Shadowrocket Guide 2026 | Complete iOS Proxy Setup Tutorial

What Is Shadowrocket?

Shadowrocket is the most popular proxy app on iPhone and iPad for a reason. It is a one-time 2.99 USD purchase on the App Store, published by Shadow Launch Technology Limited, and in 2026 it is still commonly seen around version 2.2.67 with an App Store rating near 4.8 stars. The app manages to be both beginner-friendly and powerful enough for users who care about fine-grained routing.

It supports SS, SSR, VMess, VLESS, Trojan, HTTP, SOCKS5, and WireGuard, and it also includes advanced features such as MITM, JavaScript scripting, URL Rewrite, rule-based routing, ad blocking, local DNS mapping, and IPv6 handling. In other words, it is not just a subscription importer. It is a full network tool in a small mobile UI.

• Rule-based routing: Send Google, YouTube, or Telegram through proxy while keeping local services direct.
• MITM and scripts: Useful for ad cleanup and request handling when used legally and on your own devices.
• Subscription-friendly: Most providers can be imported with a single URL and refreshed later.
• Lightweight: It stays responsive enough for daily use instead of feeling like a desktop network lab squeezed into a phone.

How to Buy & Download Shadowrocket

The biggest blocker for new users is not configuration. It is the App Store region. In many cases, users in Mainland China simply cannot find Shadowrocket in the local App Store. The clean solution is to create a non-China Apple ID, usually US, Hong Kong, or Japan, then buy the app through that account.

For payment, Apple gift cards are usually the easiest option because they do not require a matching local bank card. PayPal and international credit cards can also work, but gift cards are the least painful route for most first-time buyers.

• Recommended regions: United States, Hong Kong, or Japan.
• Easiest payment: Apple gift card, then PayPal, then international credit card.
• Official App Store link: https://apps.apple.com/app/shadowrocket/id932747118

1. Open Settings on your iPhone and tap your Apple ID at the top.
2. Sign out of the current account, then create a new Apple ID with a US, HK, or JP region.
3. Log in to that account and redeem an Apple gift card, or bind PayPal or an international card.
4. Open the App Store, search for Shadowrocket, and confirm the developer name.
5. Pay the 2.99 USD purchase price and download the app.

If you already bought it once, you do not need to pay again. Just sign back into the same Apple ID and restore it from your purchased apps list.

First-Time Setup

The first launch is straightforward. Shadowrocket will ask to add a VPN configuration to iOS. You need to allow it, because all proxy apps on iPhone and iPad rely on the system VPN interface. Approve the request, then authenticate with Face ID, Touch ID, or your device passcode.

After that, the main screen shows your server or node list. At the bottom, you usually see tabs such as Home, Config, Data, and Settings. These are where you switch profiles, manage remote files, read traffic stats, and enable advanced features.

1. Home: Connect, disconnect, and switch nodes or proxy modes.
2. Config: Manage local files, subscription sources, and rule resources.
3. Data: Inspect upload and download usage, connection history, and traffic details.
4. Settings: Configure DNS, MITM, On Demand, URL Rewrite, and app behavior.

For the first test run, avoid global mode until your subscription and rules are confirmed to work. Starting with rule mode saves a lot of unnecessary troubleshooting.

Add Servers or Import a Subscription

There are three common ways to add usable servers into Shadowrocket: subscription links, single node URIs, and QR codes. Most users should choose subscription import first because it is easier to refresh and maintain over time.

Method 1: Import a subscription URL

1. Open the Home screen and tap the + button.
2. Set Type to Subscribe.
3. Paste the provider URL and give it a clear local name.
4. Tap Done, then pull down on the list page to refresh and fetch the latest nodes.

Method 2: Paste a single server URI

If your provider gives you a direct ss://, vmess://, vless://, or trojan:// link, copy it to the clipboard. Shadowrocket usually detects it automatically and asks whether you want to add the server. Confirm the prompt and the node is stored locally.

Method 3: Scan a QR code

QR import is the least error-prone option when the node contains a long string of parameters. This is especially useful for VMess and VLESS links that are annoying to type manually.

Once the node list is ready, run a connection test on a low-latency location before changing deeper settings. That gives you a clean baseline to work from.

Rule Configuration

Shadowrocket becomes truly useful once you stop thinking in terms of “on or off” and start thinking in terms of traffic routing. Rules let you proxy the traffic that needs it while keeping domestic or trusted traffic direct.

