Windows Guide Featured Tags: Clash TUN Windows routing firewall

Clash TUN Mode No Internet on Windows?Step-by-Step Routing and Firewall Fix

After you enable Clash TUN, a full blackout or “some sites only” failures are not always a bad node. This guide walks you through a fixed order: virtual adapter and kernel, Windows route table and metrics, firewall and security tools, then DNS and Fake-IP—so you can tell kernel issues apart from routing conflicts or blocking.

Approx. 18 min read
Clash Editorial
Table of Contents

1. What TUN Does vs. System Proxy

Clash TUN creates a virtual network adapter on Windows. The core (for example Mihomo) intercepts IP traffic that matches your rules and feeds it through the proxy stack before it leaves the machine. That is fundamentally different from setting only a system HTTP/SOCKS proxy: many applications ignore the system proxy (some games, CLI tools, certain UWP apps), while TUN can steer traffic at a lower layer—at the cost of touching routing, drivers, and firewall behavior more often.

If turning TUN off and using system proxy or plain rule mode restores connectivity, the problem is usually not “the remote node died overnight.” It is more likely that local takeover of the network stack is incomplete or conflicting: the tunnel is up in the UI, but traffic is steered into a path that does not actually work. The rest of this article assumes the same subscription works without TUN; we only discuss failures that appear when TUN is enabled.

Advanced users sometimes stack multiple features—TUN plus a local SOCKS port, or TUN plus browser-only extensions. For troubleshooting, simplify to one clear path: one client, one mode, one stack option. Once the baseline works, you can add complexity back with confidence.

Tip: Skim our configuration and rules overview so tun toggles, DNS modes, and stack choices (such as system vs. gVisor) match what your build expects. GUI clients put these in different places, but the underlying core behavior is the same.

2. Classify the Symptom First

Before changing nodes or reinstalling, describe what you see in one of three buckets. Mixing them up leads to endless speed tests that never fix the root cause.

  • Full blackout: Browsers, chat, and even domestic sites fail together, or only LAN addresses work. That pattern often points to a broken default route, an adapter that never came up, or traffic forced into a tunnel that cannot forward.
  • Partial reachability: Domestic sites load while some foreign hosts time out, or the opposite. That can still be rules, DNS, or node quality—but it can also be a firewall or filter blocking only certain ports or destinations.
  • Chat works, web feels “stuck”: Frequently DNS or Fake-IP mismatch: names resolve through a path the rest of the stack does not use consistently.

Write down two facts: does connectivity return immediately when you disable TUN, and do you run another VPN or tunnel product at the same time? Those two answers cut the search space dramatically.

3. Kernel and Wintun: Is the Virtual Adapter Real?

On Windows, TUN usually depends on the Wintun driver. If the driver never installed, was quarantined by security software, or the client lacks permission to create the interface, you may see “TUN enabled” in the UI while no traffic flows—or an instant disconnect when the feature turns on.

What to verify

  1. Search client logs for strings like wintun, create tun, or permission. Confirm the core reports a successful interface creation, not a silent fallback.
  2. In Device Manager or Network Connections, look for a virtual adapter associated with your Clash or Mihomo stack. If it appears and disappears in a loop, suspect driver conflict or another filter fighting for the same role.
  3. Run the client as Administrator once and retry TUN. Some environments require elevated rights to install or bind the adapter the first time.
  4. If the client exposes a TUN stack option (system vs. gVisor and similar), try switching it only after you have ruled out obvious permission and route issues—compatibility varies by machine.

When logs say TUN creation failed, fix driver and permissions before you touch outbound groups or subscription URLs.

4. Route Table: Default Routes, Metrics, and Conflicts

TUN often injects a more specific or higher-priority default route so traffic hits the virtual adapter. If that route disagrees with your physical NIC’s gateway, a corporate VPN, ZeroTier, or Hyper-V virtual switches, you can get a black hole: everything enters the tunnel, but the tunnel cannot deliver—so the machine looks completely offline.

Inspecting routes on Windows

Open an elevated Command Prompt or PowerShell. Use route print or Get-NetRoute -DestinationPrefix 0.0.0.0/0 to list default routes and their metrics. Capture output with TUN off, then again with TUN on. Compare:

  • Whether multiple 0.0.0.0/0 entries exist and which interface index wins by metric.
  • Whether the virtual adapter’s index matches what the client displays.
  • Whether stale routes remain after you fully quit the client—pointing at an interface that no longer exists.

If you suspect leftovers, exit the client completely, wait a few seconds, and run the same commands. Still wrong? Disabling and re-enabling the physical adapter or rebooting clears many transient states. On managed corporate networks, static routes pushed by IT may fight user-mode changes; you may need policy help rather than a YAML tweak.

