Complete Clash FAQ

This site provides installation packages for all platforms. You can choose by system in the Download Center without visiting GitHub. Direct download for Mainland China users:

• Windows: Clash Verge Rev is recommended (the continuously maintained Verge community edition)
• macOS: Clash Verge Rev or FlClash is recommended
• Android: Clash Meta for Android (CMFA) is recommended
• iOS / iPadOS: Search for Stash or Shadowrocket in the App Store (requires an overseas account)
• Linux: Provides Mihomo core binaries and deb/rpm packages

All installation packages are hosted on this site. Refer to each download entry for version descriptions.

All three are common Clash graphical clients on Windows. The difference lies in their maintenance status:

• Clash for Windows (CFW): The earliest widely distributed version. The original repository is currently archived and no longer updated. It is feature-complete and suitable for users used to the old version, but security patches are no longer followed.
• Clash Verge: A new generation client rewritten based on Tauri. The original repository stopped updating for a while.
• Clash Verge Rev: A community-maintained Verge branch that is still actively updated. It has a built-in Mihomo kernel and full support for new protocols like Hysteria2 and TUIC. Best for new users.

If it's your first time using it, just choose Clash Verge Rev.

This is a warning from Windows SmartScreen for apps that are unsigned or have a relatively new signing certificate. It is not a virus prompt. How to handle:

1. Click "More info" in the pop-up window;
2. Click the "Run anyway" button when it appears.

It is recommended to always download from this site or the project's GitHub Releases page. Avoid obtaining installation packages from third-party channels to reduce risk.

macOS's Gatekeeper mechanism blocks apps not notarized by Apple. Common solutions:

1. Find the blocked app in "System Settings → Privacy & Security" and click "Open Anyway";
2. Or execute in the terminal: xattr -cr /Applications/ClashVerge.app (replace the path with the actual installation location) to remove the quarantine attribute and reopen.

Apple Silicon (M series chip) users should ensure they download the arm64 version to avoid network permission compatibility issues when running under Rosetta.

Android defaults to only allowing app installations from Google Play. To install third-party APKs, you need to manually enable permissions:

1. Go to "Settings → Security" (paths vary slightly by brand, some are under "Privacy");
2. Enable "Install unknown apps," or allow the corresponding browser/file manager to install in the system pop-up;
3. Click the APK file again to install.

If the device uses ARM64 architecture (most phones after 2019), please download the arm64-v8a version; for 32-bit old devices, choose armeabi-v7a.

Due to policy restrictions, there is no app named "Clash" directly available in the China App Store. Common alternatives:

• Stash: Supports Clash YAML config, with an experience close to Clash. Requires purchase;
• Shadowrocket (commonly known as "Shadowrocket"): Compatible with subscription formats, low price, available with an overseas account;
• Quantumult X: Powerful features, relatively complex configuration, suitable for users with some foundation.

The apps mentioned above all require a Non-Mainland China Apple ID for purchase. Please search and download from the corresponding region's App Store.

A subscription link is a URL that, when accessed, returns a YAML or Base64 encoded configuration file containing a list of nodes. Steps to import:

1. Open the client and find the "Config" or "Subscription" entry;
2. Paste the subscription URL and click "Update" or "Download";
3. After switching to that configuration, select Rule mode to start using it.

It is recommended to enable scheduled updates (e.g., every 24 hours) to prevent node information from expiring and failing completely. Subscription links are generated by service providers; Clash itself does not provide nodes.

Common reasons and corresponding solutions:

• URL Expired: Contact your service provider to get the latest subscription address;
• Large System Time Error: Open system settings, sync network time (NTP), and try again;
• Outbound Rule Interception: Temporarily switch Clash to Direct mode, restore to Rule mode after successful update;
• Network Blocked: Try using a mobile hotspot or another network;
• Subscription Server Failure: Try again later, or access the subscription URL directly in a browser to confirm if it's reachable.

