The symptom: “Connecting” with the tunnel “up”
People who tune split routing for work or school already know the uncomfortable shape of this bug. Browsers follow your expectations, a synthetic bandwidth test points at an offshore relay, and then one application stares at you with a single animated word: Connecting. On Telegram, that banner is not decorative—it means the client has not yet completed a coherent sequence of TLS handshakes, MTProto session bootstrap, and background fetches to the Telegram edge network. If any of those legs detours through DIRECT while you mentally filed everything as “foreign app traffic,” the UI can sit there indefinitely while half-open sockets time out. This is a different class of problem from voice-centric stacks such as Discord, where UDP and TUN get top billing: Telegram in its default client story is still dominated by TLS to documented hostnames, but the failure mode—policy inconsistency at match time—rhymes with every other single-app split guide we publish.
Your search for Clash Telegram routing is therefore not about a mythical secret port checkbox. It is about placing a handful of namespaces in a named lane, ordering that lane before aggressive geography heuristics, and aligning the resolver and dataplane so the t.me indirection, web shell, and native binary all read the same network map. The sections below build that map step by step.
What t.me actually does in the graph
t.me is not the entire Telegram product on its own. It is a high-visibility short link and landing surface. Clicking a t.me handle from a browser typically bounces you through HTTP redirects, Content Security headers, and eventually toward web.telegram.org or app-specific deep links, depending on platform. From a Clash rules perspective, that means you need explicit DOMAIN-SUFFIX treatment for t.me and the longer-lived API and web shells—treating t.me alone as “done” is how people end up with web previews that work while the installed client is still dead. A practical baseline covers at least telegram.org, t.me, web.telegram.org, core.telegram.org, and the desktop or mobile update surfaces your environment touches. Community RULE-SET or GEOSITE bundles may already alias many of these; the operational rule is to verify, not to assume, because your subscription reorders on refresh.
MTProto in one paragraph—why “MTProto rules” is not a magic keyword
MTProto is Telegram’s transport layer, typically carried over TLS on 443 in modern clients. When users say they need MTProto rules in a proxy context, they usually mean: ensure the flows that implement MTProto sessions to Telegram data centers are classified consistently, not that Clash must parse a proprietary framing header from scratch. A plain HTTP proxy on a single mixed port can still work when the app respects system or environment proxy settings, because those sessions are ordinary TCP+TLS to published names. The harder cases appear when a component ignores your proxy, when DNS routes disagree with the tunnel, or when you rely on IP-based classification without SNI—then you need a mode that can steer the whole IP flow, not just the hostname lines your YAML sees.
Do not conflate that with a third-party MTProto proxy (sometimes called MTProxy) that advertises a custom secret: that is a different server role entirely. This article focuses on the official Telegram service graph behind Telegram connecting through a general-purpose Clash stack, not on hosting your own MTProxy node.
Give Telegram a named policy group you can read in logs
Call the group TELEGRAM (or a label your mental model can grep). In proxy-groups, make it a select or url-test the way you would for any other sensitive foreign workload, then point your first-pass rules at that group. The YAML shape is unremarkable on purpose: maintenance wins when a future you can search for a single token. A minimal illustration—adapt names to your file—shows how DOMAIN-SUFFIX lines should reference the group while staying above broad geography short circuits:
# Illustrative; merge with your real proxies and group names
proxy-groups:
- name: TELEGRAM
type: select
proxies: [RELAY-1, RELAY-2, DIRECT]
rules:
- DOMAIN-SUFFIX,t.me,TELEGRAM
- DOMAIN-SUFFIX,telegram.org,TELEGRAM
- DOMAIN-SUFFIX,web.telegram.org,TELEGRAM
- DOMAIN-SUFFIX,core.telegram.org,TELEGRAM
# keep curated GEOSITE or RULE-SET imports below your hand-written overrides
# - GEOIP,CN,DIRECT
# - MATCH,FINAL
The key is not the exact four suffixes; it is the placements. If an imported GEOIP,CN,DIRECT line (or a country bucket from a public list) runs above your Telegram rows, a resolver that hands out an onshore anycast range can shunt a critical hostname to the wrong path while your connecting spinner blames a “bad node” on the other side of the world. If you are still learning how top-to-bottom matching and Fake-IP interact, read Clash YAML: routing rules, proxy groups, and Fake-IP before you let an auto-updated rule provider own the top of your file.
Rule order: win before GEOIP and noisy catch-alls
Clash and mihomo cores evaluate rules in order; the first match wins. Profiles tuned for domestic browsing often end with a tidy GEOIP or community list block that is perfect for general sites and dangerous for apps whose edges live in globally distributed anycast. The failure you feel as endless Connecting is sometimes just that: the database thinks an address is domestic, the packet obeys DIRECT, and your Telegram session can never meet the same exit you chose for a visible t.me test in the browser. Move explicit DOMAIN-SUFFIX and curated RULE-SET lines for the Telegram namespace above those geography shortcuts, and document the exception in a one-line comment so a 3:00 a.m. merge from a public profile does not silently shuffle them downward again.
