Claude Code and MCP Tools Timing Out? Stabilize CLI and Plugin Feeds With Clash in 2026

Why browser-only Anthropic rules miss Claude Code and MCP

If you already split claude.ai and API hosts for chatty browser sessions, you have solved half the problem. Claude Code and MCP-heavy workflows add parallel surfaces: package managers that talk to registry.npmjs.org and regional CDNs, Git operations against github.com and objects.githubusercontent.com, OAuth device flows that bounce between vendor domains, and MCP servers that may run locally yet still reach remote registries to resolve tool metadata. Each hop is another chance for traffic to exit through a different policy group than the one your model calls use.

The failure mode is familiar once you read logs with process context. The model stream succeeds while a tool install stalls, or vice versa, because npm traffic followed a domestic path while Anthropic API calls rode a tunnel that throttles long uploads. MCP amplifies the mismatch: a server process spawned by your IDE might inherit environment proxy variables on macOS but not on Linux, or the opposite under WSL2. Clash cannot rewrite every application bug, but it can remove “random exit per hostname family” from the equation by placing developer-critical domains into a single, well-monitored policy group ahead of coarse GEOIP rules.

What actually talks to the network

Before editing YAML, inventory the hostnames your machine touches during a representative session. Anthropic-facing stacks typically include api.anthropic.com and related API edges, console or account flows on console.anthropic.com, and whatever domains your organization pins for OAuth or SSO. Those deserve the same careful ordering you would give any paid API.

Package ecosystems add bulk. npm clients resolve the registry, then follow redirects to tarball hosts and integrity subresources; corporate mirrors may sit on private domains—if so, keep mirror hostnames in the same policy bucket as your CLI tools to avoid split-brain TLS. GitHub traffic is rarely a single name: raw endpoints, Git LFS, releases, and GitHub Actions caches can fan out widely. When MCP servers download models or fetch remote JSON catalogs, they may hit CDNs that look like “generic cloud” unless you log them once.

MCP itself is a protocol family, not one socket shape. A server might expose HTTP or WebSocket endpoints, or run as a subprocess with stdio framing while still making outbound HTTPS for tool discovery. The common thread is long-lived sessions and bursty metadata fetches that punish proxies with aggressive connection limits or short idle timers. Listing these behaviors beats memorizing a static domain list copied from a forum thread.

• Anthropic API and console: keep on a stable, low-flap egress with consistent source IP if your org allowlists addresses.
• npm and GitHub: prioritize throughput and TLS completeness; avoid blocklists that silently break tarball hosts.
• MCP discovery: log once, then codify the hostnames you actually saw rather than guessing “AI CDN” buckets.

Split routing order that actually wins

Clash evaluates rules top to bottom until the first match. That sounds obvious until a remote rule provider injects a broad GEOIP,CN row above your carefully crafted developer bundle, or a catch-all MATCH swallows traffic you meant to steer elsewhere. For developer stacks, place high-confidence rows for your workflow bundle above entertainment, ad, or tracker lists that might interfere with telemetry or OAuth callbacks.

A practical pattern is to dedicate a policy group such as AI_DEV (name it however you like) and reference it consistently for Anthropic, npm, GitHub, and any MCP-related domains you confirmed in logs. Keep domestic-only services on DIRECT with explicit DOMAIN-SUFFIX entries so they never accidentally inherit a foreign exit. Reserve ultra-broad rules for the bottom of the file, and treat remote rule sets as suggestions you merge with local overrides that win on ordering.

Through 2026, teams increasingly merge multiple provider lists. After each merge, skim for collisions: a generic “cloud storage” block might capture GitHub release assets, or a “streaming video” block might accidentally include a CDN edge shared with model weights downloads. When collisions happen, narrow the upstream list or insert a more specific local row above it. The goal is not maximal blocking; it is predictable routing for paid work tools.

DNS, fake-ip, and why npm or Git “randomly” hang

Misaligned DNS is the fastest way to manufacture timeouts that look like “bad nodes.” Under fake-ip, applications may receive synthetic addresses that only make sense inside Clash’s mapping table; if any part of the stack resolves names outside Clash while packets still traverse it, you get bizarre partial connectivity. Under redir-host or TUN setups, ensure your OS resolver and Clash’s nameserver story agree on which queries go where.

For CLI tools, verify whether they honor HTTP_PROXY variables, SOCKS helpers, or nothing at all. A common WSL2 pitfall is Linux resolving DNS on the Windows side while TCP flows through a different adapter—our WSL2 plus Clash on Windows article walks through mirrored networking and port forwarding patterns that reduce that class of bug. On macOS, local developer daemons may bypass system proxy settings unless you adopt TUN or per-tool configuration.

When npm reports ETIMEDOUT or Git prints slow clone speeds, capture the failing hostname in Clash logs alongside the matched policy. If the policy is correct but DNS latency spikes, tune nameserver and fallback ordering, or disable experimental DNS features one at a time until behavior stabilizes. For deeper triage, read the DNS and fake-ip troubleshooting guide before you churn through dozens of exit cities.

