Intro
Quick Start: Deploy Proxy in Three Steps
Regardless of which Clash client you use, the core process is identical: Download client → Import subscription link → Select node and enable proxy. The entire process usually takes less than 3 minutes.
1
Download and Install Clash Client
Go to the Client Download Page for your operating system to get the installer. We recommend Clash Verge Rev for Windows, ClashX Meta or Clash Verge Rev for macOS, and ClashMeta for Android.
2
Get Subscription Link from Provider and Import
Log in to your provider's dashboard and copy the subscription link (URL format). In the Clash client, find the "Subscription" or "Config" option, paste the link, and click "Update". The client will automatically download and parse all node settings.
3
Select Proxy Node and Enable System Proxy
Switch to the "Proxy" page and select a node with low latency. Enable "System Proxy" or "TUN Mode" (global traffic interception) to start using it.
Recommended Practice: Use the subscription link provided by your service rather than writing config.yaml manually. Subscriptions contain full node configurations and allow the client to update automatically.
Intro
Subscription Link Import Details
A subscription link is a configuration file address provided by a proxy service. When Clash accesses this URL, it downloads a complete YAML configuration containing all nodes, proxy groups, and rules, which is then saved locally.
Import Methods for Each Client
| Client |
Platform |
Import Location |
| Clash Verge Rev |
Windows / macOS / Linux |
Sidebar "Subscription" → Top Right "+" → Paste URL → Confirm |
| ClashX / ClashX Meta |
macOS |
Menu Bar Icon → Config → Remote Config → Manage → Add |
| ClashMeta for Android |
Android |
Bottom Bar "Config" → Top Right "+" → URL Import |
| FlClash |
Android / Windows |
Sidebar "Config" → "+" → Input link → Download |
| Stash |
iOS |
Home "Configuration File" → "Download from URL" |
| Shadowrocket |
iOS |
Top Right "+" → Type "Subscribe" → Paste URL |
Note: Subscription links are private data; do not share them. We recommend enabling the "Auto-update Subscription" feature (usually set to 24 hours) to ensure you have the latest nodes.
Recommended Subscription Update Interval
Most service nodes change every 1–7 days. Setting the auto-update interval to 24 hours ensures your nodes are always current without overloading the server.
Configuration File
config.yaml File Structure
Clash configuration files are in YAML format, typically named config.yaml. It consists of top-level fields separated by indentation; the order of fields does not affect parsing.
mixed-port: 7890
allow-lan: false
mode: rule
log-level: info
external-controller: 127.0.0.1:9090
dns:
proxies:
proxy-groups:
rules:
Global Parameters Overview
| Field | Default | Description |
|---|
| mixed-port | 7890 | Mixed port listening for both HTTP and SOCKS5 protocols |
| port | — | HTTP proxy port only (alternative to mixed-port) |
| socks-port | — | SOCKS5 port only (alternative to mixed-port) |
| allow-lan | false | Allow other devices on the LAN to use this proxy |
| mode | rule | rule (Rule-based) / global (Global Proxy) / direct (All Direct) |
| log-level | info | Log level; can be changed to debug for troubleshooting |
| external-controller | — | REST API address; GUI clients control the core via this interface |
| secret | — | Access key for REST API (optional) |
When using GUI clients (like Clash Verge Rev or ClashX), most global parameters are controlled via the interface, so you don't need to manually edit config.yaml. Manual configuration is primarily for server deployments or highly customized scenarios.
Configuration File
Proxy Nodes
The proxies field defines all proxy nodes. Each node starts with - name: and specifies the protocol via the type field. Clash supports all mainstream proxy protocols:
Shadowsocks
ShadowsocksR
VMess
VLESS
Trojan
Hysteria2
TUIC v5
WireGuard
NaïveProxy
SOCKS5
HTTP / HTTPS
Shadowsocks Node Example
proxies:
- nameHK-01 Hong Kong Node
type: ss
server: hk.example.com
port: 8388
cipher: aes-128-gcm
password: "your-password"
udp: true
VMess Node Example
- nameJP-02 Japan Node
type: vmess
server: jp.example.com
port: 443
uuid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
alterId: 0
cipher: auto
tls: true
network: ws
ws-opts:
path: "/ws"
headers:
Host: jp.example.com
Trojan Node Example
- nameUS-03 USA Node
type: trojan
server: us.example.com
port: 443
password: "your-trojan-password"
sni: us.example.com
skip-cert-verify: false
udp: true
In practice, node configurations are provided automatically via subscription links, so you don't need to fill in these fields manually. Manual setup is only for self-hosted nodes or fine-tuning scenarios.