Parsing failure usually means the returned content is not a valid Clash YAML configuration. Possible reasons:

• The service provider only supports V2Ray/ShadowsocksR formats, which are incompatible with Clash—you need to ask them for a Clash-specific subscription link;
• An HTML page is returned (e.g., login page), meaning the subscription URL requires authentication or has expired;
• There are full-width characters like Chinese colons "：" in the YAML file. YAML format strictly requires English punctuation;
• Some client versions do not match kernel versions. You can try updating the client or manually specifying the kernel version.

Configuration file paths vary slightly between clients:

• Windows（Clash Verge Rev）：%APPDATA%\io.github.clash-verge-rev\profiles\
• macOS（Clash Verge Rev）：~/Library/Application Support/io.github.clash-verge-rev/profiles/
• Linux：~/.config/mihomo/config.yaml
• Android (CMFA): You can view and modify it directly in "Profile" → "Edit" in the app.

When editing manually, it's recommended to use an editor that supports YAML syntax highlighting (like VS Code). Restart the client or reload the configuration for changes to take effect.

Overrides (called "Mixin" or "Override" in some clients) allow you to append or replace certain fields in the subscription configuration itself without modifying it, such as DNS settings, TUN settings, or extra rules.

The advantage is that updating the subscription will not overwrite your own custom settings, making it suitable for users who need to maintain their personal configuration long-term. Clash Verge Rev's "Override" feature (Merge) supports both YAML and JavaScript scripts, providing high flexibility.

• Rule Mode: Matches traffic line-by-line according to rules in the configuration, usually domestic IP/domains go direct and foreign ones go through proxy. Recommended for daily use to balance speed and node bandwidth.
• Global Mode: All traffic is forwarded through selected nodes, suitable for temporarily needing all software to go through proxy, but it will consume more node traffic.
• Direct Mode: All traffic bypasses the proxy and connects directly, equivalent to turning off the proxy, suitable for cases where you just want to temporarily disable it.

Country.mmdb is an IP address attribution database. Clash uses it to determine which country an IP belongs to, thereby deciding whether to connect directly or use a proxy (the basis for GEOIP,CN,DIRECT rules).

Update methods:

• Most clients (Clash Verge Rev, etc.) provide an "Update GeoIP Database" button in the settings. Click it to update online;
• You can also manually download the latest Country.mmdb (such as versions maintained by MaxMind or Loyalsoldier communities) and replace the old file in the client's data directory, then restart.

An outdated database can lead to inaccurate IP attribution. It's recommended to update once every 1~3 months.

TUN (virtual network card) mode allows Clash to take over all network traffic at the system level, rather than being limited to the range covered by HTTP/SOCKS proxies.

Scenarios suitable for enabling TUN:

• Games, UDP applications, or software that does not follow system proxy (like certain terminal tools or P2P apps);
• When "Transparent Proxy" is needed—letting all traffic from the entire device go through Clash without awareness;
• When a router/software router is used as a gateway.

Note: Enabling TUN usually requires administrator/root permissions and may conflict with some VPN clients. It is not needed for general browsing.

Ordinary rules are single matching items written directly in the rules: field of the configuration file. RULE-SET refers to an external rule list file (usually in .yaml or .mrs format), which can contain thousands of rules and reduce the size of the main configuration.

Common community-maintained rule sets (like Loyalsoldier's clash-rules) cover scenarios such as mainstream ad domains, streaming platforms, and domestic direct connection. Referenced by subscription URL, the client will automatically update them regularly.

Usage: Declare the rule set source in rule-providers:, then use RULE-SET,RuleSetName,PolicyGroup to reference it in rules:.

• URL-Test: Regularly tests the speed of all nodes and automatically selects the one with the lowest latency. Suitable for scenarios where low latency is desired and you don't want to manually pick nodes.
• Fallback: Prioritizes the first node; if that node is unavailable, it switches to the next one in order. Suitable for ensuring availability.
• Load-Balance: Distributes traffic evenly across multiple nodes, suitable for scenarios needing to run multiple tasks simultaneously and share bandwidth.
• Select: Manual selection, no automatic switching, suitable for advanced users who need precise control over the exit.

