Use Clash for MCP in 2026: Split Rules for AI Plugin and Toolchain Domains

Why MCP Traffic Breaks Behind a Generic Proxy

In 2026, MCP (Model Context Protocol) shows up everywhere in AI plugin and agent tooling: local processes speak JSON-RPC over stdio to a server binary, while remote transports use HTTPS or WebSocket to cloud endpoints. None of that is “just another browser tab.” When your developer proxy stack is tuned for web surfing, streaming, or a single chat domain, MCP sessions often fail with symptoms that look unrelated: the IDE says the server started, then tools vanish; package installs succeed while model calls stall; curl through the proxy works but Node refuses to honor HTTPS_PROXY. The common thread is split rules that never see the hostnames your toolchain actually uses—or DNS paths that bypass Mihomo entirely.

Clash (with the Mihomo core inside modern GUIs) can stabilize this class of traffic, but only if you treat MCP as its own policy lane: explicit DOMAIN / DOMAIN-SUFFIX rows derived from logs, a dedicated proxy-groups entry ahead of blunt GEOIP catch-alls, and DNS settings that match whether you run TUN, system proxy, or both. This article is a practical checklist for that workflow—not a catalog of every third-party MCP server on the internet, because those hostnames change weekly.

MCP Versus IDE-Only Traffic (and Our Cursor Guide)

Our Cursor IDE split-rule guide focuses on editor-shaped traffic: *.cursor.sh model APIs, marketplace CDNs, and extension downloads. That is essential when the bottleneck is the IDE itself. Model Context Protocol traffic is adjacent but not identical: the editor may launch subprocesses that call api.anthropic.com, openrouter.ai, corporate registries, or a vendor-specific gateway your team added. Those flows may never touch Cursor’s documented hosts even though the user experience is “the same AI panel broke.”

Think of this page as the complement: keep Cursor rules for Cursor, add MCP-aware rows for whatever your connection table shows when an MCP server or plugin actually runs. If you also route aggregators, pair this with the OpenRouter split guide when your stack calls that API directly. Shared vocabulary for MATCH, GEOIP, and group types lives in the rule-based routing tutorial.

Symptoms: What Timeout Really Means Here

Before editing YAML for the sixth time, classify the failure. Class A: TLS handshake errors or certificate warnings when a subprocess talks to an HTTPS MCP backend. That is often split-rule miss combined with a node that decrypts or rewrites traffic inconsistently, or the flow went DIRECT into a region that blocks the endpoint. Class B: hung connections with no error text—classic when GEOIP,CN,DIRECT wins before your AI domain rows because the matcher only saw an IP, not a hostname.

Class C: “Works in browser, fails in terminal” points to capture mode: the browser uses system proxy settings while node, deno, or a language server ignores them unless you export variables or switch to TUN. Class D: DNS pollution or split-horizon resolution—the client resolves a name to an unexpected IP, so Clash never participates in the query and your split rules never run. Each class has different fixes; mixing them produces random success when you retry.

What to Route: Toolchain Hostnames, Not Buzzwords

MCP does not own a single magical domain. Instead, observe what your stack hits when a plugin installs or a server starts: package registries (registry.npmjs.org and mirrors), GitHub for releases and raw assets, cloud APIs for hosted connectors, and whichever model vendor your server uses for completions. Some teams run entirely on-prem with no external calls; others chain to generativelanguage.googleapis.com, Azure OpenAI endpoints, or Anthropic. Your developer proxy profile should reflect your logs, not a static list copied from a forum post dated last month.

Start by exporting a short allowlist pattern from the Mihomo connection view or log: sort by process if your GUI supports it, filter TLS destinations, and note repeated DOMAIN-SUFFIX candidates. Add those suffixes to a dedicated group such as MCP_TOOLCHAIN or reuse a broader DEV_HTTPS bucket if you prefer fewer groups—just keep the ordering honest. Avoid stuffing every AI-related hostname into one group named CHATGPT; AI plugins are too heterogeneous for that to age well.

For remote MCP servers that use WebSocket or HTTP/2 long polls, remember throughput matters as much as reachability. Pick nodes with stable TCP to the regions your API expects; ultra-low latency to the wrong country sometimes loses to a slightly slower hop that actually completes the TLS session. This is policy design, not raw ping worship.

Proxy-Groups and First-Match Discipline

Mihomo evaluates rules: from top to bottom and stops at the first match. A catch-all GEOIP line or an oversized DOMAIN-KEYWORD,google entry above your toolchain section will swallow traffic before your MCP-specific rows execute. Move explicit DOMAIN / DOMAIN-SUFFIX lines for observed hosts above broad geographic buckets, mirroring the same discipline we use for streaming and API guides on this site.

