[APP][ROOT][6+] Tether TPROXY v0.1 (USB, Wifi Hotspot, Ethernet)

Search This thread

fddm

Senior Member
Feb 24, 2011
471
283
Screenshot (Mar 27, 2022 11 29 09 PM).png

Tether TPROXY uses iptables tproxy rules to capture tethered traffic and route it through a local proxy. This allows you to tether through your phone's internet source, be it a VPN or whatever else. Should also bypass APN classification and TTL/HL DPI checks. It supports TCP and UDP for IPv4 and IPv6. It can not proxy raw packets like ICMP, you can disable "Prevent Leaking" if required for your setup.

Tether TPROXY should support all tethering operations(USB, Wifi Hotspot, Ethernet). It does not enable tethering, that needs to be done manually.

Options:
Prevent Leaking - Allow traffic to exit through tproxy exclusively. Drops traffic on the forward chain of the filter table.
DPI Circumvention - Passes traffic on ports 80 and 443 to tpws to skirt DPI. Gives you proper fast.com scores.
Enable Dnsmasq - Bypass the built-in services and use Dnsmasq to provide DHCP/DHCP6/SLAAC/DNS.
IPv4 Address* - Lets you pick your IPv4 address/prefix. Makes it possible to set static addresses on your devices.
IPv6 Prefix* - ULA makes devices prefer using IPv4, GUA makes devices prefer IPv6.
*Only takes effect when Dnsmasq is enabled

Notes:
-After disabling the service, you will need to restart any active tethers you have running
-You may need to set APN protocol to IPv6 or IPv4/IPv6 to enable IPv6 for your mobile network.
-Dnsmasq can be used to get IPv6 working, but it is not recommended if you want traffic to leak.
-When using Dnsmasq, clients connected before the service is started will need to reconnect to get new addresses/routes.

Requires a kernel built with CONFIG_NETFILTER_XT_TARGET_TPROXY

Dependencies:
hev-socks5-server - https://github.com/heiher/hev-socks5-server
hev-socks5-tproxy - https://github.com/heiher/hev-socks5-tproxy
tpws - https://github.com/bol-van/zapret
Dnsmasq - https://github.com/worstperson/dnsmasq

Source:

Download:
 

Attachments

  • app-debug.apk
    4.3 MB · Views: 1,782
Last edited:

fddm

Senior Member
Feb 24, 2011
471
283
[How it works]
When the service is enabled, it applies iptables rules and starts any servers required. These rules do not depend on the interface so they apply to all tethered traffic with no additions. This alone is enough for IPv4 to work.

The service also listens to "android.net.conn.TETHER_STATE_CHANGED" which fires whenever tethering is enabled or disabled. The service waits 5 seconds and then checks for Android's Dnsmasq listening on port 53 to tell if tethering is active. That IP is checked against established routes to get the active tether interface. With that, we can find it's IPv6 address and add an exception to allow IPv6 to work. If Dnsmasq is enabled, we also set IPs and routes at this point.

To get Dnsmasq to work, we need to make it use alternative ports with the options "--port=5353" and "--dhcp-alternate-port=6767,68". Then 3 iptables are used to make clients use them. One takes DHCP broadcasts and redirects them to port 6767, the second takes DNS requests and redirects them to port 5353, and the final rule blocks Router Advertisement packets from non-root processes.
 
Last edited:
  • Like
Reactions: Mar-cel

kkuhle

Senior Member
Jul 16, 2013
125
40
Is this tested on Android 12.1? I enable the service, and the app shows Kernal TPROXY Support = PASS as well as having DPI Circumvention enabled selected.

Screenshot_20220401-072859.png


I turn on my hotspot after enabling the service and I am still getting throttled to ~.5 mpbs. Are there any additional steps I missed or should try?

I'm using a Pixel 5A 5G on T-mobile with March update.
 
Last edited:

fddm

Senior Member
Feb 24, 2011
471
283
I turn on my hotspot after enabling the service and I am still getting throttled to ~.5 mpbs. Are there any additional steps I missed or should try?
Thanks for reporting!
Since you have "Prevent Leaking" enabled in your picture and the client(s) you have tested are able to access the internet after the service is started, I can know for sure that everything has loaded up correctly and tethered traffic is being successfully routed through the hex-socks5 and tpws proxies. I thought maybe tpws was exposing the TTL/HL of your traffic, but that is not the case, both hex-socks5 and tpws recreate packets with the TTL of the host(64).

I'm afraid I don't have a solution for you if the above information is correct/complete, it really should be working.

Just an added note, DPI Circumvention is mostly just for video, to access higher resolutions on services like Youtube or Netflix.
 