These are common real-world examples:

DOMAIN-SUFFIX,google.com,PROXY
DOMAIN-KEYWORD,youtube,PROXY
IP-CIDR,91.108.4.0/22,PROXY
GEOIP,CN,DIRECT
FINAL,PROXY

• DOMAIN-SUFFIX: Matches a domain and all of its subdomains.
• DOMAIN-KEYWORD: Matches any hostname containing a given keyword.
• IP-CIDR: Matches a specific IP range, often useful for Telegram or business traffic.
• GEOIP,CN,DIRECT: Sends China IP ranges direct, which is a common baseline rule.
• FINAL: The fallback action when nothing above matches.

Rule order matters. Shadowrocket processes the file from top to bottom. That means your most specific rules should appear first, then broader matches, and the final catch-all rule should be near the bottom. If you place FINAL too early, everything after it becomes almost pointless.

You can import remote rule files from a provider or maintain your own custom lines. For most people, the best approach is to keep the provider's remote file as the base, then add a few local custom rules for sites or services you want to force through DIRECT or PROXY.

MITM Setup

MITM is one of Shadowrocket's advanced features. Some HTTPS rewrites, script-based filtering, and response edits will not work unless MITM is enabled and a local CA certificate is installed. That power also means you should understand the trust model before turning it on.

1. Open Settings → MITM.
2. Enable the MITM switch.
3. Tap Generate CA Certificate.
4. Install the generated profile on your device.
5. Go to Settings → General → About → Certificate Trust Settings and manually trust the certificate.

Once trusted, MITM-backed features can inspect and modify supported HTTPS traffic on your own device. Common legal use cases include ad blocking, request debugging, and script-based content cleanup.

URL Rewrite

URL Rewrite lets you reshape a request before it continues. In practice, this is helpful for removing tracking parameters, fixing insecure links, or redirecting old endpoints to cleaner destinations.

^http://example\.com url 302 https://example.com
^https://example\.com/(.*)\?utm_.* url 302 https://example.com/$1

• HTTP to HTTPS: The first example upgrades plain HTTP requests to encrypted HTTPS.
• Tracking cleanup: The second example removes utm_* marketing parameters from shared links.
• Combine with MITM: Some advanced rewrites only work properly when MITM is enabled for the target host.

If a rewrite rule seems broken, check the regex, check whether the host is covered by MITM, and make sure the actual request URL matches what you think the app is calling. Bad matching logic is more common than app bugs here.

On Demand Rules

On Demand is one of the best quality-of-life features in Shadowrocket. It can connect automatically on cellular, stay off on trusted WiFi, or react to specific SSID names. That means less tapping and better battery behavior.

1. Open Settings → On Demand.
2. Tap Add Rule.
3. Select a condition such as Cellular, WiFi SSID, or SSID keyword match.
4. Choose the action, for example auto-connect, disconnect, or switch to a specific profile.

A very practical setup is to auto-connect on cellular, disconnect on your home or office WiFi, and auto-connect again on unknown public WiFi networks. That balance keeps trusted traffic simple while still protecting the environments where you actually need a proxy.

• Great for commuters: Cellular auto-connect keeps the app useful without manual intervention.
• Great for battery life: You avoid forcing a tunnel all day on trusted local networks.
• Great for reliability: WiFi-specific rules reduce “why is my intranet broken?” moments at home or work.

Shadowrocket on macOS

Yes, Shadowrocket can run on Apple Silicon Macs. If you already purchased it on your iPhone with the same Apple ID, you can usually open the Mac App Store, switch to the iPhone & iPad Apps section, and install it there.

That said, Shadowrocket is still primarily an iOS app. It works on macOS, but it is not a purpose-built native desktop experience. If you want a macOS-first proxy client with system-level integration, cleaner menu bar behavior, and a more natural desktop workflow, ClashX is the recommended choice. You can grab it from the download page.

Shadowrocket vs Quantumult X

These two apps are often compared because both are well-known paid network tools on iOS. The short version is simple: Shadowrocket is cheaper and easier, while Quantumult X is more powerful if you need deeper scripting and automation.

If you mostly want a dependable daily proxy app with sensible rules and an easy price point, Shadowrocket wins for most people. Only choose Quantumult X when you know you need the extra complexity.

Common Issues

Connection fails immediately

Check the server address, port, encryption method, and password first. In many cases the app is fine, but the node details changed or the provider expired the server.

Subscription will not update

The provider URL may be expired, or your current network may not be able to reach it. Try refreshing on another network before assuming the app is broken.

Battery drain feels higher than normal

Global mode, MITM, always-on scripts, and nonstop proxy tunnels naturally use more power. Turn off features you do not need and use On Demand instead of forcing everything to stay enabled all day.

FAQ