1 Why “Figma” is a bundle of different network needs
Figma and FigJam in the browser, and the Electron-based desktop build, are best understood as a small fleet of services glued together by a single product experience. The canvas itself talks to Figma’s own APIs, but a typical session also touches identity providers, marketing pages, HTTPS to font repositories, and large static blobs for plugin runtimes and community add-ons. When you route everything through a single “proxy” with no split tunnel thought, a flaky exit node on one destination can make another symptom look like a product bug: the editor might load while comments stop updating, or the app shell appears while Google sign-in never finishes a redirect.
A Clash-compatible client with a Mihomo core gives you two things designers rarely name explicitly: ordered rules and readable logs. Your goal is not to send “the Internet” to one node; it is to make sure the handful of design collaboration dependencies share a coherent path, while everyday browsing or work-specific intranet hosts stay on policy-correct direct routes. This article is written for teams who already have a working subscription; it does not try to be a GeoIP catalog for every Figma CDN—because those subdomains change—instead it shows how to discover and codify what your own sessions actually use.
Compliance with your employer, school, and local law is on you. The techniques here describe how to route and observe application traffic, not how to evade access controls. If a network blocks a service outright, a proxy is not a substitute for authorization. Keep that frame while reading the rule provider examples; they are templates for a lab or a permitted environment, not one-size-fits-all bypasses.
2 Start by reading what Figma really connects to
Before pasting a twenty-line YAML fragment from a forum, open the connection window in your Clash client (or a dashboard like YACD connected to a properly locked external-controller on 127.0.0.1) and reproduce the pain: open a file, install a plugin from the community, sign out and sign back in, and watch DOMAIN names stream past. You are looking for patterns: a cluster under figma.com and figma.io-style hosts, occasional third-party CDNs, and, if you use Google or SSO, a parallel cluster around identity providers. If the log stays empty while the browser is clearly “online,” the traffic is not traversing the core you think it is, which is almost always a system proxy or TUN configuration gap, not a missing DOMAIN-SUFFIX line.
Export or screenshot the first-level hostnames, then add them explicitly ahead of a broad GEOIP or MATCH rule. The advantage of a rule provider is that you can update the list on disk or from a URL when your team notices a new CDN name after a product deploy. Static community lists for “design tools” help as a starting point, but the authoritative source for your room is the log you just produced on your own desktop in your own account tier.
SameSite flows split across two exits. If only fonts render as fallbacks, suspect font CDNs on a different path than the main app. If cursors and presence stutter, suspect long-lived WebSocket traffic and UDP-unfriendly nodes.
3 A maintainable rule provider skeleton
In Clash and Mihomo, a rule-providers entry points at a file that is mostly a list of DOMAIN and DOMAIN-SUFFIX lines, which you can hand-edit or source from a generator. The pattern below is intentionally minimal: it routes first-party Figma hosts and common Google identity endpoints to a 🎯 Proxy group name you should rename to match your own profile, while leaving a final MATCH decision to the rest of your policy file. You must merge this with your existing proxy-groups and rules ordering—rules are first-match-wins, so place these before a catch-all that sends unknown domains to the wrong place.
rule-providers:
figma-design:
type: file
path: ./rules/figma.txt
behavior: classical
interval: 86400
rules:
- RULE-SET,figma-design,🎯 Proxy
# ... your other rules, then MATCH
The companion ./rules/figma.txt file, in classical format, can begin with a tiny seed list and grow as you learn. A conservative opening set often includes first-party suffixes and leaves room for exact hosts you see in the log, for example DOMAIN-SUFFIX,figma.com and DOMAIN-SUFFIX,figmaapi.com if your session references it, plus any DOMAIN lines for short-lived CDN hostnames. Some enterprises run split views of the same URL between regions; in that case you might route Figma to a url-test group while keeping personal browsing on a cheaper pool. The architecture is the same: explicit rows first, generic buckets later.
If you prefer a remote http rule provider, treat it like any other subscription: verify the source, pin TLS expectations, and refresh on a schedule that matches how often the vendor changes CDN front doors. A stale provider that omits a new shard name is a classic reason new features appear “for everyone else” while your session is stuck on a half-upgraded plugin or script bundle.
4 Sign-in, browsers, and OAuth edges
Figma’s account flows can bounce between the web URL space and third-party OAuth such as Google or Apple, depending on how you authenticate. A mistake people make is routing only figma.com through a good exit while the OAuth consent screen loads from another domain on a noisier node. Browsers (and the embedded Chromium shell inside the desktop app) treat that as a single logical login; if the middle hop is slower or gets reset, you see endless spinners or a successful password screen with no file access afterward.
The practical response is to extend your rule provider with the identity hosts you observed during a clean login, which often include accounts.google.com and related Google cookie endpoints when using Google, or Apple domains if you use “Sign in with Apple.” You do not have to overfit every Google property—only the ones the login tab actually hit. For pure email-and-password Figma logins, the set is usually smaller, but the same debugging recipe applies: watch the log during failure, not during success.
Enterprise SSO and internal IdPs
In corporate deployments, a company IdP and device posture checks add more hops. Keep those on direct or corporate VPN paths if security policy says so, and do not indiscriminately send “all HTTPS” to a consumer exit. Split tunnel is not about cheating speed tests; it is about keeping the authentication channel exactly where your security team intended.
