Why This Comparison Matters

Every Clash GUI exposes at least two ways to send traffic through your proxy: system proxy and TUN mode. They look like simple toggles, but they operate at different layers of the stack. Pick the wrong one and you will see symptoms that are easy to misdiagnose—browsers work while git fails, games connect but Discord does not, or DNS leaks even though the proxy switch is on.

This guide is written for users searching Clash TUN vs system proxy, when to use TUN mode, or how to configure Clash proxy modes. It covers what each mode actually does, a side-by-side comparison table, practical use cases, step-by-step setup on major clients, and fixes for the problems that show up most often in support threads.

Whether you run Clash Verge Rev on Windows, ClashX Meta on macOS, or FlClash on Android, the underlying logic is the same: Clash (via the Mihomo core) decides where each connection goes using your rule set. The difference is how traffic reaches Clash in the first place.

Scope: This article focuses on desktop and mobile Clash GUIs built on Mihomo. Legacy Clash Premium used a different TUN stack; modern clients ship Mihomo with built-in TUN support.

What Is System Proxy Mode?

System proxy (sometimes labeled “Set as system proxy” or “System Proxy”) tells the operating system to route HTTP and HTTPS traffic through a local proxy endpoint—typically 127.0.0.1 on Clash’s mixed port (often 7890 by default).

When you flip the system proxy switch in a Clash client, the app writes proxy settings into the OS configuration:

  • Windows: Internet Options → Connections → LAN settings, or the modern WinHttp / per-user proxy registry keys
  • macOS: System Settings → Network → active interface → Proxies
  • Linux: Environment variables such as http_proxy / https_proxy, or desktop environment proxy panels

Applications that respect these settings open connections to Clash’s local port. Clash then applies your rules—DIRECT, PROXY, or REJECT—and forwards eligible traffic to the remote node you selected.

Strengths of system proxy

  • Low friction: No virtual adapter, no admin password on most setups
  • Lightweight: Minimal CPU and kernel involvement compared with TUN
  • Enough for daily browsing: Chrome, Edge, Firefox, and many Electron apps honor OS proxy settings
  • Easy to disable: One toggle restores direct connectivity instantly

Limitations you should know

  • Not all apps comply: Command-line tools, many games, Docker containers, and some store/UWP apps ignore system proxy
  • Protocol scope: Classic system proxy covers HTTP/HTTPS and SOCKS in most GUIs, but raw TCP/UDP from non-proxy-aware apps never reaches Clash
  • DNS handling: Without TUN, DNS queries may bypass Clash unless the app uses proxy-aware resolution or you configure dns in the profile
  • Per-app control is coarse: You cannot force a stubborn binary through the proxy without TUN or an external redirector

For casual web access—news, search, streaming in a browser—system proxy is usually the fastest path to a working setup. It is the default recommendation in most “quick start” tutorials for good reason.

What Is TUN Mode?

TUN mode creates a virtual network interface (a TUN/TAP device) and installs routes so that outbound IP packets are delivered to Clash before they leave your machine. Clash inspects each flow, matches it against rules, and either forwards it through a remote proxy, sends it direct, or drops it.

Think of system proxy as asking applications politely to use a local port. TUN mode sits lower in the stack and captures traffic whether or not the application cooperates—as long as the packet matches the routing table entries Clash manages.

What happens under the hood

  1. The Mihomo core enables tun: in the active configuration (via the GUI or config.yaml)
  2. A virtual adapter appears—Wintun on Windows, utun on macOS, or platform-specific drivers on Linux and Android
  3. Clash adds routes (and often DNS hijacking) so eligible traffic enters the TUN device
  4. Each connection is classified by domain, GEOIP, process name (where supported), or custom rules

Modern Mihomo builds support fake-ip and redir-host DNS modes under TUN. fake-ip assigns synthetic addresses to domain names so resolution stays inside Clash, which reduces DNS leaks and speeds up rule matching. That is why power users enable TUN when privacy and consistency matter as much as reachability.

Strengths of TUN mode

  • True full-system capture for TCP and UDP (subject to route and rule configuration)
  • CLI and IDE tools work: npm, git, curl, package managers, and build pipelines route through Clash
  • Better DNS control: DNS hijacking keeps queries on-policy with your rule file
  • Games and voice chat: UDP-heavy apps that ignore HTTP proxy settings can still be routed when rules allow

Trade-offs and requirements

  • Elevated permissions: Administrator on Windows; helper authorization on macOS; VPN permission on Android
  • Slightly higher overhead: Virtual adapter and kernel path add a small latency and CPU cost
  • Driver installation: First-run prompts for Wintun or similar components must succeed
  • Misconfiguration risk: Overly broad routes can loop traffic or break local LAN access until you adjust auto-route exclusions

Do not stack modes: When TUN is running, turn off system proxy. Running both can double-handle connections and produce “connected but nothing loads” behavior.

TUN Mode vs System Proxy: Side-by-Side

| Aspect | System Proxy | TUN Mode |
|---|---|---|
| Operating layer | Application / OS proxy settings | Network stack (virtual adapter) |
| Admin rights | Usually not required | Required on most desktop OSes |
| Browser traffic | Works when browser respects OS proxy | Works |
| CLI tools (git, curl) | Often bypass unless env vars set | Captured by default |
| Games / UDP apps | Frequently bypass | Captured when rules permit |
| DNS control | Limited without extra config | Strong (hijack + fake-ip) |
| Resource usage | Lower | Slightly higher |
| Setup complexity | One toggle | Driver + toggle + optional YAML tuning |
| Best for | Quick browsing, low-privilege environments | Development, gaming, full-tunnel needs |

Use the table as a decision shortcut: if every tool you care about already respects system proxy, stay there. The moment something critical ignores it, TUN is the structural fix—not another browser extension or manual environment variable hunt.

When to Use Which Mode

Choose system proxy when…

  • You mainly need web access in Chrome, Edge, or Firefox
  • You are on a locked-down PC where installing virtual adapters is blocked
  • You want the lightest footprint for occasional use
  • You are testing a new subscription and want a fast sanity check before enabling TUN
  • You share a machine and prefer not to grant administrator rights to the proxy client

Choose TUN mode when…

  • Terminal tools, IDEs, or package managers must reach blocked registries
  • You play online games or use voice apps that ignore HTTP proxy settings
  • You need consistent DNS behavior and leak reduction
  • UWP or sandboxed Windows apps fail even with system proxy enabled
  • You run Docker, WSL, or VMs and want host-level routing into Clash (with appropriate exclusions)

A practical hybrid workflow

Many users run system proxy on weekdays for browser-only tasks and flip TUN on for development sessions or gaming. That is perfectly valid—as long as only one capture mode is active at a time. You can also leave TUN off on battery-powered laptops when you do not need full capture and re-enable it when you open a terminal-heavy project.

How to Configure System Proxy

System proxy setup follows the same pattern across Clash GUIs: import a profile, select a node, enable the toggle. Below are client-specific notes for the platforms most readers use.

Clash Verge Rev (Windows / macOS / Linux)

  1. Import and activate a profile
    Open Profiles, add your remote subscription URL, and click the profile so it is highlighted.
  2. Pick a node
    Go to Proxies, run a latency test, and select an auto group or a specific server.
  3. Enable System Proxy
    On the home dashboard, switch System Proxy to ON. The tray icon usually turns colored when routing is active.
  4. Verify in the browser
    Visit a site that was previously unreachable. If it loads, system proxy is working for that browser.

Optional: under Settings → Clash Port, confirm the mixed port (default 7890) matches what your apps expect if you configure manual proxy entries.

ClashX / ClashX Meta (macOS)

  1. Import a remote config from the menu bar icon → Config → Remote Config.
  2. Select Set as system proxy from the menu. macOS network settings update immediately.
  3. Choose outbound mode Rule (recommended) so domestic traffic stays direct per your subscription rules.

FlClash / Android clients

On Android, “system proxy” often means enabling the VPN service without full TUN capture details exposed in the UI. FlClash and similar apps request VPN permission; traffic is routed into the Mihomo core similar to desktop TUN. Check your app’s label—some Android builds use a single VPN toggle that behaves closer to TUN than classic desktop system proxy. When in doubt, read the in-app description: if it mentions a VPN interface, treat it as full capture.

How to Configure TUN Mode

Clash Verge Rev on Windows

  1. Run as administrator
    Right-click the shortcut → Run as administrator. TUN cannot install Wintun without elevation.
  2. Open Settings → Clash field / TUN
    Enable TUN Mode. Accept the Wintun driver prompt if Windows shows it.
  3. Disable System Proxy
    Turn off the system proxy toggle on the home screen to avoid duplicate handling.
  4. Test from Command Prompt
    Run ping google.com and curl https://www.google.com. Success indicates non-browser traffic is flowing through Clash.

Tip: Set the shortcut to always run as administrator under Properties → Compatibility if you rely on TUN daily and want to skip repeated UAC prompts.

Clash Verge Rev on macOS

Enable TUN in Settings. macOS prompts for authorization to install a helper tool—approve it once. If TUN fails after an OS upgrade, remove and reinstall the helper from the client’s settings page, then toggle TUN again.

Optional: TUN section in config.yaml

GUIs generate TUN settings automatically, but understanding the YAML helps when you merge custom profiles:

tun:
  enable: true
  stack: system
  auto-route: true
  auto-detect-interface: true
  dns-hijack:
    - any:53

dns:
  enable: true
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  nameserver:
    - https://1.1.1.1/dns-query
    - 223.5.5.5

Key fields:

  • stack: system — uses the OS network stack; common default on Mihomo
  • auto-route: true — installs routes for captured traffic; set false only if you manage routes manually
  • dns-hijack — redirects DNS queries into Clash while TUN is active
  • enhanced-mode: fake-ip — pairs with TUN for faster domain-based rules

Edit YAML only if you know which profile file is active. Prefer GUI toggles for first-time setup; drop to YAML when you need exclusions for LAN segments or corporate VPN interfaces.
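
A way to check the tun: and dns: fields described above before merging a custom profile. This is an added example, not code from Mihomo or any Clash client; the function name, the finding labels, the list of encrypted upstream schemes and the treatment of a missing auto-route key as off are assumptions of the example.

```python
ENCRYPTED_SCHEMES = ("https://", "tls://", "quic://")  # DoH, DoT, DoQ upstreams (assumed list)


def audit_tun_dns(cfg):
    """Return sorted findings for a parsed Mihomo config (a dict from a YAML loader)."""
    tun = cfg.get("tun") or {}
    dns = cfg.get("dns") or {}
    if not tun.get("enable"):
        return ["tun-disabled"]  # the checks below only matter while TUN captures traffic
    findings = []
    if not tun.get("dns-hijack"):
        findings.append("no-dns-hijack")   # DNS queries are not redirected into Clash
    if not tun.get("auto-route"):          # a missing key is treated as off (assumption)
        findings.append("manual-routes")   # routes must be managed by hand
    if not dns.get("enable"):
        findings.append("dns-disabled")    # Clash's own resolver is switched off
    mode = dns.get("enhanced-mode")
    if mode not in ("fake-ip", "redir-host"):
        findings.append(f"enhanced-mode:{mode}")
    for ns in dns.get("nameserver") or []:
        if not str(ns).startswith(ENCRYPTED_SCHEMES):
            findings.append(f"plaintext-nameserver:{ns}")  # upstream query leaves unencrypted
    return sorted(findings)


# The page's sample config, written as the dict a YAML loader would return.
PAGE_CONFIG = {
    "tun": {"enable": True, "stack": "system", "auto-route": True,
            "auto-detect-interface": True, "dns-hijack": ["any:53"]},
    "dns": {"enable": True, "enhanced-mode": "fake-ip",
            "fake-ip-range": "198.18.0.1/16",
            "nameserver": ["https://1.1.1.1/dns-query", "223.5.5.5"]},
}

# Constructed weak variant: TUN captures traffic but DNS is left outside Clash.
WEAK_CONFIG = {
    "tun": {"enable": True, "auto-route": True},
    "dns": {"enable": False, "nameserver": ["223.5.5.5"]},
}

if __name__ == "__main__":
    print(audit_tun_dns(PAGE_CONFIG))
    print(audit_tun_dns(WEAK_CONFIG))
```

On the sample config above, the only finding is the second nameserver, which has no scheme and is therefore queried over plain DNS.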

Platform-Specific Notes

Windows

Wintun is the standard driver. Windows Defender Firewall may block Mihomo the first time TUN starts—allow it on private networks. Hyper-V, WSL2, and corporate VPN clients can conflict with auto-route; add interface exclusions in advanced TUN settings or pause the other virtual switch while testing.

macOS

System proxy integrates cleanly with Safari and most Cocoa apps. TUN requires the helper bundle and may interact with iCloud Private Relay or other VPN profiles—disable overlapping VPNs when debugging routes.

Linux

Clash Verge Rev and CLI Mihomo builds use TUN with cap_net_admin or root. Desktop environments vary in system proxy support; TUN is often more predictable on Linux workstations used for development.

Android

Android does not expose classic desktop system proxy toggles the same way. VPN-based Clash apps route through a TUN-like service after you grant VPN permission. Battery optimizations may kill background processes—exclude your Clash app from aggressive OEM task killers.

Troubleshooting Common Issues

Browser works, terminal does not

Classic sign of system-proxy-only mode. Enable TUN (with admin rights) or manually export proxy environment variables:

export http_proxy=http://127.0.0.1:7890
export https_proxy=http://127.0.0.1:7890
export all_proxy=socks5://127.0.0.1:7890

TUN is usually less fragile than maintaining shell profiles across tools.

TUN enabled but nothing loads

  • Confirm system proxy is off
  • Reinstall the virtual adapter driver as administrator
  • Check that a valid node is selected—not a dead server or empty group
  • Temporarily switch to Global mode to isolate rule-file issues from capture issues

Suspected DNS leaks

Under TUN, enable DNS hijacking and use fake-ip or redir-host. Point upstream DNS to DoH servers your provider recommends. Test with a DNS leak checker while TUN is active—not with system proxy alone.
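
A local check that complements an online leak checker, assuming fake-ip mode with the fake-ip-range shown in the config section: if the OS resolver returns an address inside that range, the query was answered by Clash. This is an added example, not part of any Clash client; the function names and verdict labels are hypothetical and the sample answers are constructed.

```python
import ipaddress
import socket

FAKE_IP_RANGE = "198.18.0.1/16"  # fake-ip-range from the page's dns: section


def classify_answers(addresses, cidr=FAKE_IP_RANGE):
    """Classify the addresses an application received for one domain."""
    # strict=False: the page's range has host bits set (198.18.0.1, not .0.0)
    net = ipaddress.ip_network(cidr, strict=False)
    if not addresses:
        return "no-answer"
    hits = [ipaddress.ip_address(a) in net for a in addresses]
    if all(hits):
        return "answered-by-clash"  # synthetic address: the query stayed inside Clash
    if any(hits):
        return "mixed"              # only some answers are synthetic; find the other resolver
    return "real-address"           # redir-host mode, or the query bypassed Clash


def system_resolve(name):
    """Resolve through the OS resolver, the path an ordinary application takes."""
    infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_domains(names, resolver=system_resolve, cidr=FAKE_IP_RANGE):
    """Map each name to a verdict; pass a resolver to run offline."""
    report = {}
    for name in names:
        try:
            report[name] = classify_answers(resolver(name), cidr)
        except OSError:
            report[name] = "resolve-failed"
    return report


# Constructed sample answers (documentation addresses, not captured from a real host).
SAMPLE = {
    "example.com": ["198.18.0.12"],
    "example.org": ["203.0.113.10"],
    "example.net": ["198.18.3.7", "203.0.113.9"],
}

if __name__ == "__main__":
    print(check_domains(SAMPLE, resolver=SAMPLE.__getitem__))
```

A "real-address" verdict is not proof of a leak on its own, since redir-host mode also returns real addresses; it marks the names worth following up with a packet capture or the leak checker.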

Local LAN printers or NAS unreachable

Broad TUN routes can send RFC1918 traffic the wrong way. Add private-ip or CIDR exclusions in advanced TUN settings, or use subscription rules that mark LAN destinations as DIRECT.

Weird loops with corporate VPN

Running Clash TUN alongside a full-tunnel corporate VPN often conflicts. Use system proxy only while the VPN is connected, or configure split exclusions so both tools do not fight for default route ownership.

Frequently Asked Questions

Should I use TUN mode or system proxy in Clash?

Start with system proxy if browsers are your main use case. Move to TUN when command-line tools, games, or DNS consistency require full capture. There is no performance prize for enabling TUN “just because”—use it when system proxy leaves gaps.

Can I enable TUN mode and system proxy at the same time?

No. Disable system proxy whenever TUN is on. Clients may not block you from enabling both, but the combination causes hard-to-debug connection failures.

Why does TUN mode require administrator privileges on Windows?

Installing and controlling Wintun touches kernel networking APIs. Standard user tokens cannot create virtual adapters safely; elevation is an OS requirement, not a Clash quirk.

Does system proxy work for all applications?

Definitely not. Anything that opens raw sockets without reading OS proxy settings will bypass it. That is the core reason TUN mode exists in modern Mihomo builds.

Does proxy mode affect Rule / Global / Direct?

No. Rule, Global, and Direct are outbound policies applied after traffic reaches Clash. System proxy and TUN are ingress paths. You still want Rule mode for split routing in most subscriptions.

Standalone VPN apps often force all traffic through one remote server—you lose split routing, latency testing, and per-domain rules. Browser extensions only cover page loads inside that browser. Even other proxy GUIs sometimes hide TUN behind experimental flags or ship outdated cores that break on new OS releases. Clash with Mihomo gives you both ingress modes in one place: flip system proxy for a five-minute test, enable TUN when your toolchain demands it, and keep the same rule file either way. If you want that flexibility without juggling multiple products, grab a maintained client from our download page and import your subscription once.