mirror of
https://github.com/nermur/no-tethering-restrictions
synced 2024-11-13 19:11:57 +00:00
.gitattributes | ||
LICENSE | ||
README.adoc |
:experimental: ifdef::env-github[] :icons: :tip-caption: :bulb: :note-caption: :information_source: :important-caption: :heavy_exclamation_mark: :caution-caption: :fire: :warning-caption: :warning: endif::[] .Learning resources used [%collapsible] ==== * Read these in order if interested: . https://archive.org/download/p173_20220313/p173.pdf . https://archive.org/download/technology-showcase-policy-control-for-connected-and-tethered-devices/technology-showcase-policy-control-for-connected-and-tethered-devices.pdf . https://archive.org/download/geneva_ccs19/geneva_ccs19.pdf ==== == Requirements * An Android 9 (or newer) device with an active SIM card. ** Older Android versions may need modifications for the Termux TTL & HL script shown later in this guide at "<<Rooted tether device>>". * If not rooted, the ROM must explicitly stop Android from snitching: *** https://github.com/GrapheneOS/platform_frameworks_base/commit/d4e03e77dd590e3ed89af8b72d5c09f875fc46b0 *** https://github.com/GrapheneOS/platform_build/commit/b22db418509758b781699898dc43c1c1d3a94999 == Requirements can't be met Ignore this guide past this section, and try these choices... * Using the link:https://github.com/krlvm/PowerTunnel-Android[PowerTunnel] anti-DPI app. ** You'd use PowerTunnel on tethered to devices by connecting to the transparent HTTP proxy provided by PowerTunnel on the tethering device. *** There's no direct tutorials for this, and I'm planning to write one for it. ** This method makes it very obvious to a telecom that you intentionally bypassed their restrictions and/or throttling. * link:https://github.com/RiFi2k/unlimited-tethering[RiFi2k's SSH tunneling guide]. ** This method isn't obvious to telecoms, but can drastically lower speed on low-end CPUs (CPU matters heavily for both the tethering device, and the tethered to devices), and will add additional link:https://www.waveform.com/tools/bufferbloat[bufferbloat]. * Get an unlocked Google Pixel phone (off Swappa if possible) which supports all radio bands of your telecom; link:https://www.kimovil.com/en/[check that at Kimovil]. The recommendation as of 7 June 2022 is a link:https://swappa.com/buy/used/google-pixel-4a-5g/unlocked[Pixel 4a (5G)]. ** Check the desired phone's band support at link:https://www.kimovil.com/en/[Kimovil] to ensure support for your telecom before buying it. Also look at the "Aliases" of your desired phone on Kimovil for each region to avoid buying a Global phone that doesn't support the bands your theoretical United States telecom requires. == Introduction .This guide is for bypassing firewalls utilizing Deep Packet Inspection (DPI), which are used to throttle & tamper with tethering/hotspot data, and enact censorship for some; the three other main goals with this guide are: * Minor or no (download & upload) speed reduction and no increase in bufferbloat, unlike the SSH or SSL tunneling methods. * Making it difficult for telecoms to prove intentional bypassing of their tethering detections, and consequently their DPI firewall. * Must work for as many tethered to devices as possible. ** Currently not met due to a lack of instructions for OS specific TTL & HL spoofing (for those using a non-rooted tethering device), and needs instructions for more router firmwares. NOTE: Enabling "Data Saver" while USB tethering is recommended to make Android restrict data to USB tethering and what app is at the forefront only. + -> If WiFi/Hotspot tethering is used, Android will forcefully disable "Data Saver". == Using a VPN is likely required * Free, fast, and non-malicious VPN services: ** link:https://cloudflarewarp.com/[Cloudflare WARP] *** Some telecoms may block this due to using the WireGuard protocol. ** link:https://www.vpngate.net/en/[VPN Gate] *** Potentially fast depending on the server chosen, and supports the SoftEther protocol. * VPN protocol comparison (only for protocols worth using): ** *WireGuard*, the fastest on reliable internet, but is easily detected by DPI firewalls. ** *IKEv2/IPSec*, sometimes faster than WireGuard on unreliable internet. Depending on the VPN provider, IKEv2 can either be resistant to DPI firewalls (hide.me's implementation), or not at all. ** *SoftEther*, bypasses DPI firewalls easily with good speeds in general, but is more complicated to setup for non-Windows OSes. ** *OpenVPN3*, resistant to DPI firewalls (outside of China, Iran, and Egypt; unless OpenVPN over SSL is used, which impacts speeds greatly and increases bufferbloat further) if tls-crypt is used alongside port 443. This protocol isn't efficient and has bufferbloat issues; OpenVPN3 makes great strides in improving its situation, but is still inferior to other choices here. .