Network Guide Featured Tags: cellular Wi-Fi Clash

Clash Works on Wi-Fi but Fails on 4G/5G?Step-by-Step Android and iOS Fix

Mobile data is not “the same internet with a smaller antenna.” When you leave Wi-Fi for 4G or 5G, your phone picks a carrier NAT, often different DNS behavior, and stricter power and background policies. A Clash profile that looked perfect on a home router can suddenly show “connected” in the app while browsers time out, or conversely take the whole device offline because TUN routing disagrees with what the cellular stack expects. This guide gives a repeatable order: confirm bare connectivity, resolve system proxy versus VPN/TUN capture, neutralize OS-level DNS conflicts, then revisit split routing when your egress IP and geography change—not when only the Wi-Fi icon did.

Approx. 26 min read
Clash Editorial
Table of Contents

1. Why Wi-Fi and cellular diverge

On Wi-Fi, you usually sit behind one home or office router. That device hands out private addresses, often performs DNS forwarding, and may even honor the same proxy or forwarding assumptions you configured once for laptops. Cellular connections hand the handset a different relationship to the public internet: carrier-grade NAT, IPv6 prefixes that appear or disappear by plan, and DNS resolvers chosen for the radio access network rather than for your YAML aesthetics. A system proxy entry that applications respect on Wi-Fi may still leave certain stacks—peer-to-peer helpers, background sync, or tether clients—talking straight to the carrier unless TUN or an actual VPN tunnel captures them.

Phones also treat cellular as metered more often than Wi-Fi. That single flag changes whether browsers defer large downloads, whether sync runs, and whether OEM skins kill “invisible” tunnels after the screen locks. If Clash “works until the display sleeps,” you are usually looking at battery optimization and background restrictions, not a broken outbound. Conversely, if nothing loads at the instant you switch off Wi-Fi, you might be staring at two tunnels fighting for the VPN slot, or at Private DNS / secure DNS settings that resolve hostnames to addresses your current rules never route the way you expect.

Symptom after switching to mobile data What it often points to first
Total loss of connectivity when Clash enables TUN Route loop, excluded routes too narrow, IPv6 path bypassing the tunnel, or another VPN profile still “connected.”
Some apps work, others do not System proxy respected only where apps implement it; games or UDP-heavy clients may need TUN. Per-app VPN lists can also differ by OEM.
Websites open, “IP country” is wrong Split routing sending test domains DIRECT by GEOIP; DNS answers from a resolver outside Clash’s listener.
Works until screen off Power saver killing the core process, or the OS pausing the VPN extension while Wi-Fi-style keepalives stop.

Hold that framing: the goal is not to prove that your subscription text “looks updated,” but to prove which layer changed when the radio type changed. If you skip that distinction, you will paste new node lists into a situation where the phone never lets those nodes see cellular packets in the first place.

2. Five-minute triage

Before editing profiles, run the same exercise on both radios. Turn Wi-Fi off completely (not just disconnect—disable the radio so the phone cannot fall back silently). Open a single plain browser tab to an HTTPS site you trust. If the browser cannot load anything even after disabling Clash entirely, stop: you might be dealing with SIM provisioning, APN misconfiguration, account suspension, or a captive portal on the carrier’s side. No amount of rule tuning fixes a radio that has no working data path.

Next, flip one variable at a time. With mobile data stable and Clash off, note your carrier-assigned IP from a simple check site. Enable Clash with the same outbound group you used on Wi-Fi and compare. If the exit address changes as expected but some destinations hang, suspect DNS or split routing, not throughput. If nothing passes through the tunnel yet local pings or SMS still work, suspect TUN installation, duplicate VPN, or a firewall profile your ROM applies differently on metered networks.

  1. Confirm raw cellular data without any VPN or Clash.
  2. Enable only system proxy mode—observe which apps follow it.
  3. Switch to TUN or VPN mode per your client, watching for errors about “another VPN” or “always-on” conflicts.
  4. Disable Private DNS / OS secure DNS temporarily and retest resolution-sensitive sites.
  5. Compare logs for DNS queries: do they reach Clash’s listener on cellular the same way they did on Wi-Fi?
Tip: Screenshot Clash’s log line for the same domain on Wi-Fi and on cellular. If rule names or outbounds differ only after the switch, your profile is reacting to a different resolver answer or GEOIP bucket—not mysteriously “hating 5G.”

