Symptoms: When “System Proxy” Feels Like a Decoration
People describe three related failures that sound identical in chat logs but point to different layers. First, the GUI claims system proxy is enabled, yet packet captures or simple IP checks show the browser still exits from the home ISP. Second, only some apps misbehave: a Chromium browser might follow the proxy while a command-line tool or a sandboxed app does not, which is normal on macOS because not every framework consults the same configuration store. Third, the client itself looks idle—no handshakes, no rule hits—because traffic never reaches the Meta core at all, so you blame “nodes” when the real problem is capture.
Before you chase remote rulesets, confirm what you expect from Clash Verge Rev. System proxy mode asks cooperative programs to send HTTP and HTTPS through a local listener, typically on 127.0.0.1 with the mixed port your profile exposes. That is polite advice to applications, not kernel enforcement. TUN mode, implemented through Apple’s Network Extension framework on modern macOS versions, creates a virtual interface so traffic can be pulled into the core even when an app ignores proxy environment variables. If you need terminal tools, many games, or stubborn system services to follow the tunnel, you will eventually touch the extension path described in our Complete TUN Mode Setup Guide for Clash Verge Rev—after you prove the baseline proxy path is honest.
Why macOS Makes Proxies a Permission Story
Apple treats network-wide changes as privileged operations. A normal user application cannot silently rewrite global Web Proxy and Secure Web Proxy fields for every network service; the operating system expects an elevated pathway, historically through a privileged helper tool installed with administrator consent, sometimes paired with Keychain entries that anchor trust for code signing or repeated authorization. When that helper is missing, blocked by MDM policy, or never granted in the first place, the UI toggle in Clash Verge Rev may animate while System Settings still shows proxies disabled or frozen on stale ports from an older install.
Separately, Network Extension payloads—packet tunnel providers, filter providers, and related entitlements—trigger their own approval flows under Privacy & Security. Users who mix corporate device management, parental controls, or third-party firewalls sometimes discover that extension installation is silently vetoed. The symptom is a TUN button that never stabilizes, or a VPN menu item that appears and vanishes. None of that is visible inside YAML, which is why macOS troubleshooting starts in Settings and Terminal, not inside remote rule providers.
Step 1: Read the Truth from System Settings
Open System Settings (or System Preferences on older releases) and navigate to Network. Select the active interface—Wi-Fi or Ethernet—then open Details and locate the Proxies section. When Clash Verge Rev manages system proxy correctly, you should see manual entries for Web proxy (HTTP) and Secure web proxy (HTTPS) pointing at 127.0.0.1 with the port your client displays for the mixed listener. SOCKS, if exposed separately, may appear as its own row depending on how the helper mapped settings.
If every proxy checkbox is off while the app insists it enabled them, you have already isolated the failure to the privileged path, not to your subscription. If the address is wrong—say an old port after you changed the profile—browsers will try to speak to a closed socket and “fail open” to direct routing in some configurations, which feels like random breakage. Toggle the master switch off and on in the client after aligning ports, and watch whether Settings updates within a few seconds. No change means the helper never ran.
Step 2: Keychain Prompts and the Privileged Helper
The first launch after install is the critical window. macOS may ask for your login password to install a helper in a system location, or show a Keychain dialog referencing the app or helper binary. If you click Deny or dismiss the prompt while distracted, subsequent attempts to set proxies can fail without a loud error in the main window. Re-run installation from a clean state when possible: quit the app fully, remove the broken helper registration if the vendor documents a path, then reopen and explicitly approve prompts.
Open Keychain Access and search for the application name or helper label if you suspect stale credentials. You are not “hacking” the system; you are verifying that trust material exists and is not expired. Corporate Macs with enforced MDM profiles may block helper installation entirely—if that is your environment, stop and read the policy: no amount of YAML tuning bypasses admin scope.
Security note: Only enter your macOS password for prompts that clearly belong to the signed app you installed from a trusted source. If a random dialog appears outside that context, cancel and verify bundle identity before proceeding.
Step 3: Confirm with scutil and networksetup
The graphical panes are helpful, but terminal output is copy-paste friendly for support threads. On Ventura and later, scutil --proxy prints the effective proxy dictionary the system is advertising to many subsystems. Look for HTTPEnable and HTTPProxy keys, plus the port fields. When everything is wired, you should see 127.0.0.1 and the expected listener port. An empty or disabled structure while the app claims success is a smoking gun for helper failure.
