must be supported and for the VPN provider to allow establishing connection to their servers via port 443.

** OpenVPN over SSL or SSH is mandatory for China, Iran, and Egypt.
. Full IPv4 and IPv6 support across all servers.
** On some telecoms, connecting to a VPN server through IPv6 is required.

. Reliable software across multiple operating systems.
** The most problematic: Android TV, iOS/iPadOS, and Linux (especially distros not based on Ubuntu or Fedora).
*** Linux support for most VPNs lack a graphical interface, and lack features included in their Windows and/or macOS VPN software.

====


.Honest VPN reviews or information.
[%collapsible]
====

. https://youtube.com/channel/UCXJWKuGh0qedrYviGEJmlWw[Tom Spark's Reviews] on YouTube, or directly at his https://www.vpntierlist.com/[VPN Tier List] website.

. https://restoreprivacy.com/vpn/best/[RestorePrivacy].

. https://web.archive.org/web/20220929090559/https://thatoneprivacysite.xyz/choosing-the-best-vpn-for-you/[An archive of "That One Privacy Site"], dated 19th December 2019. +
Use it as a second opinion on what justifies a good paid VPN provider.

TIP: Many VPN review websites and videos are dishonest, as Kape Technologies owns many popular VPN review websites to unfairly promote their products as the "best". +
https://restoreprivacy.com/kape-technologies-owns-expressvpn-cyberghost-pia-zenmate-vpn-review-sites/

====


== 4. Confirm the tethering is un-throttled

NOTE: Enable "Data Saver" while USB tethering. This tells Android to restrict data to USB tethering and what app is at the forefront only.

WARNING: If Wi-Fi or Bluetooth tethering is used, Android will forcefully disable "Data Saver".

. Disconnect from the VPN.
. Use https://fast.com[Netflix's Speedtest], then after that's complete use https://www.waveform.com/tools/bufferbloat[Waveform's Bufferbloat Test]. +
This will test for throttling of streaming servers (Netflix), various forms of data fingerprinting, and tethering/hotspot detections.
. Connect to a VPN on the tethered-to (client) device, then repeat the above step.

. Optionally, speedtest again after installing https://github.com/tytydraco/KTweak-Android-App/releases[KTweak] and applying its "throughput" profile.

=== If the VPN can't connect:
. First check if IPv4 or IPv6 is being used to reach the VPN server.
** For T-Mobile, connecting through IPv6 may be required.
. If the VPN still can't connect, try each supported protocol in this order:
** WireGuard -> IKEv2/IPSec -> SoftEther -> AnyConnect [TorGuard only] -> OpenVPN (UDP, port 443) -> OpenVPN (TCP, port 443) -> OpenVPN over SSL (TCP, port 443)


== Appendices

.Learning resources used
[%collapsible]
====

. https://archive.org/download/p173_20220313/p173.pdf
. https://archive.org/download/technology-showcase-policy-control-for-connected-and-tethered-devices/technology-showcase-policy-control-for-connected-and-tethered-devices.pdf
. https://archive.org/download/geneva_ccs19/geneva_ccs19.pdf
. Random XDA forums posts and threads to accumulate personal experiences with hotspot/tethering bypass attempts.

====

*You've reached the end of this guide.* Star it if you liked it.