Symptoms: When Clash “Works” Everywhere Except Games and Voice
A frustrating pattern shows up in support threads: web browsing and desktop chat apps feel fine, then you launch a multiplayer game or join Discord voice and the session degrades. Ping looks unstable, you rubber-band, the party hears clipping, or the match simply drops the moment the tunnel toggles on. Those failures rarely mean your subscription “expired” in isolation — they usually mean UDP is taking a different path than TCP, a rule is sending real-time traffic through an outbound that does not carry UDP, or DNS handed the game an address your policy stack never intended.
Modern Clash derivatives built on the mihomo core can forward UDP when the dataplane and remote node cooperate, but UDP is not a free checkbox. Voice codecs, game state replication, and anti-cheat handshakes are latency-sensitive; forcing them through a high-latency region, double-NAT scenario, or a broken relay is worse than sending them DIRECT on purpose. The goal of this article is not to preach “always proxy games” — it is to help you choose consciously between TUN mode and system proxy, then write split rules so UDP is not hijacked by accident.
Why UDP Breaks More Easily Than Web Traffic
Browsers lean heavily on TCP and TLS. A typical HTTP proxy or system proxy configuration can steer that traffic through a local port, and if something goes wrong you get a clear error page. Games and VoIP often open UDP sockets directly to ephemeral ports on publisher servers, voice relays, or peer endpoints in NAT traversal scenarios. If those packets never enter Clash’s pipeline — for example because the title ignores OS proxy variables — your rules simply do not run. Conversely, if packets do enter Clash but the selected proxy group points at a profile that only supports TCP forwarding, UDP may be dropped or black-holed with little user-visible explanation beyond “voice died.”
Another subtle issue is connection state. TCP proxies can track streams; UDP is datagram-based. Any middleware that tries to “help” by rewriting addresses must preserve 5-tuple consistency, or voice clients see their jitter buffers blow up. That is why many experienced users prefer split tunneling: keep low-latency UDP on a short path, and still route censored or geo-locked TCP services through your chosen exit. The art is doing so without leaking sensitive traffic you meant to protect, which is where ordered rules and observability matter.
TUN Mode vs System Proxy for Gaming and Voice
System proxy mode (mixed HTTP/SOCKS on a local port) is convenient and low-privilege, but a large share of game executables never consult those settings. Titles using custom networking stacks, kernel-adjacent anti-cheat, or launcher-bypassed binaries may talk to the network as if no proxy existed. Result: you think Clash is “on,” yet matchmaking DNS still resolves through the ISP and UDP flows never hit your YAML. For that class of software, TUN transparent mode is usually the first structural fix because it attaches a virtual interface and lets the OS steer packets into Clash without per-game configuration.
TUN is not automatically “better latency.” It changes the capture surface: more traffic types, including UDP/53 for DNS when you enable hijack, plus QUIC and game ports that system proxy would miss. The cost is operational: you must understand routing loops, strict-route behavior, and DNS integration or you can break the entire machine. For a full conceptual tour — stacks, dns-hijack, and platform permissions — read our Clash TUN mode guide first; here we focus on the gaming and voice consequences of that choice.
- Start with system proxy if you only need browsers and IDE tools, or if corporate MDM forbids virtual adapters.
- Move to TUN when a game or voice client clearly ignores proxy env vars, or when QUIC/UDP must follow the same domain rules as TCP.
- Hybrid mindset: TUN on for play sessions, system proxy for work hours — document the toggle so you are not debugging two configs at midnight.
Split Rules: Put DIRECT and Game CDNs Ahead of Catch-All Proxies
Clash evaluates rules top-down; the first match wins. A common mistake is a massive GEOIP or regional shortcut sitting above narrow lines you added for a publisher. The game might resolve to an anycast IP that your database labels unexpectedly, so traffic you assumed would go DIRECT suddenly rides a distant relay. The fix is to insert explicit DOMAIN-SUFFIX, DOMAIN-KEYWORD (sparingly), and IP-CIDR lines for the infrastructure you recognize before broad matchers. Our rule-based splitting deep dive explains matchers in detail; treat this section as a gaming-oriented ordering discipline.
Many multiplayer stacks use a mix of HTTPS telemetry (TCP) and UDP gameplay. You might want the storefront or patch CDN on one policy and the actual match on another. In practice, start by logging: reproduce a disconnect, then read which process / destination appeared. If the failing hop is clearly domestic or low-risk, a DIRECT line can instantly restore stability. If you must proxy, ensure the same rule covers both the domain phase and any later IP rules that might override it.
# Illustrative pattern: replace groups and domains with your observed traffic
rules:
  # LAN / console discovery / local matchmaking helpers
  - IP-CIDR,192.168.0.0/16,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  # Example: keep a voice stack direct if logs show it breaks via relay
  - DOMAIN-SUFFIX,discord.com,DIRECT
  - DOMAIN-SUFFIX,discordapp.com,DIRECT
  - DOMAIN-SUFFIX,discord.gg,DIRECT
  # Publisher-specific endpoints you identified from connection logs
  # - DOMAIN-SUFFIX,example-publisher.net,GAME-PICK
  # Only after explicit lines, apply regional lists and the final MATCH
  - GEOIP,CN,DIRECT
  - MATCH,PROXY
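To see how ordering changes the outcome, the following added example (not part of the original article or of mihomo) models top-down, first-match evaluation in a simplified way and flags explicit lines that sit below a broad matcher. The rulesets, the flow, and the GeoIP label `US` are constructed; the matcher covers only the rule types used here.

```python
import ipaddress

BROAD = {"GEOIP", "GEOSITE", "MATCH"}  # matchers treated as catch-alls in this model

def parse(lines):
    """Split 'TYPE,VALUE,POLICY' rule strings; MATCH carries no value."""
    out = []
    for line in lines:
        p = [x.strip() for x in line.split(",")]
        out.append((p[0], "", p[1]) if p[0] == "MATCH" else (p[0], p[1], p[2]))
    return out

def hit(kind, value, host, ip, geo):
    """Simplified matcher; geo is the country the GeoIP database reports for ip."""
    if kind == "DOMAIN-SUFFIX":
        return host == value or host.endswith("." + value)
    if kind == "DOMAIN-KEYWORD":
        return value in host
    if kind == "IP-CIDR":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
    if kind == "GEOIP":
        return geo == value
    return kind == "MATCH"

def first_match(rules, host, ip, geo):
    """Top-down evaluation: return (index, policy) of the first rule that hits."""
    for i, (kind, value, policy) in enumerate(rules):
        if hit(kind, value, host, ip, geo):
            return i, policy
    return None

def narrow_after_broad(rules):
    """Indices of explicit rules that sit below the first broad matcher."""
    first = next((i for i, r in enumerate(rules) if r[0] in BROAD), len(rules))
    return [i for i, r in enumerate(rules) if i > first and r[0] not in BROAD]

# Constructed rulesets: the same lines in two different orders.
MISORDERED = parse(["GEOIP,US,PROXY", "DOMAIN-SUFFIX,discord.com,DIRECT",
                    "IP-CIDR,192.168.0.0/16,DIRECT", "MATCH,PROXY"])
ORDERED = parse(["IP-CIDR,192.168.0.0/16,DIRECT", "DOMAIN-SUFFIX,discord.com,DIRECT",
                 "GEOIP,US,PROXY", "MATCH,PROXY"])

# Constructed flow: a documentation-range IP assumed to be labelled US by the database.
FLOW = dict(host="discord.com", ip="203.0.113.10", geo="US")

if __name__ == "__main__":
    for name, rs in (("misordered", MISORDERED), ("ordered", ORDERED)):
        print(name, first_match(rs, **FLOW), "narrow-after-broad:", narrow_after_broad(rs))
```

In the misordered set the voice flow is claimed by the regional line at index 0 and never reaches its `DIRECT` rule; moving the explicit lines up restores the intended path.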
Discord, Party Chat, and “Proxy Voice” Expectations
Discord is a frequent pain point because it mixes REST over TCP, media over UDP, and occasional WebRTC-style paths depending on client settings and region. If TCP API calls succeed through a proxy but UDP media is blocked or routed to an incompatible exit, users hear “connected” yet audio crumbles. A pragmatic approach for domestic users is to keep Discord on DIRECT while still proxying other destinations — that is legitimate split tunneling, not cheating the rules. If you must proxy Discord entirely (strict corporate egress, for example), verify the node supports UDP and test with a short voice call while watching latency and packet loss in the client debug overlay when available.
In-game party systems (PlayStation Network, Xbox Live, Steam friends, Epic voice, etc.) each bring their own hostname farms. Rather than cargo-culting a giant block list from a random gist, build an evidence-based list: run one session with verbose logging, export the destinations you actually hit, then promote recurring names into YAML. This keeps maintenance sane and avoids over-broad DOMAIN-KEYWORD lines that accidentally capture unrelated telemetry and then fight your AI or streaming rules.
DNS, Fake-IP, and Why Matchmaking “Feels” Wrong
With enhanced-mode: fake-ip, Clash can answer DNS from a synthetic pool so it retains domain context when connections are established. That is powerful for domain rules, but games sometimes perform DNS lookups outside the paths you expect, or rely on answers that must be real public addresses for anti-cheat attestation. If a title receives a fake-ip answer for a hostname that should resolve normally, you can see bizarre routing, failed handshakes, or region mismatches. Mitigations include widening fake-ip-filter for known publisher zones, temporarily switching enhanced mode to normal as a bisection test, and ensuring DNS hijack under TUN actually covers the resolver the game uses — not only the browser.
When TUN is enabled, pair DNS hijack with a coherent dns section: credible upstreams, sane fallback for poisoned networks, and logging good enough to see whether the game even asked Clash for DNS. If DNS bypasses the core, your IP-based rules may classify traffic differently than your mental model of “I added a DOMAIN rule,” because the domain never existed in the pipeline — only the resolved IP did.
Outbounds and Nodes: Confirm UDP Is Actually Supported
Not every remote profile forwards UDP cleanly. Some historical HTTP-only chains drop datagrams entirely; some congested relays add jitter that voice cannot tolerate. Before rewriting YAML for the tenth time, test UDP reachability on the same node with a small controlled experiment — many GUI clients expose per-connection logs showing whether UDP sessions establish. If TCP sites work but every UDP test fails, no amount of DOMAIN tweaking fixes the underlying transport. Rotate to a UDP-capable profile or keep real-time traffic on DIRECT.
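One way to run that controlled experiment, as an added example that is not from the original article: a SOCKS5 UDP ASSOCIATE probe (RFC 1928) that sends one DNS query through the local listener and waits for the reply. The listener address `127.0.0.1:7890` and the resolver `1.1.1.1:53` are assumptions; substitute your own mixed or SOCKS port.

```python
import ipaddress
import socket
import struct

def udp_header(dst_ip, dst_port):
    """SOCKS5 UDP request header (RFC 1928 section 7): RSV, FRAG, ATYP=IPv4, addr, port."""
    return b"\x00\x00\x00\x01" + ipaddress.IPv4Address(dst_ip).packed + struct.pack("!H", dst_port)

def dns_query(name, txid=0x1234):
    """Minimal DNS A query used as the UDP payload."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_reply(datagram, txid=0x1234):
    """Skip the relay's 10-byte IPv4 header and confirm the DNS transaction id matches."""
    if len(datagram) < 12 or datagram[2] != 0 or datagram[3] != 1:
        return False
    return struct.unpack("!H", datagram[10:12])[0] == txid

def probe(proxy=("127.0.0.1", 7890), resolver=("1.1.1.1", 53), timeout=3.0):
    """Return True if one UDP datagram makes the round trip through the SOCKS5 listener."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as ctl:
            ctl.sendall(b"\x05\x01\x00")                    # greeting: no-auth only
            if ctl.recv(2) != b"\x05\x00":
                return False
            ctl.sendall(b"\x05\x03\x00\x01" + bytes(6))     # UDP ASSOCIATE for 0.0.0.0:0
            rep = ctl.recv(10)
            if len(rep) < 10 or rep[1] != 0 or rep[3] != 1:
                return False
            relay = (socket.inet_ntoa(rep[4:8]), struct.unpack("!H", rep[8:10])[0])
            if relay[0] == "0.0.0.0":                       # relay bound on all interfaces
                relay = (proxy[0], relay[1])
            # The TCP control connection must stay open while the UDP relay is in use.
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
                udp.settimeout(timeout)
                udp.sendto(udp_header(*resolver) + dns_query("example.com"), relay)
                data, _ = udp.recvfrom(2048)
                return parse_reply(data)
    except OSError:                                         # refused, unreachable, timed out
        return False

if __name__ == "__main__":
    print("UDP round trip OK" if probe() else "UDP round trip FAILED")
```

The result reflects whichever outbound your rules select for the resolver address, so pin the node you want to test before running `probe()`.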
Strategy groups matter: a url-test or fallback group that aggressively jumps between regions can destabilize long-lived UDP flows even when each node alone is “fine.” For voice, consider a sticky manual select group during sessions, or pin low-latency nodes per region. Stability often beats theoretical peak bandwidth for interactive UDP.
TUN Stack Tweaks for Stubborn Titles
On mihomo-family cores, tun.stack changes how userspace handles injected packets. If a specific game or VoIP stack misbehaves only under TUN, try switching among system, gvisor, and mixed while holding all other variables constant — the TUN guide outlines trade-offs. This is not superstition; some proprietary stacks assume particular ICMP behaviors or fragmentation paths that differ per stack implementation.
Also revisit strict-route and LAN bypass lists. Overly aggressive tunnel routing can starve local discovery protocols that games use to find party members on the same LAN segment. If Wi-Fi lobby discovery breaks only when TUN is on, you are often one IP-CIDR away from relief.
Anti-Cheat, Kernel Drivers, and What You Cannot Solve in YAML
Some anti-cheat and DRM layers inspect network endpoints or forbid unexpected virtual adapters. Symptoms include instant kick after login, not gradual lag. Those cases are policy conflicts, not mis-sorted DOMAIN-SUFFIX lines. Remedies may be limited to running without TUN, using vendor-approved network modes, or accepting that certain titles will not coexist with transparent interception. Document the behavior so you do not burn hours tuning DNS when the client never intended to tolerate a tunnel.
Operational Checklist You Can Run in Ten Minutes
- Reproduce with logging enabled; note whether disconnects correlate with proxy toggles or node switches.
- Decide capture mode: if the game ignores system proxy, plan on TUN — after you understand routing from the dedicated guide.
- Verify UDP on the chosen outbound; abandon TCP-only paths for voice.
- Audit rule order: explicit game / voice / LAN DIRECT lines before regional catch-alls.
- Bisect DNS: try normal mode briefly; adjust fake-ip-filter if fake-ip breaks matchmaking.
- Tune stack (system vs gvisor vs mixed) if only one title fails.
- Retest with a calm manual node instead of aggressive auto-switching groups.
Stable Gaming Sessions Without Giving Up Split Tunneling
Thoughtful Clash use in 2026 looks less like “everything through Tokyo” and more like policy per traffic class: browsers and APIs where you need them, UDP real-time on paths that respect physics, and LAN traffic unmolested so discovery and printers keep working. Compared with flipping a blunt global VPN, a maintained ruleset preserves that balance — but only if you align TUN capture, node capabilities, and DNS mode with what the game actually does on the wire.
If you are still assembling your first desktop profile, the Windows-focused tutorial walks through client-level toggles that mirror other platforms, and the documentation hub links core concepts like strategy groups and remote rule providers. Subscription health still matters: when nodes rotate or profiles change, UDP behavior can shift overnight, so keep refresh hygiene in mind alongside routing.
A polished client surfaces TUN switches, readable connection logs, and safe escape hatches when a session goes sideways. That is the difference between “I can fix this in two minutes” and losing a ranked match because YAML archaeology is not a spectator sport.