Why do Zoom or Teams meetings fail when browsers still load websites through Clash?

Meeting apps move most media over UDP-based real-time transport after TLS setup completes on TCP. Plain system proxy modes often steer HTTP CONNECT and SOCKS flows well yet miss UDP packets that bypass the tunnel. Until those datagrams and ICE candidates traverse the same coherent policy path as signaling, you can see thumbnails without stable audio—or the opposite—or endless “connecting” spinners.

Do I need to list STUN or TURN hostnames individually in Clash rules?

You usually start with registrable Zoom and Teams domains your clients authenticate against, then expand from connection logs—not a static encyclopedia from a forum screenshot. ICE may select STUN-derived addresses or relay through TURN with hostnames your provider rotates. Rule Providers help if you maintain curated lists; always reconcile what your local logs show during a reproduced failure.

Is TUN mode required for Zoom and Teams behind Clash?

Often yes on desktops when UDP does not traverse system proxy listeners. TUN redirects eligible packets through Clash so UDP can attach to policy groups. If enterprise policy forbids TUN, document how the conferencing binary escapes the SOCKS port and validate whether split-tunnel VPN or per-app tooling is in play—inconsistent capture still produces classic half-working calls.

How do I verify my subscription URL and nodes support UDP for conferencing?

Refresh the profile imported from your subscription URL, pick exits your operator marks as UDP-friendly or gaming-oriented, reproduce a short meeting, and read logs at INFO without publishing secrets publicly. If the remote side drops UDP entirely, no YAML trick invents RTP capability downstream—rotate regions or escalate with your vendor using timestamps from the log.

Zoom & Teams Freeze? Clash RTC UDP TURN 2026

Why video meetings behave differently behind Clash

General web browsing leans on HTTPS to recognizable hostnames. Your Clash rules match DOMAIN-SUFFIX entries, steer traffic into policy groups, and screenshots look convincing. Corporate video meetings introduce a parallel stack: signaling and authentication still ride TCP/TLS toward product domains—think Zoom gateways and Microsoft Teams fronts under zoom.us or microsoft.com umbrellas—but sustained audio and compressed video streams prefer UDP-based real-time transports after sessions negotiate codecs and paths. Interactive Connectivity Establishment (ICE) gathers candidates; STUN helps peers learn reflexive addresses; TURN relays appear when symmetrical NAT or firewalls obstruct direct RTP-style flows.

When half of that story crosses your tunnel and half rides DIRECT, you earn glitches inconsistent with latency tests aimed at ICMP or single-file downloads. Symptoms include frozen tiles after minutes of apparent success, microphones that mute without UI errors, reconnect loops, or “establishing connection” phrases that expire while Slack messages still synchronize. Consumers often chase the wrong villain—assuming the meeting vendor changed datacenters overnight—because they never measured UDP alongside TCP in the same five-minute trace.

Another distortion is geographic policy. If Teams auth exits through one country while ICE selects media candidates reachable only when another egress would have been coherent, jitter rises even when bandwidth looks ample. Conversely, pinning everything to “global proxy” without ensuring your client actually submits datagrams to Clash keeps UDP on the unintended interface. Routing everything in YAML does not magically capture packets applications never handed to your proxy listeners.

This article assumes Clash Meta (mihomo) or an equivalent fork. If terminology like proxy-groups feels new, skim the YAML routing guide first; we reference rule-order discipline throughout without repeating the entire tutorial.

How Zoom versus Microsoft Teams organizes traffic

Both ecosystems publish high-level network requirements emphasizing open UDP paired with reachable TCP HTTPS for control planes. Practical observation still beats memorizing brochures: Zoom desktop clients routinely hit names under zoom.us, CDN edges, websocket-style gateways depending on revision, and a changing set of download hosts for updates—each logged version may differ subtly. Keeping a dedicated policy group such as ZOOM_MTG concentrates decisions instead of scattering one-off snippets above a reckless MATCH.

