Complete TUN Mode Setup Guide for Clash Verge Rev (Windows / macOS)

What is TUN Mode?

You may have run into this frustrating situation: Clash is running, your browser can access overseas sites just fine, but when you open a terminal and run git clone, npm install, or curl, you still get timeouts or connection errors. This is because the traditional "system proxy" mode only works with apps that support the HTTP/HTTPS proxy protocol. Terminal tools, game clients, and some Electron apps often make direct TCP/UDP connections, completely bypassing the system proxy.

TUN mode (Tunnel mode) was designed to solve exactly this problem. It creates a virtual NIC at the OS level (typically named utun or Meta), routing all system outbound traffic through Clash's rule engine for processing – enabling true "global proxy". Whether it's terminal tools, game clients, or system services making network requests, all are captured by the TUN virtual NIC and routed according to your configured rules.

Clash Verge Rev includes the Meta (Mihomo) core with native high-performance TUN mode support, and the setup process is far simpler than older tools. This guide covers the complete setup flow for both Windows and macOS.

TUN Mode vs System Proxy: Key Differences

Before we dive in, let's clarify the fundamental differences between these two proxy modes to help you make the right choice:

Before You Begin: Prerequisites

Before enabling TUN mode, make sure the following conditions are met:

• Latest version of Clash Verge Rev is installed (v2.0.0 or later recommended). Not installed yet? Visit the client download page to get the latest version.
• You have a valid subscription URL and have successfully imported it into Clash Verge Rev (you can see the node list in the Proxies page).
• Operating system is Windows 10/11 or macOS 12 Monterey or later.
• You have administrator account privileges on the machine (required for creating the TUN virtual NIC at the system level).

Enabling TUN Mode on Windows

Enabling TUN mode on Windows requires two steps: first install Service Mode, then enable TUN mode. Service Mode allows Clash Verge Rev to run as a Windows system service, granting it the system-level permissions needed to create the virtual NIC.

1Step 1: Install Service Mode

Open Clash Verge Rev and click Settings in the left menu. Scroll down to find the System Settings section, where you'll see the Service Mode option.

Click the Install button next to Service Mode. A UAC permission prompt will appear – click Yes to authorize the installation. Once installed successfully, the status indicator turns green and the button switches to Installed.

2Step 2: Enable TUN Mode

After Service Mode is installed, continue scrolling down the Settings page to find the TUN Mode option and toggle it on.

Once enabled, Clash Verge Rev automatically creates a virtual NIC named Meta in the system and routes all outbound traffic through it. You can open Windows Network Connections (Win + R → ncpa.cpl) to confirm that a new adapter named Meta has appeared – if it has, TUN mode is successfully active.

3Optional: Adjust TUN Configuration

Default settings work well for most users. If needed, you can expand the TUN mode details in Settings, or directly edit the tun field in your configuration file:

tun:
  enable: true
  stack: mixed        # 推荐 mixed：TCP 走 gVisor，UDP 走 system
  dns-hijack:
    - "any:53"        # 劫持所有 DNS 请求，防止泄漏
  auto-route: true    # 自动添加路由规则
  auto-detect-interface: true  # 自动检测出口网卡

Key parameters explained:

• stack: Network stack implementation. mixed mode offers the best overall performance and is recommended; gvisor has better compatibility but slightly lower performance; system has the lowest latency but may have compatibility issues in some scenarios.
• dns-hijack: DNS request hijacking scope. Setting any:53 ensures all DNS requests are handled by Clash, preventing DNS leaks.
• auto-route: When enabled, Clash automatically manages the routing table – no manual route rules needed.

Enabling TUN Mode on macOS

Enabling TUN mode on macOS is relatively straightforward – no separate service component installation is required as on Windows, but you'll need to grant system extension permissions the first time.

1Step 1: Grant Administrator Permissions

When running Clash Verge Rev for the first time, the system will request your administrator password to install the necessary Helper Tool. Enter your macOS login password in the prompt and confirm.

If you missed this step or previously denied the permission, go to Settings → System Settings in Clash Verge Rev, find Service Mode, click Install, and enter your password again to authorize.

2Step 2: Enable TUN Mode

Step 2: Enable TUN Mode

Once permissions are granted, go to Clash Verge Rev's Settings page, find the TUN Mode toggle, and switch it on. The system menu bar will notify you that the network configuration has changed – Clash Verge Rev has now created a utun virtual NIC and taken over global traffic. You can verify in System Settings → Network by checking for a new interface starting with utun.

