diff --git a/rust/connlib/snownet/src/node.rs b/rust/connlib/snownet/src/node.rs
index e1761a5c4..22af6fc34 100644
--- a/rust/connlib/snownet/src/node.rs
+++ b/rust/connlib/snownet/src/node.rs
@@ -54,6 +54,10 @@ pub struct Client {}
 trait Mode {
 fn new() -> Self;
 fn is_client(&self) -> bool;
+
+ fn is_server(&self) -> bool {
+ !self.is_client()
+ }
 }
 
 impl Mode for Server {
@@ -446,6 +450,12 @@ where
 .get_established_mut(&connection)
 .ok_or(Error::NotConnected)?;
 
+ if self.mode.is_server() && !conn.state.has_nominated_socket() {
+ tracing::debug!(?packet, "ICE is still in progress; dropping packet because server should not initiate WireGuard sessions");
+
+ return Ok(None);
+ }
+
 let mut buffer = self.buffer_pool.pull_owned();
 
 // Encode the packet with an offset of 4 bytes, in case we need to wrap it in a channel-data message.
@@ -1723,6 +1733,10 @@ where
 };
 apply_default_stun_timings(agent);
 }
+
+ fn has_nominated_socket(&self) -> bool {
+ matches!(self, Self::Connected { .. } | Self::Idle { .. })
+ }
 }
 
 fn idle_at(last_incoming: Instant, last_outgoing: Instant) -> Instant {
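Review bot: The server-side guard added in the second hunk reports the drop as `Ok(None)`, which, as far as the hunk shows, a caller cannot tell apart from any other "nothing to send" result, so the drop is visible only at debug log level. If callers or metrics need to distinguish it, a dedicated return value or a counter would help; at minimum a comment above the `if` should record the invariant, e.g. `// A server must never become the WireGuard initiator; until ICE has nominated a socket we drop instead of encapsulating.` The log line also Debug-formats the whole packet (`?packet`) on every dropped datagram. Depending on what that representation contains, which is not visible here, logging the connection id instead would be quieter and leak less into logs. The enclosing function starts and ends outside the hunk.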
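Review bot: `has_nominated_socket` in the third hunk is named after a socket but decides purely on the state variant, and `matches!` yields `false` for every variant not listed, including any added later. For the guard in the second hunk that default means a server drops outgoing packets in any unlisted state, which is the conservative direction but should be stated so a future variant is classified deliberately. A doc comment would cover it, e.g. `/// True only in the Connected and Idle states; every other state is treated as ICE still being in progress.` The enclosing `impl` block starts outside the hunk, so the full list of variants is not visible here.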