Tethering VPN on Android

I guess many people search the Internet with the words “android vpn tether”, and there surely are many hits.  The basic problem people are trying to solve is to create a wifi hotspot that sends all traffic over some VPN connection.  Android can by itself create a wifi hotspot allowing your 3G or 4G connection to be shared with other devices over wifi.  Just click the hotspot icon, change the name and password if you like, and off you go.  Your Android phone can also make connections to some VPN if you e.g. install Wireguard or one of the several OpenVPN client apps.  That also works nicely.  But how about using the two at the same time?  I think there are some variations of failure, but it never does what you really want:  Share or tether the VPN connection over wifi.  It is – according to many websites – a careful decision by Google not to allow this.

But go a bit further, and you will find several apps or simple scripts that will allow sharing a VPN connection, and which all require your phone to be rooted.  A script like:

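# Flush the existing forwarding and NAT rules
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
# Accept all forwarded traffic and masquerade everything that leaves the phone
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
# Policy routing: traffic from the hotspot network is looked up in table 61
ip rule add from 192.168.43.0/24 lookup 61
# Table 61: default route into the VPN tunnel, plus the hotspot network on wlan0
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61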

is found in lots of places (it assumes your VPN tunnel is on tun0, which typically is the case for OpenVPN), and it is often told that it does the trick for you.  I believe many of the available apps do the same behind the scenes.  And it is correct: if you start a VPN connection, start the hotspot, and run this script as root, your wifi connection is shared.  But does it “work”?  Have you tried connecting to that shared hotspot from another device?  Chances are it doesn’t work.  It didn’t work for me.  But there is a solution or a workaround, which I’ll describe below.

The core of the problem is that the VPN tethering device doesn’t give out proper IP information to the client devices when they connect.  But you can manually configure those client devices to have static IP addresses, gateway and – if needed – DNS.  The IP address of the wifi hotspot itself is always 192.168.43.1 (but see the note below for Android 9), so the connected devices need (distinct) IP addresses like 192.168.43.2 .. 254.  Look at the image here at the left; this is how I have configured the wifi settings for an Android device that is getting connected to my tethered vpn hotspot.  You need to open advanced settings and then choose a static IP address; I chose 192.168.43.13 here while the gateway is 192.168.43.1 and the network prefix length is kept at 24.  I also add a DNS 1 address here – the value 192.168.2.1 is specific for my VPN connection, and it will likely differ for yours so check with your VPN provider.  Often 8.8.8.8 or 1.1.1.1 will work; as you can see, I am actually using 1.1.1.1 as DNS 2.  Note that if you want to connect multiple devices to your VPN tethered hotspot, you need to manually make sure they get different IP addresses such as 192.168.43.2, 192.168.43.3, 192.168.43.4, etc.

So a summary of the steps is:

  • Use a rooted Android device as your VPN tethered hotspot
  • Install a VPN app on it – I recommend Wireguard or an OpenVPN app; ensure you can create a VPN connection.
  • Save the above commands in a script; I recommend using the “FX” app, which also has the possibility to save the script as a named shortcut on your device.  Make sure to check the “root” option.
  • When you want to operate the VPN tethered hotspot, create the VPN connection and start the hotspot (the standard Android feature), and then run your root script.  If you get a non-existing device error, it is probably because your VPN connection isn’t running or is running on something other than tun0.  If you run it again, you will get errors about something already existing; you can safely ignore those.
  • Each of the devices you want to connect to the VPN tethered hotspot needs to have manual configuration of its IP settings as described above; each needs a different IP address in the 192.168.43.x range where x is between 2 and 254.
  • NOTE: As of Android 9 (LineageOS 16), the IP address of the wifi hotspot is no longer fixed at 192.168.43.1; a new (apparently) random one is used each time the hotspot is turned on.  Effectively, this means the procedure no longer works.  To make it work on Android 9, you would need to find the IP address of the hotspot and change the default gateway to that IP address for all devices connecting to your hotspot, which would be a tedious thing to do.
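
A more defensive variant of the script, added here as an example and not the script from the post above: it reads the hotspot network from wlan0 instead of hard-coding 192.168.43.0/24, limits forwarding and NAT to wlan0 → tun0, and adds a fallback route so client traffic is rejected rather than routed elsewhere if the tunnel drops.  The function names and the VPN_IF, AP_IF and DRY_RUN variables are this example's own; tun0, wlan0 and table 61 are taken from the post, and only /24 hotspot networks are handled.

```shell
#!/system/bin/sh
# Added example, not the article's script. Assumptions: VPN on tun0, hotspot on
# wlan0, routing table 61 (as in the article); only /24 hotspot networks handled.
VPN_IF="${VPN_IF:-tun0}"; AP_IF="${AP_IF:-wlan0}"; TABLE=61

# Turn one line of `ip -o -4 addr show dev wlan0` into the hotspot network, so
# nothing is hard-coded to 192.168.43.0/24 (Android 9 uses a changing address).
subnet_from_addr_line() {
    cidr=$(printf '%s\n' "$1" | sed -n 's/.* inet \([0-9.]*\/[0-9]*\) .*/\1/p')
    [ "${cidr#*/}" = "24" ] || return 1
    printf '%s.0/24\n' "${cidr%.*}"
}

# Print the commands for hotspot network $1. Unlike the article's script,
# forwarding and NAT are limited to wlan0 -> tun0, and an "unreachable" fallback
# route makes clients fail closed if tun0 disappears instead of falling through
# to the phone's other routing tables.
build_rules() {
    cat <<EOF
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -A FORWARD -i $AP_IF -o $VPN_IF -s $1 -j ACCEPT
iptables -t filter -A FORWARD -i $VPN_IF -o $AP_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i $AP_IF -j DROP
iptables -t nat -A POSTROUTING -s $1 -o $VPN_IF -j MASQUERADE
ip rule del from $1 lookup $TABLE
ip rule add from $1 lookup $TABLE
ip route replace default dev $VPN_IF scope link table $TABLE
ip route replace unreachable default metric 1000 table $TABLE
ip route replace $1 dev $AP_IF scope link table $TABLE
ip route replace broadcast 255.255.255.255 dev $AP_IF scope link table $TABLE
EOF
}

# Run the commands as root (DRY_RUN=1 only prints them). The first run reports
# a harmless failure for "ip rule del" because the rule does not exist yet.
apply_rules() {
    ip link show "$VPN_IF" >/dev/null 2>&1 || { echo "no $VPN_IF device; start the VPN first" >&2; return 1; }
    line=$(ip -o -4 addr show dev "$AP_IF" | head -n 1)
    net=$(subnet_from_addr_line "$line") || { echo "no /24 address on $AP_IF" >&2; return 1; }
    build_rules "$net" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"
        else $cmd || echo "failed: $cmd" >&2; fi
    done
}

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Run it with DRY_RUN=1 and the apply argument first to read the commands it would execute; client devices still need the static IP settings described above, with the gateway set to the hotspot's current address.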

A final remark is that I typically get throughput performance of at least 10Mb/s, often 20Mb/s download and somewhat less upload, while ping times typically are in the 30-40ms range.

It should also be mentioned that you can create a very similar setup – that is, a portable wifi hotspot over a VPN connection – using the GL-MiFi from Shenzhen-based GL-iNet.  However, due to the low-performance CPU, the best possible throughput is limited to around 5Mb/s.
