1. Antigravity Traffic vs Browser Gemini
Google Antigravity positions itself as an Agent IDE: inline assistance, code actions, and model-backed workflows sit beside your editor instead of living only in a separate chat tab. Under the hood that means more than one executable talks to Google: the shell you see, background language services, update channels, and embedded web content may each resolve hostnames independently. Consumer Gemini guidance for gemini.google.com is still relevant—see our dedicated walkthrough on Google Gemini domain rules in Clash—but an IDE multiplies the chances that one hostname misses your split rules while the rest are proxied.
The networking goal is coherence. When Google API calls to generativelanguage.googleapis.com share the same egress policy as accounts.google.com and gstatic.com, authentication, static bundles, and streaming completions stay in one continuity region. When they do not, you see the worst kind of outage: intermittent spinner UIs, truncated streaming responses, or cryptic TLS warnings that disappear after a restart until the next subprocess spawns cold. Treat Antigravity like any other multi-process client: design for full-path capture first, then refine rule-based exceptions.
If you also use Microsoft’s stack in parallel, our Copilot and VS Code split-routing article illustrates the same “IDE plus extensions” lesson for GitHub—different hostnames, identical discipline.
2. Symptoms: IDE Timeouts and TLS Noise
Operators usually report three clusters of failure. First, Google Antigravity features never finish loading—model pickers stay empty, summarization buttons no-op, or workspace scans report generic network errors even though ordinary browsing works. Second, explicit transport faults appear: TLS handshake timeouts, reset connections after you switch nodes, or HTTP/2 goaway storms when your proxy group flaps between regions. Third, authentication oddities—double prompts, sudden sign-out, or consent screens that loop—often track rapid changes in perceived location rather than hard packet loss.
Knowing which bucket you are in avoids chasing the wrong knob. Pure Google API quota or billing problems tend to return crisp HTTP status codes in logs once you inspect them through a tool that speaks HTTPS. Routing problems, by contrast, frequently show up as socket stalls with no application-level body at all. Before you rip out an entire subscription, confirm whether curl through your local Clash mixed port can reach https://generativelanguage.googleapis.com with a stable outbound selected; if the TCP phase itself hangs, no amount of API key rotation helps.
For readers still on classic system-proxy-only setups, symptoms often improve the moment every process—not only the browser—rides the same tunnel. That is the practical motivation for the next section on Clash TUN.
3. Why Clash TUN Matters for Agent IDEs
Clash TUN (sometimes labeled Meta/TUN or “virtual NIC” mode depending on the GUI) pushes policy enforcement to the OS routing table instead of asking each app to honor a PAC file or HTTP proxy variable. Agent-style IDEs are notorious for spawning helpers that ignore those legacy hooks, especially on Windows and Linux. TUN is not magic—it still requires privileges, correct route metrics, and awareness of split-tunnel corporate VPNs—but it narrows the class of leaks that leave half your Gemini session on DIRECT while DevTools insists everything “should” be proxied.
Pair Clash TUN with explicit split rules rather than a blind “send everything abroad” default. Domestic CDNs, internal Git remotes, and LAN diagnostics should remain reachable. The sweet spot for productivity tools is selective internationalization: international AI endpoints and Google identity infrastructure ride PROXY-GOOGLE-AI, while the rest of your day job stays on faster paths. Document any local exceptions (corporate roots, captive portals) above your Google block so they cannot be shadowed by aggressive catch-alls.
If your platform GUI separates “TUN” from “system proxy,” enable both only when you understand loop risks; some language runtimes double-wrap themselves when an outer VPN and an inner HTTP proxy disagree. When in doubt, prefer the single coherent path described in the official Clash mode and DNS documentation and restart Antigravity after toggles.
DIRECT, your exception list is too broad or ordered too late—fix rules before blaming the IDE.
4. Google Domains to Capture
Google stacks reuse infrastructure across products. The marketing hostname may say Gemini, yet assets and APIs span google.com, gstatic.com, googleusercontent.com, and broad googleapis.com trees. SDKs that power Antigravity-style features typically terminate on Generative Language endpoints under *.googleapis.com; pinning only gemini.google.com leaves the long tail exposed.
Because Google ships incremental UI refreshes, any static list ages. Keep a scratchpad of hostnames pulled from DevTools or from your client’s verbose logging whenever a release lands. Convert fresh names into DOMAIN-SUFFIX rows instead of chasing brittle DOMAIN-KEYWORD matches that might collide with unrelated sites. Enterprise teams sometimes add console-only endpoints; if your workspace uses Vertex-style APIs, validate those patterns separately.
| Host / pattern | Role for Antigravity / Gemini | What breaks if omitted |
|---|---|---|
| gemini.google.com | Consumer Gemini web shell referenced by embedded views | Blank panels, missing inline help iframes |
| google.com, accounts.google.com | Sign-in, account recovery, branding | OAuth loops, inconsistent sessions across processes |
| gstatic.com | Static JS, fonts, telemetry bundles | “Loaded” UI with broken controls—hard to diagnose visually |
| googleapis.com | Generative Language API and related RPC fronts | Model calls time out while static HTML still renders |
Observing new hostnames safely
When a release note mentions experimental agents or cloud attachments, repeat the capture exercise. The first hours after an update are when stale YAML hurts most: your profile still mirrors last month’s hostname graph. Version-control small rule-provider snippets if colleagues share responsibility; that mirrors how SRE teams ship allow lists without editing giant monolith files by hand.
5. Split Rule Order and Policy Groups
Clash evaluates rules sequentially; the earliest match wins. Place your Google Antigravity and Gemini block above sweeping GEOIP or MATCH rules that might classify Google addresses ambiguously. If a catch-all foreign bucket grabs traffic first, you will spend evenings “tuning nodes” when the real problem is the wrong policy tag altogether.
Dedicate a proxy group such as PROXY-GOOGLE-AI instead of reusing a noisy default pool full of torrent-shaped traffic. Node selection inside that group should optimize for session stability: mild tolerance on url-test groups resists oscillation, while fallback enforces a preferred region order when your subscription exposes several similarly named peers.
Interplay with DNS modes remains the subtle killer. Fake-IP maps names to synthetic addresses so rules can attach quickly; if the IDE resolves through a different resolver than your core, the browser and the background worker may disagree about which IP belongs to which rule. After any DNS change, fully quit Antigravity (all helper processes) and reopen it so HTTP/2 connection pools rebuild on consistent metadata.
6. Example YAML Patterns
The snippets below illustrate structure, not a drop-in subscription. Rename groups to match your airport, validate against your Mihomo-class core, and never import opaque blobs without reading them—malicious profiles can exfiltrate traffic.
Define a health-checked pool tuned for Google frontends:
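```yaml
proxy-groups:
  - name: PROXY-GOOGLE-AI
    type: url-test
    proxies:
      - node-us-west-01
      - node-us-west-02
      - node-tokyo-01
    url: https://www.gstatic.com/generate_204
    interval: 300   # seconds between health checks
    tolerance: 50   # ms; switch only when another node is faster by more than this
```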
Pin suffix and identity hosts ahead of your general foreign group:
```yaml
rules:
  - DOMAIN-SUFFIX,gemini.google.com,PROXY-GOOGLE-AI
  - DOMAIN-SUFFIX,google.com,PROXY-GOOGLE-AI
  - DOMAIN-SUFFIX,gstatic.com,PROXY-GOOGLE-AI
  - DOMAIN-SUFFIX,googleapis.com,PROXY-GOOGLE-AI
  - DOMAIN-SUFFIX,googleusercontent.com,PROXY-GOOGLE-AI
  # LAN / intranet exceptions should appear above this block in real profiles
  # ... remaining rules ...
  - MATCH,FINAL
```
Teams that separate “AI experimentation” from “everyday Google Workspace browsing” may fork google.com handling across two groups. That is advanced: you must track dependencies—Docs in one window still expects consistent cookies with the IDE’s OAuth session—or you reintroduce the very churn you were trying to remove.
Paths inside https:// URLs are invisible to proxy rules. Do not pretend a DOMAIN-SUFFIX row understands “only the /v1beta stream.” Put path logic in an API gateway, not in Clash.
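The first-match behaviour from section 5 can be checked offline before a profile is loaded. The following is an added example, not code from Clash or from this article: the function names are hypothetical, the SHADOWED rule list is constructed, and only domain rules are evaluated (IP-based rules such as GEOIP need a resolved address and are skipped).

```python
def matches(rule_type, value, host):
    """Return True if one domain rule matches host."""
    host, value = host.lower().rstrip("."), value.lower()
    if rule_type == "DOMAIN":
        return host == value
    if rule_type == "DOMAIN-SUFFIX":
        return host == value or host.endswith("." + value)
    if rule_type == "DOMAIN-KEYWORD":
        return value in host
    return False  # GEOIP, IP-CIDR etc. are not evaluated in this sketch

def first_match(rules, host):
    """Walk rules top to bottom; return (line_no, policy) of the first hit."""
    for n, line in enumerate(rules, 1):
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "MATCH":
            return n, parts[1]
        if len(parts) >= 3 and matches(parts[0], parts[1], host):
            return n, parts[2]
    return None, "DIRECT"  # assumption: an unmatched host is treated as DIRECT

def audit(rules, hosts, expected):
    """Return {host: (line_no, policy)} for hosts that miss the expected group."""
    bad = {}
    for host in hosts:
        n, policy = first_match(rules, host)
        if policy != expected:
            bad[host] = (n, policy)
    return bad

# Constructed profile with two defects: a keyword exception placed above the
# Google block, and no googleapis.com row before the catch-all.
SHADOWED = [
    "DOMAIN-KEYWORD,static,DIRECT",
    "DOMAIN-SUFFIX,gemini.google.com,PROXY-GOOGLE-AI",
    "DOMAIN-SUFFIX,google.com,PROXY-GOOGLE-AI",
    "DOMAIN-SUFFIX,gstatic.com,PROXY-GOOGLE-AI",
    "MATCH,FINAL",
]
HOSTS = [
    "gemini.google.com",
    "accounts.google.com",
    "www.gstatic.com",
    "generativelanguage.googleapis.com",
]

if __name__ == "__main__":
    for host, (n, policy) in audit(SHADOWED, HOSTS, "PROXY-GOOGLE-AI").items():
        print(f"{host}: rule {n} -> {policy}")
```

The keyword row captures www.gstatic.com before the Google block is reached, and the API host falls through to the catch-all; both are reported with the line number of the rule that won.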
7. DNS, Fake-IP, and OAuth Stability
DNS is half of any Clash TUN deployment. If the tunnel resolves googleapis.com through encrypted DNS while the OS resolver still points at an ISP server that injects ads or NXDOMAIN games, different processes will stagger through different paths. Centralize resolution inside the core when your GUI allows it, and disable competing “smart VPN” helpers that try to heal DNS on their own.
Gemini account flows react to rapid region hopping. Legitimate users sometimes trigger re-auth when a subscription rotates exit countries on every health check. From a hygiene standpoint, keep node selection calm: finish sign-in on a steady egress before enabling aggressive automatic switching. The goal is not to spoof residence—it is to stop your tooling from tripping fraud-prevention heuristics because your stack cannot pick a lane.
IPv6 deserves an explicit decision. If some answers route over IPv6 unproxied while IPv4 rides the tunnel, you will chase “ghost” failures. Either route IPv6 consistently through the same policy or administratively disable it on that workstation until you can test dual-stack behavior methodically.
8. Node Selection for Streaming Sessions
Latency leaderboards mislead for AI workloads. Short ICMP wins do not predict whether a node sustains long TLS uploads for big prompts or multimodal attachments. Prefer providers with clean peering to Alphabet’s edge, then validate subjectively inside Antigravity: run the same summarization twice on different peers and compare tail latency, not just the first token.
When multiplexing (smux, grpc-like overlays) interacts poorly with your provider, disable it for the Google API group before opening a support ticket with the wrong evidence. Likewise, QUIC experiments in Chromium-derived surfaces occasionally fight middleboxes; temporarily compare HTTP/2-only behavior if you suspect protocol downgrade loops.
Corporate environments may layer TLS inspection on gateways. If you sit behind such a box, Clash cannot magically restore trust chain validation—work with security on pinned roots or split horizons instead of stacking yet another opaque VPN on top of Clash.
9. Self-Check and Diagnostics
Walk this list whenever “Antigravity broke after lunch”:
- Rule hits. Confirm gemini.google.com, googleapis.com, and gstatic.com map to PROXY-GOOGLE-AI (or your chosen tag), not silent DIRECT.
- Resolver parity. Compare dig or OS resolver output with the core’s fake-IP table when applicable; mismatches predict spooky partial failures.
- Transport smoke tests. Run curl -I https://generativelanguage.googleapis.com via the local mixed port—timeouts isolate cabling and proxy issues from HTTP semantics.
- HTTP semantics. Visible 401, 403, or 429 bodies point to credentials or quotas, not missing DOMAIN-SUFFIX rows.
- Reduce variables. Disable aggressive browser extensions or companion VPNs for one controlled attempt; double proxies create TLS symptoms that masquerade as Google outages.
Capture screenshots or log excerpts when a recipe works. Next month’s IDE update is much cheaper to triage when you know the tuple of DNS mode, TUN state, group tag, and working region.
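The transport and HTTP-semantics checks above can be scripted so that every run lands in the same bucket. This is an added example, not part of the original article: the proxy address 127.0.0.1:7890 is an assumption (substitute the mixed port from your own profile), and the function names are hypothetical.

```python
import subprocess

# Assumption: the local Clash mixed port; take the real value from your profile.
PROXY = "http://127.0.0.1:7890"
URL = "https://generativelanguage.googleapis.com"

# curl exit codes that mean no HTTP response was ever received
TRANSPORT_EXITS = {
    5: "proxy name did not resolve",
    6: "host name did not resolve",
    7: "connection refused or unreachable",
    28: "timed out",
    35: "TLS handshake failed",
    52: "empty reply from server",
    56: "connection reset while receiving",
    60: "certificate not trusted",
}

def classify(exit_code, http_code):
    """Map one curl result to the bucket the checklist distinguishes."""
    if exit_code != 0:
        return "transport", TRANSPORT_EXITS.get(exit_code, f"curl exit {exit_code}")
    if http_code in (401, 403):
        return "credentials", f"HTTP {http_code}"
    if http_code == 429:
        return "quota", "HTTP 429"
    # Any other status, a 404 on the bare host included, proves the path works.
    return "reachable", f"HTTP {http_code}"

def probe(url=URL, proxy=PROXY, timeout=10):
    """Run curl -I through the proxy and classify the outcome."""
    cmd = ["curl", "-sS", "-I", "-o", "/dev/null", "-x", proxy,
           "--max-time", str(timeout), "-w", "%{http_code}", url]
    done = subprocess.run(cmd, capture_output=True, text=True)
    return classify(done.returncode, int(done.stdout.strip() or 0))

if __name__ == "__main__":
    print(probe())
```

A "transport" result points back at rules, DNS, or the selected node; "credentials" and "quota" mean the route is fine and the problem sits with the account or API key.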
10. Quick FAQ
Why does only Antigravity fail while Chrome Gemini loads? Subprocesses that bypass system proxy settings are the usual culprits; enable Clash TUN and verify host-level captures.
Can I reuse ChatGPT YAML? No—OpenAI suffixes never implied googleapis.com. Start from Google-native lists such as our Gemini-focused profile guidance.
What about enterprise Vertex endpoints? Add the exact hostnames your org’s console shows; they differ from consumer Generative Language paths.
Do I need Premium nodes? You need stable nodes—throughput matters less than avoiding hourly region roulette.
11. Availability and Terms
This article addresses legitimate operators who already hold authorized access to Google AI services. Routing changes path, not contractual rights. Respect regional availability, workplace acceptable-use policies, and applicable law. We do not describe bypass of fraud prevention, abuse defenses, or billing verification—use official recovery and support flows when challenges appear for genuine security reasons.
Treat downloads of Clash-compatible clients as supply-chain decisions: prefer signed artifacts from publishers you trust and audit updates before mass rollout.
12. Summary
Google Antigravity turns Gemini into an Agent IDE companion, which means more processes touch Google API endpoints than a single browser tab ever did. The durable fix is boring engineering: turn on Clash TUN where your OS allows, maintain ordered split rules for google.com, gstatic.com, googleapis.com, and related suffixes ahead of catch-alls, align DNS with the tunnel, and pick node selection policies that do not yo-yo regions mid-session. Capture fresh hostnames whenever Google ships UI changes, and separate transport timeouts from crisp HTTP errors before you burn a weekend swapping airports.
Compared with one-button consumer VPNs that hide routing behind opaque toggles, a maintained Clash profile lets you read connection logs, version YAML in Git, and explain to teammates exactly why a model call succeeded. That transparency is scarce among “universal accelerator” apps that promise AI access without exposing which suffixes they actually match—when their lists fall behind a CDN shift, you wait for someone else to publish an opaque update.
Clash rewards the same discipline: declarative rules, reproducible DNS, and clients that stay patched across Windows, macOS, and Linux. When you are ready to standardize that stack, use the official channel on our download page so binaries match what maintainers publish, then fold the Google block above into a profile you can diff like code.