Configuration File
Proxy Groups (proxy-groups)
proxy-groups combine multiple nodes into a policy group for flexible traffic control. Rules reference the proxy group name rather than specific nodes. Clash supports several group types:
| Type | Description |
|---|
| select | Manual node selection via dropdown in the GUI client; the most common method |
| url-test | Automatically tests latency and selects the fastest node |
| fallback | Sequential fault tolerance; automatically switches to the next node if the preferred one is unavailable |
| load-balance | Distributes traffic across multiple nodes to increase bandwidth utilization |
| relay | Traffic passes through multiple relay nodes to hide the outbound IP. |
Typical Group Configuration Examples
proxy-groups:
- nameNode Selection
type: select
proxies:
- Auto Select
- HK-01 Hong Kong Node
- JP-02 Japan Node
- US-03 USA Node
- DIRECT
- nameAuto Select
type: url-test
proxies:
- HK-01 Hong Kong Node
- JP-02 Japan Node
- US-03 USA Node
url: "http://www.gstatic.com/generate_204"
interval: 300
tolerance: 50
- nameFallback
type: fallback
proxies:
- HK-01 Hong Kong Node
- JP-02 Japan Node
url: "http://www.gstatic.com/generate_204"
interval: 120
DIRECT and REJECT are special built-in policies in Clash. They can be referenced directly in the proxies list of a group without being defined in the main proxies field.
Configuration File
Rule-based Splitting
The rules field defines traffic routing policies, matched from top to bottom. Once a rule matches, its policy is executed immediately, and further matching stops. Each rule follows this format:
Type, Match Value, Policy Name[, no-resolve]
Rule Type
| Type | Match Content | Example |
|---|
| DOMAIN | Exact full domain match | DOMAIN,google.com,Node Selection |
| DOMAIN-SUFFIX | Domain suffix match (including subdomains) | DOMAIN-SUFFIX,google.com,Node Selection |
| DOMAIN-KEYWORD | Domain contains keyword | DOMAIN-KEYWORD,youtube,Node Selection |
| IP-CIDR | Target IP address range | IP-CIDR,192.168.0.0/16,DIRECT |
| IP-CIDR6 | IPv6 address range | IP-CIDR6,2001:db8::/32,DIRECT |
| GEOIP | IP country of origin (GeoIP database) | GEOIP,CN,DIRECT |
| GEOSITE | Site category (requires GeoSite database) | GEOSITE,cn,DIRECT |
| PROCESS-NAME | Process name (desktop clients) | PROCESS-NAME,curl,DIRECT |
| MATCH | Default rule to match all remaining traffic | MATCH,Node Selection |
Rule Examples: Common Splitting Configurations
rules:
- DOMAIN-KEYWORD,ads,REJECT
- DOMAIN-SUFFIX,doubleclick.net,REJECT
- IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
- IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
- IP-CIDR,127.0.0.0/8,DIRECT,no-resolve
- Node Selection
- Node Selection
- Node Selection
- Node Selection
- Node Selection
- GEOIP,CN,DIRECT
- Node Selection
Rule order is critical—more specific rules should come first. MATCH is the default fallback rule and must be the last line of the rules list. For IP-based rules (IP-CIDR, GEOIP), adding the no-resolve suffix is recommended to avoid unnecessary DNS resolution.
Use Rule Provider to reference external rule sets
Mihomo (Clash Meta core) supports rule-providers, allowing rule sets to be loaded from remote URLs to avoid manually maintaining large domain lists in config.yaml:
rule-providers:
reject:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
path: ./ruleset/reject.yaml
interval: 86400
rules:
- RULE-SET,reject,REJECT
- Node Selection
Network
DNS Configuration & Leak Protection
Clash includes a built-in DNS module to resolve domains for proxy traffic. Proper DNS configuration prevents DNS leaks (where your ISP can see which domains you visit), avoids DNS pollution, and improves resolution speed.
