Covers 30+ high-frequency issues such as installation, subscription imports, and connection errors. Search below or browse by category to find your answer.
This is normal as the client is not signed by Microsoft. Steps: Click "More info" in the pop-up, then click "Run anyway." If Windows Defender quarantines the package, find it in "Protection history" and select "Allow on device," or add the installation directory to the exclusion list.
Do not double-click to open. Instead: Right-click the app icon → Select "Open" → Click "Open" again in the pop-up. If it still doesn't work, go to "System Settings → Privacy & Security," find the blocked app at the bottom of the page, and click "Open Anyway."
Alternatively, run the following in Terminal: xattr -cr /Applications/ClashVerge.app (replace with the actual installation path).
7890 is the default Mixed Port for Clash. If it's occupied by another process, you need to change it: In the client, go to "Settings → Port" and change Mixed Port to an unused value like 17890 or 17891. Restart the client after saving.
You can run lsof -i :7890 (macOS/Linux) or netstat -aon | findstr 7890 (Windows) in Terminal to find the process using the port.
Possible reasons: The file was modified by a network tool during download, or the download is incomplete. Suggestions:
Redownload the package and ensure all other proxy tools are closed during the download.
Verify if the file size matches the release page.
Try downloading in your browser's incognito mode to avoid cache issues.
In the client "Settings" page, find and enable the "Start on Boot" option. On Windows, this is achieved by adding an entry to the registry startup items; on macOS, it uses a LaunchAgent. If it doesn't take effect, you can manually add the client to the system startup items: · Windows: Press Win + R, type shell:startup, and place a shortcut of the client in that folder. · macOS: Go to "System Settings → General → Login Items" and add it manually.
Most clients support overwriting existing installations. Simply download the latest installer and run it; there's no need to uninstall the old version, and your subscriptions and configurations will be preserved. If the client has a built-in "Check for Updates" feature, using that is even more convenient. If you encounter issues after upgrading, try uninstalling the old version first (do not check the option to delete configuration files), then perform a clean installation of the new version.
If the system proxy was not turned off before uninstallation, the proxy settings may remain in the system. To fix this: · Windows: Go to "Settings → Network & Internet → Proxy" and turn off the "Use a proxy server" switch. · macOS: Go to "System Settings → Network → [Current Network] → Details → Proxies," uncheck all proxy options, and click "OK." In the future, always turn off the system proxy within the client before uninstalling.
Subscription & Config
6 Questions
Troubleshoot in this order:
Recopy the subscription link, ensuring there are no leading/trailing spaces or newlines.
Access the subscription link directly in a browser to confirm it downloads a YAML file (starting with proxies: or proxy-providers:).
If the link returns a Base64 string, it's an old SSR/V2Ray format. You'll need a client that supports automatic conversion or request a Clash-specific link from your provider.
Temporarily disable "SSL Certificate Verification" in the client and try again (remember to turn it back on afterward).
Possible reasons and solutions:
Account Expired: Log in to your service provider's dashboard to confirm your subscription is active.
Link Reset: Providers often have a "Reset Subscription Link" feature. Reset it and copy the new link into your client.
Network Issue: The subscription server itself might be temporarily unreachable; try again later.
Data Exhausted: Some services are metered. If you run out of data, the subscription URL may return empty content.
Switch Subscriptions: In the client's "Profiles" or "Subscriptions" page, click "Use" or simply click the configuration you want to activate to highlight it.
Merge Subscriptions: Use the "Override" feature. In the override script, use proxy-providers to import multiple subscription URLs, allowing you to merge nodes from different providers into a single configuration. Refer to the Mihomo Wiki on Proxy Providers for specific syntax.
Yes. Clash configuration files use the standard YAML format. You can write your own or use the built-in editor to modify config.yaml. The basic structure includes four core fields: port, proxies (node list), proxy-groups (policy groups), and rules (rule list).
Config file paths: · Windows / macOS: Use "Open Config Folder" within the client. · Linux: ~/.config/mihomo/config.yaml
Use the "Override" feature in your client. In the override script, you can prepend custom rules to the beginning of the subscription's rule list, for example:
rules.unshift('DOMAIN-SUFFIX,example.com,DIRECT')
This way, every time the subscription updates, the override script automatically re-applies your custom rules. Both Clash Verge Rev and FlClash support this feature.
Immediately go to your service provider's dashboard and use the "Reset Subscription Link" feature. This will generate a new link and immediately invalidate the old one. Then, update all your devices with the new link.
A subscription link is like an account password. Do not share it publicly, including in screenshots or chat groups.
Connection & Proxy
7 Questions
Troubleshoot in this order:
Confirm your local internet connection is working (e.g., you can access a site like Google or YouTube).
Click "Update Subscription" to get the latest nodes; old ones may have been taken offline.
Click "Test Latency" on the node list and wait for the results (usually 10–30 seconds).
Check if your firewall or security software is blocking the Clash process.
If some nodes work but have high latency, try nodes in different regions.
Contact your provider to confirm your account status and node availability.
System proxy mode only works for programs that respect system proxy settings (mainly browsers). For other programs, you should:
Recommended: Enable TUN Mode, which uses a virtual network card to take over all system traffic without requiring app-specific support.
Use the program's built-in proxy settings: set the HTTP proxy to 127.0.0.1:7890.
For terminal tools: set environment variables like HTTP_PROXY=http://127.0.0.1:7890.
Manually restore proxy settings: · Windows: Go to "Settings → Network & Internet → Proxy" → Turn off "Use a proxy server." · macOS: Go to "System Settings → Network → [Current Network] → Details → Proxies" → Uncheck all and apply.
Preventative measure: Always close the program properly using the "Quit" button in the client interface rather than force-closing it via Task Manager.
