Advanced Configuration · In-Depth Core Features Guide

Deep Dive into Clash Core Advanced Settings

Master TUN mode, rule-based routing, DNS anti-pollution, subscription management, and latency testing to unlock Clash's full potential

TUN Mode

TUN (network tunnel) mode creates a virtual network adapter at the kernel level, intercepting all TCP/UDP traffic at the driver layer for true global proxying — applications do not need to natively support proxy protocols.

When should you enable TUN mode?
  • Game clients (Steam, Epic, UPlay) ignore the system proxy, causing high latency or connection failures
  • Command-line tools like git clone, npm install, and pip install cannot use the proxy
  • Electron apps (VS Code, Discord) send internal requests that bypass the system proxy
  • You need to proxy UDP traffic (voice calls, DNS-over-UDP, game UDP protocols)

How to Enable TUN Mode

1. Launch the client as administrator. TUN mode installs a virtual network adapter at the driver level and requires administrator privileges on first launch. On Windows, right-click and select "Run as administrator"; on macOS, approve the system authorization dialog.
2. Enable TUN in client Settings. In Clash Verge Rev, go to Settings → System Settings → TUN Mode and toggle it on. On first use, you will be prompted to install the driver (wintun.dll on Windows, a kernel extension on macOS); follow the prompts to complete authorization.
3. Enable TUN in the config file (optional fine-tuning). YAML configuration lets you precisely control TUN operating mode, DNS hijacking, and routing rules.

TUN Configuration Example

YAML config.yaml
# TUN mode configuration
tun:
  enable: true
  stack: mixed        # mixed = gVisor(UDP) + system(TCP), best compatibility
  auto-route: true    # auto-add routing rules for TUN interface
  auto-redirect: true # auto-redirect TCP connections (Linux)
  auto-detect-interface: true
  dns-hijack:
    - any:53           # intercept all DNS queries to prevent leaks
  strict-route: true  # stricter routing, prevents traffic bypass

Recommended stack value: mixed offers the best compatibility (TCP via system, UDP via gVisor); pure system delivers higher performance but weaker UDP support; gvisor provides the most complete UDP support but slightly higher CPU usage.

Note: With TUN enabled, all traffic passes through Clash. Make sure your rules include domestic direct rules (e.g. GEOIP,CN,DIRECT) to prevent domestic traffic from being proxied and slowing down.

YAML Rule-Based Routing

Clash uses the rules field in your config to control where each connection goes — domestic traffic direct, foreign traffic proxied, ad domains blocked. Rules are matched in order; the first match wins.

Rule Type Quick Reference

| Rule Type | Matches | Example |
|---|---|---|
| DOMAIN | Exact domain match | DOMAIN,google.com,PROXY |
| DOMAIN-SUFFIX | Domain suffix (includes subdomains) | DOMAIN-SUFFIX,github.com,PROXY |
| DOMAIN-KEYWORD | Domain contains keyword | DOMAIN-KEYWORD,google,PROXY |
| IP-CIDR | IP address range | IP-CIDR,192.168.0.0/16,DIRECT |
| GEOIP | IP geolocation (country/region) | GEOIP,CN,DIRECT |
| RULE-SET | External rule-set file | RULE-SET,reject,REJECT |
| MATCH | Catch-all rule (must be last) | MATCH,PROXY |
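
The first-match-wins evaluation described above can be checked against a rule list before deploying it. The following is an added example, not Clash's own code: it models only DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD, IP-CIDR and MATCH (GEOIP and RULE-SET need external data), and the rule list and function names are constructed for illustration.

```python
import ipaddress

# Constructed rule list in the page's TYPE,VALUE,POLICY form (MATCH has no value).
RULES = [
    "DOMAIN,google.com,PROXY",
    "DOMAIN-SUFFIX,github.com,PROXY",
    "DOMAIN-KEYWORD,google,PROXY",
    "IP-CIDR,192.168.0.0/16,DIRECT",
    "DOMAIN-SUFFIX,cn,DIRECT",
    "MATCH,PROXY",
    "DOMAIN-SUFFIX,ads.example,REJECT",  # placed after MATCH: never reached
]

def rule_hits(rule_type, value, host):
    """Return True if one rule matches the destination (domain or IP literal)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if rule_type == "MATCH":
        return True
    if rule_type == "IP-CIDR":
        return ip is not None and ip in ipaddress.ip_network(value, strict=False)
    if ip is not None:
        return False  # domain rules never match an IP literal
    host = host.lower().rstrip(".")
    if rule_type == "DOMAIN":
        return host == value
    if rule_type == "DOMAIN-SUFFIX":
        # Label boundary: github.com and *.github.com, but not notgithub.com
        return host == value or host.endswith("." + value)
    if rule_type == "DOMAIN-KEYWORD":
        return value in host  # plain substring, the loosest domain rule
    return False  # GEOIP / RULE-SET are not modelled here

def route(host, rules=RULES):
    """Walk the list top to bottom; return (policy, index) of the first hit."""
    for index, line in enumerate(rules):
        parts = line.split(",")
        value = parts[1] if len(parts) == 3 else ""
        if rule_hits(parts[0], value, host):
            return parts[-1], index
    return None, -1

def unreachable(rules=RULES):
    """Rules listed after the first MATCH can never fire."""
    for index, line in enumerate(rules):
        if line.split(",")[0] == "MATCH":
            return rules[index + 1:]
    return []
```

Running `unreachable()` over a real rule list is a quick way to spot block rules that were appended below the catch-all and therefore never apply.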

Complete Routing Configuration Example

YAML config.yaml
# proxy groups
proxy-groups:
  - name: PROXY
    type: select
    proxies:
      - Auto-Speed-Test
      - HK-01
      - US-01

  - name: Auto-Speed-Test
    type: url-test
    url: https://www.gstatic.com/generate_204
    interval: 300
    proxies:
      - HK-01
      - US-01

# rule-sets from community-maintained lists
rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400

  proxy:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
    path: ./ruleset/proxy.yaml
    interval: 86400

  direct:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
    path: ./ruleset/direct.yaml
    interval: 86400

# rules — matched top to bottom, first match wins
rules:
  - RULE-SET,reject,REJECT       # block ads/trackers
  - RULE-SET,direct,DIRECT       # CN domains → direct
  - RULE-SET,proxy,PROXY         # known proxy domains
  - DOMAIN-SUFFIX,cn,DIRECT
  - GEOIP,LAN,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,PROXY                  # everything else → proxy

Recommended community rule sets: Loyalsoldier/clash-rules is actively maintained and auto-updated daily, covering ad blocking, domestic direct routing, and foreign proxy scenarios, so no manual rule list maintenance is required.

DNS Anti-Pollution Setup

DNS pollution can cause foreign domains to resolve to incorrect IPs, leading to connection failures or traffic hijacking. Clash's built-in DNS module supports DoH / DoT encrypted resolution and can route domestic and foreign domains through different DNS servers for faster, more secure lookups.

Plain DNS (easily polluted)

Cleartext UDP on port 53 — ISPs can easily tamper with responses, pointing foreign domains to blocked or incorrect addresses.

DoH / DoT (encrypted DNS)

DNS-over-HTTPS or DNS-over-TLS: queries and responses are TLS-encrypted between the client and the resolver, so an ISP on the path cannot tamper with them, which prevents DNS pollution and hijacking in transit.

Recommended DNS Setup (Split Domestic/International Resolution)

YAML config.yaml
dns:
  enable: true
  ipv6: false
  listen: 0.0.0.0:53          # binds on every interface; use 127.0.0.1:53 if only this machine should query it
  enhanced-mode: fake-ip      # fake-ip prevents DNS leaks, recommended
  fake-ip-range: 198.18.0.1/16

  # Nameservers for domains NOT matched by nameserver-policy
  nameserver:
    - https://dns.google/dns-query       # Google DoH
    - https://cloudflare-dns.com/dns-query # Cloudflare DoH
    - tls://1.1.1.1:853                    # Cloudflare DoT

  # Fallback: used when nameserver returns potentially polluted result
  fallback:
    - https://dns.google/dns-query
    - https://doh.pub/dns-query             # Tencent DoH (fast in CN)

  # Fallback filter: if GEOIP is CN → use nameserver; else use fallback
  fallback-filter:
    geoip: true
    geoip-code: CN
    ipcidr:
      - 240.0.0.0/4

  # Policy: route specific domains to specific servers
  nameserver-policy:
    "geosite:cn":
      - https://doh.pub/dns-query   # fast domestic resolver for CN domains
      - 114.114.114.114
    "geosite:geolocation-!cn":
      - https://dns.google/dns-query
      - https://cloudflare-dns.com/dns-query

fake-ip mode (Recommended)

Assigns a fake IP to each domain — DNS resolves instantly locally, with the real address resolved at connection time. Prevents DNS leaks and delivers the fastest resolution speed.

redir-host mode (Compatible)

Resolves the real IP before establishing a connection. Better compatibility for apps that depend on real IPs, but carries a slight DNS leak risk.
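
The fallback-filter decision from the DNS config above ("if GEOIP is CN → use nameserver; else use fallback", plus the ipcidr list) can be written out as a small decision function. This is an added example and a simplified model, not Clash's resolver code; the GeoIP table is a constructed stand-in built on documentation address ranges, and all function names are hypothetical.

```python
import ipaddress

# Values taken from the dns.fallback-filter block above.
FILTER = {"geoip": True, "geoip-code": "CN", "ipcidr": ["240.0.0.0/4"]}

# Constructed stand-in for a GeoIP database. These are documentation
# ranges; the country labels are invented for this example.
FAKE_GEOIP = {
    "203.0.113.0/24": "CN",
    "198.51.100.0/24": "US",
}

def country_of(ip):
    """Look up the (constructed) country code for an address, or None."""
    for cidr, code in FAKE_GEOIP.items():
        if ip in ipaddress.ip_network(cidr):
            return code
    return None

def needs_fallback(answer, flt=FILTER):
    """True if the nameserver answer should be replaced by the fallback one."""
    ip = ipaddress.ip_address(answer)
    # Any answer inside a listed range is treated as polluted.
    if any(ip in ipaddress.ip_network(c) for c in flt["ipcidr"]):
        return True
    # With geoip on, only answers located in geoip-code are trusted.
    if flt["geoip"]:
        return country_of(ip) != flt["geoip-code"]
    return False

def pick_answer(nameserver_ip, fallback_ip, flt=FILTER):
    """Return the address the resolver would hand back under this filter."""
    return fallback_ip if needs_fallback(nameserver_ip, flt) else nameserver_ip
```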

Subscription Management & Auto-Update

A subscription URL is a link provided by your proxy service that returns a YAML config containing all node information. Using proxy-providers, you can reference multiple subscription sources directly in your config file and set automatic refresh intervals.

Method 1: Import Subscription URL Directly in the Client

1. Copy the Clash subscription link from your provider. Make sure you select the Clash / Mihomo format, not V2Ray or Shadowsocks. Subscription links typically start with https:// and return YAML content when fetched.
2. Import in Clash Verge Rev. Open the Profiles page → click the "+" button in the top-right → select "URL Import" → paste the subscription link → click "Download".
3. Set the auto-update interval. Right-click the imported profile → "Edit Info" → set "Auto Update" to 24 hours (recommended) to keep your node list current.

Method 2: proxy-providers (Merge Multiple Subscriptions)

For advanced users who use multiple providers or want to keep subscriptions separate from custom rules.

YAML config.yaml
# Reference multiple subscription sources
proxy-providers:
  AirportA:
    type: http
    url: "https://your-airport-a.com/clash/subscribe?token=xxx"
    interval: 86400         # refresh every 24 hours
    path: ./providers/airport_a.yaml
    health-check:
      enable: true
      interval: 600
      url: https://www.gstatic.com/generate_204

  AirportB:
    type: http
    url: "https://your-airport-b.com/clash/subscribe?token=yyy"
    interval: 86400
    path: ./providers/airport_b.yaml
    health-check:
      enable: true
      interval: 600
      url: https://www.gstatic.com/generate_204

# Use providers in proxy groups
proxy-groups:
  - name: PROXY
    type: select
    use:
      - AirportA      # include all nodes from AirportA
      - AirportB      # include all nodes from AirportB

  - name: Auto-Best
    type: url-test
    use:
      - AirportA
      - AirportB
    url: https://www.gstatic.com/generate_204
    interval: 300

Subscription link security tip: Subscription links contain your account token, so do not share them publicly. Reset your token periodically in your provider's dashboard, and replace it immediately if you notice unusual traffic.
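
Because the token sits in the subscription URL, a config pasted into a bug report or chat leaks it. The following is an added example, not part of Clash or any client: it blanks every URL query value in a config before sharing and lists which lines carried one. The sample text is constructed from the page's placeholder URLs, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s\"']+")

# Constructed sample built from the page's placeholder URLs.
SAMPLE = '''proxy-providers:
  AirportA:
    type: http
    url: "https://your-airport-a.com/clash/subscribe?token=xxx"
    health-check:
      url: https://www.gstatic.com/generate_204
'''

def redact_url(url):
    """Blank every query-string value; keep scheme, host, path and key names."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    query = urlencode([(k, "REDACTED") for k in keys])
    return urlunsplit(parts._replace(query=query))

def redact_config(text):
    """Return the config text with all URL query values redacted."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), text)

def urls_with_secrets(text):
    """List (line number, host) for every URL that carries a query string."""
    found = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            parts = urlsplit(match.group(0))
            if parts.query:
                found.append((number, parts.hostname))
    return found
```

Tokens that a provider embeds in the URL path rather than the query string are not caught by this check, and the cached files under ./providers/ hold node credentials as well, so treat them the same way.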

Common Subscription Issues

"No nodes" or empty node list after importing
Wrong subscription format: confirm it is Clash/Mihomo format, not V2Ray JSON or Shadowsocks. On your provider's "My Subscription" page, look for a link labeled "Clash" or "Mihomo". If the link is correct but the list is still empty, try manually clicking the "Update Subscription" button.

Subscription update failed with a network error
The subscription server itself may require a proxy to reach. In Clash Verge Rev, try enabling "System Proxy" before clicking update subscription, or enable the "Update subscription via proxy" option in client settings.

How do I combine a local YAML file with an online subscription?
Use proxy-providers to reference the online subscription, then manually add local nodes in the proxies field. In proxy-groups, list both use (providers) and proxies (manual nodes) to combine them.

Latency Testing & Optimization

Clash proxy groups support multiple automatic routing modes — no manual node switching required: url-test automatically picks the lowest-latency node, fallback switches when a node fails, and load-balance distributes traffic across multiple nodes.

url-test (Most Common)

Periodically sends requests to a test URL and automatically switches to the lowest-latency node. Ideal for latency-sensitive use cases (gaming, streaming).

fallback

Uses the first node in the list by default; automatically switches to the next when that node is unavailable. Ideal when you have a stable preferred node and need failover.

load-balance

Distributes traffic across multiple nodes in rotation, improving overall bandwidth. Ideal when running multiple download tasks simultaneously.

Latency Test Proxy Group Example

YAML config.yaml
proxy-groups:
  # Auto select lowest-latency node
  - name: Auto-Best
    type: url-test
    url: https://www.gstatic.com/generate_204
    interval: 300         # test every 5 minutes
    tolerance: 50          # switch only if new node is 50ms faster (prevents thrashing)
    lazy: true             # only test when traffic is present
    proxies:
      - HK-01
      - HK-02
      - US-01
      - SG-01

  # Failover: use HK-01 first, switch if unavailable
  - name: Failover
    type: fallback
    url: https://www.gstatic.com/generate_204
    interval: 180
    proxies:
      - HK-01       # primary
      - US-01       # backup 1
      - SG-01       # backup 2

  # Load balance across multiple nodes
  - name: LoadBalance
    type: load-balance
    strategy: consistent-hashing  # same domain always uses same node
    url: https://www.gstatic.com/generate_204
    interval: 300
    proxies:
      - HK-01
      - US-01
      - SG-01

  # Manual selection group (top-level entry point)
  - name: PROXY
    type: select
    proxies:
      - Auto-Best
      - Failover
      - LoadBalance
      - HK-01
      - US-01

The tolerance parameter matters: Setting a switch threshold (e.g. 50ms) prevents nodes from switching too frequently. Without it, even a 1ms difference in test results triggers a switch, causing unstable connections.

Choosing a test URL: We recommend https://www.gstatic.com/generate_204 (Google 204) or https://cp.cloudflare.com/generate_204 (Cloudflare 204). Both respond extremely fast, are highly reliable, and return an empty 204 response, so page content does not affect the measurement.
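
The effect of tolerance on url-test switching can be seen by replaying the same probe results with and without a threshold. This is an added example and a simplified model of the behaviour described above, not the project's selection code; the latency figures are constructed and the function names are hypothetical.

```python
def select(current, delays, tolerance):
    """Pick a node from one probe round.

    delays maps node name to latency in ms, or None if the probe failed.
    The current node is kept unless it is down or slower than the fastest
    node by more than `tolerance` ms.
    """
    alive = {n: d for n, d in delays.items() if d is not None}
    if not alive:
        return current
    fastest = min(alive, key=alive.get)
    if current not in alive:
        return fastest
    if alive[current] > alive[fastest] + tolerance:
        return fastest
    return current

def count_switches(rounds, tolerance):
    """Replay probe rounds; return (final node, number of node changes)."""
    current, switches = None, 0
    for delays in rounds:
        chosen = select(current, delays, tolerance)
        if current is not None and chosen != current:
            switches += 1
        current = chosen
    return current, switches

ROUNDS = [  # constructed probe results in ms, one dict per test interval
    {"HK-01": 80, "HK-02": 82, "US-01": 180},
    {"HK-01": 83, "HK-02": 81, "US-01": 175},
    {"HK-01": 79, "HK-02": 84, "US-01": 178},
    {"HK-01": 85, "HK-02": 80, "US-01": 176},
    {"HK-01": None, "HK-02": 82, "US-01": 177},  # HK-01 probe failed
    {"HK-01": 81, "HK-02": 140, "US-01": 179},   # HK-02 degrades
]
```

With `tolerance=0` the group flips between HK-01 and HK-02 on jitter of a few milliseconds; with `tolerance=50` it changes node only when HK-01 fails and when HK-02 degrades.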