If every node flashes timeout, pause here first

Massive timeouts after subscribing usually trace to resolver modes, captive Wi‑Fi, missing permissions, or a misconfigured split tunnel scope masking which UID actually probes nodes. Follow the staged checklist in our Clash for Android connectivity guide before you reinvent profiles. Treat this article as orthogonal: assume ping tests succeed when you widen scope momentarily but you intentionally want narrower routing afterward.

Mental shortcut Global mode works, selective mode flakes for some apps—that is the signal you belong on this page.

Why split tunnels by UID still matter beside YAML policies

Domain rules classify destinations inside the core. They cannot fix cases where institutions reject any foreign-looking exit simply because TLS leaves a datacenter ASN, or where native SDK stacks ignore HTTP proxy knobs and wedge themselves into whatever route Android grants the VPN UID. Conversely, flipping off the tunnel entirely sends every WebView-heavy travel app back onto carrier DNS you did not vet. UID-level toggles carve an intermediate layer—small enough that risk teams stop flagging OTP flows, expressive enough that you still route browsers and tooling through outbound groups.

Expect four recurring winners on bypass lists: issuer banking apps that embed root checking, Alipay-style wallets with carrier binding, ticketing apps insisting on localized pricing, and low-level VPN accelerators bundled with games that fight nested tunnels. Conversely, enthusiasts often reach for proxy-only setups on metered hotspots so only a Telegram client and Chromium fork burn bandwidth through paid nodes.

Because fork labels collide (Meta Core builds rebranding menus nightly), skim the explanatory paragraph under each toggle—it usually clarifies whether checkmarks mean routed or excluded. Screenshots expire; terminology does not vanish overnight.

Two mirrored semantics—and how to never flip them blindly

Bypass mode—sometimes “split tunnel exclusions,” “do not VPN these apps,” or “direct list”—means every checked package sidesteps Clash routing tables and speaks to the WAN as if VPN were dormant for that UID. Everything else traverses tunnel policy until another mechanism blocks access.

Proxy-only mode—also “allowlist,” VPN-only selections, restrictive split tunnel—means only checked packages traverse the tunnel interface. Leaving your browser unchecked in this mode strands every HTTPS tab on the default route regardless of immaculate domain rules upstream.

Common trap Users migrate from bypass to proxy-only for “security posture” forget to include whatever app they use to sanity-check egress, then assume nodes died. The outage is UX, not provider latency.

Write down your intended behavior before ticking boxes:

  • Most traffic via Clash except a predictable short list → bypass mode wins (least surprise for WebView-heavy launchers).
  • Virtually nothing should touch paid nodes unless explicitly allowed → proxy-only, but whitelist generously at first.

You can always graduate from bypass-first to tighter allowlists after validating logs; doing the inverse under pressure produces panicked Reddit threads blaming “broken servers.”

Prep work that saves twenty minutes later

Ensure the tunnel can start cleanly: approve VPN permission prompts, uninstall competing always-on VPN clients that fight for UID priority, whitelist battery killers so the foreground service survives screen-off tests, then import a sane profile that already distinguishes DIRECT and policy groups—you will lean on YAML later even when UID filters short-circuit the core.

Disable Private DNS extremes while diagnosing; malformed DoT endpoints masquerade as split tunnel breakage because browsers inside the tunnel resolve differently than bypass packages on system stub resolvers.

Finally, memorize your fork’s naming for the submenu: CFA derivatives cluster labels under headings like Profiles → Access Control → Per-app, or Settings → Network → Bypass. If you cloned an experimental build renamed “Flsomething,” screenshots from three months ago rarely match—but the explanatory copy still distinguishes bypass vs whitelist.

