Overview
The TUN device lets Clash capture traffic at the network layer instead of relying only on application-level HTTP or SOCKS proxy settings. It is useful when an application ignores system proxy settings.
When to use it
Use TUN when browsers work but native applications, game launchers, terminals or package managers do not follow the proxy. TUN can provide more complete coverage, but it also requires system permissions and careful DNS settings.
Configuration notes
- Run the client with the required system permission.
- Keep DNS mode consistent with the routing strategy.
- Exclude local networks and captive portal domains when needed.
- Disable conflicting VPN or network filter tools before testing.
Support checks
If TUN causes a full network outage, turn it off, restore system proxy settings, then re-enable it with a minimal profile. Check routes, DNS and firewall prompts before blaming the node.
Reference examples
These examples mirror the corresponding Chinese documentation page so the English page carries the same configuration material.
interface-name: en0 # conflicts with tun.auto-detect-interface; set only one

tun:
  enable: true
  stack: system # or gvisor
  # dns-hijack:
  #   - 8.8.8.8:53
  #   - tcp://8.8.8.8:53
  #   - any:53
  #   - tcp://any:53
  auto-route: true # manage `ip route` and `ip rules`
  auto-redir: true # manage nftables REDIRECT
  auto-detect-interface: true # conflicts with interface-name; set only one

sudo ./clash

tun:
  enable: true
  stack: gvisor # or system
  dns-hijack:
    - 198.18.0.2:53 # resolver address to hijack when fake-ip-range is 198.18.0.1/16
  auto-route: true # let Clash install the routes into the TUN device
  auto-detect-interface: true # or set interface-name explicitly instead
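
An added example, not part of the Clash documentation: a small pre-flight check for the tun settings shown in the reference examples, meant to be run on a parsed profile before TUN is enabled. The function names, the sample dicts (including the dns section) and the rules themselves are assumptions about Clash's behaviour, not statements from this page.

```python
import ipaddress

def parse_hijack(entry):
    """Split a dns-hijack entry into (proto, host, port).

    Accepts the forms shown in the reference examples: 'IP:53', 'any:53',
    optionally prefixed with 'tcp://'. A bare entry is treated as UDP (assumption).
    """
    scheme, _, rest = entry.rpartition("://")
    host, sep, port = rest.rpartition(":")
    if scheme not in ("", "tcp") or not sep or not port.isdigit():
        raise ValueError(f"malformed dns-hijack entry: {entry!r}")
    if host != "any":
        try:
            ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            raise ValueError(f"dns-hijack host is neither an IP nor 'any': {entry!r}")
    return (scheme or "udp", host, int(port))

def lint_tun(cfg):
    """Return review findings for a parsed Clash config (a dict, e.g. from a YAML loader)."""
    tun = cfg.get("tun") or {}
    if not tun.get("enable"):
        return []
    findings = []
    if cfg.get("interface-name") and tun.get("auto-detect-interface"):
        findings.append("interface-name and tun.auto-detect-interface are both set; keep one")
    hijack = tun.get("dns-hijack") or []
    if not hijack:
        findings.append("no tun.dns-hijack entries; confirm DNS still reaches Clash's resolver")
    elif not (cfg.get("dns") or {}).get("enable"):
        findings.append("tun.dns-hijack is set but dns.enable is not true")
    for entry in hijack:
        try:
            parse_hijack(str(entry))
        except ValueError as exc:
            findings.append(str(exc))
    return findings

# Constructed samples that mirror the two reference examples above.
EXAMPLE_1 = {"interface-name": "en0",
             "tun": {"enable": True, "stack": "system", "auto-route": True,
                     "auto-redir": True, "auto-detect-interface": True}}
EXAMPLE_2 = {"dns": {"enable": True, "enhanced-mode": "fake-ip"},  # dns section assumed
             "tun": {"enable": True, "stack": "gvisor", "auto-route": True,
                     "dns-hijack": ["198.18.0.2:53"], "auto-detect-interface": True}}

if __name__ == "__main__":
    for name, cfg in (("example 1", EXAMPLE_1), ("example 2", EXAMPLE_2)):
        print(name, lint_tun(cfg) or "no findings")
```

The findings are review prompts to resolve before re-enabling TUN with a minimal profile, not proof that a profile is broken.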