README.adoc
:experimental:
ifdef::env-github[]
:icons:
:tip-caption: :bulb:
:note-caption: :information_source:
:important-caption: :heavy_exclamation_mark:
:caution-caption: :fire:
:warning-caption: :warning:
endif::[]

== Requirements

* A rooted Android device with an active SIM card.

== If the requirements can't be met

* Get an unlocked Google Pixel phone that supports all radio bands of your telecom.
** Use link:https://www.kimovil.com/en/[Kimovil] to check radio band support. Note that the same phone model sold in different countries supports different bands.
** The recommendation is a link:https://swappa.com/buy/used/google-pixel-4a-5g/unlocked[Pixel 4a (5G)] for $100 USD off Swappa rather than eBay, because Swappa reviews listings by hand and imposes requirements on sellers to prevent scams and false advertising.

== Introduction

.Goals:
* Least amount of speed reduction with no increase in link:https://www.waveform.com/tools/bufferbloat[bufferbloat]; unlike the link:https://github.com/RiFi2k/unlimited-tethering[sshuttle method].
* Difficult for telecoms to prove intentional bypassing of their DPI firewall and tethering detections; unlike the link:https://github.com/krlvm/PowerTunnel-Android[PowerTunnel method].
* Fully bypassing DPI (Deep Packet Inspection), which is used to throttle and tamper with sites such as Netflix or YouTube (to force a low resolution like 480p), and sometimes for censorship.
** A good VPN is required for this goal.
* Works for as many tethered-to devices as possible.

== Preparation

. link:https://topjohnwu.github.io/Magisk/[Install Magisk], then the link:https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf#installation[MagiskHide Props Config] module.
. Install the following apps:
* The link:https://f-droid.org/en/packages/com.termux/[Termux] terminal emulator (link:https://wiki.termux.com/wiki/Termux_Google_Play[from F-Droid only]), and link:https://f-droid.org/en/packages/com.termux.boot/[Termux:Boot].
** Run Termux:Boot once before continuing.
* link:https://apkpure.com/network-signal-guru/com.qtrun.QuickTest[Network Signal Guru for band locking], which can help maintain reliable speeds and/or avoid congested bands for higher speeds.
** Enable "Systemless Hosts" in Magisk's settings, then install link:https://github.com/AdAway/AdAway/releases[AdAway]; use its root method before running Network Signal Guru to block its advertising permanently (for as long as AdAway is installed).

=== A custom kernel with "xt_HL.ko" support

.Testing if "xt_HL.ko" (netfilter's TTL/HL packet mangling) is present:
. Run Termux.
. `$ su`
. `# iptables -t mangle -A POSTROUTING -o null -j TTL --ttl-inc 1; ip6tables -t mangle -A POSTROUTING -o null -j HL --hl-inc 1`
** If there's no output, the kernel has "xt_HL.ko" support. The two test rules match no real interface; they can be removed again by repeating the commands with `-D` in place of `-A`.

=== Downloading a suitable custom kernel

NOTE: The listed kernels include the BBR or BBRv2 TCP congestion control algorithm to link:https://web.archive.org/web/20220313173158/http://web.archive.org/screenshot/https://docs.google.com/spreadsheets/d/1I1NcVVbuC7aq4nGalYxMNz9pgS9OLKcFHssIBlj9xXI[help maintain speeds over bad network conditions].

|===
| 1. momojuro's link:https://forum.xda-developers.com/search/member?user_id=5670369&content=thread[fsociety tribute]; recommended for the Pixel 4A (5G) and Pixel 5.
| 2. Freak07's link:https://forum.xda-developers.com/search/member?user_id=3428502&content=thread[Kirisakura]; recommended for the Pixel 6.
| 3. kdrag0n's link:https://forum.xda-developers.com/search/member?user_id=7291478&content=thread[Proton].
|===

TIP: Not for your device? +
Use these search terms on the link:https://forum.xda-developers.com/search/[XDA Forums] to find other kernels with "xt_HL.ko" support: +
`TTL spoofing`, `TTL target`, `IPtables TTL`, `TTL/HL target`, `TTL module`.

=== Installing a custom kernel

. Install link:https://f-droid.org/en/packages/com.smartpack.busyboxinstaller/[BusyBox].
. Install link:https://apkmody.io/apps/franco-kernel-manager-apk/download[Franco Kernel Manager].
. Run Franco Kernel Manager and go to "Flasher", from where the kernel can be flashed/installed.

== 1. Block Android's snitching

. Run Termux.
. `$ su`
. `# settings delete system tether_entitlement_check_state; settings delete global tether_dun_required`
. `# props`
** "Select an option below." -> "Add/edit custom props" kbd:[5 ↵]
** Select "New custom prop" with kbd:[n ↵]
*** `net.tethering.noprovisioning` kbd:[↵] -> kbd:[true ↵] -> kbd:[y ↵]
**** "Do you want to reboot now?" kbd:[n ↵]
** Select "New custom prop" with kbd:[n ↵]
*** `tether_entitlement_check_state` kbd:[↵]
**** "Are you sure you want to proceed?" kbd:[y ↵] -> kbd:[0 ↵] -> kbd:[y ↵]
**** "Do you want to reboot now?" kbd:[n ↵]
** Select "New custom prop" with kbd:[n ↵]
*** `tether_dun_required` kbd:[↵] -> kbd:[0 ↵] -> kbd:[y ↵]
**** "Do you want to reboot now?" -> kbd:[y ↵]

== 2. Spoof TTL & HL

. Show the currently used network interfaces; this is helpful for troubleshooting if needed.
** `$ netstat -i`
** Open Termux:Boot at least once; this allows it to run at boot while installed.
. Make the script:
** `$ mkdir -p ~/.termux/boot`
** `$ cd ~/.termux/boot`
** `$ nano set-tether-ttl.sh`

[source, shell]
----
#!/bin/sh
# Run as root via Termux:Boot. The first command line deletes any copies of
# the rules left from an earlier run (the && chain stops at the first rule
# that is absent), the second inserts them at the top of the mangle chains.
su -c "iptables -t mangle -D PREROUTING -i v4-rmnet_data+ -j TTL --ttl-inc 1 && \
iptables -t mangle -D POSTROUTING -o v4-rmnet_data+ -j TTL --ttl-inc 1 && \
ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i v4-rmnet_data+ -j HL --hl-inc 1 && \
ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o v4-rmnet_data+ -j HL --hl-inc 1
iptables -t mangle -I PREROUTING -i v4-rmnet_data+ -j TTL --ttl-inc 1 && \
iptables -t mangle -I POSTROUTING -o v4-rmnet_data+ -j TTL --ttl-inc 1 && \
ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i v4-rmnet_data+ -j HL --hl-inc 1 && \
ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o v4-rmnet_data+ -j HL --hl-inc 1"
----

* Run the script:
** `$ chmod +x set-tether-ttl.sh && sh set-tether-ttl.sh`

=== For routers, additional steps are required.

.Asuswrt-Merlin
[%collapsible]
====
. `Advanced Settings - WAN` -> disable `Extend the TTL value` and `Spoof LAN TTL value`.
. `Advanced Settings - Administration`
** `Enable JFFS custom scripts and configs` -> "Yes"
** `Enable SSH` -> "LAN only"
. Replace the LAN IP and login name if needed: `$ ssh 192.168.50.1 -l asus`
** Use other SSH clients if preferred, such as MobaXterm or Termius.
. `# nano /jffs/scripts/wan-event`
+
[source, shell]
----
#!/bin/sh
# Martineau wrote this script
# See https://www.snbforums.com/threads/wan-start-script-also-run-on-wan-stop.61295/#post-542636
#
# v384.15 Introduced wan-event script, (wan-start will be deprecated in a future release.)
#
# wan-event {0 | 1} {stopping | stopped | disconnected | init | connecting | connected}
#
# shellcheck disable=SC2068
Say() {
    printf '%s%s' "$$" "$@" | logger -st "($(basename "$0"))"
}
#========================================================================================================================================
WAN_IF=$1
WAN_STATE=$2

# Call appropriate script based on script_type
SERVICE_SCRIPT_NAME="wan${WAN_IF}-${WAN_STATE}"
SERVICE_SCRIPT_LOG="/tmp/WAN${WAN_IF}_state"

# Execute and log script state
if [ -f "/jffs/scripts/${SERVICE_SCRIPT_NAME}" ]; then
    Say " Script executing.. for wan-event: $SERVICE_SCRIPT_NAME"
    echo "$SERVICE_SCRIPT_NAME" >"$SERVICE_SCRIPT_LOG"
    sh /jffs/scripts/"${SERVICE_SCRIPT_NAME}" "$@"
else
    Say " Script not defined for wan-event: $SERVICE_SCRIPT_NAME"
fi
##@Insert##
----
. `# nano /jffs/scripts/wan0-connected`
+
[source, shell]
----
#!/bin/sh
# HACK: Not sure what to check for exactly; do it too early and the TTL & HL won't get set.
sleep 5s
modprobe xt_HL; wait

# Removes these iptables entries if present; only removes once, so if the same entry is present twice
# (script assumes this never happens), it would need to be removed twice.
iptables -t mangle -D PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -D POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2

# Bypass TTL & HL detections for hotspot/tethering.
## Increments the TTL & HL by 2 (1 for the router, 1 for the devices connected to the router).
iptables -t mangle -I PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -I POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2
----
. Set permissions correctly to avoid this: `custom_script: Found wan-event, but script is not set executable!` +
`# chmod a+rx /jffs/scripts/*` +
`# reboot`
====

.GoldenOrb & OpenWrt via LuCI
[%collapsible]
====
. GoldenOrb specific: `Network` -> `Firewall` -> `Custom TTL Settings`
** Ensure its option is disabled.
. `Network` -> `Firewall` -> `Custom Rules`
+
[source, shell]
----
# Removes these iptables entries if present; only removes once, so if the same entry is present twice
# (script assumes this never happens), it would need to be removed twice.
iptables -t mangle -D PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -D POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2

# Bypass TTL & HL detections for hotspot/tethering.
## Increments the TTL & HL by 2 (1 for the router, 1 for the devices connected to the router).
iptables -t mangle -I PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -I POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2
----
====

== 3. Check TTL & HL

Do this for both the tethering device and the devices being tethered to.

* If the TTL and/or HL isn't exactly the same as on the tethering device, modify `ttl-inc` and `hl-inc` to match.
** inc = increment, dec = decrement; `ttl-inc 2` adds 2 to the TTL, `ttl-dec 1` subtracts 1 from the TTL.
* IPv4/TTL: `$ ping -4 bing.com`
** For Android & macOS: `$ ping bing.com`
* IPv6/HL: `$ ping -6 bing.com`
** For Android & macOS: `$ ping6 bing.com`

== 4. Using a VPN to bypass DPI-based throttling, traffic shaping, and censorship

.Least shady free VPNs; not recommended.
[%collapsible]
====
* Ordered from best to worst:
. link:https://cloudflarewarp.com/[Cloudflare WARP] (never torrent on this). +
You can get the link:https://github.com/TheCaduceus/WARP-UNLIMITED-ADVANCED[paid WARP+ for free]; of the methods listed there, the "Railway App" method is recommended.
. link:https://cryptostorm.is/cryptofree[Cryptofree]
** Using their free WireGuard server is recommended.
. https://protonvpn.com/free-vpn/[ProtonVPN Free]
====

.Open-source VPN protocol comparison; what is suitable for your situation.
[%collapsible]
====
* *WireGuard*, the fastest on reliable internet; easily detected by DPI firewalls.
* *IKEv2/IPSec*, sometimes faster than WireGuard on unreliable internet. Depending on the VPN provider, IKEv2 can either be resistant to DPI firewalls (hide.me's implementation) or not at all.
* *SoftEther*, bypasses DPI firewalls easily with good speeds in general, but is more complicated to set up on non-Windows OSes.
* *OpenVPN3*, resistant to DPI firewalls if tls-crypt is used alongside port 443; China, Iran, and Egypt require OpenVPN over SSL, which further reduces speeds. This protocol isn't efficient and has bufferbloat issues.
====

.Requirements for a good paid VPN provider.
[%collapsible]
====
. Shows which servers are geolocated/virtual (fake location) servers, or has none.
. Addon available (or included) for a dedicated/static/streaming IP, to get around streaming service blocks and other websites using anti-VPN services such as https://blocked.com.
. P2P/link:http://www.bittorrent.org/introduction.html[BitTorrent protocol] isn't blocked on all servers.
** If all servers have this protocol unblocked, it narrows down the hosting services that VPN provider can use. +
This means higher ping/latency for some ISPs/telecoms; low latency is important for online gaming and video conferencing, among others.
. SOCKS5 and HTTPS/SSL proxies provided.
** Some VPNs such as TorGuard use this to allow BitTorrent in countries where it's forbidden; a SOCKS5 proxy located in Canada can carry BitTorrent while you're connected to no VPN server, or to a VPN server located in the United States.
. Ability to port forward at least 5 ports while supporting IPv6; this gauges a VPN provider's attention to detail, even if you never need port forwarding.
** link:https://web.archive.org/web/20220731172057/https://teddit.net/r/VPNTorrents/comments/s9f36q/list_of_vpns_that_allow_portforwarding_2022/[List of VPNs that support Port Forwarding].
. If the OpenVPN protocol is supported, tls-crypt must be supported and the VPN provider must allow connecting to their servers via port 443.
** OpenVPN over SSL or SSH is mandatory for China, Iran, and Egypt.
. Full IPv4 and IPv6 support across all servers.
** On some telecoms, connecting to a VPN server through IPv6 is required.
. Reliable software across multiple operating systems.
** The most problematic: Android TV, iOS/iPadOS, and Linux (especially distros not based on Ubuntu or Fedora).
*** Linux support for most VPNs lacks a graphical interface, and lacks features included in their Windows and/or macOS VPN software.
====

.Finding honest VPN reviews or information.
[%collapsible]
====
. link:https://youtube.com/channel/UCXJWKuGh0qedrYviGEJmlWw[Tom Spark's Reviews] on YouTube, or directly at his link:https://www.vpntierlist.com/[VPN Tier List] website.
. link:https://restoreprivacy.com/vpn/best/[RestorePrivacy].
. link:https://web.archive.org/web/20220929090559/https://thatoneprivacysite.xyz/choosing-the-best-vpn-for-you/[An archive of "That One Privacy Site"], dated 19th December 2019. +
Use it as a second opinion on what justifies a good paid VPN provider.

TIP: Many VPN review websites and videos are dishonest, as Kape Technologies owns many popular VPN review websites and uses them to unfairly promote its own products as the "best". +
https://restoreprivacy.com/kape-technologies-owns-expressvpn-cyberghost-pia-zenmate-vpn-review-sites/
====

TorGuard is the gold standard for other VPNs to follow as of 23 January 2023, except for their Windows or macOS program; hide.me does a better job at it.

NOTE: It's still recommended to review other options for yourself; link:https://torguard.net/network/[TorGuard's server locations], for instance, might not be suitable for you.

== 5. Confirm the tethering is un-throttled

NOTE: Enable "Data Saver" while USB tethering. This tells Android to restrict data to USB tethering and the foreground app only.

WARNING: If Wi-Fi or Bluetooth tethering is used, Android will forcefully disable "Data Saver".

. Disconnect from the VPN.
. Use link:https://fast.com[Netflix's Speedtest], then after that's complete use link:https://www.waveform.com/tools/bufferbloat[Waveform's Bufferbloat Test]. +
This tests for throttling of streaming servers (Netflix), various forms of data fingerprinting, and tethering/hotspot detections.
. Connect to a VPN on the tethered-to device, then repeat the above step.

TIP: link:https://apkpure.com/root-ktweak-%E2%80%94-universal-kern/com.draco.ktweak[KTweak] can potentially increase speeds by using its "throughput" profile.

=== If the VPN can't connect

. First check whether IPv4 or IPv6 is being used to reach the VPN server.
** For T-Mobile, connecting through IPv6 may be required.
. If the VPN still can't connect, try each supported protocol in this order:
** WireGuard -> IKEv2/IPSec -> SoftEther -> AnyConnect [TorGuard only] -> OpenVPN (UDP, port 443) -> OpenVPN (TCP, port 443) -> OpenVPN over SSL (TCP, port 443)

== Appendices

.Learning resources used
[%collapsible]
====
. https://archive.org/download/p173_20220313/p173.pdf
. https://archive.org/download/technology-showcase-policy-control-for-connected-and-tethered-devices/technology-showcase-policy-control-for-connected-and-tethered-devices.pdf
. https://archive.org/download/geneva_ccs19/geneva_ccs19.pdf
====

*You've reached the end of this guide.* Star it if you liked it.
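The check in section 3 ("Check TTL & HL") compares the value ping reports on the tethering phone with the value reported on each tethered device. The POSIX sh script below is an added example and not part of the guide: it pulls the TTL / hop-limit field out of a line of ping output and reports whether two lines agree. Linux and Android ping print `ttl=`, macOS `ping6` prints `hlim=`, and both forms are handled. The sample ping lines and the addresses in them are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide): compare the TTL / hop limit that ping
# reports on the tethering phone with the one reported on a tethered device.
# Linux and Android ping print "ttl=NN"; macOS ping6 prints "hlim=NN".

# Constructed sample ping lines (documentation addresses), standing in for
# the real "ping bing.com" output from the phone and from a tethered laptop.
PHONE_V4='64 bytes from 192.0.2.1: icmp_seq=1 ttl=116 time=12.3 ms'
LAPTOP_V4='64 bytes from 192.0.2.1: icmp_seq=1 ttl=115 time=13.0 ms'
PHONE_V6='16 bytes from 2001:db8::1, icmp_seq=0 hlim=117 time=14.9 ms'

# Print the numeric TTL (IPv4) or hop limit (IPv6) found in one ping line.
# Returns 1 when the line carries neither field (e.g. a timeout line).
hop_value() {
    for word in $1; do
        case $word in
            ttl=*|hlim=*)
                printf '%s\n' "${word#*=}"
                return 0
                ;;
        esac
    done
    return 1
}

# Print (phone value) - (tethered value). 0 means the tethered device shows
# the same value as the phone; anything else is the size of the mismatch.
hop_delta() {
    echo $(( $1 - $2 ))
}

# Human-readable comparison of a phone ping line and a tethered-device ping line.
compare_hops() {
    phone=$(hop_value "$1") || { echo "no ttl/hlim field in phone output"; return 1; }
    other=$(hop_value "$2") || { echo "no ttl/hlim field in tethered output"; return 1; }
    delta=$(hop_delta "$phone" "$other")
    if [ "$delta" -eq 0 ]; then
        echo "match: both report $phone"
    else
        echo "mismatch: phone reports $phone, tethered device reports $other (difference $delta)"
    fi
}

compare_hops "$PHONE_V4" "$LAPTOP_V4"
compare_hops "$PHONE_V4" "$PHONE_V4"
echo "IPv6 hop limit on phone: $(hop_value "$PHONE_V6")"
```

Paste one line of ping output from each device into the two sample variables (or feed real output through `head -n 2 | tail -n 1`) and run the script with `sh`; a reported difference is the amount by which the values in section 3 still disagree.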