Scenario A — bypass banks while everything else proxies

  1. Open the routing screen exposing per-app selectors and toggle bypass-style semantics—not proxy-only—to avoid double negation mistakes.
  2. Search for each financial UID (issuer app, OTP authenticator packaged separately, Alipay or PayPal clones, stock broker). Tick them individually; avoid “select all utilities” shortcuts because OEM bundles ship unexpected shared WebViews.
  3. Include regional payment SDKs spawned as secondary packages (carrier billing helpers, NFC wallet shells). Missing one child UID leaves phantom failures that look like server stalls.
  4. Swipe away each financial app fully, restart Clash routing, reopen the tunnel, wait for handshake completion, relaunch banking from cold start (FORCE_STOP via system settings where available).
  5. Validate OTP delivery and push notifications over cellular and Wi‑Fi separately; captive portals sometimes pin DNS per interface.
  6. Only after stabilization should you tighten YAML—add GEOIP DIRECT shortcuts if you insist, but UID bypass removes the brittle guesswork institutions layer on ASN heuristics.

This pattern parallels how privacy-focused commercial VPN apps expose “inverse split tunnel,” except you keep Clash transparency: logs reveal what still traverses tunnels, YAML still governs non-bypass UID destinations, and outbound experiments remain auditable unlike closed SDKs buried inside consumer VPN storefronts.

Scenario B — only selected consumers use outbound nodes

  1. Identify the minimal outbound consumers (browser forks, Slack-like messengers, dev shells, telemetry-heavy games). Prefer packages you can see generating connections in diagnostics.
  2. Switch to proxy-only semantics and whitelist those packages first—start broad, trimming after traffic logs stabilize.
  3. Explicitly whitelist anything that probes subscription health (PROFILE-UPDATE helpers, YAML fetchers); leaving them unchecked starves dashboards even when userland browsing works.
  4. Include WebView wrappers if messaging apps instantiate embedded storefronts referencing blocked CDNs outside your country.
  5. Disconnect Clash entirely, reopen, confirm system networking still loads domestic portals (news, SSO) while whitelisted UID apps route through proxies.
  6. Iterate by opening one new package per fifteen minutes—bursty activation prevents confused blame when simultaneous downloads saturate metered quotas.
Power users combine layers Proxy-only trims blast radius while YAML still steers Gemini API traffic into a latency group and pushes domestic CDNs toward DIRECT—UID scope is orthogonal to rule order.

How UID lists stack atop rules, sniffing, and DNS overrides

Applications routed through Clash still evaluate rules top to bottom, respect sniffers when enabled, and inherit any dialer-proxy quirks your provider ships. Bypassed UID traffic never invokes that stack; Android hands packets straight to whichever interface qualifies as default for split users. That asymmetry catches readers who layered fake-IP or redir-host DNS tricks expecting uniform resolver behavior—the bypassed browser inherits stub resolver chaining while Chromium inside the tunnel may still funnel queries through clash DNS modules.

When diagnosing odd TLS failures, annotate mentally whether the offending domain belongs inside or outside UID scope. Institutions often pin certificate transparency expectations differently per route. Mixing captive portal Wi‑Fi with bypass banking while still tunneling telemetry apps can produce split-brain SSO cookies; toggling airplane mode cleanly between tests prevents stale cookies from masquerading as routing bugs.

Advanced readers sometimes pair bypass entries with deliberate PROCESS-NAME clauses for desktop equivalents; Android lacks identical hooks, reinforcing why UID granularity remains the sanctioned mobile escape hatch.

Cloned apps, work profiles, and parallel spaces

OEM duplicate-app features instantiate fresh user IDs—even though icons look identical. A bypass entry for primary WeChat skips the cloned instance silently. Maintain a handwritten map of duplicated packages (“com.tencent.mm” vs cloned suffix) referencing Android’s Users & accounts screen when confusion spikes.

Work Profile containers route separately; approving VPN scopes for one profile seldom implies the sibling profile inherits exclusions. Administrators may force always-on tunnels that ignore personal Clash sliders entirely—corporate fleets remain out of scope, but freelancers toggling Bring Your Own Device should expect BYOD policies to preempt local bypass fantasies overnight.

