Fix Gemini CLI Pull Timeouts: Route Google and npm Domains in Clash (2026)

1. Why the CLI Problem Differs from “Gemini in Chrome”

Browsers and terminal tools do not share identical stacks. Chromium may negotiate QUIC while your Node client stays on TCP TLS. A profile tuned only for what you saw in DevTools can still leave npm on an ISP path that rate-limits registry connections. Meanwhile Gemini CLI sessions may call generativelanguage.googleapis.com, touch googleapis.com adjacency, and bounce through account flows on familiar google.com properties. If any of those names resolve outside your mihomo resolver while the tunnel is active, you will stare at “everything looks proxied” in the GUI while the shell did something else entirely.

Another difference is observability. Browser failures produce rich network panels; terminal tools often print a single timeout after tens of seconds. That is why we insist on live connection logs in Clash Verge Rev, Mihomo Party, or any UI that exposes per-flow decisions. Guessing wastes time; logging turns the problem into engineering.

Readers who already followed the Gemini QUIC article should treat that guide as the consumer-web complement: turn off HTTP/3 when Chromium misbehaves, ensure broad Google AI rows exist, then return here for package-manager and API naming that the browser never had to download.

2. Symptoms: npm Stalls Next to API Timeouts

Most bug reports are combinations, not single stack traces. npm install spins on metadata while Google AI requests succeed, or packages finish quickly yet every model round trip ends in a client-side timeout. Those shapes scream split routing: two destinations, two policy outcomes, or one destination resolved twice through different pipelines. Occasionally the pattern is environmental: one terminal inherited HTTP_PROXY, another did not; WSL resolved through a different resolv.conf than Windows; Docker Desktop introduced its own DNS short-circuit.

Before swapping airport nodes, write down the hostnames on the failing flows. If the same suffix alternates between your dev group and DIRECT across retries, your YAML merge order—not upstream congestion—is the culprit. If failures appear only after a subscription refresh, diff the imported file: a newly inserted GEOIP shortcut above your personal overrides can swallow flows that used to match.

Finally, separate entitlement from transport. API keys, Workspace restrictions, and regional product availability still matter. This article removes self-inflicted networking drift from legitimate accounts; it does not circumvent Google’s terms or magically unlock regions your administrator blocked.

3. Hostnames to Pin From Your Own Logs

Treat the following as a seed list you refine with evidence. Consumer and developer surfaces evolve; your client log after one failed Gemini CLI invocation is authoritative. API traffic frequently includes generativelanguage.googleapis.com and other *.googleapis.com names depending on whether you use AI Studio, Vertex, or enterprise endpoints. Documentation and OAuth may touch ai.google.dev, aistudio.google.com, or accounts.google.com. Static assets often land on gstatic.com or www.google.com adjacency—capture what you actually see rather than copy-pasting a decade-old hosts file from a forum.

Package management amplifies the surface area. Beyond registry.npmjs.org, scoped packages or git dependencies may call github.com and objects.githubusercontent.com. If you route npm metadata through a solid exit but leave GitHub on a congested DIRECT path, the symptom still presents as “npm broke” even though the registry handshake succeeded instantly. Mirror the discipline from our MCP tooling article when your stack installs language servers or plugins beside the CLI.

Avoid lazy DOMAIN-KEYWORD spans unless you accept the blast radius. Prefer suffix rules you measured, widen deliberately, and document the rationale in your team notes so the next subscription import does not silently undo your work.

4. One Policy Group for the Whole Session

Create a dedicated select or conservative fallback group—call it “Gemini+Dev” or similar—that fronts nodes you trust for both API latency and registry throughput toward the regions your Google AI account expects. Avoid ultra-aggressive url-test pools that flap every minute; streaming responses punish oscillation even when speed tests look pretty. A modest primary with a fallback tail, tuned using the patterns in our url-test and failover guide, usually behaves better than constantly re-hashing connections mid-request.

Narrow naming buys observability. When something regresses after a client upgrade, you filter logs for that group and immediately see whether npm and Gemini hosts still share the bucket. If half the flows fell through to DIRECT, you fix ordering—not API keys.

If you merge commercial rule providers, keep a personal override file you actually read. Duplicate Google rows across merges create the worst failures: half the UI loads, the CLI fails, and newcomers assume “Google is down.”

5. Example YAML: Google AI + npm Rule Block

The snippet below is illustrative. Replace proxy group members and expand domains using your mihomo logs. Insert these rows before broad GEOIP shortcuts, consistent with our routing reference.

proxy-groups:
  - name: ✨ Gemini+Dev
    type: select
    proxies:
      - US-Dev-Primary
      - US-Dev-Backup
      - DIRECT

rules:
  - DOMAIN-SUFFIX,generativelanguage.googleapis.com,✨ Gemini+Dev
  - DOMAIN-SUFFIX,ai.google.dev,✨ Gemini+Dev
  - DOMAIN-SUFFIX,aistudio.google.com,✨ Gemini+Dev
  - DOMAIN-SUFFIX,registry.npmjs.org,✨ Gemini+Dev
  - DOMAIN-SUFFIX,npmjs.org,✨ Gemini+Dev
  - DOMAIN-SUFFIX,github.com,✨ Gemini+Dev
  - DOMAIN-SUFFIX,githubusercontent.com,✨ Gemini+Dev
  # Add accounts.google.com / googleapis siblings only if traces prove misses
  # ... GEOIP and MATCH follow ...