# Show the system proxy dictionary macOS is using
scutil --proxy
The networksetup family remains useful for per-service inspection, especially when you have multiple network locations or unusual interface names. Replace Wi-Fi with your service label if different.
networksetup -getwebproxy "Wi-Fi"
networksetup -getsecurewebproxy "Wi-Fi"If Terminal shows proxies enabled but browsers still misroute, consider a browser-specific override: some profiles ship with their own proxy policy, enterprise policies push PAC files, or an extension forces direct mode. Compare against Safari, which generally respects system settings when no profile conflicts exist.
Step 4: Network Extension and TUN When System Proxy Is Not Enough
After the helper path works, you may still need TUN because developers tools, Go binaries, and many games never ask macOS for the HTTP proxy table. Enabling TUN in Clash Verge Rev triggers the Network Extension workflow: macOS loads a signed extension, may prompt under Privacy & Security, and inserts routes that steer prefixes toward the virtual interface. If you skip approval, the UI can look enabled while the extension never attaches—classic “TUN does nothing” reports on forums.
Visit System Settings → Privacy & Security and review sections related to network extensions or developer tools if something was blocked. Reboot once after first grant; Apple’s extension cache occasionally needs a cold start after major OS upgrades. For YAML-side DNS alignment once TUN is up, pair this article with the Meta core DNS leak prevention guide, because resolver misconfiguration still masquerades as proxy failure when only some hostnames break.
Step 5: Other VPNs, Filters, and Sleep Resume
macOS allows only one primary packet-tunnel style experience at a time in many setups. If corporate AnyConnect, consumer VPN software, or a legacy kext-based filter is active, it may win the routing table race. Quit competing clients fully—not only disconnect—and retest. Wi-Fi captive portals and hotel splash pages also replace DNS until authenticated; your proxy will look “dead” until the hotspot allows real traffic.
Sleep and resume introduce a subtler class of bugs: adapters bounce, extensions restart, and helper state can desync. A pragmatic habit is toggling the master switch off and on after wake when things feel stale, or restarting the app once if connections freeze while Settings still shows correct proxies.
Clash-Side Checks So You Do Not Blame macOS Unfairly
Open Connections and Logs. If flows never appear while scutil --proxy is correct, suspect a local listener mismatch: the mixed port in YAML differs from what the helper wrote, or the core crashed and nothing listens on localhost. If flows appear but hit DIRECT unexpectedly, your rules or GEOIP ordering need attention—not Keychain. If TLS fails for specific domains only, inspect DNS and SNI policy before ripping out the helper.
Keep profiles boring during diagnosis: disable exotic script providers, shrink custom rules to a minimum, and use a known-good node. A dead outbound looks exactly like “macOS ignores Clash” when the browser retries silently. Document profile name, mode (Rule versus Global), capture mode (system proxy versus TUN), and the output of scutil --proxy whenever you ask for help—future you will appreciate the paper trail.
Ordered Playbook: Thirty Focused Minutes
1Prove the core and subscription
Select a healthy node, run a latency test inside the client, and confirm logs show outbound handshakes. If this fails, fix remote connectivity before macOS permissions.
2Reinstall or repair the helper with full attention to prompts
Quit the app, relaunch, trigger proxy enablement, and approve every password or Keychain dialog. Recheck Network → Proxies within seconds.
3Validate with scutil --proxy
Capture the output when it works and when it breaks so you can diff behavior after OS updates.
4Remove VPN conflicts, then try TUN with extension approval
Follow the dedicated TUN article, reboot once if needed, and only then tune DNS hijack or sniffer options.
Notebook habit: Write down your mixed port, the date of the last macOS upgrade, and whether MDM is present. Most mysterious regressions are silent policy changes, not black magic in rulesets.
Open Source, Builds, and Where to Download
Meta-class cores and Verge Rev publish sources for transparency—use them to read changelogs, file precise issues, and verify signatures. For day-to-day installs, prefer the official download page so you track consistent builds; treat GitHub as the engineering home rather than the only story for end users.
Summary
On macOS, a dead system proxy toggle usually means the privileged helper never wrote settings, a Keychain gate was refused, or another VPN owns the routing table. Read System Settings → Network → Proxies, confirm with scutil --proxy, then escalate to Network Extension-backed TUN when apps ignore HTTP proxy tables. Compared with random YAML edits, that sequence is dull—and dull is how you get a browser that finally shows the egress you selected.
When your stack is stable and you want a client that stays maintainable across capture modes, start from a clean install path you trust—