All nodes show timeout after importing subscription – what do I do?

First check if your subscription has expired; then try disabling your antivirus or firewall; finally check that your system time is accurate – a time difference of more than 90 seconds will cause protocol handshake failures.

What's the difference between TUN mode and system proxy?

System proxy only proxies apps that support proxy protocols (like browsers) and cannot cover terminal tools or game clients. TUN mode creates a virtual NIC to intercept all outbound traffic at the network layer, allowing any application to be proxied.

What are GeoIP rules? How do I set up custom routing?

GeoIP rules determine whether to proxy traffic based on the destination IP's geographic location. By adding a rules field to your config file, you can configure separate proxy policies for specific domains, IP ranges, or applications to achieve fine-grained traffic routing.

Clash Configuration Guide | TUN Mode, Subscription Import, GeoIP Routing, Rule Override

Chapter 01

Import Subscription Config

The Clash client fetches a YAML-format config file remotely from your provider via a subscription URL. The config file contains proxy server lists, policy groups, and routing rules – the foundation for all features.

1

Get Your Subscription URL

Log into your provider's dashboard and copy the Clash-format subscription URL (usually contains a ?token= parameter). This URL is sensitive – do not share it with others.

2

Import in the Client

Open Clash Verge Rev, click the " Profiles " tab on the left, click the " New " button in the top right, paste the URL in the input field, and click Import.

3

Activate the Config Profile

After importing, click the config card to set it as "Active" – the client icon will show as activated. It's recommended to enable " Auto Update " in settings (every 24 hours) to keep your node list current.

4

Speed Test and Select Node

Go to the Proxies page, find your policy group and click " Speed Test ⚡ ". Nodes with latency below 100ms are high quality – click to select. It's recommended to use the auto-select group (marked with 🔁) over DIRECT for automatic failover.

Typical YAML Config Structure (for reference)

# Clash Meta (Mihomo) config file structure overview
mixed-port: 7890         # HTTP + SOCKS5 mixed proxy port
allow-lan:  false        # Not accessible to LAN devices
mode:       rule         # Rule mode (recommended)
log-level:  info

proxies:                   # Node list (auto-populated by subscription)
  - name: "HK Node 01"
    type: vmess
    server: hk1.clashhelp.com
    port:   443
        # ... (other fields omitted)

proxy-groups:              # Policy Groups
  - name: "🚀 Node Selection"
    type: select
    proxies: ["Auto Select", "HK Node 01"]

rules:                     # Routing Rules
  - GEOIP,CN,DIRECT
  - MATCH,🚀 Node Selection

FlClash users:Import via main screen top right → Config → Add Config → Enter URL. Long-press a config card to set up scheduled auto-update.

Chapter 02

TUN Virtual NIC Mode

TUN (Tunnel) mode creates a virtual NIC in the operating system to intercept all outbound traffic at the network layer (L3), permanently solving the issue of system proxy not covering terminal tools (git, npm, curl), game clients, and other apps.

System Proxy (Old Method)

✗ Only covers apps that support proxy protocols
✗ Terminal tools require manual HTTP_PROXY configuration
Clash Meta (Mihomo) config file structure overview
HTTP + SOCKS5 mixed proxy port

TUN Mode (Recommended)

HK Node 01
✓ Terminal / IDE / games all auto-route through proxy
✓ DNS leak protection supported
△ First-time setup requires Service Mode installation

Enable TUN Mode in Clash Verge Rev

1

Install Service Mode

Go to Settings → System Settings → Service Mode and click Install. Windows requires UAC administrator approval; macOS requires your system password. The status icon turns green when installation is complete.

2

Enable TUN Toggle

Find the TUN Mode toggle in Settings and switch it on. After enabling for the first time, it's recommended to restart the client for the configuration to fully take effect.

3

Verify TUN is Active

Open a terminal and run curl -I https://www.google.com – if it returns HTTP 200, TUN proxy is successfully active. You can also see connection records from terminal tools in the client's Connections page.

Manually Enable TUN in YAML (Meta Core Config)

tun:
  enable:              true
  stack:               mixed    # mixed / gvisor / system (mixed recommended)
  auto-route:          true     # Auto-configure routing table
  auto-detect-interface: true   # Auto-detect outbound NIC
  dns-hijack:
    - any:53                   # Hijack all DNS queries to prevent leaks

dns:
  enable:    true
  enhanced-mode: fake-ip    # fake-ip is recommended in TUN mode
  nameserver:
    - https://doh.pub/dns-query
    - https://dns.alidns.com/dns-query

Note:On macOS, after installing Service Mode for the first time, the system may block the driver from loading. Go to System Settings → Privacy & Security → click Allow Anyway, then restart the client.

Chapter 03

GeoIP Traffic Routing Rules

Traffic routing gives you precise control over which traffic goes through the proxy and which connects directly. Proper configuration reduces latency, lowers bandwidth usage with your provider, and prevents domestic services from slowing down due to proxy re-routing.

