1. Port Occupancy: Address already in use (7890)

This is arguably the most frequent error encountered by users. Clash uses port 7890 by default for its "Mixed Port" (HTTP and SOCKS5). If this port is being used by another application, Clash cannot start its proxy engine.

1.1 Error Symptom

In the logs, you will see a red message like: listen tcp 0.0.0.0:7890: bind: address already in use.

1.2 How to Fix It

  • Check for Ghost Instances: Ensure you don't have another Clash client running in the background. Use the Task Manager (Windows) or Activity Monitor (macOS) to force-quit any processes named Clash, Clash Verge, or Mihomo.
  • Change the Default Port: If 7890 is permanently occupied by system services or other software like download managers, navigate to the "Settings" or "Config" tab in your Clash client and change the "Mixed Port" to something else, such as 7891 or 10809.
  • Identify the Culprit (Windows): Open CMD as administrator and run netstat -ano | findstr :7890. Look at the last column (the PID), then find that PID in the Task Manager to see which app is blocking Clash.

2. Subscription Update Failed: Connection Refused or Timeout

Failures to pull the configuration from your provider usually stem from network environment issues, provider-side restrictions, or SSL certificate errors.

2.1 Root Causes

  • Network Blockage: Many subscription links are hosted on domains that might be throttled or blocked by your local ISP.
  • System Time Mismatch: If your computer's clock is inaccurate, SSL handshakes will fail, causing the download to be rejected for security reasons.
  • Circular Dependency: Sometimes, you need the proxy to download the update, but the proxy won't work because the update hasn't been downloaded.

2.2 How to Fix It

  • Sync Your Clock: Go to your system settings and ensure "Set time automatically" is enabled.
  • Toggle System Proxy: Temporarily disable the "System Proxy" switch in your client and then try updating the subscription again.
  • Use a Subscription Converter: If the original link is problematic, use a reputable third-party converter (like SubConverter) to transform the link into a different format or host it on a more accessible domain.
  • Check Provider Status: Log in to your provider's dashboard to ensure your account hasn't expired or run out of data.

3. TUN Mode Startup Exception: Service Start Error

TUN mode operates at the network card level, which requires elevated privileges and specific drivers. This makes it prone to system-level conflicts.

3.1 Permission Issues

On Windows, Clash must be Run as Administrator to install and activate the virtual network adapter (Wintun). If you see operation not permitted in the logs, you likely missed this step.

3.2 Driver Conflicts

If you have previously used other VPNs or proxy tools like V2RayN or older versions of Shadowsocks, their legacy virtual adapters might conflict with Clash. Go to "Device Manager" -> "Network Adapters" and uninstall any unused "Wintun" or "TAP" devices.

3.3 Stack Selection

In your settings, ensure you have selected Stack: gvisor or Stack: system. For most users, gvisor offers the best balance between performance and compatibility, as it handles the TCP/IP stack in user-space, avoiding many kernel-level bugs.

4. Rule Malfunction: All Traffic is Direct or All Traffic is Proxied

When your "Global" switch is off but the traffic isn't following your rules, it's usually a logic error in the YAML configuration.

4.1 The Top-Down Principle

Clash rules are processed from the top down. The first matching rule wins. If you have MATCH, DIRECT at the top of your ruleset, everything will go direct, and subsequent rules will never be checked. The correct order should be: Specific Domains > IP-CIDR > GEOIP/GEOSITE > MATCH.

4.2 DNS Poisoning

If your rules are based on IP-CIDR (geographic location) but your DNS returns a fake local IP before Clash can inspect the request, the rule will fail. We highly recommend using Fake-IP mode to ensure Clash maintains control over the entire resolution process.

5. DNS Leak: Why My Location is Still Visible?

A DNS leak occurs when your browser or apps bypass the proxy to ask your local ISP's DNS server for an IP address. This can reveal your identity and bypass streaming blocks.

5.1 Verification

Visit dnsleaktest.com. If you see your actual ISP (Comcast, AT&T, China Telecom, etc.) while the proxy is on, you have a leak.

5.2 The Fix

  • Enable Encrypted DNS: Configure dns: enable: true and use DoH (DNS over HTTPS) servers like https://dns.google/dns-query.
  • Disable IPv6: Many leaks happen over IPv6 because current proxy protocols have inconsistent IPv6 support. We recommend disabling IPv6 in your Windows/macOS network settings entirely for maximum privacy.

6. Miscellaneous Errors

6.1 EOF Error

This stands for "End of File." It usually means the connection was abruptly closed by the remote server or an intermediate firewall. This is common with Hysteria2 if your UDP port is being throttled by your ISP.

6.2 YAML Parsing Error

This means your configuration file has invalid syntax. YAML is extremely sensitive to spaces. Do not use Tabs; use only spaces for indentation. Use an online YAML validator to find the line where the indentation is broken.

Conclusion: The Troubleshooting Mindset

Fixing Clash errors is about following a logical path: Logs > Permissions > Config. Most issues are solved by simply updating your subscription, ensuring administrative rights, or correcting a small typo in the YAML file.

For those who want to avoid these headaches, we recommend using Clash Verge Rev. It features a modern Mihomo core that automatically detects port conflicts and provides a much more robust TUN mode implementation than legacy clients.

Download Clash for free and enjoy a hassle-free browsing experience