I have a rooted android device with a VPN app installed and I want to route all traffic from Mobile Hotspot(swlan0) through VPN(tun0).
I ran this script found on github(from 5 years ago) to update iptables on the Android rooted device but my other device connected(ip 192.168.43.181/24 gateway 192.168.43.112) through swlan0 does not get the traffic routed through the VPN.
Looking at the routes, I don't see any route for swlan0. Could the android script be outdated that it is missing to add routes to swlan0 device in table 61? Any hints on what could be wrong and/or how to fix it?
#echo $wifiIP
192.168.1
#echo $wifi
1
# Inital variable setup
tethering=0
# Setup iptables before forwarding VPN
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
# Check if WIFI is tethered, if so forward VPN
wifi=$(dumpsys wifi | grep curState=StartedState | wc -l)
wifiIP=$(ifconfig wlan0 2>/dev/null | grep "inet addr" | cut -d":" -f2 | cut -d' ' -f1 | cut -d'.' -f1-3)
if [[ "$wifi" -gt 0 ]];
then
ip rule add from "$wifiIP".0/24 lookup 61
touch /storage/emulated/0/vpn-hotspot.lock
nohup sh -c 'while [[ -f /storage/emulated/0/vpn-hotspot.lock ]]; do ip route add default dev tun0 scope link table 61; sleep 180; done;' </dev/null >/dev/null 2>&1 &
echo $! > /storage/emulated/0/vpn-hotspot.pid
ip route add "$wifiIP".0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
wifiTethered=1
tethering=1
echo "Set up VPN on WIFI successfully"
else
wifiTethered=0
echo "Not tethering on WIFI"
fi
#ifconfig
lo Link encap:UNSPEC
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope: Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 TX bytes:0
tun0 Link encap:UNSPEC
inet addr:10.2.0.2 P-t-P:10.2.0.2 Mask:255.255.255.255
inet6 addr: fe80::ceed:722f:7718:ef59/64 Scope: Link
UP POINTOPOINT RUNNING MTU:1280 Metric:1
RX packets:4059 errors:0 dropped:0 overruns:0 frame:0
TX packets:3252 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:3255334 TX bytes:360377
wlan0 Link encap:UNSPEC
inet addr:192.168.1.153 Bcast:192.168.1.255 Mask:255.25
5.255.0
inet6 addr: 2804:30c:1b11:100:68c2:f3ff:fe28:fb4e/64 Scop
e: Global
inet6 addr: fd4b:c3dd:1793:0:1803:3567:3317:a215/64 Scope
: Global
inet6 addr: 2804:30c:1b11:100:1803:3567:3317:a215/64 Scop
e: Global
inet6 addr: fe80::68c2:f3ff:fe28:fb4e/64 Scope: Link
inet6 addr: fd4b:c3dd:1793:0:68c2:f3ff:fe28:fb4e/64 Scope
: Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:420883 errors:0 dropped:3 overruns:0 frame:0
TX packets:141806 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:516850927 TX bytes:18288110
swlan0 Link encap:UNSPEC
inet addr:192.168.43.112 Bcast:192.168.43.255 Mask:255.
