Is there a way to force tethered data to go through an iOS VPN, instead of passing through raw to the mobile carrier?
Solution 1:
No, it seems that's not possible.
I have made several tests with different VPNs and VPN settings on my iPhone - some on demand, some not, but even when switched on manually, tethered traffic was never sent through the VPN.
I've also tried setting OverridePrimary to true as described here (it is false by default when creating the profile in the Apple Configurator), but that did not change the tethered traffic either.
The remaining solution is to install the VPN connection on your tethering client.
BTW, if that client is a Mac, you can simply import the same VPN profile by double-clicking on the mobileconfig file created for iOS.