Long-lived connections, SSE, and MCP transports

Chat in a browser tends to reset connections often enough to hide mediocre proxy behavior. Claude Code and MCP sessions may keep channels open across many tool invocations, large repository reads, or streaming responses that resemble server-sent events. Middle boxes that recycle TCP sessions too eagerly, or nodes that apply per-flow rate limits, surface as mid-stream stalls rather than instant hard errors.

Design your policy group with idle tolerance in mind. Commercial VPN-style exits vary widely: some handle long TLS sessions gracefully; others excel at short web bursts only. When you must chain relays, each hop multiplies failure modes—prefer a short chain for API work unless you have measured improvement. If your MCP server uses WebSockets, confirm whether UDP or QUIC alternatives are in play; some networks treat them differently from plain HTTPS.

stdio-based MCP bridges add a subtle twist: the parent IDE process might be proxied while the child inherits a different environment. Logging at the Clash dashboard should still show outbound calls from the child once it touches the network; if not, you are dealing with pure local IPC, and your instability is elsewhere. When outbound calls do appear, align them with the same AI_DEV group as Anthropic APIs so OAuth tokens, tool metadata, and model traffic share fate.

Node selection in 2026: fewer speed tests, more steady streams

Synthetic benchmarks rarely predict how a node behaves for a fifteen-minute model-assisted refactor with ten intermediate Git pushes. Prefer nodes with stable routes to both Anthropic edges and GitHub’s anycast fronts, not just whichever city wins a weekend speed test. Watch jitter and loss on small packets; developer tooling is often latency-sensitive even when bandwidth looks ample.

If your provider exposes health checks, set intervals that are humane—overly aggressive probing can mark good nodes flaky, while sluggish probes keep you pinned on a degraded path. Separate “bulk download” groups from “API and MCP” groups if your subscription allows multiple concurrent selections; otherwise, accept that large npm installs may contend with streaming tokens and schedule them consciously.

For headless servers running agents, see the Clash Meta Linux headless guide for systemd persistence and subscription refresh patterns that keep unattended boxes from silently reverting to a broken default profile.

When TUN beats environment variables for CLI and IDE children

System proxy variables help browsers and many CLI tools, but they are not universal. Kernel-level TUN interception catches stubborn binaries that ignore HTTPS_PROXY, and modern Clash Meta cores can combine TUN with PROCESS-NAME or PROCESS-PATH rules when you need surgical splits. That is heavier operationally—permissions on macOS, driver interactions on Windows—but it is often the difference between “Cursor works” and “Cursor plus spawned MCP server works the same.”

If you enable TUN, revisit DNS immediately. TUN magnifies fake-ip mismatches because more processes participate. Validate with a simple reproducible script: a curl to Anthropic’s API host, an npm view command, and a shallow git fetch should all log under the same policy group when your bundle is correct. If one leg diverges, you still have ordering or DNS work to do before blaming Anthropic or MCP itself.

YAML sketches and ongoing maintenance

The snippet below is illustrative only—replace AI_DEV with your real policy group and expand domains from your own logs. Keep Anthropic, npm, and GitHub families near the top of your personal overrides, above imported GEOIP blocks.

# Illustrative rules — expand domains from your logs; verify policy group names
rules:
  - DOMAIN-SUFFIX,anthropic.com,AI_DEV
  - DOMAIN-SUFFIX,api.anthropic.com,AI_DEV
  - DOMAIN-SUFFIX,npmjs.org,AI_DEV
  - DOMAIN-SUFFIX,github.com,AI_DEV
  - DOMAIN-SUFFIX,githubusercontent.com,AI_DEV
  # Add MCP discovery hosts you observed (examples only):
  # - DOMAIN-SUFFIX,example-mcp-registry.dev,AI_DEV
  - GEOIP,CN,DIRECT
  - MATCH,AI_DEV

Maintenance is ongoing because CDNs and vendor edges shift. Schedule a quarterly review: diff your local overrides against connection logs, prune unused hostnames, and add newcomers immediately after you first see them during a real project—not weeks later when the team forgets what changed.

Symptom	First check	Second check
Model works; npm fails	Matched policy for registry.npmjs.org	Tarball CDN host captured in logs
MCP tool discovery fails	Child process proxy inheritance	TUN vs env-only coverage
Mid-stream stall	Node idle timeout behavior	Relay chain length and jitter

FAQ

My MCP server runs locally—do I still need special rules?

Often yes, because local servers still perform outbound HTTPS for catalogs, models, or Git operations. Log outbound destinations from the server process and route them consistently with your developer bundle.

I followed the Anthropic browser guide—why is Claude Code different?

Browser guides emphasize claude.ai and human-visible flows. Claude Code adds CLI binaries, npm, Git, and MCP orchestration. Extend your rules to those surfaces instead of duplicating the browser article’s scope.

Should Anthropic and GitHub share the same node?

They should at least share the same policy group so you can reason about one egress story. Whether that group contains one node or a load-balanced pool depends on your provider; avoid splitting them across unrelated pools unless you have measured benefit.

Practical checklist

Ship rules you can explain to a teammate

Clash shines when your profile reads like documentation: clear policy groups, ordered rules, and logs that tell a story. Once Claude Code, MCP, npm, and GitHub share a coherent path, timeouts stop being mysterious “AI outages” and become ordinary network engineering problems with ordinary fixes.

Download Clash for free and experience the difference