Clash : A Rule

Clash a rule-based tunnel in Go.

Features

Premium Features

Getting Started

You can either grab the pre-built binaries of Clash from https://github.com/Dreamacro/clash/releases or build locally.Clash requires Golang 1.17 or a higher version.

$ go install github.com/Dreamacro/clash@latest

The binary is built under $GOPATH/bin

$ clash -v

You can now move forward to the next chapters of this wiki in which we’ll cover the configuration syntax of Clash.

configuration

Introduction

Clash uses YAML, YAML Ain’t Markup Language, for configuration files. YAML is designed to be easy to be read, be written, and be interpreted by computers, and is commonly used for exact configuration files. In this chapter, we’ll cover the common features of Clash and how they should be used and configured.

Clash works by opening HTTP, SOCKS5, or the transparent proxy server on the local end. When a request, or say packet, comes in, Clash routes the packet to different remote servers (“nodes”) with either VMess, Shadowsocks, Snell, Trojan, SOCKS5 or HTTP protocol.

All Configuration Options

Port of HTTP(S) proxy server on the local endport: 7890Port of SOCKS5 proxy server on the local endsocks-port: 7891Transparent proxy server port for Linux and macOS (Redirect TCP and TProxy UDP)redir-port: 7892Transparent proxy server port for Linux (TProxy TCP and TProxy UDP)tproxy-port: 7893HTTP(S) and SOCKS4(A)/SOCKS5 server on the same portmixed-port: 7890authentication of local SOCKS5/HTTP(S) serverauthentication:“user1:pass1”“user2:pass2”Set to true to allow connections to the local-end server fromother LAN IP addressesallow-lan: falseThis is only applicable when allow-lan is truebind all IP addresses192.168.122.11: bind a single IPv4 address[aaaa::a8aa:ff:fe09:57d8]”: bind a single IPv6 addressbind-address: ‘*’Clash router working moderule: rule-based packet routingglobal: all packets will be forwarded to a single endpointdirect: directly forward the packets to the Internetmode: ruleClash by default prints logs to STDOUTinfo / warning / error / debug / silentlog-level: infoWhen set to false, resolver won’t translate hostnames to IPv6 addressesipv6: falseRESTful web API listening addressexternal-controller: 127.0.0.1:9090A relative path to the configuration directory or an absolute path to adirectory in which you put some static web resource. Clash core will thenserve it at http://{{external-controller}}/ui.external-ui: folderSecret for the RESTful API (optional)Authenticate by spedifying HTTP header Authorization: Bearer ${secret}ALWAYS set a secret if RESTful API is listening on 0.0.0.0secret: “”Outbound interface nameinterface-name: en0Static hosts for DNS server and connection establishment (like /etc/hosts)Wildcard hostnames are supported (e.g. *.clash.dev, .foo..example.com)Non-wildcard domain names have a higher priority than wildcard domain namese.g. foo.example.com > .example.com > .example.com P.S. +.foo.com equals to .foo.com and foo.com hosts: clash.dev’: 127.0.0.1 dev’: 127.0.0.1 ‘alpha.clash.dev’: ‘::1’ profile: Store the select results in $HOME/.config/clash/.cache set false If you don’t want this behavior when two different configurations have groups with the same name, the selected values are shared store-selected: false DNS server settings This section is optional. When not present, the DNS server will be disabled. dns: enable: false listen: 0.0.0.0:53 ipv6: false # when the false, response to AAAA questions will be empty These nameservers are used to resolve the DNS nameserver hostnames below. Specify IP addresses only default-nameserver: – 114.114.114.114 – 8.8.8.8 enhanced-mode: redir-host # or fake-ip fake-ip-range: 198.18.0.1/16 # Fake IP addresses pool CIDR use-hosts: true # lookup hosts and return IP record Hostnames in this list will not be resolved with fake IPs i.e. questions to these domain names will always be answered with their real IP addresses fake-ip-filter: ‘.lan’localhost.ptlogin2.qq.comSupports UDP, TCP, DoT, DoH. You can specify the port to connect to.All DNS questions are sent directly to the nameserver, without proxiesinvolved. Clash answers the DNS question with the first result gathered.nameserver:114.114.114.114 # default value8.8.8.8 # default valuetls://dns.rubyfish.cn:853 # DNS over TLShttps://1.1.1.1/dns-query # DNS over HTTPSdhcp://en0 # dns from dhcpWhen fallback is present, the DNS server will send concurrent requeststo the servers in this section along with servers in nameservers.The answers from fallback servers are used when the GEOIP countryis not CN.fallback:– tcp://1.1.1.1If IP addresses resolved with servers in nameservers are in the specifiedsubnets below, they are considered invalid and results from fallbackservers are used instead.IP address resolved with servers in nameserver is used whenfallback-filter.geoip is true and when GEOIP of the IP address