255.255.0
inet6 addr: fe80::cca5:d5ff:fe10:1171/64 Scope: Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:50844 errors:0 dropped:0 overruns:0 frame:0
TX packets:103745 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3666610 TX bytes:127952229
:/
#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N block_all_dns
-N block_allow_table
-N block_block_table
-N block_tcp_ports
-N block_udp_ports
-N bw_FORWARD
-N bw_INPUT
-N bw_OUTPUT
-N bw_VIDEOCALL_IN
-N bw_VIDEOCALL_OUT
-N bw_costly_shared
-N bw_data_saver
-N bw_global_alert
-N bw_happy_box
-N bw_penalty_box
-N bw_videocall_box
-N firewall_f
-N firewall_r
-N fw_FORWARD
-N fw_INPUT
-N fw_OUTPUT
-N input_dos
-N oem_fwd
-N oem_out
-N st_OUTPUT
-N st_clear_caught
-N st_clear_detect
-N st_penalty_log
-N st_penalty_reject
-N tetherctrl_FORWARD
-N tetherctrl_counters
-A INPUT -j bw_INPUT
-A INPUT -j fw_INPUT
-A INPUT -j input_dos
-A INPUT -j bw_VIDEOCALL_IN
-A INPUT -j bw_VIDEOCALL_OUT
-A INPUT -j bw_videocall_box
-A INPUT -j firewall_f
-A FORWARD -j ACCEPT
-A OUTPUT -j oem_out
-A OUTPUT -j fw_OUTPUT
-A OUTPUT -j st_OUTPUT
-A OUTPUT -j bw_OUTPUT
-A OUTPUT -j bw_VIDEOCALL_IN
-A OUTPUT -j bw_VIDEOCALL_OUT
-A OUTPUT -j bw_videocall_box
-A OUTPUT -j firewall_f
-A bw_INPUT -j bw_global_alert
-A bw_INPUT -p esp -j RETURN
-A bw_INPUT -m mark --mark 0x100000/0x100000 -j RETURN
-A bw_INPUT -j MARK --set-xmark 0x100000/0x100000
-A bw_OUTPUT -j bw_global_alert
-A bw_costly_shared -j bw_penalty_box
-A bw_data_saver -j RETURN
-A bw_global_alert -m quota2 ! --name globalAlert --quota 2097152
-A bw_happy_box -m bpf --object-pinned /sys/fs/bpf/netd_shared/prog
_netd_skfilter_allowlist_xtbpf -j RETURN
-A bw_happy_box -j bw_data_saver
-A bw_penalty_box -m bpf --object-pinned /sys/fs/bpf/netd_shared/pr
og_netd_skfilter_denylist_xtbpf -j REJECT --reject-with icmp-port-u
nreachable
-A bw_penalty_box -j bw_happy_box
-A firewall_f -o tun+ -m bpf --object-pinned /sys/fs/bpf/prog_ss_ne
td_skfilter_mobilefw_xtbpf -j firewall_r
-A firewall_f -o rmnet+ -m bpf --object-pinned /sys/fs/bpf/prog_ss_
netd_skfilter_mobilefw_xtbpf -j firewall_r
-A firewall_f -o wlan+ -m bpf --object-pinned /sys/fs/bpf/prog_ss_n
etd_skfilter_wlanfw_xtbpf -j firewall_r
-A firewall_r -j REJECT --reject-with icmp-port-unreachable
-A input_dos -p tcp -m conntrack --ctstate NEW -m limit --limit 50/
sec --limit-burst 50 -j ACCEPT
-A input_dos -p tcp -m conntrack --ctstate NEW -j DROP
-A st_clear_detect -m connmark --mark 0x2000000/0x2000000 -j REJECT
--reject-with icmp-port-unreachable
-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN
-A st_clear_detect -p tcp -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x
3c@0x0&0xffff0000=0x16030000&&0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x4&0xf
f0000=0x10000" -j CONNMARK --set-xmark 0x1000000/0x1000000
-A st_clear_detect -p udp -m u32 --u32 "0x0>>0x16&0x3c@0x8&0xffff00
00=0x16fe0000&&0x0>>0x16&0x3c@0x14&0xff0000=0x10000" -j CONNMARK --
set-xmark 0x1000000/0x1000000
-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN
-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32
"0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0x0=0x0" -j st_clear_caught
-A st_clear_detect -p udp -j st_clear_caught
-A st_penalty_log -j CONNMARK --set-xmark 0x1000000/0x1000000
-A st_penalty_log -j NFLOG
-A st_penalty_reject -j CONNMARK --set-xmark 0x2000000/0x2000000
-A st_penalty_reject -j NFLOG
-A st_penalty_reject -j REJECT --reject-with icmp-port-unreachable
-A tetherctrl_FORWARD -j DROP
-A tetherctrl_counters -i swlan0 -o wlan0 -j RETURN
-A tetherctrl_counters -i wlan0 -o swlan0 -j RETURN
:/ #
#ip route show table all
default dev tun0 table tun0 proto static scope link
10.2.0.2 dev tun0 table tun0 proto static scope link
192.168.1.0/24 dev wlan0 table wlan0_local proto static scope link
10.2.0.2 dev tun0 table tun0_local proto static scope link
default dev tun0 table 61 scope link
192.168.1.0/24 dev wlan0 table 61 scope link
broadcast 255.255.255.255 dev wlan0 table 61 scope link
80.233.119.122 via 192.168.1.1 dev wlan0 table legacy_system proto
static
default via 192.168.1.1 dev wlan0 table wlan0 proto static
192.168.1.0/24 dev wlan0 table wlan0 proto static scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.153
local 10.2.0.2 dev tun0 table local proto kernel scope host src 10.