5 Web fonts, static assets, and the plugin marketplace
Visual fidelity issues—substituted typefaces, missing icons, or half-styled FigJam templates—frequently come from blocked or time-out fetches to font CDNs, JavaScript delivery networks, and versioned static URL trees, not from the Figma file server itself. The editor may be “up” while a stylesheet never arrives, so you get odd spacing and a broken plug-in bar. The fix is the same as for any CDN-heavy web app: include those hostnames in the same proxy group you trust for the main product, and verify on a second machine that the behavior is reproducible, which rules out a single corrupted cache.
The plugin marketplace and community plugin installs add more moving parts. Some plugin runtimes are downloaded as bundles or executed in sandboxed contexts; you may see additional domains not obviously branded as Figma, especially for analytics the author bundled. Again, the log is authoritative. When you are unsure whether a sketchy URL is essential, test with the plugin disabled, then re-enable and compare—security-conscious teams will appreciate that you can name the extra endpoints instead of routing “everything” with a sledgehammer.
6 Realtime collaboration, FigJam, and long-lived links
Design collaboration in 2026 still feels instant because of low-latency, long-lived connections that synchronize presence, cursors, and object edits. When those WebSocket-class flows ride on a path with aggressive NAT timeouts, lossy UDP assumptions, or an exit that strips upgrade headers, your board may “look” saved while you are the only person who can see your changes. FigJam sessions share the same class of problem: sticky notes and timers feel flaky when the channel behind them is not as stable as ordinary HTTPS fetches to a marketing page.
If your clash profile has a sniffer and TUN stack misaligned with DNS FakeIP settings, you can also get mysterious disconnects: the desktop client thinks a name resolves one way on first connect and a different way after sleep/wake. For deep resolver tuning beyond the basics here, the Meta core DNS leak prevention guide walks through patterns that work well with Mihomo in production-like setups, including how to keep application-layer and kernel-layer views consistent.
7 Desktop app routing and PROCESS-NAME on Windows and macOS
Browsers are relatively obedient about system proxy settings. The Figma desktop shell, like other Electron apps, may ignore some of those hints unless the OS or your client forces a capture path, which is one reason TUN is popular. When you need a surgical rule—only the Figma binary uses a special exit—Clash and Mihomo support process-based match keys on some platforms, such as PROCESS-NAME on Windows for Figma.exe and equivalent mechanisms on macOS for applications inside the .app bundle.
The detailed mechanics differ by OS and core build, and mis-specified process rules silently fail, so read the focused walkthrough on Clash process name routing on Windows before you rely on that alone. A robust baseline is still TUN or system capture plus good DOMAIN policy; PROCESS-NAME is a refinement when you are sure a particular binary is the only consumer you want to move.
Figma.exe will not help if the user launches from a different helper or an beta channel with another executable name.
8 DNS, sniffer, and when TUN is simpler
A recurring theme in Clash Meta support threads is “works in the browser, fails in the app,” which often means two different DNS paths. The operating system stub resolver might answer directly while the core uses FakeIP, or a sniffer tries to map flows back to domain rules after the fact. For design tools that make parallel connections, those mismatches are brutal. The fix is to choose one story: let the core own DNS with a clear nameserver policy, or disable the conflicting stub path on that machine for testing. Our Clash Verge Rev TUN mode guide is the right next click when you are ready to route the whole workstation through the stack so Electron and the shell agree on the same table.
On macOS and Windows 11, also remember that firewalls, “smart” VPN clients, and Hyper-V or WSL2 virtual switches can create secondary interfaces that split tunnel policies forget. A quick sanity check: with your profile loaded, can you curl a small HTTPS resource from the same user session that launches Figma, and do you see the expected exit IP in the client log? If not, clean that up before you tune another rule-providers file.
9 Troubleshooting checklist for Figma and Clash
- “Cannot access file” right after a clean install: Confirm the sign-in OAuth tab finished on the same logical route as the editor; add missing identity domains to your rule provider.
- Plugins fail to run or auto-update on one network only: Watch for extra marketplace and script CDN names in the log, then add them explicitly instead of increasing timeout blindly.
- Live cursors jump or vanish while images load fine: Test another exit in the same proxy group; longRTT and lossy nodes harm realtime channels more than one-off fetches. Consider a
url-testorfallbackgroup for design traffic. - Flaky behavior only on the desktop app: Compare with the browser. If the browser is perfect, suspect Electron bypassing system proxy—pivot to TUN or a verified PROCESS-NAME rule, per the Windows process-routing article.
- Everything broke after a VPN update: Revisit interface metrics and DNS leak settings; corporate stacks often reinsert themselves above user-space proxy layers.
10 Wrap-up
Figma and FigJam in 2026 are still best described as a design collaboration platform on top of a very chatty web and desktop platform: sign-in flows, web fonts, plugin marketplace assets, and realtime channels all benefit when your Clash or Mihomo profile encodes what you have actually seen in logs, not what a generic list from last year assumed. A small rule provider that you own, a predictable DNS story, and optional TUN or PROCESS-NAME refinements are enough to make “works on my home ISP” turn into “works in the design office too,” without trading away compliance for convenience.
Compared with a single-tunnel VPN that blasts every URL out the same exit, a maintained clash client keeps latency-sensitive FigJam sessions and bulk CDN downloads on routes you can reason about, and the same stack scales to the rest of your 2026 tool chain when you are ready. If you still need a reliable installer and updates, the project’s download hub lists desktop builds; treat third-party GitHub release pages as reference for source and issues, not as your only distribution story.
When the network is boring again, the canvas can be interesting instead—and that is the point of investing an afternoon in split rules for design tools you rely on every day.