Last edited:

kkuhle

Senior Member
Jul 16, 2013
125
40
I tested this on Android 11, and it generally worked pretty flawlessly. I tried going back to Android 12 and seemed that it was working (speeds were not being capped). However, it seems to generally sooner than later start causing data connection to stop working altogether so hotspot clients of course aren't able to get an internet connection either.
 

fddm

Senior Member
Feb 24, 2011
471
283
I tested this on Android 11, and it generally worked pretty flawlessly. I tried going back to Android 12 and seemed that it was working (speeds were not being capped). However, it seems to generally sooner than later start causing data connection to stop working altogether so hotspot clients of course aren't able to get an internet connection either.
Thank you for the report! My devices are all A11 atm, I'll flash a GSI to one of them to see if I can reproduce. I'll also try to post a new version soon as this initial release is very rough.
 

kkuhle

Senior Member
Jul 16, 2013
125
40
Thank you for the report! My devices are all A11 atm, I'll flash a GSI to one of them to see if I can reproduce. I'll also try to post a new version soon as this initial release is very rough.
Welcome! I wanted to add that I started trying to use USB tethering hotspot yesterday instead of wifi hotspot. With usb tethering, my connection seemed to be rock solid (still A12) for a few hours as I used it. I had a couple additional devices that I just extended my hotspot on from my laptop settings. I only selected "Enable Service" in Tether TPROXY this time. Here is my usage from yesterday.

1650035516157.png

Total data over 15G and only 2.5 being recognized as Hotspot. There were some times where I disabled the service as it was causing me issues with the wifi hotspot (before I figured out the USB tethering was working nicely), so it may all be from that. I also didn't enable "Prevent Leaking" so I'll have to mess around with that next time I need it and see how/if usage changes.

I haven't been able to find anything else for Android 12 that has done what it claims when I was searching a couple weeks ago. Thanks a ton for this!
 

kkuhle

Senior Member
Jul 16, 2013
125
40
I spoke too soon. I can't get this to work anymore. It generally seems to cause my mobile network to stop working. I am over my mobile hotspot cap, so maybe that has someting to do with it.
 

shield616_666

New member
Sep 26, 2022
1
0
I know it’s a dumb question. But I rooted my phone with only READ access to system files since I still can’t figure out how to do that. I wonder if it’s possible for me to use this app with just root?
 

fddm

Senior Member
Feb 24, 2011
471
283
I know it’s a dumb question. But I rooted my phone with only READ access to system files since I still can’t figure out how to do that. I wonder if it’s possible for me to use this app with just root?
Only root is required, you do not need system r/w. This app is in an still in an early alpha state though.
 
View attachment 5572677

Tether TPROXY uses iptables tproxy rules to capture tethered traffic and route it through a local proxy. This allows you to tether through your phone's internet source, be it a VPN or whatever else. Should also bypass APN classification and TTL/HL DPI checks. It supports TCP and UDP for IPv4 and IPv6. It can not proxy raw packets like ICMP, you can disable "Prevent Leaking" if required for your setup.

Tether TPROXY should support all tethering operations(USB, Wifi Hotspot, Ethernet). It does not enable tethering, that needs to be done manually.

Options:
Prevent Leaking - Allow traffic to exit through tproxy exclusively. Drops traffic on the forward chain of the filter table.
DPI Circumvention - Passes traffic on ports 80 and 443 to tpws to skirt DPI. Gives you proper fast.com scores.
Enable Dnsmasq - Bypass the built-in services and use Dnsmasq to provide DHCP/DHCP6/SLAAC/DNS.
IPv4 Address* - Lets you pick your IPv4 address/prefix. Makes it possible to set static addresses on your devices.
IPv6 Prefix* - ULA makes devices prefer using IPv4, GUA makes devices prefer IPv6.
*Only takes effect when Dnsmasq is enabled

Notes:
-After disabling the service, you will need to restart any active tethers you have running
-You may need to set APN protocol to IPv6 or IPv4/IPv6 to enable IPv6 for your mobile network.
-Dnsmasq can be used to get IPv6 working, but it is not recommended if you want traffic to leak.
-When using Dnsmasq, clients connected before the service is started will need to reconnect to get new addresses/routes.