Teams on modern builds converges heavily on Microsoft 365 namespaces: teams.microsoft.com, assorted *.microsoft.com and *.microsoftonline.com hosts for identity, Exchange Online coexistence hooks, telemetry you may selectively allow, plus Graph-adjacent calls. Recent UI shells also emphasize cloud.microsoft style surfaces—watch your resolver answers when Microsoft shifts edges. Routing “only teams.microsoft.com” rarely mirrors what a hardened enterprise tenant actually touches during SSO, breakout rooms, and screen sharing overlays.

Mobile adds nuance: iOS and Android conferencing stacks negotiate power savings differently from desktop Electron or native wrappers. Cellular interfaces may coexist with Wi-Fi concurrently; ICE may prioritize links your YAML never considered. Symptoms that vanish when you disable secondary radios validate radio policies more than blaming UDP generically.

Finally, governmental or campus networks may force transparent HTTP inspection or block arbitrary UDP egress entirely. Validate on a simpler uplink—tether briefly—before rewriting half your provider list. Some problems exist without Clash inserted at all.

STUN, TURN, and why “media endpoints” rarely equal one hostname

Session Description Protocol signaling still matters, but naive mental models—“I proxied HTTPS, meetings should follow”—skip how candidate pairs stabilize. Successful WebRTC-style stacks collect host, server-reflexive, and relay-derived candidates; they probe pairings subject to timeouts and bandwidth estimates. Firewall rules that jitter reordering degrade interactive audio faster than throughput graphs reveal.

Your static YAML lists cannot enumerate every ephemeral media port Microsoft or Zoom allocates cross-region nor every third-party CDN edge fused into screen-sharing paths. Operational practice: prioritize authentication and telemetry domains documented for your SKU, widen with suffix captures your logs justify, capture UDP via TUN, and confirm exits forward datagram semantics your subscription advertises—not copy two hundred stray IP literals from archived gists destined for ancient client builds.

Let logs widen YAML slowly Reproduce briefly, harvest fresh hostnames, deduplicate consciously, append suffix rules deliberately above catch-alls—not the reverse order where community Rule Providers preempt your meeting exceptions silently.

Step 1: Baseline reproduction without destroying evidence

Establish a repeatable lab call: mute cameras first to reduce variance, coordinate with one remote participant aware you are diagnosing, note exact timestamps correlating freezes with local CPU spikes or Wi-Fi dips. Toggle Clash off cleanly for one controlled attempt—prefer exiting rule mode distinctly rather than unplugging midway—then repeat with identical node picks. Divergence isolates interception layers from raw ISP congestion.

Snapshot your profile fingerprint: Meta core revision, Tun driver state, resolver mode, snippet of first twenty rules preceding MATCH. If disabling TUN heals audio while HTTPS alone looked healthy earlier, prioritize capture-path chapters before iterating provider lists blindly.

Confirm your subscription URL fetch completes without TLS quirks that leave you on stale transports. Our subscription auto-update troubleshooting article covers UA and clock skew dragons masquerading as meeting regressions unrelated to conferencing vendors.

Step 2: Align DNS with how rules evaluate names

Fake-ip environments synthesize LAN-visible addresses tying back to queried names inside Clash-aware stacks—great until an application resolves outside that contract. Mixed IPv4/IPv6 answers may steer half your candidates along broken tunnels. Toggle experiments methodically rather than chaining five guesses per minute.

Walk the comparison in our dedicated Fake-IP versus Redir-Host DNS article. Pay attention when Teams or Zoom leverages split-horizon corporate resolvers concurrently with public lookups—dual resolver races produce “silent mic” anecdotes hard to correlate without packet captures you may not be permitted to archive.

After substantive DNS edits, restart conferencing clients entirely; ephemeral caches cling to contradictory tuples longer than impatient humans tolerate.

