[GH-ISSUE #1275] Ntfy on Android: can't connect to Ntfy server (on wifi) behind VPN when restricted to wifi only #900

New issue

Open

opened 2026-05-07 00:28:35 +02:00 by BreizhHardware · 1 comment

BreizhHardware commented 2026-05-07 00:28:35 +02:00

Owner

Copy link

Originally created by @GideonBear on GitHub (Feb 6, 2025).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1275

🐞 Describe the bug

When I set Ntfy to "wifi only" in my settings (Samsung), it fails to connect to my Ntfy server over a WireGuard VPN, even on wifi (mobile data is off). When "Mobile data or wifi" is selected, it connects fine.

💻 Components impacted

Android app

💡 Screenshots and/or logs

https://nopaste.net/9iBLnfgCnN

🔮 Additional context

When "wifi only" is selected, I do get notifications over mobile data. Attachments fail to download.
This is probably related, and also an issue for me; I want to use as little mobile data as possible.

Originally created by @GideonBear on GitHub (Feb 6, 2025). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1275 :lady_beetle: **Describe the bug** <!-- A clear and concise description of the problem. --> When I set Ntfy to "wifi only" in my settings (Samsung), it fails to connect to my Ntfy server over a WireGuard VPN, even on wifi (mobile data is off). When "Mobile data or wifi" is selected, it connects fine. :computer: **Components impacted** <!-- ntfy server, Android app, iOS app, web app --> Android app :bulb: **Screenshots and/or logs** <!-- If applicable, add screenshots or share logs help explain your problem. To get logs from the ... - ntfy server: Enable "log-level: trace" in your server.yml file - Android app: Go to "Settings" -> "Record logs", then eventually "Copy/upload logs" - web app: Press "F12" and find the "Console" window --> https://nopaste.net/9iBLnfgCnN :crystal_ball: **Additional context** <!-- Add any other context about the problem here. --> When "wifi only" is selected, I do get notifications over mobile data. Attachments fail to download. This is probably related, and also an issue for me; I want to use as little mobile data as possible.

BreizhHardware added the

🪲 bug

label 2026-05-07 00:28:35 +02:00

BreizhHardware commented 2026-05-07 00:28:35 +02:00

Author

Owner

Copy link

@Ravindranathrl commented on GitHub (Feb 25, 2025):

I've investigated this issue and found that it likely stems from how the WireGuard VPN routes traffic when restricted to "Wi-Fi only." The error logs indicate a java.net.ConnectException: Failed to connect to /172.17.0.1:1420, which suggests that the app is trying to connect to a local IP that may not be accessible over the VPN when only Wi-Fi is enabled.

Add the following to your WireGuard configuration to ensure all traffic, including Wi-Fi-only traffic, routes through the VPN:

AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Use a Public IP Address Instead of a Local IP:

Replace 172.17.0.1 with the public IP address or domain of your Ntfy server. This ensures that traffic is routed correctly through the VPN tunnel, even on Wi-Fi.

Adjust Android VPN Settings:

Set the VPN to Always-on VPN and enable Block connections without VPN in Android settings.

Disable Mobile Data Always Active in Developer Options (if available) to force the device to rely entirely on Wi-Fi.

Check App Permissions:

Ensure that the app has these permissions in the Android manifest:

<!-- gh-comment-id:2681119347 --> @Ravindranathrl commented on GitHub (Feb 25, 2025): I've investigated this issue and found that it likely stems from how the WireGuard VPN routes traffic when restricted to "Wi-Fi only." The error logs indicate a java.net.ConnectException: Failed to connect to /172.17.0.1:1420, which suggests that the app is trying to connect to a local IP that may not be accessible over the VPN when only Wi-Fi is enabled. Add the following to your WireGuard configuration to ensure all traffic, including Wi-Fi-only traffic, routes through the VPN: AllowedIPs = 0.0.0.0/0, ::/0 PersistentKeepalive = 25 Use a Public IP Address Instead of a Local IP: Replace 172.17.0.1 with the public IP address or domain of your Ntfy server. This ensures that traffic is routed correctly through the VPN tunnel, even on Wi-Fi. Adjust Android VPN Settings: Set the VPN to Always-on VPN and enable Block connections without VPN in Android settings. Disable Mobile Data Always Active in Developer Options (if available) to force the device to rely entirely on Wi-Fi. Check App Permissions: Ensure that the app has these permissions in the Android manifest: <uses-permission android:name="android.permission.INTERNET"/> <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/> <uses-permission android:name="android.permission.VPN_SERVICE"/>

BreizhHardware referenced this issue 2026-05-07 01:02:10 +02:00

[PR #900] [MERGED] docs: remove Firefox-Android known issue #1455

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dependabot/npm_and_yarn/web/fast-uri-3.1.2

email-verification

attachment-no-http2

attachment-fixes

attachment-s3

config-generator

postgres-replica

dockers-v2

postgres-support

postgres-webpush+user+message

postgres-webpush+user

postgres-webpush

1364-copy-action

crashfix

user-header

scalar-api-docs

cancel-scheduled

update-available

windows-server

303-update-notifications

postgres

admin-ui

require-login

http-clipboard

message-cache-lock

debian-stripe

predefined-users

busy-timeout

template-dir

ipv6

client-ip-header

apns-fix

feat_optional_require_login

security-updates

pg-message-cache

templating-disallow

templating-3

templating-2

message-size-limit+delay-limit

remove-rate-topics

html-emails

cf-priority

acl-underscores

auth-user-header

markdown

img-attach

web-improvements

utf8-headers

matrix-507-reject

http-response-writer

new-homepage-design

e2e

canary

windows

electron

update-messages

webhook-templating

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.19.2

v2.19.1

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.14.0

v2.13.0

v2.12.0

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

v2.0.0

v1.31.0

v1.30.1

v1.29.1

v1.29.0

v1.28.0

v1.27.2

v1.27.1

v1.26.0

v1.25.2

v1.25.1

v1.25.0

v1.24.0

v1.23.0

v1.22.0

v1.21.2

v1.21.1

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.0

v1.14.1

v1.14.0

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.2

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.0

v1.6.1

v1.6.0

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.3

v1.3.1

v1.3.0

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

ai-generated

  

android-app

  

android-app

  

android-app

  

🪲 bug

  

build

  

build

  

dependencies

  

docs

  

enhancement

  

enhancement

  

🔥 HOT

  

in-progress 🏃

  

ios

  

prio:low

  

prio:low

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

🔒 security

  

server

  

server

  

unified-push

  

web-app

  

website

No labels

ai-generated

android-app

android-app

android-app

🪲 bug

build

build

dependencies

docs

enhancement

enhancement

🔥 HOT

in-progress 🏃

ios

prio:low

prio:low

pull-request

question

🔒 security

server

server

unified-push

web-app

website

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ntfy#900

No description provided.