Tethering (USB) on Android with VPN - Guide and Qs - Android General

This guide will explain how to use USB-Tethering with your Android phone/tablet together with VPN.
After that your PC will be able to use the tunneled (VPN) internet connection from your Android device.
(This is a pretty simple and straightforward guide but please correct me if you spot a mistake so this guide can be as easy and useful as possible)
My setup:
Nexus 7 (2013)
CleanROM 1.5 (ICS 4.3)
OpenVPN Connect for Android
WiFi-Connection to the source Internet (data-packets will come from there)
USB-Tethering (USB-Cable connected to my Win7 x86 PC)
Prerequisites:
a rooted phone
a terminal
USB-Debugging DISABLED
Step 1.
Connect your phone/tablet to the source of your internet connection (in my example it's WiFi, it may be MobileData for you)
Step 2.
Connect your USB-Cable to the PC <-> phone/tablet
Step 3.
Activate USB-Tethering over the settings menu
(Settings -> "Wireless & Networks" -> More... -> "Tethering and portable hotspot" -> check "USB Tethering" )
Now wait until you can use this connection on your PC. (Make sure this works!)
Step 4.
Start OpenVPN and connect to your VPN-Service.
(At this point using the internet with your PC becomes impossible, at least for me)
Step 5.
You need to issue the following commands in a rooted terminal on your phone/tablet.
(Change the interface wlan0 if you need to. "netcfg" command will show you the active interfaces)
Code:
iptables --flush
iptables -A POSTROUTING -o tun0 -j MASQUERADE -t nat
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j RETURN
iptables -A FORWARD -i wlan0 -o tun0 -m state --state INVALID -j DROP
iptables -A FORWARD -i wlan0 -o tun0 -j RETURN
The most important command for me was
Code:
iptables --flush
Maybe because I played too much with iptables beforehand, but this command did the trick for me.
(You should now be able to browse webpages with its IP-Addr. Ping www.google.com in Step 3 to get the IP)
Step 6.
This is the last step to configure your PC to use a DNS server. I don't know why but after entering the commands on Step 5 DNS-Queries are no longer routed through your phone/tablet.
Google’s Public DNS
8.8.8.8
8.8.4.4
Right-click the connection on your PC and choose Properties / Settings.
After that right-click the "IPv4 Protocol" and select "Properties / Settings" again.
Enter at least a primary DNS and click OK.
Everything should now work properly.
QUESTION:
Does someone know how to rewrite iptables to route DNS traffic to the client?

The codes in Step 5 do not work for me. Instead, I use
Code:
# iptables -P FORWARD ACCEPT
to solve the problem.

I've been using my N9005 (stock 4.4.2 KitKat installed, rooted) as a hotspot for my Wi-Fi enabled work PC
(USB driver installation is forbidden by our admins, so I can't use USB tethering).
When I enable VPN on the N9005, the connected PC cannot access the internet.
Can you provide a similar procedure for the Wi-Fi tethering side of the process?
Or maybe a simple .apk?

I easily use the PDaNet app, both on my phone and my PC, regards

Taylantz said:
This guide will explain how to use USB-Tethering with your Android phone/tablet together with VPN.
Thank you!

Hi,
For my Samsung Ace Plus (a rooted device is necessary), this works for USB tethering with VPN:
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.42.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.42.0/24 dev rndis0 scope link table 61
ip route add broadcast 255.255.255.255 dev rndis0 scope link table 61
rndis0 is the adapter for the USB connection on my phone. For Wi-Fi tethering I change it to ''wlan0''.
To verify the adapters, type ''netcfg'' in a terminal emulator.
In some cases 192.168.42.0/24 changes to 192.168.43.0/24; verify with netcfg.
Verify that the tun adapter is installed on your Android. Test it with the app ''Tun ko''. If necessary, install the tun adapter.
Set Google DNS on the PC connection, or on the 3G router connected via USB to the smartphone (for example Asus RT-N14U).
I have tried several apps to enable the VPN tunnel through tethering... but they did not always work.
Samsung ace plus android kitkat 4.4.4
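
The rules from Step 5 and the policy-routing variant above, combined into one script as an added example (not code from any poster). It goes beyond the posts: the rules live in a dedicated chain instead of flushing the tables, tethered traffic that would leave by anything other than the tunnel is dropped, and client DNS is steered to a fixed resolver with DNAT, which is one possible answer to the DNS question in the first post. The chain name TETHER_VPN and the function names are hypothetical; the interfaces, subnet, table 61 and 8.8.8.8 are the values quoted in the posts.

```shell
#!/bin/sh
# Added example: scoped rules for sharing a VPN tunnel with a tethered client.
# TETHER_VPN and all function names are hypothetical, used only in this example.
TETHER_IF="${TETHER_IF:-rndis0}"            # USB tether side (wlan0 for a Wi-Fi hotspot)
VPN_IF="${VPN_IF:-tun0}"                    # VPN tunnel interface
TETHER_NET="${TETHER_NET:-192.168.42.0/24}" # check with netcfg; may be 192.168.43.0/24
RT_TABLE="${RT_TABLE:-61}"                  # policy-routing table number from the post
DNS_SERVER="${DNS_SERVER:-8.8.8.8}"         # resolver that client DNS is steered to
CHAIN=TETHER_VPN

# Only plain interface names are accepted, because the emitted lines are
# executed as root in apply mode.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Digits, dots and an optional /prefix only (IPv4 address or CIDR).
valid_ipv4ish() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
    esac
    return 0
}

valid_config() {
    valid_ifname "$TETHER_IF" && valid_ifname "$VPN_IF" &&
    valid_ipv4ish "$TETHER_NET" && valid_ipv4ish "$DNS_SERVER" &&
    case "$RT_TABLE" in ''|*[!0-9]*) false ;; *) true ;; esac
}

# Print the commands that set up forwarding. Nothing is flushed, so rules
# that Android or other tools installed stay in place.
tether_vpn_rules() {
    valid_config || { echo "invalid configuration" >&2; return 1; }
    cat <<EOF
iptables -t filter -N $CHAIN
iptables -t filter -A $CHAIN -i $VPN_IF -o $TETHER_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A $CHAIN -i $TETHER_IF -o $VPN_IF -m state --state INVALID -j DROP
iptables -t filter -A $CHAIN -i $TETHER_IF -o $VPN_IF -s $TETHER_NET -j ACCEPT
iptables -t filter -A $CHAIN -i $TETHER_IF -j DROP
iptables -t filter -I FORWARD 1 -j $CHAIN
iptables -t nat -A POSTROUTING -s $TETHER_NET -o $VPN_IF -j MASQUERADE
iptables -t nat -A PREROUTING -i $TETHER_IF -p udp --dport 53 -j DNAT --to-destination $DNS_SERVER:53
iptables -t nat -A PREROUTING -i $TETHER_IF -p tcp --dport 53 -j DNAT --to-destination $DNS_SERVER:53
ip rule add from $TETHER_NET lookup $RT_TABLE
ip route add default dev $VPN_IF scope link table $RT_TABLE
ip route add $TETHER_NET dev $TETHER_IF scope link table $RT_TABLE
EOF
}

# Print the commands that remove exactly what tether_vpn_rules added.
tether_vpn_teardown() {
    valid_config || { echo "invalid configuration" >&2; return 1; }
    cat <<EOF
iptables -t filter -D FORWARD -j $CHAIN
iptables -t filter -F $CHAIN
iptables -t filter -X $CHAIN
iptables -t nat -D POSTROUTING -s $TETHER_NET -o $VPN_IF -j MASQUERADE
iptables -t nat -D PREROUTING -i $TETHER_IF -p udp --dport 53 -j DNAT --to-destination $DNS_SERVER:53
iptables -t nat -D PREROUTING -i $TETHER_IF -p tcp --dport 53 -j DNAT --to-destination $DNS_SERVER:53
ip rule del from $TETHER_NET lookup $RT_TABLE
ip route flush table $RT_TABLE
EOF
}

# Execute commands read from stdin. "strict" stops at the first failure,
# "lenient" carries on (a rule being removed may not exist yet).
run_lines() {
    while IFS= read -r line; do
        echo "+ $line"
        if [ "$1" = strict ]; then
            $line || return 1
        else
            $line || true
        fi
    done
}

case "${1:-}" in
    show)     tether_vpn_rules ;;
    apply)    rules="$(tether_vpn_rules)" || exit 1
              tether_vpn_teardown | run_lines lenient   # makes re-runs idempotent
              printf '%s\n' "$rules" | run_lines strict ;;
    teardown) tether_vpn_teardown | run_lines lenient ;;
esac
```

Run it with `show` to print the commands without touching anything, or with `apply` / `teardown` in a root shell to execute them.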

I am trying to get my Asus router tethered to my Android phone. The router says it's connected but any DNS requests from it end up unresolved and I don't see an option to change the DNS server. It's using my phone's private IP as the DNS server. All devices behind the router work because they are using Google Public DNS.
My question for here is: How can you change the dns server being pushed by the phone using usb tethering?
Thanks.

A simpler way would be to use the PDANet+ app on Android and the PdaNet Windows application. Much simpler I think.

Thanks for sharing this post. It helped us.

Related

ppp over adb (for linux/unix users)

Hey, I was trying to share my internet connection on my laptop with my android phone, so the android could use the laptop's internet connection via usb.
Until somebody compiles an usbnet enabled kernel into an android ROM (this would be the cleanest way), the only way I found for doing this has been emulating the "ppp over ssh" method (search google).
I know, tcp over tcp is a bad idea, but hey, it works!.
Every method I found for doing something similar is to do the opposite: share the phone internet connection with the laptop. I'd like my laptop to be the one that shares the Internet.
The idea here is quite simple:
Code:
pppd nodetach noauth nodeflate pty "ssh [email protected] pppd noauth nodetach notty" ipparam vpn 192.168.0.1:192.168.0.254
pppd in the local host can be connected to pppd in the remote host using a tcp connection, so we can have an IP tunnel between the two endpoints.
The first thing I tried was to replace the ssh part of the command with "adb shell", supposing that adb was going to respect the pipe chain, but it seems that adb doesn't connect its stdin with the shell stdin (try "echo test | adb shell cat", it simply doesn't work)
So, I made it work by using the port redirection feature in adb, and the wonderful "nc". The idea is this:
In the linux host:
Code:
# forward 12000/tcp
adb forward tcp:12000 tcp:12000
# enable routing
sysctl net.ipv4.ip_forward=1
# enable nat
iptables -t nat -I POSTROUTING -s 192.168.0.254 -j MASQUERADE -o eth0
In the android device:
Code:
# delete the default route
ip r del default
# execute pppd listening in 12000/tcp
pppd nodetach noauth pty "nc -l -p 12000" defaultroute
In the linux host:
Code:
# execute pppd connected to 12000/tcp
pppd nodetach noauth nodeflate pty "nc localhost 12000" ipparam vpn 192.168.0.1:192.168.0.254
Et voilà. The android device is accessing the Internet using my laptop's ethernet connection via USB.
I'd like to develop a more user friendly method of doing this, but first I'd like to know if somebody has been working on this already.
BTW, AFAIK this is only for linux/unix users.
EDIT: Sorry, forgot to comment: for some reason, Android's pppd version, when doing this kind of thing, tries to allocate a pseudo tty under "/dev.pts". As this directory doesn't exist, the current pppd will fail.
I had to modify pppd source to allocate the pseudo tty under "/dev/pts" instead of under "/dev.pts". I attach the modified version of the binary.
How reliable is it?
I did the same thing a few months ago, but when I ran some heavy traffic through it, the connection broke and adb started reporting the device as "offline" until re-plugged. Are you able to run heavy traffic on top of it for more than 2-3 minutes?
When I tested it for a min it worked great, but when I really needed to use it (my ADSL went offline and I tried to run my home network's traffic through the G1 via ppp), it went offline every 2-3 minutes and needed replugging.
Correction: I retested my script now, on JF 1.51, and it works reliably. With the old kernel (2.6.25) it was unreliable but with the current one it's fine. I'm tethering over it right now.
I made a tethering script using this pppd-mod, for everyone who is interested
Code:
#!/bin/sh
ADB=/opt/android-sdk-1.5/tools/adb
echo "Setting up..."
# enable forwarding and NAT on the phone
$ADB shell "echo 1 > /proc/sys/net/ipv4/ip_forward"
$ADB shell "iptables -t nat -F"
$ADB shell "iptables -t nat -A POSTROUTING -j MASQUERADE -o rmnet0"
$ADB forward tcp:12000 tcp:12000
$ADB shell "killall pppd-mod" > /dev/null 2>&1
echo "Starting PPP daemon..."
$ADB shell "pppd-mod noauth pty 'nc -l -p 12000 '" &
sleep 5
echo "Establishing connection..."
pppd noauth nodeflate pty "nc localhost 12000" ipparam vpn 192.168.0.2:192.168.0.1
# wait for the ppp address to appear; POSIX test uses '=' ('==' fails under dash with "[: unexpected operator")
while [ "$(ifconfig | grep 192.168.0.1)" = "" ]; do
sleep 1
done
# replace the default route and resolver on the PC
route del -net 0.0.0.0 > /dev/null 2>&1
route add -net 0.0.0.0 gw 192.168.0.1
echo "nameserver 4.2.2.2" > /etc/resolv.conf
echo "Connected."
Still hoping some day regular usb networking will work :-/
mzet said:
i made a script to tethering using this pppd-mod for everyone who is interested
Is there anything required phone-side for that to work?
juanmasg said:
Until somebody compiles an usbnet enabled kernel into an android ROM (this would be the cleanest way), the only way I found for doing this has been emulating the "ppp over ssh" method (search google).
skyjumper said:
Is there anything required phone-side for that to work?
I do believe Cyanogen's 3.9.1 has rudimentary support and he's working on getting it working. Of course the man appears to be on at least 3-4 completely unique vectors (quite impressive, I counted donut, samba, cyanogen mod, and usbnet) so it might be a little bit of time before we get this from him.
skyjumper said:
Is there anything required phone-side for that to work?
you have to have binary pppd-mod from first post in your $PATH on your phone and rooted phone with iptables of course
mzet said:
you have to have binary pppd-mod from first post in your $PATH on your phone and rooted phone with iptables of course
Ah, didn't even notice the first post had a file. Been looking to do this for some time. Thanks to whoever all helped to get it working.
juanmasg said:
Hey, I was trying to share my internet connection on my laptop with my android phone, so the android could use the laptop's internet connection via usb.
Hello,
I have been trying your method without success. The phone and the computer can ping each other but no connection to the internet. Using wireshark I can't see anything on the eth0 when I try to ping from the phone. All I see is stuff from ppp0 and the loop back. What am I doing wrong?
Thanks
ethernet-over-usb
First, I appreciate juanmasg's initiative on this much needed feature. Thanks!
CyanogenMod thread at http://forum.xda-developers.com/showthread.php?t=539744 talks about experimental ethernet-over-usb functionality (see CHANGELOG for 3.9.1). I don't know how it will be used but it seems he's trying to get it to work. juanmasg can talk to cyanogen for current status and a possible integration of his methodology into his ROMs. I am monitoring his thread for any update on this feature and I just sent a tweet to cyanogen about this. he's a great developer!
With your script, I got this output:
Setting up...
Starting PPP daemon...
Establishing connection...
[: 16: unexpected operator
Connected.
And it didn't work. Do you have any ideas?
Sorry for my poor English.
I use a router and the router's IP is 192.168.0.1, the computer's IP is 192.168.2.
I think it causes the problem but I don't know how to edit your script to make it work.
Hmm. Does anyone know the correct parameters to use the actual "adb ppp" command? I've searched all over the web and nobody has posted any example of how to use this command with the G1. What is the name of the tty device that we should use? etc. etc...
Never mind, I see it now in the adb source code. It's a bit useless as-is, but a small tweak would make it pretty useful. If it was changed to return an interactive_shell() session, and then invoke "pppd notty" in that session, then invoke pppd on the host, it would be a simple means of tethering over USB. The only other thing you'd need is to set up the appropriate NAT rules on either side, depending on whether you want the G1 to share the PC's network, or vice versa.
Too bad pppd insists on setting up a pseudo-tty for itself, there's no need for a tty device driver in scenarios like this.
OK, this is the patch I made to adb to make its ppp command work the way I want.
With that, invoke adb like this:
adb ppp foo notty 192.168.2.1:192.168.2.2
The <tty> parameter is no longer used; everything past the "foo" is just passed as arguments to the local pppd.
Once this is done you can set up NAT forwarding on whichever side you want.
And yes, I know this isn't a clean patch. I should make this a new command instead of usurping the existing ppp command, since presumably the original command is still useful to somebody out there. But this was just a quick hack to see if it would work, and it works great. This saves a lot of the CPU overhead of ssh / port forwarding / etc...
To use the G1's network from the PC, issue these commands on the G1:
# enable routing
sysctl net.ipv4.ip_forward=1
# enable nat
iptables -t nat -I POSTROUTING -s 192.168.2.1 -j MASQUERADE -o rmnet0
(Use tiwlan0 if you want to use the G1's wifi. Not sure why you'd need to do this if the PC already has its own wifi.)
And then set the default route on the PC
route add -net default gw 192.168.2.2
I got about 15-20KB/sec download using EDGE, and about 65KB/sec download using 3G. You may want the "usepeerdns" option in your pppd options, otherwise you'll have to edit /etc/resolv.conf yourself and copy the nameservers from the G1's /system/etc/resolv.conf
To use the PC's network from the G1, just swap the appropriate parameters around. E.g.,
Issue these commands on the PC:
# enable routing
sysctl net.ipv4.ip_forward=1
# enable nat
iptables -t nat -I POSTROUTING -s 192.168.2.2 -j MASQUERADE -o eth0
And issue this command on the G1
route add -net default gw 192.168.2.1
ppp over adb on G2
Hi guys,
I've taken your example to do the same on my G2.
I've found some problems and some solutions.
This is the script I used:
Code:
#!/bin/sh
ADB=/opt/Android/android-sdk-linux_x86-1.5_r3/tools/adb
echo "Setting up..."
$ADB shell "echo 1 > /proc/sys/net/ipv4/ip_forward"
$ADB forward tcp:12000 tcp:12000
$ADB shell "killall pppd-mod" > /dev/null 2>&1
echo "Starting PPP daemon..."
$ADB shell "pppd-mod noauth pty 'nc -l -p 12000 '" &
sleep 5
echo "Establishing connection..."
/usr/sbin/pppd noauth nodeflate pty "nc localhost 12000" ipparam vpn 192.168.0.2:192.168.0.1
# wait for the ppp address to appear; POSIX test uses '=' rather than '=='
while [ "$(/sbin/ifconfig | grep 192.168.0.1)" = "" ]; do
sleep 1
done
# on the phone: send default traffic over ppp0 and drop the Wi-Fi default route
$ADB shell "iproute add default dev ppp0" &
$ADB shell "iproute del default via 192.168.1.1 dev tiwlan0" &
echo "Connected."
But there is a problem on the G2. If the system doesn't believe it is connected (WIFI or 3G), it doesn't go on the internet, although it could through the ppp connection.
So to fool it I've created a WIFI connection, not suitable for internet, and then deleted (in the script) the default route to tiwlan0.
Does somebody know if it is possible to make Android believe that it is connected when it isn't?
Bye
I'm on Arch Linux and I want to do this :S How can I?
I followed the guide on the first page but can't get it working :S When I do the last step on the Linux host it says that nc is not a command.
Anyone, please?
Hi dear,
I don't know archlinux...
However the problem in your situation is that you have to install netcat too.
But if you need more help please tell us which problem you encounter with more detail.
Bye
Zioalex
zioalex said:
Hi dear,
I don't know archlinux...
However the problem in your situation is that you have to install netcat too.
But if you need more help please tell us which problem you encounter with more detail.
Bye
Zioalex
Gonna try installing netcat and comment, thx!!!!

[TIP] Kies Air over USB (SGS2 / ICS)

Hi guys,
Today I wanted to open the Kies Air web front-end from my web browser via USB cable.
Using earlier versions of SGS2 ROMs (aka original ROM), it was quite easy, but using the official ICS ROM, I've got some troubles.
1st: Kies Air will only start if it is connected via Wi-Fi or if Wi-Fi HotSpot is active;
I don't have a PC with access to some wireless network, so it should kill my plans. But I use Android, I don't like the easy way for everything!
To start the Kies Air service, I just selected to start a Wi-Fi HotSpot and bypassed this issue.
Now we need to be able to access the web front-end, sure? But we have no IP to connect to. So, I used "adb forward tcp:8080 tcp:8080" command. This will redirect the requests of my PC at 8080 TCP port to my device.
2nd: After solving the 1st one, the Kies service does not allow me to see the content, saying "Welcome to KiesAir. Please access it from a PC or another handset." when accessing http://localhost:8080/
This says that the device is thinking you are accessing from its web browser (because of 'localhost').
I had to redirect the requests from my PC IP to the localhost interface.
I'm on a Linux PC, so I can use all of this OS's capabilities to do this with the command "sudo iptables -t nat -I PREROUTING -d 192.168.XXX.XXX -p tcp -m tcp --dport 8080 -j DNAT --to-destination 127.0.0.1"
Be sure to change "192.168.XXX.XXX" to the IP of your PC.
FINALLY, we can access Kies Air over USB by accessing "http://192.168.XXX.XXX:8080/"
Abstract:
Enable USB debugging (Settings > Developer options > USB debugging)
Connect USB cable
At your device, open Kies Air app, Select 'Wi-Fi HotSpot' option, tap 'OK' and then, tap 'Start'
At PC shell command type adb forward tcp:8080 tcp:8080
At PC shell command type sudo iptables -t nat -A PREROUTING -d YOUR_IP -p tcp -m tcp --dport 8080 -j DNAT --to-destination 127.0.0.1
Access http://YOUR_IP:8080/ from your web browser
Thanks!
thanks! I will do it.!!
thanks for really useful tip
Tried it and it worked
How can I use those shell commands on the Windows platform?
Just came across this thread...
How do I do step (4) & (5) on a Mac? I opened up terminal and typed the command, but it returned: -bash: adb: command not found

[ubuntu] Manual (no app) LAN Reverse Tethering

this has been tested on ICS. You will need Terminal Emulator with root privileges. you may not have to use (or have different) full path to the binaries but they are shown when used as part of a file eg. "/system/bin/".
Android
Code:
Settings -> More... -> Tethering & portable hotspot -> USB tethering
this will bring up the usb network device with an automatically assigned IP address on both the host and client ie. PC and phone.
Linux
Code:
$ sudo su
# echo 1 > /proc/sys/net/ipv4/ip_forward
# exit
$ ifconfig
usb0 Link encap:Ethernet HWaddr 1e:98:35:16:12:cd
inet addr:192.168.42.170 Bcast:192.168.42.255 Mask:255.255.255.0
inet6 addr: fe80::1c98:35ff:fe16:12cd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:537 errors:0 dropped:0 overruns:0 frame:0
TX packets:671 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:55661 (55.6 KB) TX bytes:346260 (346.2 KB)
look for device usbX where X is the connected device number, i.e. if there is only one tethered device connected it would most likely be usb0.
grab the PC usbX devices IP prefixed with "inet addr:". in this example the address is 192.168.42.170.
if you do not see a usbX network device, you will have to setup RNDIS, which is outside the scope of this example howto.
Android
Code:
Apps -> Terminal Emulator
open terminal emulator.
Code:
$ su
# route add default gw 192.168.42.170 dev usb0
# exit
$ exit
NB, substitute with the PC IP address you obtained earlier.
with these steps completed, the phone will send outgoing packets to the PC address then the PC will forward packets to its default gw (gateway).
my router at work (where i use this) is already forwarding for the example network class above so i do not have to go any further than this.
google play appears to work but downloading does not seem to actually happen. i tried leaving mobile data enabled with this method and it did not work, others may have success. i obviously do not have a wifi AP to connect to, so it still might be possible to connect to an AP and use this method to enable download in google play (but that seems a bit redundant if you are able to connect via wifi in the first place).
at this point try the browser and attempt to load any site. if it does not work then continue on with the remaining steps; you can either bridge the usbX and ethX device (or whatever your LAN device is), change the IP (on both PC and phone) of usbX to the same network class (as your LAN) or have the PC network translate on behalf of the phone (untested as i dont need it). below is an example of NAT (network address translation) for linux; for bridging or changing the IP addresses please use google for a howto.
Linux
Code:
$ vi nat_ethX.sh
use an editor and paste the following code into the script or type the three lines below manually (ignoring the first line).
Code:
#!/bin/sh
/sbin/iptables -F --table nat
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
replace eth0 with the actual PC ethX network device name relevant to your LAN setup.
Code:
$ chmod 744 nat_ethX.sh
$ sudo ./nat_ethX.sh
change the permissions of the file and run it.
again this is untested, but your PC should now be sending packets from its own IP address on behalf of the phone which your router is already accepting.
Code:
iptables -F --table nat
to remove the NAT iptables rules
Wi-Fi Hotspot
Code:
Settings -> More... -> Tethering & portable hotspot -> Portable Wi-Fi hotspot
this will bring up the wifi network device with a static IP on the host and an automatically assigned IP address on the client ie. first phone and second phone (in this example).
on the second phone, connect to the newly created AP from the first phone.
as wifi is enabled on the second phone google play will actually download. you do not need to setup anything else on the second phone.
Android (first phone)
Code:
Apps -> Terminal Emulator
open terminal emulator.
Code:
$ su
# route add default gw 192.168.42.170 dev usb0
if you enable the wifi hotspot on the first phone, you must once again reset the default gw in the route table.
Code:
$ su
# echo 1 > /proc/sys/net/ipv4/ip_forward
IP forwarding should have been automatically set when enabling the wifi hotspot feature. you should not have to do this step, it should not break anything if you do.
Code:
#!/system/bin/sh
/system/bin/iptables -F --table nat
/system/bin/iptables -P FORWARD ACCEPT
/system/bin/iptables --table nat -A POSTROUTING -o usb0 -j MASQUERADE
again you can probably route another way, but here i am using NAT once more as in my case, the wifi hotspot / AP device wl0.1 is set to another network class (192.168.43.0) from that of usb0 (192.168.42.0). like the example above, you can place this in a file and run it, or type the three lines manually (ignoring the first line).
Code:
iptables -F --table nat
to remove the NAT iptables rules
Terminal Emulator (extra info.)
Code:
$ ifconfig
$ iwconfig
you can check the wifi hotspot network device name and information, in my case it is wl0.1. use google for more information on these commands.
Code:
$ ip route show
is another way to see the route table, if the default route command does not print the table with the ROM you are using.

Working WiFi tethering with VPN on 4.3 without losing mobile data connection!!!

Thought this might help somebody. (Root required)
EDIT: Confirmed working on Carbon ROM 4.3/4.4
Can confirm that this works:
1) Install Crossbreeder ( http://forum.xda-developers.com/showthread.php?t=2113150 ) This modifies the DNS implementation to make the script work like it used to in Android versions pre 4.3
2) Connect VPN (I use the Private Internet Access app)
3) Start WiFi tether
4) Run the following script as superuser(all credit goes to thantos_mehak for this post: http://forum.xda-developers.com/showpost.php?p=39654892&postcount=31 ):
Code:
#!/system/bin/sh
# (you may need to confirm this is the proper path to sh, with `which sh`)
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
5) Connect mobile device (such as tablet) and allow it to obtain an IP address from the network before allowing Windows to connect to avoid the mobile data drop while tethering problem. Don't know why this works. Apparently something with the SGS3 and Verizon's network doesn't like to play nice with doling out IP addresses to PCs. Connecting another Android (or other?) device before allowing your computer to connect prevents the data connection drop.
I'm tethering right now on Carbon ROM (4.3) on my Verizon SGS3.
Hope this helps!

[GUIDE] Tethering through VPN over USB-OTG-ACA Ethernet /w IPv6 Support

This is a guide for tethering over USB Ethernet adapter. The purpose of this is to reliably USB tether to any router, without the need for a USB port or stable USB/RNDIS support (Broadcom MIPS is particularly bad). USB-OTG-ACA means the phone is powered externally while also operating in host mode. I used a cheap micro-USB Y-cable for this that lets me plug in a power source, USB Ethernet adapter, and phone together. IPv6 is supported via masquerading, so you share public IPs with your phone (thus hiding devices behind it). In this example I tether to a VPN tun0 interface, but you can tether to and from any interface you want.
This guide is targeted to more advanced users, but I included a E5 Play kernel and the files required at the bottom of this post for those who wouldn't be able to try this otherwise.
The first step is to enable the kernel IPv6 NAT table, with iptables and masquerading support. To do this I used LSM Kernel. My device is the E5 Play, steps for other devices are a little different.
https://forum.xda-developers.com/moto-e5/development/kernel-lowspecmoto-kernel-v0-1a-t3882378
These need to be set in james_defconfig. You can also enable any necessary kernel modules for your Ethernet adapter here.
Code:
CONFIG_NF_NAT_IPV6=y
CONFIG_IP6_NF_TARGET_MASQUERADE=y
CONFIG_IP6_NF_NAT=y
I had to disable the WireGuard install script and use jury_rig.sh instead, as well as fix a minor typo in the build script (misspelled and erroneous compile command) and one of the source files (extra const declaration).
The next step is to disable the IPv4 DHCP client for the Ethernet adapter's interface eth0. After a little reverse engineering, I found this state was controlled by /data/misc/ethernet/ipconfig.txt, and there is already a tool I can use to generate configurations.
https://github.com/jhswartz/ipconfigstore
I just feed it an empty static assignment and DHCP is then disabled.
Code:
ipAssignment: STATIC
id: 0
Next was to cross-compile radvd to support RA for IPv6. Modern versions of OpenWRT support spoofing so you don't need this, but everything else requires you to run an RA server from the gateway device. I needed to use android-ifaddrs to get around an unsupported feature in the NDK. The version I built expects the config to exist at /sdcard/radvd.conf.
Now comes the scripting to make everything work. I made an application for this, but you can also accomplish this with something like Tasker or even run it manually.
At boot:
* Launch radvd as a root daemon
* Start your VPN
* Delete the file /sdcard/tether.state
* Execute tether.sh as root
On Intent.ACTION_POWER_CONNECTED:
* Execute tether.sh as root
tether.state keeps the script from applying NAT rules more than once, so the connection is just restored when the script is re-run.
Code:
#!/system/bin/sh
# Wait up to 15 seconds for both the Ethernet adapter (eth0) and the VPN (tun0) to appear.
echo 'Waiting for tether interfaces'
for waitTime in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
do
    if [ -d '/sys/class/net/eth0' ] && [ -d '/sys/class/net/tun0' ] ; then break ; fi
    echo "$waitTime"
    sleep 1
done
sleep 2
# Continue only when both interfaces exist; otherwise nothing is changed.
if [ -d '/sys/class/net/eth0' ] && [ -d '/sys/class/net/tun0' ]
then
    echo 'Preparing tether interface'
    ip link set dev eth0 down
    # 1280 is the minimum IPv6 MTU; it leaves room for the VPN encapsulation.
    ip link set dev eth0 mtu 1280
    sysctl -w net.ipv6.conf.eth0.mtu=1280
    # The phone is the gateway on eth0, so it must not autoconfigure or accept RAs there.
    sysctl -w net.ipv6.conf.eth0.autoconf=0
    sysctl -w net.ipv6.conf.eth0.accept_ra=0
    ip addr flush dev eth0
    echo 'Setting IP addresses'
    ip -6 addr add fd00::1/64 dev eth0 scope global
    ndc interface setcfg eth0 192.168.42.129 24 up
    echo 'Waiting for interface to come up'
    for waitTime in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
    do
        if [ "$(cat /sys/class/net/eth0/operstate)" = 'up' ] ; then break ; fi
        echo "$waitTime"
        sleep 1
    done
    sleep 3
    ip -6 route add fd00::/64 dev eth0 src fd00::1
    echo 'Enabling IP forwarding'
    ndc ipfwd enable tethering
    echo 'Adding marked routes'
    # Network ID 99 holds the routes for the tethered subnets.
    ndc network interface add 99 eth0
    ndc network route add 99 eth0 192.168.42.0/24
    ndc network route add 99 eth0 fd00::/64
    ndc network route add 99 eth0 fe80::/64
    # The NAT and filter rules are applied once per boot; tether.state marks that they exist.
    if [ ! -f '/sdcard/tether.state' ]
    then
        echo 'Setting up NAT'
        touch /sdcard/tether.state
        ndc nat enable eth0 tun0 99
        ndc ipfwd add eth0 tun0
        # IPv6: masquerade everything leaving through the VPN interface.
        ip6tables -t nat -N natctrl_nat_POSTROUTING
        ip6tables -t nat -A POSTROUTING -j natctrl_nat_POSTROUTING
        ip6tables -t nat -A natctrl_nat_POSTROUTING -o tun0 -j MASQUERADE
        # IPv6: allow replies tun0 -> eth0 and new traffic eth0 -> tun0, drop the rest.
        ip6tables -t filter -A natctrl_FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -g natctrl_tether_counters
        ip6tables -t filter -A natctrl_FORWARD -i eth0 -o tun0 -m state --state INVALID -j DROP
        ip6tables -t filter -A natctrl_FORWARD -i eth0 -o tun0 -g natctrl_tether_counters
        ip6tables -t filter -A natctrl_FORWARD -j DROP
    fi
else
    # Reached when eth0 or tun0 never appeared within the wait above.
    echo 'Skipping operation, USB not connected'
fi
eth0 is the Ethernet adapter and tun0 is the VPN interface. I also use a very similar script to do the same thing with RNDIS; you can set up all kinds of interesting tethering setups with these commands. If you want to run DHCP on the phone for use with a switch or cross-over cable or whatever, this command should work as root:
Code:
dnsmasq --keep-in-foreground --no-resolv --no-poll --dhcp-authoritative --dhcp-range=192.168.42.10,192.168.42.99,1h --dhcp-option=6,8.8.8.8,8.8.4.4 --dhcp-option-force=43,ANDROID_METERED --dhcp-leasefile=/sdcard/dnsmasq.leases --pid-file=/sdcard/dnsmasq.pid --listen-mark 0xf0063
Since this is a powered tethering setup, you probably want to use something to control charging:
https://play.google.com/store/apps/details?id=com.slash.batterychargelimit&hl=en&gl=US
On the router, set its IP to 192.168.42.1, gateway to 192.168.42.129, DNS servers, and DHCP range to 192.168.42.10-192.168.42.99. Disable IPv6 support if it has it. Don't plug anything into the WAN (yellow) port, the phone connects to LAN.
Moto E5 Play kernel with IPv6 NAT support
https://drive.google.com/file/d/15IDtuuOn60bgw5FHVnoacexe2fjzuHcg/view?usp=sharing
ipconfig.txt, radvd, radvd.conf, tether.sh
https://drive.google.com/file/d/18YL4rYyF9tFu34WI_wzBLNtiUDp9U7_a/view?usp=sharing
I wrote an app to manage this, but it still needs a bit of work to handle custom configurations.
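The ip6tables rules in tether.sh forward eth0 traffic only out tun0 and end natctrl_FORWARD with a DROP. The following check for that property is an added example, not part of the original post. The function name, the two sample rulesets and the wlan0 interface in the leaky sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ip6tables -S` style output for VPN-tether leak paths.
# eth0/tun0 follow the post; the function name and sample rulesets are constructed.
LAN_IF=eth0
VPN_IF=tun0

# Reads rules on stdin, prints findings, returns 0 only when no leak path is found.
audit_tether_rules() {
    awk -v lan="$LAN_IF" -v vpn="$VPN_IF" '
    # Value that follows flag f in the current rule, or "" when the flag is absent.
    function opt(f,   i) { for (i = 1; i < NF; i++) if ($i == f) return $(i + 1); return "" }
    $1 != "-A" { next }
    $2 == "natctrl_FORWARD" {
        last = $0
        # A non-DROP rule for packets arriving from the LAN must send them out the VPN.
        if (opt("-i") == lan && opt("-j") != "DROP" && opt("-o") != vpn) {
            print "LEAK: LAN traffic forwarded outside the VPN: " $0; bad = 1
        }
    }
    opt("-j") == "MASQUERADE" && opt("-o") != vpn {
        print "LEAK: masquerade not pinned to the VPN interface: " $0; bad = 1
    }
    END {
        if (last != "-A natctrl_FORWARD -j DROP") {
            print "LEAK: natctrl_FORWARD does not end in a catch-all DROP"; bad = 1
        }
        exit bad + 0
    }'
}

# Constructed sample: the rules tether.sh installs, in `ip6tables -S` / `-t nat -S` form.
SAMPLE_OK='-A natctrl_nat_POSTROUTING -o tun0 -j MASQUERADE
-A natctrl_FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -g natctrl_tether_counters
-A natctrl_FORWARD -i eth0 -o tun0 -m state --state INVALID -j DROP
-A natctrl_FORWARD -i eth0 -o tun0 -g natctrl_tether_counters
-A natctrl_FORWARD -j DROP'

# Constructed sample: forwarding points at wlan0 and the final DROP is missing.
SAMPLE_LEAKY='-A natctrl_nat_POSTROUTING -o tun0 -j MASQUERADE
-A natctrl_FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -g natctrl_tether_counters
-A natctrl_FORWARD -i eth0 -o wlan0 -g natctrl_tether_counters'

printf '%s\n' "$SAMPLE_OK" | audit_tether_rules && echo 'sample OK ruleset: no leak path'
printf '%s\n' "$SAMPLE_LEAKY" | audit_tether_rules || echo 'sample leaky ruleset: rejected'
```

On a device, the input would be `{ ip6tables -S; ip6tables -t nat -S; } | audit_tether_rules` run as root after tether.sh has completed.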
For those who don't have a kernel with the network modules you've mentioned, but want to get ipv6 working (thinking of Tmobile) and have access to openwrt router, would adding the mentioned ip6tables command work?
In my router, I added something like this,
ip6tables -t mangle -I POSTROUTING -o usb0 -j HL --hl-set 65
but ipv6 connection didn't work. If I remove that line from the router firewall, then ipv6 connection works but it counts as tethered.
aznxwill said:
For those who don't have a kernel with the network modules you've mentioned, but want to get ipv6 working (thinking of Tmobile) and have access to openwrt router, would adding the mentioned ip6tables command work?
In my router, I added something like this,
ip6tables -t mangle -I POSTROUTING -o usb0 -j HL --hl-set 65
but ipv6 connection didn't work. If I remove that line from the router firewall, then ipv6 connection works but it counts as tethered.
One option is to use your phone's native tether and set up IPv6 nat on your router. This will make your iptables rule work and only requires provisioning and dun bypasses on the phone. The downside is your tethered traffic will go through a separate IPv6 address from your phone, so it's more risky.
The other option is to proxy, but getting UDP support is a real hurdle. Ideas are porting Shadowsocks or one of those Socks5 proxies written in Go. Adding UDP support to microsocks is also possible, but way more work. You'd use the Shadowsocks client or transocks-wong on the router to serve clients with no knowledge of the proxy.
Edit: also, what phone/rom/router are you working with?
fddm said:
One option is to use your phone's native tether and set up IPv6 nat on your router. This will make your iptables rule work and only requires provisioning and dun bypasses on the phone. The downside is your tethered traffic will go through a separate IPv6 address from your phone, so it's more risky.
The other option is to proxy, but getting UDP support is a real hurdle. Ideas are porting Shadowsocks or one of those Socks5 proxies written in Go. Adding UDP support to microsocks is also possible, but way more work. You'd use the Shadowsocks client or transocks-wong on the router to serve clients with no knowledge of the proxy.
Edit: also, what phone/rom/router are you working with?
I'm working with OnePlus 8 (phone) + GL.iNET MT-1300 (router) on TMO network.
I am able to get USB tethering to work with the router for IPv4. My setup is as follows:
Phone (USB) <---> MT-1300 (router) <---> clients (PC/phones/TVs)
For IPv4, I added the following line to router firewall:
iptables -t mangle -I POSTROUTING -o usb0 -j TTL --ttl-set 65
Currently trying to figure out IPv6...
This is the guide to enable nat6 on openwrt:
NAT66 and IPv6 masquerading
openwrt.org
Make sure usb0 is bridged to wan, not lan. Then your iptables rule will work.
