1 Why enterprise VPN and Clash fight the same routing battle
A corporate VPN on Windows is not “just another app.” When GlobalProtect or AnyConnect establishes a secure tunnel, the client typically injects interface-specific routes, sometimes replaces the default gateway, and may push name servers that override what you configured at home. Clash, especially in TUN mode, also participates at the same layer: it creates a virtual adapter, installs forwarding rules, and can become the path of least resistance for broad destination ranges. Two stacks that both believe they own “the internet” produce classic symptoms: intranet hosts flap between reachable and unreachable, public sites load from the wrong country, or the VPN client disconnects because integrity checks detect unexpected interfaces.
The mental model that keeps engineers sane is simple. The operating system chooses a next hop per packet using longest-prefix match on the routing table, then breaks ties with metrics. Applications that honor the system proxy send TCP sessions to Clash’s mixed port instead of opening sockets directly, which is a different decision tree than kernel routing yet still interacts with it when DNS or UDP is involved. Your job is to document three lists: prefixes that must exit through the corporate VPN, prefixes that may exit through Clash, and everything else that stays on the physical NIC per policy. Until those lists exist on paper, tweaking YAML alone will feel random.
This guide assumes you already installed a maintained Clash-compatible client. If you are still choosing a Windows build, start with our Clash Verge Rev on Windows installation walkthrough so features such as service mode, TUN helpers, and readable logs are available before you stack a VPN on top.
2 Full tunnel versus split tunnel: what IT actually configured
Full tunnel (often called “tunnel all traffic”) sends essentially every IPv4/IPv6 flow toward the concentrator except for narrow exceptions carved out for captive portals or local printers. That design maximizes visibility for security teams and simplifies posture checks, but it leaves little room for a local proxy unless the VPN explicitly excludes certain subnets or supports application-level split exclusions. Split tunnel, conversely, installs routes only for corporate address space—think 10.0.0.0/8, overlapping RFC1918 islands, or explicit SaaS egress IPs—while leaving general internet traffic on the default route through the ISP or home router.
If your organization uses split tunneling, Clash can coexist more comfortably because Windows still has a sane default route for public destinations. You then use Clash rules to steer those destinations while keeping IP-CIDR or DOMAIN-SUFFIX rows for internal hostnames on DIRECT so they never touch your personal proxy chain. When IT mandates full tunnel, your realistic options narrow: ask for an official exception, accept that Clash only applies to traffic the VPN deliberately hairpins back toward the laptop (rare), or run Clash only for processes that bypass the VPN by design—which may violate policy even when technically possible.
Never guess which mode you have. After connecting, open an elevated command prompt and run route print -4. If the default route (0.0.0.0/0) points at a low-metric interface tied to the VPN virtual adapter, you are effectively in a full-tunnel posture regardless of marketing language on the login banner. If the default route still references your Wi-Fi gateway while more-specific routes reference the tunnel, you are closer to classic split tunneling and can plan Clash accordingly.
3 GlobalProtect, AnyConnect, and how they touch Windows
Palo Alto GlobalProtect on Windows typically pairs a user-mode agent with a kernel driver that manages the virtual interface and periodic HIP checks. The portal configuration—not anything you set inside Clash—defines included routes, excluded routes, DNS suffixes, and whether IPv6 is forced. Cisco AnyConnect follows the same broad pattern with its own profile XML pushed from the head-end. Both clients may reapply routes whenever the underlying Wi-Fi roams, when the machine sleeps, or when Windows updates miniport drivers, which means a working Clash stack can regress after a Tuesday patch even if nobody changed YAML.
Practical implication: treat VPN routes as dynamic. Capture a “known good” route print output after VPN connects and compare it when Clash misbehaves. If new overlapping routes appear with better metrics, the VPN won the race. Some enterprises publish internal knowledge base articles listing required exclusions for developer tools; search those before inventing static routes that security monitors might flag.
4 Reading the Windows routing table like a network engineer
Open PowerShell or cmd and run route print -4. The IPv4 section lists destination networks, netmasks, gateways, interfaces, and metrics. Lower metrics win when two rows match the same destination prefix length. Pay attention to “On-link” gateways, which mean the next hop is reached directly from the interface without traversing another router. Corporate VPNs often add dozens of host routes for individual SaaS edges or overlapping private ranges imported from acquisitions; do not assume a tidy /16 summary route.
For a quick sanity check on which path a given public IP would take, use Find-NetRoute -RemoteIPAddress 1.1.1.1 in PowerShell (replace the address with your test target). The cmdlet prints the interface alias and next hop that Windows selected. Repeat the command for an internal file server address. If both answers unexpectedly show the same interface, your split tunnel assumptions are wrong or a policy route is overriding the defaults.
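The snapshot-and-compare habit from sections 2 to 4 can be automated offline. The script below is an added example, not part of this guide or any Clash or VPN client: it parses saved route print -4 output (the two excerpts are constructed, the VPN adapter address 10.50.0.7 and Wi-Fi address 192.168.1.23 are assumptions), applies the longest-prefix-then-lowest-metric selection Windows uses, classifies the posture as full or split tunnel, and lists rows the VPN added since the known-good capture.

```python
import ipaddress
import re

# Constructed `route print -4` excerpts (not captured from a real host). In CURRENT the
# VPN adapter at 10.50.0.7 has injected a metric-1 default route that beats Wi-Fi.
KNOWN_GOOD = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.23     35
         10.0.0.0        255.0.0.0         On-link       10.50.0.7      2
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    331
"""
CURRENT = KNOWN_GOOD + "          0.0.0.0          0.0.0.0         On-link       10.50.0.7      1\n"

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_route_print(text):
    """Return (network, gateway, interface, metric) for each IPv4 'Active Routes' row."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append((network, gateway, iface, int(metric)))
    return routes

def best_route(routes, ip):
    """Windows next-hop selection: longest prefix first, lowest metric as the tie-break."""
    addr = ipaddress.IPv4Address(ip)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]), default=None)

def tunnel_mode(routes, vpn_iface):
    """'full' when a public address would leave via the VPN adapter, otherwise 'split'."""
    winner = best_route(routes, "1.1.1.1")  # same probe address the article uses
    return "full" if winner and winner[2] == vpn_iface else "split"

def new_routes(baseline, current):
    """Rows present now that the known-good snapshot did not have (the VPN re-added them)."""
    seen = {(str(r[0]), r[2]) for r in baseline}
    return [r for r in current if (str(r[0]), r[2]) not in seen]

if __name__ == "__main__":
    good, now = parse_route_print(KNOWN_GOOD), parse_route_print(CURRENT)
    print("baseline:", tunnel_mode(good, "10.50.0.7"), "current:", tunnel_mode(now, "10.50.0.7"))
    for net, gateway, iface, metric in new_routes(good, now):
        print(f"new route {net} via {gateway} on {iface} metric {metric}")
```

On a real laptop, pipe route print -4 into a file right after the VPN connects and feed that file in place of the constructed strings.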
When Clash runs in TUN mode, it may register additional routes that attract broad traffic. Cross-check those additions against the VPN table immediately after enabling TUN; overlapping /1 or /0 style tricks are uncommon on Windows compared with Linux, yet some third-party helpers still install aggressive summaries. Our Clash Verge Rev TUN mode guide explains how terminal and GUI programs share one capture path—read it before enabling TUN on a locked-down corporate image.
5 Exception routes and persistent policy routes
Sometimes IT cannot grant application-level split tunneling but will approve a static exception for a lab subnet or a cloud VPC range. On Windows you can add a host or network route with route add pointing at the interface that should win. Example pattern (values are illustrative only—replace with addresses your network team supplies):
route -p add 203.0.113.0 mask 255.255.255.0 192.168.1.1 metric 5 if 12
The -p flag makes the route persistent across reboots until removed with route delete. The if index must match the interface number from route print’s interface list. Metrics matter: if the VPN re-adds the same prefix with metric 1 on reconnect, your manual metric-5 route loses. Some teams script PowerShell startup tasks that reapply personal exceptions after the VPN service finishes its own programming sequence—document ordering if you go that route.
Modern Windows also exposes New-NetRoute and Set-NetIPInterface -InterfaceMetric for finer control. Raising the metric on the VPN interface is occasionally suggested on forums; doing so without approval can violate compliance because it effectively deprioritizes security inspection. Prefer explicit destination-based exceptions rather than globally weakening the tunnel adapter unless risk owners sign off.
If your goal is “send only GitHub through Clash while the VPN owns everything else,” combine a narrow Windows route (when allowed) with Clash rules that match DOMAIN-SUFFIX,github.com to your proxy group. That stacks policy at both layers and reduces surprise when the VPN client refreshes routes mid-day.
6 Clash modes that play nicer with corporate VPN
On a VPN-heavy laptop, system proxy mode is often the first lever to try. Win32 applications that respect system proxy settings will send HTTP(S) traffic to Clash’s listener without requiring a virtual tunnel interface that competes with the VPN’s own adapter. The trade-off is coverage: store apps, many Electron bundles with custom network stacks, and all UDP-centric protocols may ignore WinINET proxy configuration unless you add per-app overrides. For Microsoft Store titles specifically, review UWP loopback and system proxy fixes, because VPN plus loopback exemptions are a frequent double complication.
TUN mode gives Clash broader capture—including DNS forwarded into Mihomo—but increases the chance you starve the VPN client of packets it expects to originate from the original physical interface. If you enable TUN, configure Clash’s own bypass lists so corporate IP-CIDR ranges short-circuit to DIRECT before generic GEOIP rules send them offshore. Keep logs open: when a helpdesk ticket says “SharePoint loads from the wrong region,” the first artifact is almost always a misplaced rule order entry, not a mysterious VPN bug.
Mixed ports and “only localhost” bindings remain important. Binding Clash exclusively to 127.0.0.1 reduces accidental exposure on guest networks, yet still allows local browsers to forward through the stack. Pair that with Windows Defender Firewall rules scoped to your user account if policy permits custom rules.
7 YAML patterns: keep intranet on DIRECT, public on PROXY
Clash cannot fix a broken OS route table, but once Windows delivers packets to Mihomo, declarative rules decide the exit node. Place the most specific corporate matches high in the rules: list. Typical skeleton:
rules:
- IP-CIDR,10.0.0.0/8,DIRECT
- IP-CIDR,172.16.0.0/12,DIRECT
- IP-CIDR,192.168.0.0/16,DIRECT
- DOMAIN-SUFFIX,corp.example,DIRECT
- DOMAIN-SUFFIX,internal.example,DIRECT
- GEOIP,CN,DIRECT
- MATCH,PROXY
Replace the RFC1918 blocks with the actual RFC1918 or public ranges your employer publishes; blindly copying 10.0.0.0/8 may send traffic to DIRECT that should still traverse an inspected path if your company uses overlapping addressing with cloud providers. When internal apps use public DNS names that resolve to private IP space, combine DOMAIN or DOMAIN-SUFFIX rows with IP-CIDR guards so FakeIP mode does not rewrite names into addresses your VPN route table cannot reach.
If you maintain separate profiles for “on VPN” versus “off VPN,” store them as different files or use Clash Verge Rev profile switching so you are not editing live YAML during a conference call. Version-control the working copy; diffing yesterday’s file against today’s prevents the classic “I commented one line and forgot.”
8 DNS: split brains break faster than split tunnels
Enterprise VPNs frequently push split DNS suffix lists so *.corp.example resolves through internal resolvers while consumer domains use public DNS. Clash’s dns: stanza may override that behavior when enhanced modes rewrite queries. Misalignment shows up as “ping works, HTTPS fails” because the browser resolved an internal service to a public CDN edge that your VPN never routes. Align Clash DNS upstreams with what IT expects, or disable Mihomo DNS features for queries that must hit corporate resolvers.
For deep Mihomo DNS tuning—DoH, FakeIP, and leak-resistant defaults—pair this article with the Meta core DNS leak prevention guide. The guiding principle on VPN laptops is one coherent resolver story: either queries go to corporate DNS through the tunnel, or you deliberately forward only non-sensitive lookups through Clash, never both at random per application.
Run nslookup sharepoint.corp.example with the VPN connected and again with it disconnected. If the answers differ but Clash logs show all queries hitting a public DoH endpoint, reorder the DNS rules before touching routing again.
9 Startup order: VPN first, then Clash (usually)
A pragmatic sequence is connect the corporate VPN first, wait until internal sites load, then start Clash and apply the “on VPN” profile. That ordering lets the VPN client finish injecting routes before Clash opens its adapter. Reversing the order sometimes works on split-tunnel networks but often triggers reconnect loops because GlobalProtect detects an unexpected default route during handshake. If your organization uses pre-logon tunnels, the sequence may differ; treat vendor documentation as authoritative.
Scheduled tasks can enforce ordering for power users, but they are brittle across VPN upgrades. Prefer documented manual steps for teammates unless IT automates distribution. When disconnecting, quit Clash before disconnecting the VPN if you notice dangling routes—again, compare route print snapshots to catch leaks.
10 Compliance: when simultaneous connection is not allowed
Many employment agreements and endpoint policies explicitly forbid chaining consumer proxies on top of managed VPNs. Some security stacks flag unknown TUN adapters within minutes. Before investing hours in route metrics, confirm in writing—or at minimum through an internal ticket—that split tunneling plus local proxy usage is permitted for your role. The technical elegance of a working setup does not outweigh contractual obligations or regulatory constraints in finance, healthcare, or government environments.
11 FAQ
- Clash connects but intranet sites break: You likely routed private IP space to a foreign proxy—move IP-CIDR intranet rules above GEOIP or subscription catch-alls.
- VPN disconnects seconds after enabling TUN: Posture agent detected a new adapter—try system proxy only, or request an IT-approved exclusion.
- Everything is slow, not broken: Double default routes with similar metrics can cause asymmetric paths; inspect metrics after each reconnect.
- Does WSL2 inherit this? WSL has its own stack; see our WSL2 and Clash guide for host/VPN interaction nuances.
12 Wrap-up
Running Clash beside GlobalProtect or AnyConnect on Windows is fundamentally a coordination exercise between two policy engines: the OS routing table that the VPN owns, and Mihomo’s declarative split routing that decides which upstream carries each flow once packets arrive at the proxy. Start by classifying tunnel modes, snapshot route print when healthy, prefer system proxy when TUN causes posture failures, and keep intranet destinations on DIRECT with explicit IP-CIDR and DOMAIN-SUFFIX rows ahead of broad GEOIP shortcuts. Layer DNS hygiene on top so name resolution does not contradict either stack.
Compared with all-or-nothing consumer VPNs, Clash-class clients reward structured YAML, reproducible profiles, and readable connection logs—exactly the observability you need when a corporate tunnel reconnects mid-day and rewrites metrics underneath you. When policy allows simultaneous use, that observability is the difference between guessing and knowing which hop dropped a packet.
For installers and release notes you can share with teammates without pointing everyone at upstream repositories first, use our download page; reserve GitHub for source review and issue tracking separate from day-one distribution.