When you combine multiple subscription fragments, think like code review: treat each import as a potential reordering bug. If you must pin stability, keep a local override file you append after you understand what the upstream changed—never the other way around on autopilot.
TUN versus system proxy and the mixed port
Many Telegram desktop builds honor the operating system’s system proxy when you enable it in your Clash front end. In that world, a working mixed port and correct Windows or macOS settings are enough to lift Telegram out of Connecting—until something in the graph still bypasses: a helper binary, a secondary updater, or a path that only resolves in the tray background. A full TUN or system-forwarding mode sends both TCP and UDP the same policy table the UI shows, which closes an entire class of “the main window works, the socket behind it does not” stories. On Windows specifically, if you have already waded through driver prompts and overlapping virtual adapters, our TUN, routing, and firewall article saves hours of false positives; half of the tickets that blame Clash actually trace to another VPN’s routes or a stale interface metric.
Mobile is its own book: iOS profiles and per-app policy differ sharply from a desktop you can sprinkle environment variables on. The invariant is unchanged—match the mode you advertise to what the Telegram binary can actually use.
DNS, Fake-IP, and the split-brain you cannot see
When a channel list appears once, then vanishes an hour later, the culprit is often a resolver that answered differently the second time. Fake-IP modes, nameserver-policy sections, and split upstream lists are powerful, but if your Telegram hostname resolves on one path while the tunnel forwards on another, you inherit intermittent Connecting states that defy a simple node swap. Keep DNS policy coherent with the interface applying your rules, simplify when debugging, and reintroduce complexity only with log lines in hand, not with folklore from a four-year-old forum post. If t.me opens in a tab while the app stalls, that asymmetry is a clue: the browser and the client are not even sharing the same resolution story.
Desktop, web.telegram.org, and phone clients: same brand, different edges
Reproducing on a single surface matters. A Chromium tab and an Electron or native Telegram app do not have identical network graphs; neither do Android and iOS sandboxes. Pick one, reproduce there, and align rules for that code path. Cross-contaminating test notes between a mobile session and a PC session is how you “fix” the wrong layer, declare success, and reopen the bug after the next client update rebalances hostnames. When you do need voice-like resilience, our Discord-oriented UDP guide is the contrast case: it foregrounds real-time media, whereas default Telegram text and attachment flows remain TLS-heavy. Borrow ideas about precedence and tunneling, not the specific suffix list, unless your logs show identical behavior.
When DOMAIN rules are not enough: IP-only legs
Some Telegram infrastructure is reached by raw IP, or the client may race multiple transports during poor connectivity. If your only tools are DOMAIN-SUFFIX rows, a stray flow that does not present a friendly hostname in the way your core expects can still miss the TELEGRAM group. TUN—with careful exclusion lists for banking or LAN—usually captures those flows. Reserve IP or ASN rules for log-backed cases; avoid giant static CIDR pastes you cannot maintain, especially when Telegram rotates data centers. Let measurements justify the complexity.
Copy-ready checklist (mental, not a substitute for your logs)
Run through the sequence in this order on a test profile before you merge it into the daily driver you rely on for everything else. First, confirm a dedicated TELEGRAM (or equivalent) policy group exists and that manual DOMAIN-SUFFIX lines for t.me, telegram.org, and the web and core shells sit above GEOIP and other broad rules. Second, check DNS and Fake-IP once, because resolver churn explains intermittent Connecting better than almost any node change. Third, decide between system proxy and TUN based on how completely the Telegram binary on your platform honors the former; when in doubt on Windows, a clean TUN test with other VPNs disabled is worth twenty blind toggles. Fourth, reread the connection or debug view your GUI offers and verify that the policy that fires is the one you think you wrote—Clash rewards readers, not wishful thinking. Fifth, avoid mixing MTProxy server experiments into the same edit session; isolate variables.
Acceptable use
Split routing is for making legitimate traffic paths predictable and auditable, not for evading law enforcement, workplace security policy, or service terms. When operators publish required allowlists, coordinate with them. Use these techniques to get Telegram working as the communication tool it is, not to abuse anyone else’s network.
Closing: align names, then align the plane
In 2026, the durable fix for Telegram connecting behind Clash is still a readable story: give the Telegram namespace a dedicated lane, keep MTProto traffic and t.me indirection inside that lane by rule order, and make DNS, TUN, and the system proxy agree on the same world map. That combination is what people really mean when they search for Clash Telegram split answers that do not fall apart the next time a public profile rewrites itself overnight.
Compared with opaque one-click clients, Clash-family cores show connection decisions you can interrogate. When you want a maintained installer alongside logs you can read, start from our download page so the core and UI you test against stay aligned. → Download Clash for free and experience the difference.