Step 3: Place ordered domain splits before greedy catch-alls

Rules evaluate top-down until the first hit. Elevate conferencing clusters above broad GEOIP shortcuts or blunt MATCH shunts misrouting SaaS egress. Skeleton illustrating intent—not an exhaustive authoritative vendor manifest:

rules:
  - DOMAIN-SUFFIX,zoom.us,ZOOM_MTG
  - DOMAIN-SUFFIX,zoomgov.com,ZOOM_MTG
  - # …append suffixes surfaced in YOUR logs …
  - DOMAIN-KEYWORD,teams,TEAMS_MTG
  - DOMAIN-SUFFIX,microsoft.com,TEAMS_MTG
  - DOMAIN-SUFFIX,microsoftonline.com,TEAMS_MTG
  - DOMAIN-SUFFIX,cloud.microsoft,TEAMS_MTG
  - # Tighten aggressively only after validating side effects elsewhere
  - MATCH,PROXY

Prefer suffix precision over hungry DOMAIN-KEYWORD collisions that hijack unrelated Microsoft traffic unrelated to conferencing. Imported Rule Providers interleave with hand-written precedence—inspect combined order after merges lest an aggressive blocklist intercept STUN-bearing hosts your meeting stack still needs legally.

Pair this structure with thoughtfully named proxy groups referencing stable manual picks when automatic url-test jitter mid-call unsettles jitter buffers. Operational teams sometimes clone “low-latency” regional exits separate from throughput-optimized archival nodes—even if nominally identical protocol families—because congestion collapse signatures differ subtly across provider backbones.

For adjacent real-time workloads the mental model parallels our narrower Discord voice & UDP guide—distinct product but identical debugging rhythm: HTTPS first instincts, UDP second reality.

Step 4: Use TUN (or verified capture) for UDP coherence

Classic HTTP/SOCKS injection routes many workloads—yet conferencing binaries frequently emit RTP-style UDP not traversing conventional proxy sockets. TUN virtual adapters divert eligible packets through Clash so decisions align with layered split routing policy instead of bifurcated OS routing tables wrestling silently underneath.

Consult the dedicated Clash TUN setup and troubleshooting companion before flipping toggles blindly on production laptops. Windows App Store-delivered conferencing packages sometimes flirt with restricted capabilities—overlap exists with enterprise loopback quirks documented alongside our broader Windows networking articles when isolating anomalies.

Symptom pattern	First layer worth verifying
Calendar join links load yet media never attaches	UDP path bypassing proxy listeners; inspect TUN & node UDP
One-way audio or robotic bursts	Jitter buffers + asymmetric routing mismatches; unify exits
Freeze after predictable interval	Select-group flapping timers; Wi-Fi chipset sleep; uplink QoS
Teams web OK, desktop app broken	DNS split + per-binary proxy exemptions + IPv6 candidate skew
Occurs only tethered LTE	Carrier-grade NAT amplified; unrelated to YAML cleanliness

Where policy forbids TUN universally, escalate honestly: articulate clearly what capture path conferencing lacks; partial fixes risk compliance theater—not stable calls.

Windows environments deserve an extra diligence pass: conferencing binaries distributed through the Microsoft Store or packaged as UWPs sometimes interact with virtualization-based security stacks and virtualization-based GPU scheduling in ways subtly different from fully Win32 installers. Symptoms that correlate with sleep/resume transitions or hybrid graphics toggles may originate above Clash—even if logs initially resemble UDP starvation. Isolate by logging off secondary GPUs temporarily on developer laptops plagued by multiplexed docks where DisplayPort MST shares bandwidth with NIC ports on undersized cabling—edge cases uncommon but disproportionately loud in support archives.

macOS reviewers should remember split Little Snitch–style prompts interact additively with TUN overlays: approving one layer while silently denying companion helper processes still yields oddly specific “camera works locally but preview never relays” bugs that masquerade as proxy failures despite TLS handshakes succeeding at first glance inside verbose logs.

Step 5: Exit nodes, capacity, and corporate overlays

Even immaculate local profiles fail when remote relays discard UDP. Rotate among exits geographically closer to conversational peers when latency budgets drive interactive clarity. High-throughput archival nodes prized for gigantic single-stream downloads occasionally implement queueing harming micro-bursts conferencing depends on chronologically.

Modern stacks—HY2, TUIC, VLESS combos—vary; ensure your Meta core aligns with transports your provider documents in the subscription metadata. Readers refreshing cores should revisit the Clash Meta core upgrade overview periodically so TLS and QUIC-era expectations stay synchronized reality rather than folklore.

