1 Why move the proxy from PCs to the router
Desktop clients such as Clash Verge Rev excel when you control the operating system: you import subscriptions, flip rule mode, and optionally enable TUN to capture stubborn applications. The moment you add a television streaming box, a guest phone, or a console that only understands “use DHCP from the router,” those per-device workflows fall apart. You could chase manual HTTP proxy fields on the few gadgets that expose them, but that approach scales poorly and still misses UDP-heavy traffic unless you layer additional hacks.
A router running OpenWRT with OpenClash sits at the natural choke point of your LAN. Every device that obtains an address from your DHCP server already sends its default route through the router. Transparent interception—typically combining kernel redirection or a TUN stack with DNS steering—lets the Mihomo-compatible core classify flows using the same YAML vocabulary you already trust, without asking each client to install software. The trade-off is responsibility: misconfiguration affects the whole house, so you invest in backups, staged rollouts, and a recovery plan before you experiment on production Wi-Fi.
This article assumes you are comfortable flashing or purchasing OpenWRT-capable hardware and that you understand your upstream provider’s terms. Nothing here encourages bypassing lawful restrictions; treat advanced routing as a tool for privacy, performance tuning, and consistent policy on networks you administer.
2 OpenWRT and OpenClash in one paragraph each
OpenWRT is a Linux distribution for embedded routers. It replaces vendor firmware with a package manager, a writable filesystem, and community-maintained kernels—meaning you can install firewall tooling, QoS, and user-space daemons that would never ship on stock firmware. Stability depends on picking a device with sufficient flash and RAM for your workload; Clash-class cores are not free, especially when you enable large geosite databases and logging.
OpenClash is a popular LuCI application that wraps Mihomo (Clash.Meta) or compatible cores behind a web interface on OpenWRT. It handles installation, service supervision, subscription refresh, rule-provider updates, and toggles for transparent proxy features such as redirect, TUN, or a hybrid path depending on kernel capabilities. You still edit or merge YAML in advanced scenarios, but day-to-day operation mirrors what desktop users expect: pick a profile, choose an outbound group, and watch the connection log when something breaks.
Because upstream projects evolve quickly, treat version numbers in forum screenshots as hints rather than law. After major OpenWRT upgrades, verify that your OpenClash package matches the feed you use—snapshot builds, community bundles, and official releases diverge more than newcomers expect.
3 Hardware headroom and firmware hygiene
Transparent proxy on a router is heavier than simple NAT. Aim for devices with ample RAM if you plan to run large rule sets, GeoIP lookups, and frequent cron jobs. Storage matters too: persistent logs, multiple profiles, and cached rule providers consume flash. If you are shopping, community compatibility lists and OpenWRT’s own table of supported hardware are mandatory reading—radios, switch chips, and mainline kernel support all influence whether your install remains boringly stable.
Before you change anything, export a backup of your current configuration and note how to recover via TFTP or serial if you manage exotic boards. Keep a known-good Ethernet cable and a laptop with a static IP ready; the first time you mis-order firewall zones, you will be glad you can still reach 192.168.1.1 without Wi-Fi. Document the exact OpenWRT release string and feed URLs so you can reproduce the environment months later.
4 Topology: all-in-one gateway versus side router
Two layouts cover most homes. In the all-in-one model, your OpenWRT device is the primary gateway to the ISP: WAN plugs into the modem, LAN bridges Wi-Fi and Ethernet, and OpenClash intercepts traffic as it leaves the LAN toward the internet. DHCP assigns clients the router as both gateway and DNS, which keeps mental models simple. This is the cleanest path to “everything proxied by default” when the hardware can sustain the load.
The side router pattern—sometimes discussed in Chinese homelab circles as a “旁路由” companion—places OpenWRT downstream of another router that still speaks to the ISP. Clients point their default gateway (or static routes) at the side device while receiving DHCP from either box, depending on how you split responsibilities. This layout lets you experiment without reconfiguring the ISP’s bundled CPE, but it introduces double NAT quirks, asymmetric routing pitfalls, and more places for DNS leaks if DHCP options disagree. Document IP ranges deliberately; overlapping subnets are the fastest way to spend an evening chasing phantom connectivity.
Hybrid approaches exist—policy routing on the primary router to send only certain VLANs through the sidecar—but they belong in advanced documentation. Start with one clear path: either the OpenWRT box is the gateway of record, or you fully understand how DHCP options push traffic through a secondary hop.
5 Transparent modes, TUN, and DNS hijacking
“Transparent proxy” is an umbrella term. In practice OpenClash may offer combinations of TCP redirect, TUN interface capture, or eBPF-assisted paths depending on kernel support and package version. TCP redirect historically offered broad compatibility with modest CPU use, while TUN-style capture can steer more application classes at the cost of complexity. Your LuCI page typically labels these options plainly; read the tooltip text bundled with your build because naming drifts between releases.
DNS is non-negotiable. If clients keep querying ISP resolvers, you leak domain intent and often break split routing assumptions baked into your rules. OpenClash commonly integrates with dnsmasq or runs an internal DNS listener that hands addresses aligned with FakeIP or redir-host strategies. The goal is one coherent story: either the router answers DNS and forwards intelligently to Mihomo, or you explicitly forward upstream using the same policy engine that handles TCP. For a deeper dive into Mihomo DNS layering, our Meta core DNS leak prevention guide walks through DoH, FakeIP, and fallback ordering—concepts that map closely to router deployments even when the web UI hides the YAML.
# Align these three or expect odd leaks:
1) LAN clients use the router as DNS (DHCP option 6).
2) The router’s DNS path feeds Mihomo / OpenClash, not raw ISP only.
3) Firewall redirects catch TCP/UDP per your chosen transparent mode.
IPv6 realities
If your ISP ships IPv6 and clients prefer it, a v4-only redirection plan leaves surprising traffic on direct paths. Decide early whether you will disable IPv6 temporarily while tuning, delegate prefixes carefully, or extend your policy stack to cover both families. Half-enabled IPv6 is a notorious source of “it works on my laptop but not on the TV” reports.
6 DHCP, default gateway, and optional static routes
For whole-home coverage, DHCP must advertise the correct default gateway and DNS servers. When OpenWRT is the sole gateway, this is straightforward: set the LAN interface address, enable DHCP, and verify that phones pick up the expected lease within your chosen subnet. When you rely on a side router, you may need custom DHCP options on the upstream device to inject the secondary gateway, or you statically configure critical hosts. Some users prefer static leases for TVs and consoles so troubleshooting does not involve guessing which address changed overnight.
If you segment IoT into a VLAN without proxying, ensure firewall zones reflect that isolation. Not every camera needs to ride through a remote exit node; blasting every IoT gadget through a congested overseas hop can introduce needless failure modes. Thoughtful grouping—trusted LAN, guest Wi-Fi, IoT cage—pairs well with OpenWRT’s zone model even before you touch Clash rule files.
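The DHCP and DNS alignment points from sections 5 and 6 as an added shell audit; this is example code, not from the article or the OpenClash project. It assumes a side-router layout in which the OpenWRT box at 192.168.1.2 serves DHCP and must push itself as gateway (option 3) and DNS (option 6), reads the uci config text rather than live state, and treats a loopback dnsmasq upstream as "feeds the local core" (the port in the sample is illustrative).

```shell
#!/bin/sh
# Added example (not from the article or OpenClash): audit the DHCP and DNS alignment
# points against an /etc/config/dhcp dump. SAMPLE_OK is constructed; on a real router
# pass `uci export dhcp` output. Assumes the OpenClash DNS listener sits on 127.0.0.1.

# Print the value of DHCP option $3 advertised by the 'dhcp' section named $2 in $1.
dhcp_option_value() {
    printf '%s\n' "$1" | awk -v sect="$2" -v code="$3" -v q="'" '
        $1 == "config" { insect = ($2 == "dhcp" && $3 == (q sect q)) }
        insect && $1 == "list" && $2 == "dhcp_option" {
            gsub(q, "", $3); split($3, kv, ",")
            if (kv[1] == code) print kv[2]
        }'
}

# Print 1 when every dnsmasq upstream is loopback and resolv.conf is ignored, else 0.
dns_feeds_local_core() {
    printf '%s\n' "$1" | awk -v q="'" '
        $1 == "config" { insect = ($2 == "dnsmasq") }
        insect && $1 == "list" && $2 == "server" { n++; if ($3 !~ ("^" q "127\\.0\\.0\\.1#")) bad++ }
        insect && $1 == "option" && $2 == "noresolv" { gsub(q, "", $3); nores = $3 }
        END { print (n > 0 && bad == 0 && nores == "1") }'
}

# Exit 0 when options 3 and 6 point at $2 and dnsmasq feeds the local core; one line per finding.
# The third alignment point (firewall redirects) is runtime state and is not covered here.
check_alignment() {
    cfg="$1"; router="$2"; rc=0
    gw=$(dhcp_option_value "$cfg" lan 3); dns=$(dhcp_option_value "$cfg" lan 6)
    [ "$gw" = "$router" ] && echo "ok   option 3 gateway -> $gw" \
        || { echo "FAIL option 3 gateway is '$gw', expected $router"; rc=1; }
    [ "$dns" = "$router" ] && echo "ok   option 6 DNS -> $dns" \
        || { echo "FAIL option 6 DNS is '$dns', expected $router"; rc=1; }
    [ "$(dns_feeds_local_core "$cfg")" = 1 ] && echo "ok   dnsmasq forwards only to loopback" \
        || { echo "FAIL dnsmasq can still reach ISP resolvers directly"; rc=1; }
    return $rc
}

# Constructed sample: OpenWRT side router at 192.168.1.2 serving DHCP for the LAN.
SAMPLE_OK=$(cat <<'EOF'
config dnsmasq
    option noresolv '1'
    list server '127.0.0.1#7874'
config dhcp 'lan'
    list dhcp_option '3,192.168.1.2'
    list dhcp_option '6,192.168.1.2'
EOF
)

check_alignment "$SAMPLE_OK" 192.168.1.2
```

Swap SAMPLE_OK for real `uci export dhcp` output and run it after every DHCP or DNS change; a FAIL line is the cheap early warning before the "works on my laptop but not on the TV" reports start.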
7 How this compares to a PC running Clash for the LAN
Our Switch and PS5 LAN proxy guide documents the Allow LAN pattern: a desktop listens on a mixed port while consoles aim manual HTTP proxies at the PC. That workflow is excellent when you already have a gaming machine online and only need a handful of devices to share the tunnel. Router-level transparent proxy generalizes the idea: no per-console IP hunting, no host firewall exceptions on Windows, and no dependency on a PC staying awake.
The router approach shines for phones and streaming hardware that lack proxy dialogs entirely. The PC approach shines when you want zero firmware risk and can tolerate manual steps. Many households end up using both—a router for bulk traffic and a tuned desktop client when traveling—sharing the same subscription and YAML idioms through Mihomo. If you also operate headless Linux servers, the mental model overlaps with our Linux Mihomo systemd guide, minus systemd but plus switch chips.
8 Gaming, UDP, and realistic expectations
Competitive multiplayer still depends on UDP timing. Transparent proxy stacks can forward UDP when your outbound supports it, but adding hops does not repeal geography. For latency-sensitive titles, many administrators create DIRECT rules for publisher CDNs or keep consoles on subnets that bypass the tunnel entirely. OpenClash’s logging helps identify whether a flow is even hitting the core or slipping past your rules because of IPv6 or split-DNS effects.
Streaming boxes that rely on Widevine or regional licensing may behave differently once DNS and egress regions shift. Test incrementally: enable transparent mode for a single test laptop first, then expand DHCP scope. That discipline isolates whether a problem is policy-related or merely a mis-set DHCP option on one VLAN.
9 Security, exposure, and maintenance
A router running Clash-class software holds powerful keys: subscription URLs, provider credentials, and the ability to intercept LAN traffic. Harden SSH with keys instead of passwords, keep LuCI behind HTTPS if exposed, and patch regularly. Disable WAN-side management entirely unless you truly need remote access; if you do, use VPN into the home network instead of naked port forwards. Remember that guest Wi-Fi segments should not reach management planes or trusted file shares unless you intend that explicitly.
Open-source transparency matters: Mihomo and OpenClash publish sources for audit, yet your operational security still depends on verifying downloads from trusted channels and checking signatures when maintainers provide them. If you need desktop-class tooling for editing YAML before you push profiles to the router, the Clash download hub remains the right place to fetch current graphical clients—keep router and desktop packaging separate in your head to avoid mixing installer artifacts.
10 Troubleshooting signals worth memorizing
- Some devices work, others do not: Compare DHCP leases, IPv6 status, and VLAN placement; half of “random” failures are inconsistent DNS or rogue IPv6.
- DNS works but pages fail: Transparent TCP rules may be off while DNS hijack succeeded—re-check mode toggles and firewall ordering.
- Throughput collapses: Enable hardware offload cautiously; some offload paths bypass custom chains. Profile CPU with top during speed tests.
- Subscription refresh errors: Time sync matters on embedded devices. Confirm NTP, certificate store, and outbound DNS for HTTPS fetches.
- Recovery: Boot failsafe, disable OpenClash autostart, restore last backup—document the keystrokes before you need them.
Keep a paper notebook with your baseline latency, traceroute snapshots, and the exact OpenWRT release. Future you will not remember which checkbox turned transparent mode on when the household asks why Netflix changed regions at midnight.
11 Wrap-up
OpenClash on OpenWRT brings Mihomo’s policy language to the edge of your network, which is the closest thing to “set and forget” transparent proxying for TVs, phones, and consoles that will never run a native Clash UI. Choose hardware with headroom, pick a topology you can explain on a whiteboard, align DHCP gateway and DNS with your interception mode, and stage rollouts so one mis-toggled option does not black out the entire apartment. Compared with juggling per-device proxies, a well-tuned router deployment feels quieter: fewer moving parts at each desk, one place to update subscriptions, and a clearer story for guests who just want Wi-Fi that works.
Compared with other ad-hoc stacks, the OpenWRT plus OpenClash pairing stays maintainable because community packages track core releases and LuCI surfaces operational toggles that raw iptables recipes hide. Pair that discipline with DNS literacy—FakeIP, DoH upstreams, and IPv6 planning—and you spend more time enjoying stable streaming and less time rebooting boxes. When you still need kernel-grade capture on a laptop for developer tools, desktop Clash clients remain the natural complement rather than a competing religion.