Skip to content
Switch branches/tags

VPN Hotspot

CircleCI API Releases Language: Kotlin Codacy Badge License

Connecting things to your VPN made simple. Share your VPN connection over hotspot or repeater. (root required)
, sign up for beta

This app is useful for:

  • Connecting things that don't support VPN like Chromecasts behind corporate firewalls;
  • Setting up gapps behind corporate firewalls;
  • Connecting to your mobile hotspot but you're not bothered to set up VPN on your device;
  • Identifying, monitoring and blocking (unwanted) clients;
  • Bypassing tethering limits by:
    • (recommended) Use this app with a real VPN/socksifier;
    • Use this app with some adblock/DNS apps that uses system VPN service APIs, i.e. fake VPNs; (troubleshooting/a list of apps that work)
    • Try your luck and simply use this app.

P.S. You can also do the similar on Windows, Mac, and iOS. I don't know about you but I can't get my stupid Windows 10 to work with hosted network now that they introduced this Mobile hotspot.

Features That Requires System App Installation

The following features in the app requires it to be installed under /system/priv-app since some restricted permissions are required. One way to do this is to use App systemizer for Magisk.

  • (Android 8-10, since app v2.4.0) android.permission.OVERRIDE_WIFI_CONFIG: Read/write system Wi-Fi hotspot configuration. (#117)

Installing as system app also has the side benefit of launching root daemon less frequently due to having privileged permissions listed below.

  • android.permission.LOCAL_MAC_ADDRESS
  • android.permission.MANAGE_USB
  • android.permission.OVERRIDE_WIFI_CONFIG
  • android.permission.READ_WIFI_CREDENTIAL
  • android.permission.TETHER_PRIVILEGED
  • android.permission.WRITE_SECURE_SETTINGS

Whenever you install an app update, if there was a new protected permission addition (last updated in v2.10.4), you should update the app installed in system as well to make the system grant the privileged permission.

Settings and How to Use Them

Default settings are picked to suit general use cases and maximize compatibility but it might not be optimal for battery life.


  • Upstream network interface: Main upstream regex used to reroute traffic. Leave blank for auto detect system VPN (allow/do not bypass this app to use VPN for it to work). Put none (or a^ or other similarly invalid entries) to suppress tethering VPN.
  • Fallback upstream: Fallback upstream is used when some VPN leave certain routes fallback to default network interface. Leave blank for auto detect. Put none (or a^ or other similarly invalid entries) to forbid falling back. Put other interface name if you feel like it.
  • IP Masquerade Mode:
    • None: Nothing will be done to remap address/port from downstream. I find turning this option off sometimes works better for dummy VPNs like ad-blockers and socksifiers than Simple mode, e.g. Shadowsocks. But you should never use this for real VPNs like OpenVPN, etc.
    • Simple: Source address/port from downstream packets will be remapped and that's about it.
    • (since Android 9) Android Netd Service: Let your system handle masquerade. Android system will do a few extra things to make things like FTP and tethering traffic counter work. You should probably not use this if you are trying to hide your tethering activity from your carrier.


  • Disable IPv6 tethering: Turning this option on will disable IPv6 for system tethering. Useful for stopping IPv6 leaks as this app currently doesn't handle IPv6 VPN tethering (see #6).
  • (since Android 8.1) Tethering hardware acceleration: This is a shortcut to the same setting in system Developer options. Turning this option off is probably a must for making VPN tethering over system tethering work, but it might also decrease your battery life while tethering is enabled.
  • Enable DHCP workaround: Only used if your device isn't able to get your clients IP addresses with VPN on. This is a global setting, meaning it will only be applied once globally.