6. Rule Order Before GEOIP and MATCH

Rule order quietly kills otherwise perfect configs. If a GEOIP direct rule or a lazy MATCH line wins before your registry.npmjs.org entry, you will waste hours tuning nodes. Promote explicit developer suffixes above geography shortcuts, then retest. The same lesson appears across every serious mihomo playbook; the only variable here is the conjunction of Google AI and npm hostnames on one workstation.

When providers ship updates, inspect merge order. “It broke right after refresh” often means someone else’s keyword rule now precedes your hand-tuned rows. Version-control your overrides so you can see the diff immediately.

If IP-first flows require a sniffer to recover TLS Server Name Indication, reconcile that with your DNS mode. Our HTTPS SNI logging guide explains how to read evidence when connections hit rules before names materialize.

7. DNS, Fake-IP, and “Correct Rules That Never Fire”

Under fake-ip, applications may resolve names to synthetic addresses locally while DOMAIN-SUFFIX matching still works when the pipeline is coherent. If macOS, WSL, or a container bypasses the core resolver, you inherit “works here, fails there” behaviour. Align trusted upstreams inside mihomo, keep enhanced-mode semantics consistent, and resist the temptation to let random public resolvers “speed things up” outside the tunnel.

When symptoms resemble resolver schizophrenia, read fake-ip versus redir-host and choose deliberately. The wrong DNS mode mimics proxy failures no node will fix.

Windows deserves an extra beat: browser secure DNS and OS overrides can coexist with Clash in confusing ways. Our Chrome and Edge secure DNS note documents the pattern—one resolver story per machine, not three that race each other.

8. Terminal Proxy, npm, and Split Paths

Environment variables are deceptively simple. Node honours HTTP_PROXY and HTTPS_PROXY in many setups but not all transitive dependencies; some spawn bespoke HTTP agents. Meanwhile TUN mode can steer traffic without per-shell variables—if packets actually enter the tunnel and DNS stays aligned. The painful failure is mixed mode: stale proxy ports plus active TUN, yielding duplicated or divergent exits for the same logical request.

If you standardize on proxies for npm, document the combination alongside your mihomo group names. Our Windows npm and pnpm proxy article walks through split-tunnel shapes that map closely to AI CLI installs—especially mismatched HTTP versus HTTPS forwarding.

For automation spawned by editors or language servers, the effective binary may not be the shell you configured interactively. When uncertain, default to one strategy—usually TUN with verified DNS—then delete redundant environment knobs instead of multiplying them.

9. TLS, Registries, and Corporate Inspection

Sometimes the proxy is innocent. Corporate HTTPS inspection swaps trust anchors; captive portals intercept TLS; antivirus vendors shim sockets. The symptom still looks like a timeout from the CLI because handshake retries burn the clock. Compare behaviour on a clean network segment before rewriting fifty Clash lines. If only npm fails inside a VM while the host succeeds, suspect divergent trust stores rather than node quality.

Private registry mirrors and verdaccio-style proxies add another twist: the hostname is no longer registry.npmjs.org. Mirror those exact hosts in your rule set or your “npm works, Gemini fails” story inverts overnight when someone toggles npm config set registry.

Keep CA bundles for Node aligned with your OS when you terminate TLS locally. A manual NODE_EXTRA_CA_CERTS hack without engineering review tends to become tomorrow’s outage.

10. How This Fits Beside MCP and Claude Code Guides

We publish narrow guides so readers are not forced through one giant page. The MCP stack article centres Model Context Protocol installs; the Claude Code piece foregrounds Anthropic naming. This entry targets Gemini CLI and Google AI keyword intent while reusing the same engineering habits: log hostnames, respect rule order, unify DNS, keep npm on-path.

If your team collapses multiple vendors into one outbound, document which commercial terms apply to which traffic. Auditable YAML beats anonymous cleverness during an incident.

11. Verification Checklist

After upgrades or mysterious Tuesday-only failures, walk this list before opening another support ticket:

If each item passes and Google still rejects traffic, pivot to quotas, billing, or admin policy—not another blind node lottery.

12. Frequently Asked Questions

Closing Thoughts

Gemini CLI reliability is less about chasing mythical “faster nodes” and more about predictable plumbing: explicit hostnames from logs, Clash rows that win before geography shortcuts, DNS that agrees with fake-ip, and one steady policy group that carries both Google AI calls and npm fetches. Generic VPN apps often force coarse all-or-nothing tunnels and hide per-domain decisions; consumer “one-click” proxies rarely expose the mihomo-style connection evidence you need when a terminal tool stalls. Compared with those black boxes, a maintained Clash Meta desktop client gives the rule granularity and observability that AI developer workflows assume—provided you actually align the YAML with how your shell resolves names.

When you want a current installer and ecosystem that tracks the Meta core, start from our download hub, then layer DNS overrides and domain rules in that order rather than hoping a random upstream profile guessed your toolchain correctly. → Download Clash for free and get a client built for serious routing workflows