Rule-based Routing Engine
Precise multi-dimensional routing based on domains, IPs, GeoIP, and process names. Separate local and international traffic to eliminate bandwidth waste.
Learn More →From routing engines to YAML config, from Fake-IP DNS to multi-protocol compatibility—master Clash architecture and unleash its full potential.
Based on a high-performance core built in Go, Clash integrates all essential proxy capabilities—each refined by the community over years to become industry standards.
Precise multi-dimensional routing based on domains, IPs, GeoIP, and process names. Separate local and international traffic to eliminate bandwidth waste.
Learn More →Native support for Shadowsocks, VMess, Trojan, VLESS, Hysteria 2, TUIC, and more. A single core to replace fragmented clients.
View Protocols →Uses human-friendly YAML syntax. Supports version control and one-click sync via subscription links, eliminating manual maintenance.
View Config Examples →Take over system DNS with Fake-IP to prevent DNS leaks to ISPs. Protect your real location and digital fingerprint in any network environment.
How it Works →Supports select, url-test, fallback, and load-balance group types for high-availability proxy routing.
Proxy Groups Detail →Built-in HTTP RESTful API allows third-party dashboards like Yacd or MetaCubeX to switch nodes, monitor traffic, and manage rules visually.
API Docs →Clash's core strength is its powerful Rule-based Proxy system. Unlike traditional tools limited to global proxy or simple PAC lists, Clash offers fine-grained multi-dimensional routing.
Rules are matched top-to-bottom. On a hit, the action (PROXY / DIRECT / REJECT) is executed. The final MATCH rule acts as a fallback.
google.com
Rule Providers: Import remote YAML/TEXT rule files via the rule-providers field. Clash auto-fetches updates, eliminating the need to manually maintain massive config files.
Clash Meta (mihomo) core expands upon the original Clash to support nearly all mainstream proxy protocols. Native compatibility with any provider ensures a single client for all needs.
| Protocol | Transport | Encryption | Obfuscation | Use Case | Support |
|---|---|---|---|---|---|
| Shadowsocks | TCP / UDP | AEAD Encryption | Base | Widest compatibility, provider standard | Original + Meta |
| ShadowsocksR | TCP / UDP | Multi-Obfuscation | Obfuscation | Legacy provider compatibility | Original + Meta |
| VMess | TCP / WS / H2 / GRPC | AES / ChaCha20 | WebSocket TLS | Preferred for V2Ray ecosystem | Original + Meta |
| VLESS | TCP / WS / H2 / GRPC | No built-in encryption (depends on TLS) | TLS / Reality | Lightweight & high-performance, recommended for new setups | Meta Only |
| Trojan | TCP | Native TLS | HTTPS Website Obfuscation | Strongest anti-probing | Original + Meta |
| Hysteria 2 | UDP (QUIC) | TLS 1.3 | QUIC Obfuscation | Ultra-fast on high-latency/packet-loss networks | Meta Only |
| TUIC | UDP (QUIC) | TLS 1.3 | QUIC Multiplexing | Optimized for low-latency scenarios | Meta Only |
| Snell | TCP | AES-256-GCM | Base | Used with Surge ecosystem | Original + Meta |
| Socks5 / HTTP | TCP | Optional TLS | None | LAN internal transit | Original + Meta |
| Reality | TCP | XTLS / Vision | Real website TLS fingerprinting | Best for resisting TLS fingerprinting | Meta Only |
For new nodes, we recommend VLESS + Reality (best anti-detection) or Hysteria 2 (fastest on high-latency networks). Both require Clash Meta (mihomo). For widest compatibility, Shadowsocks (AEAD) remains the safest choice.
Clash uses YAML as its sole configuration format. A complete config consists of several top-level fields—understanding them is the first step to mastering Clash.
Users manually select the active proxy node or subgroup via the client UI. Ideal for precise control, such as always using a US node for Netflix.
Periodically sends HTTP probes to all nodes in the group and auto-selects the one with the lowest latency. Fully automated for the best experience.
url:Latency test URL (gstatic 204 recommended)interval:Interval (seconds), 300s recommendedtolerance:Tolerance value to avoid frequent switchingUses nodes in order; auto-switches to the next if the current one fails. Ideal for critical stability to ensure uninterrupted service.
Distributes traffic across multiple nodes. Supports consistent-hashing (fixed node per domain) and round-robin to maximize bandwidth and throughput.
In traditional proxying, browsers query the local ISP's DNS first, exposing access intent to the ISP even if traffic is encrypted.
