Advanced Features & Functionality

Unlock the
Full Potential of Clash

From TUN global proxy to smart rule engines, from Hysteria2 high-speed protocol to Fake-IP DNS acceleration—deep analysis of every powerful Clash / Mihomo feature, putting your network truly under your control.

TUN Mode Rule Engine Multi-Protocol Support DNS Split Proxy Strategies Scripting Engine

TUN Mode

System-wide traffic capture, no per-app proxy settings needed

Smart Rule Engine

Domain/IP/GEOIP rules for local direct access and international proxy

10+ Protocols

VLESS · Hysteria2 · TUIC · Reality · VMess · Trojan

Fake-IP DNS

DNS Leak Prevention + Accelerated Resolution

Flexible Groups

Speed Test · Failover · Load Balance · Manual

Lua / JS Scripts

Scripting engine for request interception and traffic rewriting

All Traffic
Browser
Gaming
CLI Tools
Streaming
TUN Mode System-level Capture
Mihomo Core
Local Direct
International Proxy
TUN Mode

Virtual NIC Capture
Never miss a single app's traffic

Standard system proxies only affect apps that respect proxy settings (mostly browsers). TUN mode creates a virtual NIC at the OS level to captureall application IP traffic—including games, CLI tools (npm, pip, git), P2P software, and more.

  • True Global Proxy

    Game acceleration, Steam downloads, and terminal git clone all go through the proxy.

  • iptables Transparent Proxy (Linux)

    Achieve transparent proxying on Linux via iptables/nftables without per-app configuration.

  • gVisor / System Stack Modes

    gVisor offers better performance and isolation; System stack provides broader compatibility. Choose as needed.

  • Seamless Rule Integration

    Traffic captured by TUN still passes through the rule engine for smart split-tunneling.

config.yaml - TUN Config 
tun:
  enable: true
  stack: system       # or gvisor
  dns-hijack:
    - any:53
    - tcp://any:53
  auto-route: true
  auto-detect-interface: true
Rule Engine

Multi-Dimensional Routing
Precise Traffic Control

The Clash rule engine supports over ten matching conditions. Rules are matched from top to bottom; once a match is found, the corresponding strategy (Direct, Proxy, or Reject) is executed immediately.

DOMAIN / DOMAIN-SUFFIX

Precise domain matching and suffix wildcards for YouTube, Google, and more.

GEOIP / GEOSITE

Based on IP geolocation and domain databases; cover whole regions with one rule.

IP-CIDR / IP-CIDR6

Precise IP range matching (IPv4/IPv6), ideal for internal network direct access.

RULE-SET Feature

Subscribe to community GeoSite / GeoIP rulesets for automated maintenance.

PROCESS-NAME

Match by process name for granular control (e.g., Steam direct, browser proxy).

MATCH (Final Rule)

The ultimate strategy for any traffic that doesn't hit previous rules, typically set to Proxy or Direct.

config.yaml - Rule Examples 
rules:
  - GEOSITE,cn,DIRECT          # Direct for local domains
  - GEOIP,CN,DIRECT             # Direct for local IPs
  - GEOSITE,google,Proxy        # Proxy for Google
  - DOMAIN-SUFFIX,github.com,Proxy
  - PROCESS-NAME,Steam.exe,DIRECT
  - MATCH,Proxy                 # Default proxy
Traffic Matching Workflow
Incoming Traffic
GEOIP CN → DIRECT
GEOSITE google → PROXY
DOMAIN github.com → PROXY
IP-CIDR 192.168.0.0/16 → DIRECT
MATCH Final MATCH →PROXY
Direct
Proxy Node
Reject
Protocols

10+ Mainstream Protocols
Compatible with all major providers

The Mihomo kernel supports nearly all modern proxy protocols. Regardless of your provider's technology, Clash can connect natively without extra plugins.

VLESS
Top Choice

A stateless, lightweight protocol that removes VMess encryption layers. Combined with Reality or TLS 1.3, it offers stealthy traffic and high resistance to blocking.

Reality Stealth TCP / WebSocket / gRPC / HTTPUpgrade XTLS Vision Flow
Hysteria 2
Speed King

Next-gen high-speed protocol based on QUIC / UDP, designed for high-latency/loss networks. Speeds in weak networks can be 3-10x faster than TCP.

QUIC Multiplexing BBR Congestion Control Weak Network Acceleration
TUIC v5
QUIC Series

Tiny UDP Internet Connections, also based on QUIC, features 0-RTT handshakes and excellent UDP over QUIC performance for gaming and VOIP.

0-RTT Handshake UDP over QUIC Multiplexing
VMess
Stable Classic

The core protocol of V2Ray, featuring AES-128-GCM encryption. Supports TCP, WebSocket, HTTP/2, and gRPC for maximum compatibility.

Trojan / Trojan-Go
HTTPS Stealth

Mimics standard HTTPS traffic, making TLS handshakes identical to real websites and difficult for Deep Packet Inspection (DPI) to identify.

Shadowsocks / SS2022
Reliable Veteran

One of the earliest widely-used protocols. The SS2022 version introduces anti-replay mechanisms, significantly boosting security and performance.

WireGuard
VPN Kernel

Modern VPN protocol with minimal code and high performance. Mihomo can use WireGuard as an outbound proxy, ideal for services like Cloudflare WARP.

Snell v4
Surge Ecosystem

High-performance private protocol developed by the Surge team, featuring ECDH key exchange and widely used in the Surge community.

DNS Config

Fake-IP + DNS Split
Ending DNS Pollution

DNS hijacking and pollution are primary reasons for inability to access international sites. Clash provides two modes to solve this problem while supporting custom DNS servers per rule.