Recommended DNS Settings
dns:
enable: true
listen: 0.0.0.0:1053
ipv6: false
enhanced-mode: fake-ip
fake-ip-range: 198.18.0.1/16
fake-ip-filter:
- "*.lan"
- localhost.ptlogin2.qq.com
nameserver:
- 114.114.114.114
- 223.5.5.5
fallback:
- tls://1.1.1.1:853
- tls://8.8.8.8:853
- https://1.1.1.1/dns-query
fallback-filter:
geoip: true
geoip-code: CN
ipcidr:
- 240.0.0.0/4
FakeIP vs. Redir-Host Mode Comparison
| Mode | Principle | Advantages | Applicable Scenarios |
|---|
| fake-ip |
Returns a fake IP; actual domain resolution is handled by Clash at the proxy layer |
Completely prevents DNS leaks; high speed |
Recommended for most scenarios |
| redir-host |
Resolves real IP first, then determines routing policy based on the IP |
Better compatibility; required for some NAS / gaming scenarios |
Use when facing compatibility issues with FakeIP |
Network
TUN Mode Global Proxy
TUN Mode creates a virtual network interface to intercept all TCP/UDP traffic at the OS kernel level, eliminating the need for manual per-app proxy settings. it is the ultimate solution for software that ignores system proxy settings, including games, terminal tools, and Electron apps.
TUN Mode requires administrator privileges (Windows requires running as admin; macOS requires authorizing a helper tool). Most GUI clients handle the permission request process; simply toggle it in the interface.
Enable TUN in config.yaml
tun:
enable: true
stack: mixed
dns-hijack:
- any:53
auto-route: true
auto-detect-interface: true
TUN Stack Mode Selection
| stack value | Description | Recommended |
|---|
| mixed | TCP uses system, UDP uses gvisor, balancing performance and compatibility | Recommended First Choice |
| system | Calls system network stack; best performance but slightly lower UDP compatibility in some cases | Use when performance is priority |
| gvisor | User-space network stack; best compatibility but slightly higher CPU usage | Use when compatibility is priority |
How to Enable TUN on Each Client
| Client | Operation Path |
|---|
| Clash Verge Rev | Settings → System Settings → Enable "Virtual Network Interface (TUN Mode)" |
| ClashX Meta | Menu Bar → Enhanced Mode |
| ClashMeta for Android | Bottom Bar "VPN" → Toggle TUN Mode |
| FlClash | Sidebar Settings → Service Mode (requires service installation) |
Advanced
Advanced Settings
Proxy Provider: Unified Node Management
proxy-providers allow nodes to be dynamically loaded from a URL or local file, perfect for managing multiple services in one place:
proxy-providers:
airport-a:
type: http
url: "https://sub.airport-a.com/clash/subscribe?token=xxx"
interval: 86400
path: ./providers/airport-a.yaml
health-check:
enable: true
url: "http://www.gstatic.com/generate_204"
interval: 300
proxy-groups:
- nameNode Selection
type: select
use:
- airport-a
Profile Mixin: Override Subscription Config
Clients like Clash Verge Rev support the Mixin feature, allowing you to "mix" custom settings into the final active configuration without modifying the subscription file. This is often used to force-enable TUN mode or override DNS settings:
mixed-port: 7890
allow-lan: false
tun:
enable: true
stack: mixed
auto-route: true
auto-detect-interface: true
dns:
enable: true
enhanced-mode: fake-ip
nameserver:
- 223.5.5.5
- 114.114.114.114
Advanced
FAQ
Nodes are empty after importing subscription?
Check the following: Has the subscription link expired? (You'll need to re-copy it if reset). Is the subscription URL accessible? (Some provider URLs are blocked locally; try updating with an existing proxy enabled). Is the subscription in Clash format? (Some providers offer multiple formats like Clash or ShadowsocksR; ensure you choose "Clash").
Some software still cannot bypass the firewall after enabling system proxy?
Some software (such as games, UWP apps, and terminal tools) may not follow system proxy settings. The solution is to enable TUN Mode, which intercepts all traffic at the system kernel level. See the TUN Mode section for details.
Latency test shows the node is available, but actual access is slow?
Latency tests (PING) only reflect the handshake round-trip time and do not represent actual download speeds. Try switching to another node or select the "Auto Select" group to let Clash find the best speed automatically. Also, check if the current node's protocol is being throttled by your local network (Shadowsocks is more prone to QoS; try Hysteria2 or TUIC).
Config file reporting YAML parse error?
YAML is very sensitive to indentation. Please ensure: use 2 spaces for indentation (do not use Tab); string values containing special characters must be wrapped in quotes; list items must have a space after -. It is recommended to use YAML Lint to validate your configuration file syntax online.
How to view real-time Clash connection logs?
Most GUI clients provide built-in log panels: Clash Verge Rev → Sidebar "Logs"; ClashX → Menu Bar → Dashboard → Logs. You can also access the REST API directly at http://127.0.0.1:9090 (requires external-controller configuration) and use panels like Yacd or MetaCubeXD to view connection details.
Ready to get started?
Download Clash client, import your subscription link, and complete your proxy deployment in minutes.
Configuration Docs