Warning: Do not delete arbitrary routes you do not recognize. Prefer “turn off TUN → quit client → re-check routes” over manual surgery that can strand you without connectivity.

5. Windows Firewall and Security Suites

LAN mixed-port guides focus on inbound rules because other devices connect to your PC. TUN troubleshooting usually emphasizes outbound paths: the core and helper processes must reach the Internet, and some suites treat traffic from a virtual adapter as untrusted.

Practical steps

  1. In Windows Security → Firewall, ensure your Clash executable is allowed on Private and, if needed, Public profiles. Some installs split traffic across multiple binaries; whitelist the ones that actually own sockets.
  2. Third-party “internet security” or endpoint products may add another layer. Add the client to the trust list or briefly disable network shielding to see if behavior changes—then re-enable and narrow a proper exception.
  3. Enterprise environments with application allowlists may block unknown processes originating from virtual interfaces even when the same binary worked through the physical NIC.

For inbound rules tied to local proxy sharing, our Windows 11 mixed port and firewall article still applies. TUN users should read that section and then double-check outbound parity so you are not blocking yourself twice.

6. DNS, Fake-IP, and Split Rules

With TUN on, DNS is often handled inside the core together with modes like fake-ip or redir-host. A mismatch between how names resolve and how connections are classified looks like random “half the internet is down,” especially for domains that sit near the boundary between domestic and remote rule sets.

  • Confirm upstream DNS resolvers are reachable; captive portals and office filters sometimes block third-party DNS.
  • With Fake-IP, verify domestic domains are not mis-tagged, and that fake-ip-filter (or equivalent) covers local and commonly used mainland hostnames if your rules require it.
  • If you recently edited hosts or installed a local DNS accelerator, revert and retest—those layers interact badly with kernel-level DNS capture.

Problems that hide while you only use system proxy may surface with TUN because resolution and connection setup follow a different code path. Treat DNS as its own checkpoint, not something you fix only by cycling nodes.

7. Other VPNs and Adapter Contention

Running a commercial VPN, a corporate tunnel, or virtualization bridges alongside Clash TUN means several components may fight over the same default route or over who owns Wintun. The pragmatic experiment is binary: exit every other tunnel product, reboot if needed, then enable only Clash TUN and retest.

Game boosters and “network optimizers” sometimes install filter drivers that behave like invisible VPNs. If symptoms resist clean routing and firewall checks, uninstall or suspend those tools temporarily and compare. For a broader view of desktop clients before you standardize on one stack, see Clash Verge vs. Clash for Windows.

8. Symptom Cheat Sheet

What you see Check first
Log shows Wintun / create tun failure Driver install, admin rights, adapter conflict; try alternate TUN stack if offered
Fine without TUN, blackout with TUN on route print / default route metrics; another VPN stealing the default path
Domestic OK, some foreign sites fail Rules and nodes; DNS / Fake-IP; firewall filtering specific protocols
Messaging apps work, browsers spin DNS path and pollution; Fake-IP alignment with rules

Keep the discipline: logs and routes before speed tests. That saves hours of swapping subscriptions when the machine never had a working tunnel to begin with.

9. Summary

Clash TUN on Windows pulls traffic in at the adapter layer, which is powerful—and more exposed to routing table mistakes and firewall quirks than plain system proxy mode. When you see no internet or selective cannot access behavior, walk the stack in order: virtual adapter and kernel, then routes, then firewall and security tools, then DNS. That sequence usually separates kernel or driver faults from routing conflicts and from filtering or name-resolution issues.

Compared with one-tap consumer VPNs that hide diagnostics, a maintained Clash client with readable logs rewards methodical users—you can correlate each hop with configuration instead of guessing. When you need a clean installer and up-to-date core features, prefer the official site channel over random repacked binaries.

After you stabilize TUN, snapshot your working YAML and note firewall exceptions so the next driver or Windows update does not send you back to square one.

Download Clash for free and experience the difference

Clash TUN mode on Windows routing and firewall troubleshooting Advanced fix

Stabilize Clash TUN on Windows
Routes, firewall, and DNS in one pass

Install a current Clash build for Windows, import your profile, enable TUN when you need full capture, then use the checklist above—so “toggle TUN and everything dies” becomes a solvable pattern instead of mystery.

  • TUN reaches apps that ignore system proxy settings
  • Logs and routes before random node swaps
  • Complements mixed-port and macOS proxy guides
Download for Windows All Platforms
Clash Clash TUN on Windows

TUN issues are often routes or firewall. Grab the latest client from our download page, then rerun the checks in order.

Free Download Clash