China Sites Slow After Enabling Clash? Check GEOIP CN and Bypass Rules (2026 Step-by-Step)

You enabled Clash, and suddenly domestic portals, university sites, or bank pages feel sluggish—or half the assets never load. Before you blame the exit node, consider the usual suspect: domestic traffic is being classified as “foreign” and sent through a proxy path it was never meant to use. This guide gives a repeatable checklist for GEOIP CN, “bypass mainland” style lists, rule order (including where MATCH sits), and DNS so your split routing matches the mental model of domestic direct browsing.

Symptoms that point to mis-routed China traffic

People describe the problem in different ways: “only Chinese websites are slow,” “Baidu opens but images crawl,” “the campus VPN portal times out unless I disable Clash,” or “my ping to game servers in China jumps when the client is on.” Those stories share a structure: latency and path length increase because packets detour through an overseas relay, or because DNS answers and routing decisions disagree after you inserted a policy router in front of the operating system.

This article is not about proving which subscription is fastest. It is about policy alignment: making sure the evaluator sends what you consider “mainland China” toward DIRECT (or a dedicated domestic group) before a broad catch-all sends everything to Proxy or Auto. When that alignment slips, the core is doing exactly what your YAML told it to do—which is why the fix is almost always ordering, coverage, and DNS visibility, not a magical checkbox labeled “make China fast.”

The mental model: first match wins, GEOIP is just another rule

Clash-family cores evaluate rules from top to bottom and stop at the first match. That single fact explains why a beautiful GEOIP,CN,DIRECT line can appear to “do nothing”: something above it already matched—perhaps a DOMAIN-SUFFIX aimed at a CDN, a RULE-SET that tags traffic as global, or a MATCH line placed too early in a merged profile.

GEOIP compares the destination IP against a bundled or downloadable country database. The CN region is the conventional tag for China. A line such as GEOIP,CN,DIRECT means “if the destination resolves within the CN country block according to this database, use direct egress.” It does not magically know user intent; it only knows what the IP geolocation data claims. CDNs, anycast, and partial IPv6 paths can still produce surprises, which is why GEOIP is necessary but not sufficient for every property on the modern Chinese web.

“Bypass mainland” in community templates usually means a stack of domain lists and GEOIP lines that try to carve domestic properties out of the default proxy path. The label sounds like a product feature; in practice it is a convention for ordering and list membership. Treat it as documentation inside your YAML, not a guarantee from the universe.

If proxy-groups names confuse you, read our proxy-groups guide first—rules point to group names, and a typo there makes even perfect GEOIP lines fail at runtime.

Step 1 — Confirm the traffic actually traverses Clash

Start with the boring question: are the packets even hitting your policy engine? A browser can ignore the system HTTP proxy; a terminal tool might resolve DNS without going through Clash’s listener; a UWP app on Windows can behave differently from Chrome. If nothing appears in your client log when you reproduce the issue, you are debugging the wrong layer.

System proxy mode generally captures well-behaved HTTP(S) clients that honor OS settings. TUN / virtual adapter modes pull more traffic into the tunnel, which is often what you want when diagnosing “everything should be split” setups—but they introduce their own DNS and routing interactions. Our TUN mode deep dive walks through capture mechanics if you suspect invisible flows.

Turn on sensible logging in your GUI, reproduce a slow page load, and identify one failing connection. Note whether the log shows a domain name or only an IP address for that flow. That distinction will matter again when we talk about DNS and Sniff.

Step 2 — Read which rule won (and which policy it picked)

Once you see a live line in the log, read the matched rule type and the policy (for example DIRECT vs a proxy group). If a domestic bank URL shows a match to a RULE-SET line that maps to Proxy, you have already found the culprit: the set or its position—not “China” in the abstract—is steering traffic away from direct egress.

When logs show an IP-only flow, resist the urge to immediately add random domain keywords. Ask why the core lacked a hostname: did DNS happen outside Clash? Did TLS SNI not arrive yet? Is the connection UDP or QUIC-heavy in a way your capture path summarizes differently? You are hunting a visibility problem, not a moral failure of GEOIP.

Step 3 — Audit rule order: put “China direct” before the catch-all

Most subscription templates end with something like MATCH,Proxy or MATCH,Auto. That line is correct as a default route for everything not explicitly classified. The failure mode is different: someone prepends a giant global list, accidentally places a second MATCH mid-file during a merge, or lets a RULE-SET for “foreign media” shadow domestic CDNs because a shared domain appears in both lists.

Work through this ordered pass mentally:

  1. LAN and private ranges on DIRECT if you rely on them (home NAS, printers).
  2. Explicit domestic domain lists you trust—often shipped as RULE-SET providers for Chinese sites and services.
  3. GEOIP,CN,DIRECT (or a domestic-only group if your template uses one) above the default proxy catch-all.
  4. Everything else falling through to your general proxy group via the final MATCH.

If your profile literally contains GEOIP,CN,DIRECT but domestic traffic still proxies, return to step 2: the winning rule is not that GEOIP line. Either the IP is not classified as CN in your database snapshot, or another matcher fires first.

# Conceptual slice — exact names must exist in your proxy-groups
rules:
  - DOMAIN-SUFFIX,cn,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,Auto

The snippet is illustrative; real profiles interleave more RULE-SET entries and ad-blocking lists. The invariant remains: specific-to-you overrides belong in a predictable band near the top, and the default MATCH stays at the bottom unless you truly intend otherwise.
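To see which rule wins for a given flow, the first-match walk can be modelled offline. The following is an added example, not code from Clash or from this site: `GEO_TABLE`, the hostnames and the addresses are constructed, the GeoIP lookup is a stand-in table, and only a handful of rule types are modelled.

```python
import ipaddress

# Constructed stand-in for a GeoIP database (documentation range only).
GEO_TABLE = {"CN": [ipaddress.ip_network("203.0.113.0/24")]}

def rule_matches(kind, value, host, ip):
    """True if one rule matches a flow; host is None for IP-only flows."""
    if kind == "MATCH":
        return True
    if host is not None:
        if kind == "DOMAIN":
            return host == value
        if kind == "DOMAIN-SUFFIX":
            return host == value or host.endswith("." + value)
        if kind == "DOMAIN-KEYWORD":
            return value in host
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    if kind == "IP-CIDR":
        return addr in ipaddress.ip_network(value)
    if kind == "GEOIP":
        return any(addr in net for net in GEO_TABLE.get(value, []))
    return False  # types this sketch does not model, e.g. RULE-SET

def first_match(rules, host, ip):
    """Walk rules top to bottom; return (line_no, rule, policy) of the winner."""
    for n, line in enumerate(rules, start=1):
        parts = [p.strip() for p in line.split(",")]
        kind = parts[0]
        value, policy = (None, parts[1]) if kind == "MATCH" else (parts[1], parts[2])
        if rule_matches(kind, value, host, ip):
            return n, line, policy
    return None

GOOD = ["DOMAIN-SUFFIX,cn,DIRECT", "GEOIP,CN,DIRECT", "MATCH,Auto"]
# Constructed breakage: a short keyword rule placed above the domestic band.
SHADOWED = ["DOMAIN-KEYWORD,bank,Auto"] + GOOD

# Constructed flows to the same CN-tagged address, with and without a hostname.
FLOW_NAMED = ("pay.bank.example", "203.0.113.10")
FLOW_IP_ONLY = (None, "203.0.113.10")

if __name__ == "__main__":
    for label, rules, flow in [("good/named", GOOD, FLOW_NAMED),
                               ("shadowed/named", SHADOWED, FLOW_NAMED),
                               ("shadowed/ip-only", SHADOWED, FLOW_IP_ONLY)]:
        print(label, first_match(rules, *flow))
```

With the keyword rule on top, the named flow is pinned to Auto while the IP-only flow to the same address still reaches GEOIP and goes DIRECT, which is why the log's hostname-versus-IP distinction matters when you read the winning rule.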

Step 4 — Validate GEOIP data and “CN” coverage

GEOIP accuracy is data-dependent. Cores ship or download a GeoIP database; older snapshots mis-tag some anycast edges; occasional IP blocks move between regions after routing changes. When only one stubborn site misbehaves, test its resolved A/AAAA records outside the tunnel and compare with what Clash sees.

Some Meta-class cores support alternate GeoIP datasets or additional keywords beyond the minimal GEOIP,CN,DIRECT pattern—exact names differ by release. If documentation for your fork mentions a premium database or updated loader path, follow that path instead of cargo-culting a keyword from a five-year-old gist.

Also remember IPv6. If your OS prefers AAAA records and your rules only contemplate IPv4 GEOIP paths, you can split outcomes: one address family exits directly while the other rides a proxy, producing “half-loaded” pages. Align IPv6 policy explicitly or disable IPv6 at the OS level if that matches your operational choice—just document why, so you are not mystified six months later.

Step 5 — Domain lists vs GEOIP: why both appear in “bypass” stacks

Domain-based matchers excel when hostnames are stable and visible. GEOIP excels when you cannot enumerate every subdomain a service will touch—think API endpoints that shift IPs weekly. Community “China direct” lists try to pre-classify known domestic properties so you are not solely dependent on IP geolocation for brands that mix global CDNs.

The trade-off is trust and maintenance: large remote RULE-SET providers can drift, overlap, or classify domains differently than you expect. Treat lists as policy inputs, not scripture. When a provider update coincides with new slowness, diff the release or temporarily disable that RULE-SET line to see if matches revert to sane GEOIP,CN behavior.

For hands-on practice with RULE-SET mechanics and merge discipline, our custom rules tutorial walks through ordering and providers without turning your YAML into an unreadable wall of pasted domains.

Step 6 — DNS: fake-ip, redir-host, and “I routed it, but the name was wrong”

DNS is not a separate universe from routing—it decides which IP your rules evaluate when applications defer resolution to Clash. In fake-ip modes, the client may receive synthetic addresses that map back to original names inside the core. That design is powerful for split tunneling, but when misaligned with browser Secure DNS or hard-coded DoH endpoints, you can observe exactly the class of “Chinese sites break only when Clash is on” bugs this article targets.

Run through this sub-checklist when domestic pages feel wrong:

  • Is the OS still using public DoH while Clash expects to own DNS? Mixed setups can resolve different A records than your rule engine assumes.
  • Does the log show the domain you care about during the failure? If not, revisit Sniff settings and whether TLS SNI is visible for that flow—our sniffing exceptions guide covers cases where over-eager sniffing breaks sites, which can masquerade as routing errors.
  • Are you comparing “DNS through Clash” vs “DNS direct” when triaging? A quick A/B test clarifies whether the root cause is resolver placement rather than GEOIP.

Writing this down bluntly: you cannot expect GEOIP lines to rescue you from contradictory DNS if the core and the browser disagree about which IP represents “the site.” Fix resolver alignment first; then re-evaluate GEOIP.

Step 7 — MERGE and GUI realities: where your YAML actually ends up

Graphical clients often merge a remote subscription with local overrides. The dangerous part is not YAML syntax—it is merge order you did not read. Some GUIs prepend user rules; others append them; a few let you choose. If your painstaking GEOIP,CN,DIRECT block lands after an imported MATCH,Proxy because the merge strategy appended the vendor file second, you will see exactly the “China is slow” symptom even though your text file looks perfect in isolation.

When debugging, export the effective running configuration your core loaded—not the fragment you remember editing. Diff that against your intent. The surprise is almost always ordering or duplicated sections after an automatic refresh pulled a new upstream profile.
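A static check over the effective rule list catches the merge-order problem before you reproduce it in a browser. This is an added example, not part of any Clash client: the `prepend`/`append` strategy names, the `global-media` set name and the group names are hypothetical, and the input is the rule list as plain strings after you have exported the running configuration.

```python
BUILTIN = {"DIRECT", "REJECT"}  # policies that need no proxy-groups entry

def merge(local, remote, strategy):
    """Combine local override rules with subscription rules.
    'prepend' puts local rules first; anything else puts them last."""
    return local + remote if strategy == "prepend" else remote + local

def audit(rules, groups):
    """Return findings for an effective (post-merge) rule list."""
    findings = []
    match_idx = None  # index of the first MATCH seen so far
    for i, line in enumerate(rules):
        if match_idx is not None:
            # First match wins, so nothing below a MATCH is ever evaluated.
            findings.append(f"unreachable (below MATCH at line {match_idx + 1}): {line}")
            continue
        parts = [p.strip() for p in line.split(",")]
        kind = parts[0]
        if len(parts) < (2 if kind == "MATCH" else 3):
            findings.append(f"malformed: {line}")
            continue
        policy = parts[1] if kind == "MATCH" else parts[2]
        if policy not in BUILTIN and policy not in groups:
            findings.append(f"unknown policy '{policy}': {line}")
        if kind == "MATCH":
            match_idx = i
    if match_idx is None:
        findings.append("no MATCH catch-all")
    return findings

# Constructed inputs: one local override and a two-line subscription.
LOCAL = ["GEOIP,CN,DIRECT"]
REMOTE = ["RULE-SET,global-media,Proxy", "MATCH,Proxy"]
GROUPS = {"Proxy", "Auto"}

if __name__ == "__main__":
    for strategy in ("prepend", "append"):
        print(strategy, audit(merge(LOCAL, REMOTE, strategy), GROUPS))
```

The same audit flags a rule that points at a group name missing from proxy-groups, so a typo there shows up alongside ordering problems.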

Common failure patterns we see in support threads

Catch-all too high. A stray MATCH copied from a gist sits halfway through the list, so nothing below it—including GEOIP—ever executes.

Over-broad DOMAIN-KEYWORD rules. A short keyword accidentally matches unrelated hosts, pinning traffic to a proxy group before GEOIP sees it.

List overlap. Two community sets both claim “global CDNs” and “China direct,” and whichever appears first wins—sometimes incorrectly.

Geo database drift on routers. Embedded Clash builds on low-memory devices may ship older GeoIP snapshots; domestic IPs occasionally look foreign until you refresh data or update the firmware channel.

Corporate split-horizon DNS. Inside some networks, the same hostname resolves to intranet addresses on direct DNS but public addresses through an external resolver. Clash cannot guess your corporate intent unless you encode explicit IP-CIDR or domain exceptions.

Building confidence: a minimal end-to-end test plan

Instead of scrolling forums for “the one true rule,” adopt a small battery of tests you can rerun after every subscription update:

  1. Open a known domestic site that should be direct and watch which policy the log assigns.
  2. Open a known overseas site that should use your default proxy group.
  3. Resolve a domestic hostname with and without Clash in the path; compare at least one A record.
  4. If you game or voice-chat, add one UDP-heavy domestic check relevant to your hobbies—latency spikes there often reveal IPv6 or QUIC edge cases.

Passing those checks does not mean your security model is perfect; it means your routing story matches your stated policy, which is the bar most readers actually care about when they say “make China normal again.”

Privacy, compliance, and realistic expectations

Routing tweaks change paths and exit IPs; they do not grant permission to ignore terms of service, campus policies, or local regulations. This guide assumes you configure systems you own or legitimately administer. If you need enterprise support, follow your IT department’s VPN standard instead of improvising split tunnels on a work laptop.

Open-source repositories remain the right place to read changelogs and file issues; for day-to-day installs, prefer curated distribution pages that track signatures and release channels. Keep GitHub discussions separate from “where do I download the GUI” so newcomers are not nudged toward unverified mirrors by accident.

Closing: from mystery lag to a policy you can explain

When domestic sites feel wrong only after Clash starts, you are usually one disciplined audit away from clarity: confirm capture, read the winning rule, place GEOIP CN and trusted domestic lists above the catch-all, and align DNS with how your core resolves names. Compared with randomly toggling nodes, that sequence isolates whether you are fighting geography data, list overlap, merge order, or resolver placement—and it produces a configuration you can defend to your future self.

If you are new to installation layout and first-run checks, work through our Clash tutorial, then layer the overrides here. When you are ready to standardize a maintained Clash Meta-class client with readable logs, use our download page as the primary path.