Unlimit/un-throttle/un-restrict/bypass the tethering/hotspot classification for Android and devices connected to it

mohamadxmuhaimin/unlimited-hotspot

About

Compared to PDANet, FoxFi, NetShare, EasyTether, Wi-Fi Tether Router, and sshuttle tunneling, this bypass method & tutorial is:

  1. Reliable, with little to no speed reduction.

  2. Plug and play: other devices don’t need to install apps to have internet.

  3. Able to bypass service-specific throttling, such as limited video quality on YouTube or other streaming services, and censorship.

    • For this goal the other devices do have to install an app; that is unavoidable.

This guide was tested on an unlocked US Pixel 4a 5G, which can be had for $100.

Preparation

  1. Install Magisk; read "Getting Started", then "Patching Images".

  2. Install the following apps:

    • A terminal emulator; grant that app every permission it asks for.

    • Network Signal Guru for its radio band locking to maintain and increase network speeds.

    • AdAway to block Network Signal Guru’s advertising.

      • AdAway requires you to enable "Systemless Hosts" in Magisk’s settings.

    • NetMonster for its network monitoring. Without it, you are practically blind to what bands are used, and what the various signal strengths are; this is very useful information.

Testing mangling support

  1. Open a terminal emulator.

  2. Become root:

```sh
$ su
```

  3. Append a test rule using the TTL and HL targets:

```sh
# iptables -t mangle -A POSTROUTING -o null -j TTL --ttl-inc 1; ip6tables -t mangle -A POSTROUTING -o null -j HL --hl-inc 1
```

    • No output is good/desired. If this is the case, skip ahead to blocking Android snitching, and spoofing TTL & HL.
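The test above works by appending a rule and watching for an error; the rule stays in the mangle table until reboot. As an added example (not part of the unlimited-hotspot repository), the script below does a read-only version of the same check: it reads the kernel's lists of registered iptables targets, `/proc/net/ip_tables_targets` and `/proc/net/ip6_tables_targets`, and looks for the "TTL" and "HL" target names that xt_HL.ko registers. Assumptions: a Linux kernel with those proc entries, root privileges to read them, and that xt_HL has already been loaded (`modprobe xt_HL`), since a target is only listed once its module is loaded.

```python
# Added example, not from the unlimited-hotspot repository: a read-only check
# for the TTL/HL mangle targets via the kernel's proc interface.
# Assumptions: /proc/net/ip_tables_targets and /proc/net/ip6_tables_targets
# exist (Linux with iptables), are readable (root), and xt_HL is loaded.
from pathlib import Path

PROC_TARGETS = {
    "ipv4": Path("/proc/net/ip_tables_targets"),
    "ipv6": Path("/proc/net/ip6_tables_targets"),
}
# xt_HL.ko registers the "TTL" target for IPv4 and the "HL" target for IPv6.
WANTED_TARGET = {"ipv4": "TTL", "ipv6": "HL"}


def parse_targets(text):
    """The proc files list one registered target name per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def has_hl_support(ipv4_text, ipv6_text):
    """Map family -> whether its TTL/HL target is registered."""
    available = {"ipv4": parse_targets(ipv4_text), "ipv6": parse_targets(ipv6_text)}
    return {fam: WANTED_TARGET[fam] in available[fam] for fam in WANTED_TARGET}


def read_proc_targets():
    """Read the live proc files. A family maps to None when the file is
    missing (kernel without iptables) or unreadable (not root)."""
    out = {}
    for fam, path in PROC_TARGETS.items():
        try:
            out[fam] = path.read_text()
        except (FileNotFoundError, PermissionError):
            out[fam] = None
    return out


def report():
    """Human-readable verdict for the machine this runs on."""
    texts = read_proc_targets()
    if any(t is None for t in texts.values()):
        return "cannot read the proc target lists; run as root on a kernel with iptables"
    result = has_hl_support(texts["ipv4"], texts["ipv6"])
    missing = [WANTED_TARGET[fam] for fam, ok in result.items() if not ok]
    if not missing:
        return "TTL and HL targets are registered: mangling is supported"
    return ("target(s) %s not registered; run 'modprobe xt_HL' and re-check, "
            "otherwise a kernel shipping xt_HL.ko is needed" % ", ".join(missing))


if __name__ == "__main__":
    print(report())
```

Run it as root inside the terminal emulator after `modprobe xt_HL`; unlike the iptables one-liner it adds nothing to any chain, so it can be repeated freely.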

Downloading a suitable custom kernel

ℹ️
The listed kernels include the BBR or BBRv2 TCP congestion control algorithm to help maintain speeds over bad network conditions.

1. momojuro’s fsociety tribute; recommended for the Pixel 4A (5G) and Pixel 5.

2. Freak07’s Kirisakura; recommended for the Pixel 6.

3. kdrag0n’s Proton.

💡
Not for your device?
Use these search terms on the XDA Forums to find other kernels with "xt_HL.ko" support:
TTL spoofing, TTL target, IPtables TTL, TTL/HL target, TTL module.

Installing a custom kernel

  1. Install BusyBox Installer, open it, then reboot after it prompts to.

  2. Install Horizon Kernel Flasher, open it, then point it to the ZIP containing the custom kernel.

1. Blocking Android snitching, and spoofing TTL & HL

  1. Download our Unlimited Hotspot Magisk module.

  2. Open Magisk → Modules → Install from storage → Select the "unlimited-hotspot-v4.zip" that was downloaded.

  3. Reboot.

For routers to also be plug and play, additional steps are required:

Asuswrt-Merlin
  1. Advanced Settings - WAN → disable "Extend the TTL value" and "Spoof LAN TTL value".

  2. Advanced Settings - Administration

    • Enable JFFS custom scripts and configs → "Yes"

    • Enable SSH → "LAN only"

  3. Replace the LAN IP and login name if needed: $ ssh 192.168.50.1 -l asus

    • Use other SSH clients if preferred, such as MobaXterm or Termius.

  4. Create the wan-event dispatcher:

```sh
# nano /jffs/scripts/wan-event
```

```sh
#!/bin/sh
# shellcheck disable=SC2068
# Log a message to syslog, prefixed with this script's PID and name.
Say() {
  printf '%s%s' "$$" "$@" | logger -st "($(basename "$0"))"
}
WAN_IF=$1
WAN_STATE=$2

# Call appropriate script based on script_type
SERVICE_SCRIPT_NAME="wan${WAN_IF}-${WAN_STATE}"
SERVICE_SCRIPT_LOG="/tmp/WAN${WAN_IF}_state"

# Execute and log script state
if [ -f "/jffs/scripts/${SERVICE_SCRIPT_NAME}" ]; then
  Say "     Script executing.. for wan-event: $SERVICE_SCRIPT_NAME"
  echo "$SERVICE_SCRIPT_NAME" >"$SERVICE_SCRIPT_LOG"
  sh /jffs/scripts/"${SERVICE_SCRIPT_NAME}" "$@"
else
  Say "     Script not defined for wan-event: $SERVICE_SCRIPT_NAME"
fi

##@Insert##
```

  5. Create the script that runs when WAN0 connects:

```sh
# nano /jffs/scripts/wan0-connected
```

```sh
#!/bin/sh

# HACK: Not sure what to check for exactly; do it too early and the TTL & HL won't get set.
sleep 5s; modprobe xt_HL; wait

# Removes these iptables entries if present; only removes once, so if the same entry is present twice (script assumes this never happens), it would need to be removed twice.
iptables -t mangle -D PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -D POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2

# TTL & HL hotspot detection bypass.
## Increments the TTL & HL by 2 (1 for the router, 1 for the devices connected to the router).
iptables -t mangle -A PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -I POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -A PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2
```

  6. Set the permissions correctly, otherwise the router logs `custom_script: Found wan-event, but script is not set executable!` and skips the script:

```sh
# chmod a+rx /jffs/scripts/*
# reboot
```


GoldenOrb or OpenWrt via LuCI
  1. GoldenOrb specific: Network → Firewall → Custom TTL Settings

    • Ensure its option is disabled.

  2. Network → Firewall → Custom Rules

```sh
# Removes these iptables entries if present; only removes once, so if the same entry is present twice (script assumes this never happens), it would need to be removed twice.
iptables -t mangle -D PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -D POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -D PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -D POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2

# TTL & HL hotspot detection bypass.
## Increments the TTL & HL by 2 (1 for the router, 1 for the devices connected to the router).
iptables -t mangle -A PREROUTING -i usb+ -j TTL --ttl-inc 2
iptables -t mangle -I POSTROUTING -o usb+ -j TTL --ttl-inc 2
ip6tables -t mangle -A PREROUTING ! -p icmpv6 -i usb+ -j HL --hl-inc 2
ip6tables -t mangle -I POSTROUTING ! -p icmpv6 -o usb+ -j HL --hl-inc 2
```
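The Asuswrt-Merlin and GoldenOrb/OpenWrt rule sets above both rely on the same arithmetic: a TTL-based tethering classifier on the carrier side expects the handset's own initial TTL, and every extra hop behind the phone lowers it by one. The model below, an added example that is not part of the unlimited-hotspot repository, walks a packet through each forwarding hop and shows what such a classifier sees for the handset itself, for a client on the phone's hotspot, and for a client behind a USB-tethered router with and without the `--ttl-inc 2` rules. It models the outbound direction only and makes these assumptions: the handset and Linux-like clients start at TTL 64, each hop decrements before a mangle POSTROUTING TTL target adds its increment, the TTL target caps at 255, and the phone itself leaves the TTL of forwarded packets unchanged; the IPv6 hop limit follows the same arithmetic. The scenario list and the classifier thresholds are constructed for illustration.

```python
# Added example, not from the unlimited-hotspot repository: TTL arithmetic
# behind "--ttl-inc 2" and a crude carrier-side TTL classifier.
# Assumptions: Linux/Android default TTL 64, one decrement per forwarding hop
# applied before the POSTROUTING TTL target's increment, increment capped at
# 255, phone does not alter forwarded TTLs. Outbound direction only.

LINUX_DEFAULT_TTL = 64
WINDOWS_DEFAULT_TTL = 128


def hop(ttl, inc=0):
    """One forwarding hop: the kernel decrements the TTL, then a POSTROUTING
    '-j TTL --ttl-inc <inc>' rule on the egress interface adds inc (capped at
    255, as the TTL target does). A packet that would reach 0 is dropped."""
    if ttl <= 1:
        return None
    return min(ttl - 1 + inc, 255)


def ttl_at_carrier(initial_ttl, increments):
    """Walk the packet from the client to the carrier; increments[i] is the
    --ttl-inc applied by hop i (0 when that hop has no rule)."""
    ttl = initial_ttl
    for inc in increments:
        ttl = hop(ttl, inc)
        if ttl is None:
            return None
    return ttl


def classify(ttl, handset_ttl=LINUX_DEFAULT_TTL):
    """Crude carrier-side heuristic: packets the handset sends itself arrive
    with its initial TTL; a lower value means hops behind the phone; a value
    above the handset default is not what any handset would send either."""
    if ttl == handset_ttl:
        return "handset"
    if ttl is not None and ttl < handset_ttl:
        return "tethered"
    return "unexpected"


# Constructed scenarios: (label, client's initial TTL, per-hop increments on
# the path client -> ... -> phone). The phone is always the last hop.
SCENARIOS = [
    ("handset itself", LINUX_DEFAULT_TTL, []),
    ("client on phone hotspot, no rules", LINUX_DEFAULT_TTL, [0]),
    ("client behind USB-tethered router, no rules", LINUX_DEFAULT_TTL, [0, 0]),
    ("client behind router, router --ttl-inc 2", LINUX_DEFAULT_TTL, [2, 0]),
    ("router --ttl-inc 2 and phone --ttl-inc 1 (double-counted)", LINUX_DEFAULT_TTL, [2, 1]),
    ("Windows client behind router, router --ttl-inc 2", WINDOWS_DEFAULT_TTL, [2, 0]),
]


def run_scenarios():
    """Return {label: (TTL seen by the carrier, classification)}."""
    results = {}
    for label, start, increments in SCENARIOS:
        seen = ttl_at_carrier(start, increments)
        results[label] = (seen, classify(seen))
    return results


if __name__ == "__main__":
    for label, (seen, verdict) in run_scenarios().items():
        print("%-62s TTL %3s  -> %s" % (label, seen, verdict))
```

Two of the rows are the caveats worth keeping in mind: stacking increments on more than one hop overshoots (65 is as conspicuous as 62), and an increment preserves whatever the client started with, so a client whose OS starts at 128 is still distinguishable from the handset; that is the "OS fingerprinting" the VPN requirements later in this guide refer to.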

2. Confirm the tethering is un-throttled

💡
After enabling USB tethering, enable "Data Saver". This tells Android to restrict data to USB tethering and the foreground app only.
  1. Use Netflix’s Speedtest, then compare that result to Waveform’s Bufferbloat Test.
     This tests for throttling of streaming servers (Netflix), various forms of data fingerprinting, and tethering/hotspot detection.

  2. If Netflix is throttled, use the PowerTunnel app on the tethered client device with its LibertyTunnel addon enabled, and test again.

3. Getting better internet speeds

  1. Search for "Roaming" in the Settings app, then disable Roaming.

    • Roaming to a different telecom usually means unavoidable throttling. Roaming usually only happens when signal strength from your own telecom is either very poor or non-existent.
      For example, T-Mobile USA’s agreement with AT&T allows the use of AT&T towers, but only up to 250 kbps download & upload is allowed while roaming on AT&T’s network.

  2. Use Network Signal Guru to set the allowed LTE bands to only the "LTE 4x4 Bands" listed on cacombos.com for your device.

This guide doesn’t work, or goes from fast to inexplicably slow

Using a VPN is likely the missing puzzle piece.
VPNs bypass DPI firewalls; they will not increase privacy.

The least shady free VPNs; try these before any paid VPN.
  1. ProtonVPN Free

  2. Cryptofree

    • Using their free WireGuard server is recommended.

  3. Cloudflare WARP (never torrent on this).
    You can get the paid WARP+ for free.


Recommendations and requirements for a good paid VPN provider.

The recommendations

  • United States citizens: Private Internet Access. Has a server in every single US state, and an optional dedicated IP addon if streaming services (Netflix, Hulu, Amazon Prime, etc.) must always work.

  • The fastest, but with a limited selection of servers for the United States: hide.me.

  • Strong emphasis on ethics: Mullvad, Cryptostorm, AirVPN.

The requirements

  1. Network locking in their VPN software is reliable; very important to stay under the telecom’s radar regarding "OS fingerprinting".

  2. Show which servers are geolocated/virtual (fake location) servers, or have none.

  3. Addon available (or included) for a dedicated/static/streaming IP, to get around streaming service blocks, and other websites using anti-VPN services such as https://blocked.com.

  4. P2P/BitTorrent protocol isn’t blocked on all servers.

    • If all servers have this protocol unblocked, it will narrow down the amount of hosting services that VPN provider can use.
      This means higher ping/latency for some ISPs/telecoms; low latency is important for online gaming and video conferencing, among others.

  5. SOCKS5 and HTTPS/SSL proxies provided.

    • Some VPNs such as TorGuard use this to allow BitTorrent in countries where it’s forbidden; a SOCKS5 proxy can allow BitTorrent by being located in Canada while you’re connected to no VPN server, or a VPN server located in the United States.

  6. Ability to port forward at least 5 ports while supporting IPv6; this gauges a VPN provider’s attention to detail, even if you never need port forwarding.

  7. If the OpenVPN protocol is supported, its tls-crypt option must be supported, and the VPN provider must allow connecting to their servers via port 443.

    • OpenVPN over SSL or SSH is mandatory for China, Iran, and Egypt.

  8. Full IPv4 and IPv6 support across all servers.

    • On some telecoms, connecting to a VPN server through IPv6 is required.

  9. Reliable software across multiple operating systems.

    • The most problematic: Android TV, iOS/iPadOS, and Linux (especially distros not based on Ubuntu or Fedora).

      • Linux support for most VPNs lacks a graphical interface, and lacks features included in their Windows and/or macOS VPN software.

💡
An archive of "That One Privacy Site", dated 19th December 2019.
Use it as a second opinion on what justifies a good paid VPN provider.

If the VPN can’t connect
  1. Check if IPv4 or IPv6 is being used to reach the VPN server.

    • For T-Mobile, connecting through IPv6 may be required.

  2. If the VPN still can’t connect, try each supported protocol in this order:

    • WireGuard → IKEv2/IPSec → SoftEther → OpenVPN (UDP, port 443) → OpenVPN (TCP, port 443) → OpenVPN over SSL (TCP, port 443)

Reasoning for each open-source VPN protocol choice:

  • WireGuard: fastest on reliable internet; easily blockable by DPI firewalls.

  • IKEv2/IPSec: sometimes faster than WireGuard on unreliable internet. Depending on the VPN provider, IKEv2 can either be resistant to DPI firewalls (hide.me’s implementation), or not at all.

  • SoftEther: bypasses most DPI firewalls with good speeds in general, but is more complicated to set up for non-Windows OSes.

  • OpenVPN3: resistant to DPI firewalls if tls-crypt is used alongside port 443; China, Iran, and Egypt require OpenVPN over SSL, which further reduces speeds. This protocol isn’t efficient and has latency issues.


Appendices

Resources used

Learning

Third-party scripts

  1. /jffs/scripts/wan-event used for Asuswrt-Merlin is a refined version of this script.


You’ve reached the end of this guide. Star it if you liked it.