*Good paid VPN providers do the following:* . Transparent communication, alongside either easily accessible forums, a Discord "server"/guild, a Telegram channel/group, or a Matrix channel. . Only bare-metal (dedicated) servers used, with no hard drives (RAM only). ** Bare-metal is faster and more secure than virtual servers ("VPS" / "VDS"), as that machine isn't shared between multiple unaffiliated people. . State all their geolocated (fake) server locations, or have none. . All server locations allow all traffic except outbound port 25. ** P2P should never be blocked, despite also being abuse-prone. . Ability to link:https://airvpn.org/faq/port_forwarding/[select ports to forward]; this heavily gauges if a VPN provider is good, even if you never need port forwarding. ** AirVPN, hide.me (uses UPnP; not selecting specific ports), and Mullvad have the best implementations of port forwarding as of 31 December 2021. *** link:https://web.archive.org/web/20220313235113/https://teddit.net/r/VPNTorrents/comments/s9f36q/list_of_vpns_that_allow_portforwarding_2022/[List of VPNs that allow Port Forwarding]. . SoftEther protocol support. . No PPTP protocol support; PPTP has no security. . If the OpenVPN protocol is supported, its tls-crypt must be supported and for the VPN provider to allow establishing connection to their servers via port 443. ** OpenVPN over SSL or SSH is mandatory for China, Iran, and Egypt. . Full IPv4 and IPv6 support across all servers. ** On some telecoms, connecting to a VPN server through IPv6 is required. == Rooted requirements TIP: If staying non-rooted, skip to <<2. Spoof TTL & HL>>. NOTE: Root allows for: + * Correctly spoofing TTL & HL for every tethered to device, without a need to spoof on the tethered to device separately. + -> Routers however still require their own separate spoofed TTL & HL. + * More consistent and potentially much higher network speeds. WARNING: Root comes at the cost of security; do not leave important content (files, logins...) on a rooted device. + If you plan on using an old phone or tablet as the rooted tethering device, check its bands and LTE category at link:https://cacombos.com[Bands & Combos]; if its LTE category is 6 or lower, don't expect good network speeds from that device for any guide. *1: link:https://topjohnwu.github.io/Magisk/[Install Magisk], then the link:https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf#installation[MagiskHide Props Config] module.* *2: Install the following apps; if needed, use the link:https://gitlab.com/AuroraOSS/AuroraStore/-/releases[Aurora Store] app for installing apps located on the Google Play Store.* * The link:https://f-droid.org/en/packages/com.termux/[Termux] terminal emulator (link:https://wiki.termux.com/wiki/Termux_Google_Play[from F-Droid only]). ** If checking for Termux app updates is desired, use link:https://github.com/NeoApplications/Neo-Store/releases[Neo Store] instead of the official F-Droid app (which is unreliable and uses outdated Android APIs, lessening the security of their app). * link:https://play.google.com/store/apps/details?id=com.draco.ktweak[KTweak for higher network speeds], using its "throughput" profile. * link:https://play.google.com/store/apps/details?id=com.qtrun.QuickTest[Network Signal Guru for band locking], which can help maintain reliable speeds, and/or avoid congested bands for higher speeds. ** link:https://adguard-dns.com/en/public-dns.html[Configure AdGuard DNS manually] before using Network Signal Guru. *** link:https://github.com/AdAway/AdAway/releases[AdAway] is the alternative if you're not willing to change DNS servers, or using a paid VPN (on the tethering device) that has no option to change the DNS servers it uses. *3: Kernel in use must have the "xt_HL.ko" module built-in (netfilter's TTL/HL packet mangling).