Requires a kernel built with CONFIG_NETFILTER_XT_TARGET_TPROXY

Dependencies:
hev-socks5-server - https://github.com/heiher/hev-socks5-server
hev-socks5-tproxy - https://github.com/heiher/hev-socks5-tproxy
tpws - https://github.com/bol-van/zapret
Dnsmasq - https://github.com/worstperson/dnsmasq

Source:

Download:
Thank you for this. Works like a charm to bypass a T-Mobile hotspot throttle. Awesome job, thank you
 

J0nhy

Senior Member
Jan 22, 2016
321
86
Something weird happens with this app, don't know if it supposed to happen like that but when this app is enable on my pixel 7 pro I'm able to share my hotspot with no problem but my current device gets no data at all, I don't know how to explain it, i might do a vid to show this to you
 

fddm

Senior Member
Feb 24, 2011
471
283
Something weird happens with this app, don't know if it supposed to happen like that but when this app is enable on my pixel 7 pro I'm able to share my hotspot with no problem but my current device gets no data at all, I don't know how to explain it, i might do a vid to show this to you
That is very weird and unintended. I suppose your running Android 13, so I'll need to get a test device set up so I can reproduce. Thanks for reporting!
 

J0nhy

Senior Member
Jan 22, 2016
321
86
Bro is this project dead? Btw it works fine on TMobile, but can't get it to work on Verizon :(
 

fddm

Senior Member
Feb 24, 2011
471
283
Bro is this project dead? Btw it works fine on TMobile, but can't get it to work on Verizon :(
Mind sharing more information? Are these the same device, stock or custom firmware? If it's carrier software/modifications flagging traffic, I can add some code automatically add 'dun' to your APN type and it should work around it.
 

J0nhy

Senior Member
Jan 22, 2016
321
86
Mind sharing more information? Are these the same device, stock or custom firmware? If it's carrier software/modifications flagging traffic, I can add some code automatically add 'dun' to your APN type and it should work around it.
Yep same device both on esim 5g, custom firmware "paranoid android" on pixel 7 pro, but i have tested on stock firmware and it's the same, I'm able to hotspot using "hotspot vpn" but traffic needs to go thru a VPN
 

fddm

Senior Member
Feb 24, 2011
471
283
Yep same device both on esim 5g, custom firmware "paranoid android" on pixel 7 pro, but i have tested on stock firmware and it's the same, I'm able to hotspot using "hotspot vpn" but traffic needs to go thru a VPN
Is this a dual esim setup? Mind sharing the output of this command from adb or a terminal app so I can be sure the patch updates the correct APN?
Code:
su
content query --uri content://telephony/carriers/preferapn

The fix will look something like this, but I don't have a device with multiple SIMs, so it only touches the first APN returned currently.
Java:
static void setDunApn() {
    Log.w("TetherTPROXY", "Checking APN type for dun");
    // get current id and apn type
    Shell.Result command = Shell.cmd("content query --uri content://telephony/carriers/preferapn --projection _id:type | awk -F '[=,]' '{print $2,$4}'").exec();
    if ( command.isSuccess() ) {
        String[] parts = command.getOut().get(0).split(" ");
        if ( parts.length == 2 && !parts[1].contains("dun")) {
            Log.w("TetherTPROXY", "Setting APN type for dun");
            // update type field with dun
           Shell.cmd("content update --uri content://telephony/carriers --where \"_id=" + parts[0] + "\" --bind type:s:" + parts[1] + ",dun --bind edited:i:0").exec().getOut();
            // restart data
            Shell.cmd("svc data disable").exec().getOut();
            Shell.cmd("svc data enable").exec().getOut();
        }
    }
}
 

JDToo

Member
Feb 1, 2015
16
1
Thanks for developing this app. I will have to try it even though I already have a couple of free working tethering solutions. It never hurts to have another tool for the toolshed given how things change with carriers. I take it that your app basically "proxifies/socksifies" traffic on the phone's tether interfaces to a local SOCKS5 proxy service/app on the phone.

By the way too many acronyms above. "DPI" is "deep packet inspection" for anyone else who wondered. I understand why you abbreviated it in the UI due to the length, but not in the description.

For IPv6 "GUA" is global unicast addresses (Internet routable) and "ULA" is unique local addresses (private IP addresses). I am not sure why you would want to choose a ULA in this situation since the goal is Internet access. Are the IP addresses on that configuration screen in the screenshot above the local addresses for the SOCKS5 proxy? If so, would using a ULA address for its IPv6 address mean that the clients would also need ULA addresses to access it? If so, how would the clients get those addresses? Self-generate them or does that setting set dnsmasq to issue ULA IPv6's to the tethered clients? Since (if?) you are using a SOCKS5 proxy to send the Internet traffic I am not sure why you say above that using "ULA" for IPv6 will prefer IPv4 when the IPv4 address is also a private one. Why favor private IPv4 over private IPv6?
 
