1. Symptoms: sync versus shell versus attachments
Notion failures behind Notion proxy-class rules rarely announce themselves as “connection refused.” The UI is optimistic: navigation chrome may load while the document graph waits on API responses, or a page appears read-only while inline edits never commit. A stuck spinner in the status bar, “Offline” flapping while other HTTPS sites work, and “Unable to connect” to a specific workspace after sign-in are all compatible with a fractured path.
Attachment-heavy pages exaggerate the split. A database with large media depends on fetches to delivery domains that are not the same as api.notion.com. Thumbnails, PDF previews, and embedded file viewers can hang while the outline still lists rows—another fingerprint of static delivery and API disagreeing on policy. Team spaces that live behind stricter org policies are especially sensitive: conditional logic may send some calls through identity-aware edges while the client still issues parallel Notion CDN fetches to generic buckets.
Before you rewrite YAML, name the class of problem. Overload (single exit saturated or flapping) feels like global slowdown across all apps. Partial routing feels like a ghost: one surface works, another is empty, and the Mihomo log shows sibling hostnames split between PROXY and DIRECT even though the product still looks like one window.
2. Triage order: visibility, DNS, rules, then TUN on Windows
Work through a fixed sequence on Windows so you do not chase ghosts from rule four while rule one is still false.
- Confirm the Notion app or browser is actually using the same capture path: system proxy, manual localhost proxy, or TUN, not a forgotten corporate VPN that bypasses Clash.
- Open live connections, reproduce a failed Notion sync, and read the policy column for every Notion-related row in order of appearance.
- Reconcile DNS with the addresses your rules evaluate—especially in
fake-ipmode, where a resolver mismatch is indistinguishable from a bad node. - Add explicit
DOMAIN-SUFFIXlines for the API, product, and Notion CDN groups you see in the log, ahead of broad “domestic CDN” list rules. - Only if HTTPS looks coherent yet sync still desynchronizes, retest with TUN to remove invisible bypasses from certain runtimes on Windows.
If the profile itself is confusing, start from subscription import basics so you know which sections are under your control versus provider-bundled.
3. Why a single notion.so rule is not enough
Notion is a document platform built from cooperating services. The shell may load from a familiar zone while the editor negotiates with API hosts, search infrastructure, and regional edges that change with feature flags. A rule that only targets the public marketing apex leaves real traffic on whatever your catch-all GEOIP or “domestic” block decides—often DIRECT to a path your ISP throttles or that never completes cross-border.
Static assets and attachment pipelines frequently ride hostnames in generic cloud CDNs. Those labels may look “generic” in a subscription list, which encourages automated rules to pin them to DIRECT for performance. In mixed networks, that is exactly how you strand API success beside CDN failure: TLS handshakes succeed on one class of name while the browser blocks on another.
When you read marketing materials about Notion reliability, remember that the public story is uptime for the product as a whole. Your Notion proxy design must match the list of hostnames the client actually dials, not a remembered blog post from two years ago.
4. System proxy compared with TUN for Notion on Windows
System proxy is attractive because it is lightweight: WinINET settings propagate to many user-mode apps, and Notion’s Electron client generally respects the stack when nothing strips flags. The classic failure is partial visibility. Secondary processes, helper fetches, or WebView surfaces sometimes sidestep the OS proxy, especially when security software rewrites the chain.
TUN puts traffic under route-level capture so more flows show up in your Mihomo view with fewer “invisible” sockets. The trade-off is interaction with other virtual adapters, Hyper-V, WSL, and corporate VPN: two tunnels fighting for priority can masquerade as an application bug. If you already followed our TUN mode guide, repeat the same mental checklist while filtering connections for Notion and Chromium-related process names. You are not “turning TUN on because Reddit said so,” but because the log still shows unexplained DIRECT rows while the shell claims it is online.
Always select the same profile you are editing. A surprisingly common source of Notion sync reports is a GUI pointed at a snapshot you have not changed since last week.
5. DNS, fake-ip, and resolver policy
Mihomo-compatible cores answer quickly in fake-ip mode, but the answer is synthetic: routing policy and the resolver must tell the same story. When a hostname maps to a fake range in Clash but your browser cache or Windows DNS client still holds a different answer, you see intermittent TLS handshakes, long stalls after first paint, and “offline” flips with no clear upstream error string.
