AI-powered development tools have become essential for modern software engineering. Claude Code, OpenAI Codex CLI, Google Gemini CLI, GitHub Copilot, and Cursor IDE all depend on persistent API connections to US-based servers. In China, every one of these connections is a risk to your account if not properly protected.
The Three-Layer Protection Model
Safely using AI tools from China requires three simultaneous protections:
- OS-level traffic capture (TUN mode) -- ensures CLI tools cannot bypass the VPN
- Kill switch -- prevents any traffic during VPN disconnections
- Undetectable protocol -- prevents GFW from terminating the VPN and creating leak windows
Tool-by-Tool Setup
Claude Code (Anthropic)
Claude Code connects to api.anthropic.com via HTTPS. It makes frequent API calls during coding sessions -- sometimes multiple per second during file analysis. Each call carries your API key. Anthropic's risk control is the most aggressive of the three major AI companies.
Setup requirements:
- VPN must be in TUN mode before launching Claude Code
- Kill switch must be active
- Verify public IP shows non-China address before starting
- Use a private IP not associated with commercial VPN services
OpenAI Codex CLI
Codex connects to api.openai.com. OpenAI maintains blocklists of commercial VPN IP ranges -- connections from known NordVPN, ExpressVPN, or Astrill IPs are rejected regardless of the geo-location shown.
A private DigitalOcean IP in Singapore passes OpenAI's IP checks because it is from a standard hosting range, not a VPN range.
Google Gemini CLI
Gemini API is geo-restricted at the API level for China, Russia, and Iran. Google's detection is based on IP geolocation databases. A Singapore server IP resolves to Singapore in these databases, satisfying the geo-check.
GitHub Copilot
Copilot connects through Visual Studio Code or JetBrains IDE extensions. These are desktop applications that use system network settings -- a browser extension VPN will NOT capture Copilot traffic. TUN mode is required.
Cursor IDE
Cursor makes constant API calls to both Anthropic and OpenAI as you type. The frequency is high -- dozens of requests per minute during active coding. Even brief VPN interruptions expose multiple requests.
Common Mistakes
- Using a browser extension VPN: CLI tools bypass browser proxies entirely. Only TUN mode or system-wide VPN captures terminal traffic.
- Forgetting the kill switch: A 3-second VPN reconnection window can expose 5-10 API requests.
- Using a shared commercial VPN IP: Your connection may be clean, but other users on the same IP may have triggered blocklist additions.
- Running AI tools during VPN reconnection: If you see your VPN reconnecting, stop all AI tool activity until it stabilizes.
Daily workflow: Connect VPN (TUN mode + kill switch). Verify IP. Launch AI tools. Work. When done, close AI tools first, then disconnect VPN. Never reverse this order.