The classic Clash kernel natively supports: Shadowsocks, VMess, Trojan, SNELL, SOCKS5, HTTP/HTTPS, ShadowsocksR, etc.

If using a client based on the Mihomo (Clash Meta) kernel (like Clash Verge Rev, CMFA), it also supports:

• VLESS (including Reality)
• Hysteria2 (High-speed UDP protocol)
• TUIC v5
• WireGuard (Point-to-point encrypted tunnel)
• And more TLS transmission combinations.

具体支持范围以你实际使用的客户端版本和内核版本为准，详见 Specific support scope depends on the actual client and kernel version you use. See the Core Principles page for details.。

Mihomo (formerly Clash.Meta, maintained by MetaCubeX) is a community branch that continuously evolves from the classic Clash. Key extensions:

• Supports next-generation protocols like Hysteria2, TUIC, and VLESS Reality;
• Introduces .mrs binary rule sets in rule-providers for faster loading;
• More complete TUN stack and DNS configuration options;
• RESTful API extensions for easy external control.

Currently, most actively maintained graphical clients (Clash Verge Rev, FlClash, CMFA, etc.) have built-in Mihomo kernels. For ordinary users, there's no need to manually distinguish; simply use the latest client to get all capabilities.

• Shadowsocks: Lightweight, long-standing, with the best compatibility, suitable for most conventional scenarios;
• VMess: The core protocol of V2Ray, supporting multiple transport layers (WebSocket, gRPC, etc.), with strong anti-detection capabilities;
• Trojan: Disguises traffic as HTTPS, friendly to TLS sniffing, suitable for environments with high obfuscation requirements;
• Hysteria2: Based on QUIC/UDP, its performance is significantly better than TCP protocols in high-latency, high-packet-loss networks (such as cross-ocean links), suitable for users seeking a high-speed experience;
• VLESS + Reality: Stateless design, almost no traffic characteristics, suitable for scenarios with the highest stealth requirements.

The actual choice depends on the protocols supported by your service provider, not something you select yourself; the above information is for reference.

All three are client-side proxy tools with overlapping functions but different positionings:

• Clash / Mihomo: Strong in rule-based routing, policy group management, and multi-protocol aggregation. Configuration files are YAML, suitable for users who need fine-grained traffic routing;
• V2Ray / Xray: Rich protocol extensions (VMess, VLESS, XTLS, etc.). Configuration files are in JSON format, more commonly used in server-side deployment and low-level protocol research;

The two cannot directly interchange configuration files, but Clash (Mihomo) natively supports protocols like VMess and VLESS. Converting between subscription link formats requires a third-party conversion tool (like subconverter).

Self-check in the following order:

1. Confirm Current Mode: Whether it's in Rule mode and the rules haven't mistakenly judged the target traffic as direct;
2. Check if System Proxy is Effective: Some browsers have independent proxy settings. You need to enable "System Proxy" in the client or manually configure the browser proxy (127.0.0.1:7890 or actual port);
3. Test Node Latency: Manually test speed in the policy group interface to confirm that the selected node is actually available rather than all timed out;
4. DNS Problem: Try switching DNS modes (Fake-IP ↔ Redir-Host), or check if DNS resolution failure appears in the client logs;
5. Firewall/Security Software: Some antivirus software and Windows Defender Firewall will block Clash's outbound connections. Temporarily turn them off and test again.

Common reasons:

• Rule is displayed on the interface but the actual configuration is still Global or Direct. Re-click to switch and confirm it takes effect;
• Country.mmdb file is missing or corrupted, causing GEOIP rules to fail. Update the database and try again;
• Incorrect rule order: placing MATCH,DIRECT or MATCH,PROXY at the top of the list will cause all traffic to be matched by one rule early, making subsequent rules useless—check that MATCH rules should be placed last;
• mode: global is hardcoded in the configuration file, so it doesn't take effect even if switched in the interface—delete it or change it to rule.