is CN.If fallback-filter.geoip is false, results from nameserver nameserversare always used if not match fallback-filter.ipcidr.This is a countermeasure against DNS pollution attacks.fallback-filter:geoip: truegeoip-code: CNipcidr:– 240.0.0.0/4domain:– ‘+.google.com’– ‘+.facebook.com’– ‘+.youtube.com’Lookup domains via specific nameserversnameserver-policy:‘www.baidu.com’: ‘114.114.114.114’‘+.internal.crop.com’: ‘10.0.0.1’proxies:# Shadowsocks# The supported ciphers (encryption methods):# aes-128-gcm aes-192-gcm aes-256-gcm# aes-128-cfb aes-192-cfb aes-256-cfb# aes-128-ctr aes-192-ctr aes-256-ctr# rc4-md5 chacha20-ietf xchacha20# chacha20-ietf-poly1305 xchacha20-ietf-poly1305name: “ss1”type: ssserver: serverport: 443cipher: chacha20-ietf-poly1305password: “password”# udp: truename: “ss2”type: ssserver: serverport: 443cipher: chacha20-ietf-poly1305password: “password”plugin: obfsplugin-opts:mode: tls # or http# host: bing.comname: “ss3”type: ssserver: serverport: 443cipher: chacha20-ietf-poly1305password: “password”plugin: v2ray-pluginplugin-opts:mode: websocket # no QUIC now# tls: true # wss# skip-cert-verify: true# host: bing.com# path: “/”# mux: true# headers:# custom: valuevmess# cipher support auto/aes-128-gcm/chacha20-poly1305/nonename: “vmess”type: vmessserver: serverport: 443uuid: uuidalterId: 32cipher: auto# udp: true# tls: true# skip-cert-verify: true# servername: example.com # priority over wss host# network: ws# ws-opts:# path: /path# headers:# Host: v2ray.com# max-early-data: 2048# early-data-header-name: Sec-WebSocket-Protocolname: “vmess-h2”type: vmessserver: serverport: 443uuid: uuidalterId: 32cipher: autonetwork: h2tls: trueh2-opts:host:– http.example.com– http-alt.example.compath: /name: “vmess-http”type: vmessserver: serverport: 443uuid: uuidalterId: 32cipher: auto# udp: true# network: http# http-opts:# # method: “GET”# # path:# # – ‘/’# # – ‘/video’# # headers:# # Connection:# # – keep-alivename: vmess-grpcserver: serverport: 443type: vmessuuid: uuidalterId: 32cipher: autonetwork: grpctls: trueservername: example.com# skip-cert-verify: truegrpc-opts:grpc-service-name: “example”socks5name: “socks”type: socks5server: serverport: 443# username: username# password: password# tls: true# skip-cert-verify: true# udp: truehttpname: “http”type: httpserver: serverport: 443# username: username# password: password# tls: true # https# skip-cert-verify: true# sni: custom.comSnellBeware that there’s currently no UDP support yetname: “snell”type: snellserver: serverport: 44046psk: yourpsk# version: 2# obfs-opts:# mode: http # or tls# host: bing.comTrojanname: “trojan”type: trojanserver: serverport: 443password: yourpsk# udp: true# sni: example.com # aka server name# alpn:# – h2# – http/1.1# skip-cert-verify: truename: trojan-grpcserver: serverport: 443type: trojanpassword: “example”network: grpcsni: example.com# skip-cert-verify: trueudp: truegrpc-opts:grpc-service-name: “example”ShadowsocksR# The supported ciphers (encryption methods): all stream ciphers in ss# The supported obfses:# plain http_simple http_post# random_head tls1.2_ticket_auth tls1.2_ticket_fastauth# The supported supported protocols:# origin auth_sha1_v4 auth_aes128_md5# auth_aes128_sha1 auth_chain_a auth_chain_bname: “ssr”type: ssrserver: serverport: 443cipher: chacha20-ietfpassword: “password”obfs: tls1.2_ticket_authprotocol: auth_sha1_v4# obfs-param: domain.tld# protocol-param: “#”# udp: trueproxy-groups:# relay chains the proxies. proxies shall not contain a relay. No UDP support.# Traffic: clash http vmess ss1 ss2 Internetname: “relay”type: relayproxies:– http– vmess– ss1– ss2url-test select which proxy will be used by benchmarking speed to a URL.name: “auto”type: url-testproxies:– ss1– ss2– vmess1# tolerance: 150# lazy: trueurl: ‘http://www.gstatic.com/generate_204’interval: 300fallback selects an available policy by priority. The availability is tested by accessing an URL, just like an auto url-test group.name: “fallback-auto”type: fallbackproxies:– ss1– ss2– vmess1url: ‘http://www.gstatic.com/generate_204’interval: 300load-balance: The request of the same eTLD+1 will be dial to the same proxy.name: “load-balance”type: load-balanceproxies:– ss1– ss2– vmess1url: ‘http://www.gstatic.com/generate_204’interval: 300# strategy: consistent-hashing # or round-robinselect is used for selecting proxy or proxy groupyou can use RESTful API to switch proxy is recommended for use in GUI.name: Proxytype: select# disable-udp: trueproxies:– ss1– ss2– vmess1– autoname: UseProvidertype: selectuse:– provider1proxies:Proxy– DIRECTproxy-providers:provider1:type: httpurl: “url”interval: 3600path: ./provider1.yamlhealth-check:enable: trueinterval: 600# lazy: trueurl: http://www.gstatic.com/generate_204test:type: filepath: /test.yamlhealth-check:enable: trueinterval: 36000url: http://www.gstatic.com/generate_204rules:DOMAIN-SUFFIX,google.com,auto

