What is TUN Mode?
TUN (Network TUNnel) mode is an enhanced proxy mode provided by ClashX. It creates a virtual network interface (TUN device) to intercept and forward all traffic at the operating system's network layer.
TUN mode operates at the network layer (Layer 3) and can capture all network traffic from all applications, regardless of whether the application supports proxy settings. This means you can achieve true "global proxy", including command-line tools, background services, and even applications that don't support system proxy.
Main Advantages of TUN Mode
- True Global Proxy: All application network traffic is proxied without exception
- No App Configuration: No need to configure proxy settings for each application
- UDP Support: Can proxy UDP protocol, supports gaming, video conferencing, etc.
- Better DNS Control: Complete control over DNS resolution process, prevents DNS leaks
- Higher Rule Priority: Works at network layer, more precise rule matching
- Prevents Proxy Bypass: Applications cannot bypass the proxy to connect directly
How TUN Mode Works
When TUN mode is enabled, ClashX creates a virtual network interface (usually named utun), and the system routes all network traffic to this virtual interface. After ClashX receives the traffic, it decides whether to forward through the proxy server or connect directly based on configured rules.
TUN Mode vs System Proxy Comparison
Understanding the difference between TUN mode and traditional system proxy mode helps you choose the most suitable proxy method.
| Comparison | TUN Mode | System Proxy |
|---|---|---|
| Work Layer | Network Layer (Layer 3) | Application Layer (Layer 7) |
| Coverage | All Applications | Proxy-supporting Apps Only |
| UDP Support | ✓ Fully supported | ✗ Not supported (an HTTP proxy carries TCP only; SOCKS5 UDP works only if the app implements it) |
| DNS Control | Full Control | Partial Control |
| Permission Required | Admin Permission Required | No Special Permission |
| Performance Impact | Slight Impact (<5%) | Almost None |
| Config Complexity | Medium | Simple |
| Compatibility | Perfect (All Apps) | Limited (Some Apps) |
Recommended for TUN Mode: When you need to proxy all apps, use command-line tools, game acceleration, prevent DNS leaks.
Recommended for System Proxy: Browser-only proxy, minimal performance overhead, quick temporary use.
Prerequisites
Before enabling TUN mode, please ensure the following conditions are met:
System Requirements
- macOS Version: macOS 10.15 Catalina or later
- ClashX Version: ClashX 1.90.0 or later (latest version recommended)
- Admin Permission: Must have macOS administrator account privileges
- System Integrity Protection: No need to disable SIP, TUN mode works normally
Hardware Compatibility
ClashX ships a native ARM64 build for Apple Silicon (M1/M2/M3) Macs. Use it rather than the Intel build under Rosetta, which adds translation overhead to every packet ClashX processes in TUN mode.
Preparation Checklist
- ☑️ Ensure ClashX is properly installed and can use system proxy mode
- ☑️ Have administrator account password ready (needed during configuration)
- ☑️ Backup current configuration file (to prevent configuration errors)
- ☑️ Close other proxy tools (to avoid port conflicts)
- ☑️ Confirm subscription or configuration file is working properly
5 Steps to Enable TUN Mode
Follow these steps to successfully enable and configure ClashX TUN mode within 10 minutes.
Step 1: Grant System Permissions
TUN mode needs to create a virtual network interface through a system network extension, so you must first grant ClashX the corresponding system permissions. Note that Full Disk Access is a broad privilege that reaches well beyond networking: grant it only to the ClashX application bundle you actually installed, and remove it again if TUN mode turns out to work without it.
- Open System Preferences → Security & Privacy
- Click the lock icon in the bottom left corner, enter admin password to unlock
- Switch to the Privacy tab
- Find Full Disk Access in the left list
- Click the + button, add ClashX app (usually in /Applications)
- Ensure the checkbox next to ClashX is checked
- In ClashX menu bar, click Config → Experimental Features → Install Network Extension
- Enter admin password, wait for installation to complete
When installing the network extension for the first time, the system may show a security prompt. Please click "Allow" in System Preferences → Security & Privacy → General. If you encounter permission issues, restart your Mac and try again.
Step 2: Edit Configuration File
Add TUN mode configuration items to your configuration file.
- Click ClashX menu bar icon → Config → Open Config Folder
- Use a text editor (like TextEdit, VS Code) to open the current configuration file
- Add the following content at the top of the config file (in the general config area):

```yaml
# TUN mode configuration
tun:
  enable: true
  stack: system                 # or gvisor; system performs better
  dns-hijack:
    - any:53
  auto-route: true              # automatically configure the routing table
  auto-detect-interface: true   # automatically detect the egress interface
```

- `stack`: use `system` for best performance; try `gvisor` if you run into compatibility issues.
- `dns-hijack`: redirects every DNS request on port 53 (`any:53`), whatever resolver it was addressed to, into Clash's built-in resolver, which prevents DNS leaks.
- `auto-route`: configures the system routing table automatically; no manual setup needed.
Step 3: Configure DNS Settings
TUN mode requires DNS configuration for optimal performance and privacy protection.
Add or modify DNS configuration in your config file (same level as tun config):
```yaml
dns:
  enable: true
  listen: 0.0.0.0:53
  enhanced-mode: fake-ip            # or redir-host; fake-ip performs better
  fake-ip-range: 198.18.0.1/16
  nameserver:
    - 223.5.5.5                     # AliDNS
    - 119.29.29.29                  # Tencent DNS
    - 114.114.114.114               # 114 DNS
  fallback:
    - https://1.1.1.1/dns-query     # Cloudflare DoH
    - https://dns.google/dns-query  # Google DoH
  fallback-filter:
    geoip: true
    ipcidr:
      - 240.0.0.0/4
```

Two things to be aware of: `listen: 0.0.0.0:53` binds the resolver on every interface, so other hosts on your LAN can query it; binding to `127.0.0.1:53` limits that exposure, and the `any:53` hijack inside the TUN still delivers apps' queries to Clash. The plain `nameserver` entries are queried over UDP port 53 in clear text, so those resolvers and anyone on the path see the names; `fallback-filter` only decides which answer is used, it does not hide the query.
Step 4: Set Up Routing Rules
Configure proxy rules to determine which traffic goes through proxy and which connects directly.
Ensure your config file includes basic rules (usually subscription configs include them):
```yaml
rules:
  # Local network direct
  - DOMAIN-SUFFIX,local,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
  - IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,172.16.0.0/12,DIRECT,no-resolve
  - IP-CIDR,127.0.0.0/8,DIRECT,no-resolve
  # CN websites direct
  - GEOIP,CN,DIRECT
  # Other traffic via proxy
  - MATCH,PROXY
```
Step 5: Enable and Verify
- Save the configuration file
- Click Config → Reload Config File in ClashX menu
- Click ClashX menu → Set as System Proxy (uncheck, not needed in TUN mode)
- Click ClashX menu → Enhanced Mode → TUN Mode (ensure it's checked)
- Select an available proxy node
- Open a browser or any app to test network connection
When TUN mode starts successfully, a small dot will appear next to ClashX's menu bar icon, and the status bar will show "Enhanced Mode Enabled". At this point, all application network traffic will be processed through ClashX's proxy rules.
DNS Configuration Optimization
DNS configuration is key to TUN mode performance and privacy. Proper DNS configuration can significantly improve access speed and prevent DNS leaks.
Fake-IP vs Redir-Host
Fake-IP Mode (Recommended)
- How it works: The resolver answers each query with a fake address from 198.18.0.0/16 and remembers which domain it stands for. When the app connects to that address, Clash maps it back to the domain, matches rules by domain, and forwards the hostname (not an IP) to the proxy server, so proxied traffic needs no local DNS resolution at all
- Advantages: Fast connection establishment, low DNS resolution latency, precise rule matching
- Disadvantages: Some apps may be incompatible (like NAS access, local services)
- Use cases: Daily use, game acceleration, streaming media access
Redir-Host Mode
- How it works: Returns real IP addresses, normal DNS resolution process
- Advantages: Good compatibility, suitable for all application scenarios
- Disadvantages: DNS resolution takes extra time, slightly slower connection
- Use cases: Accessing local services, NAS, router management interface
DNS Server Selection
- 119.29.29.29 (Tencent DNS)
- 8.8.8.8 (Google DNS)
Prevent DNS Leaks
Ensure your config file includes the following settings so that applications cannot send DNS queries past Clash (for example straight to your ISP's resolver):

```yaml
dns:
  enable: true
  listen: 0.0.0.0:53
  enhanced-mode: fake-ip
  fake-ip-filter:                 # these domains do not get fake IPs
    - '*.lan'
    - 'localhost.ptlogin2.qq.com'
  nameserver:
    - 223.5.5.5
    - 119.29.29.29
  fallback:
    - https://1.1.1.1/dns-query
    - https://dns.google/dns-query
  fallback-filter:
    geoip: true                   # nameserver answer kept only for CN IPs; otherwise the fallback answer is used
    geoip-code: CN
```

This stops apps from bypassing Clash's resolver; it does not encrypt the queries Clash itself sends to the plain `nameserver` entries. If every query must be encrypted on the wire, list DoH or DoT resolvers (`https://...` or `tls://...` entries) under `nameserver` as well, not only under `fallback`.
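The fake-IP and fallback-filter behaviour described in Step 3 and in the Fake-IP vs Redir-Host comparison, as an added runnable model (this is illustration code written for this article, not ClashX's own resolver). The upstream answers and the two-prefix GeoIP table are constructed stand-ins defined inline; the real resolver asks 223.5.5.5 and the DoH fallback instead. Real resolution only happens for domains in `fake-ip-filter` or when a connection ends up DIRECT; proxied connections carry the hostname to the proxy server.

```python
import fnmatch
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed stand-ins for what the plain `nameserver` entries (e.g. 223.5.5.5)
# and the DoH `fallback` entries would answer. Not real measurements.
NAMESERVER_ANSWERS: Dict[str, str] = {
    "www.baidu.com": "110.242.68.4",    # CN address: nameserver answer is kept
    "www.google.com": "203.98.7.65",    # non-CN (possibly polluted): fallback wins
    "bogus.example": "240.0.0.1",       # inside fallback-filter.ipcidr: fallback wins
    "nas.lan": "192.168.1.20",          # matched by fake-ip-filter '*.lan'
}
FALLBACK_ANSWERS: Dict[str, str] = {
    "www.baidu.com": "110.242.68.4",
    "www.google.com": "142.250.66.68",
    "bogus.example": "93.184.216.34",
    "nas.lan": "192.168.1.20",
}
# Constructed GeoIP stand-in: the prefixes this model treats as CN.
CN_PREFIXES = [ipaddress.ip_network("110.242.0.0/16")]


def is_cn(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CN_PREFIXES)


class ClashDns:
    """Model of the `dns:` section: fake-ip allocation, fake-ip-filter,
    and fallback-filter (geoip + ipcidr) answer selection."""

    def __init__(self, fake_ip_range: str = "198.18.0.1/16",
                 fake_ip_filter: Iterable[str] = (),
                 fallback_ipcidr: Iterable[str] = ("240.0.0.0/4",),
                 geoip: bool = True) -> None:
        self.net = ipaddress.ip_network(fake_ip_range, strict=False)
        self.fake_ip_filter = list(fake_ip_filter)
        self.fallback_ipcidr = [ipaddress.ip_network(c) for c in fallback_ipcidr]
        self.geoip = geoip
        self._pool = self.net.hosts()
        next(self._pool)  # leave 198.18.0.1 free: it is the TUN interface address
        self.fake_to_domain: Dict[str, str] = {}
        self.domain_to_fake: Dict[str, str] = {}

    def is_fake(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.net

    def is_filtered(self, domain: str) -> bool:
        """fake-ip-filter: glob patterns whose matches get a real answer."""
        return any(fnmatch.fnmatchcase(domain, p) for p in self.fake_ip_filter)

    def resolve_real(self, domain: str) -> Optional[str]:
        """fallback-filter: keep the nameserver answer only if it is a CN
        address and not inside the ipcidr list; otherwise use the fallback."""
        ns = NAMESERVER_ANSWERS.get(domain)
        fb = FALLBACK_ANSWERS.get(domain)
        if ns is None:
            return fb
        addr = ipaddress.ip_address(ns)
        if any(addr in net for net in self.fallback_ipcidr):
            return fb
        if self.geoip and not is_cn(ns):
            return fb
        return ns

    def resolve(self, domain: str) -> Optional[str]:
        """What the application sees: a stable fake IP, or a real IP for
        domains excluded by fake-ip-filter (NAS, LAN services)."""
        if self.is_filtered(domain):
            return self.resolve_real(domain)
        if domain not in self.domain_to_fake:
            fake = str(next(self._pool))
            self.domain_to_fake[domain] = fake
            self.fake_to_domain[fake] = domain
        return self.domain_to_fake[domain]

    def connect_target(self, dst_ip: str) -> str:
        """What the rule engine and proxy receive when the app connects:
        the original hostname for a fake IP, the IP itself otherwise."""
        return self.fake_to_domain.get(dst_ip, dst_ip)


if __name__ == "__main__":
    dns = ClashDns(fake_ip_filter=("*.lan", "localhost.ptlogin2.qq.com"))
    for name in ("www.google.com", "www.baidu.com", "nas.lan", "bogus.example"):
        seen = dns.resolve(name)
        print(f"{name:16} app sees {seen:15} -> connects as {dns.connect_target(seen)}"
              f"  (real: {dns.resolve_real(name)})")
```

The `nas.lan` line is the NAS case from the comparison: without the `*.lan` filter the app would be handed a fake IP and Clash would try to reach the NAS through the rules instead of the LAN.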
Rule Configuration Recommendations
Proper rule configuration can optimize network performance and reduce unnecessary proxy traffic.
Basic Rule Template
```yaml
rules:
  # Block ad domains
  - DOMAIN-KEYWORD,adservice,REJECT
  - DOMAIN-SUFFIX,googlesyndication.com,REJECT
  # Local network direct
  - DOMAIN-SUFFIX,local,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
  - IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,172.16.0.0/12,DIRECT,no-resolve
  - IP-CIDR,127.0.0.0/8,DIRECT,no-resolve
  # Common CN websites direct
  - DOMAIN-SUFFIX,cn,DIRECT
  - DOMAIN-KEYWORD,baidu,DIRECT
  - DOMAIN-KEYWORD,taobao,DIRECT
  - DOMAIN-KEYWORD,jd,DIRECT
  # Streaming services via proxy
  - DOMAIN-KEYWORD,youtube,PROXY
  - DOMAIN-KEYWORD,netflix,PROXY
  - DOMAIN-SUFFIX,twitter.com,PROXY
  # CN IP direct
  - GEOIP,CN,DIRECT
  # Other traffic via proxy
  - MATCH,PROXY
```

Keyword rules match anywhere in the hostname, so `DOMAIN-KEYWORD,jd,DIRECT` also sends, for example, jdownloader.org direct. Where you know the domain, prefer `DOMAIN-SUFFIX`, which is anchored at the end of the name.
Rule Priority
Clash matches rules from top to bottom, stopping once a match is found. Therefore you should put:
1. REJECT rules (ad blocking) at the very top
2. Exact matches (DOMAIN) at the top
3. Fuzzy matches (DOMAIN-KEYWORD) in the middle
4. IP rules towards the end
5. MATCH (fallback rule) at the very end
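The first-match semantics above, as an added example that runs the Basic Rule Template end to end (illustration code for this article, not Clash's own rule engine). GeoIP data and DNS answers are constructed stand-ins defined inline, and `no-resolve` is honoured so you can see which rules would trigger a DNS lookup. Only the rule types used on this page are implemented.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed GeoIP stand-in: prefixes this model treats as CN.
CN_PREFIXES = [ipaddress.ip_network("110.242.0.0/16"),
               ipaddress.ip_network("119.29.0.0/16")]

# Constructed DNS answers, consulted only when an IP rule lacks `no-resolve`.
ANSWERS: Dict[str, str] = {
    "www.baidu.com": "110.242.68.4",
    "www.google.com": "142.250.66.68",
}


class Resolver:
    """Counts lookups so the effect of `no-resolve` is visible."""

    def __init__(self) -> None:
        self.lookups = 0

    def __call__(self, host: str) -> Optional[str]:
        self.lookups += 1
        return ANSWERS.get(host)


class Rule:
    def __init__(self, line: str) -> None:
        self.line = line.strip().lstrip("-").strip()   # accept "- TYPE,..." YAML items
        parts = [p.strip() for p in self.line.split(",")]
        self.type = parts[0].upper()
        if self.type == "MATCH":                       # MATCH has no payload
            self.payload, self.policy, opts = "", parts[1], parts[2:]
        else:
            self.payload, self.policy, opts = parts[1], parts[2], parts[3:]
        self.no_resolve = "no-resolve" in opts
        self.net = (ipaddress.ip_network(self.payload, strict=False)
                    if self.type == "IP-CIDR" else None)

    def matches(self, host: Optional[str], ip: Optional[str],
                resolve: Callable[[str], Optional[str]]) -> bool:
        if self.type == "MATCH":
            return True
        if self.type == "DOMAIN":
            return host == self.payload
        if self.type == "DOMAIN-SUFFIX":               # anchored at the end of the name
            return host is not None and (host == self.payload
                                         or host.endswith("." + self.payload))
        if self.type == "DOMAIN-KEYWORD":              # substring anywhere in the name
            return host is not None and self.payload in host
        if self.type in ("IP-CIDR", "GEOIP"):
            if ip is None and host is not None and not self.no_resolve:
                ip = resolve(host)                     # the lookup that no-resolve avoids
            if ip is None:
                return False
            addr = ipaddress.ip_address(ip)
            if self.type == "IP-CIDR":
                return addr in self.net
            return self.payload.upper() == "CN" and any(addr in n for n in CN_PREFIXES)
        raise ValueError(f"unsupported rule type: {self.type}")


class RuleEngine:
    def __init__(self, lines: List[str],
                 resolve: Callable[[str], Optional[str]]) -> None:
        self.rules = [Rule(l) for l in lines
                      if l.strip() and not l.strip().startswith("#")]
        self.resolve = resolve

    def route(self, host: Optional[str] = None,
              ip: Optional[str] = None) -> Tuple[str, str]:
        """Top to bottom, first match wins; MATCH must therefore be last."""
        for rule in self.rules:
            if rule.matches(host, ip, self.resolve):
                return rule.policy, rule.line
        raise LookupError("no rule matched: add a MATCH rule at the end")


# The Basic Rule Template from this page, verbatim.
TEMPLATE_RULES = """
- DOMAIN-KEYWORD,adservice,REJECT
- DOMAIN-SUFFIX,googlesyndication.com,REJECT
- DOMAIN-SUFFIX,local,DIRECT
- IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
- IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
- IP-CIDR,172.16.0.0/12,DIRECT,no-resolve
- IP-CIDR,127.0.0.0/8,DIRECT,no-resolve
- DOMAIN-SUFFIX,cn,DIRECT
- DOMAIN-KEYWORD,baidu,DIRECT
- DOMAIN-KEYWORD,taobao,DIRECT
- DOMAIN-KEYWORD,jd,DIRECT
- DOMAIN-KEYWORD,youtube,PROXY
- DOMAIN-KEYWORD,netflix,PROXY
- DOMAIN-SUFFIX,twitter.com,PROXY
- GEOIP,CN,DIRECT
- MATCH,PROXY
""".strip().splitlines()


if __name__ == "__main__":
    resolver = Resolver()
    engine = RuleEngine(TEMPLATE_RULES, resolver)
    for query in ({"host": "ads.googlesyndication.com"}, {"host": "www.baidu.com"},
                  {"host": "jdownloader.org"}, {"ip": "192.168.1.20"},
                  {"host": "www.google.com"}):
        policy, rule = engine.route(**query)
        print(f"{query} -> {policy} via '{rule}' (lookups so far: {resolver.lookups})")
```

Running it shows why the ordering rules matter: the ad domain is rejected before any other rule sees it, jdownloader.org is caught by the `jd` keyword, LAN addresses match an `IP-CIDR` rule without any lookup, and only the `GEOIP` rule at the end costs a DNS resolution.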
Recommended Rule Sets
Using rule sets can simplify configuration and automatically update rules. Recommended rule sets:
- Loyalsoldier Rule Set: Covers common website routing rules
- ACL4SSR Rule Set: Fine-grained routing, suitable for advanced users
- DivineEngine Rule Set: Focuses on privacy and ad blocking
Verify TUN Mode is Working
Use the following methods to verify that TUN mode has started successfully and is working properly.
Method 1: Check Network Interface
Open Terminal and run the following command:

```shell
ifconfig | grep utun
```

If you see interfaces named utunN (for example utun3 or utun4), a TUN device exists. macOS commonly has utun interfaces of its own (utun0 through utun2 are typical on a stock install), so confirm the one belonging to ClashX by checking that it carries the fake-IP address, e.g. `ifconfig utun3` showing `inet 198.18.0.1`.
Method 2: Check Routing Table
Run the following command to view the routing table:

```shell
netstat -nr | grep utun
```

If you see route entries whose Netif column is the utun interface, routing configuration is successful.
Method 3: Test Application Connection
Test whether apps that don't support system proxy (like command-line tools) can use the proxy. Pass `--noproxy '*'` so curl ignores any `HTTP_PROXY`/`HTTPS_PROXY` environment variables and the test exercises the TUN path, not an environment proxy:

```shell
curl --noproxy '*' -I https://www.google.com
```

If you can successfully access Google, TUN mode is working properly.
Method 4: Check DNS Resolution
Verify that DNS is being hijacked correctly:

```shell
nslookup www.google.com
dig +short @8.8.8.8 www.google.com
```

The `Server` line that nslookup prints is whichever resolver the system is configured to use (127.0.0.1 if you pointed it at Clash, otherwise typically your router); the reliable sign of hijacking is the answer itself. In fake-ip mode the address returned must lie in the 198.18.0.0/16 fake-IP range. The second command sends the query directly to 8.8.8.8 on purpose: with `dns-hijack: [any:53]` it must still come back as a fake IP. A real address from that query means DNS is leaking past Clash.
If all 4 methods verify successfully, TUN mode is perfectly configured. Now all network traffic from all applications on your Mac will be processed through ClashX's proxy rules, achieving true global proxy.
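The four checks as one added script (illustration code for this article, not part of ClashX). The parsers take command output as text so they can be exercised on the constructed macOS-format samples embedded below; run the file on the Mac itself (the file name `verify_tun.py` is an assumption) and `main()` executes the real `ifconfig`, `netstat -nr` and `dig` commands. The `dig` query is deliberately addressed to 8.8.8.8: with `dns-hijack: [any:53]` the reply must still be a fake IP.

```python
import ipaddress
import re
import shutil
import subprocess
from typing import List

FAKE_IP_NET = ipaddress.ip_network("198.18.0.0/16")  # the fake-ip-range from Step 3


def utun_interfaces(ifconfig_text: str) -> List[str]:
    """Method 1: names of utun interfaces in `ifconfig` output."""
    return re.findall(r"^(utun\d+):", ifconfig_text, re.MULTILINE)


def utun_routes(netstat_text: str) -> List[str]:
    """Method 2: destinations whose Netif is a utun interface in `netstat -nr`."""
    routes = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 2 and any(re.fullmatch(r"utun\d+", c) for c in cols[1:]):
            routes.append(cols[0])
    return routes


def ipv4_answers(dig_short_text: str) -> List[str]:
    """Method 4: IPv4 records from `dig +short` output; CNAME lines are skipped."""
    answers = []
    for token in dig_short_text.split():
        try:
            if ipaddress.ip_address(token).version == 4:
                answers.append(token)
        except ValueError:
            pass  # CNAME targets such as "www.example.com." are not addresses
    return answers


def all_fake(answers: List[str]) -> bool:
    """True only if there is at least one answer and every one is a fake IP."""
    return bool(answers) and all(ipaddress.ip_address(a) in FAKE_IP_NET for a in answers)


# Constructed sample outputs in macOS format, so the parsers can be run off the Mac.
SAMPLE_IFCONFIG = (
    "en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
    "\tinet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255\n"
    "utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500\n"
    "\tinet 198.18.0.1 --> 198.18.0.1 netmask 0xffff0000\n"
)
SAMPLE_NETSTAT = (
    "Routing tables\n\nInternet:\n"
    "Destination        Gateway            Flags        Netif Expire\n"
    "default            192.168.1.1        UGScg          en0\n"
    "1.0.0.0/8          198.18.0.1         UGSc         utun3\n"
    "198.18/16          198.18.0.1         UGSc         utun3\n"
    "192.168.1/24       link#6             UCS            en0      !\n"
)
SAMPLE_DIG = "198.18.0.7\n"


def run(cmd: List[str]) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def main() -> None:
    ifaces = utun_interfaces(run(["ifconfig"]))
    print("utun interfaces:", ifaces or "none (TUN device not created)")
    routes = utun_routes(run(["netstat", "-nr"]))
    print("routes via utun:", len(routes) or "none (auto-route not applied)")
    if shutil.which("dig"):
        # Addressed to 8.8.8.8 on purpose: with dns-hijack any:53 the reply must
        # still be a fake IP from Clash. A real address here means the query leaked.
        answers = ipv4_answers(run(["dig", "+short", "@8.8.8.8", "www.google.com"]))
        print("dns-hijack:", "OK" if all_fake(answers) else f"LEAK, answers {answers}")


if __name__ == "__main__":
    main()
```

Method 3 (the curl test) is left to the shell command above, since it needs the network anyway; everything this script asserts about DNS is decided by `all_fake`, which also treats an empty answer as a failure.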
Troubleshooting Common Issues
Issues you may encounter when using TUN mode and their solutions.
Issue 1: Cannot Enable TUN Mode
After clicking "Enhanced Mode" → "TUN Mode", the menu item cannot be checked, or unchecks immediately after checking.
Solution:
- Check that the network extension is installed: ClashX menu → Config → Experimental Features → Install Network Extension
- Grant Full Disk Access: System Preferences → Security & Privacy → Privacy → Full Disk Access
- Check System Preferences → Security & Privacy → General for any "Allow" prompts
- Restart ClashX or restart Mac
Issue 2: No Internet After Enabling
TUN mode is enabled but all network connections fail.
Solution:
- Check that the proxy node is available: try switching to another node
- Check the DNS configuration: ensure `dns.enable: true`
- Check the rule configuration: ensure there is a `MATCH` fallback rule
- Try disabling TUN mode and test the node with system proxy mode
Issue 3: Some Apps Cannot Connect
Most apps work but some apps (like NAS access, local services) cannot connect.
Solution:
- Add LAN IP ranges to direct rules, e.g. `IP-CIDR,192.168.0.0/16,DIRECT,no-resolve`
- If using fake-ip mode, add local domains to `fake-ip-filter`
- Try switching to redir-host mode: `enhanced-mode: redir-host`
Issue 4: Slow Network Speed
Network speed significantly decreases after enabling TUN mode.
Solution:
- Use `stack: system` instead of `gvisor` for better performance
- Use `fake-ip` mode instead of `redir-host`
- Optimize the rule configuration: set domestic sites and IPs to direct
- Check proxy node quality and switch to lower-latency nodes
Issue 5: Permission Error
Error message "Insufficient permissions" or "Admin permission required" appears.
Solution:
- Open Terminal and run:

```shell
sudo chown root:admin /Applications/ClashX.app/Contents/Library/LaunchServices/ClashX.HelperTool
sudo chmod +s /Applications/ClashX.app/Contents/Library/LaunchServices/ClashX.HelperTool
```

Setting the setuid bit makes this helper run as root for any local user, so first confirm the file is the genuine, code-signed helper (`codesign -dv --verbose=4 /Applications/ClashX.app/Contents/Library/LaunchServices/ClashX.HelperTool`) and never apply this to a binary from an untrusted download.
- Reinstall the network extension: ClashX menu → Config → Experimental Features → Install Network Extension
- Restart Mac and try again
Performance Optimization Tips
Use the following optimization tips to further improve TUN mode performance.
1. Choose the Best Protocol Stack
Recommended: stack: system
- system stack: Uses native system network stack, best performance, lowest latency
- gvisor stack: User-space network stack implemented in Go, better compatibility but slightly lower performance
- On Apple Silicon Macs, system stack advantage is more significant
2. Optimize DNS Configuration
- Use `fake-ip` mode to avoid DNS resolution latency
- Use the nearest DNS servers (Alibaba/Tencent for domestic, Cloudflare for overseas)
- Enable DoH (DNS over HTTPS) for better security and interference resistance
- Properly configure `fake-ip-filter` to exclude local service domains
3. Streamline Proxy Rules
- Put frequently accessed domains at the top of the rule list for faster matching
- Use `GEOIP,CN,DIRECT` to make domestic traffic direct, reducing proxy load
- Avoid too many `DOMAIN-KEYWORD` rules, as they affect matching efficiency
- Regularly clean up unused rules
4. Choose Quality Nodes
- Use latency testing to select the lowest latency nodes
- Prefer nodes supporting XTLS or Reality protocols for better performance
- Avoid overcrowded public nodes
- Enable auto-select fastest node feature (if subscription supports it)
5. System-Level Optimization
- Close unnecessary VPNs or other proxy tools to avoid conflicts
- Ensure macOS is on the latest version for best compatibility
- Regularly restart ClashX to clear cache and connections
- On Apple Silicon Macs, ensure using the ARM64 native version
On MacBook Pro M2, with optimized TUN mode configuration:
• Network latency increase: 5-8ms
• Speed loss: <3%
• Memory usage: 60-80MB
• CPU usage: <2% (idle)
Frequently Asked Questions
Q1: Are TUN mode and Enhanced Mode the same thing?
Yes. In ClashX, "Enhanced Mode" refers to TUN mode. It's displayed as "Enhanced Mode" in the menu, and uses the tun field in the config file.
Q2: Do I still need to enable System Proxy after enabling TUN mode?
No. TUN mode works at the network layer and doesn't need system proxy configured. In fact, enabling both system proxy and TUN mode simultaneously may cause conflicts. It's recommended to disable system proxy and use TUN mode only.
Q3: Can TUN mode proxy Docker container traffic?
Yes. TUN mode works at the network layer and can proxy all network traffic including Docker containers. But you need to ensure Docker's network configuration is correct to avoid IP range conflicts with the TUN device.
Q4: Can TUN mode usage be detected?
TUN mode itself doesn't increase detection risk. Traffic characteristics mainly depend on the proxy protocol you're using (like Shadowsocks, VMess, Trojan). TUN mode only changes how traffic is captured, not encryption or obfuscation.
Q5: Can I use the same TUN configuration on multiple Macs?
Yes. TUN mode config files are portable across multiple Macs. But note that each Mac needs to grant permissions and install network extensions separately. Config files can be directly copied and used.
Q6: Does TUN mode support IPv6?
Yes. ClashX's TUN mode supports IPv6 traffic. If your network environment and proxy nodes support IPv6, TUN mode will automatically handle IPv6 connections. You can add ipv6: true in the config to enable it.
Q7: Why does TUN mode sometimes turn off automatically?
Possible reasons: 1) Error during config file reload; 2) Network extension crashed; 3) System permission changes. Solutions: Check config file syntax, re-grant permissions, or restart ClashX.
Q8: What's the difference between TUN mode and Surge's Enhanced Mode?
The working principle is the same - both create virtual network interfaces at the network layer. The main differences are in implementation details and configuration options. Surge's enhanced mode has more features (like MITM), but ClashX's TUN mode is completely free and open source.
If you encounter issues not covered in this article when using TUN mode, you can:
• Visit ClashX GitHub to check Issues
• Check the ClashX FAQ page
• Refer to the Complete Tutorial