Last edited:

J0nhy

Senior Member
Jan 22, 2016
321
86
Is this a dual esim setup? Mind sharing the output of this command from adb or a terminal app so I can be sure the patch updates the correct APN?
Code:
su
content query --uri content://telephony/carriers/preferapn

The fix will look something like this, but I don't have a device with multiple SIMs, so it only touches the first APN returned currently.
Java:
static void setDunApn() {
    Log.w("TetherTPROXY", "Checking APN type for dun");
    // get current id and apn type
    Shell.Result command = Shell.cmd("content query --uri content://telephony/carriers/preferapn --projection _id:type | awk -F '[=,]' '{print $2,$4}'").exec();
    if ( command.isSuccess() ) {
        String[] parts = command.getOut().get(0).split(" ");
        if ( parts.length == 2 && !parts[1].contains("dun")) {
            Log.w("TetherTPROXY", "Setting APN type for dun");
            // update type field with dun
           Shell.cmd("content update --uri content://telephony/carriers --where \"_id=" + parts[0] + "\" --bind type:s:" + parts[1] + ",dun --bind edited:i:0").exec().getOut();
            // restart data
            Shell.cmd("svc data disable").exec().getOut();
            Shell.cmd("svc data enable").exec().getOut();
        }
    }
}
The outcome for that command is:
i content://telephony/carriers/preferapn <
Row: 0 _id=1229, name=Verizon, numeric=311480, mcc=311, mnc=480, carrier_id=-1, apn=VZWINTERNET, user=, server=, password=, proxy=, port=, mmsproxy=, mmsport=, mmsc=, authtype=-1, type=default,dun,supl, current=1, protocol=IPV4V6, roaming_protocol=IP, carrier_enabled=1, bearer=0, bearer_bitmask=0, network_type_bitmask=0, lingering_network_type_bitmask=0, mvno_type=, mvno_match_data=, sub_id=-1, profile_id=0, modem_cognitive=1, max_conns=0, wait_time=0, max_conns_time=0, mtu=0, mtu_v4=0, mtu_v6=0, edited=0, user_visible=1, user_editable=1, owned_by=1, apn_set_id=0, skip_464xlat=-1, always_on=0
 

Top Liked Posts

  • There are no posts matching your filters.
  • 3
    Screenshot (Mar 27, 2022 11 29 09 PM).png

    Tether TPROXY uses iptables tproxy rules to capture tethered traffic and route it through a local proxy. This allows you to tether through your phone's internet source, be it a VPN or whatever else. Should also bypass APN classification and TTL/HL DPI checks. It supports TCP and UDP for IPv4 and IPv6. It can not proxy raw packets like ICMP, you can disable "Prevent Leaking" if required for your setup.

    Tether TPROXY should support all tethering operations(USB, Wifi Hotspot, Ethernet). It does not enable tethering, that needs to be done manually.

    Options:
    Prevent Leaking - Allow traffic to exit through tproxy exclusively. Drops traffic on the forward chain of the filter table.
    DPI Circumvention - Passes traffic on ports 80 and 443 to tpws to skirt DPI. Gives you proper fast.com scores.
    Enable Dnsmasq - Bypass the built-in services and use Dnsmasq to provide DHCP/DHCP6/SLAAC/DNS.
    IPv4 Address* - Lets you pick your IPv4 address/prefix. Makes it possible to set static addresses on your devices.
    IPv6 Prefix* - ULA makes devices prefer using IPv4, GUA makes devices prefer IPv6.
    *Only takes effect when Dnsmasq is enabled

    Notes:
    -After disabling the service, you will need to restart any active tethers you have running
    -You may need to set APN protocol to IPv6 or IPv4/IPv6 to enable IPv6 for your mobile network.
    -Dnsmasq can be used to get IPv6 working, but it is not recommended if you want traffic to leak.
    -When using Dnsmasq, clients connected before the service is started will need to reconnect to get new addresses/routes.

    Requires a kernel built with CONFIG_NETFILTER_XT_TARGET_TPROXY

    Dependencies:
    hev-socks5-server - https://github.com/heiher/hev-socks5-server
    hev-socks5-tproxy - https://github.com/heiher/hev-socks5-tproxy
    tpws - https://github.com/bol-van/zapret
    Dnsmasq - https://github.com/worstperson/dnsmasq

    Source:

    Download:
    1
    [How it works]
    When the service is enabled, it applies iptables rules and starts any servers required. These rules do not depend on the interface so they apply to all tethered traffic with no additions. This alone is enough for IPv4 to work.

