Tutorial · Estimated reading 8 mins

Clash Verge Rev TUN Mode Complete Guide
Routing Terminal, Git, and Docker all through proxy

An ordinary system proxy covers only browser traffic, while terminals and Docker still connect directly. This article walks you step by step through enabling TUN virtual network card mode, which takes over all underlying traffic at once without configuring any environment variables.

Clash Verge Rev · TUN Mode · Windows · macOS

1 What is TUN mode

Before diving into the configuration, let's clarify a concept: what exactly is the difference between System Proxy and TUN mode?

In daily use of Clash, most people turn on the "System Proxy". This mode essentially sets an HTTP/SOCKS5 proxy address at the operating system level. Browsers and some applications actively read this setting and send traffic over, but many programs — especially command-line tools — don't recognize these rules at all. Have you ever encountered this situation: the browser bypasses the firewall flawlessly, but as soon as you open a terminal to execute npm install or git clone, it's still crawling at a snail's pace or just times out? This is a typical manifestation of the limited coverage of a system proxy.

TUN mode works completely differently. It creates a virtual network interface card in the system (usually named Meta or utun), steers all outbound traffic of the operating system (whether HTTP, TCP, or UDP) into this virtual network card, and then lets the Clash core decide, according to your rules, whether each connection should go through a proxy or connect directly. From the perspective of underlying traffic, the network of this machine is completely taken over by Clash, and no program can bypass it.

The advantages of the Mihomo (Meta) core: Clash Verge Rev uses the Mihomo (i.e. Clash.Meta) core. Its TUN implementation is based on the gvisor or system stack, and its stability and compatibility are both superior to those of the old Clash Premium core.

2 Why you need TUN mode

If you have any of the following requirements, TUN mode is almost a must:

  • Terminal Developers: Package managers like npm, pip, cargo, brew do not use system proxies
  • Git Users: git clone or git push to GitHub/GitLab often times out
  • Docker Users: Pulling Docker Hub images or downloading dependencies during builds always fails
  • Gamers: UDP traffic from clients like Steam or Epic cannot be covered by the system proxy
  • Remote Connections: SSH or some VPN clients do not support configuring proxy parameters

Simply put, whenever you encounter the dilemma of "proxy is on but some software still doesn't use it", TUN mode is the ultimate solution.

3 Prerequisites for enabling

Software Version Requirements

  • Clash Verge Rev version 1.7.0 or above (latest version recommended)
  • Windows systems need to install Npcap or have the WinTUN driver enabled
  • macOS systems need to grant "Network Content Filter" permissions

Administrator Privileges

Creating a virtual network card requires system-level permissions. Windows users should run Clash Verge Rev as administrator, or enable the "Run with administrator privileges" option in settings (the latter is recommended to avoid manual operation each time). macOS will show a system prompt requesting authorization when TUN is first enabled; just click "Allow".

Note: Turn off system proxy before enabling. TUN mode and system proxy can coexist, but to avoid speed anomalies caused by double interception of traffic, it is recommended to disable the system proxy when enabling TUN and let TUN exclusively take over all traffic.

4 Enabling TUN Mode on Windows

Step 1: Launch Clash Verge Rev with administrator privileges

Right-click the desktop icon → select "Run as administrator". Or go to Clash Verge Rev's "Settings" → "System Settings" → enable the "Run with administrator privileges" switch, and every subsequent launch will automatically elevate privileges.

Step 2: Install Service Mode

Navigate to: Settings → System Settings → Service Mode, click the "Install" button. Service mode allows Clash to run as a service in the system background, which is a prerequisite for the TUN driver. The status will show "Installed" when complete.

Step 3: Enable TUN Mode

Return to the main interface, find the "TUN Mode" switch (usually in the home card area or "Settings → Core Settings"), and turn it on. When first enabled, Clash will automatically install the WinTUN virtual driver, which takes a few seconds. The taskbar icon may briefly flash, which is normal.

How to confirm that the TUN driver installed successfully: open "Device Manager" → "Network Adapters". If you see a virtual adapter named WinTUN Userspace Tunnel or Meta, the driver is ready.

Step 4: Recommended TUN parameter configuration

In Clash Verge Rev's "Override Config" or by directly editing the subscription YAML, add the following TUN section:

YAML
tun:
  enable: true
  stack: mixed          # mixed has the best compatibility (gvisor + system hybrid)
  dns-hijack:
    - any:53            # Intercepts all DNS requests, preventing DNS leaks
  auto-route: true      # Automatically adds routing rules
  auto-detect-interface: true  # Automatically detects the outbound network interface

stack: mixed is the most recommended mode right now: TCP traffic uses the gvisor user-mode protocol stack (better compatibility), UDP traffic uses system (higher performance), each handling its own role. If you find some UDP applications behaving incorrectly, you can switch to stack: gvisor for unified processing.

5 Enabling TUN Mode on macOS

Step 1: Grant system permissions

On macOS, TUN implementation relies on the system's "Network Content Filter" (Network Extension). After clicking the TUN switch for the first time, the system will show a permission request dialog. Go to "System Preferences (or System Settings)" → "Privacy & Security" → click "Allow" at the bottom.

Step 2: Enable the TUN switch

After authorization, return to Clash Verge Rev's main interface, click the "TUN Mode" toggle button. When the status turns blue, it means it's activated. You'll notice a small shield icon appears next to the menu bar icon, indicating TUN is active.

Step 3: YAML configuration is the same as Windows

The YAML configuration on macOS is exactly the same as Windows. It is also recommended to set stack: mixed, auto-route: true, and dns-hijack. See the Windows configuration example above for details.

Notes for macOS Sequoia (15.x): After Apple Silicon Macs upgrade to macOS 15, the Network Extension permission management has been adjusted. Some users need to manually add Clash Verge Rev to the allow list in "System Settings → Privacy & Security → Network".

6 Verifying that TUN Mode is truly effective

After enabling, don't rush to use it. First do a few simple verifications to confirm that TUN has taken over all traffic.

Method 1: Terminal curl test

Open Command Prompt (Windows) or Terminal (macOS), and execute:

Shell
curl -v https://www.google.com

If a normal response (HTTP 200) is returned, it means terminal traffic is going through the proxy. Previously without TUN, this command would most likely time out or report a connection refused error.

Method 2: Check current IP location

Shell
curl https://ip.sb

The returned IP address should be a foreign IP from the location of your node, not your local ISP's IP. If it is your local ISP's IP, TUN is not working. Check whether you are running with administrator privileges.

Method 3: Observe in Clash's connections panel

Open Clash Verge Rev → "Connections" panel. After executing any terminal command, see if the corresponding connection record appears. In TUN mode, connections initiated by commands like curl, git, npm will all appear in the list with the process name clearly visible. This is the most direct way to troubleshoot problems.

Method 4: Docker image pull test

Shell
docker pull hello-world

If you can successfully pull images from Docker Hub (without separately configuring a proxy in Docker Desktop), it means TUN has successfully taken over Docker's network traffic. For users in China, this is almost the golden test of whether TUN is working properly.

7 Advanced: Fine-grained routing rules

After TUN takes over all traffic, reasonable routing rules become even more important — after all, there is no need to proxy domestic websites, otherwise it will increase latency. Here are a few commonly used fine-grained configuration suggestions:

Reserve direct connection for LAN and domestic IPs

YAML · rules snippet
rules:
  - IP-CIDR,192.168.0.0/16,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  - IP-CIDR,127.0.0.0/8,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,Proxy

The GEOIP,CN,DIRECT rule makes all IPs located in mainland China connect directly without going through the proxy. This is very important for accessing domestic websites, online games, banking apps, etc.

Exclude specific processes to use direct connection

The Mihomo core supports PROCESS-NAME rules to set exceptions by process name:

YAML · rules snippet
rules:
  - PROCESS-NAME,WeChat,DIRECT      # WeChat uses direct connection
  - PROCESS-NAME,QQ,DIRECT          # QQ uses direct connection
  - PROCESS-NAME,Thunder,DIRECT     # Xunlei uses direct connection
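
Clash evaluates rules top to bottom and the first match wins, so a PROCESS-NAME exception placed first sends that process direct whatever the destination. The Python sketch below is an added example, not code from Clash Verge Rev or Mihomo: it replays the two snippets above against sample connections and lists local ranges that no DIRECT IP-CIDR rule covers. The merged rule order, the `LOCAL_RANGES` list, exact process-name matching and the caller-supplied country code (in place of the GeoIP database) are assumptions.

```python
import ipaddress

# The page's two snippets merged into one list; this ordering is an assumption.
RULES = [
    "PROCESS-NAME,WeChat,DIRECT",
    "IP-CIDR,192.168.0.0/16,DIRECT",
    "IP-CIDR,10.0.0.0/8,DIRECT",
    "IP-CIDR,127.0.0.0/8,DIRECT",
    "GEOIP,CN,DIRECT",
    "MATCH,Proxy",
]

# Assumed list of private / loopback / link-local ranges to keep off the proxy.
LOCAL_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "169.254.0.0/16"]


def decide(rules, dst_ip, process="", country=""):
    """Return (outbound, rule) for the first matching rule, top to bottom.

    `country` stands in for the GeoIP lookup; process names match exactly.
    """
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        kind, *rest = [p.strip() for p in rule.split(",")]
        if kind == "MATCH":
            return rest[0], rule
        value, outbound = rest[0], rest[1]
        if ((kind == "IP-CIDR" and ip in ipaddress.ip_network(value))
                or (kind == "GEOIP" and country == value)
                or (kind == "PROCESS-NAME" and process == value)):
            return outbound, rule
    return None, None  # no MATCH rule present: nothing decided here


def uncovered_local_ranges(rules):
    """List local ranges that no DIRECT IP-CIDR rule fully contains."""
    direct = []
    for rule in rules:
        parts = [p.strip() for p in rule.split(",")]
        if parts[0] == "IP-CIDR" and parts[2] == "DIRECT":
            direct.append(ipaddress.ip_network(parts[1]))
    return [rng for rng in LOCAL_RANGES
            if not any(ipaddress.ip_network(rng).subnet_of(d) for d in direct)]


if __name__ == "__main__":
    print(decide(RULES, "172.17.0.2", process="dockerd"))  # falls to MATCH
    print(decide(RULES, "8.8.8.8", process="WeChat"))      # process exception
    print(uncovered_local_ranges(RULES))
```

With the page's rules, a connection to a 172.16.0.0/12 address that reaches the core falls through to `MATCH,Proxy`; adding IP-CIDR DIRECT rules for the reported ranges closes that gap.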

Use Rule Provider to subscribe to community rule sets

Manually maintaining rules is time-consuming and prone to omissions. It is recommended to use Rule Provider to import ACL4SSR rule sets, which cover precise routing for tens of thousands of domains along with Netflix/YouTube unlocking and ad filtering, ready to use out of the box.

DNS Leak Protection Configuration

After enabling TUN, DNS leak issues become more prominent than with system proxy mode. It is recommended to configure FakeIP mode and DoH at the same time. For detailed solutions, refer to our "Completely Prevent DNS Leaks" article.

8 Common troubleshooting

Q: Network completely dropped after enabling TUN?

The most common cause is not running with administrator privileges, or a failed WinTUN driver installation. First turn off the TUN switch, then check whether there is a virtual network card in "Device Manager". If not, reinstall Service Mode and try again.

Q: Domestic websites loading slowly?

Check whether the routing rules have GEOIP,CN,DIRECT set correctly. Also confirm that the GeoIP database (Country.mmdb) is the latest version. Clash Verge Rev supports one-click updates in settings.

Q: UDP issues with games or voice software?

Try changing stack from mixed to system, or add a PROCESS-NAME,xxx,DIRECT rule for the software's process to connect its UDP traffic directly.

Q: TUN switch click has no response on macOS?

Go to "System Settings → Privacy & Security → Network", confirm that Clash Verge Rev has appeared in the list and its permissions are turned on. Some macOS versions require restarting the application for permissions to take effect.

Q: Docker Desktop still cannot pull images?

Docker Desktop has its own independent virtual network layer. Some versions may require manually configuring a proxy in Docker Desktop settings. It is recommended to set both HTTP Proxy and HTTPS Proxy in Docker settings to http://127.0.0.1:7890 (or your Clash mixed port), used in parallel with TUN mode for best compatibility.

9 Conclusion

TUN mode is the dividing line between "good enough" and "truly great". System proxy resolves 80% of scenarios, while TUN addresses the most troublesome 20% — traffic from terminals, Git, Docker, and game clients that "don't follow the common path" can finally be unified under proxy rule management.

The configuration looks like it has many steps, but in practice it takes no more than 5 minutes: install service mode, enable the TUN switch, paste the YAML snippet above into the override config — that's it. Configure once, and you'll never need to scratch your head over "some software not using the proxy" again.

Compared to other clients that require manually writing driver configurations or using third-party tools, Clash Verge Rev integrates TUN configuration into the GUI interface, manageable with just a few switches. This is one of the reasons it has an excellent reputation among developers in China. If you haven't tried it yet, now is the best time to start.