Practical hardening on Windows includes: picking upstream resolvers that keep international queries reliable, avoiding chained resolvers that drop EDNS, and, where your core version supports it, scoping nameserver-policy to suffixes you actually observe for Notion—always verified against the documentation for your build number, not a random gist.
Split-horizon networks deserve caution. A campus that rewrites “cloud” names to a local forwarder can make Notion’s world look broken only on your LAN while tethering from a phone works. Compare answers from Clash’s resolver and from ipconfig /all before you accuse a remote exit.
When a DNS change clears most symptoms before you touch any proxy group, the bottleneck was resolution coherence, not bandwidth.
6. How to collect hostnames you will defend in rules
Do not copy an outdated “Notion list” from a forum without replaying a capture. CDNs and feature rollouts change the edges your client actually hits.
On Windows, use Resource Monitor’s network tab or the client’s own connection view while you open a page that reproduces the stuck Notion sync. Sort by process name, isolate Notion or the browser binary, and write down each remote name. Cross-check with Clash: if a name appears in Resource Monitor but not in Clash, you still have a visibility problem—rules cannot fix what you do not see.
Compare desktop against browser. They are not identical. Many teams need the desktop app for offline tolerance; the debugging story should come from the binary you really deploy.
When you keep an internal runbook, label your hostname list with a date. Future you will know why Clash split routing “suddenly” broke the week a vendor shuffled a bucket.
7. Buckets: API, app, and CDN in plain terms
Group names so the YAML remains readable, then adjust only after the log justifies the bucket.
| Bucket | Typical patterns to verify | What breaks if split wrong |
|---|---|---|
| Notion app and product | notion.so, www.notion.so, and hostnames your capture shows for the signed-in shell | Navigation or workspace list fails or loops. |
| API and data plane | api.notion.com and related control hosts from the log (verify live) | “Syncing…” forever; edits not saved; databases empty. |
| Static and script delivery | Script, font, and bundle hostnames in your Notion CDN capture, often vendor CDN zones | White screen or half-rendered UI with no obvious error string. |
| Attachments and file edges | Object storage and signed URL fetches in your log when opening file blocks | Thumbnails, PDFs, and embeds never resolve while text pages still load. |
Treat the table as a hypothesis, not a permanent vendor list. The actionable unit is the suffix list your Mihomo log prints while you fail on purpose in a test page.
8. Example rule ordering (rename PROXY to match yours)
The fragment below is illustrative. Insert lines before catch-all or “domestic CDN” rules that may otherwise mark generic edges as DIRECT while your API is proxied.
# Example only — replace PROXY; verify every suffix in your live Mihomo log
rules:
- DOMAIN-SUFFIX,notion.so,PROXY
- DOMAIN-SUFFIX,notion.site,PROXY
- DOMAIN-SUFFIX,notion.com,PROXY
- DOMAIN-SUFFIX,notion.new,PROXY
- DOMAIN,api.notion.com,PROXY
- DOMAIN-SUFFIX,notioneusercontent.com,PROXYPrefer DOMAIN-SUFFIX when you are targeting a clear zone. Reserve DOMAIN-KEYWORD for noisy vendor substrings, because it is easy to over-capture unrelated traffic. After you add lines, re-open the test workspace and re-read the log: the policy column should be uniform across sibling fetches, not a checkerboard of PROXY and DIRECT.
Broad DOMAIN-SUFFIX,cloudfront.net,PROXY-style fallbacks are powerful and risky: they can steer unrelated services. Use them only when your capture justifies a shared edge family and you are prepared to log side effects in other apps.
9. What to look for in Mihomo or Verge live logs
Filter for notion and for host fragments your row seven table identified. A healthy run looks boring: a stable policy choice per bucket, with no sudden REJECT and no “direct hop” in the middle of a multi-request transaction.
Pay special attention to time ordering. A burst of PROXY to API names followed by DIRECT to a delivery name that your resolver maps differently is a frequent recipe for a half-hydrated page that never reaches “ready” in the app shell.
