Instead of writing iptables by hand, maybe this would work: https://fedoramagazine.org/internet-connection-sharing-networkmanager/ ?
Good Job Purism !
I guess that would need to be tested on the Librem 5.
If it does work then it avoids the need to assign static IP addresses on the ethernet side and instead gives you DHCP for the clients.
I wish that had come up in testing. 
I updated the video to show using networkmanager instead of iptables. 
Do you think it would be viable to run a OpenWrt Virtual Machine in QEMU on Librem 5 and this way get a sandboxed router?
OpenWrt does not require a lot of resources. It runs even on very underpowered ARM devices. At the same time it has a powerful set of features.
I just want to be able to get a more advanced Hot Spot out of Librem 5.
The current hot spot does not let me set WPA3. And maybe I could also use WiFi Dongles with the L5 for extra capability.
That sounds “bleeding edge”, so you tell us. 
Why is that? Is it a limitation of the WiFi card firmware or of the software on the phone itself? And if the latter, where specifically?
Is that the only feature that you need for your hotspot or are there other specific features?
In my opinion it is a limitation of the software on the phone.
At the moment Librem 5 can connect as a client to WPA3 networks.
What is missing is hosting WPA3 networks as a hotspot.
The limitation is that in the GNOME frontend when you set up a hotspot there is no option to choose any security settings for the hotspot apart from the password. It just shows WPA. It is definitely not WPA3 and I am not sure if it is even WPA2.
Trying to manually edit the files where the hotspot settings are kept takes no effect as they get overwritten when you turn on the hotspot.
This is currently the main feature I am interested in.
Later on it would be interesting to be able to route the whole traffic of the clients connected to the Librem 5 hotspot through a VPN or Tor tunnel.
Also to create different networks maybe with the use of external WiFi cards connected through the USB port.
It may be that if you want advanced features, you can’t use the GUI to turn on the hotspot because it will choose certain configuration automatically - and instead you should
- understand what actions the GUI would cause to occur
- instead carry out those actions manually
- vary the actions as needed in order to achieve your advanced configuration.
I think there was some discussion of this in the early days before there was a GUI.
In particular, if you want to override the default routing, I think you would need to go behind the scenes.
Whether you actually want the VPN endpoint on the phone or on the tethered client is debatable. Anything doing hardcore encryption might be better on the client. That is, you may get more MB/s through a VPN tunnel with the encryption being done on the client and the phone restricting itself to moving packets (but you may have entirely legitimate reasons to want the endpoint on the phone itself).
Last time I tried, I got a poor performing WiFi and Bluetooth until reflashing 
And even I broke the ModemManager for a while.
It seems that the NetworkManager and ModemManager are very deeply integrated in the Librem 5 and messing around seems to be risky.
So if there was a manual on how to do it without a GUI it would be one thing. But without a manual it seems risky.
Now everything works fine with the limitation that the hotspot is not WPA3. So I am a little bit afraid to experiment.
I’m still waiting to receive my Librem 5 but I have a Pinephone Pro running Mobian with Phosh so at least the UI is the same. I tried to enable hotspot and share the mobile connection with a laptop. The laptop was able to connect but didn’t receive an IP from DHCP and I had to set the address, default gateway, and DNS up manually on the laptop. Is this how it works with the Librem 5 also?
I’m considering filing a bug but wanted to make sure it wasn’t a Pinephone issue.
If it’s reproducible, IMO it’s worth filing a bug report because it could be something that is wrong but only showing symptoms in your setup because of some other seemingly unrelated thing and it’s worth tracking down. Reproducible on command is almost always worth investigating imo.
On the Librem 5 the WiFi Hotspot currently works out of the box with just pressing a button in the GNOME UI.
No need for any manual settings.
Huh, is it still working for you? For me it stopped working a month or two ago (well, TLS stopped working, which nowadays means basically everything).
(I haven’t been able to activate my source.puri.sm account for reporting the issue just yet)
Yes, it works. Try a fresh reflash.
I’ve been using the tethering mode with the L5 but the internet speed is painfully slow (at least an order of magnitude lower than internet speed on device and tethering speed from android).
Apparently such an issue was already reported before and fixed via
nmcli connection add type ethernet ifname usb0 ipv4.method shared con-name tether
I’m not sure why enabling sharing from the GUI leads to such a slow connection but I’d like to know whether it would it be possible to configure the settings by default such that tethering speeds is good by default.