FLCLASH + WireGuard + WSTUnnel Stable Configuration Practice (3): Google Play download problem solving

⚠️ Experimental description (important)

This article is the third part of a series of practice, continuation(1): The principle of minimalism and the construction of the first editionAnd(2): DNS minimum correctionexperimental technical exploration.

The current configuration is still in the validation stage:

• Not guaranteed to apply to all network environments
• It is not recommended to directly copy for production or critical business
• The main purpose is to verify the feasibility of ‘simple rule model + minimum DNS overwriting’

The network environment, DNS behavior and VPS line quality in different regions will have an impact on the final effect. If it runs stably in the future, this description will be removed in the final chapter, and it will be released as a reference stable plan.

1. Problems

When using flclash (the Android client of the Clash Meta core) with the self-built ZgoCloud + Wstunnel + Wireguard scheme, I have a typical problem:

• Play Store Page: You can open and browse normally.
• App Updates/Downloads: After clicking ‘Update’, the application has been stuck in the ‘Waiting’ state, there is no download progress, and finally fails.

At the same time, the same set of Clash Verge Rev works perfectly on a Windows computer——Google access is normal, and the web version of the Play Store can also be opened. Only the Play Store app on Android phones cannot be downloaded.

The problem positioning

On this issue, I am in another blogCan’t update the Play Store app after self-built VPN? Don’t toss wstunnel, the problem is in the Clash diversion rules’There is a detailed analysis, and the core conclusion is:

The root of the problem is not in wstunnel or network link, but in that the clash shunting rules are not detailed enough.

The specific solution is to adjust the order of the rules – will geosite, google, proxy Put on geosite, private before.

The solution

3.1 Core changes

On the basis of v2 configuration, just add one row of rules and adjust its position:

rules:
  # Wstunnel 服务器 IP 强制直连
  - IP-CIDR,154.21.196.249/32,DIRECT,no-resolve

  # ===== 关键：Google 服务走代理（必须放在 GEOSITE,private 之前） =====
  - GEOSITE,google,Proxy

  # 本地/私有网络直连
  - GEOSITE,private,DIRECT
  - GEOIP,private,DIRECT,no-resolve
  ...

rules:
  # Wstunnel 服务器 IP 强制直连
  - IP-CIDR,154.21.196.249/32,DIRECT,no-resolve

  # ===== 关键：Google 服务走代理（必须放在 GEOSITE,private 之前） =====
  - GEOSITE,google,Proxy

  # 本地/私有网络直连
  - GEOSITE,private,DIRECT
  - GEOIP,private,DIRECT,no-resolve
  ...

3.2 Why put it in geosite, private before?

Measured found: geosite, google, proxy Put on geosite, private Before, the PLAY store download is back to normal; put in geosite,cn It doesn’t work afterwards.

3.3 Final Profile (V3)

The full configuration has been uploaded to GitHub:shuijingwan/clash-config

# ==============================================
# ZgoCloud + Wstunnel + WireGuard
# MetaCubeX 极简稳定版 v3 (Google Play 优化)
# 兼容：Clash Verge Rev / FlClash
#
# 特点：
# - 最小化 DNS 覆写（仅防污染）
# - 不使用 SMTP / YouTube 特殊规则
# - 基于 GEOSITE + GEOIP
# - 结构最小化，便于排错
#
# 调整：将 GEOSITE,google 前置到 private 之前，
#       确保 Google 服务优先走代理（实测可解决 Play 下载问题）。
# ==============================================

# ----- 通用设置 -----
profile:
  store-selected: true # 记住用户在 Proxy 组中手动选择的节点（重启后不丢失）

# ----- DNS 最小覆写（防污染） -----
dns:
  # 国内域名解析：使用阿里公共 DNS over HTTPS，直连不经过代理
  nameserver:
    - https://dns.alidns.com/dns-query

