What Is TUN Mode? How It Differs from System Proxy

Clash offers two ways to route traffic through a proxy: System Proxy and TUN Mode. Understanding the difference is key to using Clash correctly.

| Dimension | System Proxy (HTTP/SOCKS5) | TUN Mode (Virtual NIC) |
|---|---|---|
| OSI Layer | Application layer (L7) | Network layer (L3) |
| Interception | App explicitly sets proxy address | Kernel-level traffic hijacking |
| Coverage | Only proxy-aware applications | All TCP/UDP traffic, no app cooperation needed |
| UDP support | Limited, depends on app | Full UDP support |
| Permissions | Normal user | Administrator / root |

System proxy works by setting an HTTP/SOCKS5 address (e.g. 127.0.0.1:7890) at the OS level. Browsers and other proxy-aware apps send requests to that address, which Clash then forwards. However, game clients, CLI tools, and some Electron apps ignore the system proxy settings entirely and connect directly.

TUN mode creates a virtual network interface (Mihomo TUN) inside the OS and intercepts all outgoing packets at the driver level. Regardless of whether an application supports proxy protocols, its traffic is forcibly captured and processed by Clash's rule engine. This is true "global transparent proxying."

When Should You Enable TUN Mode?

TUN mode is strongly recommended in the following scenarios:

  • Game acceleration: Steam, Epic Games, Battle.net and other game clients typically bypass system proxy; TUN mode proxies their traffic directly
  • CLI tools: git clone, npm install, pip install, docker pull do not follow system proxy by default, so TUN mode (or manual env vars) is required
  • UDP applications: Video calls (Zoom, Teams), voice chat (Discord), DNS queries and other UDP-dependent traffic are poorly served by system proxy
  • Non-standard apps: Some dev tools, academic software, and VPN clients ignore system proxy settings
  • Full macOS proxy: Combined with Stash/Surge, TUN can take over all system traffic including system updates
💡
Everyday browsing doesn't need TUN: If you only need to proxy a browser, system proxy mode is sufficient and uses fewer resources. TUN mode is designed for advanced use cases that require all-traffic proxying.

Enabling TUN Mode on Windows (Clash Verge Rev)

Prerequisites

TUN mode requires Clash Verge Rev to run as Administrator. Right-click the tray icon → "Restart as Administrator", or right-click the app in the Start Menu → "Run as Administrator".

On first TUN startup, the app automatically installs the wintun.dll driver (the Windows TUN virtual NIC driver). This requires downloading ~1 MB over the network. The installation is a one-time step.

Steps to Enable

  1. Confirm Clash Verge Rev is running as Administrator (look for the shield icon in the title bar or tray)
  2. Click Settings in the left navigation
  3. Find the System Settings section and toggle on TUN Mode
  4. If a driver installation prompt appears, click "Confirm" and wait for it to finish
  5. Once enabled, a "Mihomo" virtual network adapter will appear in Task Manager's network adapter list
⚠️ Compatibility with Hyper-V / WSL2: After enabling TUN mode, VMs running under Hyper-V or WSL2 may lose internet access because TUN intercepts all outbound traffic. Workaround: exclude the VM subnet (e.g. 172.16.0.0/12) in the TUN config, or temporarily switch back to system proxy mode.

Enabling TUN Mode on macOS (Clash Verge Rev)

Steps to Enable

  1. In Clash Verge Rev's Settings page, find TUN Mode and toggle it on
  2. A system security prompt will appear; go to System Preferences → Privacy & Security
  3. At the bottom of the page, find the "System Extension Blocked" notice and click Allow
  4. Enter your macOS password to authorize, then return to Clash Verge Rev and enable the TUN switch again

On macOS Sequoia (15) and later, you must also manually allow Mihomo's network extension under System Settings → VPN & Filters.

ℹ️ macOS TUN mode is implemented using the Network Extension framework. After a major macOS version upgrade you may need to re-authorize the system extension.

TUN Mode on Android (ClashMeta for Android)

CMFA's TUN mode on Android uses the system VpnService API; no root is required. The VPN permission dialog that appears when you start the proxy is the TUN authorization prompt.

  1. Launch CMFA and ensure a profile is active
  2. Tap the start button on the main screen; on first launch a VPN permission request will appear
  3. Tap "OK" — a key icon in the Android status bar confirms TUN is active
  4. Under Settings → Override Config you can adjust the TUN working mode (Mixed / TUN only / System Proxy only)

Android TUN mode captures all app traffic by default with no additional setup. You can exclude specific apps (e.g. banking apps) in the app list to avoid triggering fraud detection.

TUN Mode YAML Configuration Explained

Add a tun block to your config file to fine-tune TUN mode behavior:

tun:
  enable: true
  stack: mixed          # mixed (recommended) / system / gvisor
  auto-route: true      # auto-add routes so traffic enters TUN
  auto-detect-interface: true  # auto-detect egress NIC, required for multi-NIC setups
  dns-hijack:
    - any:53            # hijack all DNS requests (including UDP port 53)
  strict-route: false   # when true, drops non-TUN traffic; more secure but affects LAN
  mtu: 9000             # max transmission unit; 9000 reduces fragmentation, improves throughput

# DNS config must be used together with TUN
dns:
  enable: true
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  nameserver:
    - 223.5.5.5
    - 119.29.29.29
  fallback:
    - tls://8.8.8.8:853
    - tls://1.1.1.1:853
  fallback-filter:
    geoip: true
    geoip-code: CN

Choosing the stack Parameter

| stack value | Description | Recommended for |
|---|---|---|
| mixed | TCP uses system stack, UDP uses gVisor; best compatibility | Default choice, most scenarios |
| system | Uses system network stack for everything; highest performance | High-performance Linux / macOS |
| gvisor | Userspace virtual network stack; better isolation | Try when encountering compatibility issues |

Troubleshooting TUN Mode Issues

No Internet Access After Enabling TUN

  1. Confirm you are running as Administrator (Windows) or have authorized the network extension (macOS)
  2. Check that your config includes a GEOIP,CN,DIRECT rule to prevent domestic traffic from looping
  3. Check Clash logs to confirm the TUN interface was created successfully (look for "inbound started" for tun)
  4. Temporarily disable antivirus software — some security tools block virtual NIC drivers

Game Traffic Still Goes Direct

Verify that all of the following are in place:

  • TUN switch is on and auto-route: true
  • Proxy mode is set to "Rule" or "Global", not "Direct"
  • Rules for the game server's domain/IP point to a proxy policy, not DIRECT
  • Search for the game process name in Clash logs to confirm traffic is passing through Clash

DNS Loop / Resolution Failure

With TUN enabled, dns-hijack: any:53 captures all DNS queries for Clash to handle. If Clash's own DNS config is broken (e.g. nameservers unreachable), DNS resolution will fail.

Troubleshooting: temporarily set the DNS nameserver to 223.5.5.5 (Alibaba DNS) to verify basic connectivity, then adjust from there.

Speed Drops After Enabling TUN

TUN mode processes packets at the kernel level, adding roughly 5–15% extra CPU overhead. If you notice a significant slowdown:

  • Switch stack from gvisor to mixed or system
  • Confirm auto-route: true is set (prevents routing table conflicts)
  • Check whether another VPN is running simultaneously, causing double-proxying
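
The config-level checks from the troubleshooting lists above, collected into one preflight audit. This is an added example, not code from Clash or Mihomo; it assumes the config has already been parsed into a dictionary, and the function name, the sample rules and the "Proxy" policy name are hypothetical.

```python
def audit_tun_config(cfg):
    """Return (severity, message) findings for an already-parsed config dict."""
    tun, dns = cfg.get("tun") or {}, cfg.get("dns") or {}
    if not tun.get("enable"):
        return [("error", "tun.enable is not true: TUN mode is off")]
    out = []
    if not tun.get("auto-route"):
        out.append(("error", "tun.auto-route is not true: routes into TUN are not added"))
    if str(cfg.get("mode", "")).lower() == "direct":
        out.append(("error", "mode is direct: set it to rule or global"))
    # dns-hijack entries look like "any:53"; the port follows the last ':'
    hijack = [str(h) for h in tun.get("dns-hijack") or []]
    if not any(h.rsplit(":", 1)[-1] == "53" for h in hijack):
        out.append(("warn", "no port-53 entry in tun.dns-hijack: DNS is not hijacked"))
    if not dns.get("enable"):
        out.append(("error", "dns.enable is not true: TUN needs the dns block"))
    elif not dns.get("nameserver"):
        out.append(("warn", "dns.nameserver is empty: hijacked queries may not resolve"))
    # Rules are "TYPE,VALUE,POLICY" strings; compare without spaces or case
    rules = [str(r).replace(" ", "").upper() for r in cfg.get("rules") or []]
    if not any(r.startswith("GEOIP,CN,DIRECT") for r in rules):
        out.append(("warn", "no GEOIP,CN,DIRECT rule for domestic traffic"))
    if not tun.get("strict-route"):
        out.append(("info", "strict-route is false: non-TUN traffic is not dropped"))
    if tun.get("stack") == "gvisor":
        out.append(("info", "stack is gvisor: try mixed or system if speed drops"))
    return out

# Constructed sample 1: the tun/dns values from this page plus hypothetical rules
PAGE_CONFIG = {
    "mode": "rule",
    "tun": {"enable": True, "stack": "mixed", "auto-route": True,
            "dns-hijack": ["any:53"], "strict-route": False},
    "dns": {"enable": True, "nameserver": ["223.5.5.5", "119.29.29.29"]},
    "rules": ["GEOIP,CN,DIRECT", "MATCH,Proxy"],  # "Proxy" is a made-up policy name
}
# Constructed sample 2: a config that fails several of the checks
BROKEN_CONFIG = {
    "mode": "direct",
    "tun": {"enable": True, "stack": "gvisor", "auto-route": False},
    "dns": {"enable": False},
    "rules": ["MATCH,DIRECT"],
}

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("broken", BROKEN_CONFIG)):
        for severity, message in audit_tun_config(cfg):
            print(f"{name}: [{severity}] {message}")
```

Load your own profile with any YAML parser and pass the resulting dictionary to audit_tun_config; runtime checks such as Administrator rights, driver installation and log inspection still have to be done by hand.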

Summary: Key Points for TUN Mode

  • TUN mode intercepts all traffic at the driver level; system proxy only covers proxy-aware applications
  • For games, CLI tools, and UDP apps, TUN is the only reliable solution
  • Windows requires Administrator rights + wintun driver; macOS requires network extension authorization; Android uses VpnService (no root needed)
  • The best-practice YAML combo: stack: mixed + auto-route: true + dns-hijack: any:53
  • Always include domestic direct-connect rules (GEOIP,CN,DIRECT) to avoid routing local traffic through the proxy