When a connection shows high latency and frequent reconnects, open the general Clash troubleshooting guide for generic core errors; return here for bucket coherence once the process actually reaches Clash.
10. Clash Verge style workflow: keep logs beside rules
Desktop clients that pair rule editors with live tables shorten the loop: edit, reload, trigger a Notion sync, reread. If the baseline UI is new, the Clash Verge Rev setup article covers first-run wiring so you are not fighting ports while debugging Notion.
Windows Defender Application Control and some endpoint suites inject their own network filters. If the log is suspiciously empty while Resource Monitor is busy, pause nonessential layers briefly to restore an honest view.
11. Flaky exits, not broken buckets
After buckets align, some tickets remain because the node itself flaps. Real-time and interactive surfaces punish reconnect storms: the API might succeed while long polling or websocket-style sessions reset when your strategy selects a new city every few seconds. Stabilize the exit, reduce hyperactive health checks on that destination, and re-test a heavy page with attachments.
Background on transport choice under loss lives in Shadowsocks vs Trojan vs Hysteria2—the goal is to match the stack to your packet-loss environment, not to crown one protocol globally.
12. WSL, Docker, and “works in curl, fails in app”
Developers often verify with curl -x in WSL while Notion runs natively. Those are different network namespaces on Windows. If that sounds familiar, read WSL2 and host Clash for bridging, but do not use a green WSL test as proof that the Notion app is fixed until the Electron binary shows the same policy rows.
13. How this differs from Microsoft Teams on the same PC
Our Teams and M365 CDN guide deals with a different control plane, identity stack, and media graph. Notion does not sign you in through the same hostnames, so paste-without-thinking is an easy way to create false confidence. Keep the same debugging discipline; swap the domain buckets for Notion’s log capture.
14. UWP, Store distribution, and loopback
If you also run distributed Notion or companion tools from the Microsoft Store ecosystem, the UWP loopback note for the Store may be relevant: packaged runtimes can ignore OS proxy in ways a classic Win32 build does not.
15. Windows-only checks: hosts file, DNS cache, and browser extensions
On Windows, a few system-level gotchas masquerade as Notion bugs. A stale line in the hosts file can pin an edge to a blackholed or outdated IP, which looks exactly like a broken Notion CDN from Clash’s perspective even when every rule in your profile is “correct.” Before you ship YAML to a team, compare what ping or nslookup reports for a captured hostname with what Clash’s resolver log shows. If Windows answers but Mihomo’s fake path disagrees, reconcile that first: either adjust nameserver policy or remove a conflicting hosts override.
Clearing the client DNS cache after resolver changes is cheap insurance: a stuck negative cache on the OS side can outlive your updated subscription by minutes, long enough to waste a long debugging session. Do the same mental exercise for browser-only testing: a privacy or “speed” extension that rewrites requests or forces DoH to a different upstream can make Chrome succeed while the desktop app still fails, which again points to environment bifurcation rather than to Clash split routing alone.
Corporate HTTPS inspection and endpoint TLS filtering deserve an explicit mention. If only Notion and a handful of SaaS products fail while raw IP tests succeed, ask whether a trust chain is being rewritten on the wire. In those cases, Clash is only one player in a stack that also includes a root certificate and filter driver you must account for; routing alone cannot paper over MITM that breaks application pinning expectations.
16. Open source and where to download
The Mihomo and Clash families publish source in public repositories for audit and community contribution. If you need protocol details or an upstream issue, follow those project links. For day-to-day installs, prefer this site’s download page for maintained desktop packages rather than chasing raw release assets in threads.
17. Close with the log, not with luck
Notion sync pain behind Clash is usually policy incoherence across API, app, and Notion CDN fetches, amplified by DNS and fake-ip mismatch—not a mystical ban on a single string like “Notion” in a keyword rule. On Windows, make visibility honest first, then make buckets coherent, then pin a stable exit. That sequence beats randomly swapping free nodes in hope.
Compared with opaque one-click “boost” utilities, a maintained Notion proxy profile inside Clash with readable logs gives you a defendable, repeatable fix when infrastructure shifts again. → Download Clash for free and experience the difference