  # 【关键】让所有 DNS 查询（特别是 fallback）都通过代理组 Proxy 发出，避免本地 DNS 污染
  proxy: Proxy

  # 境外域名解析：使用 Cloudflare DNS over TLS，解析结果由代理隧道保护
  fallback:
    - tls://1.1.1.1:853

  # 只让非中国 IP 的域名使用 fallback，国内域名强制走 nameserver
  fallback-filter:
    geoip: true
    geoip-code: CN

# ----- 代理节点定义 -----
proxies:
  - name: ZgoCloud-WG # 节点名称，可自定义
    type: wireguard # 类型：WireGuard
    server: 127.0.0.1 # 【必须修改】WireGuard 服务器的地址（此处为本地 wstunnel 映射端口）
    port: 51820 # 【必须修改】WireGuard 端口

    ip: x.x.x.x # 【必须修改】分配给本机的 WireGuard 内网 IP

    public-key: xxx # 【必须修改】服务器公钥
    private-key: xxx # 【必须修改】本机私钥
    pre-shared-key: xxx # 【必须修改】预共享密钥

    udp: true # 启用 UDP 转发
    mtu: 1280 # MTU，若遇部分网站卡顿可尝试调整为 1200 或 1000

# ----- 代理组 -----
proxy-groups:
  - name: Proxy # 代理组名称，被分流规则引用
    type: select # 类型：手动选择
    proxies:
      - ZgoCloud-WG # 主代理节点
      - DIRECT # 直连（不走代理）

# ----- 分流规则（基于地理数据集） -----
rules:
  # Wstunnel 服务器 IP 强制直连，避免隧道自身流量回环（no-resolve 表示仅匹配 IP 规则，不触发 DNS 解析）
  - IP-CIDR,154.21.196.249/32,DIRECT,no-resolve # 【必须修改】替换为你的 Wstunnel 服务器公网 IP

  # ===== 关键：Google 服务走代理（必须放在 GEOSITE,private 之前） =====
  - GEOSITE,google,Proxy

  # 本地/私有网络直连
  - GEOSITE,private,DIRECT
  - GEOIP,private,DIRECT,no-resolve

  # 中国大陆域名和 IP 直连，保证国内访问速度
  - GEOSITE,cn,DIRECT
  - GEOIP,CN,DIRECT,no-resolve

  # 所有非中国大陆域名走代理
  - GEOSITE,geolocation-!cn,Proxy

  # 未匹配到任何规则的流量，默认走代理（防止泄漏）
  - MATCH,Proxy

# ==============================================
# ZgoCloud + Wstunnel + WireGuard
# MetaCubeX 极简稳定版 v3 (Google Play 优化)
# 兼容：Clash Verge Rev / FlClash
#
# 特点：
# - 最小化 DNS 覆写（仅防污染）
# - 不使用 SMTP / YouTube 特殊规则
# - 基于 GEOSITE + GEOIP
# - 结构最小化，便于排错
#
# 调整：将 GEOSITE,google 前置到 private 之前，
#       确保 Google 服务优先走代理（实测可解决 Play 下载问题）。
# ==============================================

# ----- 通用设置 -----
profile:
  store-selected: true # 记住用户在 Proxy 组中手动选择的节点（重启后不丢失）

# ----- DNS 最小覆写（防污染） -----
dns:
  # 国内域名解析：使用阿里公共 DNS over HTTPS，直连不经过代理
  nameserver:
    - https://dns.alidns.com/dns-query

  # 【关键】让所有 DNS 查询（特别是 fallback）都通过代理组 Proxy 发出，避免本地 DNS 污染
  proxy: Proxy

  # 境外域名解析：使用 Cloudflare DNS over TLS，解析结果由代理隧道保护
  fallback:
    - tls://1.1.1.1:853

  # 只让非中国 IP 的域名使用 fallback，国内域名强制走 nameserver
  fallback-filter:
    geoip: true
    geoip-code: CN

# ----- 代理节点定义 -----
proxies:
  - name: ZgoCloud-WG # 节点名称，可自定义
    type: wireguard # 类型：WireGuard
    server: 127.0.0.1 # 【必须修改】WireGuard 服务器的地址（此处为本地 wstunnel 映射端口）
    port: 51820 # 【必须修改】WireGuard 端口

