Explaining the complete proxy link from traffic entry to rule matching and then to protocol outbound—helping you truly understand the mechanisms behind rule routing, TUN transparent proxy, and DNS leak protection, rather than just knowing how to paste configurations.
When you open a URL in a browser, the traffic is not sent directly. Clash listens on one or more ports locally, intercepts all outbound connections, and after judgment by the rule engine, decides whether to take "Direct" or "Proxy Outbound."
The entire link is divided into five stages, each with a clear point of intervention by Clash:
The rule engine is Clash's core capability. It evaluates the rules list line by line from first to last: the first rule that matches takes effect immediately and the remaining rules are never evaluated, so order determines everything.
Domain rules (DOMAIN, DOMAIN-SUFFIX): the most commonly used type, matching an exact domain or a domain suffix, suitable for split-routing specific websites.
IP rules (IP-CIDR, GEOIP): judged on the target IP address or the GeoIP database; this is the core rule for "Domestic Direct, Foreign Proxy."
Process and port rules (PROCESS-NAME, DST-PORT): route traffic according to the application's process name or port number, suitable for giving specific software (such as development tools or game clients) its own exit.
Rule sets (rule-providers): packaging hundreds or thousands of rules into a remote subscription file that the client pulls and refreshes periodically is the standard practice for large-scale routing solutions; the interval option sets the automatic update period.
Rules match sequentially from top to bottom. The first match takes effect and subsequent rules are not executed. Common mistake: putting MATCH,DIRECT before GEOIP causes all traffic to connect directly. Recommended order:
Local network (IP-CIDR 192.168.0.0/16) → DIRECT
GEOIP,CN,DIRECT: direct if the IP belongs to China.
MATCH,Proxy: fallback; unmatched traffic goes through the proxy.
Clash supports two ways to take over traffic, system proxy and TUN mode. Choosing the wrong mode is a common root cause of "certain apps not using the proxy":
TUN mode's stack option: system uses the system network stack for higher performance; gvisor is a user-space network stack with better compatibility. The Mihomo kernel also supports a mixed hybrid mode.
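The first-match semantics and the MATCH-ordering mistake described above, as an added example (not Clash's own code): a small rule engine that parses Clash's text rule syntax and walks the list top to bottom. The two CN prefixes standing in for the GeoIP database and the hostnames are constructed for this example.

```python
import ipaddress

# Constructed stand-in for the GeoIP database (two CN prefixes assumed for this example).
CN_PREFIXES = [ipaddress.ip_network(p) for p in ("223.5.5.0/24", "114.114.114.0/24")]

def geoip(ip):
    addr = ipaddress.ip_address(ip)
    return "CN" if any(addr in net for net in CN_PREFIXES) else "OTHER"

def parse_rule(line):
    # Clash text syntax: TYPE,ARGUMENT,POLICY (MATCH carries no argument).
    parts = [p.strip() for p in line.split(",")]
    if parts[0] == "MATCH":
        return ("MATCH", None, parts[1])
    return (parts[0], parts[1], parts[2])

def rule_matches(kind, arg, host, ip):
    # IP-based rules need a resolved address; in Fake-IP mode Clash resolves the
    # domain only when it reaches such a rule (here the caller passes ip directly).
    if kind == "DOMAIN":
        return host == arg
    if kind == "DOMAIN-SUFFIX":
        return host == arg or host.endswith("." + arg)
    if kind == "IP-CIDR":
        return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
    if kind == "GEOIP":
        return ip is not None and geoip(ip) == arg
    if kind == "MATCH":
        return True
    raise ValueError("rule type not modelled in this example: " + kind)

def route(rule_lines, host, ip=None):
    """First-match semantics: walk the list top to bottom, return the first hit's policy."""
    for line in rule_lines:
        kind, arg, policy = parse_rule(line)
        if rule_matches(kind, arg, host, ip):
            return policy
    return "DIRECT"  # only reached if the list has no MATCH fallback

# Recommended order from the text: local network -> explicit domains -> GEOIP -> MATCH.
GOOD_ORDER = [
    "IP-CIDR,192.168.0.0/16,DIRECT",
    "DOMAIN-SUFFIX,example.com,Proxy",
    "GEOIP,CN,DIRECT",
    "MATCH,Proxy",
]
# The common mistake: a MATCH,DIRECT at the top swallows every connection.
BAD_ORDER = ["MATCH,DIRECT"] + GOOD_ORDER

if __name__ == "__main__":
    for host, ip in (("printer.lan", "192.168.1.20"), ("www.example.com", "93.184.216.34"),
                     ("www.baidu.com", "223.5.5.5"), ("cdn.example.org", "1.1.1.1")):
        print(host, "->", route(GOOD_ORDER, host, ip), "| mis-ordered:", route(BAD_ORDER, host, ip))
```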
DNS leakage is the security blind spot that proxy users most easily overlook: your traffic goes through the proxy, but DNS queries are sent in plaintext to your local ISP, exposing the domains you visit. Clash has a complete built-in DNS module to address this.
Fake-IP mode: after receiving a DNS request, Clash immediately returns a fake IP from the fake-ip range (the default fake-ip-range is 198.18.0.1/16, so answers look like 198.18.x.x), letting the app initiate its connection as quickly as possible. The real DNS resolution is deferred to the proxy side, avoiding early domain leakage locally.
Redir-Host mode: real DNS resolution is completed locally first, and after the domain resolves to a real IP it is handed to the rule engine for GEOIP matching. Better compatibility, but the DNS query itself may leak to the local ISP.
fallback with fallback-filter: when a domain resolves to a foreign IP, it is automatically re-resolved through the encrypted DoT / DoH fallback servers to prevent poisoning.
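How Fake-IP keeps the domain off the local resolver, and how fake-ip-filter punches holes in it, as an added simulation (not Clash's own code). The upstream resolver table and the hostnames are constructed; the exact allocation order of Clash's fake-ip pool is not modelled.

```python
import ipaddress

class FakeIpResolver:
    """Simulates Clash's fake-ip enhanced mode (added example, not Clash's own code)."""

    def __init__(self, fake_ip_range="198.18.0.1/16", fake_ip_filter=()):
        net = ipaddress.ip_network(fake_ip_range, strict=False)
        self._pool = net.hosts()
        next(self._pool)  # skip the first address; Clash's real allocation order is not modelled
        self._filter = tuple(fake_ip_filter)
        self.domain_to_fake = {}
        self.fake_to_domain = {}
        self.local_queries = []  # domains whose lookup reached the local/ISP resolver

    def _excluded(self, domain):
        # fake-ip-filter entries such as "+.lan" cover the domain and all its subdomains.
        for pat in self._filter:
            if pat.startswith("+."):
                suf = pat[2:]
                if domain == suf or domain.endswith("." + suf):
                    return True
            elif domain == pat:
                return True
        return False

    def resolve(self, domain, upstream):
        """The DNS answer handed to the app: a fake IP, or a real lookup for filtered domains."""
        if self._excluded(domain):
            self.local_queries.append(domain)  # this query is visible to the local resolver
            return upstream(domain)
        if domain not in self.domain_to_fake:
            fake = str(next(self._pool))
            self.domain_to_fake[domain] = fake
            self.fake_to_domain[fake] = domain
        return self.domain_to_fake[domain]

    def connect_target(self, dst_ip):
        """At connect time the fake IP is mapped back to the domain, so the proxy server,
        not the local ISP, performs the real resolution. Non-fake IPs pass through."""
        return self.fake_to_domain.get(dst_ip, dst_ip)

# Constructed upstream resolver standing in for the system/ISP DNS.
UPSTREAM = {"printer.lan": "192.168.1.20", "www.example.com": "93.184.216.34"}

def fake_upstream(domain):
    return UPSTREAM[domain]
```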
The protocol determines the traffic encryption and obfuscation strategy. Clash natively supports multiple protocols, and the Mihomo (Clash Meta) kernel further extends support for next-generation protocols.
Shadowsocks: uses symmetric encryption (AES / ChaCha20) to encrypt traffic so that it looks like random data, resisting Deep Packet Inspection (DPI). Simple protocol design with the widest client support.
VMess: proprietary protocol designed by the V2Ray project, adding timestamp verification and obfuscation on top of encryption. Can be combined with WebSocket + TLS to disguise itself as HTTPS traffic, giving strong anti-blocking capability.
Trojan: transmits proxy data directly inside the TLS layer, so it looks exactly like normal HTTPS without extra obfuscation. The server also serves real web responses to further hide proxy characteristics.
Hysteria: a new generation of high-performance protocols based on QUIC (UDP), significantly outperforming the TCP protocol family on weak networks and in high-packet-loss environments. Designed specifically for high-latency, unstable network scenarios.
TUIC: also based on QUIC, focusing on low latency and connection reuse. Its 0-RTT handshake design reduces first-packet latency, suiting response-time-sensitive scenarios (such as gaming and real-time audio/video).
WireGuard: modern VPN protocol with a minimal, easily audited code base, using ChaCha20 + Poly1305 encryption, and extremely high performance thanks to its kernel-level implementation. Mihomo supports using WireGuard as an outbound protocol.
Policy groups are the core mechanism for "packaging" rules and "scheduling" nodes. After a rule is hit, traffic is not sent directly to a node, but to a policy group—the policy group decides which node to use, enabling capabilities like automatic speed testing and failover.
select: the user manually picks the current node from the node list, usually shown directly in the client interface. Suitable for users who want precise control over the exit.
url-test: regularly sends HTTP probe requests to all nodes and automatically selects the node with the lowest response latency. It switches only when the latency difference exceeds the tolerance threshold, avoiding frequent flapping.
fallback: uses the first node in order; when it fails the health check, the group automatically switches to the second, and so on. Suitable for scenarios that require guaranteed stability.
load-balance: multiple nodes take turns carrying traffic, spreading connections across different nodes to improve overall throughput. Mihomo supports consistent hashing so that the same session keeps using the same node.
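The url-test, fallback and load-balance selection logic described above, as an added simulation (not Clash's own code). Probe results and node names are constructed; the load-balance variant uses a simple deterministic hash rather than a full consistent-hash ring.

```python
import hashlib

def url_test_select(latencies, current=None, tolerance=0):
    """url-test: pick the lowest-latency live node, but keep the current one unless the
    fastest beats it by more than `tolerance` ms (this is what prevents flapping).
    `latencies` maps node name -> probe latency in ms, or None if the probe failed."""
    alive = {name: ms for name, ms in latencies.items() if ms is not None}
    if not alive:
        return None
    fastest = min(alive, key=alive.get)
    if current in alive and alive[current] - alive[fastest] <= tolerance:
        return current
    return fastest

def fallback_select(order, latencies):
    """fallback: the first node in configured order that passes its health check."""
    for name in order:
        if latencies.get(name) is not None:
            return name
    return None

def load_balance_select(order, latencies, session_key):
    """load-balance: spread sessions over live nodes; the same session key always
    lands on the same node (simplified hash, not a true consistent-hash ring)."""
    alive = [name for name in order if latencies.get(name) is not None]
    if not alive:
        return None
    digest = hashlib.sha256(session_key.encode()).digest()
    return alive[int.from_bytes(digest[:4], "big") % len(alive)]

if __name__ == "__main__":
    probes = {"HK-1": 80, "JP-1": 85, "US-1": 180}  # constructed probe results (ms)
    print("url-test, no current:", url_test_select(probes))
    print("url-test, JP-1 current, tolerance 50:", url_test_select(probes, "JP-1", 50))
    print("fallback after HK-1 dies:", fallback_select(["HK-1", "JP-1", "US-1"], {**probes, "HK-1": None}))
    print("load-balance for session a:", load_balance_select(list(probes), probes, "session-a"))
```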
Clash currently has two main branches, often used interchangeably in daily conversation, but with significant capability differences—especially in protocol support and TUN enhancement features.
Conclusion: New users should directly choose clients based on the Mihomo (Clash Meta) kernel (such as Clash Verge Rev, Mihomo Party, Clash Meta for Android) to get more complete protocol support and TUN capabilities without compromise. Classic Clash kernel clients remain stable, but continuous updates to the protocol ecosystem are concentrated in the Mihomo branch.
Rule order: if MATCH is placed at the top, all rules below it will never be triggered. A reasonable order is: Local Network → Explicit Proxy Domains → Explicit Direct Domains → GEOIP → MATCH Fallback.
Fake-IP compatibility: some applications treat the 198.18.x.x IP range specially, leading to anomalies. Clash provides the fake-ip-filter configuration item to exclude specific domains from Fake-IP, letting them use normal DNS resolution.
TUN stack choice: the system stack has higher performance than gvisor. If machine performance is insufficient, you can enable the system proxy for specific apps instead of enabling TUN globally.
Health-check URL: http://www.gstatic.com/generate_204 (returns an empty 204 response) or http://cp.cloudflare.com/generate_204. It is recommended to use an overseas address reachable through the proxy to avoid false positives caused by domestic addresses.