3. Android: VPN slot, Private DNS, battery, dual SIM

Android exposes exactly one active “VPN” personality to many subsystems at a time. Clash ports that implement a VPN service register like any other tunnel. If you have a corporate profile, a second privacy VPN, or an OEM “game accelerator” that installs a always-on shim, the handset may refuse Clash’s TUN or silently order tunnels in ways the tray icon does not explain. Open system VPN settings and verify only one profile should be active during your test. Some builds show “blocking connections without VPN” toggles—those are wonderful for leak prevention and brutal if you forgot you enabled them while experimenting.

Private DNS (Settings → Network → Private DNS on stock Android) bypasses whatever resolver your Clash document describes unless you intentionally integrate stacks. In many support threads, “Wi-Fi fine, 4G weird” really means “my home router forwarded DNS to the device differently than the carrier does.” For a controlled test, set Private DNS to Automatic or Off, restart the Clash core, and see whether hostname-dependent rules snap into place. If you require encrypted DNS end-to-end, the sustainable fix is to make Clash’s dns section authoritative and stop letting the OS second-guess it—not to toggle random public resolvers whenever Instagram blinks.

Battery optimization and background starts

OEM “phone managers” love to freeze anything not stamped with a chat app logo. If Clash stops updating subscriptions on cellular while Wi-Fi was fine, check whether background data for the client is unrestricted, whether battery optimization is disabled for that package, and whether data saver treats your subscription URL as non-essential traffic. The failure mode looks like “my nodes are stale only when I leave the house,” which is indistinguishable from a dead provider until you read the timestamp in logs. Our Clash Meta for Android subscription import checklist walks link accessibility and provider refresh separately from rule content; pair that with network allowance settings on your specific ROM.

Dual SIM and enterprise work profiles

With dual SIM devices, the data SIM might change default routes when you roam or when one slot drops to 2G. If rules key off interface names or subnets, confirm your client still binds to the data-capable SIM. Work profiles and secondary users duplicate network permission models—Clash might be installed only in the personal profile while the browser you test lives elsewhere. When symptoms are “app A works, app B never sees the proxy,” profile boundaries are a faster hypothesis than rewriting GEOIP.

Note: Aggressive privacy tools that force “DNS over TLS for everything” can recreate the same bypass problem on cellular while Wi-Fi looked fine because your router was already forwarding to a compatible forwarder. Change one resolver layer at a time.

4. iOS: extensions, Low Data Mode, carrier bundles

On iPhone and iPad, Clash-compatible clients typically rely on Apple’s Network Extension frameworks. That is a different permission and lifecycle story than flipping a Linux firewall rule. The tunnel can restart when the system throttles extensions to save power, when the user switches between Wi-Fi and LTE, or when the carrier pushes updated APNs in a background profile. If you only see issues right after carrier updates, capture whether the extension detaches at the same timestamp in diagnostic logs before you assume remote servers died.

Low Data Mode (Settings → Cellular → Cellular Data Options) reduces background usage and often interacts with sync and streaming. Some users perceive “proxy off” when what actually happened is applications deferring work. Toggle Low Data Mode temporarily during triage. Likewise, review per-app cellular switches—offline-first tools may never trigger the paths you think you proxied.

iOS does not give you the same blunt “Private DNS” knob as Android; DNS behavior still mixes Wi-Fi DNS overrides, profile-driven settings from management software, and whatever the VPN extension advertises. If resolution feels inconsistent when moving between radios, align with Clash’s documented DNS mode and read the fake-ip and DNS troubleshooting guide for shared Mihomo concepts—especially fake-ip-filter and resolver ordering—without assuming desktop Windows behavior maps one-to-one.

For parallels between system-level capture and permissions on another Unix-like mobile, Clash Verge on macOS and Network Extension is a useful companion read: different OS, same class of “the GUI says on, the packet path disagrees” problems.

