Clash TUN Mode Complete Guide: Enable Global Proxy and Fix Apps That Ignore Your Proxy
Why Some Applications Never Use Your “Global” Proxy
When people say they enabled a global proxy inside a Clash-based client, they often mean the app flipped on system proxy: it registers an HTTP or HTTPS (and sometimes SOCKS) endpoint with the operating system so well-behaved programs query WinHTTP, macOS network settings, or the http_proxy environment on Linux. That path is convenient and lightweight, but it is not universal.
Games, VoIP tools, many Electron bundles, custom TLS stacks, and background updaters frequently open raw TCP or UDP sockets without consulting those settings. Command-line utilities may inherit a shell profile that never exported proxy variables. On Windows, UWP and certain services use different networking stacks. The result looks like a mystery: the browser works because it honors the system table, while another executable cheerfully dials out on the physical interface and never touches your Clash inbound port.
TUN mode solves the problem at a different layer. Instead of asking each program to opt in, the kernel routes selected IP packets into a virtual network interface that Clash owns. From the application’s perspective, nothing changed—it still opens a normal socket—but the traffic crosses Clash first, where your rules, groups, and outbound protocols apply. That is why TUN is the practical answer when you need true device-wide coverage rather than “most browsers and a few polite apps.”
TUN Mode Versus System Proxy in One Glance
System proxy mode adjusts OS-level configuration tables and environment hints. It is easy to toggle, usually does not require a driver, and cooperates nicely with corporate tools that already expect an HTTP forwarder. Its weakness is voluntary participation: anything that skips the lookup bypasses the proxy entirely.
TUN mode installs or elevates a tunnel adapter (often backed by Wintun on Windows, a utun-style interface on macOS, or /dev/net/tun on Linux). The core receives packets, classifies them against your rule set, and emits them toward the correct outbound—direct, relay, or remote node. TCP and UDP can both be handled in this pipeline on modern Mihomo (formerly Clash Meta) kernels, which is essential for QUIC, VoIP, and games.
Trade-offs exist. TUN involves more moving parts: elevated permissions, possible coexistence issues with other VPNs, and a stronger requirement that your DNS configuration match the tunnel (misaligned DNS is the root cause of many “connected but nothing resolves” reports). Once you understand both modes, the common setup is rule mode with TUN for coverage, keeping system proxy as an optional fallback for legacy workflows.
Kernel choice. Legacy Clash Premium cores lack several behaviors that providers now assume. Current GUIs bundle Mihomo for good reason. If TUN toggles are greyed out or logs mention missing features, upgrade the app from our download page before chasing YAML ghosts.
What Happens Inside the Stack When TUN Is On
After you enable TUN, the operating system adds a route (or several) that sends traffic matching your policy toward the virtual adapter. Clash reads the IP headers, determines the destination domain when possible—often with the help of fake-ip or redir-host style DNS—and matches the flow against rules. Approved flows are forwarded to the outbound you selected in proxy-groups; DIRECT sends them back to the real interface without looping.
DNS deserves explicit attention. Many profiles enable fake-ip for faster domain rules. In that mode, the client returns synthetic addresses for matching queries so it can capture the subsequent TCP connection and still apply domain-based rules. If the OS or a stubborn app bypasses Clash’s DNS listener, rule quality collapses and you may see leaks or failed connects. Aligning DNS hijack (or equivalent GUI switches) with TUN is not optional polish—it is part of the design.
Loopback traffic and local subnets are usually excluded by default templates so your LAN printers and localhost development servers stay reachable. If you import a minimal config from a random gist, verify those bypass rules still exist before blaming the tunnel.
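As an added illustration (not code from Clash or Mihomo), the following Python model shows why fake-ip keeps domain rules working for connections whose DNS went through Clash, and why a connection whose DNS bypassed Clash can only hit IP or catch-all rules; the FakeIpResolver class, RULES, the pool and the sample addresses are constructed for this example.

```python
import ipaddress

# Constructed pool for this model; profiles commonly set fake-ip-range to 198.18.0.1/16.
FAKE_IP_POOL = ipaddress.ip_network("198.18.0.0/16")

# Constructed rule set: (type, value, outbound), evaluated top to bottom like a Clash profile.
RULES = [
    ("DOMAIN-SUFFIX", "example.com", "Proxy"),
    ("IP-CIDR", "192.168.0.0/16", "DIRECT"),
    ("MATCH", None, "DIRECT"),
]


class FakeIpResolver:
    """Model of a fake-ip DNS listener plus the rule lookup done on each captured connect."""

    def __init__(self, rules):
        self.rules = rules
        self.by_domain, self.by_ip = {}, {}
        self._hosts = FAKE_IP_POOL.hosts()
        next(self._hosts)  # modelling choice: keep the first host free for the gateway

    def resolve(self, domain):
        """Answer an A query with a synthetic address, remembering which domain it stands for."""
        if domain not in self.by_domain:
            fake = str(next(self._hosts))
            self.by_domain[domain], self.by_ip[fake] = fake, domain
        return self.by_domain[domain]

    def route(self, dst_ip):
        """Pick the outbound for a connection the TUN adapter just captured."""
        domain = self.by_ip.get(dst_ip)  # None when the app resolved outside Clash
        addr = ipaddress.ip_address(dst_ip)
        for kind, value, target in self.rules:
            if kind == "DOMAIN-SUFFIX" and domain and (domain == value or domain.endswith("." + value)):
                return target
            if kind == "IP-CIDR" and addr in ipaddress.ip_network(value):
                return target
            if kind == "MATCH":
                return target
        return "DIRECT"  # fallback in this model when no rule matched


if __name__ == "__main__":
    r = FakeIpResolver(RULES)
    fake = r.resolve("api.example.com")      # DNS went through Clash
    print(fake, r.route(fake))               # 198.18.0.2 Proxy
    print(r.route("93.184.216.34"))          # DIRECT: the domain rule never fired (leak)
```

The second connect() shows the failure mode: the app fetched a real address from a public resolver, so the tunnel sees only an IP and the DOMAIN-SUFFIX rule is silently skipped.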
Turning TUN On from a Typical GUI
Exact labels differ, but the pattern repeats: open Settings or Network, locate TUN Mode, Virtual NIC, or Enhanced Mode, and enable it. The first launch often triggers an administrator or helper install prompt to place the driver or network extension.
After activation, confirm three signals: the virtual adapter appears in the OS network list, the Clash dashboard shows elevated throughput on TUN, and a test client that previously ignored proxies now traverses your node (watch latency or server-side IP). If only the browser changes behavior, you are still on system proxy.
For a desktop-oriented tour that contrasts Verge’s switches with everyday tasks, pair this article with our Clash Verge Rev tutorial for Windows and macOS. It walks subscriptions and mode selection in the same ecosystem you will use for TUN.
Windows: Wintun, Services, and Security Software
Modern Clash GUIs on Windows typically rely on Wintun, a lightweight kernel driver. The installer or first-run elevation registers that driver; if you declined UAC once, subsequent toggles may silently fail. Open the adapter list in Control Panel or Settings and confirm a Clash-related interface exists when TUN is active.
Third-party antivirus and “internet security” suites sometimes block new adapters or classify the helper as suspicious. Create an explicit allow rule for your Clash executable and its service binary rather than disabling protection globally. Corporate Device Guard policies can also prohibit tunnel drivers—there is no YAML workaround for that class of restriction.
Another Windows-specific footgun is a second VPN client that owns all traffic. Disconnect competing VPNs before testing. If you must chain tools, understand which product wins the routing table; the last writer usually prevails until reboot.
macOS: Approvals, Network Extensions, and SIP
Apple treats packet tunneling as a sensitive capability. After enabling TUN, visit System Settings → Privacy & Security and approve any pending Network Extension or Filter prompts. Without that click, the GUI may show TUN as on while the kernel never forwards packets.
Some distributions ship a privileged helper that must survive Gatekeeper. If the app lives in Downloads instead of Applications, helper installation can fail in subtle ways. Drag the bundle to Applications, rerun, and restart once.
On Apple Silicon, Rosetta is rarely required for maintained clients, but mixed architectures in plugin folders can confuse first launch. Prefer official builds from the vendor or our curated download page to avoid tampered binaries.
Linux: Capabilities, systemd, and Namespaces
Headless Mihomo with TUN traditionally required root or CAP_NET_ADMIN. Desktop GUIs may use PolicyKit to acquire privileges for you. If you run under systemd, confirm the unit grants the capability set the documentation lists; otherwise the tunnel interface never appears.
Containerized development environments (Docker, LXC) add another dimension. Traffic from a container may not traverse the host TUN unless you forward accordingly. For ordinary desktop use, stick to a single active tunnel owner and avoid nested network namespaces until you have a diagram of who routes what.
Distro maintainers occasionally ship kernels without TUN modules in minimal images; install the standard tun package or module before debugging Clash itself.
Android: VPNService, Battery Limits, and Split Apps
Android does not expose a generic TUN toggle like desktop OSes. Instead, Clash-compatible apps request VPNService permission, which allocates a virtual interface functionally similar to TUN for user-space VPNs. Grant the connection prompt, then verify the key icon appears in the status bar during operation.
OEM battery optimizers kill background cores aggressively. If subscriptions update but the tunnel drops in sleep, whitelist the client. For a full mobile workflow including imports, read our FlClash Android guide.
Per-app split tunneling features, when enabled accidentally, produce the same symptom as a broken desktop rule: only some processes use the tunnel. Reset to full-device mode when testing.
Configuration Expectations (Without Locking You to One Fork)
Most maintained cores expect a tun section when you manage raw YAML. A representative skeleton enables the stack, sets a private IPv4 block, and chooses a stack implementation:
tun:
  enable: true
  stack: system          # system, gvisor, or mixed depending on the core build
  auto-route: true       # let the core add the routes that steer traffic into the adapter
  strict-route: false
  dns-hijack:
    - any:53             # capture DNS on every address so domain rules see query names
Keys vary slightly between releases; treat this as conceptual. GUI toggles often write equivalent fields for you. If you import a profile from a provider, they may ship TUN off by default—flipping only the client switch is enough until you need custom hijack lists or MTU tweaks.
After editing YAML manually, always validate indentation. A two-space error under tun: prevents the entire block from parsing, and the core falls back to non-tunnel behavior without an obvious banner in some GUIs.
Rules, Fake-IP, and When Traffic Still Leaks
TUN captures packets, but rules decide the path. A catch-all MATCH entry pointing to DIRECT will send “global tunnel” traffic straight to your ISP. Likewise, misconfigured GEOIP or private IP lists can direct more than you intended through an expensive node.
DNS leakage is not the same as IP leakage, but both undermine the goal. If the OS still talks to a public resolver outside Clash, domains can resolve to addresses your rules never see. Enable hijack options in the client, or set the OS DNS to the local Clash inbound while the tunnel is active.
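To check a profile for the pitfalls this section and the configuration section describe, here is an added Python audit (not part of any Clash client or provider tooling) that inspects the dict PyYAML's yaml.safe_load() returns for a config file; SAMPLE_CONFIG, PRIVATE_BLOCKS and the finding texts are constructed for illustration.

```python
import ipaddress

# Constructed sample: what yaml.safe_load() returns for a minimal profile; it keeps
# two mistakes discussed above (MATCH,DIRECT and missing private-range bypasses).
SAMPLE_CONFIG = {
    "tun": {"enable": True, "stack": "system", "auto-route": True,
            "strict-route": False, "dns-hijack": ["any:53"]},
    "dns": {"enable": True, "enhanced-mode": "fake-ip"},
    "rules": [
        "DOMAIN-SUFFIX,example.com,Proxy",
        "IP-CIDR,192.168.0.0/16,DIRECT,no-resolve",
        "MATCH,DIRECT",
    ],
}
# Loopback and RFC 1918 blocks a sane template sends to DIRECT so LAN devices stay reachable.
PRIVATE_BLOCKS = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def direct_cidrs(rules):
    """Return the networks that IP-CIDR rules explicitly route to DIRECT."""
    nets = []
    for rule in rules:
        parts = [p.strip() for p in rule.split(",")]
        if len(parts) >= 3 and parts[0] == "IP-CIDR" and parts[2].upper() == "DIRECT":
            nets.append(ipaddress.ip_network(parts[1], strict=False))
    return nets

def audit_config(cfg):
    """Return human-readable findings for a parsed profile; an empty list means nothing flagged."""
    findings = []
    tun = cfg.get("tun") or {}
    if tun.get("enable") is not True:
        findings.append("tun.enable is not true: the core runs without the tunnel")
    if not any(str(h).endswith(":53") for h in tun.get("dns-hijack") or []):
        findings.append("tun.dns-hijack does not cover port 53: the OS resolver can bypass Clash DNS")
    if not (cfg.get("dns") or {}).get("enable"):
        findings.append("dns.enable is false: domain rules cannot see query names")
    rules = [str(r) for r in cfg.get("rules") or []]
    match = [r for r in rules if r.startswith("MATCH,")]
    if match and match[-1].split(",")[1].strip().upper() == "DIRECT":
        findings.append("catch-all MATCH routes to DIRECT: unmatched tunnel traffic goes to the ISP")
    covered = [c for c in direct_cidrs(rules) if c.version == 4]
    for block in PRIVATE_BLOCKS:
        if not any(ipaddress.ip_network(block).subnet_of(c) for c in covered):
            findings.append(f"{block} has no DIRECT bypass rule: LAN or loopback traffic may enter the tunnel")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run it against your own profile by replacing SAMPLE_CONFIG with yaml.safe_load(open("config.yaml")); an indentation slip under tun: shows up as the first finding because the whole block fails to parse into a mapping.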
For deeper routing theory once TUN is stable, our rule-based routing guide explains how DOMAIN, IP-CIDR, and logical groups interact.
Troubleshooting Checklist That Actually Saves Time
No connectivity at all. Disable TUN, confirm plain system proxy or direct internet works, then re-enable. Check logs for permission denied, route add failed, or missing driver messages.
Sites load in browser but not in IDE or CLI. Those tools may ignore system proxy; TUN should fix them. If not, verify they are not pinned to a fixed interface or using raw link-local discovery that bypasses IPv4 routes you expect.
DNS timeouts. Align hijack settings, try redir-host versus fake-ip temporarily for diagnosis, and ensure no other resolver fights port 53.
Speed collapses. MTU issues on certain Wi-Fi chipsets appear as severe slowdowns through TUN. Some GUIs expose MTU sliders; others require YAML. Test with wired Ethernet to separate radio quirks from proxy overhead.
Do not post full logs publicly. They contain interface names, rule snippets, and occasionally subscription hostnames. Redact before sharing in community threads.
Before You Tune TUN, Confirm the Profile Loads
TUN cannot invent upstream nodes. If your subscription failed to fetch, you are debugging an empty profile, not a tunnel driver. Walk through the multi-platform subscription import guide first so proxies and proxy-groups exist, then return to TUN for coverage.
Choosing the Right Tool for the Job
System proxy mode remains excellent for quick browser tests and environments where installing a tunnel driver is politically impossible. When your real pain is “this one executable ignores everything,” TUN is the architectural fix: it meets applications where they already are, at the IP layer, instead of hoping they implement PAC or environment lookups correctly.
Compared with juggling ad hoc SOCKS injectors or wrapper scripts for every stubborn binary, a maintained Clash GUI with Mihomo, sane DNS defaults, and a working TUN stack tends to feel calmer day to day—fewer mystery leaks, clearer logs, and one place to flip global behavior when the network changes.
Ready for YAML details beyond TUN? Browse the documentation hub for next steps.