diff --git a/mobile/src/main/java/be/mygod/vpnhotspot/App.kt b/mobile/src/main/java/be/mygod/vpnhotspot/App.kt
index 077ff57d..6b8c0ed4 100644
--- a/mobile/src/main/java/be/mygod/vpnhotspot/App.kt
+++ b/mobile/src/main/java/be/mygod/vpnhotspot/App.kt
@@ -49,8 +49,9 @@ class App : Application() {
val result = pref.getString(KEY_OPERATING_CHANNEL, null)?.toIntOrNull() ?: 0
return if (result in 1..165) result else 0
}
- val masquerade: Boolean get() = pref.getBoolean("service.masquerade", true)
- val dhcpWorkaround: Boolean get() = pref.getBoolean("service.dhcpWorkaround", false)
+ val masquerade get() = pref.getBoolean("service.masquerade", true)
+ val strict get() = app.pref.getBoolean("service.repeater.strict", false)
+ val dhcpWorkaround get() = pref.getBoolean("service.dhcpWorkaround", false)
val cleanRoutings = Event0()
}
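Review bot: The new `strict` getter reads `app.pref` while its neighbours `masquerade` and `dhcpWorkaround` read `pref` directly, so the three getters are no longer written the same way; presumably both resolve to the same preferences, in which case `val strict get() = pref.getBoolean("service.repeater.strict", false)` keeps them uniform. The key still says `repeater` even though, per the TetheringService hunk in this commit, the flag now also governs system tethering; the stored key has to stay for existing installs, so the fix is a comment: `// also applied to system tethering (see TetheringService); key name kept for backward compatibility`. The enclosing object starts before the hunk.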
diff --git a/mobile/src/main/java/be/mygod/vpnhotspot/LocalOnlyInterfaceManager.kt b/mobile/src/main/java/be/mygod/vpnhotspot/LocalOnlyInterfaceManager.kt
index bcde73d0..fb8b2360 100644
--- a/mobile/src/main/java/be/mygod/vpnhotspot/LocalOnlyInterfaceManager.kt
+++ b/mobile/src/main/java/be/mygod/vpnhotspot/LocalOnlyInterfaceManager.kt
@@ -42,7 +42,7 @@ class LocalOnlyInterfaceManager(val downstream: String) : UpstreamMonitor.Callba
try {
this.dns = dns
this.routing = Routing(upstream, downstream, owner).apply {
- val strict = app.pref.getBoolean("service.repeater.strict", false)
+ val strict = app.strict
if (strict && upstream == null) return@apply // in this case, nothing to be done
if (app.dhcpWorkaround) dhcpWorkaround()
ipForward() // local only interfaces need to enable ip_forward
diff --git a/mobile/src/main/java/be/mygod/vpnhotspot/TetheringService.kt b/mobile/src/main/java/be/mygod/vpnhotspot/TetheringService.kt
index c3a6c173..01cce533 100644
--- a/mobile/src/main/java/be/mygod/vpnhotspot/TetheringService.kt
+++ b/mobile/src/main/java/be/mygod/vpnhotspot/TetheringService.kt
@@ -55,7 +55,9 @@ class TetheringService : IpNeighbourMonitoringService(), UpstreamMonitor.Callbac
// system tethering already has working forwarding rules
// so it doesn't make sense to add additional forwarding rules
rule()
+ // here we always enforce strict mode as fallback is handled by system which we disable
forward()
+ if (app.strict) overrideSystemRules()
if (app.masquerade) masquerade()
dnsRedirect(dns)
if (app.pref.getBoolean("service.disableIpv6", false)) disableIpv6()
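Review bot: The comment added above `forward()` says strict mode is "always" enforced here, but the added line after it only calls `overrideSystemRules()` when `app.strict` is set, so the comment and the code disagree; if the conditional is intended, reword it to `// with strict mode on, drop everything else from downstream so the system's own forwarding rules cannot act as a fallback`. The DROP rule that `overrideSystemRules()` appends is only correct because it is added after the accept rules from `forward()` in the same chain, and because `vpnhotspot_fwd` is presumably consulted before the system tethering rules in FORWARD — neither ordering is stated here and the second cannot be confirmed from this hunk. The rule is also IPv4-only (`$IPTABLES`), so unless `disableIpv6` on the last line is enabled too, IPv6 traffic from the downstream looks exempt from the strict drop; that caveat belongs in the setting's description or a comment. The enclosing function starts and ends outside the hunk.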
diff --git a/mobile/src/main/java/be/mygod/vpnhotspot/net/Routing.kt b/mobile/src/main/java/be/mygod/vpnhotspot/net/Routing.kt
index d40891b3..70c2059e 100644
--- a/mobile/src/main/java/be/mygod/vpnhotspot/net/Routing.kt
+++ b/mobile/src/main/java/be/mygod/vpnhotspot/net/Routing.kt
@@ -84,6 +84,11 @@ class Routing(val upstream: String?, private val downstream: String, ownerAddres
stopScript.addFirst("$IPTABLES -D FORWARD -j vpnhotspot_fwd")
}
+ fun overrideSystemRules() {
+ startScript.add("$IPTABLES -A vpnhotspot_fwd -i $downstream -j DROP")
+ stopScript.addFirst("$IPTABLES -D vpnhotspot_fwd -i $downstream -j DROP")
+ }
+
fun masquerade(strict: Boolean = true) {
val hostSubnet = "${hostAddress.address.hostAddress}/${hostAddress.networkPrefixLength}"
startScript.add("quiet $IPTABLES -t nat -N vpnhotspot_masquerade 2>/dev/null")
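Review bot: `overrideSystemRules()` has no documentation and is order-sensitive: the `-A vpnhotspot_fwd -i $downstream -j DROP` it appends matches every forwarded packet arriving on `$downstream`, so if it ever runs before the accept rules that `forward()` adds to the same chain, those rules are shadowed and all downstream traffic is dropped. A KDoc should state that contract: it appends a catch-all DROP for `$downstream` so that traffic not accepted earlier in `vpnhotspot_fwd` cannot fall through to later (system) FORWARD rules, and it must be the last rule added to that chain. Whether `vpnhotspot_fwd` actually precedes the system tethering rules in FORWARD depends on how the chain is hooked in, which is outside this hunk. It is also worth noting that only IPv4 `$IPTABLES` is covered here. `masquerade()` starts in the hunk but ends outside it.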
diff --git a/mobile/src/main/res/values-zh-rCN/strings.xml b/mobile/src/main/res/values-zh-rCN/strings.xml
index f1733c04..65ab2672 100644
--- a/mobile/src/main/res/values-zh-rCN/strings.xml
+++ b/mobile/src/main/res/values-zh-rCN/strings.xml
@@ -64,7 +64,7 @@
Wi\u2011Fi 运行频段 (不稳定)
"自动 (1\u201114 = 2.4GHz, 15\u2011165 = 5GHz)"
严格模式
- 只允许通过 VPN 隧道的包通过,不适用于系统共享
+ 只允许通过 VPN 隧道的包通过
禁用 IPv6 共享
防止 IPv6 VPN 泄漏。
开机自启动中继
diff --git a/mobile/src/main/res/values/strings.xml b/mobile/src/main/res/values/strings.xml
index 1fb98bc1..f4987d61 100644
--- a/mobile/src/main/res/values/strings.xml
+++ b/mobile/src/main/res/values/strings.xml
@@ -69,8 +69,7 @@
Operating Wi\u2011Fi channel (unstable)
Auto (1\u201114 = 2.4GHz, 15\u2011165 = 5GHz)
Strict mode
- Only allow packets that goes through VPN tunnel. Does not
- apply to system tethering.
+ Only allow packets that goes through VPN tunnel.
Disable IPv6 tethering
Enabling this option will prevent VPN leaks via IPv6.
Start repeater on boot