Clash Global Mode Only Works in Browsers? System Proxy vs. TUN on Windows and macOS
The Symptom: “Global” in the App, Partial in Real Life
You opened a Clash-based client, chose something that reads like Global or System Proxy, and the browser immediately shows the exit IP you expect. Then a desktop game launcher refuses to log in, an IDE cannot reach a package registry, a Microsoft Store app times out, or Steam downloads crawl on a path that clearly is not your node. Nothing feels random—HTTP-heavy tools cooperate, while anything that opens raw TCP or UDP sockets, uses its own TLS stack, or lives in a sandbox may still hug the ISP path.
That pattern is so common that entire forum threads treat it as a mystery bug inside Clash. More often, the client is doing exactly what system proxy mode promises: it registers proxy endpoints with the operating system and waits for programs to volunteer. Browsers are trained from birth to read those tables; many executables are not. Separating user expectation from actual capture layer is the first step before you swap nodes or paste YAML from strangers.
Two Different Meanings of “Global”
In everyday speech, Clash global mode suggests every packet on the machine should exit through your proxy group. In implementation terms, two dominant mechanisms exist. System proxy updates the OS proxy configuration (and sometimes environment variables on Unix) so compliant applications send traffic to a local HTTP or SOCKS inbound. TUN mode adds a virtual network interface and asks the kernel to route matching IP flows into the Mihomo (Clash Meta) core before they leave the machine.
Only the second path looks like true “all programs” coverage for stubborn binaries. The first path looks global in the UI because the toggle is global for settings, not for every process on the computer. If your story starts with “the browser is fine,” always ask which of those two worlds you are actually standing in before reading another paragraph about DNS.
Quick mental model. System proxy is a polite suggestion at the API boundary. TUN is traffic engineering at the IP layer. Games, VoIP, many Electron shells, and some auto-updaters simply never ask the OS proxy APIs—so they never see your polite suggestion.
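The difference between the two kinds of client can be seen on loopback alone. This is an added example, not code from Clash or from this guide: two throwaway listeners stand in for the local proxy inbound and for a remote server, and the hostnames and paths are constructed.

```python
import socket
import threading
import urllib.request

def serve_once(label, seen):
    """One-shot loopback listener; records the first request line it receives."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            first_line = conn.recv(4096).split(b"\r\n")[0].decode()
            seen.append((label, first_line))
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                         b"Connection: close\r\n\r\nok")
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def compare_clients():
    """Return what the stand-in proxy and the stand-in origin each observed."""
    seen = []
    proxy_port = serve_once("proxy", seen)    # stands in for the local proxy inbound
    origin_port = serve_once("origin", seen)  # stands in for a remote game server

    # Proxy-aware client: hands the whole request to the configured proxy.
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": f"http://127.0.0.1:{proxy_port}"}))
    opener.open("http://registry.example.test/pkg", timeout=5).read()

    # Socket-level client: dials the destination itself and never looks up a proxy.
    with socket.create_connection(("127.0.0.1", origin_port), timeout=5) as s:
        s.sendall(b"GET /login HTTP/1.1\r\nHost: game.example.test\r\n\r\n")
        s.recv(4096)
    return seen

if __name__ == "__main__":
    for who, line in compare_clients():
        print(f"{who:6} saw: {line}")
```

The proxy listener only ever sees the request from the client that asked for a proxy; the socket-level request reaches the origin without touching it.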
Step 1: Confirm Which Mode Is Really Active
Open your GUI and read the badges honestly. Many clients show System Proxy: On alongside TUN: Off. That single line already predicts the browser-first symptom. If TUN is off, do not expect parity between Chrome and an arbitrary Win32 binary until you change layers.
Cross-check with the OS. On Windows 11, Settings → Network & Internet → Proxy should list the manual proxy server your client registered when system proxy is enabled. On macOS, System Settings → Network → selected service → Details → Proxies fills the same role. If those panes are empty while the client claims system proxy is active, you may be looking at a failed helper, a second profile undoing changes, or a corporate policy reverting settings on a timer.
Finally, skim the core log for phrases like tun, interface, or permission errors. Silence about TUN usually means the tunnel never came up—which is different from “TUN is broken.” For a deeper tour of how TUN differs from SOCKS and HTTP forwards, read our Clash TUN mode and global proxy guide after you finish the OS-specific sections below.
Windows: More Than One Proxy Table
Windows historically split proxy configuration across several stores. Interactive desktop software often consults WinINET-style settings—the same ones Internet Explorer and Edge surfaced for decades—while background services and some CLI tools rely on WinHTTP. If your client updates only one store, you can get a precise flavor of partial success: the browser follows WinINET; a build service or Windows Update–adjacent component still uses WinHTTP defaults.
Modern Clash GUIs usually synchronize both when you enable system proxy, but third-party security suites, old VPN leftovers, or administrative templates can block writes. When in doubt, verify with official documentation for your fork or use the built-in log viewer rather than guessing registry keys. The goal is simple: ensure the executable you care about actually queries the table your client updated.
Another Windows wrinkle is elevation. A process started as Administrator does not always inherit the same filtered-network context as a standard user session. If your browser runs unelevated but your game runs as admin, mismatched proxy visibility can appear—even before we discuss TUN. Test with both sides at the same integrity level when something feels inconsistent.
Windows UWP, Loopback, and “Blocked from Localhost”
Store-distributed and some packaged applications use the UWP networking stack. By default, Windows restricts UWP apps from connecting to loopback addresses on the same machine unless explicitly allowed. Clash—and other local proxies—listen on 127.0.0.1 or a LAN address. If a UWP client cannot reach that loopback listener, it appears as “ignoring” your proxy while Win32 Chrome works fine.
Developers often enable loopback for specific package family names during testing; end users typically see this solved by switching to TUN mode, which removes the loopback hop from the app’s perspective by pulling traffic earlier in the stack, or by using tooling from the community that registers loopback exemptions. Whether you recognize the acronym UWP loopback or not, the user-visible signature is the same: Microsoft Store or Mail-style apps fail while classic desktop programs succeed.
Pair this section with firewalls: Windows Defender may prompt once for Private networks access. If you declined, the helper binary that installs adapters might be blocked—especially relevant when you later enable TUN and wonder why nothing changed. Revisit Firewall & network protection → Allow an app through firewall and approve the Clash-related executables for the profile you actually use (domain versus public Wi-Fi).
Windows: When System Proxy Is Not Enough, Turn on TUN Correctly
On Windows, functional TUN usually implies Wintun or an equivalent driver, a visible virtual adapter when the tunnel is up, and often a UAC elevation at least once. If you toggled TUN but the adapter never appears, read the log before editing YAML: “access denied” and “failed to create interface” are permission stories, not remote-server stories.
Competing VPN clients deserve an explicit mention. Another product may own default routes or inject filters that starve your tunnel. Disconnect the other VPN, reboot once, and retest Clash TUN alone. If two tunnel drivers fight, the symptom is frequently “some apps work because they accidentally aligned with the winning table,” which again masquerades as randomness.
For Clash Verge-style workflows on desktop, our Clash Verge Rev tutorial for Windows and macOS walks subscriptions and toggles in the same GUI family many readers already use—useful when you know TUN is the goal but the switches are buried three panels deep.
macOS: System Proxy Scope and Browser Alignment
macOS applies proxy settings per network service. If Wi-Fi has proxies but Ethernet does not, docking a laptop can silently change behavior. Safari and Chrome typically follow the active service’s proxy dictionary; command-line tools only honor proxy environment variables if you set them in the shell profile or wrap commands.
Developer utilities that spawn child processes—containers, local Kubernetes, certain IDEs—may bypass macOS proxy settings entirely unless you inject variables per project. Again, this is not Clash failing; it is the process never consulting the same configuration surface your browser uses. Document the gap once, and you stop reopening the same ticket every month.
macOS: TUN Requires Network Extension Approval
Apple treats packet tunneling as a privileged capability. After enabling TUN in a Clash-based app, open System Settings → Privacy & Security and clear any pending Network Extension prompts. Miss the prompt once, and the UI may still show TUN as enabled while the kernel never installs the path—producing an eerie match to the browser-only symptom on a superficial glance.
Keep the application in /Applications rather than launching from the Downloads quarantine folder; helper installation is more reliable there. On Apple Silicon Macs, prefer maintained arm64 builds from trustworthy sources. If Gatekeeper blocks a helper, logs tell you so; do not assume silent failure equals “Apple hates Clash.”
The phrase Network Extension in Release Notes is not marketing—it signals that your client is asking for the modern entitlement path instead of deprecated kernel extensions. If you run an ancient fork still expecting old kexts on a current macOS version, upgrading the app is usually cheaper than patching obsolete plist keys.
TUN Captures Packets; Rules Still Decide the Exit
Students of Mihomo learn quickly that TUN is not a magic “always proxy” flag. If your profile ends with MATCH,DIRECT or a selective GEOIP section that sends most domestic traffic out your ISP, you will observe exactly what looks like a failed global mode: browser traffic hits a rule that forwards to a node, while game traffic matches a broader DIRECT rule. Clash global mode in the UI selects a proxy group for new flows, but YAML semantics still apply—read the file before debating upstream quality.
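A simplified model of first-match rule evaluation shows how a captured flow still ends up on DIRECT. This is an added example, not Mihomo's code: it covers only DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD, IP-CIDR and MATCH, and the rule list, hostnames and addresses are constructed.

```python
import ipaddress

# Constructed rule list (not from a real profile); evaluated top to bottom.
RULES = [
    "DOMAIN-SUFFIX,browser-site.test,PROXY",
    "DOMAIN-KEYWORD,registry,PROXY",
    "IP-CIDR,198.51.100.0/24,PROXY,no-resolve",
    "MATCH,DIRECT",
]

def parse(rule):
    parts = rule.split(",")
    if parts[0] == "MATCH":
        return "MATCH", None, parts[1]
    return parts[0], parts[1], parts[2]  # trailing options (no-resolve) ignored here

def matches(kind, payload, host, ip):
    if kind == "MATCH":
        return True
    if kind == "DOMAIN":
        return host == payload
    if kind == "DOMAIN-SUFFIX":
        return host is not None and (host == payload or host.endswith("." + payload))
    if kind == "DOMAIN-KEYWORD":
        return host is not None and payload in host
    if kind == "IP-CIDR":
        return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(payload)
    return False  # rule types outside this sketch never match

def route(host, ip, rules=RULES):
    """Return (policy, rule_text) of the first matching rule, or (None, None)."""
    for text in rules:
        kind, payload, policy = parse(text)
        if matches(kind, payload, host, ip):
            return policy, text
    return None, None

def caught_only_by_match(flows, rules=RULES):
    """Flows that no specific rule claimed, so the final MATCH chose their exit."""
    return [f for f in flows if (route(*f, rules)[1] or "").startswith("MATCH,")]

# Constructed flows: (hostname or None when only an IP is known, destination IP or None).
FLOWS = [
    ("www.browser-site.test", None),
    ("npm-registry.dev.test", None),
    (None, "203.0.113.40"),   # e.g. a game client dialing an address directly
    (None, "198.51.100.7"),
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", route(*flow))
```

Running `caught_only_by_match` over the destinations of an application that misbehaves shows whether the trailing MATCH rule, rather than the capture mode, is deciding its exit.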
DNS interacts here as well. In system proxy mode without aligned DNS, hostnames can still be resolved through a public resolver, and the IPs it returns may not be classified by your rules the way you expect, particularly alongside fake-ip setups. If you enable TUN, enable the matching DNS hijack options recommended for your core or you will chase phantoms. For rule-order philosophy once capture mode is settled, see the rule-based routing guide.
An Ordered Checklist Before You Blame the Node
One. Identify whether system proxy alone is active. If yes, expect browsers and a subset of CLI tools to work first.
Two. On Windows, consider WinHTTP versus WinINET splits, firewall blocks on helpers, competing VPNs, and UWP loopback limits for Store-style binaries.
Three. On macOS, confirm the active network service, Network Extension approval, and that the app lives in Applications with a healthy helper.
Four. Enable TUN mode with a Mihomo-class core when you need IP-layer capture for games and UDP-heavy stacks. Verify the virtual adapter exists after toggling.
Five. Re-read your rules and DNS stanza so TUN is not faithfully sending traffic to DIRECT by design.
Privacy note. Packet logs can contain domains, routes, and timing that identify you or your employer. Redact before pasting into GitHub issues or chat rooms.
Why This Guide Is Not the WSL2 or Docker Article
Virtualization layers add their own default routes and DNS resolvers. If your symptom is “Windows host works, Linux VM does not,” stop here and open the dedicated Docker Desktop proxy guide or the Windows 11 WSL2 routing article instead. Those flows share vocabulary with TUN but fail for different architectural reasons.
Closing: Pick the Layer That Matches Your Pain
System proxy remains unbeatable for quick browser experiments and environments where installing a tunnel driver is politically or technically blocked—it is lightweight, reversible in seconds, and easy to explain to colleagues. The moment your pain sounds like “everything HTTP works, everything else does not,” you are usually describing its boundary, not discovering a rare Clash bug.
TUN mode meets applications where they already open sockets: at the IP layer, with UDP and TCP both eligible on modern Mihomo cores, subject to correct permissions and coexistence with other VPNs. Compared with wrapping every stubborn executable in a one-off SOCKS injector, a maintained GUI plus a working virtual adapter tends to accumulate fewer Sunday-afternoon surprises—especially when paired with DNS settings that match the tunnel.
Need YAML-level detail after you choose a mode? Visit the documentation hub for structured examples.