Clash
A rule-based tunnel in Go.
Features
- Local HTTP/HTTPS/SOCKS server with authentication support
- VMess, Shadowsocks, Trojan, Snell protocol support for remote connections
- Built-in DNS server that aims to minimize DNS pollution attack impact, supports DoH/DoT upstream and fake IP.
- Rules based off domains, GEOIP, IPCIDR or Process to forward packets to different nodes
- Remote groups allow users to implement powerful rules. Supports automatic fallback, load balancing or auto select node based off latency
- Remote providers, allowing users to get node lists remotely instead of hardcoding in config
- Netfilter TCP redirecting. Deploy Clash on your Internet gateway with
iptables
. - Comprehensive HTTP RESTful API controller
Getting Started
Documentations are now moved to GitHub Wiki.
Advanced usage for this branch
TUN configuration
Supports macOS, Linux and Windows.
On Windows, you should download the Wintun driver and copy wintun.dll
into Clash home directory.
# Enable the TUN listener
tun:
enable: true
stack: system # system or gvisor
dns-listen: 0.0.0.0:53 # additional dns server listen on TUN
auto-route: true # auto set global route
Rules configuration
- Support rule
GEOSITE
. - Support
multiport
condition for ruleSRC-PORT
andDST-PORT
. - Support not match condition for rule
GEOIP
. - Support
network
condition for all rules. - Support source IPCIDR condition for all rules, just append to the end.
The GEOSITE
databases via https://github.com/Loyalsoldier/v2ray-rules-dat.
rules:
# network condition for all rules
- DOMAIN-SUFFIX,bilibili.com,DIRECT,tcp
- DOMAIN-SUFFIX,bilibili.com,REJECT,udp
# multiport condition for rules SRC-PORT and DST-PORT
- DST-PORT,123/136/137-139,DIRECT,udp
# rule GEOSITE
- GEOSITE,category-ads-all,REJECT
- GEOSITE,icloud@cn,DIRECT
- GEOSITE,apple@cn,DIRECT
- GEOSITE,apple-cn,DIRECT
- GEOSITE,microsoft@cn,DIRECT
- GEOSITE,facebook,PROXY
- GEOSITE,youtube,PROXY
- GEOSITE,geolocation-cn,DIRECT
- GEOSITE,gfw,PROXY
- GEOSITE,greatfire,PROXY
#- GEOSITE,geolocation-!cn,PROXY
- GEOIP,telegram,PROXY,no-resolve
- GEOIP,private,DIRECT,no-resolve
- GEOIP,cn,DIRECT
# Not match condition for rule GEOIP
#- GEOIP,!cn,PROXY
# source IPCIDR condition for all rules in gateway proxy
#- GEOIP,!cn,PROXY,192.168.1.88/32,192.168.1.99/32
- MATCH,PROXY
Proxies configuration
Support outbound transport protocol VLESS
.
The XTLS only support TCP transport by the XRAY-CORE.
proxies:
- name: "vless-tcp"
type: vless
server: server
port: 443
uuid: uuid
network: tcp
servername: example.com # AKA SNI
# flow: xtls-rprx-direct # xtls-rprx-origin # enable XTLS
# skip-cert-verify: true
- name: "vless-ws"
type: vless
server: server
port: 443
uuid: uuid
udp: true
network: ws
servername: example.com # priority over wss host
# skip-cert-verify: true
ws-path: /path
ws-headers:
Host: example.com
IPTABLES auto-configuration
Only work on Linux OS who support iptables
, Clash will auto-configuration iptables for tproxy listener when tproxy-port
value isn't zero.
If TPROXY
is enabled, the TUN
must be disabled.
# Enable the TPROXY listener
tproxy-port: 9898
# Disable the TUN listener
tun:
enable: false
Create user given name clash
.
Run Clash by user clash
as a daemon.
Create the systemd configuration file at /etc/systemd/system/clash.service:
[Unit]
Description=Clash daemon, A rule-based proxy in Go.
After=network.target
[Service]
Type=simple
User=clash
Group=clash
CapabilityBoundingSet=cap_net_admin
AmbientCapabilities=cap_net_admin
Restart=always
ExecStart=/usr/local/bin/clash -d /etc/clash
[Install]
WantedBy=multi-user.target
Launch clashd on system startup with:
$ systemctl enable clash
Launch clashd immediately with:
$ systemctl start clash
Display Process name
Add field Process
to Metadata
and prepare to get process name for Restful API GET /connections
.
To display process name in GUI please use https://yaling888.github.io/yacd/.
Premium Release
Development
If you want to build an application that uses clash as a library, check out the the GitHub Wiki
Credits
License
This software is released under the GPL-3.0 license.