  • Keep Wi-Fi alive: Acquire Wi-Fi locks when repeater, temporary hotspot or system VPN hotspot is activated.
    • Choose "System default" (default since Android 10) to save battery life;
    • (prior to Android 10) Choose "On" (default) if repeater/hotspot turns itself off automatically or stops working after a while;
    • (prior to Android 10) Choose "High Performance Mode" to minimize packet loss and latency (will consume more power);
    • (since Android 10) Choose "Disable power save" to decrease packet latency. An example use case is when a voice connection needs to be kept active even after the device screen goes off. Using this mode may improve the call quality. Requires support from the hardware.
    • (since Android 10) Choose "Low latency mode" to optimize for reduced packet latency, and this might result in:
      1. Reduced battery life.
      2. Reduced throughput.
      3. Reduced frequency of Wi-Fi scanning. This may cause the device not roaming or switching to the AP with highest signal quality, and location accuracy may be reduced. Example use cases are real time gaming or virtual reality applications where low latency is a key factor for user experience. Requires support from the hardware. Note: Requires this app running in foreground with screen on.
  • Start repeater on boot: Self explanatory.
  • Repeater safe mode: (Android 10, March 2020 security patch or newer) You might be required to turn this mode off if you want to use short SSID (at most 8 bytes long). Unsafe mode might not work for your device, and there is a small chance you will soft brick your device (recoverable). See #153 for more information.
  • Network status monitor mode: This option controls how the app monitors connected devices as well as interface changes (when custom upstream is used). Requires restarting the app to take effects. (best way is to go to app info and force stop)
    • Netlink monitor: Use Linux netlink mechanism, most battery efficient but may not work with SELinux enforcing mode. Sometimes auto fallbacks to Netlink monitor with root and Poll.
    • Netlink monitor with root: Same as above but runs netlink as root. This option works well with SELinux enforcing mode but might still be bugged on devices heavily modified by OEM and/or carriers. Sometimes auto fallbacks to Poll.
    • Poll: (default) Update network information manually every second. Least battery efficient but it should work on most devices. Recommended to switch to other modes if possible.
    • Poll with root: Same as Poll but polling is done using a root shell.

Q & A

Search the issue tracker for more.

What changes exactly can this app do to my system? (and how to revert them)

No root?

Failed to create group due to internal error/repeater shuts down after a while?

This could caused by the Wi-Fi channel you selected is no longer available, due to:

  1. Your device doesn't support operating on this channel, or
  2. There is some nearby Wi-Fi direct device that broadcasted that it can't operate on the channel you picked.

For maximum stability, you need to set channel = 0 so that your device will pick a channel automatically. You can also use WPS to connect your 2.4GHz-only device to force the repeater to switch from 5GHz to 2.4GHz for this time.

Private APIs used / Assumptions for Android customizations

a.k.a. things that can go wrong if this app doesn't work.

This is a list of stuff that might impact this app's functionality if unavailable. This is only meant to be an index. You can read more in the source code.

Greylisted/blacklisted APIs or internal constants: (some constants are hardcoded or implicitly used)

Hidden whitelisted APIs: (same catch as above, however, things in this list are less likely to be broken)

Nonexported system resources:

  • (since API 30)
  • (since API 30)
  • (since API 30)
  • (since API 30)
  • (since API 30)
  • (since API 30)
  • (since API 30)


  • (since API 29) needs to be parcelized in a very specific order, except for possible extra fields at the end. (used only for safe mode)
  • Activity$TetherSettingsActivity is assumed to be exported.

For ip rule priorities, RULE_PRIORITY_SECURE_VPN and RULE_PRIORITY_TETHERING is assumed to be 12000 and 18000 respectively; (prior to API 24) RULE_PRIORITY_DEFAULT_NETWORK is assumed to be 22000 (or at least > 18000). DHCP server like dnsmasq is assumed to run and send DHCP packets as root.

Undocumented system binaries are all bundled and executable:

  • (since API 24) iptables-save, ip6tables-save;
  • echo;
  • /system/bin/ip (monitor neigh rule unreachable);
  • ndc (ipfwd since API 23, nat since API 28);
  • iptables, ip6tables (with correct version corresponding to API level, -nvx -L <chain>);
  • sh;
  • su.

Wi-Fi driver wpa_supplicant:


Share your VPN connection over hotspot or repeater! (root required)




Sponsor this project



No packages published