I've finally managed to figure it out, thanks to the threads here on XDA.
How to enable WiFi Tethering with all traffic routed through VPN
Current setup
Galaxy Note 2 (T-Mobile), Rooted, Android 4.1.2, stock TW ROM
Applications needed
- WiFi Tether Widget "Tethering Widget" from the Play store (I'm using the one by Hi-Develop)
- RootExplorer with root access
- adbd Insecure (by Chainfire) from the Play Store or from
http://xdaforums.com/showthread.php?t=1687590
- APN Backup and Restore from
http://xdaforums.com/showthread.php?t=1962752
- Shell script to forward traffic from
http://xdaforums.com/showthread.php?t=1766020&page=4
(I named the script ipforward.sh)
Code:
#!/system/bin/sh
# Flush any existing forward and NAT rules, then allow everything to be
# forwarded and masquerade it behind the phone's outgoing address.
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
Steps for PC Setup
1. Root your phone
2. Install WiFi Tether Widget
3. Install RootExplorer
4. Install adbd Insecure
5. Extract files from APN Backup and Restore thread to your PC
6. Install Android Commander on Windows PC
7. Copy the new APN .xml file to phone in folder "ApnBackupRestore"
8. Copy the shell script to any folder you want (I just put it in the Downloads folder)
9. Run adbd Insecure on phone (needed to allow Android Commander to install apks)
10. Run Android Commander on Windows PC (make sure root is OK, see the above thread for details)
11. Install APN Backup and Restore as a System App
12. Close Android Commander
13. Open APN Backup and Restore on your phone
14. Dismiss the warning
15. Click on the menu and disable ICS check
16. Close APN Backup and Restore (fully close)
17. Reopen APN Backup and Restore
18. You can choose to backup the original APN now
19. Click on Delete APN
20. Click on Restore APN and choose the new t-mobile.xml from WarlockW
21. Enable tethering from the tethering widget (supposedly the stock app will overwrite the APNs, so don't use it)
22. Enable VPN
23. Open Root Explorer and go to the directory you copied ipforward.sh
24. Click on ipforward.sh and choose Execute
25. Output should be 0 and nulls
You now have tethering enabled and all clients tethered to your device will also be tunneled through VPN.
Now every time you want to tether, you need to:
1. Run tether widget
2. Start VPN
3. Run shell script from root explorer to forward traffic to VPN tunnel
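A tighter variant of the forwarding script, added here as an example and not taken from any of the threads above: instead of accepting and masquerading all forwarded traffic, it only lets client traffic leave through the tunnel, so if the VPN drops the clients stop working rather than falling back to the mobile data interface. It assumes the tethered clients are on wlan0 and the VPN creates tun0; both interface names are assumptions and should be checked on your device.

```shell
#!/system/bin/sh
# Added example, not the ipforward.sh from the thread.
# Assumed interface names: tethered clients on wlan0, VPN tunnel on tun0.
# Set IPT=echo to preview the rules without root (used by the self-test).

# True if the kernel knows the interface, so we never install rules
# before the VPN app has actually brought the tunnel up.
vpn_if_present() {
    [ -d "/sys/class/net/$1" ]
}

apply_rules() {
    vpn_if="$1"   # tunnel interface created by the VPN app
    lan_if="$2"   # interface the tethered clients connect on
    ipt="${IPT:-iptables}"

    # Start from a clean slate, as the original script does.
    "$ipt" -t filter -F FORWARD
    "$ipt" -t nat -F POSTROUTING

    # Client traffic may only be forwarded into the tunnel, and replies
    # only back out to the clients.
    "$ipt" -t filter -A FORWARD -i "$lan_if" -o "$vpn_if" -j ACCEPT
    "$ipt" -t filter -A FORWARD -i "$vpn_if" -o "$lan_if" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anything else a client tries to forward (for example straight out the
    # mobile interface after the VPN has dropped) is refused: a kill switch.
    "$ipt" -t filter -A FORWARD -i "$lan_if" -j DROP

    # NAT only on the tunnel, not on every outgoing interface.
    "$ipt" -t nat -A POSTROUTING -o "$vpn_if" -j MASQUERADE
}

main() {
    vpn="${1:-tun0}"
    lan="${2:-wlan0}"
    if ! vpn_if_present "$vpn"; then
        echo "VPN interface $vpn is not up; start the VPN first" >&2
        return 1
    fi
    apply_rules "$vpn" "$lan"
}

# Only run when invoked as a script under this (assumed) file name.
[ "$(basename "$0")" = "vpn_tether.sh" ] && main "$@"
```

Run it the same way as ipforward.sh (Root Explorer, Execute) after the VPN is up; if the tunnel is down it refuses to install the rules instead of silently masquerading everything.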
Background
It seems like the stock T-mo tethering app would route all client traffic through the phone's default IP address and not use the VPN. This probably helps them monitor the type of traffic. TrevE mod also did not work for me after the 4.1.2 update, and I'm not sure what I was doing wrong. Somehow, the hidden APN used for tethering was preventing tethered traffic from going through a VPN tunnel. I did not want to mess with the APNs, but in the end this was the only solution that worked for me. I triple checked my IP address on the phone before and after VPN and also on the clients before and after VPN. This method seems to do the trick.
Routing client traffic through VPN is useful for many reasons, so I hope this solution works for others as well. Thanks to all the authors of the threads above as they were key to making this happen. The setup is somewhat involved, but the final solution is not too cumbersome.