nermur 2dd78a2f48 Add update notifier support 1 year ago

README.adoc

:experimental:
ifdef::env-github[]
:icons:
:tip-caption: :bulb:
:note-caption: :information_source:
:important-caption: :heavy_exclamation_mark:
:caution-caption: :fire:
:warning-caption: :warning:
endif::[]

== About
[.lead]
This hotspot/tethering limitation bypass beats PDANet, FoxFi, NetShare, EasyTether, WiFi Tether Router, and sshuttle tunneling, for these reasons:

. Little or no speed reduction; it is reliable, doesn't break apps/programs/software, and causes no increase in https://www.waveform.com/tools/bufferbloat[bufferbloat]/ping spikes.

. Works for as many client (tethered to) devices as possible. It's plug and play after setup.
** This means no programs are required to be installed on client devices.

. Difficult for telecoms to prove intentional bypassing of their tethering detections.

. Optionally, can fully bypass DPI (Deep Packet Inspection), which is used to throttle and tamper with sites such as Netflix or YouTube by limiting video quality, and sometimes for censorship.
** A good VPN provider is required for this goal.

== Requirements
* A rooted Android 5.0 or newer device with an active SIM card or eSIM.
** Android 4.4.4 is compatible if Magisk v20.4 or up to v22.0 is used.


== If the requirements can't be met
* Get an unlocked Google Pixel phone that supports all radio bands of your telecom.
** Use https://www.kimovil.com/en/[Kimovil] to check radio band support. Note that the same phone sold in different countries has different bands supported.
** The recommendation is an unlocked https://swappa.com/listings/google-pixel-4a-5g/unlocked[Pixel 4a (5G)] for $100 USD from https://swappa.com/vs/ebay[Swappa instead of Ebay].


== Preparation

. https://topjohnwu.github.io/Magisk/[Install Magisk]; read "Getting Started", then "Patching Images".

. Install the following apps:

* The https://f-droid.org/en/packages/com.termux/[Termux] terminal emulator from F-Droid only (https://wiki.termux.com/wiki/Termux_Google_Play[why?]).

* https://apkpure.com/network-signal-guru/com.qtrun.QuickTest[Network Signal Guru] for its band locking, which helps maintain reliable speeds and/or avoid congested bands for higher speeds.

* https://github.com/AdAway/AdAway/releases[AdAway] to block Network Signal Guru's advertising.
** AdAway requires you to enable "Systemless Hosts" in Magisk's settings.

=== A custom kernel with "xt_HL.ko" support
.Testing if "xt_HL.ko" (netfilter's TTL/HL packet mangling) is present:
. Run Termux.
. `$ su`
. `# iptables -t mangle -A POSTROUTING -o null -j TTL --ttl-inc 1; ip6tables -t mangle -A POSTROUTING -o null -j HL --hl-inc 1`
** If there's no output, "xt_HL.ko" support is already present; skip downloading and installing a custom kernel.

=== Downloading a suitable custom kernel

NOTE: The listed kernels include the BBR or BBRv2 TCP congestion control algorithm to https://web.archive.org/web/20220313173158/http://web.archive.org/screenshot/https://docs.google.com/spreadsheets/d/1I1NcVVbuC7aq4nGalYxMNz9pgS9OLKcFHssIBlj9xXI[help maintain speeds over bad network conditions].

. momojuro's https://forum.xda-developers.com/search/member?user_id=5670369&content=thread[fsociety tribute]; recommended for the Pixel 4A (5G) and Pixel 5.
. Freak07's https://forum.xda-developers.com/search/member?user_id=3428502&content=thread[Kirisakura]; recommended for the Pixel 6.
. kdrag0n's https://forum.xda-developers.com/search/member?user_id=7291478&content=thread[Proton].

TIP: Not for your device? +
Use these search terms on the https://forum.xda-developers.com/search/[XDA Forums] to find other kernels with "xt_HL.ko" support: +
`TTL spoofing`, `TTL target`, `IPtables TTL`, `TTL/HL target`, `TTL module`.


=== Installing a custom kernel
. Install https://github.com/SmartPack/BusyBox-Installer/releases[BusyBox Installer], then run it.
. Install https://github.com/libxzr/HorizonKernelFlasher/releases[Horizon Kernel Flasher], run it, then point it to the ZIP containing the custom kernel.


== 1. Blocking Android snitching, and spoofing TTL & HL

. Download our https://github.com/felikcat/unlimited-hotspot/releases/download/v1/unlimited_hotspot_v1.zip[Unlimited Hotspot] Magisk module.
. Open Magisk -> Modules -> Install from storage -> Select the "unlimited_hotspot_v1.zip" that was downloaded.
. Reboot.

[.lead] 
For routers to also be plug and play, additional steps are required:

.Asuswrt-Merlin
[%collapsible]
====
. `Advanced Settings - WAN` -> disable `Extend the TTL value` and `Spoof LAN TTL value`.
. `Advanced Settings - Administration`
** `Enable JFFS custom scripts and configs` -> "Yes"
** `Enable SSH` -> "LAN only"
. Replace the LAN IP and login name if needed: `$ ssh 192.168.50.1 -l asus`
** Use other SSH clients if preferred, such as MobaXterm or Termius.
. `# nano /jffs/scripts/wan-event`

[source, shell]
----
#!/bin/sh
# Martineau wrote this script:
# https://www.snbforums.com/threads/wan-start-script-also-run-on-wan-stop.61295/#post-542636
#
#   v384.15 Introduced wan-event script, (wan-start will be deprecated in a future release.)
#
#          wan-event      {0 | 1} {stopping | stopped | disconnected | init | connecting | connected}
#
# shellcheck disable=SC2068
Say() {
  printf '%s%s' "$$" "$@" | logger -st "($(basename "$0"))"
}
#========================================================================================================================================
WAN_IF=$1
WAN_STATE=$2

# Call appropriate script based on script_type
SERVICE_SCRIPT_NAME="wan${WAN_IF}-${WAN_STATE}"
SERVICE_SCRIPT_LOG="/tmp/WAN${WAN_IF}_state"

# Execute and log script state
if [ -f "/jffs/scripts/${SERVICE_SCRIPT_NAME}" ]; then
  Say "     Script executing.. for wan-event: $SERVICE_SCRIPT_NAME"
  echo "$SERVICE_SCRIPT_NAME" >"$SERVICE_SCRIPT_LOG"
  sh /jffs/scripts/"${SERVICE_SCRIPT_NAME}" "$@"
else
  Say "     Script not defined for wan-event: $SERVICE_SCRIPT_NAME"
fi

##@Insert##
----

`# nano /jffs/scripts/wan0-connected`
[source, shell]
----
#!/bin/sh

# HACK: Not sure what to check for exactly; do it too early and the TTL & HL won't get set.
sleep 5s

modprobe xt_HL; wait

# Remove these iptables entries if present. "-D" removes only one copy, so if the same
# entry somehow exists twice (this script assumes it never does) it would have to be removed twice.
iptables -t mangle -D PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -D POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2

# Bypass TTL & HL detections for hotspot/tethering.
## Increments the TTL & HL by 2 (1 for the router, 1 for the devices connected to the router).
iptables -t mangle -I PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -I POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2
----
Set the permissions correctly, otherwise the router logs: `custom_script: Found wan-event, but script is not set executable!` +
`# chmod a+rx /jffs/scripts/*` +
`# reboot`

___
====


.GoldenOrb or OpenWrt via LuCI
[%collapsible]
====
. GoldenOrb specific: `Network` -> `Firewall` -> `Custom TTL Settings`
** Ensure its option is disabled.
. `Network` -> `Firewall` -> `Custom Rules`
[source, shell]
----
# Remove these iptables entries if present. "-D" removes only one copy, so if the same
# entry somehow exists twice (these rules assume it never does) it would have to be removed twice.
iptables -t mangle -D PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -D POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2

# Bypass TTL & HL detections for hotspot/tethering.
## Increments the TTL & HL by 2 (1 for the router, 1 for the devices connected to the router).
iptables -t mangle -I PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -I POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2
----

___
====


== 2. Check TTL & HL

Do this on both the tethering device and the devices tethered to it.

* If the TTL and/or HL isn't exactly the same as on the tethering device, modify `ttl-inc` and `hl-inc` to match.
** inc = increment, dec = decrement; `ttl-inc 2` adds 2 to the TTL, `ttl-dec 1` subtracts 1 from the TTL.

* IPv4/TTL: `$ ping -4 bing.com`
** For Android & macOS: `$ ping bing.com` 
* IPv6/HL: `$ ping -6 bing.com`
** For Android & macOS: `$ ping6 bing.com`
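A helper for this check, as an added example (not code from the Unlimited Hotspot module): it parses the hop count out of `ping`/`ping6` reply lines and reports whether the client's value matches the tethering device's. The sample reply lines, and their documentation-range addresses, are constructed.

```shell
#!/bin/sh
# Added example, not part of the module: pull the hop count out of a ping reply
# line and compare the client's value with the tethering device's value.

# Constructed sample reply lines in the format Linux ping/ping6 print
# (the addresses are documentation ranges, not bing.com's real addresses).
SAMPLE_DEVICE_V4='64 bytes from 203.0.113.10: icmp_seq=1 ttl=57 time=31.2 ms'
SAMPLE_CLIENT_V4='64 bytes from 203.0.113.10: icmp_seq=1 ttl=56 time=33.9 ms'
SAMPLE_DEVICE_V6='64 bytes from 2001:db8::10: icmp_seq=1 hlim=57 time=30.8 ms'
SAMPLE_CLIENT_V6='64 bytes from 2001:db8::10: icmp_seq=1 hlim=57 time=32.1 ms'

# Print the TTL ("ttl=", IPv4) or hop limit ("hlim=", IPv6) found in one reply
# line. Prints nothing and returns 1 for lines that carry neither field.
ping_hops() {
  printf '%s\n' "$1" | awk '
    { for (i = 1; i <= NF; i++)
        if ($i ~ /^(ttl|hlim)=[0-9]+$/) { sub(/^[a-z]+=/, "", $i); print $i; found = 1; exit } }
    END { if (!found) exit 1 }'
}

# Print (device hops - client hops): 0 means the values match, a positive number
# is how much ttl-inc/hl-inc must grow, a negative one how much it must shrink.
hop_delta() {
  dev=$(ping_hops "$1") || return 2
  cli=$(ping_hops "$2") || return 2
  printf '%s\n' "$((dev - cli))"
}

# Human-readable verdict for one IP version; returns 1 on a mismatch.
check_hops() {
  d=$(hop_delta "$1" "$2") || { echo "unparsable ping output"; return 2; }
  if [ "$d" -eq 0 ]; then echo "match"; return 0; fi
  if [ "$d" -gt 0 ]; then echo "mismatch: client is $d lower; raise ttl-inc/hl-inc by $d"
  else echo "mismatch: client is $((-d)) higher; lower ttl-inc/hl-inc by $((-d))"; fi
  return 1
}

# Run both checks; the trailing "|| :" keeps a mismatch from aborting under "set -e".
check_hops "$SAMPLE_DEVICE_V4" "$SAMPLE_CLIENT_V4" || :
check_hops "$SAMPLE_DEVICE_V6" "$SAMPLE_CLIENT_V6" || :
```

Paste the real reply line from each device into the `SAMPLE_*` variables to compare your own values.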


== 3. Using a VPN to bypass DPI-based throttling, shaping, and censorship

.Least shady free VPNs; not recommended.
[%collapsible]
====

* Ordered from best to worst:
. https://cloudflarewarp.com/[Cloudflare WARP] (never torrent on this). +
You can get the https://github.com/TheCaduceus/WARP-UNLIMITED-ADVANCED[paid WARP+ for free]; the "Railway App" method is recommended.

. https://cryptostorm.is/cryptofree[Cryptofree]
** Using their free WireGuard server is recommended.

. https://protonvpn.com/free-vpn/[ProtonVPN Free]

====


.Open-source VPN protocol comparison; what is suitable for your situation.
[%collapsible]
====
* *WireGuard*, the fastest on reliable internet; easily detected by DPI firewalls.
* *IKEv2/IPSec*, sometimes faster than WireGuard on unreliable internet. Depending on the VPN provider, IKEv2 can either be resistant to DPI firewalls (hide.me's implementation), or not at all.
* *SoftEther*, bypasses DPI firewalls easily with good speeds in general, but is more complicated to set up for non-Windows OSes.
* *OpenVPN3*, resistant to DPI firewalls if tls-crypt is used alongside port 443; China, Iran, and Egypt require OpenVPN over SSL which further reduces speeds. This protocol isn't efficient and has bufferbloat issues.

====


.Requirements for a good paid VPN provider.
[%collapsible]
====

NOTE: TorGuard is the overall gold standard for other VPNs to follow as of 23 January 2023, except for their buggy Windows program. hide.me has the best Windows program at the moment.

. Shows which servers are geolocated/virtual (fake location) servers, or has none at all.

. An add-on is available (or included) for a dedicated/static/streaming IP, to get around streaming service blocks and other websites using anti-VPN services such as https://blocked.com.

. P2P/http://www.bittorrent.org/introduction.html[BitTorrent protocol] isn't blocked on all of the servers.
** If every server had this protocol unblocked, it would narrow down the number of hosting services the VPN provider can use. +
This means higher ping/latency for some ISPs/telecoms; low latency is important for online gaming and video conferencing, among others.

. SOCKS5 and HTTPS/SSL proxies provided.
** Some VPNs such as TorGuard use this to allow BitTorrent in countries where it's forbidden; a SOCKS5 proxy located in Canada can carry BitTorrent while you're connected to no VPN server, or to a VPN server located in the United States.

. Ability to port forward at least 5 ports while supporting IPv6; this gauges a VPN provider's attention to detail, even if you never need port forwarding.
** https://web.archive.org/web/20220731172057/https://teddit.net/r/VPNTorrents/comments/s9f36q/list_of_vpns_that_allow_portforwarding_2022/[List of VPNs that support Port Forwarding].

. If the OpenVPN protocol is supported, its tls-crypt must be supported, and the VPN provider must allow connecting to their servers via port 443.
** OpenVPN over SSL or SSH is mandatory for China, Iran, and Egypt.

. Full IPv4 and IPv6 support across all servers.
** On some telecoms, connecting to a VPN server through IPv6 is required.

. Reliable software across multiple operating systems.
** The most problematic: Android TV, iOS/iPadOS, and Linux (especially distros not based on Ubuntu or Fedora).
*** Linux support for most VPNs lacks a graphical interface and lacks features included in their Windows and/or macOS VPN software.

====


.Finding honest VPN reviews or information.
[%collapsible]
====

. https://youtube.com/channel/UCXJWKuGh0qedrYviGEJmlWw[Tom Spark's Reviews] on YouTube, or directly at his https://www.vpntierlist.com/[VPN Tier List] website.

. https://restoreprivacy.com/vpn/best/[RestorePrivacy].

. https://web.archive.org/web/20220929090559/https://thatoneprivacysite.xyz/choosing-the-best-vpn-for-you/[An archive of "That One Privacy Site"], dated 19th December 2019. +
Use it as a second opinion for what justifies a good paid VPN provider.

TIP: Many VPN review websites and videos are dishonest, as Kape Technologies owns many popular VPN review websites to unfairly promote their products as the "best". +
https://restoreprivacy.com/kape-technologies-owns-expressvpn-cyberghost-pia-zenmate-vpn-review-sites/

====


== 4. Confirm the tethering is un-throttled

NOTE: Enable "Data Saver" while USB tethering. This tells Android to restrict data to USB tethering and to whichever app is in the foreground only.

WARNING: If Wi-Fi or Bluetooth tethering is used, Android will forcefully disable "Data Saver".

. Disconnect from the VPN.
. Use https://fast.com[Netflix's Speedtest], then after that's complete use https://www.waveform.com/tools/bufferbloat[Waveform's Bufferbloat Test]. +
This will test for throttling of streaming servers (Netflix), various forms of data fingerprinting, and tethering/hotspot detections.
. Connect to a VPN on the tethered-to (client) device, then repeat the above step.

. Optionally, speedtest again after installing https://github.com/tytydraco/KTweak-Android-App/releases[KTweak] and applying its "throughput" profile.

=== If the VPN can't connect:
. First check if IPv4 or IPv6 is being used to reach the VPN server.
** For T-Mobile, connecting through IPv6 may be required.
. If the VPN still can't connect, try each supported protocol in this order:
** WireGuard -> IKEv2/IPSec -> SoftEther -> AnyConnect [TorGuard only] -> OpenVPN (UDP, port 443) -> OpenVPN (TCP, port 443) -> OpenVPN over SSL (TCP, port 443)


== Appendices

.Learning resources used
[%collapsible]
====

. https://archive.org/download/p173_20220313/p173.pdf
. https://archive.org/download/technology-showcase-policy-control-for-connected-and-tethered-devices/technology-showcase-policy-control-for-connected-and-tethered-devices.pdf
. https://archive.org/download/geneva_ccs19/geneva_ccs19.pdf
. Random XDA forums posts and threads to accumulate personal experiences with hotspot/tethering bypass attempts.

====

*You've reached the end of this guide.* Star it if you liked it.