Network Guide Featured Tags: Clash MCP split rules

MCP Keeps Dropping?Clash Split Rules for Remote MCP Hosts in 2026

The Model Context Protocol (MCP) turned custom tools in Cursor, Visual Studio Code, and other editors into first-class citizens—but many sessions still die mid-flight. When your IDE plugin opens a long-lived WebSocket or streaming channel to a remote host, a noisy PROXY bucket or mismatched DNS can look exactly like “MCP is buggy.” This guide shows how to peel MCP traffic out of generic rules, bind it to a sane policy group in Clash, and align resolvers so split rules behave predictably.

Approx. 22 min read
Clash Editorial
Table of Contents

1. Why MCP Traffic Is Not “Just Another HTTPS Tab”

Most people configure Clash with a handful of broad rules: send “foreign” sites to a catch-all PROXY group, send domestic traffic DIRECT, and call it a day. That works surprisingly well for short web requests. Model Context Protocol clients are different: the IDE may keep a channel open for minutes, stream partial results, reconnect quietly, and multiplex tool calls across the same TLS session. When that session rides an outbound tuned for bursty browser traffic, you inherit behaviors you never asked for—aggressive connection recycling on congested nodes, region switches from url-test flapping, or middleboxes that dislike long idle periods.

The fix is not “buy a faster subscription” by default. It is to classify MCP flows as their own traffic class: explicit split rules that match the real remote host names your tools use, then a policy group whose health checks and membership reflect long-session workloads rather than a speedtest score alone. Clash gives you ordered rules and composable proxy-groups precisely so you can express that intent without turning the entire machine into a single-tunnel VPN.

If you are new to how profiles fit together, skim the configuration documentation first—this article assumes you understand rule order, group types, and where DNS hooks in.

2. MCP in Cursor, VS Code, and IDE Plugins

Model Context Protocol is an open pattern for connecting editors and assistants to external data sources and tools: filesystems, databases, SaaS APIs, or bespoke microservices. Implementations ship as IDE plugins or built-in integrations. The client speaks JSON-RPC–style messages over a transport—commonly STDIO for local servers, and often HTTPS or WSS when the server runs remotely. Remote setups exploded in 2025–2026 as Cursor and VS Code ecosystems standardized configuration files listing server endpoints, headers, and auth tokens.

From the network’s perspective, remote MCP looks like “yet another TLS flow”—until you notice it never really stops. Unlike loading a documentation page, the MCP channel may heartbeat, resume after sleep, or spike throughput when a tool returns a large payload. That usage pattern interacts badly with outbounds that minimize concurrent streams or change exits frequently. Treating it like ordinary browsing hides the failure mode: everything works for thirty seconds, then the tool list greys out until you reload the window.

Why generic PROXY groups mislead you

A url-test group that probes every five minutes might switch you from Singapore to Los Angeles between two tool invocations. For a static webpage, you barely notice. For a stateful WebSocket, you may notice a lot. Similarly, a fallback chain that aggressively demotes peers on a single failed probe can interrupt sessions that would have recovered on their own. Giving MCP its own group is less about vanity labels and more about controlling churn.

3. Symptoms That Point to Routing, Not the Server

Before you rewrite server code, check whether symptoms correlate with proxy mode changes, subscription renewals, or sleep/resume cycles—classic signs that the path—not the MCP implementation—is unstable. Intermittent “tool unavailable” banners after idle periods, sudden TLS warnings in developer consoles, or partial streams that freeze while simple HTTPS sites still load often indicate client-side path issues.

What you see Often actually means First Clash-side check
Tools work briefly after restart, then die Session tied to an outbound that later flaps or resets idle TCP Dedicated policy group with conservative health checks
Works on LTE, flaky on Wi‑Fi (or the reverse) DNS or IPv6 path divergence, not MCP logic Compare resolver output and rule hits in logs
Only some remote servers fail Missing DOMAIN-SUFFIX coverage for one CDN hostname Expand hostname inventory from live captures
TLS handshake timeout spam SNI or node mismatch, not application JSON errors See TLS handshake timeout checklist
Tip: Capture the exact wss:// or https:// host your IDE uses during failure. Guessing split rules from a blog post dated six months ago is how teams accumulate mystery YAML.

