Save data on mobile hotspots

^{January 2nd, 2022}

By default, Windows treats WiFi connections as non-metered. Simply said, as soon as you join your mobile hotspot, literally every background process will start using the Internet: download updates and who knows what else. It may hurt if you are charged per megabyte or if your data contingent is basically limited.

In order to avoid this issue, Microsoft introduced a flag called 'metered connection', which you can set for a particular WiFi profile. The problem is, probably no app takes care of that flag, which renders it useless.

One solution is to virtually disconnect the operating from the shared Internet and let only the app of your choice to get an actual connection. There are different possible scenarios for that. Let's start with the most flexible one, at least as of my opinion: a Socks-Proxy. It requires an Android phone as a server. No idea whether anything similar works for iPhones and, to be honest, I don't care.

Network Setup

Find out the network addressing schema for tethered Internet connection as offered by your phone (e.g. start the Internet sharing for a short time, connect your PC to the phone and write down the assigned IP address, Network Mask and Gateway Address).
Now, configure your PC's network adapter manually with an IP address of the same range, the same Network Mask, but (important!) skip setting any Gateway Address or DNS Servers. This way your client will be able to communicate with the phone over the shared WiFi network, but not with the Internet.

Option 1: SOCKS-Proxy

SOCKS Proxy Scenario

On the phone:

Install Termux (com.termux), a terminal emulation on your phone.
Optionally install AnLinux (exa.lnx.a), and choose a preferred linux distro for your Android device (if you choose to do it, following steps may differ in your case).
Within Termux, install openssh:

apt install openssh

Start the ssh daemon (will be listening on the port 8022):

sshd

Generate a key pair and copy the public key to ~/.ssh/authorized_keys

On the PC:

Start an ssh client on your PC with the following settings:

ssh -ND <local_port> <your_phone_ip> -p 8022 -i <private_key_path>

where

-N skips execution of remote commands (forwarding ports only)

-D enables dynamic port forwarding with SOCKS4 and SOCKS5 protocol on the port given as a local_port, which is just an arbitrary chosen port number on your local machine that will act as a proxy for your apps. Take anything above 1024.

your_phone_ip is the Gateway Address you noted down in the preparation steps.

private_key_path is a path to the private SSH key in an OpenSSH format. The OpenSSH will complain if the access rights are too relaxed. On Windows, you will have to remove access rights to anyone but you in order to proceed.

Configure your apps to use the configured port as a SOCKS5 proxy. Please note, the DNS queries are to be proxied as well. Firefox, for example, requires an additional option for that. On the about:config page, look for a setting called network.proxy.socks_remote_dns and set it to true.

Option 2: socat

socat Scenario

The difference of this scenario is, all traffic from the PC will be redirected to a fixed location (Target A on the diagram). Depending on the needs, you may want either multiple such redirects or a proxy server on the Target A, so that other destinations are dynamically reachable (Target B on the diagram).

On the phone:

Same preparation, just instead of the openssh, install socat:

apt install socat

Start forwarding connections to a fixed target:

socat TCP-LISTEN:<phone_port>,fork TCP:<target_address>:<target_port>

where

phone_port is an arbitrary chosen port number on your phone that will receive connections from your PC. Take anything above 1024.

target_address and target_port is the location in the Internet, to which the traffic should be forwarded.

On the PC:

Configure your app to connect your phone on the phone_port chosen above. Your phone's IP address is the Gateway Address as noted before.

Good to know:

If you need to reach dynamic addresses/ports, you would need a proxy on the target machine. It's installation and configuration is out of scope of this article.
If you need just a few fixed targets, create a port forwarding for each of them. You may need to shift each socat session in the background.
A big advantage of socat is, you can forward UDP protocol as well, e.g. socat UDP4-RECVFROM:<phone_port>,fork UDP4-SENDTO:<target_address>:<target_port>.
Similarly, for the IPv6 protocol the options are called TCP6 and UDP6. For listening, TCP6-LISTEN and UDP6-LISTEN, if the hotspot works in IPv6 schema.

Next: Eavesdropped using Pegasus

Previous: Files Ninja

Main Menu