Enterprise VPN or SD-WAN overlays sometimes hairpin conferencing twice—analyze whether forcing DIRECT for corporate split-tunnel subnets collides with mandated inspection paths contradictory to naive single-exit fantasies orchestrated purely inside personal YAML tinkering divorced from organizational policy reality.

Capacity planning overlaps slightly with QoS anecdotes: simultaneous household 4K streaming plus multiple concurrent conferencing sessions can saturate uplink—even symmetric gigabit fibre rarely guarantees stable upstream jitter when consumer routers buffer aggressively upstream small packets behind large TCP windows. Scheduling heavy ISO downloads away from predictable stand-up windows costs nothing yet prevents misattributed “random Clash breakage” reputations no YAML patch redeems ethically.

SSO, Conditional Access, and scope limits—not every mute is network-shaped

Microsoft 365 Conditional Access frequently gates Teams join tokens based on compliant device posture, approved IP ranges for legacy tenants migrating slowly, acceptable authentication strengths, or region locks independent of naive HTTP proxy routing completeness. Symptoms sometimes resemble pure transport failure: indefinite spinning join buttons, abruptly dropped sessions referencing policy identifiers instead of ICMP loss. Administrators should corroborate with Azure AD sign-in logs before burning cycles rewriting egress matrices—especially when personal Clash coexistence overlays corporate Defender lines confusing identity surfaces.

Zoom meetings governed by HIPAA-hardened “Zoom for Government” or similarly isolated SKUs may demand distinct infrastructure lists than consumer defaults; copying generic suffix packs without verifying tenant SKU introduces silent partial connectivity where authentication reaches yet media policies decline participation without obvious UI hints beyond opaque error codes surfaced minutes late in verbose logs reviewers rarely screenshot comprehensively afterwards.

Encryption modes matter philosophically—not every organization permits end-to-end optional modes equally; intermediary recording servers sanctioned for compliance archiving shift candidate exposure surfaces despite identical casual user descriptions verbally. Transparently: Clash cannot bypass lawful intercept expectations your employer configures nor magically endorse devices lacking corporate compliance signals—network tuning remains subservient to identity governance mandates dictating conferencing eligibility intrinsically.

Interpret these paragraphs as narrowing expectations when symptoms persist across pristine residential uplinks cleanly separated from interception clusters—escalate with IT ticketing chains supplying structured timelines rather than anecdotes alone. Combining structured packet metadata (sanitized responsibly) expedites differentiated triage enormously compared to unstructured venting repeated across forums endlessly recycling identical screenshot fragments lacking reproducible deltas.

How this differs from streaming CDN “region” troubleshooting

Media catalogs such as Netflix revolve heavily around deterministic HTTPS edges and catalog licensing labels—critical for watchers, subtly different kinematics versus bidirectional conferencing stress-testing ICE continuously. Guides like our Netflix region rules tutorial share vocabulary—policy groups, DNS leaks—but the failure surfaces diverge enough that blindly copying CDN suffix packs into Zoom or Teams seldom resolves oscillating microphones.

Open source pointers

Behavior evolves with upstream mihomo merges. Transparency matters: architectural discussions reside in the community mihomo repository; treat it separately from installers—per our publishing stance, downloadable clients route through onsite pages like download for clarity—not bare GitHub release links as first-hop install buttons.

Closing thoughts

Unblocking Zoom and Microsoft Teams under Clash rewards systems thinking—not wishful singular hostlines. Harmonize resolver semantics with authored rules, prioritize conferencing suffix families ahead of brute MATCH fallbacks, elevate TUN when UDP needs capture parity, and scrutinize exits for honest real-time relays instead of brute throughput folklore alone.

If calls stabilize after iterative tightening, memorialize succinct comments inside your YAML or Rule Provider stubs so teammates understand intent six months downstream—avoid mythic blobs nobody dares refactor.

→ Download Clash for free and experience the difference—pair a Meta-capable build with deliberate DNS hygiene, orderly rule stacks, TUN-aware capture when meetings still drop UDP, and a subscription workflow you trust enough to iterate calmly instead of blaming codecs first.

Continue learning via the policy groups guide, return to our tech column index for contextual peers, or branch into TURN optimization research when corporate relay policies demand deeper dives than one article can ethically compress.