Full Configuration Guide · Updated for 2026

Clash Configuration Guide
From Subscription Import to Advanced Routing

Whether you are a first-time Clash user or want to master TUN mode, rule splitting, and DNS leak protection, this guide covers the complete process for Windows, macOS, Android, and iOS.

0 Preparation

Before using Clash, you need two things: a suitable client and a valid subscription link from your provider.

Step 1 · Download Client

Choose the right client for your system

  • Windows → Clash Verge Rev
  • macOS → Clash Verge Rev
  • Android → Clash for Android
  • iOS → Shadowrocket / Stash

Step 2 · Get Subscription URL

Get Clash-format URL from your provider

  • Log in to your provider's dashboard and find the 'Subscriptions' page
  • Select the Clash / YAML format link
  • Copy the link and keep it private
Your subscription URL contains account info. Do not share it.

1 Clash Verge Rev

Windows macOS

Based on the Mihomo (Meta) core, this is the most recommended client for Windows and macOS now that the original Clash for Windows (CFW) has been discontinued.

1.1 Installation

1. Download from our Download Page

Visit our Download Page to select the latest version for your system.

  • Windows: ClashVerge_x64.msi (standard installer)
  • macOS: ClashVerge_aarch64.dmg (Apple Silicon, M1/M2/M3)

2. Windows: Run .msi Installer

Double-click the installer and follow the prompts. If SmartScreen warns you, click 'More info' → 'Run anyway'.

3. macOS: Drag to Applications

Mount the .dmg and drag the app to Applications. If prompted 'cannot be opened', allow it in 'System Settings → Privacy & Security'.

1.2 Import Subscription

1. Open Clash Verge Rev and go to the Profiles tab.

2. Click New and select Remote.

3. Paste your subscription URL into the input box and click Import.

4. Once imported, click Select on the profile card to activate it (a blue checkmark will appear).

5. Go to Proxies, choose a node, and use the Speed Test icon to find the best latency.

We recommend enabling Auto Update (e.g., every 24h) to keep your node list fresh.

1.3 Proxy Modes

Clash Verge Rev offers three main modes, switchable via the selector at the top.

Rule Mode (Recommended)

Automatically decides whether to proxy based on rules. Domestic sites bypass the proxy while blocked sites use it.

Global Mode

All traffic goes through the proxy. Useful for specific needs but may slow down local sites.

Direct Mode

Bypasses the proxy for all traffic. Useful for temporary local-only access while keeping Clash running.

Ensure the System Proxy toggle is ON so that browsers and other apps can use the connection.

1.4 Enable TUN Mode (Global Proxy)

TUN mode creates a virtual NIC to intercept all traffic, including games and CLI tools that don't support system proxy settings.

Admin Rights Required: Enabling TUN mode requires administrator/root privileges.

1. Go to Settings and find the TUN Mode option.

2. iOS / iPadOS Notes

3. Ensure DNS Override is also ON to prevent DNS leaks in TUN mode.

4. Visit ipleak.net to verify your IP has changed to your proxy node's IP.

yaml · tun config
# Core TUN Configuration (config.yaml)
tun:
  enable: true
  stack: mixed       # mixed mode for best compatibility
  auto-route: true
  auto-detect-interface: true
  dns-hijack:
    - any:53        # Hijack all DNS queries

dns:
  enable: true
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  nameserver:
    - https://dns.google/dns-query  # Google DoH
    - https://1.1.1.1/dns-query     # Cloudflare DoH

2 Clash for Android

Android

The most mature Clash GUI for Android (CFA), supporting full Clash configuration, TUN mode, and per-app proxy with excellent stability.

1. Download APK

Go to the download page or download the Clash for Android local APK.

2. Install APK

Open the file on your phone. If prompted, allow 'Install from Unknown Sources' in settings.

3. Import Subscription

Open the app, tap Profiles (or Config) → New Profile → URL, paste your link and save.

4. Select Profile & Start

Tap to select the imported profile, go back to the home screen and tap Stopped so that it switches to Running, then select a node in the Proxy tab.

Clash for Android is now archived but remains the most stable and compatible Android client. For newer protocols, consider ClashMeta for Android.

3 iOS Clients

iPhone / iPad

There are no free Clash-compatible clients on iOS. You must use a non-Mainland China Apple ID to buy one of the following:

Shadowrocket

$2.99 · US App Store
  • Direct import of Clash YAML subscriptions
  • Lightweight and beginner-friendly
  • Supports rule splitting and global modes
Import Method: Home '+' → 'Subscribe' → Paste URL → Done

Stash

$3.99 · US App Store · Recommended
  • Full Clash Meta syntax support
  • Built-in traffic and connection monitoring
  • Supports rule sets, scripts, and overrides
Import Method: 'Config' → 'Remote Config' → 'Add' → Paste URL
Overseas Apple ID Tip: A US (or other non-Mainland China) Apple ID is required to purchase these apps. You can register one yourself and use gift cards, or obtain a shared account from trusted sources. Do not use an overseas ID as your primary iCloud account to avoid sync risks.

4 Advanced Config

Advanced configuration allows Clash to work more reliably, securely, and intelligently.

4.1 Subscription Conversion

Some providers only offer V2Ray (vmess://) or SSR links. Use a conversion tool to turn them into Clash YAML format.

Online Conversion (Recommended)

Self-hosted Backend (Advanced)

Use subconverter to host your own backend for maximum privacy.

docker run -d -p 25500:25500 tindy2013/subconverter

When using third-party online tools, your subscription info passes through their servers. Use trusted tools or self-host.

4.2 DNS Security

DNS leaks can expose your browsing history to your ISP. We recommend FakeIP mode with encrypted DNS (DoH/DoT).

  • FakeIP Mode (Maximum Leak Protection): Clash returns a fake IP; DNS resolution happens at the remote end, hiding the domain from your ISP.
  • DoH (DNS over HTTPS): DNS over HTTPS prevents man-in-the-middle attacks with the best compatibility.
  • DoT (DNS over TLS): DNS over TLS is more efficient but requires proxy support for port 853.

yaml · dns config
dns:
  enable: true
  listen: 0.0.0.0:1053
  enhanced-mode: fake-ip      # FakeIP leak protection
  fake-ip-range: 198.18.0.1/16
  fake-ip-filter:             # Domains that skip FakeIP
    - '+.lan'
    - localhost.ptlogin2.qq.com
  nameserver:                 # Remote DoH server
    - https://dns.google/dns-query
    - https://1.1.1.1/dns-query
    - tls://8.8.8.8:853         # Google DoT
  fallback:                    # Used when fallback-filter rejects the nameserver answer
    - 223.5.5.5               # Ali DNS (plain UDP)
    - 119.29.29.29            # Tencent DNS (plain UDP)
  fallback-filter:
    geoip: true
    geoip-code: CN
    ipcidr:
      - 240.0.0.0/4

After setup, visit ipleak.net or browserleaks.com. Success means no local ISP DNS servers appear.
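
A static check for the leak-prone settings this section discusses, as an added example (not code from this guide or the Clash project). It assumes the config has already been parsed into a dict; `CONFIG` and `FIXED` are constructed samples, and `audit` is a hypothetical helper name.

```python
# Added example: static audit of the tun/dns keys used in this guide.
ENCRYPTED = ("https://", "tls://")  # DoH and DoT prefixes, as used on this page

CONFIG = {  # constructed sample: the guide's DNS block, parsed, with TUN on
    "tun": {"enable": True, "dns-hijack": ["any:53"]},
    "dns": {
        "enable": True,
        "listen": "0.0.0.0:1053",
        "enhanced-mode": "fake-ip",
        "nameserver": ["https://dns.google/dns-query", "tls://8.8.8.8:853"],
        "fallback": ["223.5.5.5", "119.29.29.29"],
    },
}

def audit(cfg):
    """Return (key, finding) pairs for settings that can leak DNS queries."""
    dns, tun = cfg.get("dns") or {}, cfg.get("tun") or {}
    out = []
    if not dns.get("enable"):
        out.append(("dns.enable", "built-in DNS is off"))
    if dns.get("enhanced-mode") != "fake-ip":
        out.append(("dns.enhanced-mode", "not fake-ip"))
    for key in ("nameserver", "fallback"):
        for server in dns.get(key) or []:
            # A bare IP (or udp://, tcp://) is queried in the clear.
            if not str(server).startswith(ENCRYPTED):
                out.append((f"dns.{key}", f"plaintext resolver {server}"))
    listen = str(dns.get("listen", ""))
    if listen.startswith(("0.0.0.0:", "[::]:", ":")):
        out.append(("dns.listen", f"{listen} accepts queries from other hosts"))
    if tun.get("enable") and not tun.get("dns-hijack"):
        out.append(("tun.dns-hijack", "TUN is on but port 53 is not hijacked"))
    return out

# Constructed variant: loopback listener and an encrypted fallback only.
FIXED = {**CONFIG, "dns": {**CONFIG["dns"], "listen": "127.0.0.1:1053",
                           "fallback": ["https://1.1.1.1/dns-query"]}}

if __name__ == "__main__":
    for key, finding in audit(CONFIG):
        print(f"{key}: {finding}")
```

To run it against a real profile, parse config.yaml first (for example with PyYAML's `yaml.safe_load`) and pass the resulting dict to `audit`.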

4.3 Custom Rules

Precisely control whether traffic goes through the proxy or direct connection based on domain, IP, GeoIP, or process name.

Rule Type      | Example        | Description
DOMAIN         | google.com     | Exact domain match
DOMAIN-SUFFIX  | google.com     | Matches domain and all subdomains
DOMAIN-KEYWORD | youtube        | Matches if domain contains keyword
IP-CIDR        | 192.168.0.0/16 | Matches specific IP range
GEOIP          | CN             | Matches IPs located in the given country code
PROCESS-NAME   | WeChat         | Match by process name (TUN mode)
RULE-SET       | gfw            | Reference external rule files (Recommended for large rulesets)
MATCH          |                | Final catch-all rule for remaining traffic

yaml · rules example
# Custom Rule Override Example (prepend-rules highest priority)
rules:
  # Private IP Direct
  - IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
  - IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,127.0.0.0/8,DIRECT,no-resolve

  # Common Global Services Proxy
  - DOMAIN-SUFFIX,google.com,Select Node
  - DOMAIN-SUFFIX,youtube.com,Select Node
  - DOMAIN-SUFFIX,github.com,Select Node
  - DOMAIN-KEYWORD,openai,Select Node

  # Local Apps Direct
  - DOMAIN-SUFFIX,wechat.com,DIRECT
  - DOMAIN-SUFFIX,weixin.qq.com,DIRECT
  - PROCESS-NAME,WeChat.exe,DIRECT

  # Domestic (CN) IPs Direct
  - GEOIP,CN,DIRECT

  # Fallback: Remaining Traffic Proxy
  - MATCH,Select Node
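
How Clash walks this list, as an added example (not code from this guide or the Clash core): the first matching rule wins, and an IP-based rule without no-resolve forces a DNS lookup of the domain before it can be tested. `walk`, `answer`, `country` and `process` are hypothetical names; the model covers domain-name destinations and the rule types used above only.

```python
import ipaddress

RULES = [  # the rules example from this guide, copied as strings
    "IP-CIDR,192.168.0.0/16,DIRECT,no-resolve",
    "IP-CIDR,10.0.0.0/8,DIRECT,no-resolve",
    "IP-CIDR,127.0.0.0/8,DIRECT,no-resolve",
    "DOMAIN-SUFFIX,google.com,Select Node",
    "DOMAIN-SUFFIX,youtube.com,Select Node",
    "DOMAIN-SUFFIX,github.com,Select Node",
    "DOMAIN-KEYWORD,openai,Select Node",
    "DOMAIN-SUFFIX,wechat.com,DIRECT",
    "DOMAIN-SUFFIX,weixin.qq.com,DIRECT",
    "PROCESS-NAME,WeChat.exe,DIRECT",
    "GEOIP,CN,DIRECT",
    "MATCH,Select Node",
]

def walk(rules, host, answer=None, country=None, process=None):
    """Return (policy, lookups) for a connection to the domain `host`.

    `lookups` lists the IP rules that forced a DNS lookup of `host`;
    `answer` and `country` are what that lookup and the GeoIP database
    would return (supplied by the caller, nothing is resolved here)."""
    resolved, lookups = False, []
    for line in rules:
        kind, *rest = [part.strip() for part in line.split(",")]
        if kind == "MATCH":
            return rest[0], lookups
        payload, policy, opts = rest[0], rest[1], rest[2:]
        if kind in ("IP-CIDR", "GEOIP"):
            if not resolved:
                if "no-resolve" in opts:
                    continue              # skipped for domains, no lookup
                lookups.append(line)      # this rule needs an address
                resolved = True
            hit = (country == payload) if kind == "GEOIP" else (
                answer is not None
                and ipaddress.ip_address(answer) in ipaddress.ip_network(payload))
        elif kind == "DOMAIN":
            hit = host == payload
        elif kind == "DOMAIN-SUFFIX":
            hit = host == payload or host.endswith("." + payload)
        elif kind == "DOMAIN-KEYWORD":
            hit = payload in host
        else:                             # PROCESS-NAME
            hit = kind == "PROCESS-NAME" and process == payload
        if hit:
            return policy, lookups
    return None, lookups
```

Any domain that falls through to `GEOIP,CN,DIRECT` is resolved through the servers in the dns section before the rule can be tested, so those resolvers see the name even when the connection itself ends up on the proxy.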

Recommended Rulesets

ACL4SSR (GitHub)

Most comprehensive ruleset covering Netflix, Disney+, Telegram, and more with Lite/Online versions.

Loyalsoldier (GitHub)

Lightweight GFW-based ruleset with clear categories (reject/direct/proxy/gfw), ideal for custom combinations.

FAQ

In Clash Verge Rev: Profiles → New → Remote → Paste URL → Import → Select activated profile.

In Clash for Android: Profiles → New Profile → URL → Paste URL → Save → Select activated profile.

System Proxy: Only affects apps supporting proxy settings (browsers, some apps). CLI tools and games often ignore it.

TUN Mode: Creates a virtual NIC to intercept all OS network traffic, handling everything including CLI and games.

System Proxy may still use local ISP DNS.

Solution: 1. Enable FakeIP; 2. Set DoH/DoT nameservers; 3. Enable TUN Mode. Verify at ipleak.net.

Troubleshooting:

1. Update subscription; 2. Switch nodes (check latency); 3. Change protocol (some ISPs throttle SS/VMess); 4. Check mode (Rule or Global); 5. Firewall: ensure Clash isn't blocked.

Clash uses YAML. Links like vmess:// must be converted using tools like sub.v1.mk.

Currently no free options. Top picks:

Shadowrocket ($2.99) - Lightweight
Stash ($3.99) - Full feature Meta support

Requires an overseas Apple ID.
