Android + wgclient + full cone nat = web stucks

me.fab · August 31, 2025, 4:38pm

Hello! As title, while I have wgclient and Full Cone NAT both active, Android 14 device stuck on loading internet pages, but Windows works well.

I found this in error log, google show just a post about MT3000, that is my router

header_packet_process() 7261: header_packet_process(): CheckRxError!

Vpn log section show just habitual advises to allow forward in firewall. Others errors are about slow initialization of services, that are working well (wifi driver, doh bootstrap, etc).

I was thinking to leave router-vpn as a basic protection, and handle the load by devices. So the option to turn off Full Cone NAT is not an option, I should prefer to turn off router-vpn, but if I can keep both it's better.

Note: I tried also to connect my Android via wgserver, instead of wifi, and he see the lan but stuck like wifi on wan. Maybe log say anything, but this scenario reduces a lot what to be considered.

Sorry for english, I didn't use translator this time

Edit: just now I was noticed that another Windows in my network was not working. I can see just a different age, in short, 2 devices wifi5 has the issue while 2 devices wifi6 hasn't.

me.fab · August 31, 2025, 8:07pm

I found an absurde solution: start openvpn, then return to wireguard, without any other change or reboot!

For sure, turn off full cone nat then restart wg, worked more times, even 12 hours later and a scheduled reboot in the middle. But a few minutes ago i was thinking to use wg just in devices, and openvpn in router, then i seen a bad speedtest and back to wireguard.

If anyone know this issue, please help me. As it is gone, it can come back without an apparent reason.

will.qiu · September 1, 2025, 4:31am

Hi

Could you please let us know the exact model of your router (is it the MT3000?) and the firmware version you’re currently using?

Also, when you mentioned Full Cone NAT — do you mean that once it’s disabled, all of your clients are able to work normally with WireGuard VPN?

me.fab · September 1, 2025, 1:36pm

MT3000 firmware 4.8.1, and wgclient is in policy mode.

Yes, full cone nat is the only change I made recently, before that vpn always worked with all other options enabled. I also switched to private NextDNS, entering it as static on dnscrypt, according to their guide, but I don't think it's relevant.

Also, in those 16 hours I tried to remove that one option, full cone nat, I had to restart the wg tunnel but then it worked. Reinstalling the full cone nat and restarting the wg tunnel, the old devices no longer detected the internet. Until I started openvpn for the first time and went back to wg, it probably forced an adjustment.

I have noticed that many things on this router work better when active on reboot, especially vpn, and maybe full cone nat should be activated before the first wgclient activation.

will.qiu · September 2, 2025, 6:11am

We tested using MT3000 with firmware 4.8.1.

With Full Cone NAT enabled and a WireGuard connection active, the issue could not be reproduced — both Android and Windows devices connected normally.

To help narrow this down, could you please try the following command on the affected device (Maybe on Windows):

Run:

ping 8.8.8.8

Run:

ping google.com

This will help us determine whether it’s a DNS issue.

If both pings fail, please also try:

tracert 8.8.8.8

to check where issue happen.

Additionally, please share your current VPN and DNS settings with us so we can better understand your usage scenario.