How to Set Up Stash on iPhone: Subscription Import and Split Rules

Why iPhone setup is not the same as Android or desktop

On Android, users typically sideload a Clash-family APK, grant VPN permission once, and manage profiles inside an open ecosystem. On iOS, Apple’s Network Extension framework and App Store policies shape every step. Stash is one of the mature clients that speaks the same Clash YAML language as desktop Mihomo-based tools, but the buttons, menus, and error messages live inside an iOS-native shell.

That matters for three practical reasons. First, you cannot “drop in” Android screenshots and expect the taps to line up. Second, subscription URLs that work on Windows may still fail on iOS if TLS interception, captive portals, or clipboard truncation get in the way. Third, split routing is still rule-based—but you verify it with iOS-specific logs and toggles. Keeping those differences in mind saves hours of confusion.

Before you start: subscription format and provider checklist

Stash expects a remote profile that resolves to a valid Clash configuration—usually YAML with proxies, proxy-groups, and rules. Your provider dashboard should offer a link labeled for Clash, Mihomo, or Stash. If the page returns raw Base64 node lists without a Clash header, you need a converter first; our subscription import guide explains how to recognize formats and fix mismatches before you waste time inside the app.

Also confirm that the URL uses HTTPS. Plain http:// links occasionally work on desktop but fail silently on mobile Safari or inside in-app WebViews when mixed-content policies apply. If your dashboard shows a short preview, always use the provider’s copy button so the token is not truncated.

Install Stash and grant the first-run permissions

Install Stash from the App Store on the device that will carry the VPN profile. After launch, iOS may prompt for local network access, notification permission, and background refresh—these are optional for basic proxy use but help keep subscription updates reliable on cellular networks.

The critical permission is the VPN / Network Extension consent. Until you approve it, Stash cannot tunnel traffic. If you previously denied it, open Settings → General → VPN & Device Management (wording varies slightly by iOS version) and ensure Stash is allowed, or delete and reinstall to trigger the prompt again.

Importing an airport subscription URL (illustrated flow)

Follow this sequence on a clean install; menu names may shift slightly between Stash versions, but the logic is stable.

1. Open the Profiles or Config area. From Stash’s main screen, navigate to where remote configurations are listed—often labeled Profiles, Config, or similar.
2. Add a remote profile. Choose the option to import from URL. Avoid typing long tokens by hand; paste from the provider’s copy button.
3. Name the profile. Use something memorable, especially if you maintain more than one subscription—for example “Work” vs “Personal.”
4. Set an update interval. A 12–24 hour refresh matches what most users need; aggressive hourly polling drains battery and hits provider rate limits.
5. Save and fetch. Stash downloads the YAML over HTTPS, parses proxies, and builds proxy groups. Wait until the progress indicator finishes.
6. Activate the profile. Select it as the active configuration so the dashboard reflects the correct rules and outbound list.

Think of each step as a checkpoint. Users who skip naming or activation often believe the import “did nothing” when the file downloaded successfully but never became the running config.

Turn on the tunnel and confirm traffic is flowing

Toggle Stash’s main connection switch. iOS shows the VPN badge in the status bar when the Network Extension is up. Open Safari and visit a site you know responds differently through the proxy. Then open Stash’s connection or log view—wording varies—and confirm you see live flows rather than an idle list.

If the VPN icon appears but pages do not load, do not assume the proxy is broken. Check whether the active policy group is set to DIRECT for that domain, whether DNS is failing, or whether the selected node is offline. The next sections cover how to read groups and rules so those diagnoses become mechanical instead of guesswork.

Proxy groups: what you are actually switching

Most provider-generated profiles ship with multiple proxy groups: a manual selector, an automatic lowest-latency pool, a fallback chain, and sometimes specialty groups for streaming or gaming. In Stash, you pick a node inside the group that matters for your traffic. The top-level group is usually named Proxy, PROXY, or 节点选择 depending on the author.

For everyday browsing, automatic selection is convenient. For services that break when the exit country changes—payments, app stores, regional media—switch the relevant group to manual and pin a stable node. Remember that changing one group does not retroactively fix DNS or rules that send a hostname elsewhere; it only affects traffic that reaches that group in the rule pipeline.

Latency numbers come from built-in health checks. A node showing timeout or extremely high ping is a poor choice even if the name looks attractive. Re-run the test on Wi-Fi and on cellular; routing to the same server can differ sharply between carriers.