Recommended

Fake-IP Mode

DNS queries immediately return a fake IP (e.g., 198.18.x.x). Clash then decides whether to use a proxy or a direct connection based on domain rules. This avoids polluted DNS points and provides near-zero latency.

  • Prevent DNS Leaks
  • Zero Latency Resolution
  • Best with TUN Mode

Redir-Host Mode

Obtains the real IP via trusted DNS (e.g., 8.8.8.8 over HTTPS) before the rule engine decides the route. Better compatibility for specific scenarios where Fake-IP is not supported.

  • Obtain Real IP
  • High Compatibility
  • Ideal for NAS / Routers
config.yaml - DNS Config 
dns:
  enable: true
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  nameserver:              # International DoH
    - https://8.8.8.8/dns-query
    - https://1.1.1.1/dns-query
  nameserver-policy:       # Local DNS for local domains
    geosite:cn: 114.114.114.114
DNS Resolution Path
Query youtube.com
Clash DNS Module
Local Domain
114.114.114.114 Local DNS
Real IP → Direct
International Domain
8.8.8.8 DoH Encrypted DNS
Fake-IP → Proxy
Proxy Strategies

Four Proxy Group Modes
Intelligent Traffic Scheduling

Clash's Proxy Group feature allows combining multiple nodes into a single logical exit. Different strategies decide the traffic path, enabling automatic disaster recovery, speed-based selection, and load balancing.

url-test
Speed-Based Selection

Periodically tests latency to a target URL and automatically switches to the node with the lowest delay. Ideal for daily browsing and streaming.

type: url-test
url: http://www.gstatic.com/generate_204
interval: 300

fallback
Automatic Failover

Checks node availability in order; if the primary node fails, it automatically downgrades to the next available one, ensuring uninterrupted service.

type: fallback
url: http://www.gstatic.com/generate_204
interval: 120

load-balance
Load Balancing

Distributes traffic across multiple nodes. Supports consistent-hashing (same target to same node) and round-robin strategies to maximize bandwidth usage.

type: load-balance
strategy: consistent-hashing

select
Manual Selection

Manually choose a node or sub-proxy group via the UI or API. Best for fine-grained control, such as using a specific country for Netflix or DMM.

type: select
proxies:
- Hong Kong Node
- US Node
- Japan Node
Scripting Engine

JavaScript Scripting Engine
Dynamic Rules & Traffic Rewriting

Mihomo includes a lightweight JS engine allowing users to write scripts for dynamic connection handling. This enables complex routing logic and real-time HTTP/HTTPS request/response rewriting beyond standard rules.

  • Dynamic Rule Scripts

    Return proxy strategies dynamically based on IP, domain, process name, or time for maximum flexibility.

  • HTTP Request Rewriting

    Intercept and modify HTTP/HTTPS headers or bodies for advanced operations like ad-blocking or cookie injection.

  • MitM Decryption

    Works with self-signed CA certificates to decrypt and analyze HTTPS traffic for deep filtering and script processing.

  • Scheduled Task Scripts

    Execute JS scripts at set intervals to automatically update configs or switch policy groups without manual intervention.

script.js - Dynamic Rule Example 
/**
 * Dynamic proxy selection script
 * Returns proxy group name based on metadata
 */
function main(params) {
  const { host, dstPort } = params;

  // Gaming ports → direct connection
  const gamePorts = [3074, 27015, 7777];
  if (gamePorts.includes(dstPort)) {
    return "DIRECT";
  }

  // Streaming domains → dedicated group
  if (host.endsWith(".netflix.com")
      || host.endsWith(".nflxso.net")) {
    return "Netflix-Group";
  }

  return "Auto-Select";
}
RESTful API & Dashboard

Full REST API
Programmatic Control

The Mihomo kernel includes an HTTP RESTful API server. All config changes, node switching, and real-time monitoring can be done via API, supporting various visual Web dashboards.

Real-time Node Switching

Instantly switch current nodes in a proxy group via API without restarting the kernel; ideal for automation.

Real-time Traffic Monitoring

Push throughput, connection counts, and latency data via WebSocket for custom monitoring systems.

Connection Log Tracking

View domains, rule hits, and proxy usage for all active connections to easily troubleshoot config issues.

Hot Reload Config

Trigger a config reload via API after modifying config.yaml to apply new settings without a restart.

Latency Speed Test

Batch test all node latencies via API and automatically update group sorting and selections.

Web Management Panel

Supports multiple community dashboards like Yacd, MetaCubeXD, and Zashboard for browser-based management.

Compatible Web Dashboards
Yacd-meta
MetaCubeXD
Zashboard
RESTful API
More Advanced Features

Even More Powerful Features
Waiting for You to Explore

Subscription Management & Auto-Update

Import multiple subscription URLs and set automatic fetch intervals to keep your node list current.

Full IPv6 Support

Mihomo supports IPv6 outbound traffic and rule matching, adapting to next-gen internet infrastructure.

Rule Provider Support

Dynamically load rulesets from remote URLs; automatically sync community-maintained GFW lists.

Mixed Port Support

Simultaneous HTTP/SOCKS5 support on a single port, simplifying client setup and app compatibility.

Sub-rules & Logic Operations

Use AND / OR / NOT logical combinations for complex rule matching comparable to firewall policies.

Multi-Architecture Native Support

Mihomo builds are available for amd64, arm64, ARMv7, and MIPS, covering routers and NAS devices.

Ready to experience these features?

Download a Clash client, import your subscription, and start your smart routing journey. Cross-platform support, setup in 3 minutes.

Download Client Now View Mihomo Source
10+ Supported Protocols
5 Cross-Platform Coverage
100% Open Source & Free