TUN mode requires a virtual network card driver (WinTun or WinDivert on Windows):
Run the Clash client as an Administrator before enabling TUN mode.
Windows users may need to install the Microsoft Visual C++ Redistributable.
If security software blocks the driver, temporarily disable it, install the driver, and then re-enable it.
macOS will prompt for system authorization; enter your password to allow it.
Three ways to verify:
Visit google.com; if it loads, the proxy is working.
Visit https://ipinfo.io and check if the displayed IP is the node's location instead of your own.
Check the "Connections" page in the Clash client to see real-time traffic passing through the proxy.
Switch to a lower-latency node: test latency and choose a node with <100ms.
Try nodes in different regions closer to the target server (e.g., use a US node for US websites).
Use an "Auto Select" policy group to automatically switch to the fastest node.
UDP protocols (like QUIC/HTTP3) may be faster on some networks; enable UDP in the client settings.
If your local bandwidth is limited, a proxy cannot exceed your physical connection speed.
Turn on the "Allow LAN" switch in the Clash client settings. Then, manually configure the Wi-Fi proxy on the other device: · Proxy Address: Your computer's LAN IP (e.g., 192.168.1.100). · Port: 7890 (Mixed Port).
Ensure your computer's firewall allows inbound connections on port 7890.
Rules & Split Tunneling
5 Questions
· Rule Mode (Recommended for daily use): Automatically decides based on subscription rules—local traffic goes direct, while international traffic uses the proxy. It's fast and efficient. · Global Mode: All traffic goes through the proxy. Use this for testing node connectivity, accessing services with strict IP limits, or when rules fail for a specific site. · Direct Mode: No traffic goes through the proxy, equivalent to having Clash turned off. Use this to temporarily disable the proxy or troubleshoot network issues.
Confirm you are in "Rule Mode" rather than Global Mode. If it's still slow in Rule Mode, the ruleset might be incomplete:
Update your subscription for the latest rules.
Use an Override to prepend DOMAIN-SUFFIX,example.com,DIRECT to the rule list.
Ensure the "Domestic" or "DIRECT" policy groups are correctly configured.
The GeoIP database (Country.mmdb) needs periodic updates. Click "Update" under "GeoIP Database" in the client settings, or manually download the latest Country.mmdb from Loyalsoldier/geoip to replace it.
It is recommended to update the GeoIP database every 1–2 months for accurate IP attribution.
The domain might not be in the ruleset, triggering the fallback MATCH,DIRECT rule. To fix this: Use an Override to prepend a proxy rule for that domain at the top of the list, e.g.: DOMAIN-SUFFIX,example.com,PROXY
Alternatively, temporarily switch to "Global Mode" to confirm if the node itself works before troubleshooting the rules.
DNS leakage occurs when DNS queries are still sent through your local ISP's DNS despite the proxy being active, allowing your ISP to see which domains you visit. It can also lead to inaccurate rule matching.
Prevention: Set dns.enable to true in your Clash config and use encrypted DNS (DoH or DoT), such as: nameserver: ['https://dns.google/dns-query', 'https://1.1.1.1/dns-query']
Most subscriptions already include a reasonable DNS configuration, so manual changes are often unnecessary.
Platform Specific
4 Questions
These apps have been removed from the Mainland China App Store. You'll need an Apple ID for a different region (like the US) to search and purchase them. Steps:
Register a US Apple ID (or purchase an app gift card for a US account).
In the App Store, click your profile icon → Sign Out → Sign in with the US account.
Search for and buy the app (using a US credit card or gift card).
After purchasing, you can switch back to your original ID; the app will remain and can be updated normally.
Do not sign in to the US Apple ID for iCloud; use it only for the App Store to avoid data conflicts.
Android's battery optimization may restrict background apps. To keep it alive:
Go to "Settings → Apps → FlClash → Battery" and select "Unrestricted."
Disable "Background App Restrictions" or add FlClash to the battery optimization whitelist.
Enable the "Persistent Notification"; the system won't kill the process while the notification exists.
For some Chinese ROMs (MIUI/HarmonyOS), you may need to "lock" the app in the recent tasks view.
Create a service file at /etc/systemd/system/mihomo.service:
macOS Sonoma and later have limited menu bar space. You can adjust items in "System Settings → Control Center → Menu Bar Only" or use tools like Bartender.
If the proxy isn't working, try toggling the "System Proxy" switch off and then on again in the client.
If it still fails, check "System Settings → Privacy & Security → Network Extensions" to ensure Clash Verge has permission.
Restarting the client usually resolves most status issues on macOS.
Privacy & Security
3 Questions
The Clash client itself is a fully open-source local program that does not collect or upload user data. Local logs are stored only on your device and can be viewed on the "Logs" page or disabled in settings.
Note: Your traffic passes through the proxy node server. The node owner (service provider) technically has the ability to log metadata (destination, timestamps, etc., but not HTTPS encrypted content). We recommend choosing a reputable provider with a clear privacy policy.
MITM (Man-in-the-Middle) is an optional feature for development and debugging—it decrypts HTTPS traffic locally for packet analysis. This requires the user to manually:
Enable tls.enable: true in the config.
Manually install and trust the local CA certificate generated by Clash.
Regular users don't need to worry about this as it's off by default. Without installing the CA certificate, HTTPS traffic remains encrypted and unreadable to Clash.
Always download from the official GitHub Releases page or this site; avoid third-party sources.
Compare the SHA256 checksum of the downloaded package with the value listed on the Release page.
All recommended clients (Clash Verge Rev, FlClash, Mihomo, etc.) are open-source projects; you can view the full source code on GitHub.
If security software flags it, upload the file to VirusTotal for a multi-engine scan; false positives are common for proxy tools.
Didn't find your question?
View the full user guide for detailed instructions from installation to advanced configuration.