Preface & Reading Tips
No need to read all at once. Use the table of contents or search for keywords. This site does not provide nodes or subscriptions; "Provider / Airport" in the text refers to your own legally prepared configuration source.
What is the Clash Ecosystem
Commonly referred to as "Clash," it is a proxy technology ecosystem centered on rule-based split-tunneling: a proxy core written in Go (common community branches like Clash / Mihomo) + GUI or CLI clients for various platforms. You typically install a client + a configuration (Subscription URL, YAML, or remote hosting).
Unlike "one-switch, full-tunnel" consumer products, Clash emphasizes: which domains or IPs connect directly, which go through a proxy, and which policy group to use, enabling combinations of manual/automatic/failover groups.
What it can do · What not to expect
Commonly achievable
- Within local machine permissions, route matching TCP/UDP connections to nodes or direct connection based on rules.
- Update node lists and rule sets with subscription refreshes (depending on the configuration source).
- Expand coverage for "non-system-proxy" apps in TUN-enabled clients.
What not to expect
- Not a built-in global node package: most scenarios require you to prepare your own legally compliant subscription or configuration.
- Does not guarantee anonymity or bypass all restrictions; results depend on nodes, protocols, DNS, app behavior, and the legal environment.
- Whether game/video/finance apps work depends on multiple factors like UDP, NAT, CDN, and whether they bypass the proxy.
Who should use Clash
Best For
Users who want direct local connections and only proxy specific traffic; willing to understand subscriptions, rules, and policies; need multiple nodes and flexible switching.
Consider More Hassle-Free Products
If you only want "one button for full tunnel" and don't want to read documentation at all, prioritize more packaged commercial VPNs (see the comparison table below).
Core Concepts Quick Lookup
Node (Proxy)
A single line entry in the configuration; items like "HK 01" in the interface are usually nodes.
Policy Group (Proxy Group)
A collection of multiple nodes or sub-policies for rule referencing or manual switching; common types include manual select, auto-speed-test, and fallback (syntax varies by core version).
Rules
Decides the path based on domain, IP, GeoIP, etc.; matching is top-down, with the first match taking effect.
Subscription
An HTTP(s) URL pulled periodically by the client; you must judge the source's trustworthiness yourself.
Profile / Configuration
The overall description of nodes, policy groups, and rules; "Current Config" in the GUI is usually a cache or view.
System Proxy
Directs apps that respect system proxy settings to the local port; programs that don't follow these settings often require TUN or in-app configuration.
Comparison with Common VPN Clients
The term "VPN" often broadly refers to encrypted tunnels; the table below compares common product forms, though specific brands may vary.
| Dimension | Consumer VPN | Clash / Mihomo Line |
|---|---|---|
| Selling Point | Account login and go, emphasizing one tunnel for the entire device. | Emphasizes programmable split-tunneling: who connects directly, who uses proxy, and which group of nodes to use. |
| Config Source | Usually issued uniformly by the provider. | Commonly subscription / local or remote config, with swappable sources. |
| Traffic Granularity | Primarily global tunnel, fine-tuning varies by product. | By default, supports fine-grained matching by domain, IP, and rule sets. |
| Learning Curve | Typically low. | Medium-High: Subscriptions, policies, modes, system proxy, TUN, etc. |
| Relationship with Provider | Usually bundled with the same brand's client + nodes. | Client and node config can be decoupled (within compliance). |
How to choose for typical scenarios
Full encryption, less hassle
Traditional VPNs might be more convenient; the cost is often lower split-tunneling flexibility.
Route specific sites via proxy
Clash is more suitable: direct local connection, proxy for overseas resources, saving latency and traffic.
Sensitive to Low Latency
No tool can guarantee speed; look separately at UDP support, the line quality, and whether the application bypasses the proxy.
Relationship with "Airport" providers
"Airport" often refers to service providers that offer subscriptions. The Clash client is one of the common ways to consume subscriptions and is not equivalent to any merchant. Please verify service compliance and terms yourself.
Recommended Operation Order (Desktop Thinking)
Menu names vary by client; the following is a general logical order.
- Installation and Permissions: Complete the installation and grant network, VPN, or extension permissions as prompted.
- Import Subscription or File: Paste the URL or import the file in "Profiles / Subscriptions," etc.; set it as currently enabled.
- Update and Speed Test: Refresh the subscription; view latency in the proxy panel (for reference only).
- Select Policy Group: Switch commonly used groups to nodes that can connect; if AUTO fails, switch to manual selection to troubleshoot.
- Enable System Proxy: The first choice for beginners; confirm that applications that follow the system proxy, such as browsers, can connect.
- Verification: Self-test in a compliant manner (pay attention to privacy).
Post-Import Self-Checklist
- System time is accurate to within about one minute
- Current configuration is consistent with the expected subscription
- Mode is Rule, not accidentally switched to Global (which sends local traffic through the remote proxy as well)
- System proxy port is not occupied by other software
- No serious errors in the log, such as persistent TLS failures or subscription 403 responses
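One way to review a profile pulled from a subscription before enabling it, as an added example that is not part of the original page or of any client. The keys checked (`allow-lan`, `external-controller`, `secret`, `skip-cert-verify`) are Clash/Mihomo settings not named on this page, the profile text is constructed, and the line scan stands in for a real YAML parser.

```python
import re

# Constructed profile text standing in for what a subscription URL returned.
SAMPLE_PROFILE = """\
mixed-port: 7890
allow-lan: true
external-controller: 0.0.0.0:9090
secret: ""
proxies:
  - {name: "HK 01", type: trojan, server: hk.example, port: 443, skip-cert-verify: true}
  - {name: "JP 01", type: trojan, server: jp.example, port: 443}
"""

def top_level(text):
    """Collect unindented 'key: value' scalars (a line scan, not a YAML parser)."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*?)\s*(?:#.*)?$", line)
        if m:
            out[m.group(1)] = m.group(2).strip("\"'")
    return out

def audit(text):
    """Return a list of findings for settings that widen exposure."""
    cfg, findings = top_level(text), []
    if cfg.get("allow-lan", "false").lower() == "true":
        findings.append("allow-lan: proxy ports are reachable from other LAN hosts")
    ctl = cfg.get("external-controller", "")
    if ctl:
        host = ctl.rsplit(":", 1)[0]
        if host not in ("127.0.0.1", "localhost", "[::1]"):
            findings.append("external-controller: control API not bound to loopback")
        if not cfg.get("secret"):
            findings.append("secret: control API has no authentication secret")
    # Per-node flag: count every node that disables certificate validation.
    n = len(re.findall(r"skip-cert-verify:\s*true\b", text))
    if n:
        findings.append(f"skip-cert-verify: TLS certificate checks disabled on {n} node(s)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE):
        print("REVIEW:", finding)
```
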
Security Habits
Rule, Global, Direct
- Rule: The recommended default. Traffic is matched against the rules; anything that matches no rule follows the default policy (determined by the configuration).
- Global: Sends more traffic uniformly through the proxy side. Useful as a controlled experiment: if Global works and Rule does not, the cause is most likely rules or DNS.
- Direct: Avoids the remote proxy as far as possible; used for recovery or comparison.
Common Reasons for Slow Local Access
Accidentally in Global Mode
Local traffic also goes through the remote, with obvious latency and jitter.
Rules are Too Broad
Catch-all rules push common local domains into the proxy; need to narrow down or update the rule set.
DNS Path
When resolution happens on the proxy side or is polluted, you may be given a suboptimal CDN node, which shows up as "slow first load, video lag."
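The top-down, first-match behaviour from the Rules entry and the "Rules are Too Broad" case above, as an added example (not code from any Clash client or core). The rule lines are constructed samples in the common `TYPE,payload,target` form, only four rule types are modelled, and no DNS resolution is done.

```python
import ipaddress

# Constructed sample rules in "TYPE,payload,target" form; names are illustrative.
RULES = [
    "DOMAIN-KEYWORD,bank,PROXY",               # broad keyword rule placed first
    "DOMAIN-SUFFIX,localbank.example,DIRECT",  # intended local exception
    "IP-CIDR,192.168.0.0/16,DIRECT",
    "MATCH,PROXY",                             # catch-all default
]

def parse(line):
    parts = [p.strip() for p in line.split(",")]
    if parts[0] == "MATCH":
        return "MATCH", "", parts[1]
    return parts[0], parts[1].lower(), parts[2]

def hits(rule, host):
    kind, payload, _ = rule
    if kind == "MATCH":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if kind == "IP-CIDR":  # this sketch does no DNS: only literal IPs match
        return ip is not None and ip in ipaddress.ip_network(payload, strict=False)
    if ip is not None:
        return False       # domain rules never apply to a literal IP
    host = host.lower().rstrip(".")
    if kind == "DOMAIN":
        return host == payload
    if kind == "DOMAIN-SUFFIX":
        return host == payload or host.endswith("." + payload)
    if kind == "DOMAIN-KEYWORD":
        return payload in host
    return False           # rule types outside this sketch never match

def route(rules, host):
    """Top-down scan; the first matching rule decides. Returns (index, target)."""
    for i, rule in enumerate(map(parse, rules)):
        if hits(rule, host):
            return i, rule[2]
    return None, None      # no rule matched: outcome is left to the configuration

def shadowed(rules, host):
    """Specific rules below the winner that match host but name another target."""
    win, target = route(rules, host)
    if win is None:
        return []
    return [i for i, r in enumerate(map(parse, rules))
            if i > win and r[0] != "MATCH" and r[2] != target and hits(r, host)]
```

Running `shadowed(RULES, "www.localbank.example")` reports the local exception that the keyword rule pre-empts; moving that exception above the keyword rule restores the direct path.
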
DNS & Split Tunneling
Switching only the outbound IP without paying attention to DNS may still result in slow loading or resolution to unexpected regions. Specific strategies (such as fake-ip, redir-host) depend heavily on the version; please refer to the official documentation of the version you have installed. Remember: DNS and rules affect the experience just as much.
TUN Basics
TUN allows more programs to be included in the policy through a virtual network card, at the cost of higher permissions and more complex troubleshooting (permission pop-ups, security software, conflicts with other virtual network cards, etc.).
If the whole machine is disconnected after enabling, first turn off TUN to restore internet access, then search for keywords like handshake, permission, loop in the log.
Suggested Troubleshooting Order
- Time: Whether the time zone and system time are accurate.
- Configuration: Whether the current Profile is correct and the subscription is updated successfully.
- Mode: Whether Global was switched on by accident; whether testing under Direct rules out "everything is down."
- Logs: Reading the handshake, certificate, DNS, and connection-rejection entries is more effective than blindly switching nodes.
- Single Variable: Change only one item at a time for easy attribution.
High-Frequency Questions
Subscription Update Failed
Check if the URL has expired, whether the old proxy needs to be turned off first to access the subscription domain, and whether it is blocked by the company network.
Some Apps Do Not Go Through the Proxy
The app may ignore the system proxy or use hardcoded DNS/QUIC; try an in-app proxy setting or TUN (if supported).
Low Latency but Slow Web Pages
Usually a DNS or CDN issue: compare network environments, try different browsers, and pay attention to QUIC behavior.
More short answers can be found in the Home FAQ; for downloads and architecture, see the Download Page Description.
Compliance & Responsibility
The tool can be used for legal network debugging and learning; specific uses must comply with local laws and terms of service. Please read the Terms of Service and Privacy Policy.