What is TUN Mode?
In the default "System Proxy" mode, Clash works by modifying the system's HTTP/HTTPS proxy settings. This method only proxies applications that follow system settings (like browsers). Command-line tools, game clients, and some Electron apps often ignore these settings, connecting directly and bypassing the proxy.
TUN (TUNnel) mode creates a virtual network interface in the operating system to intercept all TCP and UDP traffic at a lower network level. Regardless of the application making the request, the traffic passes through this virtual interface, where the Clash core decides whether to proxy it based on your rules. This achieves true "Global Proxy" and is the most thorough proxying method available.
When Should You Use TUN Mode?
- Gaming Acceleration: Game clients usually don't follow system proxy settings. TUN mode allows game traffic to pass through proxies for better speeds and lower latency.
- CLI Development Tools: Tools like npm, pip, git, and docker ignore system proxies by default. TUN mode solves connection issues for these tools in restricted network environments.
- Electron Apps: Many Electron-based apps (like VS Code plugin updates) bypass system proxies. TUN mode ensures this traffic is covered.
- UDP Proxying: System Proxy mode does not support UDP traffic. TUN mode does, which is critical for video calls, online gaming, and other UDP-dependent apps.
- Enterprise Environment Isolation: When all traffic needs to be routed through a specific proxy for security or compliance, TUN mode is the most reliable choice.
Windows: Enabling TUN in Clash Verge Rev
Enabling TUN mode on Windows requires administrator privileges. Clash Verge Rev handles the permission requests automatically:
- Ensure Clash Verge Rev is correctly installed and a valid subscription profile is imported.
- Click the "Settings" tab in the left navigation bar.
- Find the "TUN Mode" switch in the system settings section and toggle it on.
- A UAC prompt will appear; click "Yes" to grant administrator privileges.
- Clash Verge Rev will install the Wintun driver (first time only). Once the switch turns green, TUN mode is active.
On Windows, Clash Verge Rev uses the Wintun driver, which offers better performance and compatibility than the older TAP solution. If it fails to start, try switching the TUN stack mode to gVisor or Mixed in settings.
macOS: Enabling TUN in Clash Verge Rev
Enabling TUN on macOS also requires system permissions:
- Open Clash Verge Rev and navigate to the "Settings" page.
- Find "TUN Mode" and toggle it on.
- macOS will prompt you to allow a network extension in "System Settings → Privacy & Security." Follow the prompt and click "Allow."
- A restart of Clash Verge Rev is usually required for the changes to take effect.
- Once enabled, you can verify the existence of a virtual interface named
utunin Activity Monitor.
macOS 14 (Sonoma) and later have stricter controls over network extensions. You may need to manually allow the extension under "System Settings → Privacy & Security → Network Extensions."
Android: Enabling TUN in Clash for Android
Android natively supports a VPN interface. Clash for Android uses the VpnService API to achieve TUN-like transparent proxying, making it very easy to use:
- Open Clash for Android and ensure a profile is imported.
- Tap the large "Stopped" button on the home screen.
- A VPN connection request dialog will appear; tap "OK" to authorize.
- A key icon will appear in the status bar, indicating that Clash is running in VPN mode (functionally identical to TUN).
Choosing a TUN Stack Mode
Clash Verge Rev offers three stack modes for TUN, each with its advantages:
- System: Uses the OS kernel's TCP/IP stack. Highest performance and best compatibility; recommended for most users.
- gVisor: Uses Google's gVisor userspace network stack. Isolated from the system kernel for better stability but with slightly higher CPU usage.
- Mixed: A hybrid mode using System for TCP and gVisor for UDP. A good balance between performance and stability for UDP-heavy usage.
DNS Configuration for TUN Mode
When TUN mode is enabled, DNS resolution handling changes. To avoid DNS leaks (where DNS queries bypass the proxy), we recommend using enhanced-mode: fake-ip or redir-host. Here is a recommended DNS snippet:
dns:
enable: true
enhanced-mode: fake-ip
fake-ip-range: 198.18.0.1/16
nameserver:
- 114.114.114.114
- 8.8.8.8
fallback:
- tls://8.8.4.4:853
- https://cloudflare-dns.com/dns-queryThe fake-ip mode prevents DNS leaks by returning a spoofed IP address, while fallback ensures encrypted resolution for international domains.
Common TUN Mode Issues
Traffic Loop (No Internet Access)
If all internet access fails after enabling TUN, Clash's own traffic might be getting intercepted by the TUN interface, causing a loopback. The solution is to add the Clash process to your direct rules. Recent versions of Clash Verge Rev handle this automatically.
Increased Game Latency
TUN mode doesn't inherently speed up games; it just ensures the traffic is proxied. If latency increases, check if your chosen node is suitable for gaming—BGP optimized or dedicated IPLC lines are recommended over high-bandwidth general nodes.
Android Battery Drain
Clash for Android stays active in the background when VpnService is running, which is a common trait of VPN apps. It's best to turn off Clash when not needed or use the "Access Control" feature to bypass apps that don't require proxying.
Why Clash Verge Rev's TUN Experience is Best
Different Clash clients implement TUN mode with varying quality. The discontinued Clash for Windows had a heavier TUN implementation with higher memory usage and occasional crashes. In contrast, Clash Verge Rev is optimized for the Mihomo core's TUN implementation: supporting Wintun (Windows), lightweight gVisor stacks, and precise DNS interception. In practice, Clash Verge Rev's TUN mode is significantly more stable, has fewer memory leaks, and switches on/off much more smoothly. If you've had bad experiences with TUN mode in other clients, Clash Verge Rev is definitely worth a try.