2.0.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src
127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 12
7.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.
0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope lin
k src 127.0.0.1
broadcast 192.168.1.0 dev wlan0 table local proto kernel scope link
src 192.168.1.153
local 192.168.1.153 dev wlan0 table local proto kernel scope host s
rc 192.168.1.153
broadcast 192.168.1.255 dev wlan0 table local proto kernel scope li
nk src 192.168.1.153
2000::/3 dev tun0 table tun0 proto static metric 1024 pref medium
fe80::/64 dev tun0 table tun0 proto kernel metric 256 pref medium
2804:30c:1b11:100::/64 dev wlan0 table wlan0_local proto static met
ric 1024 pref medium
fd4b:c3dd:1793::/64 dev wlan0 table wlan0_local proto static metric
1024 pref medium
fe80::/64 dev wlan0 table wlan0_local proto static metric 1024 pref
medium
2000::/3 dev tun0 table tun0_local proto static metric 1024 pref me
dium
2804:30c:1b11:100::/64 dev wlan0 table wlan0 proto kernel metric 25
6 expires 523472sec pref medium
2804:30c:1b11:100::/64 dev wlan0 table wlan0 proto static metric 10
24 pref medium
2804:30c:1b11:100::/56 via fe80::52eb:f8ff:fe19:f1d8 dev wlan0 tabl
e wlan0 proto ra metric 1024 expires 1669sec pref medium
fd4b:c3dd:1793::/64 dev wlan0 table wlan0 proto kernel metric 256 p
ref medium
fd4b:c3dd:1793::/64 dev wlan0 table wlan0 proto static metric 1024
pref medium
fd4b:c3dd:1793::/48 via fe80::52eb:f8ff:fe19:f1d8 dev wlan0 table w
lan0 proto ra metric 1024 expires 1669sec pref medium
fe80::/64 dev wlan0 table wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 table wlan0 proto static metric 1024 pref mediu
m
default via fe80::52eb:f8ff:fe19:f1d8 dev wlan0 table wlan0 proto r
a metric 1024 expires 1669sec mtu 1492 hoplimit 64 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2804:30c:1b11:100:1803:3567:3317:a215 dev wlan0 table local p
roto kernel metric 0 pref medium
local 2804:30c:1b11:100:68c2:f3ff:fe28:fb4e dev wlan0 table local p
roto kernel metric 0 pref medium
local fd4b:c3dd:1793:0:1803:3567:3317:a215 dev wlan0 table local pr
oto kernel metric 0 pref medium
local fd4b:c3dd:1793:0:68c2:f3ff:fe28:fb4e dev wlan0 table local pr
oto kernel metric 0 pref medium
local fe80::68c2:f3ff:fe28:fb4e dev wlan0 table local proto kernel
metric 0 pref medium
local fe80::ceed:722f:7718:ef59 dev tun0 table local proto kernel m
etric 0 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
