⚠️ The nodes and airport subscription services mentioned in this article are entirely fictional and created for demonstration purposes only. They do not exist in reality. Please be aware of this.
Preface
Clash is a powerful tool for [[N]]. At its core, it’s simply a command-line utility called Clash Core (though one could argue that all software is fundamentally command-line based). Developers have built various GUI interfaces around it to simplify configuration and usage. I’ve previously used ClashX on Mac and Clash For Windows For Mac (yes, you read that right), commonly referred to as CFW. For development convenience, its GUI is built on Electron, allowing it to be packaged for both Mac and Windows, making it extremely user-friendly.
Currently, I’m using Clash For Windows.
As per international convention, this article not only explains the purpose of common settings but also briefly covers how to update subscription links and switch nodes. This is to prevent certain individuals from bombarding me with complaints like: “Why can’t I access Behance again?!” “Why is bypassing restrictions so complicated?!” “You spent so much money on this ‘ladder’—why does it still suck?!” In such cases, I can just throw this article at them and get back to gaming.
⚠️ Terminology note: [[N]] = bypassing restrictions.
Purpose of Some Settings
Most of these explanations are already in the documentation, but I’ll contextualize them with real-world usage scenarios.
GeoIP Database
This feature determines whether traffic should be routed through a proxy based on the geographical location of the IP address. It works by maintaining a local database for queries. Since IP addresses are constantly updated, this database also needs occasional (but infrequent) updates.
TUN Mode
Some applications, like Terminal, iTerm, or Infuse, don’t adhere to system proxy settings. TUN Mode solves this by intercepting their traffic and redirecting it through CFW.
In my case, I use it to access Emby via Infuse. My Emby service requires a specific node from my airport subscription, but Infuse (apparently) uses its own request tool and bypasses the system proxy. Even with CFW set as the system proxy and the correct node selected, I couldn’t access the Emby service provided by the airport. Enabling TUN Mode fixed this.
Another use case: with TUN Mode enabled, commands in iTerm also route through the proxy. Without it, operations like git clone wouldn’t use the proxy. My previous workaround was manually creating an alias to specify the proxy for the terminal, toggling it with ppp or sss (my proxy port is 7890):
1 | |
Enabling TUN Mode requires Service Mode. For details, refer to the documentation:
TUN 模式 | Clash for Windows "by Fndroid" https://docs.cfw.lbyczf.com/contents/tun.html#macos
However, I encountered an issue where CFW claimed Service Mode was active, but the globe icon remained red. I resolved this by first disabling Service Mode. After CFW restarted, it showed Service Mode as inactive, with only “Install” and “Uninstall” buttons available. Clicking “Install” and restarting still left the icon red, so I uninstalled and reinstalled it. After another restart, the globe turned green. The takeaway? The GUI might have bugs, so try different approaches if something doesn’t work.
💡 Remember to disable the software’s Secure DNS feature for TUN Mode to function properly. If TUN Mode isn’t working, this setting might be the culprit.
Parser
Also known as “Profile Preprocessing.”
Sometimes, you may want to apply custom rules before CFW’s routing rules take effect. For instance, most users rely on airport subscription links, which come with predefined routing rules like “Global Direct,” “Global Block,” or “Leak Protection”:
If you want to add custom rules—say, routing a specific link through a proxy—directly editing the downloaded profile will overwrite your changes when the subscription updates. This is where Parser comes in.
In short, Parser applies your configured rules before the airport’s rules, merging them into the final effective rules. For example, I frequently visit a site with two domain sets: one for mainland users and another for overseas visitors. With TUN Mode enabled, the site identifies me as overseas, preventing access to the mainland version (where accounts aren’t shared). Using Parser, I can add the mainland domain and set it to direct access:
However, the awkward part is that it only works for a specific YAML (i.e., the subscription node list mentioned below). Therefore, if you have multiple subscription node lists (airports), you’ll need to write multiple URLs.
Update: The good news is that CFW now supports matching multiple subscription node lists with a single rule. You can use the reg field for regex matching. For example, here’s how I match all configuration files:
Click on the subscription node list to view the corresponding Parser for that configuration.