DNS leak means your DNS query requests bypass the proxy and are sent directly to your ISP's (operator's) DNS server, exposing the domain you are visiting.

Detection: Visit dnsleaktest.com or browserleaks.com/dns. If the displayed DNS server is your operator's, a leak exists.

Fix Ideas:

• Set dns.enable to true in the Clash configuration and set trusted upstream DNS (such as 8.8.8.8, 1.1.1.1);
• Using Fake-IP mode can effectively prevent DNS leaks—Clash assigns a fake IP to the domain, and actual resolution is completed on the proxy side;
• Enabling TUN mode allows Clash to take over system-level DNS, preventing other software from bypassing the client to send queries.

Port conflict is the most common reason for Clash failing to start. Troubleshooting steps:

1. Check if there are other Clash processes (or proxy tools like V2Ray, Trojan) already running in the background, close them before starting;
2. Modify the port number in the configuration file: mixed-port: 7890 (default), can be changed to an unoccupied port like 7891;
3. On Windows, you can execute netstat -ano | findstr 7890 in the command prompt to view the PID of the process occupying that port, and then end that process;
4. On macOS / Linux, use lsof -i :7890 to find the occupying process.

Speed problems need to be checked layer by layer:

• Node Latency: Test speed of all nodes in the policy group interface and switch to a node with lower latency;
• Protocol Selection: If the service provider supports Hysteria2, speed can be significantly improved on high-packet-loss lines;
• Slow DNS: Check if DNS resolution is taking too long; in Fake-IP mode, there is almost no resolution wait;
• Too Many Rules: Matching thousands of rules increases the processing time for each request; consider using RULE-SET and enabling cache;
• Local Network: Confirm that the local Wi-Fi signal is good, or switch to a wired connection;
• Node Bandwidth Bottleneck: This is a service provider problem and is unrelated to Clash configuration.

Open the log panel in the Clash client (usually in the "Log" or "Log" tab), adjust the log level to debug or info, and then reproduce the problem, focusing on:

• Rule Hit: Which rule was hit for each request and which policy group was used, to judge if rules are working as expected;
• DNS Resolution: Whether the IP resolved for the domain is correct;
• Connection Failed: dial tcp ... connection refused means the node is unavailable, context deadline exceeded means timeout;
• TUN Initialization Error: If TUN is enabled, insufficient permissions or missing drivers will be displayed here.

After taking screenshots or pasting relevant logs, you can get more precise help in communities (like GitHub Issues).

Clash 内核与 Mihomo（Clash Meta）均在 MIT 开源协议下发布，永久免费使用，无任何隐藏收费。

各平台图形客户端（Clash Verge Rev、FlClash、CMFA 等）也基本免费开源。iOS 上的 Stash、Shadowrocket 等第三方兼容客户端属于独立商业应用，需在 App Store 付费购买，但它们并非 Clash 官方出品。

Clash 本身不提供节点，使用任何节点服务均需自行评估相关费用与合规性。

Clash 内核采用零日志策略，所有流量调度与转发均在本机完成，不经过任何第三方服务器，也不会将流量记录上传。

源代码托管于 GitHub，任何人均可审计，不存在后门或暗中收集数据的风险。

使用图形客户端时，建议始终从官方 GitHub Releases 或本站托管地址下载，避免第三方篡改版本。

可通过以下方式验证安装包完整性：

• 校验哈希值：部分 GitHub Releases 页面提供 SHA256 或 MD5 哈希文件，下载后对比本地文件的哈希值是否一致；
• 仅从可信来源下载：官方 GitHub 仓库（Releases 页面）或本站托管地址，不使用来路不明的网盘链接；
• 检查签名：Windows 上右键安装包 → 属性 → 数字签名，确认签名主体与预期一致；
• 使用杀毒软件扫描：安装前用 Windows Defender 或第三方杀软扫描，部分开源工具因签名问题有误报，可提交样本至 VirusTotal 进行多引擎比对。