Android Phone as a VPN Gateway [Bypass Tethering Block]

Discussion in 'Mobile Devices' started by InsaneNutter, Sep 14, 2014.

  1. InsaneNutter

    InsaneNutter Resident Nutter Staff Member

    Joined:
    Jun 1, 2007
    Messages:
    12,254
    Likes Received:
    3,724
    Location:
    Yorkshire, England
    android-tethering-open-vpn.png

    The Problem:

    A lot of mobile providers might give you "unlimited data" or a certain amount of data, but block you from tethering. By blocking tethering I mean only allowing you to use your data allowance on the phone, not on a tablet, laptop, PC or any other device.

    The Solution:

    Turn your mobile phone into a VPN gateway. Presuming you are able to connect to a VPN on your mobile device, which you should be able to, you can turn your Android mobile device into a VPN gateway, which will send any tethered traffic through the VPN. This means your mobile provider cannot see the traffic as it's encrypted. The advantage of turning the phone into a VPN gateway is that you don't need to run any additional VPN applications on your mobile devices; this can be especially useful for a Windows laptop / tablet. The reason being that Windows likes to send internet traffic as you're connecting to a wireless network; my mobile provider detects this traffic and blocks my internet access on the phone before I even have time to connect to a VPN on the Windows mobile device.

    However, using a VPN gateway any tethered traffic will always be going through the VPN, so unless your mobile provider blocks the use of VPNs they will never know you're tethering. Result!

    Please note: you need some knowledge of networking and using a rooted Android device to follow this tutorial. I have tried to make it as easy as possible to follow, however it will be a lot easier if you have some background knowledge.

    Firstly before we go any further you are going to need the following:


    1. A rooted Android device
    2. A VPN server running either at home (free) or on a server somewhere on the internet.
    If you are looking for a hosted VPN Server, we strongly recommend NordVPN
    If you use the coupon code "2YDeal2017" you can get 2 years service for only $79.99 which is a massive steal. I picked NordVPN because of its zero logging policy, it's Netflix US friendly as well as P2P friendly while operating out of Panama meaning DMCA and Blocking Streams just doesn't happen.

    How to root your Android device and set up a VPN server is simply beyond the scope of this tutorial, however it's very easy to set up a VPN server with the OpenVPN Virtual Appliance. You can basically download a pre-configured Virtual Machine for Microsoft's Hyper-V or VMware ESXi, answer a few questions when the Virtual Machine launches and have a secure VPN server up and running on your network in a matter of minutes.

    As for rooting your phone, find the forum section for your mobile device on XDA Developers and you should find various tutorials on how to root the Android Mobile device you own.

    How to setup a VPN gateway on Android:

    First you need OpenVPN Connect installed on your Android device; this is free on the Google Play store. Load OpenVPN Connect and connect to your VPN.

    open-vpn-gateway-1.jpg

    Now go to Settings > More > Tethering & Portable Hotspot and enable the Portable Wi-Fi Hotspot

    open-vpn-gateway-2.jpg

    Now open the Android Terminal Emulator; this can also be downloaded from Google Play if it's not present on your device.

    Type su to enable super user access (root)

    open-vpn-gateway-3.jpg

    Grant super user access to Terminal Emulator if required:

    open-vpn-gateway-4.jpg

    Now type netcfg to show the name / status of the various network interfaces:

    open-vpn-gateway-5.jpg

    You will see above I have the following active interfaces:

    rmnet0 - this is the phone's 2G / 3G or 4G data connection
    wlan0 - this is the phone's Wi-Fi connection that your devices will be connecting to
    tun0 - this is our VPN tunnel that we want to send all the traffic of wlan0 through

    These interfaces should have the same name on all modern Android devices, however double check.

    You now want to basically type the following into the Android Terminal Emulator to configure iptables to route any traffic from wlan0 (the Wi-Fi hotspot on your phone) through the VPN connection (tun0).

    If you have not already gained super user rights type su, then copy and paste the following below:

    Code:
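    # Flush the existing forwarding and NAT rules
    iptables -t filter -F FORWARD
    iptables -t nat -F POSTROUTING
    # Accept all forwarded traffic and masquerade everything leaving the phone
    iptables -t filter -I FORWARD -j ACCEPT
    iptables -t nat -I POSTROUTING -j MASQUERADE
    # Packets from the hotspot subnet are routed using table 61
    ip rule add from 192.168.43.0/24 lookup 61
    # Table 61: default route via the VPN tunnel; hotspot subnet and broadcast stay on wlan0
    ip route add default dev tun0 scope link table 61
    ip route add 192.168.43.0/24 dev wlan0 scope link table 61
    ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61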
    
    open-vpn-gateway-6.jpg

    Tip: copy and paste the above into the Terminal Emulator to save you typing it out line by line on your phone and possibly making mistakes. Maybe save it as a txt file on your phone's SD card and copy and paste from that, as I have done below.

    open-vpn-gateway-7.jpg

    That's basically it for the configuration on your phone; the changes will however be lost when the phone is reset.
    To make the changes permanent create a file called userinit.sh in /data/local and paste all the iptables commands in it. This will basically run the iptables commands again when the phone boots, saving you from doing so manually.

    An easy way to do this is with Root Explorer which can be downloaded on the Google Play Store, this is a paid for app, however very useful to have on your device.

    On your client devices:

    The only configuration you need to do on your client devices is set the DNS server to point to the DNS server on the network you have connected to with your VPN; this would basically be the IP address of your home router unless you have another device configured for DNS queries on your network. I have no idea how to make Android hand out the correct DNS server unfortunately; we're basically playing with two separate things not designed to work together and making them play nice with a bit of trickery. However it's a very minor inconvenience to change the DNS settings on your client devices.

    Here is how to change the DNS settings on a Windows device. 192.168.1.1 is the IP address of my home router on the local network, which is the DNS server my client devices use.

    open-vpn-gateway-8.jpg

    Once you have changed the DNS server address Windows should be happy it has internet access:

    open-vpn-gateway-9.jpg

    Both your mobile phone and any client device connected to it via tethering can access any resources on your home network, such as network shares:

    open-vpn-gateway-10.jpg

    There you go, hopefully you have now learned how to turn your Android device into an OpenVPN gateway, allowing tethering even if your mobile provider blocks it. The additional bonus is you can access services and network shares on your home network using your laptop, even when away from home.

    Running an OpenVPN gateway on your phone is handy as it allows devices which can't run OpenVPN, such as Windows RT devices or even an Xbox games console, to still connect to a remote network through OpenVPN.
     
  2. MrNitvit

    MrNitvit Resident

    Joined:
    Mar 7, 2011
    Messages:
    103
    Likes Received:
    2
    Location:
    Somewhere you don't want to go.
    Would this let me go past my tethering limit of 4GB on Three?
     
  3. InsaneNutter

    InsaneNutter Resident Nutter Staff Member

    Yes as Three think you are just using your mobile phone and not a Laptop / PC.

    I have unlimited data, however can't tether at all officially, so it definitely works.
     
  4. MrNitvit

    MrNitvit Resident

    Ahh because I have unlimited data but they told me I had a 4GB limit for tethering.
     
  5. twan6q

    twan6q New Member

    Joined:
    Nov 8, 2014
    Messages:
    1
    Likes Received:
    0
    Can I use the VPN in the tethering. Because phone is off but I am using a VPN for data connection but haven't figured out how to tether the vpns data connection
     
  6. InsaneNutter

    InsaneNutter Resident Nutter Staff Member

    I'm not totally sure what you are asking, however if you do this all your internet traffic will go through the VPN.
     
  7. Fabio de Gaetano

    Fabio de Gaetano New Member

    Joined:
    Nov 25, 2014
    Messages:
    3
    Likes Received:
    0
    Hello, thanks a lot for this great thread. I've followed your step-by-step instructions and at the end I have my Windows laptop connected via Wi-Fi to my Android device, which is running a VPN (tunnelbear) and offering a hotspot. The Internet connection on the laptop seems all right, I even see some sent and received packets, but I have no Internet access from any browser. Even ping doesn't work, both to alias and IP addresses. No way. I don't know if this is related to the fact that I don't use a router, so that I couldn't set the DNS of my client to 192.168.1.1 or similar; so I tried setting as DNS address on the laptop both the smartphone address (192.168.1.43) or even Google DNS (8.8.8.8)... but no way, there is no connection.

    Thanks in advance for any help
     
  8. InsaneNutter

    InsaneNutter Resident Nutter Staff Member

    I'm not totally sure if this will work with tunnelbear. If you know the IP address of the server you are connected to on tunnelbear, try setting that as your DNS server.

    If you can open Terminal Emulator on your Android device and screenshot the results of the netcfg command (when connected to the VPN) I might be able to try to help you more.
     
  9. Fabio de Gaetano

    Fabio de Gaetano New Member

    Hi, here is netcfg result when android is connected to tunnelbear:




    u0_a53@sirius:/ $ netcfg
    rmnet7 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
    rmnet6 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
    rmnet5 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
    rmnet4 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
    rmnet3 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
    rmnet2 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
    rmnet1 DOWN 0.0.0.0/0 0x00000000 00:00:00:00:00:00
    rmnet0 UP 10.114.128.99/29 0x00000041 00:00:00:00:00:00
    rev_rmnet1 DOWN 0.0.0.0/0 0x00001002 7e:D5:fe:ca:94:49
    rev_rmnet0 DOWN 0.0.0.0/0 0x00001002 42:Dc:46:2d:97:e6
    rev_rmnet8 DOWN 0.0.0.0/0 0x00001002 06:ed:01:77:af:ee
    rev_rmnet7 DOWN 0.0.0.0/0 0x00001002 4a:01:fb:68:c5:ee
    rev_rmnet6 DOWN 0.0.0.0/0 0x00001002 da:76:8b:14:b3:e9
    rev_rmnet5 DOWN 0.0.0.0/0 0x00001002 42:1f:1a:88:c4:44
    rev_rmnet4 DOWN 0.0.0.0/0 0x00001002 42:48:71:6e:ac:Df
    rev_rmnet3 DOWN 0.0.0.0/0 0x00001002 3e:72:D8:bc:c6:9d
    rev_rmnet2 DOWN 0.0.0.0/0 0x00001002 96:84:ad:88:bc:3d
    dummy0 DOWN 0.0.0.0/0 0x00000082 e2:5d:c4:2a:42:ba
    wlan0 UP 192.168.43.1/24 0x00001043 44:D4:e0:D6:3a:21
    rmnet_usb0 DOWN 0.0.0.0/0 0x00001002 4e:15:3c:01:ce:06
    p2p0 DOWN 0.0.0.0/0 0x00001002 00:90:4c:33:22:11
    tun0 UP 172.18.10.118/30 0x00000051 00:00:00:00:00:00
    sit0 DOWN 0.0.0.0/0 0x00000080 00:00:00:00:00:00
    lo UP 127.0.0.1/8 0x00000049 00:00:00:00:00:00


    screensgot.jpg
     
  10. InsaneNutter

    InsaneNutter Resident Nutter Staff Member

    That all looks ok to me, it might be worth asking tunnelbear if they have any DNS servers you can use when connected to the VPN.

    I have only tested this using OpenVPN Access Server as the VPN server, however when running on a server with a dedicated IP address, for the DNS IP address I simply used the server's IP, which worked fine.
     
  11. Fabio de Gaetano

    Fabio de Gaetano New Member

    Hi, finally it works! The problem was just a mistake on the launch of the script userinit.sh. Thanks a lot for your help!
     
  12. goodandbetter

    goodandbetter New Member

    Joined:
    Dec 3, 2014
    Messages:
    2
    Likes Received:
    0
    Hello insanenutter, thank you very much for this helpful thread. I have followed your instructions and they work perfectly. The only thing that I can't get working is the "userinit.sh". I have created the file and stored it in the correct location (/data/local), but it does not seem to auto start on boot. I am using a custom ROM "rXTREME-KK-v.2.1-XXUFNJ1" on a rooted I9305.

    Thanks for any help that you can offer me.
     
  13. goodandbetter

    goodandbetter New Member

    Hi Fabio de Gaetano. Would you mind sharing how you got the userinit.sh to run automatically? Thanks for your help.
     
  14. Woogie

    Woogie New Member

    Joined:
    Jan 1, 2015
    Messages:
    2
    Likes Received:
    0
    Thank you for this tutorial. It's awesome, but I really need some help. I'm on T-Mobile using a rooted HTC One M7 with a custom ROM called ViperOne.


    I can input all the commands in terminal emulator up to the step where I'm supposed to enter:


    ip route add default dev tun0 scope link table 61


    Then it comes back with:


    RTNETLINK answers: File exists.


    After that it coughs up errors after each line, and I am still getting the tethering upsell screen on my other devices. I am using TORguard VPN service settings with the OpenVPN Android client. The VPN seems to be working as it shows the service's IP on a DNS leak test on both the phone and PC, but it is still counting PC traffic against my tethering limit.


    Thank you in advance for any help you can offer. I used to just be able to use a VPN client running on the PC, but their tethering detection has gotten smarter so really need this to work.
     
  15. InsaneNutter

    InsaneNutter Resident Nutter Staff Member

    When typing the commands in have you gained superuser rights by typing "su" (without quotes) first? Then granting superuser rights to Terminal Emulator?

    If you have been messing about with this, restart the phone as it will clear any previous changes you have made.
     
  16. Woogie

    Woogie New Member

    Yes, I am giving it superuser rights. I tried to post some screenshots but the board software won't let me because my account is too new. I can't even post the raw text from the netcfg results.

    Is there any other way to get them to you?
     
  17. InsaneNutter

    InsaneNutter Resident Nutter Staff Member

  18. Liam W

    Liam W New Member

    Joined:
    Jan 24, 2015
    Messages:
    1
    Likes Received:
    0
    Location:
    Barrow, Cumbria, England
    Thank you for the guide, very useful - I'm able to make my tethering connection go through my vpn which goes through my mobile internet... With a bit of wrangling.

    Do you know of any way to make DHCP work correctly? Currently, it appears DHCP on the phone is returning the VPN server's IP instead of a local IP... I want to use this for Chromecast, which doesn't like static configurations.

    Also, I'm using the built-in Android VPN system - I just had to change tun0 with ppp0.

    EDIT: I just noticed that if I turn off the VPN, DHCP works and WiFi connects. If I turn the VPN back on, the connection will go through the VPN. This should solve the Chromecast issue :)

    Liam
     
  19. Rickh

    Rickh New Member

    Joined:
    Feb 26, 2015
    Messages:
    1
    Likes Received:
    0
    Thanks for the very useful guide. I've got it running and it's all going well.

    There's one small annoyance though. I live in a rural area and sometimes the network connection drops for a 30 second period or so and then reconnects to a different tower.
    When that happens, OpenVPN disconnects, the tun0 device disappears, and the wifi tethering then seems to be sent through rmnet0, causing a tethering block (and requiring an airplane mode cycle).

    OpenVPN's 'Seamless Tunnel' feature sounds like it should stop this from happening, but obviously not.
    Do you have any ideas how to stop this, perhaps by routing traffic to nowhere if tun0 is not available (I tried doing this with the metric and the weight parameters but failed).

    Thanks in advance.
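
Added example (not part of the original thread or any poster's code): a POSIX shell check that parses `netcfg` output in the column layout shown earlier in the thread and reports whether the hotspot is behind a tunnel interface. It covers both the first post's advice to double check interface names and the fail-open state described in the post above, where the hotspot stays up after the tunnel interface disappears. The sample data is constructed, and the function name, result strings and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify `netcfg` output for the hotspot-through-VPN setup.
# Columns assumed (as in the thread's output): name state addr/prefix flags mac.

# Constructed samples; MAC addresses and the ppp0 line are made up.
SAMPLE_OK='rmnet0 UP 10.114.128.99/29 0x00000041 00:00:00:00:00:00
wlan0 UP 192.168.43.1/24 0x00001043 02:00:00:00:00:01
tun0 UP 172.18.10.118/30 0x00000051 00:00:00:00:00:00
lo UP 127.0.0.1/8 0x00000049 00:00:00:00:00:00'

# Tunnel gone after a reconnect: hotspot still up, no tun/ppp interface up.
SAMPLE_LEAK='rmnet0 UP 10.114.128.99/29 0x00000041 00:00:00:00:00:00
wlan0 UP 192.168.43.1/24 0x00001043 02:00:00:00:00:01
tun0 DOWN 0.0.0.0/0 0x00000050 00:00:00:00:00:00'

# Built-in Android VPN (ppp0 instead of tun0), as one poster reports.
SAMPLE_PPP='wlan0 UP 192.168.43.1/24 0x00001043 02:00:00:00:00:01
ppp0 UP 10.8.0.6/32 0x000010d1 00:00:00:00:00:00'

# Hotspot on a different subnet than the one hard-coded in the `ip rule`.
SAMPLE_SUBNET='wlan0 UP 192.168.49.1/24 0x00001043 02:00:00:00:00:01
tun0 UP 172.18.10.118/30 0x00000051 00:00:00:00:00:00'

# gateway_state [hotspot_if] [subnet_prefix]   (reads netcfg output on stdin)
# Prints one result line; exit status is 0 only when a tunnel is up.
#   ok <if>               hotspot up in the expected subnet, tunnel <if> up
#   leak                  hotspot up but no tun*/ppp* interface is up
#   subnet-mismatch <a>   hotspot address does not start with the prefix
#   hotspot-down          hotspot interface missing or down
# The prefix is compared as a leading string, not as a CIDR match.
gateway_state() {
    awk -v hs="${1:-wlan0}" -v net="${2:-192.168.43.}" '
        $2 == "UP" && $1 == hs { hs_addr = $3 }
        $2 == "UP" && $1 ~ /^(tun|ppp)[0-9]+$/ && tun == "" { tun = $1 }
        END {
            if (hs_addr == "")            { print "hotspot-down"; exit 3 }
            if (index(hs_addr, net) != 1) { print "subnet-mismatch " hs_addr; exit 2 }
            if (tun == "")                { print "leak"; exit 1 }
            print "ok " tun
        }'
}

# On the phone (as root): netcfg | gateway_state wlan0 192.168.43.
```

A non-zero exit status means traffic from the hotspot subnet is not covered by the table 61 routes as written in the first post, either because no tunnel interface is up or because the hotspot address is outside 192.168.43.0/24.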
     
  20. Serge De Coster

    Serge De Coster New Member

    Joined:
    Apr 3, 2015
    Messages:
    1
    Likes Received:
    0
    Getting the script to load on boot seems challenging. To start with I am trying to create a sh script to run it all at once manually. Something very weird is happening:

    This is my script "test.sh"


    echo "hello world!"
    iptables -t filter -F FORWARD


    If I execute these commands in the terminal as root, it works great.
    If I run "sh test.sh" it works great also.


    I then update the script to have 2 commands that include iptables. For testing purposes I make both the same. Here is how "test.sh" now looks:


    echo "hello world!"
    iptables -t filter -F FORWARD
    iptables -t filter -F FORWARD


    If I execute these commands in the terminal as root, it works great.
    If I run "sh test.sh" here is what I get:


    hello world!
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name


    I.e. both of the iptables commands did not work. As long as there is only 1 per file it works great, but as soon as there is more than 1 iptables command in the script, it gives the same error.


    What am I doing wrong? I tried:


    - putting the sh file in ./data/local and in ./sdcard
    - adding #!/system/bin/sh
    - running the sh file using "su sh test.sh" or "exec sg test.sh"


    All gave the same result.
    My phone is rooted, using stock rom.


    Thanks!
     