Note: Subscription conversion services may render the Parser ineffective.
Note: After setting up the Parser, you need to click the update button for the current proxy to take effect.
Diff
This feature works similarly to the Parser mentioned above but takes effect after the Parser. The principle is to manually generate a file (similar to a “base” version in Git), which can be a modified version of your current subscription configuration file. Whenever the subscription configuration file updates, it will diff the new version against the old one. If any issues are detected, you’ll need to manually resolve the conflicts.
The purpose of this feature is to ensure that updates don’t overwrite your modifications to the current configuration file.
Mixin
⚠️ Note: This feature is only suitable for injecting “functional attributes.” Additionally, rules in the mixin will override other rules in the airport subscription list! Therefore, you should only use the mixin to inject information like DNS settings and avoid setting rules, as doing so may invalidate the nodes in the airport subscription.
There’s another configuration entry in the Settings, where you can choose JavaScript-formatted Mixin settings. For details, refer to the documentation:
System Proxy
As the name suggests, this sets Clash as the system proxy. If turned off, some software that relies on the system proxy won’t be able to bypass restrictions, such as Safari. So, if you want Safari to bypass restrictions, make sure to enable System Proxy.
Troubleshooting When Bypassing Restrictions Fails
If you find that you can’t bypass restrictions when accessing websites that require it, follow these steps to troubleshoot:
Step 1: Check Proxies
Click the little cat icon in the menu bar.
In the opened interface, click the Proxies tab, then select a node:
💡 Auto-select: CFW will automatically choose an available node.
Make sure the text next to the node selection says “Auto-select” (this should be the default, and you shouldn’t change it). Then, click “Speed Test” to check the speed of the currently auto-selected node:
If the node is unavailable, it will show as Timeout timeout. If the latency is too high (e.g., 1000+), it will display in red, indicating slow bypass speed.
Step 2: Check Profiles
Typically, you should have multiple Profiles, like this:
If the speed test in Step 1 shows all nodes as Timeout, consider switching to a different node list. In the image above, click a new block. If it turns green on the left, it means you’ve switched to that block’s node list. Then, repeat Step 1 to check if the node speeds are normal.
Also, if the node list hasn’t been updated for a long time (the update time is shown in parentheses), click Update All to try updating. If it fails, switch to another block and click Update All to try updating again:
Note: Don’t switch between node lists too quickly, as it may cause errors. After switching one, wait 3–4 seconds before switching another (if necessary).
Step 3: Disconnect All Connections
If the first two steps show no issues but you still can’t open the page, it might be because your browser is maintaining old connections and hasn’t re-established them through the proxy. In this case, go to the Connections tab in CFW, click “Disconnect All,” and refresh the page you couldn’t open:
Adding a New Airport Subscription
A new airport subscription refers to the “node list” mentioned above.
In the Profiles tab, paste the link you obtained into the input box, then click Download. If the download is successful, you’ll see a prompt:
Other
Bypass Mode
Clash offers different proxy modes, such as Global, where all network traffic is proxied; Rule, where traffic is routed according to custom rules (some proxied, some direct); Direct, which means all traffic connects directly, equivalent to not using Clash at all; and Script, where you can write a JavaScript script to determine which connections are proxied and which are direct. These configurations can be switched here:
Proxying Other Devices on the Local Network
Clash can proxy network traffic for other devices on the same local network segment, allowing devices that cannot natively support proxies to benefit from one. A typical use case is proxying Apple TV. Since the Apple TV system does not expose proxy-related interfaces, it cannot directly install proxy software like smartphones. Therefore, you either need to rely on a router-level proxy or set the proxy server on the device running Clash. Then, simply enable “Allow LAN” in Clash:
What Is a Proxy Subscription Link?
A proxy subscription link is a URL provided by a proxy service (often called an “airport”). Clash parses this link to download a YAML-format configuration file, which instructs Clash on how to function.
From the author:
I often wish that when facing some key decisions in life, someone could tell me the best course of action so that I would not waste my precious time. Putting myself in others' shoes, I therefore write blogs often, hoping to record in this tiny corner of the vast Internet the once-in-a-lifetime experiences that matter to me, and to help those who seek help.
