# Clash

A rule-based tunnel in Go.

## Features

- Local HTTP/HTTPS/SOCKS server with/without authentication
- VMess, Shadowsocks, Trojan (experimental), Snell protocol support for remote connections. UDP is supported.
- Built-in DNS server that aims to minimize DNS pollution attacks, supports DoH/DoT upstream. Fake IP is also supported.
- Rules based off domains, GEOIP, IP CIDR or ports to forward packets to different nodes
- Remote groups allow users to implement powerful rules. Supports automatic fallback, load balancing or auto select node based off latency
- Remote providers, allowing users to get node lists remotely instead of hardcoding in config
- Netfilter TCP redirecting. You can deploy Clash on your Internet gateway with `iptables`.
- Comprehensive HTTP API controller

## Install

Clash requires Go >= 1.13. You can build it from source:

```sh
$ go get -u -v github.com/Dreamacro/clash
```

Pre-built binaries are available here: [release](https://github.com/Dreamacro/clash/releases)

Pre-built Premium binaries are available here: [Premium release](https://github.com/Dreamacro/clash/releases/tag/premium). Source is not currently available.

Check Clash version with:

```sh
$ clash -v
```

## Daemonize Clash

Unfortunately, there is no native or elegant way to implement daemons on Golang. We recommend using third-party daemon management tools like PM2, Supervisor or the like to keep Clash running as a service.

In the case of [pm2](https://github.com/Unitech/pm2), start the daemon this way:

```sh
$ pm2 start clash
```

If you have Docker installed, it's recommended to deploy Clash directly using `docker-compose`: [run Clash in Docker](https://github.com/Dreamacro/clash/wiki/Run-clash-in-docker)

## Config

The default configuration directory is `$HOME/.config/clash`.

The name of the configuration file is `config.yaml`.

If you want to use another directory, use `-d` to control the configuration directory.

For example, you can use the current directory as the configuration directory:

```sh
$ clash -d .
```

This is an example configuration file:

```yml
# port of HTTP
port: 7890

# port of SOCKS5
socks-port: 7891

# (HTTP and SOCKS5 in one port)
# mixed-port: 7890

# redir port for Linux and macOS
# redir-port: 7892

allow-lan: false

# Only applicable when setting allow-lan to true
# "*": bind all IP addresses
# 192.168.122.11: bind a single IPv4 address
# "[aaaa::a8aa:ff:fe09:57d8]": bind a single IPv6 address
# bind-address: "*"

# ipv6: false # when ipv6 is false, each clash dial with ipv6, but it's not affect the response of the dns server, default is false

# rule / global / direct (default is rule)
mode: rule

# set log level to stdout (default is info)
# info / warning / error / debug / silent
log-level: info

# RESTful API for clash
external-controller: 127.0.0.1:9090

# you can put the static web resource (such as clash-dashboard) to a directory, and clash would serve in `${API}/ui`
# input is a relative path to the configuration directory or an absolute path
# external-ui: folder

# Secret for RESTful API (Optional)
# secret: ""

# experimental feature
experimental:
  ignore-resolve-fail: true # ignore dns resolve fail, default value is true
  # interface-name: en0 # outbound interface name

# authentication of local SOCKS5/HTTP(S) server
# authentication:
#  - "user1:pass1"
#  - "user2:pass2"

# # hosts, support wildcard (e.g. *.clash.dev Even *.foo.*.example.com)
# # static domain has a higher priority than wildcard domain (foo.example.com > *.example.com > .example.com)
# # +.foo.com equal .foo.com and foo.com
# hosts:
#   '*.clash.dev': 127.0.0.1
#   '.dev': 127.0.0.1
#   'alpha.clash.dev': '::1'
#   '+.foo.dev': 127.0.0.1

# dns:
#   enable: true # set true to enable dns (default is false)
#   ipv6: false # it only affect the dns server response, default is false
#   listen: 0.0.0.0:53
#   # default-nameserver: # resolve dns nameserver host, should fill pure IP
#   #   - 114.114.114.114
#   #   - 8.8.8.8
#   enhanced-mode: redir-host # or fake-ip
#   # fake-ip-range: 198.18.0.1/16 # if you don't know what it is, don't change it
#   fake-ip-filter: # fake ip white domain list
#     - '*.lan'
#     - localhost.ptlogin2.qq.com
#   nameserver:
#     - 114.114.114.114
#     - tls://dns.rubyfish.cn:853 # dns over tls
#     - https://1.1.1.1/dns-query # dns over https
#   fallback: # concurrent request with nameserver, fallback used when GEOIP country isn't CN
#     - tcp://1.1.1.1
#   fallback-filter:
#     geoip: true # default
#     ipcidr: # ips in these subnets will be considered polluted
#       - 240.0.0.0/4

proxies:
  # shadowsocks
  # The supported ciphers(encrypt methods):
  #   aes-128-gcm aes-192-gcm aes-256-gcm
  #   aes-128-cfb aes-192-cfb aes-256-cfb
  #   aes-128-ctr aes-192-ctr aes-256-ctr
  #   rc4-md5 chacha20-ietf xchacha20
  #   chacha20-ietf-poly1305 xchacha20-ietf-poly1305
  - name: "ss1"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    # udp: true

  # old obfs configuration format remove after prerelease
  - name: "ss2"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: obfs
    plugin-opts:
      mode: tls # or http
      # host: bing.com

  - name: "ss3"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: v2ray-plugin
    plugin-opts:
      mode: websocket # no QUIC now
      # tls: true # wss
      # skip-cert-verify: true
      # host: bing.com
      # path: "/"
      # mux: true
      # headers:
      #   custom: value

  # vmess
  # cipher support auto/aes-128-gcm/chacha20-poly1305/none
  - name: "vmess"
    type: vmess
    server: server
    port: 443
    uuid: uuid
    alterId: 32
    cipher: auto
    # udp: true
    # tls: true
    # skip-cert-verify: true
    # servername: example.com # priority over wss host
    # network: ws
    # ws-path: /path
    # ws-headers:
    #   Host: v2ray.com

  - name: "vmess-http"
    type: vmess
    server: server
    port: 443
    uuid: uuid
    alterId: 32
    cipher: auto
    # udp: true
    # network: http
    # http-opts:
    #   # method: "GET"
    #   # path:
    #   #   - '/'
    #   #   - '/video'
    #   # headers:
    #   #   Connection:
    #   #     - keep-alive

  # socks5
  - name: "socks"
    type: socks5
    server: server
    port: 443
    # username: username
    # password: password
    # tls: true
    # skip-cert-verify: true
    # udp: true

  # http
  - name: "http"
    type: http
    server: server
    port: 443
    # username: username
    # password: password
    # tls: true # https
    # skip-cert-verify: true

  # snell
  - name: "snell"
    type: snell
    server: server
    port: 44046
    psk: yourpsk
    # obfs-opts:
    #   mode: http # or tls
    #   host: bing.com

  # trojan
  - name: "trojan"
    type: trojan
    server: server
    port: 443
    password: yourpsk
    # udp: true
    # sni: example.com # aka server name
    # alpn:
    #   - h2
    #   - http/1.1
    # skip-cert-verify: true

proxy-groups:
  # relay chains the proxies. proxies shall not contain a relay. No UDP support.
  # Traffic: clash <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet
  - name: "relay"
    type: relay
    proxies:
      - http
      - vmess
      - ss1
      - ss2

  # url-test select which proxy will be used by benchmarking speed to a URL.
  - name: "auto"
    type: url-test
    proxies:
      - ss1
      - ss2
      - vmess1
    # tolerance: 150
    url: 'http://www.gstatic.com/generate_204'
    interval: 300

  # fallback select an available policy by priority. The availability is tested by accessing an URL, just like an auto url-test group.
  - name: "fallback-auto"
    type: fallback
    proxies:
      - ss1
      - ss2
      - vmess1
    url: 'http://www.gstatic.com/generate_204'
    interval: 300

  # load-balance: The request of the same eTLD will be dial on the same proxy.
  - name: "load-balance"
    type: load-balance
    proxies:
      - ss1
      - ss2
      - vmess1
    url: 'http://www.gstatic.com/generate_204'
    interval: 300

  # select is used for selecting proxy or proxy group
  # you can use RESTful API to switch proxy, is recommended for use in GUI.
  - name: Proxy
    type: select
    proxies:
      - ss1
      - ss2
      - vmess1
      - auto

  - name: UseProvider
    type: select
    use:
      - provider1
    proxies:
      - Proxy
      - DIRECT

proxy-providers:
  provider1:
    type: http
    url: "url"
    interval: 3600
    path: ./hk.yaml
    health-check:
      enable: true
      interval: 600
      url: http://www.gstatic.com/generate_204
  test:
    type: file
    path: /test.yaml
    health-check:
      enable: true
      interval: 36000
      url: http://www.gstatic.com/generate_204

rules:
  - DOMAIN-SUFFIX,google.com,auto
  - DOMAIN-KEYWORD,google,auto
  - DOMAIN,google.com,auto
  - DOMAIN-SUFFIX,ad.com,REJECT
  # rename SOURCE-IP-CIDR and would remove after prerelease
  - SRC-IP-CIDR,192.168.1.201/32,DIRECT
  # optional param "no-resolve" for IP rules (GEOIP IP-CIDR)
  - IP-CIDR,127.0.0.0/8,DIRECT
  - GEOIP,CN,DIRECT
  - DST-PORT,80,DIRECT
  - SRC-PORT,7777,DIRECT
  # FINAL would remove after prerelease
  # you also can use `FINAL,Proxy` or `FINAL,,Proxy` now
  - MATCH,auto
```
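
The sample above keeps the local listeners closed by default (`allow-lan: false`, `external-controller` on `127.0.0.1`, every `skip-cert-verify` commented out). As an added example that is not part of the Clash code base, this Go check flags a config where those defaults were loosened. The function name `Audit`, the warning texts and the constructed sample are assumptions for illustration, and it scans lines rather than parsing YAML.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Constructed sample: keys from the page's config with the risky values set.
const sample = "allow-lan: true\nexternal-controller: 0.0.0.0:9090\n" +
	"# secret: \"\"\nproxies:\n  - name: \"trojan\"\n    skip-cert-verify: true\n"

// Audit line-scans a Clash config (it is not a YAML parser) and returns warnings.
func Audit(cfg string) (out []string) {
	top, section, users, skip := map[string]string{}, "", 0, 0
	for sc := bufio.NewScanner(strings.NewReader(cfg)); sc.Scan(); {
		line := sc.Text()
		t, _, _ := strings.Cut(strings.TrimSpace(line), " #") // drop trailing comment
		key, val, _ := strings.Cut(t, ":")
		val = strings.Trim(strings.TrimSpace(val), `"'`)
		switch {
		case t == "" || t[0] == '#': // blank or commented out: setting is inactive
		case strings.HasPrefix(t, "- "):
			if section == "authentication" {
				users++ // one "user:pass" entry for the local proxy
			}
		case line[0] != ' ' && line[0] != '\t': // top-level key
			section, top[key] = key, val
		case key == "skip-cert-verify" && val == "true":
			skip++
		}
	}
	if top["allow-lan"] == "true" && users == 0 {
		out = append(out, "allow-lan is true with no authentication entries")
	}
	host, _, err := net.SplitHostPort(top["external-controller"])
	if err == nil && top["secret"] == "" && host != "localhost" && !net.ParseIP(host).IsLoopback() {
		out = append(out, "external-controller is reachable off-loopback with no secret")
	}
	if skip > 0 {
		out = append(out, fmt.Sprintf("skip-cert-verify: true on %d proxies", skip))
	}
	return out
}

func main() {
	fmt.Println(strings.Join(Audit(sample), "\n"))
}
```

Run against the unmodified sample configuration, `Audit` returns no warnings.
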

## Advanced

[Provider](https://github.com/Dreamacro/clash/wiki/Provider)

## Documentation

https://clash.gitbook.io/

## Credits

- [riobard/go-shadowsocks2](https://github.com/riobard/go-shadowsocks2)
- [v2ray/v2ray-core](https://github.com/v2ray/v2ray-core)

## License

[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2FDreamacro%2Fclash.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2FDreamacro%2Fclash?ref=badge_large)

## TODO

- [x] Complementing the necessary rule operators
- [x] Redir proxy
- [x] UDP support
- [x] Connection manager
- ~~[ ] Event API~~