Smart rule engine, 12+ proxy protocols, TUN mode, automatic failover... every feature is designed for one goal: precise, stable, and high-speed network connectivity.
From a lightweight kernel to fine-grained control, every Clash feature is built for real-world scenarios.
The rule engine is the heart of Clash. It supports multi-dimensional matching based onDomain (exact/suffix/keyword)、IP Ranges (IPv4/IPv6)、GeoIP (location)、Process Name (PROCESS-NAME), and more. It evaluates each connection's priority to determine the outbound strategy: Direct, Proxy, or Reject. Domestic sites stay fast via direct connection, while global traffic is stabilized via proxy—all without manual switching.
Powered by the Mihomo core, Clash is compatible with all major protocols including Shadowsocks, VMess, VLESS, Trojan, Hysteria 2, TUIC, and WireGuard. Seamlessly connect via provider subscriptions or self-built nodes.
View Full Protocol ListBuilt with Go, the Goroutine concurrency model ensures extremely low memory usage (typically <50 MB) and supports high-concurrency connections, ensuring stable, high-speed performance even in weak or complex networks.
By creating a virtual network interface, TUN mode intercepts all system TCP/UDP traffic, solving the pain point of git、npm、pip、curl and other terminal tools not being proxied.
Subscribe to rule-providers third-party maintained rule lists (ad filtering, streaming unlock, etc.) with automatic updates. Keep your rule sets up-to-date without manual effort.
The Clash core (Mihomo) and all clients (Clash Verge Rev, FlClash, etc.) are hosted on GitHub under the GPL-3.0 license. The code is public and auditable, with zero subscription fees, no feature walls, and zero ads. All advanced features are ready to use out of the box.
Clash's rule engine matches connection requests line-by-line by priority, determining where traffic goes—direct for domestic, proxied for global, or blocked. Its precision far exceeds traditional VPNs.
DOMAIN
Matches the full domain exactly. If hit, the specified strategy is used without DNS resolution, ensuring the lowest latency.
DOMAIN-SUFFIX
Matches a domain and all its subdomains, e.g., .github.io covers all GitHub Pages.
DOMAIN-KEYWORD
Fuzzy matching based on keywords. Ideal for blocking ad domains or covering similar services in bulk.
IP-CIDR
Matches IPv4/IPv6 CIDR ranges exactly.
GEOIP CN
Automatically identifies domestic IPs via an internal GeoIP database for zero-maintenance "direct for domestic" routing.
PROCESS-NAME
Fine-grained control by process name, e.g., forcing git、npm through a proxy while the browser remains independent.
DST-PORT
Matches by destination port, e.g., routing all port 443 traffic through an HTTPS proxy.
RULE-SET
Reference remote rule set files (YAML/Text) with automatic periodic updates. Subscribe once for ad filtering or streaming unlock.
MATCH
A must-have rule at the end of your config to catch all unmatched traffic, ensuring every request has a clear exit.
Regardless of your provider or self-built node, Clash (Mihomo core) offers native support without extra plugins or converters.
The most widely used open-source encrypted proxy protocol. Clash fully supports Shadowsocks (including AEAD) and SSR, compatible with almost all providers. A top choice for beginners.
The V2Ray protocol suite. VMess offers built-in encryption; VLESS is lighter, relying on TLS and utilizing Vision flow control for high throughput.
Disguises traffic as standard TLS via port 443. Characteristics are highly similar to normal HTTPS, providing strong interference resistance.
A next-gen high-performance protocol based on QUIC. Maintains high throughput even in weak networks with high packet loss and latency. Superior to TCP.
Also QUIC-based, designed for high concurrency and low latency. 0-RTT connection speed is extremely fast, ideal for real-time applications.
An enhanced TLS disguise for VLESS, using real domain TLS certificates to mask traffic. Extremely difficult to identify via Deep Packet Inspection (DPI).
A modern, high-performance VPN protocol integrated into the Clash rule system. Can be used as a proxy tunnel, ideal for self-built nodes.
A lightweight proxy protocol designed for the Surge/Clash ecosystem. Very low latency, ideal for high-frequency interactions.
Compatible with traditional HTTP and SOCKS5 proxy protocols. Supports older tools and corporate intranet proxies with full backward compatibility.
Proxy groups determine which node is used once a rule is matched. Four strategies cater to different scenarios.
type: select
The most flexible group. Manually select the current node or proxy group in the client UI. The standard mode for daily use, supporting quick region switching.
type: url-test
Periodically measures latency to a specific URL for all nodes in the group. Automatically switches and remains connected to the lowest latency node.
type: fallback
Prioritizes the first available node in sequence. Automatically and seamlessly switches to a backup node if the primary is unreachable, maximizing stability.
type: load-balance
Distributes different connections across multiple nodes in the group to increase overall concurrency and throughput. Ideal for high-bandwidth users.
Traditional system proxies only handle requests via HTTP/HTTPS. Terminal tools (like git clone、npm install、curl、pip) often bypass system proxies, leading to connection issues.
TUN mode creates a virtual network interface to intercept all system-level TCP and UDP traffic. This solves the terminal proxy issue—all network requests from all processes pass through the Clash rule engine. Its precision and coverage far exceed traditional system proxies.
Regardless of your device, there's a Clash client for it. Reuse configurations across platforms and sync updates everywhere via a single subscription link.
Recommended:Clash Verge Rev
Recommended:Clash Verge Rev
Recommended:FlClash
Recommended:Stash · Shadowrocket
Recommended:Clash Verge Rev
Open source is more than a slogan; it's a commitment to every user's privacy and security.
The Clash core (Mihomo) and all official clients are hosted on GitHub. Any developer can fork, audit, compile, and modify the code—no need to trust a "black box." Unlike closed-source tools, you can verify yourself that no data is recorded or sold.
Visit Mihomo GitHub RepositoryEvery feature of Clash has been completely free since day one. No "Pro versions," no locked features, and no monthly subscriptions. All users enjoy the same full experience.
Over 100 contributors worldwide continuously improve the core and clients. Community feedback directly drives new features, with bug fixes far outpacing closed-source software.
Adhering to the GPL-3.0 license, any derivative version of Clash must also be open-source, ensuring the ecosystem remains open and user rights are protected.
Download the Clash client for free, complete setup in 5 minutes, and enjoy a stable, high-speed connection instantly.