Specifying Configuration Directory

If not otherwise specified, Clash by default reads the configuration file at $HOME/.config/clash/config.yaml. If it doesn’t exist, Clash will generate the default settings.

You can use command-line option -d to specify a configuration directory:

$ clash -d . # current directory$ clash -d /etc/clash

You can use command-line option -f to specify a configuration:

$ clash -f ./config.yaml # current directory$ clash -f /etc/clash/config.yaml

Syntax

DNS

The DNS server shipped with Clash aims to minimize DNS pollution attack impact and improve network performance. There are two modes for it to work: redir-host and fake-ip. The biggest difference between the two is how IP addresses are resolved and how the connections are established.

redir-host

This is more of a traditional way of how proxies work. In this mode, depending on the settings in dns.nameserver, dns.fallback and dns.fallback-filter, the destination FQDN are resolved in several different ways. The first result received by Clash DNS module will be sent back to the client. The client can then establish a connection to the said IP address through Clash.

fake-ip

The concept of “fake IP” addresses is originated from RFC 3089:

A “fake IP” address is used as a key to look up the corresponding “FQDN” information.

When a DNS request is sent to the DNS server, Clash allocates a free fake IP address in the fake IP address pool, a mapping table that manages mappings between the FQDN and “fake IP” address. Note that the IP addresses in the fake IP address pool should never be used in real communications. The default CIDR for the pool is a reserved IPv4 address space 198.18.0.1/16, which can be changed in dns.fake-ip-range.

Clash will then lookup the FQDN and check the GEOIP for the IP address, this is merely for the rules (like GEOIP). When a request to the said, “fake IP” address is sent to Clash, Clash establishes a connection to the FQDN linked with the “fake IP” through a SOCKS5, Shadowsocks (or other protocols) server.

Proxy Groups

Proxy Groups are groups of proxies that you can utilize some special features of Clash to manage and make use of.

Proxy Providers

Proxy Providers give users the power to load proxy server lists dynamically, instead of hardcoding them in the configuration file. There are currently two sources for a proxy provider to load server list from:

Health check is available for both modes, and works exactly like fallback in Proxy Groups. The configuration format for the server list files is also exactly the same in the main configuration file:

#config.yamlproxy-providers:provider1:type: httpurl: “url”interval: 3600path: ./provider1.yamlhealth-check:enable: trueinterval: 600# lazy: trueurl: http://www.gstatic.com/generate_204test:type: filepath: /test.yamlhealth-check:enable: trueinterval: 36000url: http://www.gstatic.com/generate_204

test.yamlproxies:

Rules

Available keywords:

There are two additional special policies:

A policy can be either DIRECT, REJECT, a proxy group or a proxy server.

no-resolve

no-resolve is an additional option for GEOIP, IP-CIDR, or IP-CIDR6 rules. Append ,no-resolve to these rules to enable. Clash by default translates the domain names to IP addresses when encountering IP rules. Clash skips the IP rules with this option enabled when encountering packets that have an FQDN target.