Why Gemini and AI Studio Feel Flaky Even When “The Internet Works”

Consumer-grade diagnostics stop at “other sites open.” In 2026, discussion around Google Gemini, Google AI Studio, and other Google AI access paths often tracks product updates on one side and unstable last-mile behavior on the other—especially where international CDNs meet aggressive local DNS or shifting policy rules. Google Gemini in the browser is a long-lived single-page application that keeps dozens of HTTPS connections warm for HTML shells, streaming tokens, telemetry, and large uploads when you attach files. Google AI Studio layers project metadata, model pickers, and API keys on top of the same edge ecosystem. Neither experience reduces to one hostname or one TCP flow. When your Clash split routing profile treats *.google.com differently from *.googleapis.com, or when your resolver returns an answer optimized for a captive portal instead of the CDN front you expected, you can see the classic “Gemini not working” symptoms—white canvas, endless loading rings, or sign-in loops—while unrelated news sites still render.

Network operators in many regions also interfere with plain DNS. Answers can be rewritten, truncated, or accelerated toward caches that are not authoritative for Google AI at all. That is where DNS-over-HTTPS enters not as a privacy flex but as a stability tool: if your operating system or browser bypasses the resolver that Clash expects, you can get two different stories for the same name on the same laptop. The goal of this article is to give you one coherent story—names, rules, exits, and logs—without pretending that Google traffic is identical to OpenAI or Anthropic stacks. If you already stabilized ChatGPT flows, read ChatGPT and OpenAI API stable routing for contrast on vendor-specific hostnames; Google’s surface is wider and more CDN-heavy.

💡 Design goal: Put Gemini web, AI Studio, and API-shaped calls under one predictable policy group, align DNS so Clash sees the same names your browser resolves, verify with logs, then tune automation—not the reverse.

Gemini in China: What “Cannot Open” Usually Means on the Wire

Readers searching for “Gemini not working” from mainland China are not imagining a single switch labeled “block AI.” The observable pattern is layered: domestic destinations stay on DIRECT paths that your airport profile already optimizes, while Google-class names need a stable overseas exit. When only part of the stack crosses the tunnel—say gemini.google.com proxied but generativelanguage.googleapis.com still matched by an older GEOIP rule—you get a page shell that loads analytics yet never completes model initialization. The fix is not louder complaining on social feeds; it is a disciplined inventory of which hostnames appeared in Clash logs during the failure window and whether each row used the same policy group you intended.

Campus and corporate networks add another wrinkle: split tunnels mandated by MDM, captive portals that rewrite DNS only during login, or HTTP/3 defaults that race ahead of your proxy’s QUIC handling. None of that negates the baseline recipe—explicit suffix rules, aligned resolvers, pinned exits while debugging—but it explains why two laptops on the same desk can diverge if one browser enables “secure DNS” and the other does not. Treat Google AI access as a small distributed system you operate: names, rules, exits, and logs must agree.

Legally and ethically, this article assumes you use Google services only where permitted by local regulation, your contract, and Google’s terms. Clash split routing is a network hygiene tool; it does not grant eligibility, bypass account restrictions, or replace approved enterprise access paths.

Consumer Web, AI Studio, and API Calls: Why One “Google” Rule Is Rarely Enough

The consumer Gemini tab lives mostly on gemini.google.com but still reaches into google.com for identity, accounts.google.com for OAuth, and various static and user-content domains for assets. Google AI Studio emphasizes aistudio.google.com plus documentation on ai.google.dev, while keys and model calls lean on generativelanguage.googleapis.com and sometimes broader *.googleapis.com buckets shared with other Google Cloud clients. If your mental model is “I proxied Google,” but your YAML only lists DOMAIN-SUFFIX,google.com, you may still leak API-shaped traffic to the wrong outbound or leave it on DIRECT where it stalls.

Contrast that with vendor-specific articles we publish for other stacks. ChatGPT and OpenAI API stable routing centers on openai.com and api.openai.com; Claude.ai routing and SNI checks focuses on Anthropic edges. Google’s hostname fan-out is wider and more CDN-heavy, so copy-pasting “AI rules” from those guides without renaming destinations is how people build profiles that look clever yet fail in production.

Practical split design: keep one select-style policy group such as PROXY_GOOGLE_AI for everything you personally classify as generative Google work, then list suffixes you verified. When you need a narrower blast radius—for example API-only workloads—clone the group name in rules but keep the same upstream members during debugging so you only change one variable at a time.

Web, AI Studio, and APIs: Hostnames You Should Expect in Logs

Start from evidence. During a failure window, capture connection rows for domains—not vibes. Common anchors for the consumer Gemini experience include gemini.google.com, google.com for account flows, and various *.gstatic.com or *.googleusercontent.com assets depending on feature flags. Google AI Studio frequently touches aistudio.google.com, documentation on ai.google.dev, and API traffic on generativelanguage.googleapis.com or broader *.googleapis.com buckets used by Google Cloud clients. Multimodal uploads may introduce additional storage fronts; treat anything outside your captured list as a hypothesis until logs confirm it.

Blunt DOMAIN-KEYWORD,google style shortcuts age poorly. They over-capture unrelated Google properties, fight with domestic DIRECT shortcuts, and make debugging noisy. Prefer tighter suffix rules for the classes you actually use, then widen only when logs justify the expansion. For philosophy on balancing domestic direct paths with overseas proxy baselines, read split routing for DIRECT and PROXY before you carve Google exceptions on top of a crowded ruleset.

If you also maintain Anthropic workloads, keep the mental models separate. Claude.ai routing and SNI checks cover different hostnames and client behaviors; mixing YAML comments “for all AI” tends to create accidental ordering bugs.

Clash Split Routing for Google AI Traffic

Effective Clash split routing for Google AI Studio and Gemini begins where every disciplined profile begins: loopbacks, RFC1918 shortcuts, and explicit LAN exceptions stay at the top so you never proxy your router admin by accident. Below that, add a hand-reviewed block for Google AI destinations you verified during real failures. Typical shapes include suffix matches for google.com (when you accept the breadth), googleapis.com (know the blast radius), and narrower entries such as generativelanguage.googleapis.com when you only need API stability.

Ordering still wins. A large GEOIP or regional rule above your Gemini exception sends traffic somewhere else first. Subscription rule providers help as scaffolding, but remote lists drift: CDNs rename, products split hostnames, and your airport’s maintainer may reorder files. Keep personal intent in a merge layer so subscription refreshes do not erase your AI block. Our Clash Meta overrides guide shows how to append overrides without editing generated YAML by hand every week.

When API clients and browsers disagree, suspect environment variables or missing TUN capture rather than “bad nodes.” A Python script using the official Google SDK might ignore system proxies unless you export HTTPS_PROXY or route through TUN. A browser tab honors different certificate stores. Align surfaces after routing works for the browser by itself; otherwise you will chase dual failures.

A Baseline YAML Shape (Illustrative)

The snippet below is intentionally conservative. Adapt names, transports, and ordering to your complete profile, leak controls, and domestic direct lists.

# Example only — expand or narrow using your own connection logs
proxy-groups:
  - name: PROXY_GOOGLE_AI
    type: select
    proxies:
      - NODE_STABLE_PRIMARY
      - NODE_STABLE_SECONDARY
      - AUTO_GENERIC

rules:
  - DOMAIN-SUFFIX,gemini.google.com,PROXY_GOOGLE_AI
  - DOMAIN-SUFFIX,aistudio.google.com,PROXY_GOOGLE_AI
  - DOMAIN-SUFFIX,ai.google.dev,PROXY_GOOGLE_AI
  - DOMAIN-SUFFIX,generativelanguage.googleapis.com,PROXY_GOOGLE_AI
  # Optional wider catch — understand overlap with other Google APIs first:
  # - DOMAIN-SUFFIX,googleapis.com,PROXY_GOOGLE_AI

Pair suffix rules with periodic log reviews. Google shifts edges; a hostname that appeared only during a beta window may disappear. When uncertain, add only what a failing trace proves, then retest with a pinned node.
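To see why ordering wins before a subscription refresh bites, here is an added example (not the article's profile and not Clash code) that walks a rule list first-match style for a few hostnames. The resolver answers and the GEOIP table are constructed, and the model covers only DOMAIN-SUFFIX, IP-CIDR, GEOIP and MATCH.

```python
# Added example (not the article's profile, not Clash code): walk a Clash rule
# list first-match style to see where a host lands under a given ordering.
# Models only DOMAIN-SUFFIX, IP-CIDR, GEOIP and MATCH; GEOIP is answered from a
# constructed table rather than a real MMDB.
import ipaddress

# Constructed resolver answers (TEST-NET ranges) and constructed geo lookups. The
# CN answer stands in for a poisoned reply that a GEOIP,CN rule would swallow.
RESOLVED = {"gemini.google.com": "203.0.113.10",
            "generativelanguage.googleapis.com": "198.51.100.7",
            "router.lan": "192.168.1.1"}
GEO = {"203.0.113.10": "US", "198.51.100.7": "CN"}

def parse_rules(text):
    """Turn '  - TYPE,payload,policy  # comment' rows into (type, payload, policy)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lstrip("-").strip()
        if line:
            parts = [p.strip() for p in line.split(",")]
            rules.append(("MATCH", "", parts[1]) if parts[0] == "MATCH" else tuple(parts[:3]))
    return rules

def first_match(rules, host):
    """Policy of the first matching rule, in list order, as Clash evaluates it."""
    ip = RESOLVED.get(host)  # IP-CIDR and GEOIP need the resolved address
    for rtype, payload, policy in rules:
        if rtype == "DOMAIN-SUFFIX":
            hit = host == payload or host.endswith("." + payload)
        elif rtype == "IP-CIDR":
            hit = ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(payload)
        elif rtype == "GEOIP":
            hit = ip is not None and GEO.get(ip) == payload
        else:  # MATCH is the catch-all
            hit = True
        if hit:
            return policy
    return None

def audit(rules_text, hosts=tuple(RESOLVED)):
    """Map each host to the policy it gets under this rule order."""
    rules = parse_rules(rules_text)
    return {h: first_match(rules, h) for h in hosts}

# Same rules in two orders: the regional shortcut above the AI block (what a
# subscription refresh often produces) versus below it.
AI_BLOCK = ("  - DOMAIN-SUFFIX,gemini.google.com,PROXY_GOOGLE_AI\n"
            "  - DOMAIN-SUFFIX,generativelanguage.googleapis.com,PROXY_GOOGLE_AI\n")
LAN, GEO_CN, TAIL = "  - IP-CIDR,192.168.0.0/16,DIRECT\n", "  - GEOIP,CN,DIRECT\n", "  - MATCH,PROXY\n"
WRONG_ORDER = LAN + GEO_CN + AI_BLOCK + TAIL
RIGHT_ORDER = LAN + AI_BLOCK + GEO_CN + TAIL
```

Under WRONG_ORDER the API host lands on DIRECT because the GEOIP row is evaluated first; moving the AI block above it sends every Google AI host to PROXY_GOOGLE_AI while the LAN shortcut is unaffected.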

Fixed Exits, Selectors, and Why url-test Rotates at the Worst Time

Latency-based url-test or fallback groups are convenient until they are not. A probe can crown a new winner while a long Gemini completion stream is mid-flight; the next chunk lands on a different egress; session cookies and risk scoring on the provider side see a disjoint path. That is the practical meaning of a fixed node during investigation: you freeze the variable “which upstream relay” so remaining anomalies point at DNS, TLS inspection, or genuine provider issues.

After you stabilize behavior under a manual select member, you can reintroduce automation with conservative intervals. Separate bulk download groups from interactive AI selectors so large transfers do not starve probes that were meant to approximate conversational latency. If multiple family members share one subscription, consider distinct selectors for AI tooling versus video streaming to reduce accidental overlap.

DNS Hijack, DoH, and Keeping Resolver Output Consistent

Plain UDP DNS toward ISP resolvers is fast until it is tampered with. Poisoned or filtered answers produce IPs that look “fine” to ping yet fail TLS handshakes because the far end is not actually Google’s edge. DNS-over-HTTPS raises the bar: the query rides inside HTTPS to a resolver you chose, which shrinks the simplest hijack surfaces on the path. In Clash Meta-class stacks, upstream nameserver configuration, enhanced mode, and fake-ip versus redir-host interact with how domain rules match. If Clash resolves a name to a fake pool while your browser asks DoH separately and commits to a different mapping, you can chase ghosts for hours.

Pick one coherent story. Either let Clash own DNS for classified flows and align applications with that path, or deliberately configure split responsibilities—but then document them. For a readable comparison of fake-ip and redir-host trade-offs without dogma, read fake-ip versus redir-host and choose before you tune Google rules. DoH upstreams themselves can be unreachable if you route resolver traffic through a broken group; many operators add a small nameserver-policy style exception so DNS to the DoH bootstrap stays on a known-good path. Exact keys depend on your core version; treat the idea as “do not create circular dependence between DNS and proxy health.”

Browser “secure DNS” toggles deserve a mention. Chrome and Edge can ignore OS resolver settings when enabled. If your Clash logs show perfect proxy selection yet the tab still fails, compare DoH providers between browser and system, or temporarily align them for a controlled test. You are looking for disagreement, not moralizing about which resolver is best.

SNI, Shared CDNs, and Why TLS Errors Are Not Always “Nodes”

Modern Google fronts multiplex many services behind overlapping infrastructure. The visible SNI—the server name clients send during ClientHello—still guides virtual host selection on shared edges. When middleboxes attempt “optimization” or inspection, subtle mismatches appear as reset connections or certificate warnings rather than clean HTTP status codes. Before you swap regions again, disable opportunistic HTTPS scanning in antivirus tools, exit captive portals, and confirm you are not mixing IPv6-only paths with IPv4-only exits.

Some experimental transports or QUIC-first networks interact poorly with certain outbounds. If logs show repeated handshakes to the same hostname while TCP fallback succeeds, capture that signal and test with HTTP/2-only clients or temporary QUIC disable in the browser as a controlled variable—not as a permanent superstition.

Logs First: Prove the Rule Hit, Then Change Knobs

Skipping logs turns engineering into astrology. Reproduce the failure once with logging enabled, then read which rule matched, which policy group applied, and whether DNS or the outbound failed first. Bursts of reconnects to generativelanguage.googleapis.com often indicate policy oscillation rather than raw packet loss. For a step-by-step workflow, use the Clash logs and rule-hit tutorial before you rewrite half your YAML.

If rows show unexpected DIRECT egress for names you meant to proxy, reorder or tighten rules. If selection is consistently correct yet TLS still fails, escalate to inspection software, captive portals, or split-horizon DNS—not another random hop. When API-only failures persist while the browser works, verify whether your SDK traffic truly traverses Clash: consider TUN mode for developer tools after domain rules look sane.
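As an added example (not from the article or the Clash project), this script reduces connection log rows to one summary per host and flags the two patterns above: hosts you meant to proxy that used some other policy, and hosts whose policy oscillates between rows. The log lines are constructed, and the `[TCP] src --> host:port match Rule(payload) using POLICY[node]` shape is an approximation of Clash/Clash Meta info-level output, so adjust the regex to your core's exact format.

```python
# Added example (not the article's or Clash's code): summarise Clash connection
# log rows per destination host and flag wrong-policy and oscillating hosts.
# SAMPLE_LOG is constructed; the row format approximates Clash/Clash Meta
# info-level output, so tune ROW to what your core actually prints.
import re
from collections import defaultdict

# Constructed rows: a browser session where the API host flips between policies.
SAMPLE_LOG = """\
time="2026-01-10T09:00:01Z" level=info msg="[TCP] 192.168.1.20:50001 --> gemini.google.com:443 match DomainSuffix(gemini.google.com) using PROXY_GOOGLE_AI[NODE_STABLE_PRIMARY]"
time="2026-01-10T09:00:02Z" level=info msg="[TCP] 192.168.1.20:50002 --> accounts.google.com:443 match DomainSuffix(google.com) using PROXY_GOOGLE_AI[NODE_STABLE_PRIMARY]"
time="2026-01-10T09:00:03Z" level=info msg="[TCP] 192.168.1.20:50003 --> generativelanguage.googleapis.com:443 match GeoIP(CN) using DIRECT"
time="2026-01-10T09:00:04Z" level=info msg="[TCP] 192.168.1.20:50004 --> generativelanguage.googleapis.com:443 match GeoIP(CN) using DIRECT"
time="2026-01-10T09:00:05Z" level=info msg="[TCP] 192.168.1.20:50005 --> generativelanguage.googleapis.com:443 match Match using AUTO_GENERIC[NODE_B]"
time="2026-01-10T09:00:06Z" level=info msg="[TCP] 192.168.1.20:50006 --> www.gstatic.com:443 match DomainSuffix(gstatic.com) using PROXY_GOOGLE_AI[NODE_STABLE_PRIMARY]"
"""

ROW = re.compile(r'\[(?:TCP|UDP)\]\s+\S+\s+-->\s+([^:\s]+):\d+\s+match\s+(\S+)\s+using\s+([^\[\s"]+)')

def summarize(log_text):
    """Map host -> {'rows': n, 'rules': {matched rules}, 'policies': {groups used}}."""
    summary = defaultdict(lambda: {"rows": 0, "rules": set(), "policies": set()})
    for line in log_text.splitlines():
        m = ROW.search(line)
        if not m:
            continue  # not a connection row (DNS, warnings, etc.)
        host, rule, policy = m.groups()
        entry = summary[host]
        entry["rows"] += 1
        entry["rules"].add(rule)
        entry["policies"].add(policy)
    return dict(summary)

def wrong_policy(summary, suffixes, intended):
    """Hosts under `suffixes` that hit any policy other than `intended`."""
    bad = {}
    for host, e in summary.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            others = e["policies"] - {intended}
            if others:
                bad[host] = sorted(others)
    return bad

def oscillating(summary, min_rows=2):
    """Hosts whose rows used more than one policy: ordering or automation churn."""
    return sorted(h for h, e in summary.items() if e["rows"] >= min_rows and len(e["policies"]) > 1)
```

Run `wrong_policy(summarize(SAMPLE_LOG), ["google.com", "googleapis.com", "gstatic.com"], "PROXY_GOOGLE_AI")` on a real export and every host it returns is a rule to reorder or tighten before you touch nodes.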

TUN, Environment Variables, and Multimodal Uploads

System proxy mode is friendly when every library respects it. Real multimodal pipelines often do not. Large uploads may spawn subprocesses with clean environments; gRPC stacks may ignore HTTPS_PROXY entirely. TUN raises capture fidelity at the cost of needing thoughtful exclusions for LAN printers, local emulators, and the proxy’s own listeners—avoid routing loops by reading platform notes carefully. Sequence still matters: classify hostnames, pin a stable group, verify logs, then widen capture—not the reverse.

A Ten-Minute Checklist

Walk this in order during an incident. Capture failing hostnames from logs. Align resolver outputs for those names across browser diagnostics and CLI queries on the same machine. Move the Google AI group to a fixed select member and retry once. Inspect logs during the failure window for matched rules and outbounds. If TLS errors surface, check for antivirus HTTPS scanning before switching regions blindly. After changes, run a short Gemini chat and a minimal Generative Language API smoke test so both surfaces share the same story.

Keep a tiny regression note: date, node name, transport, DNS mode, whether TUN was enabled, and which DoH provider was active. Future you debugging after a subscription refresh will appreciate the breadcrumbs.

Compliance and Honest Scope

This guide assumes lawful personal network optimization and API usage that follows Google’s terms, export controls, and your employer’s acceptable-use policies. Correct Clash split routing does not bypass eligibility requirements, create unauthorized accounts, or substitute for approved enterprise paths on managed devices. If your organization forbids split tunneling or generative AI access outright, coordinate with administrators rather than improvising silent exceptions.

Closing Thoughts

“Gemini not working” and Google AI Studio mysteries shrink once you treat them as measurable network phenomena—especially when Google AI access from China depends on clean Clash split routing rather than a single magic node. Explicit suffix rules for web versus API hosts, a disciplined policy group, DoH paired with resolver alignment, log-backed verification, and honest SNI reasoning turn “randomly broken” into a sequence you can replay and fix. Compared with flipping global modes per application, Clash offers one policy surface—if you treat configuration like code and review changes with the same care you would give production infrastructure.

When you want a maintained client aligned with the guides on this site, start from our download hub instead of chasing random binaries. Download Clash for free and experience the difference between unstable defaults and routing you can explain line by line.