4. Building a Hostname Inventory You Trust

Unlike a fixed SaaS with marketing domains, remote MCP endpoints are user-supplied. Your colleague might run a server on mcp.example.com; a vendor might use *.run.app or a regional API gateway. There is no universal list to paste. The reliable approach is observability: watch your client’s network panel, export failing URLs, or tail Clash connection logs while you invoke a tool. Add DOMAIN-SUFFIX entries for the parent domains you control, and document third-party suffixes the same way you would for internal APIs.

If your server sits behind a reverse proxy that terminates TLS on cdn.provider.net while the logical name is tools.company.internal, your rules must follow what the TLS SNI actually presents—usually the public hostname. Internal-only names may never hit Clash at all if they resolve to RFC1918 space and go DIRECT by design. The point is to stop pretending one keyword rule can cover “all MCP everywhere.”

For command-line and git-style workflows that also need consistent proxy ports, our terminal proxy environment guide pairs well with IDE-focused routing: developers often fix npm and MCP on the same machine but forget to align variables with the same core instance.

5. Split Rules: Order, Suffixes, and Non-Standard Ports

Split rules work because Clash evaluates them sequentially. Place MCP-oriented DOMAIN-SUFFIX lines above broad GEOIP or MATCH catch-alls. If a generic foreign rule fires first, your carefully named group never sees the packet. This sounds obvious until a subscription merges remote rule-sets that silently reorder priorities—diff your effective config after every provider update.

Port numbers matter in two ways. First, many MCP examples use https://host:8443 or similar; the hostname still drives SNI-based rules, but firewall ACLs on your node might treat non-443 ports differently. Second, if you ever need IP-based rules for a static endpoint, you graduate from simple suffix matching to IP-CIDR entries—harder to maintain, but unavoidable when vendors publish fixed anycast ranges and you must pin them. Prefer domains whenever possible.

rules:
  # Replace example.com with suffixes from YOUR MCP servers
  - DOMAIN-SUFFIX,example.com,PROXY-MCP
  - DOMAIN-SUFFIX,example.run.app,PROXY-MCP
  # ... domestic DIRECT and GEOIP rules ...
  - MATCH,FINAL

Rename PROXY-MCP to match your style; keep the intent obvious when you revisit the file in six months. Aggressive DOMAIN-KEYWORD matchers remain risky—they can sweep unrelated traffic into the same tunnel and mask the very isolation you wanted.

Note: Do not paste opaque rule lists from strangers on the internet into production profiles. Treat third-party snippets as patterns, re-type them after review, and version-control your own YAML.

6. Policy Groups for Low-Latency, Low-Churn Nodes

A policy group is where you encode operational preferences: failover ordering, latency tolerance, and how often to re-probe. For MCP, bias toward stability over winning microsecond races. A modest interval on url-test reduces how often you rip established sessions out from under the IDE. If your provider offers multiple transports, test whether TCP-based profiles survive longer than multiplexed ones—empirical results beat ideology.

proxy-groups:
  - name: PROXY-MCP
    type: url-test
    proxies:
      - node-tokyo-01
      - node-sg-01
      - node-sjc-01
    url: https://www.gstatic.com/generate_204
    interval: 600
    tolerance: 80

If you already maintain a “development” group for Git operations, resist the temptation to overload it with unrelated streaming traffic—noisy neighbors change probe outcomes. A separate PROXY-MCP keeps tuning decisions honest. When you need strict priority—“always try Tokyo, only then the US West coast”—a fallback group documents that intent more clearly than a crowded url-test pool.

What “low latency” really buys you here

Round-trip time matters for interactive tool calls, but session longevity matters more for keeping the WebSocket alive. Pick nodes with stable transit and sane idle handling before chasing the lowest ping on a speedtest banner. Document the region that worked; future you will thank present you after the next OS update.