    ip: x.x.x.x # 【必须修改】分配给本机的 WireGuard 内网 IP

    public-key: xxx # 【必须修改】服务器公钥
    private-key: xxx # 【必须修改】本机私钥
    pre-shared-key: xxx # 【必须修改】预共享密钥

    udp: true # 启用 UDP 转发
    mtu: 1280 # MTU，若遇部分网站卡顿可尝试调整为 1200 或 1000

# ----- 代理组 -----
proxy-groups:
  - name: Proxy # 代理组名称，被分流规则引用
    type: select # 类型：手动选择
    proxies:
      - ZgoCloud-WG # 主代理节点
      - DIRECT # 直连（不走代理）

# ----- 分流规则（基于地理数据集） -----
rules:
  # Wstunnel 服务器 IP 强制直连，避免隧道自身流量回环（no-resolve 表示仅匹配 IP 规则，不触发 DNS 解析）
  - IP-CIDR,154.21.196.249/32,DIRECT,no-resolve # 【必须修改】替换为你的 Wstunnel 服务器公网 IP

  # ===== 关键：Google 服务走代理（必须放在 GEOSITE,private 之前） =====
  - GEOSITE,google,Proxy

  # 本地/私有网络直连
  - GEOSITE,private,DIRECT
  - GEOIP,private,DIRECT,no-resolve

  # 中国大陆域名和 IP 直连，保证国内访问速度
  - GEOSITE,cn,DIRECT
  - GEOIP,CN,DIRECT,no-resolve

  # 所有非中国大陆域名走代理
  - GEOSITE,geolocation-!cn,Proxy

  # 未匹配到任何规则的流量，默认走代理（防止泄漏）
  - MATCH,Proxy

4. Verification results

After the configuration modification is completed, after reloading the Clash:

View real-time request logs in flclash, all Play Store-related requestsAll go to the agent, the download works normally:

tcp://play-fe.googleapis.com:443  → ZgoCloud-WG / Proxy
tcp://rr2---sn-a5mekn6l.xn--ngstr-Ira8j.com:443 → ZgoCloud-WG / Proxy
tcp://services.googleapis.cn:443  → ZgoCloud-WG / Proxy
tcp://connectivitycheck.gstatic.com:443 → ZgoCloud-WG / Proxy

tcp://play-fe.googleapis.com:443  → ZgoCloud-WG / Proxy
tcp://rr2---sn-a5mekn6l.xn--ngstr-Ira8j.com:443 → ZgoCloud-WG / Proxy
tcp://services.googleapis.cn:443  → ZgoCloud-WG / Proxy
tcp://connectivitycheck.gstatic.com:443 → ZgoCloud-WG / Proxy

This is exactly the expected behavior:geosite, google The rule will uniformly identify Google-related domain names as proxy traffic, and the complete communication link of the Play Store will be established, and the download will return to normal.

5. Summary

Looking back at the entire investigation process, the biggest lessons are:

Don’t attribute the problem to the underlying network too early.

Wstunnel, although the long link, is not the root cause of the play update to get stuck. The real crux of the Sequence of Clash shunting rules.

In the end, only one line of configuration was changed.– will geosite, google, proxy Put on geosite, private before. This is the power of ‘minimalized configuration’: the problem is in the order of the rules, rather than the need to build up complex DNS overwrites or sets of external rules.

The complete code of the three configurations of this series has been uploaded to GitHub:
👉 shuijingwan/clash-config

Welcome to STAR and FORK, and welcome to submit ISSUE discussions.

Related reading:

• (1): The principle of minimalism and the construction of the first edition
• (2): DNS minimum correction
• Can’t update the Play Store app after self-built VPN? Don’t toss wstunnel, the problem is in the Clash diversion rules