Split routing rules on Stash: how to read the pipeline

Split routing means different destinations take different paths. In Clash YAML, rules are evaluated top to bottom until one matches; the winner points to a policy (DIRECT, REJECT, or a proxy group). Domestic CDNs, local banking sites, and LAN resources commonly hit DIRECT rules early. Foreign services and blocked domains ride a proxy group later. A final catch-all rule handles everything else.

Provider profiles often bundle community rule sets—RULE-SET, GEOIP, and domain lists. Stash downloads and refreshes these according to the profile metadata. You do not need to edit YAML on iOS for basic use. When something misbehaves, open the live connection list, tap a stalled entry, and read which rule matched. If a domestic app is wrongly tunneled, you need a higher-priority direct rule; if a foreign site goes direct, you may be missing a domain rule or your DNS mode disagrees with the rule engine.

Advanced users sometimes import a trimmed profile with fewer rules for debugging. That is a valid strategy: fewer moving parts make it obvious whether a failure is node-related or rule-related.

DNS, fake-ip, and why “it works on Wi-Fi but not LTE”

Many Clash profiles enable fake-ip DNS mode. The client returns synthetic addresses for domain queries, then maps them back to real destinations internally. This prevents common leak patterns, but it also means misconfigured DNS upstreams show up as mysterious hangs on cellular networks where IPv6 or resolver blocking differs from home broadband.

If you observe that pattern, compare behavior on Wi-Fi versus LTE, then inspect the profile’s dns section for unreachable DoH endpoints. Switching to a resilient public resolver often stabilizes things without touching proxy nodes. For a platform-wide discussion, the Clash troubleshooting guide walks through DNS and port issues that mirror what you see on iOS.

Common failures: subscription validation, empty nodes, and timeouts

“Validation failed” or download errors right after paste

Check for invisible whitespace or line breaks in the clipboard—some chat apps trim URLs. Re-copy from the provider page. Confirm the link is HTTPS and still within its validity period. If the provider rotated tokens, old bookmarks break immediately.

If the error references TLS or certificate pinning, ensure the device clock is correct and no enterprise root MITM is intercepting HTTPS on your network. Public Wi-Fi portals sometimes block raw HTTPS fetches until you complete the captive login in Safari first.

Profile loads but shows zero nodes or blank groups

The YAML downloaded, but nothing usable was inside. Typical causes include an expired trial, a provider-side outage returning an empty file, or a profile that references external resources Stash could not fetch. Trigger a manual refresh after you confirm the subscription status on the provider dashboard.

VPN connected but nothing loads

Open the log and look for repeated timeouts to the proxy server. Switch groups or nodes. If every request is DIRECT yet still fails, the underlying data link—not Stash—is the problem. If requests hit the proxy but stall, pick another exit region or ask the provider for a maintenance notice.

One app ignores the proxy

Some apps use their own DNS-over-HTTPS stack or pinned certificates. Stash’s VPN tunnel can still capture IP traffic, but the app may require full-tunnel mode or per-app policies depending on version. Start by verifying the domain in the connection log, then adjust rules accordingly.

How this differs from our Android ClashMeta guide

We publish a dedicated walkthrough for ClashMeta on Android because the platform stack is different: APK sideloading, background execution limits, and Material Design workflows do not map one-to-one to iOS. The underlying idea—Mihomo-compatible YAML, subscription refresh, split rules—is shared, but this article keeps naming and failure modes specific to iOS Stash so you do not mix up instructions.

Security habits worth keeping on a phone

Your subscription URL is effectively a password. Do not paste it into public forums or screenshots. Revoke and rotate from the provider if you suspect leakage. On shared devices, disable iCloud backup for sensitive configs if your client stores local files, and use Screen Time or device passcodes to prevent casual profile swaps.

Closing thoughts: a clean mobile path with room to grow

Stash on iPhone fills the gap for users who want Clash-grade flexibility without carrying a laptop. Once the subscription import succeeds, most day-to-day work is just picking the right group and letting the rule engine handle split routing. When something breaks, the fix is usually upstream—a dead node, an expired token, or DNS—not mysterious iOS magic.

For desk-bound workflows, a desktop Mihomo client still offers richer editing and faster log analysis. The ecosystem lines up: same YAML philosophy, different shell. If you want that parity on Windows or macOS with a polished UI, grab our recommended build from the official download page—→ Download Clash for free and experience the difference