Verification that beats guessing ping widgets

Use built-in logs or connectivity panes whichever fork exposes:

  • Trigger HTTPS inside a supposedly bypassed app and confirm absent entries—or explicit “skipped” instrumentation—versus busy session rows when routed.
  • For proxy-only setups, purposely load censored origins only inside whitelisted apps; domestic feeds should bypass without toggling YAML.
  • Cross-check geo hints from known IP endpoints in each category; beware CDNs pinning wrong regions when DNS still leaks domestically outside the tunnel.
  • Rerun minimal latency tests inside whitelisted tooling after each tweak; regressions pinpoint forgotten children faster than reloading entire profiles.

Document outcomes for fifteen minutes—you will revisit the spreadsheet next month after an OS upgrade reshuffles UID lists behind the curtain.

Pitfalls that masquerade as hardware failures

  • Leaving captive portal detection enabled while selectively routing causes HTTP interstitials invisible to QUIC-aware apps.
  • Neglecting to restart music streaming players after flipping modes leaves QUIC sessions anchored on old exits.
  • Assuming launcher shortcuts equal base packages—they sometimes deep-link PWAs unaffected by APK bypass lists.
  • Expecting tethered hotspot clients downstream to mimic phone UID decisions—those devices negotiate independent routing unrelated to handset bypass bookkeeping.
  • Forgetting downstream dual-stack IPv6 quirks when evaluating whether “direct still breaks” persists.

Quick FAQ

What is the difference between a bypass list and a proxy-only (allow) list?

A bypass list marks applications that bypass the tunnel and remain on whatever default route Android uses for non-VPN apps. A proxy-only list flips logic: traffic from selected apps traverses Clash while all other UID traffic stays outside the tunnel. Wording differs per fork, so always read the label beside each toggle.

Will per-app bypass fix every bank app login issue?

It solves the simplest anti-VPN egress cases. Institutions may still complain about networks, mismatched locales, roots, or anti-fraud beyond IP. Bypass means packets skip Clash; it does not guarantee approval of every posture.

Why do all nodes suddenly look unavailable after switching to proxy-only?

You probably left the latency tool, WebView-backed browser slice, updater, or the Clash helper outside the whitelist, so probes never ride the tunnels you configured. Validate with an explicitly whitelisted app.

Does bypass replace domain-based YAML rules?

No. Bypass is UID granularity; YAML rules classify destinations inside the tunnel. Bypassed packages never hit your rule chain; routed packages still honor policy groups fully.

Selective routing beyond “big VPN sliders”

Commercial mobile VPN storefronts marketed as “streaming friendly” routinely hide outbound selection behind opaque backends: you flick a vague region chip and trust black-box routing scripts you cannot inspect. Engineers trying to reconcile domestic banking compliance with nuanced YAML quickly hit walls—those apps rarely expose granular app lists synced with audited rulebases, churn UI labels without release notes, and throttle advanced controls behind subscription tiers. Some even tunnel DNS only while advertising full-device coverage, inviting false confidence when auditors compare egress logs versus marketing copy.

By contrast, the Clash-class ecosystem—profiles you fetch from a trustworthy subscription URL, rule providers you vet, forks you reinstall transparently—aligns UID bypass with deterministic networking you can screenshot for support tickets. Platforms such as ClashNote exist to shorten the distance between intimidating YAML and workable daily setups: curated client pointers, interoperability notes, and context so you adopt Meta-compatible forks without juggling mystery binaries.

Download Clash for free through ClashNote’s client directory, mirror a sane Android build, paste your subscription, then carve bypass or proxy-only lists deliberately—routing stops being folklore and turns into repeatable procedure.

After tuning mobile scope, skim DNS mode interplay for deeper dives, or revisit additional tech column installments when you refactor desktop policies to match handset expectations.