    The service also listens to "android.net.conn.TETHER_STATE_CHANGED" which fires whenever tethering is enabled or disabled. The service waits 5 seconds and then checks for Android's Dnsmasq listening on port 53 to tell if tethering is active. That IP is checked against established routes to get the active tether interface. With that, we can find it's IPv6 address and add an exception to allow IPv6 to work. If Dnsmasq is enabled, we also set IPs and routes at this point.

    To get Dnsmasq to work, we need to make it use alternative ports with the options "--port=5353" and "--dhcp-alternate-port=6767,68". Then 3 iptables are used to make clients use them. One takes DHCP broadcasts and redirects them to port 6767, the second takes DNS requests and redirects them to port 5353, and the final rule blocks Router Advertisement packets from non-root processes.
    1
    1
    Thanks for reporting back! Unfortunately you already have dun set in your primary APN, so that's not what is causing the issue here. I don't have a subscription to the VZW network and am unable to do testing for this issue. When you say that it doesn't work, is it that no traffic passes, that traffic counts towards your tethering allotment, or it's throttled down as if it were regular tethered traffic?

    I take it that your app basically "proxifies/socksifies" traffic on the phone's tether interfaces to a local SOCKS5 proxy service/app on the phone.
    That's right, it uses the iptables tproxy module supported on most modern Android phones to redirect tethered traffic through a local proxy. The idea is that packets are recreated on the phone with the correct TTL/HL and the origin of the traffic is obscured.

    What's most interesting about this approach to me is that you could run the proxy server on the phone, tproxy server on an OpenWRT device, and connect them through an adb tunnel. This in theory would bypass entitlement, APN dun profile, and TTL/HL dpi detection - all with a phone that is in an entirely stock state.

    For IPv6 "GUA" is global unicast addresses (Internet routable) and "ULA" is unique local addresses (private IP addresses). I am not sure why you would want to choose a ULA in this situation since the goal is Internet access. Are the IP addresses on that configuration screen in the screenshot above the local addresses for the SOCKS5 proxy? If so, would using a ULA address for its IPv6 address mean that the clients would also need ULA addresses to access it? If so, how would the clients get those addresses? Self-generate them or does that setting set dnsmasq to issue ULA IPv6's to the tethered clients? Since (if?) you are using a SOCKS5 proxy to send the Internet traffic I am not sure why you say above that using "ULA" for IPv6 will prefer IPv4 when the IPv4 address is also a private one. Why favor private IPv4 over private IPv6?
    This setting effects the preferred protocol version for connected clients (per RFC 3484). GUA tells DNSMASQ to assign local IPs in the 2001:db8::/64 range, which is treated like a real public address, so clients will prefer sending their traffic through IPv6. ULA assigns addresses in the fd00::/64 range, so clients will send traffic through IPv4 by default.
    1
    Since you have root, you can just install the kmod-usb-net-rndis in OpenWRT, bridge usb0 to lan, and disable DHCP. That'll let you use your phone's USB tethering as a wan to serve your network.
    Add kernel RNDIS support:
    Code:
    opkg update
    opkg install kmod-usb-net-rndis

    Network -> Interfaces -> Devices Tab
    -> Configure br-lan

    Bridge Ports: add usb0

    Network -> Interfaces -> LAN
    -> DHCP Server
    --> General Setup

    Check "Ignore interface"

    For routers, I find Linksys to be the cheapest. You'll want a Qualcomm or Mediatek CPU with a USB2+ port. There is a bug with Qualcomm USB3 where the driver can crash when plugging in a phone. This is easily fixed with a script, but it's easier to just recommend Mediatek hardware:
    You need to pay attention to the hardware version when purchasing though, different versions of the same model often have wildly different hardware.

    If you edit your APN settings for your APN protocols to "IPv4" and have "dun" in APN type, then you can add this to the router to automatically bypass tether limitations without any app:
    Lets you set the outgoing TTL if your unable to set it on your phone. IPv4 only.

    Code:
    opkg update
    opkg install iptables-mod-ipopt
    opkg install iptables-mod-physdev

    System -> Startup -> Local startup
    Code:
    sysctl -w net.bridge.bridge-nf-call-arptables=1
    sysctl -w net.bridge.bridge-nf-call-iptables=1
    sysctl -w net.bridge.bridge-nf-call-ip6tables=1

    Network -> Firewall -> Custom Rules
    Code:
    iptables -t mangle -I POSTROUTING -m physdev --physdev-out usb0 -j TTL --ttl-set 65

    Alternatively, I always recommend VPN Hotspot with a local VPN like Adguard for bypassing restrictions. It's relatively foolproof to set up. Just need to make sure to disable IPv6 and Tether hardware acceleration in the app.