1. Symptoms that point to split routing, not “Figma is down”
Status dashboards for Figma are noisy, yet many tickets are local pathologies. Listen for asymmetry: marketing pages and account settings load, yet a specific file tab never leaves the loading shimmer; thumbnails appear in the sidebar while the main canvas stays blank; or two teammates on the same Wi-Fi see different “last synced” states because one browser still has a healthy WebSocket while the other’s channel died behind a proxy hop.
Comment and notification drift is another clue. If typing in a sticky note feels instant but the comments panel shows minutes-old threads, you may be splitting REST calls from the collab fabric. Enterprise readers sometimes mistake that for “Figma comments are broken,” when the log actually shows alternating DIRECT and PROXY rows for hostnames that should share one steady exit.
Before you chase outages, confirm whether the failure tracks a Clash profile swap rather than Figma’s own incident page. If YAML still feels opaque, skim our subscription import tutorial so you know where provider bundles end and where your personal rule section should live.
2. A checklist before you rotate exit nodes
Changing nodes feels decisive, yet it wastes time when the browser never hit Clash for the hostname that matters. Work through this sequence while watching your client’s live connection view.
- Decide whether you are in system proxy mode or TUN mode, then confirm the browser or desktop shell actually inherits that path. Some security suites strip OS proxy flags for selected binaries.
- Reproduce the stuck canvas or stale collab state, then read the policy column per hostname in the log. Stray DIRECT rows next to proxied figma.com neighbors are a classic cause of half-hydrated editors.
- Audit DNS: upstream reachability, fake-ip expectations, and whether campus or corporate resolvers special-case design-tool domains.
- Expand Clash split rules to cover static delivery, API hosts, and any collab endpoints you observe, not only the marketing apex.
- After routing is coherent, pick a stable node for long-lived WebSocket sessions and avoid ultra-aggressive auto failover that reconnects mid-edit.
For port collisions, invalid rules, and core startup failures, keep the general Clash troubleshooting guide open. Here we focus on browser-class design apps where one missing Figma CDN suffix mimics a platform outage.
3. Why Figma breaks when only the “main” domain is proxied
Figma deliberately separates concerns. The editor downloads fonts, images, and compiled bundles from high-volume delivery paths while authenticated fetches and realtime channels may use different hostnames or edge contracts. A minimal profile that proxies figma.com but leaves a static delivery hostname on DIRECT can still strand the canvas if that hostname is unreachable on the direct path your ISP offers—or if TLS inspection on the direct path breaks HTTP/2 multiplexing the editor expects.
Realtime collaboration adds a second axis. WebSocket sessions are sensitive to mid-flight IP changes, flaky UDP companions on certain tunnels, and corporate middleboxes that throttle long-lived upgrades. A rule that forces aggressive domestic-direct behavior for “generic CDN” patterns may still be wrong for Figma if the same provider edge serves both static objects and authenticated fetches your session expects to co-locate on one exit.
Users perceive that as collab loading failure even when partial traffic still moves—another hint that policy selection is inconsistent rather than universally blocked.
4. System proxy versus TUN for Figma in the browser
System proxy is the lighter-touch option when the OS honors proxy settings and Chromium-derived shells respect them for HTTPS—including many WebSocket upgrades that ride the same process. The familiar failure mode mirrors complex web apps: the primary document succeeds, yet secondary hosts bypass the proxy, leaving embedded modules or font packs empty.
TUN mode pushes routing deeper so fewer processes can silently skirt Clash. That matters when Electron desktop wrappers, helper utilities, or background sync agents ignore system proxy flags. If you already walked through our TUN mode guide, repeat the experiment while sorting connections for the browser or Figma desktop process name. TUN is not mandatory for everyone, but it is the right lever when evidence shows asset fetches and collab channels take different visibility paths.
Regardless of mode, confirm the GUI is using the profile you edited. Editing one YAML while another snapshot remains selected manufactures phantom regressions that have nothing to do with Figma’s infrastructure.
5. DNS, fake-ip, and resolver conflicts
Clash’s fake-ip mode answers quickly with synthetic addresses, yet it tightly couples DNS to rule evaluation. When the resolver and the rule engine disagree about what a Figma CDN hostname “means,” you can observe TLS retries, stalled bundles, and editor panes that never leave the loading state.
A practical mitigation has two parts. First, ensure upstream DNS servers are reachable through the policy path you expect for general browsing, and avoid resolver chains that intermittently drop international queries. Second, consider targeted policies—commonly nameserver-policy in Mihomo-compatible cores—for suffixes you see repeatedly in Figma traffic. Always verify keys against the documentation bundled with your exact core build instead of copying aged forum snippets.
When DNS fixes clear most symptoms without changing proxy groups, you have strong evidence the bottleneck was resolution, not bandwidth. That distinction tells you whether to invest in resolver hygiene or in node stability next.
6. How to collect Figma hostnames you can defend in a ticket
Static rule posts decay because CDNs and feature flags shift. Build a fresh inventory whenever Figma ships a large editor update or your subscription provider rearranges geo rules.
In the browser, open developer tools, switch to the Network tab, reproduce the spinner, and sort by domain. Pay attention to font requests, large script bundles, and any wss:// entry that stays pending. Cross-check with your Clash connection table: if a name appears in DevTools but never in Clash, you still have a visibility problem rather than a rule-depth problem.
On desktop, use your client’s per-process view or OS-level monitors to isolate the Figma binary, then note every remote hostname during file open and multiplayer sessions. Prefer evidence from the actual binaries you use in production, not a one-off curl test from another machine that inherits different YAML.
When you document fixes for a design system guild, paste the hostname list with a capture date. Future you will appreciate the timestamp when a CDN cutover suddenly invalidates yesterday’s YAML.
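The cross-check described in this section, as an added example that is not part of the original article: it compares hostnames from a DevTools HAR export with a Clash connections snapshot and separates visibility problems from split-policy problems. Both samples are constructed; the `.example` hosts, the node name and the snapshot shape (`metadata.host`, `chains`) are assumptions to verify against your own client.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: trimmed DevTools HAR export captured while the canvas spins.
HAR = {"log": {"entries": [
    {"request": {"url": "https://www.figma.com/file/demo"}},
    {"request": {"url": "https://static.figma.com/app/bundle.js"}},
    {"request": {"url": "https://fonts.cdn.example/inter.woff2"}},
    {"request": {"url": "wss://realtime.cdn.example/session"}},
]}}

# Constructed sample in the assumed shape of a Clash connections snapshot:
# "chains" runs from the exit node outward, so the last item is the rule's policy.
CONNECTIONS = {"connections": [
    {"metadata": {"host": "www.figma.com"}, "chains": ["node-a", "PROXY"]},
    {"metadata": {"host": "static.figma.com"}, "chains": ["DIRECT"]},
    {"metadata": {"host": "fonts.cdn.example"}, "chains": ["node-a", "PROXY"]},
]}

def har_hosts(har):
    """Hostnames the browser actually requested (https:// and wss:// alike)."""
    return {urlsplit(e["request"]["url"]).hostname for e in har["log"]["entries"]}

def clash_policies(snapshot):
    """Map each host Clash saw to the set of policies that handled it."""
    seen = defaultdict(set)
    for conn in snapshot["connections"]:
        host = conn["metadata"].get("host")
        if host and conn.get("chains"):
            seen[host].add(conn["chains"][-1])
    return seen

def audit(har, snapshot):
    wanted, seen = har_hosts(har), clash_policies(snapshot)
    # Requested by the browser but never seen by Clash: a visibility problem.
    invisible = sorted(wanted - set(seen))
    # Same parent domain, different policies: a rule-precedence problem.
    by_parent = defaultdict(set)
    for host in wanted & set(seen):
        parent = ".".join(host.split(".")[-2:])  # simplification, not a public-suffix lookup
        by_parent[parent] |= seen[host]
    split = {p: sorted(pols) for p, pols in by_parent.items() if len(pols) > 1}
    return invisible, split

if __name__ == "__main__":
    invisible, split = audit(HAR, CONNECTIONS)
    print("in DevTools, never in Clash:", invisible)
    print("parent domains with mixed policies:", split)
```

Paste the two result lists into the ticket next to the capture date so the evidence and the timestamp travel together.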
7. Domain buckets from API to CDN edges
After collection, group hosts so your configuration stays readable. Names drift; verify each suffix against your own logs before you paste.
| Bucket | Common patterns | Routing note |
|---|---|---|
| Core app and API | figma.com, www.figma.com | Often insufficient alone; the editor immediately calls additional hosts. |
| Embeds and marketing | embed.figma.com, figma.site (published sites), help or status subdomains you use | Breaks when only the file tab is proxied. |
| Static and fonts | static.figma.com and observed CDN neighbors | Classic canvas spinner when this bucket splits from API. |
| Realtime collab | wss:// hosts tied to live cursors and presence | Keep on a stable policy; avoid flappy failover pools. |
| Plugins and third parties | Hosts introduced by community plugins or analytics | May need separate rules so they do not poison the core buckets. |
Treat the table as a hypothesis checklist, not a frozen vendor contract. Your subscription may already inject broad “design” or “SaaS” lists; reconcile overlaps so your explicit lines still win on precedence.
8. Rule snippets: explicit coverage and clean ordering
The YAML fragments below illustrate steering traffic to a proxy group named PROXY. Rename that token to match your real policy label and insert these lines before broad provider rules that might prematurely return DIRECT for “domestic” CDNs that Figma also uses.
```yaml
# Example only — replace PROXY with your policy group name
rules:
  - DOMAIN-SUFFIX,figma.com,PROXY
```
Add DOMAIN-SUFFIX,figma.site,PROXY only if your team uses published Figma Sites and logs show hits on that suffix. Prefer DOMAIN-SUFFIX when you can express intent precisely. Reserve DOMAIN-KEYWORD for noisy vendor patterns you cannot enumerate, because substring matches are powerful and easy to overfit.
If your subscription injects aggressive geo rules, duplicate critical Figma lines in a user-controlled section that loads with correct precedence, or merge providers thoughtfully so your exceptions win. The same structural advice appears in our Telegram MTProto and CDN split article, which walks through layered clients with a similar debugging mindset.
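To make the precedence point concrete, here is an added example (not from the original article and not Clash's own code) of a minimal first-match evaluator for the three rule types discussed above. The provider rule, the `cdn-edge.example` suffix and the lookalike hostnames are constructed for illustration.

```python
def matches(rule_type, payload, host):
    """Simplified matching semantics for the rule types used in this section."""
    if rule_type == "DOMAIN":
        return host == payload
    if rule_type == "DOMAIN-SUFFIX":
        return host == payload or host.endswith("." + payload)
    if rule_type == "DOMAIN-KEYWORD":
        return payload in host          # plain substring match
    return rule_type == "MATCH"         # catch-all

def resolve(rules, host):
    """Return (policy, winning_line) for the first rule that matches host."""
    for line in rules:
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "MATCH":
            payload, policy = "", parts[1]
        else:
            payload, policy = parts[1], parts[2]
        if matches(parts[0], payload, host):
            return policy, line
    return None, None

USER_RULES = [
    "DOMAIN-SUFFIX,figma.com,PROXY",
    "DOMAIN-SUFFIX,cdn-edge.example,PROXY",   # constructed: a CDN neighbor seen in your logs
]
PROVIDER_RULES = [
    "DOMAIN-KEYWORD,cdn,DIRECT",              # constructed: broad provider rule
    "MATCH,DIRECT",
]

# Provider rules first: the broad keyword wins before the explicit suffix is reached.
PROVIDER_FIRST = PROVIDER_RULES[:1] + USER_RULES + PROVIDER_RULES[1:]
# User rules first: the explicit suffix wins on precedence.
USER_FIRST = USER_RULES + PROVIDER_RULES

if __name__ == "__main__":
    host = "assets.cdn-edge.example"
    print("provider first:", resolve(PROVIDER_FIRST, host))
    print("user first:    ", resolve(USER_FIRST, host))
    # Keyword overfit: a substring rule also captures an unrelated lookalike host.
    print(resolve(["DOMAIN-KEYWORD,figma,PROXY", "MATCH,DIRECT"], "notfigma.example"))
    print(resolve(USER_FIRST, "notfigma.com"))
```

The last two calls show why DOMAIN-SUFFIX is the safer default: the suffix rule ignores `notfigma.com`, while the keyword rule routes any hostname that merely contains the string.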
9. WebSocket-specific behavior: why collab is not “just HTTPS”
A file tab may download megabytes over ordinary HTTPS while collaboration rides a parallel WebSocket that stays open for tens of minutes. If that channel reconnects through a different exit every few seconds—because your auto strategy thrashes under latency spikes—users see jittery cursors and comment stalls even when static assets look fine.
When experimenting, clone your proxy group as PROXY_FIGMA and point Figma-related suffixes there, leaving unrelated bulk traffic on DIRECT if policy requires. Document the choice: aggressive auto-switching on huge downloads can starve interactive sessions if the same pool backs both.
Enterprise TLS inspection can also break long-lived secure websockets even when downloads succeed. If HTTPS policies look perfect yet collab still flakes, broaden diagnostics beyond domain rows: confirm whether inspection appliances sit on the direct path, and whether split-horizon DNS returns different addresses inside the office than at home.
10. FigJam, libraries, and cross-app links
Whiteboarding and design libraries add more hostnames to the graph. A team might proxy the core editor beautifully yet forget the subdomain that serves shared library metadata, producing “library updates pending” badges that never clear. Treat each new surface as a reason to refresh your capture, not as an excuse to turn on crude global proxy for the whole machine.
Community plugins may call third-party APIs that your corporate policy labels differently from Figma itself. Decide consciously whether those hosts belong in the same PROXY_FIGMA bucket or in an isolated group so a misbehaving plugin cannot force the entire design stack through an unstable node.
11. GUI workflow: logs are the source of truth
Desktop clients such as Clash Verge Rev expose live connections, DNS panes, and rule editors side by side. When Figma misbehaves, filter connections for figma substrings and read the chosen policy per row. If anything sensitive shows DIRECT while similar hosts use PROXY, fix precedence before swapping servers.
If the baseline install still feels unfamiliar, follow the Clash Verge Rev setup guide to confirm ports, subscriptions, and first launch before you chase Figma-specific ghosts.
12. How this differs from Cursor or Steam guides
Our Cursor marketplace split article targets Electron update graphs and extension CDN edges—similar instincts about half-proxied developer tools, yet different hostnames. Likewise, Steam’s CDN split article focuses on depot downloads rather than browser-grade WebSocket collaboration. Figma sits in the middle: web-tech realtime inside a design surface that still pulls large static payloads.
Enterprise readers should remember that split-horizon DNS can make international Figma surfaces look broken even when Clash is perfect. If only Figma-facing domains fail while unrelated HTTPS succeeds, involve the network team with connection logs rather than assuming the proxy core is misconfigured.
13. Browser extensions, antivirus, and dual VPN stacks
Privacy extensions that block third-party scripts, aggressive HTTPS-filtering antivirus suites, and “WAN optimizers” sometimes reorder traffic in ways Clash cannot see. Disable them briefly during triage. Running two VPN-class products simultaneously invites routing loops that masquerade as application bugs.
If you also use WSL or containers alongside the browser, remember those environments inherit none of your host YAML unless you explicitly bridge them—our WSL2 host-proxy guide covers the Linux side, which can confuse diagnostics when you test with curl from Ubuntu while designers reproduce issues in Chrome on Windows.
14. Open source and trust
If you want to inspect upstream source, review issues, or contribute patches, visit the community repositories linked from our docs. Keep that separate from day-to-day install paths: the primary way readers should fetch maintained desktop builds remains this site’s download flow, not a raw release asset buried in a thread.
15. Close with evidence, not superstition
Figma spinners and brittle collaboration are frustrating because the UI still looks authoritative even when the network path is fractured. Treat every endless shimmer as a prompt to open the log, read policies row by row, and reconcile DNS with the hostnames the editor actually contacted. Clash split rules that cover Figma CDN edges alongside WebSocket channels—not a single apex line—are the mechanical layer; stable nodes and honest long-lived sessions are the polish once TCP is coherent.
Compared with toggling random VPNs, a maintained desktop client with Mihomo integration keeps diagnostics visible and reduces YAML foot-guns when Figma ships quiet infrastructure changes.