Illustrative excerpt—rename groups to match your own proxies: list:

proxy-groups:
  - name: MCP_TOOLCHAIN
    type: select
    proxies:
      - NODE-US
      - NODE-SG
      - DIRECT

rules:
  - DOMAIN-SUFFIX,anthropic.com,MCP_TOOLCHAIN
  - DOMAIN-SUFFIX,openrouter.ai,MCP_TOOLCHAIN
  - DOMAIN-SUFFIX,github.com,MCP_TOOLCHAIN
  - DOMAIN-SUFFIX,npmjs.org,MCP_TOOLCHAIN
  - GEOIP,CN,DIRECT
  - MATCH,PROXY

Replace placeholders with suffixes you actually see; trim duplicates after subscription merges. If you import provider rule-sets, re-check order whenever the subscription updates—silent reordering is a frequent source of “it worked yesterday.”

DNS, Fake-IP, TUN, and Why the Terminal Ignores You

DNS fake-ip mode is convenient: Mihomo returns synthetic addresses and maps them back to names for routing. It assumes the application uses the resolver you control. Many CLI tools do not. System proxy mode helps browsers and Electron apps that respect OS settings; pure Node processes may still open direct sockets unless you set HTTP_PROXY / HTTPS_PROXY to your local mixed port or switch to TUN so the kernel steers all IPv4 traffic through the tunnel.

When fake-ip is on, align three knobs: the dns: section, tunnel or proxy capture, and (if you use Sniffer for IP-only flows) sniffer.force-dns-mapping. Enable DNS hijack on the TUN adapter when you need stubborn binaries to stop talking to public DoH endpoints behind your back. If hijack is off, one part of your stack resolves through Cloudflare while another uses Mihomo, and your split rules look “random.” For a deeper pass on capture modes, read the TUN mode guide alongside this article.

When Sniffer Enters the Picture

Sometimes flows arrive as raw IP:port tuples because the client resolved elsewhere or QUIC bypassed your DNS path. The Mihomo Sniffer can recover hostnames from TLS SNI and QUIC initial packets so DOMAIN-SUFFIX rows apply. Sniffer is not a silver bullet—protocols without visible SNI, pinning, or early encryption still slip through—but for typical HTTPS toolchains it closes the gap between “I see an IP in the log” and “my rule matched.” If you enable Sniffer, pair it with sane override-destination settings and QUIC ports, as covered in our streaming-focused Sniffer article; the mechanics are identical even though the application is developer tooling instead of video.

Verification: Logs First, Then curl

Work methodically. After each profile change, reload and open the live connections panel. Confirm the destination hostname appears and that the selected proxy-groups entry matches your intent. If you see a hostname but the wrong group, scroll your rules: list: first match wins, always.

Sanity-check from the same machine with curl -v through the local mixed port when possible, comparing TLS success against the IDE’s behavior. When curl succeeds and the IDE fails, you are almost certainly looking at capture or environment variables, not upstream outage. When both fail, swap nodes before rewriting YAML—no rule fixes a dead relay.

Copy-Paste Skeleton: MCP Lane + DNS Baseline

Below is a merge-friendly skeleton showing how proxy-groups, rules, and dns cooperate. Adjust nameservers and fake-ip range to your environment.

proxy-groups:
  - name: MCP_TOOLCHAIN
    type: select
    proxies:
      - HK-1
      - US-1
      - DIRECT

dns:
  enable: true
  enhanced-mode: fake-ip
  nameserver:
    - tls://1.1.1.1
  fake-ip-range: 198.18.0.1/16

rules:
  - DOMAIN-SUFFIX,anthropic.com,MCP_TOOLCHAIN
  - DOMAIN-SUFFIX,github.com,MCP_TOOLCHAIN
  - DOMAIN-SUFFIX,npmjs.org,MCP_TOOLCHAIN
  - GEOIP,CN,DIRECT
  - MATCH,PROXY

Expand suffixes as your logs demand; keep the MCP group above catch-all GEOIP rows. If you maintain separate lanes for chat, streaming, and APIs, duplicate only what you must—overlapping DOMAIN-SUFFIX lines in different groups are fine if the first match reflects your priority.

Closing: Hot Topic, Cold Engineering

Model Context Protocol is a genuine shift in how AI plugins wire tools to models, but the network failure modes are old friends: wrong capture mode, DNS that bypasses the proxy, and split rules that lose to a broad GEOIP line. Treat MCP as a named policy lane inside Clash, ground your YAML in observed hostnames, and verify from logs before chasing exotic kernel flags. Stability beats chasing every new server binary announced on social feeds.

Compared with hope-and-pray global PROXY toggles, disciplined routing keeps local latency low for domestic services while giving toolchain HTTPS a consistent exit—fewer “it works until it doesn’t” afternoons. Pair that approach with a maintained client build from our download page so Mihomo features you rely on actually exist in your binary.

→ Download Clash for free and experience the difference.