3macOS Tip: Enable Enhanced Mode

On macOS, it's recommended to also enable Enhanced Mode (found in Settings → Proxy Settings). This mode uses pf firewall rules to force all network traffic through the TUN virtual NIC, providing more complete coverage for the rare cases where system processes bypass the proxy.

Verifying TUN Mode is Active

After enabling TUN mode, you can verify it's actually working with these methods:

Method 1: Terminal Verification (Recommended)

Open a terminal (PowerShell / Terminal) and run the following command:

# 测试 curl 是否走代理（返回境外 IP 则说明 TUN 生效）
curl -s https://ipinfo.io/ip

# 测试 git 是否能正常访问 GitHub
git ls-remote https://github.com/MetaCubeX/mihomo.git HEAD

If the IP address returned by curl matches your proxy node's exit IP, TUN mode is successfully intercepting terminal traffic.

Method 2: Check Clash Connection Logs

In the Connections page of Clash Verge Rev, watch the live connection list. When running git clone or npm install, if you see entries for the relevant domains (e.g., github.com, registry.npmjs.org), the requests are being captured and routed by TUN mode.

Troubleshooting Common Issues

Q1: Network speed noticeably slower after enabling TUN

In TUN mode, all traffic passes through the virtual NIC, which introduces extra CPU overhead. Try switching the stack from gvisor to mixed or system, and ensure your proxy node latency is normal. If CPU usage is high, check whether large amounts of local traffic (e.g., NAS, intranet services) are being mis-routed through the proxy – add corresponding DIRECT rules to exclude them.

Q2: Some apps can't connect after enabling TUN on Windows

Some security software (e.g., Windows Defender, antivirus) may block the creation of the TUN virtual NIC or its traffic. Try adding Clash Verge Rev and its installation directory to your security software's whitelist, or allow inbound and outbound rules for clash-verge-rev.exe in Windows Defender Firewall.

Q3: macOS shows "Network Extension Blocked"

This is a normal macOS security (System Extension) prompt. Go to System Settings → General → Login Items & Extensions → Network Extensions, find the Clash Verge Rev entry, check the Allow box, then restart Clash Verge Rev.

Q4: DNS resolution issues after enabling TUN

If domain names fail to resolve after enabling TUN, check that the dns section in your config file is enabled:

dns:
  enable: true
  enhanced-mode: fake-ip    # 或 redir-host
  nameserver:
    - 223.5.5.5
    - 119.29.29.29
  fallback:
    - tls://8.8.8.8:853
    - tls://1.1.1.1:853

Also confirm that tun.dns-hijack is set to any:53 to prevent the system's original DNS server requests from bypassing Clash. For a deep dive into DNS leak prevention configuration, see the Ultimate Meta Core DNS Leak Prevention Guide .

Q5: TUN mode doesn't auto-start after rebooting

In Clash Verge Rev's Settings → General, enable the Launch at Login option, and confirm that Service Mode shows as installed. With these settings, Clash Verge Rev will automatically start as a service on boot and TUN mode will be restored.

Advanced Tips

Excluding Local Traffic

With TUN enabled, all traffic goes through Clash, including requests to local network devices (NAS, router admin pages, etc.). It's recommended to add the following entries to your rule config to bypass private address ranges directly:

rules:
  - IP-CIDR,192.168.0.0/16,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  - IP-CIDR,172.16.0.0/12,DIRECT
  - IP-CIDR,127.0.0.0/8,DIRECT
  # ... 其他规则

UDP Forwarding & Gaming

TUN mode natively supports UDP traffic interception, which is the key advantage for gaming. Ensure your proxy nodes support UDP forwarding (Shadowsocks, Hysteria2, TUIC, and other protocols all support it), then enable udp: true in the corresponding Proxy Group for a low-latency gaming proxy experience – no more timeouts during game login or matchmaking.

Summary

TUN mode is one of the most defining features that sets Clash Verge Rev apart from ordinary proxy tools. Once properly configured, you'll find that the "proxy is on but it doesn't work" problem virtually disappears – whether it's terminal tools like git, npm, pip, game clients, or system services, everything routes precisely according to your rules, ensuring fast access without interfering with direct connections for local services.

Compared to the complex TAP driver installation process of other similar tools, the built-in Meta core in Clash Verge Rev reduces TUN mode configuration complexity to a minimum – nearly a "flip the switch and it works" experience. If you haven't yet experienced this level of full-traffic proxying, give it a try –

→ Download Clash Verge Rev for free and experience true seamless full-traffic acceleration