* * Testing for "xt_HL.ko" support: . Launch Termux. . `$ su` . `# iptables -t mangle -A POSTROUTING -o null -j TTL --ttl-inc 1` . `# ip6tables -t mangle -A POSTROUTING -o null -j HL --hl-inc 1` ** If there's no output, the commands succeeded (kernel has "xt_HL.ko" support). |=== | Kernels with "xt_HL.ko" support, and use the BBR or BBRv2 TCP congestion control algorithm to help link:https://web.archive.org/web/20220313173158/http://web.archive.org/screenshot/https://docs.google.com/spreadsheets/d/1I1NcVVbuC7aq4nGalYxMNz9pgS9OLKcFHssIBlj9xXI[maintain speeds over bad network conditions]: | 1. momojuro's link:https://forum.xda-developers.com/search/member?user_id=5670369&content=thread[fsociety tribute] kernel. + -> I made a complete guide for this kernel here: https://github.com/nermur/pixel-tether-setup | 2. kdrag0n's link:https://forum.xda-developers.com/search/member?user_id=7291478&content=thread[Proton Kernel]. | 3. Freak07's link:https://forum.xda-developers.com/search/member?user_id=3428502&content=thread[Kirisakura] kernel. |=== TIP: Search terms to use on link:https://forum.xda-developers.com/search/[XDA Forums] to find other kernels with "xt_HL.ko" support: + `TTL spoofing`, `TTL target`, `IPtables TTL`, `TTL/HL target`, `TTL module`. == 1. Configure props . Launch Termux. . `$ su` . `# settings delete system tether_entitlement_check_state; settings delete global tether_dun_required` . `# props` ** "Select an option below." -> "Add/edit custom props" kbd:[5 ↵] ** Select "New custom prop" with kbd:[n ↵] *** `net.tethering.noprovisioning` kbd:[↵] -> kbd:[true ↵] -> kbd:[y ↵] **** "Do you want to reboot now?" kbd:[n ↵] ** Select "New custom prop" with kbd:[n ↵] *** `tether_entitlement_check_state` kbd:[↵] **** "Are you sure you want to proceed?" kbd:[y ↵] -> kbd:[0 ↵] -> kbd:[y ↵] **** "Do you want to reboot now?" kbd:[n ↵] ** Select "New custom prop" with kbd:[n ↵] *** `tether_dun_required` kbd:[↵] -> kbd:[0 ↵] -> kbd:[y ↵] **** "Do you want to reboot now?" -> kbd:[y ↵] == 2. Spoof TTL & HL NOTE: For dual (or more) router setups, each router has to apply TTL/HL spoofing of its own. === Router methods .Asuswrt-Merlin [%collapsible] ==== . `Advanced Settings - WAN` -> disable `Extend the TTL value` and `Spoof LAN TTL value`. . `Advanced Settings - Administration` ** `Enable JFFS custom scripts and configs` -> "Yes" ** `Enable SSH` -> "LAN only" . Replace the LAN IP and login name if needed: `$ ssh 192.168.50.1 -l asus` ** Use other SSH clients if preferred, such as MobaXterm or Termius. . `# nano /jffs/scripts/wan-event` [source, shell] ---- #!/bin/sh # Martineau wrote this script # See https://www.snbforums.com/threads/wan-start-script-also-run-on-wan-stop.61295/#post-542636 # # v384.15 Introduced wan-event script, (wan-start will be deprecated in a future release.) # # wan-event {0 | 1} {stopping | stopped | disconnected | init | connecting | connected} # # shellcheck disable=SC2068 Say() { printf '%s%s' "$$" "$@" | logger -st "($(basename "$0"))" } #======================================================================================================================================== WAN_IF=$1 WAN_STATE=$2 # Call appropriate script based on script_type SERVICE_SCRIPT_NAME="wan${WAN_IF}-${WAN_STATE}" SERVICE_SCRIPT_LOG="/tmp/WAN${WAN_IF}_state" # Execute and log script state if [ -f "/jffs/scripts/${SERVICE_SCRIPT_NAME}" ]; then Say " Script executing.. for wan-event: $SERVICE_SCRIPT_NAME" echo "$SERVICE_SCRIPT_NAME" >"$SERVICE_SCRIPT_LOG" sh /jffs/scripts/"${SERVICE_SCRIPT_NAME}" "$@" else Say " Script not defined for wan-event: $SERVICE_SCRIPT_NAME" fi ##@Insert## ---- `# nano /jffs/scripts/wan0-connected` [source, shell] ---- #!/bin/sh # HACK: Not sure what to check for exactly; do it too early and the TTL & HL don't get set. sleep 5s modprobe xt_HL; wait # Removes these iptables entries if present; only removes once, so if the same entry is present twice (script assumes this never happens), it would need to be removed twice. iptables -t mangle -D PREROUTING -i usb+ -j TTL --ttl-inc 2 iptables -t mangle -D POSTROUTING -o usb+ -j TTL --ttl-inc 2 ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2 ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2 # Bypass TTL & HL detections for hotspot/tethering. ## Increments the TTL & HL by 2 (1 for the router, 1 for the devices connected to the router). iptables -t mangle -I PREROUTING -i usb+ -j TTL --ttl-inc 2 iptables -t mangle -I POSTROUTING -o usb+ -j TTL --ttl-inc 2 ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2 ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2 ---- Have to set permissions correctly to avoid this: `custom_script: Found wan-event, but script is not set executable!