This file describes how to set up connection sharing (specifically, LTE->WLAN and VPN(@LTE)->WLAN) on Android 8.1. The two cases differ a bit, though.
All commands need to be run on Android as root, and make sure your phone can connect to LTE and WLAN simultaneously. Making the WLAN failing captive portal check is a cheap way to do so.
This has to be done before any further steps:
iptables -F natctrl_FORWARD
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
where 192.168.1.0/24
is LAN subnet. You can also make it single IP if needed.
Suppose LTE connection is available on the interface rmnet_data1.
ip route add table rmnet_data1 192.168.1.0/24 dev wlan0
Same note for 192.168.1.0/24
applies.
Change gateway of any host in 192.168.1.0/24 to the phone, that's it.
Suppose VPN connection is available on tun0 (don't think this can differ)
Unlike sharing LTE when our goal matches default route by chance, we need a new routing table for your single LAN host. Otherwise traffic from phone (on WLAN) and the host will be indistinguishable.
ip rule add from 192.168.1.10 lookup 61
ip route add table 61 192.168.1.10 dev wlan0
ip route add table 61 default dev tun0
ip route add table local_network 192.168.1.10 dev wlan0
61
is a random number, and 192.168.1.10
is your LAN host. You're free to fly.
The WiFi network could not reach the internet at all when I wrote these commands, so the check failed without any manual intervention.
I have not looked into how Android 10 organizes iptables. You may try checking each table here in packet traversal order and find out how to perform NAT on forwarded packets and clear its way out to the internet.