Fix Telegram on Clash: Split Rules and Direct Exceptions (Tested)

People who already run Clash still see Telegram hang on “Connecting…”, deliver chats minutes late, or leave photos and videos spinning forever. The failure is often not “Telegram is down” or “pick another server blindly,” but policy-shaped routing: the wrong default outbound, split rules that never match the hostnames your client actually uses, DNS answers that disagree with fake-ip assumptions, or a catch-all line that wins before your app-specific matchers. This guide gives a log-first workflow, separates what should ride a proxy group from what can be a deliberate DIRECT exception for media edges, and ends with copy-ready YAML fragments you verify instead of folklore.

What usually breaks: Telegram is not “one hostname and done”

Telegram’s clients combine a small set of well-known web properties with a larger shifting surface of API endpoints, MTProto transports, and CDN hostnames for stickers, photos, and videos. A profile tuned for browser tabs can still strand the app if chat setup flows and media pulls do not share the same outbound family, if IPv6 and IPv4 take different paths, or if the operating system resolves names through a resolver that bypasses the assumptions your rule stack encodes.

Separately, “text works but thumbnails never finish” is a classic sign that control-plane traffic and bulk media traffic diverged in policy. “Everything works on cellular but not on home Wi-Fi” often points to ISP shaping, IPv6 preference, or double-NAT oddities—not mystical Telegram maintenance. Before you rotate exit nodes for the tenth time, confirm whether Clash even observes the failing flows and which matcher handled them. If you are new to transparent capture versus application-level proxy settings, read the TUN mode deep dive alongside this page; it explains why some programs ignore system proxy configuration and why changing capture mode changes what your rules can see.

Split the problem: control plane, media, and optional real-time calls

Think in three buckets. Control plane covers account session maintenance, chat list sync, and the initial negotiation that must succeed for the UI to feel “online.” Media plane covers large-object retrieval from CDN-style hosts—where a wrong policy might still let short JSON calls succeed while multi-megabyte downloads stall. Real-time calls add another dimension: voice and video can interact with UDP-like behaviors and relay selection in ways that resemble conference apps; when calls are the only broken surface, pair this article with Discord voice, UDP, and Clash for the RTC mindset even though product hostnames differ.

Keep those buckets separate while testing. If message text is current but a specific channel’s album never loads, bias toward media hostnames and byte-heavy paths. If the app never reaches “online” at all, bias toward capture visibility, DNS alignment, and the narrow set of names that establish sessions. If failures correlate with toggling Wi-Fi assist, moving between office and tethering, or enabling an aggressive battery saver on phones, note transport and radio before you rewrite YAML.

Step 0: reproduce with logging that shows rule hits

Pick one controlled test. Open Telegram, open a chat with a known large photo, and wait until the spinner either completes or clearly stalls. While reproducing, keep your core’s connection log visible and record three fields for several lines: destination hostname or IP, protocol if shown, and which policy or outbound group handled the flow. Repeat once with a tiny text-only chat to contrast control-plane behavior against media behavior.

Turn off unrelated experiments during the window. Pause game launchers saturating uplink, stop parallel 4K streams, and disable competing full-tunnel VPN products temporarily. Two tunnel stacks fighting over default routes produces “random messenger death” that no DOMAIN line will cure. If you recently enabled aggressive sniffing on Meta-class cores, remember sniffing can change how hostnames are inferred; if symptoms began right after that toggle, review our guide on disabling sniffing and adding exceptions before you fork a giant static domain list from a forum thread.
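The Step 0 bookkeeping can be scripted. The sketch below is an added example, not part of the original guide or of any Clash client: it pulls destination, matched rule, and outbound group out of connection-log lines, then lists watched hostnames that a group other than the expected one handled. The log line shape is an assumption modelled on Meta-class core info logs, so adjust the regex to your core's output. The sample lines are constructed, and `off_policy`, `Telegram` and `Proxy` are hypothetical names.

```python
import re
from collections import Counter

# Assumed line shape (adjust to what your core prints):
#   [TCP] src --> host:port match RuleType(payload) using Group[node]
LINE = re.compile(
    r"\[(?P<net>TCP|UDP)\]\s+\S+\s+-->\s+(?P<dst>\S+):(?P<port>\d+)\s+"
    r"(?:match\s+(?P<rule>\S+)|doesn't match any rule)\s+using\s+(?P<out>\S+)"
)

# Constructed sample lines (not captured from a real session).
SAMPLE = """\
[TCP] 192.168.1.20:50110 --> api.telegram.org:443 match DomainSuffix(api.telegram.org) using Telegram[node-a]
[TCP] 192.168.1.20:50111 --> cdn.telegram.org:443 match GeoIP(US) using Proxy[node-b]
[TCP] 192.168.1.20:50112 --> cdn.telegram.org:443 match GeoIP(US) using Proxy[node-b]
[UDP] 192.168.1.20:50114 --> 203.0.113.7:443 doesn't match any rule using DIRECT
"""

def parse_flows(text):
    """Yield (network, host, rule, group) for each line that fits the assumed shape."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            group = m["out"].split("[", 1)[0]  # 'Telegram[node-a]' -> 'Telegram'
            yield m["net"], m["dst"].lower(), m["rule"] or "no-rule", group

def summarize(text):
    """Count flows per (host, rule, group): the three fields Step 0 records."""
    return Counter((host, rule, group) for _, host, rule, group in parse_flows(text))

def off_policy(text, suffixes, expected):
    """Hosts under the watched suffixes that a group other than `expected` handled."""
    bad = set()
    for host, rule, group in summarize(text):
        watched = any(host == s or host.endswith("." + s) for s in suffixes)
        if watched and group != expected:
            bad.add((host, rule, group))
    return sorted(bad)
```

On the sample, `off_policy(SAMPLE, ["telegram.org"], "Telegram")` returns the `cdn.telegram.org` flows that a GEOIP rule sent to a different group, which is the "text works, media spins" pattern this guide describes.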

Step 1: confirm capture mode (system proxy versus TUN)

Many setups rely on “system proxy.” Browsers honor that reliably; some native apps do not. Telegram’s desktop and mobile clients may open paths that bypass user-session proxy configuration depending on platform, version, and how the GUI integrates with OS proxy APIs. If your logs stay quiet during a clear in-app failure, escalate capture rather than stacking more DOMAIN-SUFFIX guesses.

TUN mode raises visibility at the cost of complexity: more flows reach the core, but you must respect DNS mode, IPv6 coexistence, and conflicts with other virtual adapters. A pragmatic sequence is reproduce under your daily mode, then try TUN for a short A/B test while watching whether Telegram-related entries appear. Document the outcome so you know whether your eventual fix must be “rules only” or “rules plus capture change.” For a parallel walkthrough on conference-style apps where DNS alignment matters, see Zoom and Teams split routing and DNS; reuse its checklist structure even when hostnames differ.

Step 2: align DNS with how your rules classify traffic

Misaligned DNS is the fastest way to make “correct” rules irrelevant. If the operating system resolves names through a public DoH resolver while Clash expects to own name-to-address mapping in fake-ip modes, you can see inconsistent behavior: the shell UI loads while background sync stalls, or media flaps when the client rotates endpoints. Aim for consistent resolution paths during the test window, not ideological purity about which public resolver brand wins.

On dual-stack networks, IPv6 preference can split subflows across families. If IPv4 and IPv6 take different policy paths or different physical quality, symptoms look like intermittent “online but useless” states. When problems correlate with moving between office Ethernet and tethering, add IPv6 notes alongside your DNS notes. If secure DNS is enabled OS-wide, verify whether it bypasses the resolver chain your profile assumes; silent bypasses show up as “rules never seem to match” until you correlate timestamps with OS resolver traffic.

Step 3: what typically belongs on a proxy path (and how to name the group)

Create a named proxy-group you will recognize in logs—Telegram, Messaging, or IM—and aim focused rules at that group instead of raw server entries. For restrictive networks, the stable pattern is ensuring session-establishment hosts and primary web properties share a sane exit. Automatic url-test rotation can be fine for lightweight HTTPS, but for long-lived sync channels some users prefer pinning a single stable node during troubleshooting so variables do not multiply.

Treat any static list as a hypothesis you confirm in your own captures. Infrastructure shifts; clients update. That said, the following names and suffixes appear frequently across desktop and mobile sessions and are reasonable starting points for DOMAIN and DOMAIN-SUFFIX matchers. Always place more specific lines above broad subscription rules—first match wins in Clash.

  • Product and web: telegram.org, t.me, telegra.ph, and web.telegram.org for web sessions.
  • API-style surfaces: patterns under api.telegram.org and related service hosts when they appear in your logs during login or sync bursts—promote repeated names you actually see rather than importing decade-old dumps.
  • CDN and large media: cdn.telegram.org and provider-specific media hosts that may not include the word Telegram at all; missing these is a common reason thumbnails spin while text stays crisp.

Tip: Extremely wide matchers are worse than missing ones—they hide mistakes. Grow your list from observed SNIs during a failing download, not from copy-paste arms races.

Step 4: when DIRECT exceptions are justified (and when they are not)

DIRECT means your ISP path handles the flow. For some households, media CDNs perform better locally than through a distant proxy hop because of peering, bufferbloat, or upstream UDP-like behavior on the tunnel path. For other households, the same CDN must ride the tunnel because the ISP blocks or degrades the target prefix class. There is no universal morality here—only measurements.

Use a disciplined rule: if logs show a specific CDN hostname repeatedly timing out through your proxy group but completing quickly on DIRECT during a controlled A/B test, promote a narrow direct exception for that hostname or suffix. If DIRECT breaks censorship-sensitive control-plane names in your region, keep those names on the tunnel and scope exceptions tightly to media edges you verified. If workplace policy forbids split tunneling, treat this as non-applicable and coordinate with IT instead of improvising on a managed machine.

YAML fragment A: steer Telegram-oriented names to a dedicated group (illustrative)

Assume your profile defines a group named Telegram. Adapt names, merge carefully with provider templates, and keep LAN exclusions above broad matchers.

rules:
  # RFC1918 and loopback (adjust to your LAN)
  - IP-CIDR,192.168.0.0/16,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  - IP-CIDR,172.16.0.0/12,DIRECT
  - IP-CIDR,127.0.0.0/8,DIRECT

  # Telegram-oriented (verify in YOUR logs during failures)
  - DOMAIN-SUFFIX,telegram.org,Telegram
  - DOMAIN-SUFFIX,t.me,Telegram
  - DOMAIN-SUFFIX,telegra.ph,Telegram
  - DOMAIN,web.telegram.org,Telegram
  - DOMAIN-SUFFIX,cdn.telegram.org,Telegram
  - DOMAIN-SUFFIX,api.telegram.org,Telegram

  # Remaining traffic follows your profile (GEOIP, MATCH, etc.)

After pasting, rerun the photo test and confirm lines actually hit. If logs show the expected hostnames but media still stalls, you have downgraded the problem to transport or upstream quality—now node selection, MTU, and ISP path matter. If logs show unexpected destinations winning earlier rules, fix order or specificity before touching nodes. For selector mechanics and healthy group patterns, see the proxy groups guide.

YAML fragment B: narrow DIRECT exceptions for verified CDN edges (illustrative)

When A/B tests show that a media suffix behaves better on your home path, you can carve an exception without abandoning the rest of your split policy. Keep the exception as narrow as your logs allow; avoid “DIRECT all of Telegram” unless you have accepted the privacy and policy trade-offs consciously.

rules:
  # Example: only the heavy CDN suffix bypasses the tunnel
  - DOMAIN-SUFFIX,cdn.telegram.org,DIRECT

  # Everything else in the Telegram bucket still uses your group
  - DOMAIN-SUFFIX,telegram.org,Telegram
  - DOMAIN-SUFFIX,t.me,Telegram
  - DOMAIN-SUFFIX,telegra.ph,Telegram
  - DOMAIN,web.telegram.org,Telegram
  - DOMAIN-SUFFIX,api.telegram.org,Telegram

Order still matters. If a broad GEOIP or provider rule wins first, your careful Telegram block never runs. If a subscription rule set imports “final” matchers that collide with your intent, use your client’s prepend/append features or maintain a local merge file you control, as described in the custom rules tutorial.
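To check rule order before reloading a profile, the following added example (not from the original guide or any Clash project) evaluates rule lines first-match-wins and reports rules that can never fire because an earlier line already covers them. It models only DOMAIN, DOMAIN-SUFFIX and MATCH. The rule sets are constructed from Fragment B, and `Proxy` is a placeholder group name.

```python
def parse(line):
    """Split 'TYPE,payload,policy' (or 'MATCH,policy') into a tuple."""
    parts = [p.strip() for p in line.split(",")]
    if parts[0] == "MATCH":
        return ("MATCH", "", parts[1])
    return (parts[0], parts[1].lower(), parts[2])

def hits(rule, host):
    """Does this rule match the hostname? IP-based rule types never match here."""
    kind, payload, _ = rule
    host = host.lower().rstrip(".")
    if kind == "DOMAIN":
        return host == payload
    if kind == "DOMAIN-SUFFIX":
        return host == payload or host.endswith("." + payload)
    return kind == "MATCH"

def first_match(rules, host):
    """Return (index, policy) of the first matching rule; first match wins."""
    for i, rule in enumerate(rules):
        if hits(rule, host):
            return i, rule[2]
    return None, None

def covers(earlier, later):
    """True if every hostname `later` can match is already taken by `earlier`."""
    if earlier[0] == "MATCH":
        return True
    if earlier[0] == "DOMAIN-SUFFIX" and later[0] in ("DOMAIN", "DOMAIN-SUFFIX"):
        return hits(earlier, later[1])
    return earlier[0] == later[0] == "DOMAIN" and earlier[1] == later[1]

def shadowed(rules):
    """List (later_index, earlier_index, policy_differs) for unreachable rules."""
    out = []
    for j, later in enumerate(rules):
        i = next((i for i in range(j) if covers(rules[i], later)), None)
        if i is not None:
            out.append((j, i, rules[i][2] != later[2]))
    return out

# Constructed rule sets: Fragment B's order, and the same lines with the
# DIRECT exception pasted below the broad suffix. "Proxy" is a placeholder group.
GOOD = [parse(r) for r in (
    "DOMAIN-SUFFIX,cdn.telegram.org,DIRECT",
    "DOMAIN-SUFFIX,telegram.org,Telegram",
    "DOMAIN-SUFFIX,t.me,Telegram",
    "MATCH,Proxy",
)]
BAD = [GOOD[1], GOOD[0], GOOD[2], GOOD[3]]
```

`shadowed(BAD)` flags the DIRECT exception as unreachable with a different policy, which is the silent failure the paragraph above warns about. Run on Fragment A, the same check reports the `web.`, `cdn.` and `api.` lines as covered by the `telegram.org` suffix with the same policy, which is redundant but harmless.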

Mobile clients: same ideas, different constraints

On phones, per-app VPN semantics and battery-aware radio behavior add variance. iOS and Android Telegram builds may shift transport details across releases; verify on the device that fails, not only on a laptop. If media fails exclusively on mobile while desktop on the same Wi-Fi is fine, compare IPv6, private DNS, and whether a second VPN profile is active. If both fail the same way, bias toward router-level or profile-level rules and DNS.

When you tunnel an entire device through a remote node, remember that “global proxy” fixes symptoms by brute force but teaches you little about which hostnames matter. Prefer named groups and log proof so you can tighten policy once stability returns.

QUIC, long-lived connections, and the “HTTPS everywhere” illusion

Modern stacks interleave QUIC with classic TLS. Telegram’s surface area is not frozen; clients evolve. When debugging, note whether disabling experimental features or toggling transport settings in the client matters—that asymmetry is a clue about which stack you exercise. If you suspect middleboxes on your access network mangle certain UDP classes, compare Ethernet versus tethering with everything else held constant.

Respect MTU: tunnels reduce effective MTU, and some implementations handle fragmentation poorly. If disconnects spike right after enabling TUN alongside another VPN-like product, suspect double encapsulation before rewriting messenger rules.

Symptom quick map (orientation, not scripture)

  • Stuck on “Connecting…” with quiet logs: capture mode first; then DNS alignment; then confirm whether any other tunnel owns default routes.
  • Chats work, photos and videos spin: media/CDN hostnames and byte-heavy paths; try scoped DIRECT tests for verified CDN suffixes.
  • Fine on tethering, bad on home ISP: ISP shaping or IPv6 differences; test wired Ethernet and compare resolver paths.
  • Everything breaks after a subscription refresh: merge order changed; rerun verification instead of assuming Telegram outage.
  • Calls fail while text works: review real-time/relay behavior with the Discord UDP article’s mindset; do not assume HTTP domain lists cover calls.

How this complements our streaming and store split-routing guides

We already published practical guides that separate storefront HTTPS from CDN bulk downloads for gaming clients and sports streaming. Telegram is closer to “always-on sync plus bursty media” than to a single giant file, but the engineering habits transfer: observe hostnames during real failures, prefer named groups, align DNS, prove rule hits. If you run both heavy launchers and Telegram daily, read Steam and Epic split rules for CDN lessons that occasionally matter when rich media downloads overlap with background sync.

Privacy, terms, and realistic expectations

Routing changes path selection; it does not grant entitlement to features, pricing, or moderation outcomes you would not otherwise receive. Respect Telegram’s terms, your workplace acceptable-use policy, and local regulations. Corporate machines may forbid split tunneling entirely—this article assumes you configure systems you own or legitimately administer.

Open-source repositories on GitHub remain valuable for reading changelogs and filing issues; fetching production installers is still best handled through approved channels. For personal setups, prefer the site’s download page when choosing a maintained GUI so documentation, versioning, and install hygiene stay aligned.

Putting it together

Reliable Telegram behind Clash in 2026 looks less like hoarding static domain dumps and more like a disciplined loop: confirm capture, align DNS with your mode, aim focused DOMAIN rules at a dedicated group, add tight DIRECT exceptions only when logs prove they help media, and verify matches before swapping nodes. Compared with toggling global modes whenever someone complains about stuck stickers, that approach isolates whether you are fighting policy, CDN peering, or upstream congestion—and it yields YAML you can share without turning every troubleshooting session into folklore.

If you have not yet installed a maintained Clash Meta-class client, walk through our Clash tutorial, import your subscription, then layer the overrides from this guide. When you are ready to standardize installers across machines, use our download page as the primary path.