1 Why Ubuntu 24.04 LTS Mihomo warrants its own playbook
Plenty of Mihomo tutorials still say “Debian-ish” without anchoring behaviour to a numbered release. That glosses over realities that Ubuntu users hit every day: Noble ships with nftables-compatible ufw defaults, systemd 255-era transaction ordering quirks, unattended security updates that recycle userland packages, AppArmor enforcing unexpected paths, and systemd-resolved’s stub at 127.0.0.53 colouring every DNS-heavy workflow. Searching “Linux proxy” yields guidance that skips those integration edges, whereas explicitly naming Ubuntu 24.04 LTS helps your future self, and search engines, map exact symptoms to reproducible remediation.
This guide also complements our distribution-wide primer on installing Mihomo on Linux with systemd: that article explains cross-distro rationales while this walkthrough biases toward Noble’s package expectations, tarball naming conventions you will see referenced in dashboards, and the tight loop between systemd journal output and APT-managed libraries. Desktop readers get the same artefacts as unattended servers once the binary lands under /usr/local/bin.
Security posture deserves an explicit line: Mihomo terminates TLS for traffic you deliberately route through it—treat outbound nodes and configs as Tier-1 secrets, rotate dashboards frequently, audit remote subscription URLs before pasting them, and reconcile every change with organisational policy regarding encrypted tunnels. Documentation cannot replace jurisdiction-specific compliance homework.
2 Prerequisites on a fresh Noble image
Canonical’s Minimal cloud images omit tools some operators expect—install curl or wget plus ca-certificates prior to grabbing GitHub release artifacts behind corporate TLS inspection appliances. GNOME desktops already expose browsers, yet shell-only workflows still thrive on APT-transported trust roots. Upgrade indexes with sudo apt update; apply security patches deliberately before layering long-lived daemons requiring kernel modules for future TUN playbooks.
Architecture detection is paramount because Apple Silicon-like arm64 workstations and Ampere VPS SKUs collide with amd64 fleets. Issue uname -m: literal x86_64 maps cleanly to Mihomo filenames containing amd64, while aarch64 aligns with arm64 artefacts. Matching the string reduces download retries when automation scripts concatenate release tags scraped from upstream JSON feeds rather than relying on brittle copy-pastes.
Time synchronisation seldom appears in Mihomo discourse yet rescues JWT-rich subscription gateways: enable systemd-timesyncd or point chrony at authoritative pools so skewed clocks do not falsely invalidate the signed URLs that brokers issue. Operators mixing containerised sidecars alongside bare-metal systemd services should reconcile timezone settings so rotated logging correlates cleanly during incident timelines.
3 Download the Mihomo gzip tarball from GitHub Releases
Mihomo distributes compressed single-file binaries labelled mihomo-linux-amd64-{version}.gz (or arm64 equivalents). Releases track the MetaCubeX repository; skim the changelog for regressions pertinent to QUIC transports or rewritten DNS stacks before pinning production tags. Scripted operators parse the latest semver via GitHub’s API, prepend https://github.com/MetaCubeX/Mihomo/releases/download/, and append deterministic filenames so CI artefacts remain reproducible.
Store downloads under /tmp or a dedicated provisioning workspace. Use curl -fLJO to follow redirects politely and fail fast when GitHub throttle pages appear. Inspect checksums whenever maintainers attach .sha256 sidecars—you can ingest them via sha256sum -c before elevating binaries into protected directories. Offline air-gapped environments should verify detached signatures mirrored through internal artefact repos instead of blindly trusting transit networks.
Gunzip and stage the executable
Noble’s coreutils expose gunzip out of the box. Decompression yields a single executable without nested directories, reducing packaging complexity relative to heavyweight tarballs layering licensing files you may omit on servers entirely focused on systemd supervision. Typical commands resemble the following illustrative block; replace version strings with the artifact you audited.
cd /tmp
curl -fLO https://github.com/MetaCubeX/Mihomo/releases/download/v1.18.0/mihomo-linux-amd64-v1.18.0.gz
gunzip -f mihomo-linux-amd64-v1.18.0.gz
sudo install -o root -g root -m 0755 mihomo-linux-amd64-v1.18.0 /usr/local/bin/mihomo
/usr/local/bin/mihomo -v
install duplicates mv plus chmod semantics atomically—a detail teams appreciate during configuration management runs that must converge idempotently. After placement, rerun hash -r in shells or update automation caches so scripted health checks probe the refreshed inode rather than stale PATH lookups.
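The architecture mapping, URL construction and checksum gate from sections 2 and 3 combined into one script. This is an added example, not code from the Mihomo project or the original guide; the helper names are hypothetical, and the expected digest is assumed to be one you recorded while auditing the release.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of Mihomo.

# Map `uname -m` output to the architecture token used in release filenames.
mihomo_asset_arch() {
    case "$1" in
        x86_64)  echo amd64 ;;
        aarch64) echo arm64 ;;
        *)       echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Build the download URL from a release tag and a machine string.
mihomo_release_url() {
    tag=$1
    arch=$(mihomo_asset_arch "$2") || return 1
    echo "https://github.com/MetaCubeX/Mihomo/releases/download/${tag}/mihomo-linux-${arch}-${tag}.gz"
}

# Compare a file's SHA-256 with an expected hex digest; non-zero on mismatch.
verify_sha256() {
    file=$1 expected=$2
    actual=$(sha256sum "$file" | awk '{print $1}') || return 1
    [ "$actual" = "$expected" ]
}

# Download, verify, decompress and install; nothing is installed on mismatch.
fetch_and_install() {
    tag=$1 expected=$2
    url=$(mihomo_release_url "$tag" "$(uname -m)") || return 1
    work=$(mktemp -d) || return 1
    curl -fL -o "$work/mihomo.gz" "$url" || return 1
    verify_sha256 "$work/mihomo.gz" "$expected" || {
        echo "checksum mismatch for $url" >&2; rm -rf "$work"; return 1; }
    gunzip -f "$work/mihomo.gz"
    sudo install -o root -g root -m 0755 "$work/mihomo" /usr/local/bin/mihomo
    rm -rf "$work"
}

# Usage: fetch_and_install v1.18.0 "<sha256 of the .gz recorded during audit>"
```

The digest check runs on the compressed download, so record the hash of the .gz file rather than of the unpacked binary.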
4 Create /etc/mihomo and logging paths early
Separation of binaries and declarative configs clarifies backups: APT never owns /usr/local/bin/mihomo, whereas your ops git repository should track /etc/mihomo/config.yaml with secret redaction pipelines. Create directories before first service start so Mihomo can fetch remote rule providers into predictable locations and write optional cache indices without racing systemd’s filesystem namespace initialisation.
sudo mkdir -p /etc/mihomo
sudo mkdir -p /var/log/mihomo
sudo chown root:root /etc/mihomo
sudo chmod 755 /etc/mihomo
Some shops prefer /usr/local/etc/mihomo for parity with BSD habits—choose one standard per fleet rather than scattering configs. Persist GeoIP artefacts or rule-provider caches here so transparent upgrades do not implicitly drop geo databases mid-flight unless you purposely rotate them alongside release notes.
/etc/apparmor.d/ if you stray from packaged defaults enforced by Canonical. Document exemptions instead of blindly toggling Complain mode globally.
5 Minimal Clash Meta YAML plus subscription-backed proxy providers
Mihomo honours the broader Clash configuration dialect but layers Meta-specific knobs such as granular inbound auth, QUIC-capable transports, and refined DNS behaviour tuned for FakeIP interplay. Minimal YAML prioritises readability: expose a mixed HTTP and SOCKS listener, enable DNS interception on a dedicated high port (1053 avoids sparring with systemd-resolved’s UDP 53 loop), stash secrets on external-controller behind strong random strings or bind it to localhost, and postpone TUN experimentation until outbound paths validate under explicit application proxy settings first.
Importing subscriptions scales through proxy-providers referencing remote YAML or convertible endpoints. Mihomo evaluates interval timers plus health-check metadata to prune dead nodes proactively—far less brittle than statically enumerating proxies you paste by hand weekly. Populate use arrays inside selectors so dashboards surface provider-generated tags cleanly. Respect provider rate limits because aggressive pulls may trip anti-abuse tooling at the subscription broker.
mixed-port: 7890
allow-lan: true
mode: rule
log-level: info
ipv6: false
external-controller: 127.0.0.1:9090
secret: "replace_with_long_random_secret"
dns:
  enable: true
  listen: 0.0.0.0:1053
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  nameserver:
    - 223.5.5.5
    - tls://dns.quad9.net
  fallback:
    - https://1.1.1.1/dns-query
proxy-providers:
  airport:
    type: http
    url: "https://example.net/sub/clash.meta?token=YOUR_TOKEN"
    path: ./providers/airport.yaml
    interval: 3600
    health-check:
      enable: true
      url: https://cp.cloudflare.com/generate_204
      interval: 300
proxy-groups:
  - name: Proxy
    type: select
    use:
      - airport
    proxies:
      - DIRECT
rules:
  - GEOIP,CN,DIRECT
  - MATCH,Proxy
Replace placeholders with audited endpoints. Restrict access to on-disk copies with filesystem permissions (sudo chmod 600 /etc/mihomo/config.yaml) whenever secrets coexist with provider tokens. Operators needing local-only edits can omit remote URLs temporarily and hydrate ./providers/airport.yaml manually from air-gapped jump hosts using scp; Mihomo still loads static files referenced through provider blocks as long as file paths remain consistent relative to -d.
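An added example (not part of Mihomo or the original guide) that audits a config like the one in this section for the points raised here: file mode, a placeholder or short secret, the controller bind address, and listeners reachable from the LAN. The function names and the 32-character minimum are assumptions, and the awk helpers only read the flat, two-space-indented key layout shown in this guide.

```shell
#!/bin/sh
# Added example: helper names and the 32-character minimum are assumptions.
# Handles only the flat key layout used in this guide; needs GNU stat.

# Value of a top-level scalar key (the key must start in column 1).
yaml_top() {
    awk -v k="$1" 'index($0, k ":") == 1 {
        v = substr($0, length(k) + 2)
        gsub(/^[ \t"]+|[ \t"]+$/, "", v); print v; exit }' "$2"
}

# Value of a key one level below a top-level section, e.g. dns -> listen.
yaml_nested() {
    awk -v s="$1" -v k="$2" '
        /^[^ \t#]/ { in_s = (index($0, s ":") == 1); next }
        in_s && $1 == k ":" { print $2; exit }' "$3"
}

# Print one finding per line; return non-zero if anything was reported.
audit_mihomo_config() {
    cfg=$1 findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    mode=$(stat -c %a "$cfg")
    [ "$mode" = 600 ] || report "mode: $cfg is $mode, expected 600"

    secret=$(yaml_top secret "$cfg")
    case "$secret" in
        ""|replace_with_long_random_secret) report "secret: empty or placeholder" ;;
        *) [ "${#secret}" -ge 32 ] || report "secret: shorter than 32 characters" ;;
    esac

    ctl=$(yaml_top external-controller "$cfg")
    case "$ctl" in
        ""|127.0.0.1:*|localhost:*|"[::1]:"*) ;;
        *) report "external-controller: $ctl is not loopback-only" ;;
    esac

    [ "$(yaml_top allow-lan "$cfg")" = true ] &&
        report "allow-lan: mixed-port reachable from LAN, reconcile with ufw"

    case "$(yaml_nested dns listen "$cfg")" in
        0.0.0.0:*|"[::]:"*) report "dns.listen: resolver bound to all interfaces" ;;
    esac

    [ "$findings" -eq 0 ]
}

# Usage: audit_mihomo_config /etc/mihomo/config.yaml
```

Run against the sample config in this section, it reports the placeholder secret, the LAN-reachable mixed port and the DNS listener on all interfaces, plus the file mode if it is not yet 600.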
6 systemd unit tuned for Ubuntu boot ordering
Ubuntu’s default After=network-online.target ordering keeps misconfigured DHCP races from spawning Mihomo before resolvers settle. Combine Type=simple with foreground execution because Mihomo already blocks as a long-lived process. Logging through StandardOutput=append: augments journald with human-friendly flat files operators sometimes tail from log aggregators lacking native journal exporters; delete those lines if you prefer pure journalctl ingestion.
sudo nano /etc/systemd/system/mihomo.service
[Unit]
Description=Mihomo Daemon (Clash Meta) on Ubuntu 24.04 LTS
After=network-online.target nss-lookup.target
Wants=network-online.target
[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/mihomo -d /etc/mihomo
Restart=always
RestartSec=5
StandardOutput=append:/var/log/mihomo/output.log
StandardError=append:/var/log/mihomo/error.log
[Install]
WantedBy=multi-user.target
Running as root remains the pragmatic default when you anticipate TUN or low-port listeners. Dedicated service accounts remain viable when you isolate log paths and configs with ACLs, but you typically revisit capabilities once FakeIP-heavy stacks graduate to transparent routing layers that expect CAP_NET_ADMIN. Factor that into roadmap planning instead of refactoring twice.
/etc/logrotate.d/mihomo so append-only logs cannot exhaust /var during noisy rule-provider churn.
7 Enable the service and exercise the Linux proxy path
Reload systemd’s unit catalogue, enable autostart for multi-user targets, and bring the daemon online immediately. Parallel journalctl -u mihomo -f windows reveal YAML typos before restart loops exhaust journal disk quotas. Validate binary health with systemctl status mihomo --no-pager -l, watching for active (running) alongside zero Result=exit-code churn.
sudo systemctl daemon-reload
sudo systemctl enable --now mihomo
sudo systemctl status mihomo --no-pager
journalctl -u mihomo -n 50 --no-pager
Application-level proxy validation keeps debugging bounded: export http_proxy=http://127.0.0.1:7890 and https_proxy accordingly, then curl -I https://www.cloudflare.com/cdn-cgi/trace to confirm exit IP alignment with selected nodes. Cross-check Mihomo’s dashboard or REST API for live connection tables when ambiguous routing surfaces. Container hosts should inject proxy environment variables into buildkit or Docker daemons separately because Mihomo does not magically proxy rootless socket bridges you never configured.
Subscription refresh cycles trigger asynchronous downloads; if health checks mark every node dead, revisit provider URLs, token freshness, and outbound DNS because Meta cores hard-fail closed when name resolution stalls mid-bootstrap. Lightweight packet captures on Noble rarely prove necessary once logs enumerate failing hostnames plainly—reserve tcpdump for stubborn TLS middleboxes interfering with QUIC handshakes.
8 UFW firewall edges and systemd-resolved coexistence
Uncomplicated Firewall on Ubuntu wraps nftables tables with ergonomic syntax. If you expose mixed-port to LAN devices, allow the port explicitly: sudo ufw allow 7890/tcp comment 'Mihomo mixed' plus equivalent UDP when protocols demand. Remote dashboards bound to 0.0.0.0 require parallel rules and ideally VPN constraints—default-deny posture still applies on public cloud security groups independent of host firewalls.
Mihomo’s DNS listener on 1053 sidesteps direct conflict with resolved’s stub, yet policy routing may still require forwarding rules or split DNS once you graduate to TUN. Document every manual change to /etc/systemd/resolved.conf.d/ because Noble’s netplan stack may regenerate fragments during cloud-init re-runs. Maintaining clear runbooks prevents midnight pager storms when automation reprovisions instances using the same cloud-init payload but divergent resolver assumptions.
9 FAQ: Ubuntu 24.04 LTS Mihomo install edge cases
Can I keep Snaps out of the loop? Absolutely—this guide never requires Snap packages. Binary drops plus systemd remain the lightest footprint for servers concerned about background update daemons competing for bandwidth.
How do I upgrade Mihomo without orphaning configs? Download the newer gzip, stop the service momentarily, replace the binary atomically with install, restart, and diff release notes for breaking schema updates. Maintain git-tracked YAML so rollbacks remain one git checkout away.
Does Clash Verge Rev eliminate the YAML grind on Ubuntu desktops? Graphical clients wrap the same core with GUIs for subscription imports, latency charts, and togglable modes—yet headless VPS workflows still benefit from the declarative files you built here.
10 Wrap-up
You now own a Noble-specific loop: verify architecture, pull a gzip release, land the binary under /usr/local/bin, centralise metadata in /etc/mihomo, express subscriptions through Clash Meta proxy providers, and supervise everything with systemd tuned to Ubuntu’s network targets. That stack answers the search intent behind “Ubuntu 24.04 LTS Mihomo install” without pretending every distribution behaves identically—especially where resolved, UFW, and unattended upgrades intersect.
Generic shell recipes and one-off Docker images often leave you editing opaque layers when something breaks at 2 a.m.; you cannot diff a black-box container the way you can read your own YAML and journal slices. Meanwhile, proprietary clients may hide subscription formats or charge for features that open cores expose for free, which becomes expensive when you scale across dozens of staging hosts. A clean Mihomo plus systemd baseline keeps observability honest: every failure surfaces in structured logs you already ship to centralized monitoring.
When you want the same Mihomo DNA with polished import flows, built-in profile switching, and desktop-grade TUN helpers, Clash Verge Rev packages those ergonomics for Linux alongside Windows and macOS—useful when teammates reject living inside nano but still expect compatible rules. Grab a maintained build from our downloads hub if graphical workflows suit your workstation while servers stay on the lean unit you just configured—the rule engine underneath stays familiar either way.