7. WebSockets, SSE, and Idle Timeouts

Many remote MCP integrations upgrade HTTP to WSS. Middleboxes along the path may enforce shorter idle timers than a plain REST call. If disconnects cluster after quiet periods, you are looking at idle policy, not JSON-RPC bugs. Mitigations split into two buckets: network-side (pick a cleaner path via your policy group) and application-side (server or client keepalives). Clash cannot invent application heartbeats, but it can stop you from routing long sessions through exits that reset aggressively.

Server-sent events (SSE) and chunked HTTP responses show similar fingerprints: they hold connections open and suffer when NATs or proxies disagree about timeouts. When debugging, compare behavior with Clash paused—but only on networks you trust—and with a narrow rule that forces the MCP hostnames through a single known-good node. If the pattern persists across outbounds, escalate to server logs; if it vanishes, keep tuning YAML.

8. DNS, Fake-IP, and “Random” Disconnects

Misaligned DNS remains the fastest way to manufacture phantom failures. In fake-IP modes, the core may map hostnames to synthetic addresses that your rules must interpret consistently; if the IDE resolver and the core disagree, you can connect to “the same” hostname through different logical paths. Align Clash DNS settings with your operating mode—system proxy versus TUN—and verify what the core logs for the exact MCP name during a failure.

IPv6 adds another layer: some networks advertise global IPv6 prefixes but drop tunneled traffic intermittently. If connects stall before TLS completes, test with IPv6 temporarily disabled or ensure your profile routes both families predictably. For split-horizon corporate DNS, you may need explicit nameserver rules or fake-ip filters so internal names never get rewritten into public IP space unintentionally.

When symptoms overlap with general TLS stalls, cross-check the dedicated walkthrough on handshake timeouts and SNI—the log lines differ from clean idle drops even if the UI looks similar.

9. Complement: Cursor + GitHub Timeouts

This article focuses on remote MCP hosts and long-lived tool channels. Our companion piece on Cursor and GitHub split rules tackles a related but distinct problem: HTTPS clones, large packfiles, and IDE sync traffic that time out when Git hostnames are incomplete or grouped with the wrong node policy. Together, the two guides cover “AI editor platform plumbing” and “MCP tool plumbing” without recycling the same domain list—because they are not the same traffic class.

If you run both heavy Git operations and frequent MCP calls, you may still choose separate groups: PROXY-DEV versus PROXY-MCP—not because the labels are magical, but because tuning intervals independently prevents one workload’s probe strategy from thrashing the other’s sessions.

10. Limits: Local MCP, IP Literals, and Compliance

Not every MCP server is remote. Local STDIO transports talk to 127.0.0.1 and never traverse Clash unless the application explicitly uses a forward proxy or the OS routes loopback creatively. Do not expect global YAML to fix a server that never opens an external socket. Conversely, hard-coded IP literals in config files bypass ordinary name-based rules—handle them with IP-CIDR entries if you must, or fix the config to use stable DNS names.

Enterprise policies, export controls, and vendor terms still apply when you redirect traffic. This guide explains mechanics only; it is not legal advice. If you administer team laptops, store profile changes in git, review outbound lists periodically, and remove experimental matchers once they have served their purpose.

11. Summary

In 2026, Model Context Protocol adoption in Cursor, VS Code, and other editors means more remote host traffic that behaves like infrastructure, not casual browsing. Treat that traffic as a first-class citizen inside Clash: build a hostname inventory from real captures, encode it with ordered split rules, attach it to a policy group tuned for stable long sessions, and align DNS with your tunnel mode so disconnects are diagnosable instead of mystical. The combination pairs naturally with our Cursor and GitHub timeout guide when you maintain both large repositories and rich tool ecosystems on the same machine.

Compared with opaque one-click VPNs, rule-based proxies reward the same discipline as good infrastructure code—explicit names, visible matches, and logs that tell the truth. When you are ready to install or refresh the client, use the official download page for verified builds; then layer the routing above on a reproducible baseline you can diff over time.

Download Clash for free and experience the difference