Clash
A rule-based tunnel in Go.
Features
- Local HTTP/HTTPS/SOCKS server with authentication support
- VMess, Shadowsocks, Trojan, Snell protocol support for remote connections
- Built-in DNS server that aims to minimize DNS pollution attack impact, supports DoH/DoT upstream and fake IP.
- Rules based off domains, GEOIP, IP CIDR or ports to forward packets to different nodes
- Remote groups allow users to implement powerful rules. Supports automatic fallback, load balancing or auto select node based off latency
- Remote providers, allowing users to get node lists remotely instead of hardcoding in config
- Netfilter TCP redirecting. Deploy Clash on your Internet gateway with iptables.
- Comprehensive HTTP RESTful API controller
Getting Started
Documentation has moved to the GitHub Wiki.
Advanced usage for this fork branch
TUN configuration
Supports macOS, Linux and Windows.
For Windows, you should download the Wintun driver and copy wintun.dll into the System32 directory.
# Enable the TUN listener
tun:
  enable: true
  stack: system # system or gvisor
  dns-listen: 0.0.0.0:53 # additional dns server listen on TUN
  auto-route: true # auto set global route
Rules configuration
- Support rule GEOSITE
- Support multiport condition for rules SRC-PORT and DST-PORT
- Support not match condition for rule GEOIP
- Support network condition for all rules
The GEOSITE and GEOIP databases come from https://github.com/Loyalsoldier/v2ray-rules-dat
rules:
  # network condition for rules
  - DOMAIN-SUFFIX,bilibili.com,DIRECT,tcp
  - DOMAIN-SUFFIX,bilibili.com,REJECT,udp
  # multiport condition for rule SRC-PORT and DST-PORT
  - DST-PORT,123/136/137-139,DIRECT,udp
  # rule GEOSITE
  - GEOSITE,category-ads-all,REJECT
  - GEOSITE,icloud@cn,DIRECT
  - GEOSITE,apple@cn,DIRECT
  - GEOSITE,apple-cn,DIRECT
  - GEOSITE,microsoft@cn,DIRECT
  - GEOSITE,facebook,PROXY
  - GEOSITE,youtube,PROXY
  - GEOSITE,geolocation-cn,DIRECT
  - GEOSITE,gfw,PROXY
  - GEOSITE,greatfire,PROXY
  #- GEOSITE,geolocation-!cn,PROXY
  - GEOIP,telegram,PROXY,no-resolve
  - GEOIP,private,DIRECT,no-resolve
  - GEOIP,cn,DIRECT
  # Not match condition for rule GEOIP
  #- GEOIP,!cn,PROXY
  - MATCH,PROXY
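Added example (not part of the Clash code base): a Go sketch of how the network and multiport conditions above combine with top-to-bottom, first-match rule evaluation, useful for checking what a rule set actually does to TCP versus UDP traffic. It assumes that "/" separates ports and "-" marks an inclusive range, as inferred from the sample rule, and it handles only DOMAIN-SUFFIX, DST-PORT and MATCH; Decide, portMatch and sampleRules are hypothetical names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample: the rules above that need no GEOSITE/GEOIP database.
var sampleRules = []string{
	"DOMAIN-SUFFIX,bilibili.com,DIRECT,tcp",
	"DOMAIN-SUFFIX,bilibili.com,REJECT,udp",
	"DST-PORT,123/136/137-139,DIRECT,udp",
	"MATCH,PROXY",
}

// portMatch: assumed semantics, "/" separates alternatives, "-" is an inclusive range.
func portMatch(expr string, port int) bool {
	for _, part := range strings.Split(expr, "/") {
		b := strings.SplitN(part, "-", 2)
		lo, err1 := strconv.Atoi(b[0])
		hi, err2 := strconv.Atoi(b[len(b)-1]) // single port: hi == lo
		if err1 == nil && err2 == nil && lo <= port && port <= hi {
			return true
		}
	}
	return false
}

// Decide returns the target of the first matching rule ("" if none); network is "tcp" or "udp".
func Decide(rules []string, host, network string, dstPort int) string {
	for _, line := range rules {
		f := strings.Split(line, ",")
		if f[0] == "MATCH" && len(f) == 2 {
			return f[1]
		}
		if len(f) < 3 || (len(f) == 4 && f[3] != network) {
			continue // malformed, or excluded by the rule's network condition
		}
		suffix := f[0] == "DOMAIN-SUFFIX" && (host == f[1] || strings.HasSuffix(host, "."+f[1]))
		if suffix || (f[0] == "DST-PORT" && portMatch(f[1], dstPort)) {
			return f[2]
		}
	}
	return ""
}

func main() {
	fmt.Println(Decide(sampleRules, "www.bilibili.com", "udp", 443)) // REJECT
}
```

The same host gets DIRECT over TCP and REJECT over UDP, and a UDP-only port rule does not apply to TCP traffic on the same port, which then falls through to MATCH.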
Proxies configuration
Supports the outbound transport protocol VLESS.
proxies:
  - name: "vless"
    type: vless
    server: server
    port: 443
    uuid: uuid
    # udp: true
    # skip-cert-verify: true
    # servername: example.com # priority over wss host
    # network: ws # not support xtls
    # ws-path: /path
    # ws-headers:
    #   Host: v2ray.com
  - name: "vless-h2"
    type: vless
    server: server
    port: 443
    uuid: uuid
    network: h2
    # flow: xtls-rprx-direct # xtls-rprx-origin xtls-rprx-direct # enable xtls
    h2-opts:
      host:
        - http.example.com
        - http-alt.example.com
      path: /
  - name: "vless-http"
    type: vless
    server: server
    port: 443
    uuid: uuid
    # udp: true
    # network: http
    # flow: xtls-rprx-direct # xtls-rprx-origin xtls-rprx-direct # enable xtls
    # http-opts:
    #   # method: "GET"
    #   # path:
    #   #   - '/'
    #   #   - '/video'
    #   # headers:
    #   #   Connection:
    #   #     - keep-alive
  - name: vless-grpc
    server: server
    port: 443
    type: vless
    uuid: uuid
    network: grpc
    # flow: xtls-rprx-direct # xtls-rprx-origin xtls-rprx-direct # enable xtls
    servername: example.com
    # skip-cert-verify: true
    grpc-opts:
      grpc-service-name: "example"
IPTABLES auto-configuration
Works only on Linux systems that support iptables. Clash automatically configures iptables for the tproxy listener when the tproxy-port value isn't zero.
If TPROXY is enabled, the TUN must be disabled.
# Enable the TPROXY listener
tproxy-port: 9898
# Disable the TUN listener
tun:
  enable: false
Create a user named clash.
Run Clash as a daemon under the user clash.
Create the systemd configuration file at /etc/systemd/system/clash.service:
[Unit]
Description=Clash daemon, A rule-based proxy in Go.
After=network.target
[Service]
Type=simple
User=clash
Group=clash
CapabilityBoundingSet=cap_net_admin
AmbientCapabilities=cap_net_admin
Restart=always
ExecStart=/usr/local/bin/clash -d /etc/clash
[Install]
WantedBy=multi-user.target
Launch clashd on system startup with:
$ systemctl enable clash
Launch clashd immediately with:
$ systemctl start clash
Display Process name
Adds a Process field to Metadata in preparation for exposing the process name through the RESTful API GET /connections.
To display the process name in a GUI, please use https://yaling888.github.io/yacd/
Premium Release
Development
If you want to build an application that uses clash as a library, check out the GitHub Wiki.
Credits
License
This software is released under the GPL-3.0 license.
TODO
- Complementing the necessary rule operators
- Redir proxy
- UDP support
- Connection manager