Common Rule Types Quick Reference

Rule Type	Match Logic	Example
DOMAIN	Exact domain match	DOMAIN,google.com,PROXY
DOMAIN-SUFFIX	Domain suffix (including subdomains)	DOMAIN-SUFFIX,github.com,PROXY
DOMAIN-KEYWORD	Domain contains keyword	DOMAIN-KEYWORD,google,PROXY
IP-CIDR	IP range match	IP-CIDR,192.168.0.0/16,DIRECT
GEOIP	IP geographic location (GeoIP database)	GEOIP,CN,DIRECT
GEOSITE	Domain category set (Meta exclusive)	GEOSITE,cn,DIRECT
RULE-SET	Remote ruleset (recommended)	RULE-SET,proxy,PROXY
MATCH	Fallback rule (must be last)	MATCH,PROXY

Recommended Routing Rule Example

The following config implements a standard "direct connection for domestic traffic, proxy for international" routing strategy:

rule-providers:          # Remote rulesets (recommended, auto-updated daily)
  reject:
    type:     http
    behavior: domain
    url:      "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
    interval: 86400
  proxy:
    type:     http
    behavior: domain
    url:      "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
    interval: 86400
  direct:
    type:     http
    behavior: domain
    url:      "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
    interval: 86400

rules:
  - RULE-SET,reject,REJECT       # Ad/tracking blocking
  - RULE-SET,proxy,🚀 Node Selection   # Common overseas services
  - RULE-SET,direct,DIRECT       # Common domestic domains
  - GEOSITE,cn,DIRECT            # Mainland China domain collection
  - GEOIP,CN,DIRECT              # Mainland China IPs
  - MATCH,🚀 Node Selection            # Fallback: remaining traffic goes through proxy

Recommended rulesets:Loyalsoldier/clash-rules is the most comprehensive community-maintained Clash ruleset, covering ad filtering, overseas proxy, and domestic direct connection – with daily automated updates.

Chapter 04

Multi-Subscription Merge & Config Override

When you have multiple provider subscriptions, or need to layer custom rules on top of a subscription, you can use Clash Verge Rev's Override or Merge feature – no need to modify the original subscription file.

Merge（Merge Mode）

Recommended

Deep-merges your custom config snippets with the subscription config. Ideal for appending personal rules, replacing DNS settings, adding your own nodes, and similar use cases.

Script Override（Script Override）

Modifies the config object arbitrarily via a JavaScript function, suitable for complex scenarios like conditionally filtering nodes or dynamically generating policy groups.

Using Merge to Append Custom Rules

In Verge Rev, go to Profiles → Override, create a new Merge-type config file with content like:

# merge-overwrite.yaml — only include fields to override/append
dns:
  nameserver:
    - https://doh.pub/dns-query       # Override DNS servers

rules:                                # Appended rules (inserted before existing rules)
  - DOMAIN-SUFFIX,internal.corp,DIRECT   # Company intranet direct connection
  - IP-CIDR,10.0.0.0/8,DIRECT            # Private IP ranges direct connection

proxies:                               # Append Your Own Nodes
  - name: "Your own VPS"
    type: trojan
    server: vps.mydomain.com
    port:   443
    password: "your-password"

Multi-subscription merge:In Verge Rev's Profiles page, you can import multiple config files simultaneously, then write a script in Override using config.proxies to merge node lists from different configs and build a unified policy group.

Chapter 05

Advanced JavaScript Scripting

Clash Verge Rev includes a built-in JavaScript engine (V8), enabling programmatic processing of config objects via scripts – for subscription conversion, node filtering, dynamic policy groups, and other advanced needs that static YAML cannot handle.

Config Script

Runs after subscription loads, modifies the entire config object

Override Script

Applied as an override layer, complementary to Merge mode

Scheduled Script

merge-overwrite.yaml — only include fields to override/append

Useful Script Example: Filter Nodes by Region

// Override script entry function, config parameter is the complete config object
function main(config) {

    // Keep only nodes whose name contains "Hong Kong" or "Japan"
  const allowedRegions = ['Hong Kong', 'HK', 'Japan', 'JP'];

  config.proxies = config.proxies.filter(proxy =>
    allowedRegions.some(r => proxy.name.includes(r))
  );

  // Get filtered node name list
  const proxyNames = config.proxies.map(p => p.name);

  // Update Node Selection policy group to use filtered nodes
  config['proxy-groups'].forEach(group => {
    if (group.name === '🚀 Node Selection') {
      group.proxies = ['DIRECT', ...proxyNames];
    }
  });

  return config;
}

Useful Script Example: Auto-Add Speed Test Group

function main(config) {
  const allProxies = config.proxies.map(p => p.name);

  // Insert a url-test auto-speed-select policy group
  config['proxy-groups'].unshift({
    name:     '⚡ Auto Speed Select',
    type:     'url-test',
    proxies:  allProxies,
    url:      'https://www.gstatic.com/generate_204',
    interval: 300,
    tolerance:50
  });

  return config;
}

Note:Script syntax errors will cause config loading to fail. It's recommended to use the built-in syntax validation in the client's Config Editor to verify correctness before saving and activating.

