Cellular Tethering with Squid for UserAgent String masking


  • Most cellular providers block tethering from your phone unless you pay per MB. They block tethering by detecting your browser string and blocking your HTTP (port 80) requests if the string matches common Windows browser strings. You could install a UserAgent String changer for each browser on each computer to get around this.

    But I have found a much easier way. We can use Squid to change the UserAgent String in the HTTP header of all port 80 traffic that passes through pfSense. This allows us to use stock browsers with no UserAgent String changer add-ons.

    I am using pfSense 2.1-RELEASE & Squid3 3.1.20. Version 2.7.9 was not compiled to support String injection, and I have not tested any versions newer than 3.1.20. They should work, but maybe with different config lines in squid.conf.

    
    1.) Install Squid3 Beta 3.1.20 pkg 2.0.7
    
    2.) Browse to the Squid GUI.
    
    3.) Proxy interface = LAN
    
    4.) Allow users on interface = checked
    
    5.) Transparent HTTP proxy = checked (This will allow all port 80 (HTTP) traffic to have the UserAgent String changed.)
    
    6.) Bypass proxy for Private Address destination = checked
    
    7.) Disable X-Forward = checked (I am not sure what this does, but it seems to block adding the client IP to the HTTP header, which is good)
    
    8.) On the "General" tab, in the "Custom Options" box, enter:
    
    request_header_access User-Agent deny all
    request_header_replace User-Agent .
    
    	***If your Cell Provider blocks "." as a UserAgent String try other strings.***
    	***Usually the strings used by your cell phone's browser when in "Desktop Mode" will be allowed.***
    	***You can browse to a User Agent String Check site to check your string.***
    
    9.) Go to "Status" --> "Services" on the top of the pfSense page.
    
    10.) Restart "squid".
    
    11.) Test your browser and enjoy!  :)
    
    Notes:
    
    	HTTPS traffic is passed over port 443. Most cellular providers do not proxy this traffic as it would be an invasion of privacy.
    	It would also cause invalid certificates for users. So there is no need to change the UserAgent String on this traffic.
    
    	I have noticed that ad blockers (AdAway, AdFree, etc.) that modify the hosts file on Android devices used for tethering will
    	prevent loading of some sites. The sites will either completely fail to load, partially load, or take a very long time to load.
    	It is recommended that you disable these ad blockers while tethering if you notice issues.
    

    On the hardware side, I was not able to acquire a compatible Wi-Fi card/USB stick for the WAN link on my pfSense box. So I purchased a $30 Linksys N150 E800 Wi-Fi/Ethernet internet gateway (router) at Walmart. I flashed DD-WRT onto it and converted the device into a wireless bridge.

    So my connection goes as follows: Cell Phone Wi-Fi AP --> Linksys N150 in wireless bridge mode --> pfSense WAN port --> pfSense LAN port --> Switch & Linksys WAP54g Wi-Fi AP. :)
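
To confirm what steps 7 and 8 actually change on the wire, the following added example (not part of the original post) parses the request headers an origin server receives and reports whether User-Agent carries the replacement value and whether X-Forwarded-For is present. The sample requests, the host name check.example, port 8080 and all function names are assumptions made for illustration.

```python
"""Header audit for the Squid settings above (added example, constructed data)."""
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_UA = "."  # the value given to request_header_replace in step 8

def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x request into a lower-cased dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(headers: dict, expected_ua: str = EXPECTED_UA) -> dict:
    """Report whether User-Agent was rewritten and the client IP withheld."""
    ua = headers.get("user-agent")
    return {
        "user_agent": ua,
        "ua_replaced": ua == expected_ua,
        "client_ip_leaked": "x-forwarded-for" in headers,
    }

# Constructed samples: one request as forwarded with Squid defaults,
# and the same request with steps 7 and 8 applied.
DEFAULT = (b"GET / HTTP/1.1\r\nHost: check.example\r\n"
           b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0\r\n"
           b"X-Forwarded-For: 192.168.1.50\r\n\r\n")
REWRITTEN = b"GET / HTTP/1.1\r\nHost: check.example\r\nUser-Agent: .\r\n\r\n"

class Echo(BaseHTTPRequestHandler):
    """Replies with the audit of the headers that actually reached this server."""
    def do_GET(self):
        report = audit({k.lower(): v for k, v in self.headers.items()})
        body = repr(report).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    print("squid defaults :", audit(parse_headers(DEFAULT)))
    print("steps 7 and 8  :", audit(parse_headers(REWRITTEN)))
    HTTPServer(("0.0.0.0", 8080), Echo).serve_forever()  # port is an assumption
```

Because step 6 bypasses the proxy for private address destinations, the echo server only sees Squid's rewritten headers when it runs on a host with a public address.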