Clash's Fake-IP mode takes over system DNS, returning a fake local IP (e.g., 198.18.x.x) immediately so apps can connect. Clash then resolves the real domain via an encrypted tunnel to the remote proxy, preventing DNS leaks to ISPs.
Returns a fake local IP; domain is sent via encrypted tunnel for remote resolution. Prevents DNS leaks with lowest connection latency.
Resolves DNS locally first, then routes based on IP rules. Good compatibility, but risks DNS leaks.
Fake-IP Filter (fake-ip-filter): Some local services (e.g., WeChat, QQ login domains) are incompatible with Fake-IP and should be excluded via fake-ip-filter.
Recommended DoH Upstreams: For China, https://doh.pub/dns-query or https://dns.alidns.com/dns-query; for Fallback, https://1.1.1.1/dns-query (Cloudflare).
The Clash core's HTTP RESTful API (opened via external-controller) allows dashboards like Yacd, MetaCubeX, or clash-dashboard to manage nodes, monitor traffic, and more in real-time without restarts.
GET /proxies
Get all proxy and group info
PUT /proxies/:name
Switch nodes for a specific group
GET /proxies/:name/delay
Test real-time node latency (ms)
GET /traffic
WebSocket real-time traffic throughput
GET /connections
Get current active connections
DELETE /connections/:id
Close specified connections
PUT /configs
Hot reload config (no restart needed)
PATCH /configs
Dynamically modify single fields
PUT /rules
Hot update routing rule sets
GET /logs
WebSocket real-time logs with level filtering
GET /version
Get core version info
GET /memory
Get real-time core memory usage
Each connection is handled by a separate goroutine. Performance scales linearly with CPU cores under high concurrency without thread-switching overhead.
Domain rules use hash tables. Matching completes in constant time regardless of rule count, ensuring performance even with massive configs.
Built-in DNS caching and Fake-IP mode allow immediate connections without waiting for remote DNS, significantly reducing perceived latency.
Compiled to a single binary with no dependencies. Supports Windows, macOS, Linux, and Android for zero-threshold deployment.
Follow these steps to complete Clash setup in about 5 minutes on any OS and enjoy stable, smooth international access.
Pick a GUI client for your OS: Windows users (Clash Verge Rev), macOS users (Clash Verge Rev or ClashX Pro), Android users (Clash Meta for Android), Linux users (Clash Meta core with Yacd).
Go to Download Page →Windows: Double-click .exe and follow the wizard. macOS: Drag the app from the .dmg to the Applications folder. Android: Enable 'Unknown Sources' and install the APK. On first launch, allow any system proxy permission prompts.
Find the 'Profiles' or 'Subscription' page in the client UI. Paste your provider's subscription URL and click 'Download' or 'Update'. Clash will auto-parse all nodes and groups—no manual server entry needed.
Go to 'Proxies' and run a 'Latency Test' on groups. Pick the node with the lowest latency (usually in green). If your subscription includes a 'url-test' group, Clash will auto-select the best node for you.
Turn on 'System Proxy' in the main UI. Clash now handles all system traffic—visit Google, YouTube, or GitHub to see the speed boost. We recommend enabling 'Start on Boot' for convenience.
Check: 1) 'System Proxy' is ON. 2) Subscription is downloaded (node list visible). 3) Selected node has valid latency (not timeout). 4) Firewall allows Clash. Windows users: verify that system proxy settings point to 127.0.0.1:7890.
Visit dnsleaktest.com or ipleak.net. If DNS servers from your local ISP (e.g., China Telecom) appear, you have a leak. Set DNS enhanced-mode to 'fake-ip' in your config and restart.
Some clients use local cache. Use 'Force Refresh' or 'Update' in the 'Profiles' page. If issues persist, try re-adding the link or check if your subscription has expired.
Add 'tun: enable: true' and 'stack: mixed' to your config, and run the client as admin/root. TUN mode captures non-proxy-aware traffic (games, CLI tools) for true transparent proxying. Windows requires the Wintun driver.
Mostly. Original Clash configs work on Clash Meta (mihomo). However, Meta's new fields (VLESS, Reality, Hysteria 2, TUIC) won't work on the original core, which was deprecated in 2023. We recommend migrating to Meta.
1) Download the Clash Meta binary. 2) Set 'tproxy-port: 7893' and 'allow-lan: true' in YAML. 3) Forward traffic to port 7893 via iptables/nftables. 4) Use systemd for boot startup. Point other LAN devices' gateways to this server.
Download the Clash client for your platform. Set it up in 3 minutes and enjoy fast, stable international access.