Chapter 06

Log Debugging & Common Errors

When facing connection issues, the Logs view is your most direct diagnostic tool. This chapter covers the most common error messages and their solutions.

Log Level Reference

debug → Most detailed; use when debugging deep issues – generates a high volume of logs

info → Recommended for daily use; records connection and rule matching info

warning / error → Only outputs error messages; suitable for production environments

High-Frequency Error Troubleshooting Guide

dial tcp: i/o timeout — Node Connection Timeout

The node address is unreachable. Possible causes: ① Node IP blocked by ISP; ② Port blocked by firewall; ③ Node is offline. Solution:Switch to another node, or enable TCP Concurrent in settings to let the client automatically select available nodes.

proxyconnect tcp: EOF — Proxy Handshake Interrupted

The proxy server dropped the connection during the handshake. Common causes include incorrect protocol parameters (UUID, password, or encryption mismatch) or server version incompatibility. Solution:Re-import your subscription file, or contact your provider to confirm whether the server config has been updated.

no such rule provider — Ruleset Download Failed

The remote ruleset URL is inaccessible (rules cannot be downloaded before the client has established a proxy channel). Solution: proxy: 🚀 Node Selection field to download rulesets through the proxy, or replace the ruleset URL with a mirror address accessible without a proxy.

DNS resolution failed — DNS Resolution Failed

In TUN mode, improper DNS configuration can cause all domain names to fail to resolve. Solution:Ensure dns.enable: trueis enabled in the config, and set dns-hijack to any:53. It's also recommended to configure multiple reliable DoH upstream servers (e.g., doh.pub + dns.alidns.com).

TUN device not found — TUN NIC Creation Failed

Service Mode is not properly installed, or the system security policy is blocking driver loading. Solution (Windows):Restart Clash Verge Rev as administrator and reinstall Service Mode. Solution (macOS):Go to System Settings → Privacy & Security, allow the system extension, and restart your system.

How to View Real-Time Logs

Clash Verge Rev

Left menu → Logs → live scrolling display. Switch log level in the top right (select debug when troubleshooting); supports keyword filtering.

Command Line Access

# View real-time logs via the Clash RESTful API
curl -N http://127.0.0.1:9090/logs \
  -H "Authorization: Bearer <secret>"

Log file location:Windows — %APPDATA%\io.github.clash-verge-rev\logs\; macOS — ~/Library/Logs/io.github.clash-verge-rev/. When reporting crashes or hard-to-reproduce issues, sharing the log file with the community Issue tracker speeds up diagnosis.

FAQ

What's the difference between Clash Verge Rev and Clash for Windows? Are configs compatible?

CFW (Clash for Windows) stopped being maintained in late 2023 and has unpatched security vulnerabilities. Clash Verge Rev is its Tauri 2.0-rewritten successor with a more modern UI, smaller package size (<15MB), and the latest built-in Meta core. Config files are fully compatible– you can import your old YAML config files directly into Verge Rev without modifying any fields.

All nodes show timeout / 9999ms latency after importing subscription – what should I do?

Troubleshoot in the following order: ① Check if your subscription has expired (log into your provider's dashboard); ② Temporarily disable your antivirus / Windows Defender firewall; ③ Verify your system time is correct (a difference of more than 90 seconds causes handshake failures); ④ Try switching to a different network (e.g., mobile hotspot) to check if the issue is ISP blocking.

Can other devices on my LAN use the proxy after enabling TUN mode?

TUN mode only proxies local traffic by default. To share with LAN devices, set allow-lan: truein your config and point other devices' gateway or proxy to your machine's IP (default port 7890). Be sure to set up proper access controls after enabling this to prevent proxy abuse.

How do I make terminal tools like git / npm / pip go through the proxy?

Easiest solution: Enable TUN mode for fully automatic proxying – no extra configuration needed. Without TUN, temporarily set environment variables in the terminal:

# macOS / Linux
export https_proxy=http://127.0.0.1:7890 http_proxy=http://127.0.0.1:7890

# Windows PowerShell
$env:https_proxy="http://127.0.0.1:7890"

Domestic websites are slow after enabling proxy – how do I optimize?

Make sure your rules include GEOSITE,cn,DIRECT and GEOIP,CN,DIRECT to bypass the proxy for domestic traffic. If using fake-ip-filter DNS mode, add common domestic domains to fake-ip-filter (e.g., *.baidu.com, *.qq.com) to avoid unnecessary DNS delays.

Are there any recommended Clash clients for iOS?

iOS options currently include: ① ① Stash(paid, compatible with Clash configs, polished UI, full features, available in CN App Store); ② ② Shadowrocket(paid, requires a non-mainland Apple ID, supports multiple protocols); ③ ③ Sing-Box(open-source free, newer ecosystem, powerful). FlClash's iOS version is still in development – follow its GitHub for progress.

Complete Clash Configuration Tutorial