5. Clash configuration angles: TUN, DNS, split routing

Once OS policies stop sabotaging you, return to the profile. System proxy mode is lightweight and often enough on Wi-Fi where desktops cooperate, but cellular apps frequently include paths that ignore PAC or manual proxy entries. If your symptoms are “HTTP browser tabs okay, everything else stubborn,” move the discussion to TUN or an equivalent full-device capture that your Android or iOS build supports, then verify exclusions: LAN ranges labeled DIRECT should still reach your tethered laptop; captive portals may need temporary bypass rules.

DNS deserves explicit attention here because cellular swaps resolvers more aggressively. When enhanced-mode uses fake-ip, domain rules and connection routing depend on answers the core actually saw—if queries skip the listener, you will chase phantoms. Walk the chain in the fake-ip guide and adjust nameserver-policy so domestic hostnames do not get answered by a resolver that makes your GEOIP think you are elsewhere. That mismatch shows up as “Wi-Fi matched my domestic DIRECT rule, 4G sends me out a foreign exit”—classic split-routing confusion.

Split routing itself is not wrong; it is simply sensitive to the IP and continent the world sees when you are on a carrier CGNAT pool versus a residential ASN. Rules that key off GEOIP can move traffic between DIRECT and PROXY when only the underlying radio changed. When debugging, log the GEOIP result for the IPs your node uses and compare Wi-Fi vs cellular—not because one is “more correct,” but because your policy might categorize them differently.

# Conceptual checklist — adapt keys to your core and GUI
mode: rule
tun:
  enable: true
  stack: system
  auto-route: true
  strict-route: true   # validate against your network; can break niche LAN setups
dns:
  enable: true
  enhanced-mode: fake-ip
  nameserver:
    - https://resolver-you-trust/dns-query

Treat snippets as orientation, not copy-paste secrets: strict-route and stack choices interact with vendor kernels. Always export the effective running config from your client after changes, and keep our configuration documentation open while you reconcile GUI toggles with YAML.

6. When the carrier—not Clash—is the variable

Some networks block or throttle unfamiliar UDP patterns, shape long-lived TLS sessions differently from home ISPs, or intercept DNS unless you use their own resolvers. If your tunnel establishes but throughput collapses only on one carrier while another SIM in the same phone behaves, capture traceroutes and timestamps before swapping rules. International roaming can also force DNS through partners that break split DNS assumptions baked into older profiles.

IPv6 introduces another fork: Wi-Fi might be IPv4-only while cellular prefers dual-stack. If your outbounds or hosts assume IPv4 and the OS suddenly prefers AAAA records, failures look like “works on Wi-Fi, dies on 5G” even when Clash never crashed. A pragmatic test is to compare behavior with IPv6 temporarily disabled—document the result rather than leaving silent OS flags as permanent fixes unless you understand the trade-offs.

Finally, subscription URLs that are reachable only from certain ASNs can fail silently on cellular. If updates succeed indoors and never on the road, verify the HTTPS endpoint from a mobile browser without Clash, then with Clash on, and read whether corporate captive portals appear. The fix might be routing the provider hostname through a stable outbound rather than rewriting every streaming rule.

7. Summary

When Clash behaves on Wi-Fi and stumbles on mobile data, treat the radio change as a signal that NAT, DNS, IPv6, and OS power policy—not only your node list—just entered the room. Clear other VPN slots, simplify Private DNS / secure resolver settings while testing, exempt the client from aggressive battery killers, and only then revisit TUN versus system proxy, Mihomo DNS alignment, and split routing when your egress geography shifts between ASN pools. Compared with swapping subscriptions whenever bars change, that sequence isolates the layer you can actually fix.

Compared with opaque one-click “accelerators,” Clash-family cores expose enough logging to show which rule owned a flow—which matters most when the network itself keeps changing under your feet. Install current builds from the official download page so tun stacks match what you read in guides, and cross-check tricky DNS behavior with the dedicated articles linked above rather than duplicating their YAML here.

Upstream cores evolve quickly; if a regression appears only on one mobile OS version, compare release notes in community repositories while still downloading user-facing packages from this site rather than mixing nightly binaries into a production phone without a rollback plan.

Download Clash for free and experience the difference