Clash Verge TUN Mode Configuration Guide

In this article, I will document the configuration process for Clash Verge, including creating configuration files, switching kernels, enabling TUN mode, and preventing DNS leaks.

Background

On the afternoon of November 2, 2023, the Clash for Windows (CFW) repository was deleted. Later that evening, related topics surged to the top ten on Weibo’s trending list, attracting some malicious self-media to add fuel to the fire, and rumors were flying. The following day, most of the Clash-related repositories took measures such as deletion or archiving and switching branches to temporarily avoid the limelight. Since CFW is no longer being updated, I decided to switch from CFW to Clash Verge for security reasons.

Download and Installation

Here is Clash Verge’s GitHub Release page. Please choose the appropriate installation package according to your operating system:

  • Windows users can download Clash.Verge_1.x.x_x64_zh-CN.msi
  • Mac users with Intel CPUs can download Clash.Verge_1.x.x_x64.dmg
  • Mac users with M-series CPUs can download Clash.Verge_1.x.x_aarch64.dmg

The installation process is very straightforward. Simply click Next repeatedly, and no additional settings are required.

Basic Configuration

First, click on Settings in the left sidebar to open the settings page.

Switch Clash Core

Clash Verge supports two cores: Clash Premium (closed-source and repo deleted) and Clash Meta (open-source). By default, Clash Premium is used, but it’s recommended to switch to Clash Meta.

  1. In Settings, locate the Clash Core section and click the small gear icon next to it.
  2. Select Clash Meta.
  3. Click Restart in the upper right corner.
(Screenshots: Switch Clash Core; Choose Clash Core and Restart)

Set External Controller

Previously, a vulnerability in Clash was exposed, allowing attackers to inject malware via the RESTful API interface. For security reasons, I changed the default external control port and added a password. For more details, refer to @bulianglin’s YouTube video.

  1. In Settings, locate the External section and click the arrow icon next to it.
  2. Change the External Controller port. The default is 9090; change it to another port such as 11451.
  3. Enter a password in Core Secret.
  4. Save the settings.
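To verify that the new port and secret actually took effect, here is an added check (my own example, not Clash Verge's code): it probes the controller's /version endpoint without and then with the Bearer secret, and a hardened controller must answer 401 to the first and 200 to the second. It bypasses any system proxy so the probe is not routed through Clash itself, and it includes a constructed mock controller so it runs offline; point base_url at http://127.0.0.1:11451 with your own Core Secret to audit the real one.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Bypass any system/env proxy: otherwise the probe could be routed through Clash itself.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(base_url, secret=None, timeout=3):
    """GET /version and return the HTTP status; the secret is sent only when given."""
    req = urllib.request.Request(base_url.rstrip("/") + "/version")
    if secret is not None:
        req.add_header("Authorization", "Bearer " + secret)  # header format the Clash API expects
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def controller_is_locked(base_url, secret):
    """True only if anonymous access is refused (401) and the configured secret is accepted (200)."""
    return probe(base_url) == 401 and probe(base_url, secret) == 200

class MockController(BaseHTTPRequestHandler):
    """Constructed stand-in for the controller so the check can run offline:
    it serves /version and enforces the Bearer secret the way Clash does."""
    secret = "placeholder-secret"

    def do_GET(self):
        ok = self.headers.get("Authorization") == "Bearer " + self.secret
        body = b'{"version":"mock"}' if ok else b'{"message":"Unauthenticated"}'
        self.send_response(200 if ok else 401)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # silence per-request logging in the demo
        pass

def start_mock(secret, port=0):
    """Start the mock on 127.0.0.1 (port 0 = ephemeral) and return (base_url, server)."""
    MockController.secret = secret
    server = HTTPServer(("127.0.0.1", port), MockController)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server

if __name__ == "__main__":
    # For the real controller use base_url = "http://127.0.0.1:11451" and your Core Secret.
    base_url, server = start_mock("demo-secret")
    print("locked:", controller_is_locked(base_url, "demo-secret"))
    server.shutdown()
```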

Additional Configuration

Here are some of my own configurations for reference. Adjust them based on your specific needs.

  • Disable IPv6
  • Disable Allow LAN
  • Enable Auto Launch
  • Enable Silent Start

Configuration File Setup

  1. Click on Profiles in the left sidebar.
  2. Click New in the upper right corner.
  3. Choose Local as the type, name it as you like, and leave the other two fields blank.
  4. Click Save.
  5. Right-click the newly created profile. Edit File opens the configuration file in Clash Verge's built-in editor; Open File opens it in VSCode.
  6. Fill in your configuration and save it.
    • If you are not familiar with the configuration, you can refer to the Clash Meta Documentation, which provides example configurations that you can use.
    • You can also directly use most of the configuration from your CFW configuration file.
(Screenshots: New Profile; Edit Profile)

My Configuration File

mixed-port: 7890 # proxy port
allow-lan: false # Do not allow other devices on the LAN to reach the Internet through Clash's proxy port.
external-controller: 127.0.0.1:11451 # RESTful API listener address; the default port is 9090, and it is recommended to change it.
secret: "Woshiyigemeiyouganqingdemima!" # API access key

# hosts: # Grasscutter, Launch!
#   '*.mihoyo.com': 127.0.0.1
#   '*.yuanshen.com': 127.0.0.1
#   '*.hoyoverse.com': 127.0.0.1

profile:
  store-selected: true # Store the policy-group selections made through the API and reuse them at the next startup.
  store-fake-ip: true # Store the fake-IP mapping table so a domain gets the same mapping when it is connected to again.

sniffer:
  enable: true # Enable domain sniffing
  sniff:
    TLS:
      ports: [443, 8443]
    HTTP:
      ports: [80, 8080-8880]
      override-destination: true

tun:
  enable: true
  stack: system # For Mac users, please use "gvisor" instead.
  dns-hijack:
    - 'any:53' # DNS hijacking; usually set to any:53, i.e. hijack all UDP traffic on port 53.
  auto-route: true # Automatically set global routes so that all traffic enters the TUN interface.
  auto-detect-interface: true # Automatically select the outbound interface.
  strict-route: true # Strict routing, which prevents address leakage.

dns:
  enable: true
  listen: 0.0.0.0:53 # DNS service listener
  ipv6: true # Whether to resolve IPv6; if false, AAAA queries get an empty answer.
  enhanced-mode: fake-ip # Clash's DNS processing mode.
  fake-ip-range: 28.0.0.1/8 # The IP range used for fake-IP; the TUN interface's default IP also comes from this value.
  use-hosts: true # Whether to query the system hosts file.
  fake-ip-filter: # fake-IP filtering; the following addresses are not issued fake-IP mappings.
    - '*.lan'
    - cable.auth.com
    - '*.msftconnecttest.com'
    - '*.msftncsi.com'
    - network-test.debian.org
    - detectportal.firefox.com
    - resolver1.opendns.com
    - '*.*.*.srv.nintendo.net'
    - '*.*.stun.playstation.net'
    - xbox.*.*.microsoft.com
    - '*.*.xboxlive.com'
    - stun.*.*.*
    - stun.*.*
    - localhost.*.qq.com
    - '*.logon.battlenet.com.cn'
    - '*.logon.battle.net'
    - '*.blzstatic.cn'
    - music.163.com
    - '*.music.163.com'
    - '*.126.net'
    - musicapi.taihe.com
    - music.taihe.com
    - songsearch.kugou.com
    - trackercdn.kugou.com
    - '*.kuwo.cn'
    - api-jooxtt.sanook.com
    - api.joox.com
    - joox.com
    - y.qq.com
    - '*.y.qq.com'
    - streamoc.music.tc.qq.com
    - mobileoc.music.tc.qq.com
    - isure.stream.qqmusic.qq.com
    - dl.stream.qqmusic.qq.com
    - aqqmusic.tc.qq.com
    - amobile.music.tc.qq.com
    - '*.xiami.com'
    - '*.music.migu.cn'
    - music.migu.cn
    - proxy.golang.org
    - '*.mcdn.bilivideo.cn'
    - '*.cmpassport.com'
    - id6.me
    - open.e.189.cn
    - mdn.open.wo.cn
    - auth.wosms.cn
    - '*.jegotrip.com.cn'
    - '*.icitymobile.mobi'
    - '*.pingan.com.cn'
    - '*.cmbchina.com'
    - pool.ntp.org
    - '*.pool.ntp.org'
    - ntp.*.com
    - time.*.com
    - ntp?.*.com
    - time?.*.com
    - time.*.gov
    - time.*.edu.cn
    - '*.ntp.org.cn'
    - PDC._msDCS.*.*
    - DC._msDCS.*.*
    - GC._msDCS.*.*
    - speedtest.cros.wr.pvp.net
  default-nameserver: # Default DNS used only to resolve the domain names of the DNS servers below; must be IPs, may be encrypted DNS.
    - https://223.5.5.5/dns-query
    - tls://223.5.5.5:853
  nameserver: # Default nameservers; if fallback/proxy-server-nameserver are not configured, all domain names are resolved here.
    - https://dns.alidns.com/dns-query
    - https://doh.pub/dns-query
  fallback: # Backup resolvers, generally foreign DNS, to ensure credible results; once fallback is configured, fallback-filter is enabled by default.
    - https://1.0.0.1/dns-query
    - tls://dns.google
  proxy-server-nameserver: # Used only to resolve the proxy nodes' own domain names.
    - https://doh.pub/dns-query
  nameserver-policy: # Specify the resolver for particular domains (geosite supported); takes precedence over nameserver/fallback.
    "geosite:cn,private":
      - https://doh.pub/dns-query
      - https://dns.alidns.com/dns-query

# Proxy settings, using Just My Socks as an example
proxies:
  - name: jms-s1
    type: ss
    server: xxxx1.xxxxx.com
    port: 12345
    cipher: aes-256-gcm
    password: xxxxx
  - name: jms-s2
    type: ss
    server: xxxx2.xxxxx.com
    port: 12345
    cipher: aes-256-gcm
    password: xxxxx
  - name: jms-s3
    type: vmess
    server: xxxx3.xxxxx.com
    port: 12345
    uuid: xxx-114514-xxxxxx
    alterId: 0
    cipher: auto
    # tls: true
    # skip-cert-verify: true
    # servername: example.com
  - name: jms-s4
    type: vmess
    server: xxxx4.xxxxx.com
    port: 12345
    uuid: xxx-114514-xxxxxx
    alterId: 0
    cipher: auto
    # tls: true
    # skip-cert-verify: true
    # h2-opts:
    #   host:
    #     - http.example.com
  - name: jms-s5
    type: vmess
    server: xxxx5.xxxxx.com
    port: 12345
    uuid: xxx-114514-xxxxxx
    alterId: 0
    cipher: auto
    # tls: true
    # skip-cert-verify: true
    # servername: example.com
  - name: jms-s801
    type: vmess
    server: xxxx801.xxxxx.com
    port: 12345
    uuid: xxx-114514-xxxxxx
    alterId: 0
    cipher: auto
    # tls: true
    # skip-cert-verify: true
    # servername: example.com

# Proxy groups; I only use a single manual-select group
proxy-groups:
  - name: PROXY
    type: select
    proxies:
      - jms-s1
      - jms-s2
      - jms-s3
      - jms-s4
      - jms-s5
      - jms-s801

# For the ruleset, I used [Loyalsoldier's](https://github.com/Loyalsoldier/clash-rules) ruleset.
rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400

  icloud:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt"
    path: ./ruleset/icloud.yaml
    interval: 86400

  apple:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt"
    path: ./ruleset/apple.yaml
    interval: 86400

  google:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt"
    path: ./ruleset/google.yaml
    interval: 86400

  proxy:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
    path: ./ruleset/proxy.yaml
    interval: 86400

  direct:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
    path: ./ruleset/direct.yaml
    interval: 86400

  private:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt"
    path: ./ruleset/private.yaml
    interval: 86400

  gfw:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt"
    path: ./ruleset/gfw.yaml
    interval: 86400

  tld-not-cn:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt"
    path: ./ruleset/tld-not-cn.yaml
    interval: 86400

  telegramcidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt"
    path: ./ruleset/telegramcidr.yaml
    interval: 86400

  cncidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt"
    path: ./ruleset/cncidr.yaml
    interval: 86400

  lancidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt"
    path: ./ruleset/lancidr.yaml
    interval: 86400

  applications:
    type: http
    behavior: classical
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/applications.txt"
    path: ./ruleset/applications.yaml
    interval: 86400

# Rules
rules:
  - RULE-SET,applications,DIRECT
  - DOMAIN,clash.razord.top,DIRECT
  - DOMAIN,yacd.haishan.me,DIRECT
  - RULE-SET,private,DIRECT
  - RULE-SET,reject,REJECT
  - RULE-SET,icloud,DIRECT
  - RULE-SET,apple,DIRECT
  - RULE-SET,google,DIRECT
  - RULE-SET,proxy,PROXY
  - RULE-SET,direct,DIRECT
  - RULE-SET,lancidr,DIRECT
  - RULE-SET,cncidr,DIRECT
  - RULE-SET,telegramcidr,PROXY
  - GEOIP,LAN,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,PROXY

geodata-mode: true # Use geoip files in dat format
geox-url: # Custom geo download addresses
  geoip: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat"
  geosite: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat"
  mmdb: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.metadb"

For more configuration options, please refer to the Clash.Meta Official Documentation.

Enable TUN Mode

A TUN interface is a virtual network interface through which user-space programs and the kernel exchange packets, passing them from one network stack to another. Clash Meta can run in TUN mode, creating a TUN virtual NIC to take control of the layer 3 packets on the user's network. In TUN mode, the traffic of all applications is forced through the proxy, regardless of whether the application supports proxy settings.

  1. Click Settings in the left sidebar, locate Service Mode, and click the small shield icon next to it.
  2. Click INSTALL.
    • Installation may report a failure, but it is actually successful; this may be a bug.
  3. Turn on the switch for Service Mode and Tun Mode, then turn off the switch for System Proxy.
  4. If the network icon in the lower left corner of the taskbar changes from Wi-Fi to the icon shown in the screenshot below, the installation was successful.
    (Screenshot: network icon in the taskbar)
  5. Click Profiles in the left sidebar, right-click the profile you created earlier, and click Select.
(Screenshots: Install Service Mode; Click INSTALL; Enable/Disable relevant options)

Prevent DNS Leaks

DNS leaks are a network privacy issue that typically occurs when using a Virtual Private Network (VPN) or proxy service. It refers to the situation where DNS queries bypass the VPN or proxy and are sent directly to a local or public DNS server. This can potentially leak information about a user’s online activities, as DNS queries often contain information about the websites being accessed, even if their network traffic is encrypted and hidden by a VPN or proxy.

For more information about DNS leaks, please refer to @bulianglin’s YouTube video.

Turn Off Smart Multi-Homed Name Resolution

Windows uses Smart Multi-Homed Name Resolution to issue DNS queries on all network interfaces in parallel for better performance. Even though I have configured DNS rules in the settings, those rules only apply to the TUN virtual network card set up by Clash; they do not control the physical network card. Therefore, without disabling Smart Multi-Homed Name Resolution, the system may send DNS queries through both the virtual network card and the physical network card. The physical network card typically uses local or public DNS servers, so third parties such as your Internet service provider can see which websites you are visiting. This is how the DNS leak occurs.

You can use Wireshark to capture data from the physical network card and compare the differences before and after disabling Smart Multi-Homed Name Resolution.
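As a lighter alternative to reading the Wireshark capture by hand, the following added example (mine, not from the article) parses DNS queries in wire format and flags every plaintext port-53 query seen leaving the physical interface, which, with any:53 hijacked on the TUN and DoH/DoT upstreams, should never happen; the packets, addresses and names are constructed sample data.

```python
import struct

def build_query(qname, txid=0x1234):
    """Constructed sample input: a minimal DNS A query (RD flag set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_dns_query(payload):
    """Return the QNAME of a DNS query message, or None if it is not a valid query."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:  # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    try:
        while payload[pos] != 0:
            length = payload[pos]
            if length & 0xC0:  # a compression pointer never starts a question name
                return None
            labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
            pos += 1 + length
    except IndexError:  # truncated message
        return None
    return ".".join(labels) or None

def find_leaks(packets, allowed_resolvers=()):
    """packets: (src_ip, dst_ip, dst_port, udp_payload) tuples captured on the physical NIC.
    Any plaintext port-53 query here is a leak unless its resolver is explicitly allowed."""
    leaks = []
    for _src, dst, dport, payload in packets:
        if dport != 53 or dst in allowed_resolvers:
            continue
        qname = parse_dns_query(payload)
        if qname:
            leaks.append((dst, qname))
    return leaks

# Constructed capture: a query to the router, a DoH packet to 223.5.5.5, a reply, a query to 8.8.8.8.
SAMPLE_PACKETS = [
    ("192.168.1.10", "192.168.1.1", 53, build_query("www.example.com")),
    ("192.168.1.10", "223.5.5.5", 443, b"\x16\x03\x01\x00\x10TLS-record-sample"),
    ("192.168.1.1", "192.168.1.10", 52111, struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)),
    ("192.168.1.10", "8.8.8.8", 53, build_query("mail.example.org")),
]

if __name__ == "__main__":
    for dst, name in find_leaks(SAMPLE_PACKETS):
        print(f"LEAK: {name} queried in plaintext via {dst}")
```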

To disable it, follow these steps:

  1. Open the Start menu and search for Edit Group Policy and open the corresponding Control Panel.
  2. Navigate to Computer Configuration > Administrative Templates > Network > DNS Client.
  3. Find and click on Turn off smart multi-homed name resolution.
  4. Check the Enabled option in the upper left corner.
  5. Click OK.
(Screenshots: Search for Edit Group Policy; Find relevant options; Click Enabled)

Disable QUIC

QUIC (Quick UDP Internet Connections) is a network transport protocol designed to accelerate data transmission on the Internet and provide faster network connections. Developed by Google, QUIC has been standardized to improve network performance and security. An increasing number of web browsers are beginning to support QUIC to enhance users’ online experiences. However, in certain cases, QUIC can lead to DNS leaks. Therefore, it is recommended to disable QUIC in your web browser.

Since UDP must use real IP in some scenarios, Clash currently sends DNS requests for UDP traffic domains, even when using fake IP mode. For example, the UDP-based QUIC protocol used by browsers for HTTP3 will initiate DNS requests when accessing websites that support QUIC. This can result in DNS leaks. The solution is to disable the QUIC feature in your web browser.
Quoted from Advanced • DNS Shunting Section

As an example, for Microsoft Edge browser, you can enter edge://flags/#enable-quic in the address bar, which will take you to the Experimental QUIC protocol option. Set it to Disabled.

(Screenshot: Disable QUIC)

Disable Browser Secure DNS

Most modern web browsers now enable Secure DNS (DNS over HTTPS) by default. This interferes with TUN mode: the browser's own encrypted DNS queries bypass Clash's DNS hijacking, so the reverse mapping from IP address back to domain name fails.

Taking Microsoft Edge browser as an example, go to Settings > Privacy, search, and services > Security > Use secure DNS to specify how to look up the network address of websites. Turn off the switch.
(Screenshot: Disable Browser Secure DNS)