` + `# chmod a+rx /jffs/scripts/*` + `# reboot` ___ ==== .GoldenOrb & OpenWrt via LuCI [%collapsible] ==== . GoldenOrb specific: `Network` -> `Firewall` -> `Custom TTL Settings` ** Ensure its option is disabled. . `Network` -> `Firewall` -> `Custom Rules` [source, shell] ---- # Removes these iptables entries if present; only removes once, so if the same entry is present twice (script assumes this never happens), it would need to be removed twice. iptables -t mangle -D PREROUTING -i usb+ -j TTL --ttl-inc 2 iptables -t mangle -D POSTROUTING -o usb+ -j TTL --ttl-inc 2 ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2 ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2 # Bypass TTL & HL detections for hotspot/tethering. ## Increments the TTL & HL by 2 (1 for the router, 1 for the devices connected to the router). iptables -t mangle -I PREROUTING -i usb+ -j TTL --ttl-inc 2 iptables -t mangle -I POSTROUTING -o usb+ -j TTL --ttl-inc 2 ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2 ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2 ---- ___ ==== NOTE: For unlisted router firmwares, if you get TTL & HL spoofing functional, please edit README.adoc to include instructions for that firmware, then make a Pull Request once you're done. === Rooted tether device * Show the currently used network interfaces; it's helpful for troubleshooting if needed. ** `$ netstat -i` * link:https://f-droid.org/en/packages/com.termux.boot/[Install Termux:Boot]. ** Open Termux:Boot at least once, this allows it to run at boot while installed. * Make the script: . `$ mkdir -p ~/.termux/boot` . `$ cd ~/.termux/boot` . `$ nano set-tether-ttl.sh` [source, shell] ---- #!/bin/sh su -c "iptables -t mangle -D PREROUTING -i v4-rmnet_data+ -j TTL --ttl-inc 1 && \ iptables -t mangle -D POSTROUTING -o v4-rmnet_data+ -j TTL --ttl-inc 1 && \ ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i v4-rmnet_data+ -j HL --hl-inc 1 && \ ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o v4-rmnet_data+ -j HL --hl-inc 1 iptables -t mangle -I PREROUTING -i v4-rmnet_data+ -j TTL --ttl-inc 1 && \ iptables -t mangle -I POSTROUTING -o v4-rmnet_data+ -j TTL --ttl-inc 1 && \ ip6tables -t mangle -I PREROUTING ! -p icmpv6 -i v4-rmnet_data+ -j HL --hl-inc 1 && \ ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o v4-rmnet_data+ -j HL --hl-inc 1" ---- * Launch the script: ** `$ chmod +x set-tether-ttl.sh && sh set-tether-ttl.sh` *** Termux:Boot will automatically run set-tether-ttl.sh after startup/boot, though it will break if the interface name changes, which I cannot test nor know if this happens on Android, and if it does it may be specific to a ROM. == 3. Check TTL & HL Do this for both the tethering device, and the devices being tethered to. * If the TTL and/or HL isn't exactly the same as the tethering device, then modify the `ttl-inc` and `hl-inc` to match. ** inc = increment, dec = decrement; `ttl-inc 2` adds to the TTL by 2, `ttl-dec 1` subtracts the TTL by 1. * IPv4/TTL: `$ ping -4 bing.com` ** For Android & macOS: `$ ping bing.com` * IPv6/HL: `$ ping -6 bing.com` ** For Android & macOS: `$ ping6 bing.com` == 4. Confirm the tethering is unthrottled NOTE: If your telecom doesn't charge $$$ for going over the hotspot/tethering data limit, max out its cap before proceeding. + It'll make it easy to determine if this works, as after maxing the cap, some telecoms will use more tactics to ensure you're in line with how they want you to use their service. * Disconnect from any VPNs. * Use link:https://fast.com[Netflix's Speedtest], then after that's complete use link:https://www.waveform.com/tools/bufferbloat[Waveform's Bufferbloat Test]. This will test for throttling of streaming servers (Netflix), various forms of fingerprinting, and tethering/hotspot detections. * Connect to a VPN, then repeat the above step. ** If the speeds are lower than expected on all VPN protocols, connect to the VPN on a device that hardware accelerates the cryptography used, such as link:https://web.archive.org/web/20220314000051/https://wikiless.org/wiki/AES_instruction_set?lang=en[AES-NI] for x86_64 processors. NOTE: If the VPN can't connect, first check if IPv4 or IPv6 is being used to reach the VPN server; on T-Mobile, connecting through IPv6 may be required. + If the VPN still can't connect, change its protocol used in this order: + WireGuard -> IKEv2/IPSec -> SoftEther -> OpenVPN (UDP, port 443) -> OpenVPN (TCP, port 443) -> OpenVPN over SSL (TCP, port 443) TIP: + If this guide worked, then Star this repository!