What is TUN Mode?
TUN (Network TUNnel) mode is an enhanced proxy mode provided by ClashX. It creates a virtual network interface (TUN device) to intercept and forward all traffic at the operating system's network layer.
TUN mode operates at the network layer (Layer 3) and can capture network traffic from all applications, regardless of whether the application supports proxy settings. This means you can achieve a true "global proxy" that covers command-line tools, background services, and even applications that don't support the system proxy.
Main Advantages of TUN Mode
- True Global Proxy: All application network traffic is proxied without exception
- No App Configuration: No need to configure proxy settings for each application
- UDP Support: Can proxy the UDP protocol, which supports gaming, video conferencing, etc.
- Better DNS Control: Complete control over the DNS resolution process, prevents DNS leaks
- Higher Rule Priority: Works at the network layer, more precise rule matching
- Prevents Proxy Bypass: Applications cannot bypass the proxy to connect directly
How TUN Mode Works
When TUN mode is enabled, ClashX creates a virtual network interface (usually named utun), and the system routes all network traffic to this virtual interface. After ClashX receives the traffic, it decides, based on the configured rules, whether to forward it through the proxy server or connect directly.
TUN Mode vs System Proxy Comparison
Understanding the difference between TUN mode and the traditional system proxy mode helps you choose the most suitable proxy method.
| Comparison | TUN Mode | System Proxy |
|---|---|---|
| Work Layer | Network Layer (Layer 3) | Application Layer (Layer 7) |
| Coverage | All Applications | Proxy-supporting Apps Only |
| UDP Support | ✓ Fully supported | ✗ Not supported |
| DNS Control | Full Control | Partial Control |
| Permission Required | Admin Permission Required | No Special Permission |
| Performance Impact | Slight Impact (<5%) | Almost None |
| Config Complexity | Medium | Simple |
| Compatibility | Perfect (All Apps) | Limited (Some Apps) |
Recommended for TUN Mode: When you need to proxy all apps, use command-line tools, accelerate games, or prevent DNS leaks.
Recommended for System Proxy: Browser-only proxy, minimal performance overhead, quick temporary use.
Prerequisites
Before enabling TUN mode, please ensure the following conditions are met:
System Requirements
- macOS Version: macOS 10.15 Catalina or later
- ClashX Version: ClashX 1.90.0 or later (latest version recommended)
- Admin Permission: Must have macOS administrator account privileges
- System Integrity Protection: No need to disable SIP; TUN mode works normally
Hardware Compatibility
On Apple Silicon (M1/M2/M3) Macs, ClashX's TUN mode has been fully optimized, with performance better than Intel versions. The ARM64 native architecture provides higher network processing efficiency and lower power consumption, making it the best platform for TUN mode.
Preparation Checklist
- ☑️ Ensure ClashX is properly installed and can use system proxy mode
- ☑️ Have the administrator account password ready (needed during configuration)
- ☑️ Back up the current configuration file (to recover from configuration errors)
- ☑️ Close other proxy tools (to avoid port conflicts)
- ☑️ Confirm the subscription or configuration file is working properly
5 Steps to Enable TUN Mode
Follow these steps to successfully enable and configure ClashX TUN mode within 10 minutes.
Step 1: Grant System Permissions
TUN mode needs to create a virtual network interface, so you must first grant ClashX the corresponding system permissions.
- Open System Preferences → Security & Privacy
- Click the lock icon in the bottom left corner, enter the admin password to unlock
- Switch to the Privacy tab
- Find Full Disk Access in the left list
- Click the + button, add the ClashX app (usually in /Applications)
- Ensure the checkbox next to ClashX is checked
- In the ClashX menu bar, click Config → Experimental Features → Install Network Extension
- Enter the admin password, wait for the installation to complete
When installing the network extension for the first time, the system may show a security prompt. Please click "Allow" in System Preferences → Security & Privacy → General. If you encounter permission issues, restart your Mac and try again.
Step 2: Edit Configuration File
Add the TUN mode configuration items to your configuration file.
- Click the ClashX menu bar icon → Config → Open Config Folder
- Use a text editor (like TextEdit, VS Code) to open the current configuration file
- Add the following content at the top of the configuration file (in the general config area):
# TUN mode configuration
tun:
  enable: true
  stack: system # or gvisor; system performs better
  dns-hijack:
    - any:53
  auto-route: true # automatically configure the routing table
  auto-detect-interface: true # automatically detect the outbound network interface
stack parameter: system is recommended for best performance. Try gvisor if you encounter compatibility issues.
dns-hijack: Hijacks all DNS requests to Clash, prevents DNS leaks.
auto-route: Automatically configures the system routing table, no manual setup needed.
Step 3: Configure DNS Settings
TUN mode requires DNS configuration for optimal performance and privacy protection.
Add or modify the DNS configuration in your configuration file (same level as the tun config):
dns:
  enable: true
  listen: 0.0.0.0:53
  enhanced-mode: fake-ip # or redir-host; fake-ip performs better
  fake-ip-range: 198.18.0.1/16
  nameserver:
    - 223.5.5.5 # Alibaba DNS
    - 119.29.29.29 # Tencent DNS
    - 114.114.114.114 # 114 DNS
  fallback:
    - https://1.1.1.1/dns-query # Cloudflare DoH
    - https://dns.google/dns-query # Google DoH
  fallback-filter:
    geoip: true
    ipcidr:
      - 240.0.0.0/4
Step 4: Set Up Routing Rules
Configure proxy rules to determine which traffic goes through the proxy and which connects directly.
Ensure your configuration file includes basic rules (subscription configs usually include them):
rules:
  # Local network: direct
  - DOMAIN-SUFFIX,local,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
  - IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,172.16.0.0/12,DIRECT,no-resolve
  - IP-CIDR,127.0.0.0/8,DIRECT,no-resolve
  # Domestic sites: direct
  - GEOIP,CN,DIRECT
  # All other traffic goes through the proxy
  - MATCH,PROXY
Step 5: Enable and Verify
- Save the configuration file
- Click Config → Reload Config File in the ClashX menu
- Click ClashX menu → Set as System Proxy (uncheck, not needed in TUN mode)
- Click ClashX menu → Enhanced Mode → TUN Mode (ensure it's checked)
- Select an available proxy node
- Open a browser or any app to test the network connection
When TUN mode starts successfully, a small dot will appear next to ClashX's menu bar icon, and the status bar will show "Enhanced Mode Enabled". At this point, all application network traffic will be processed through ClashX's proxy rules.
DNS Configuration Optimization
DNS configuration is key to TUN mode performance and privacy. Proper DNS configuration can significantly improve access speed and prevent DNS leaks.
Fake-IP vs Redir-Host
Fake-IP Mode (Recommended)
- How it works: Returns fake IP addresses (198.18.0.0/16 range), connects directly via domain name
- Advantages: Fast connection establishment, low DNS resolution latency, precise rule matching
- Disadvantages: Some apps may be incompatible (like NAS access, local services)
- Use cases: Daily use, game acceleration, streaming media access
Redir-Host Mode
- How it works: Returns real IP addresses, normal DNS resolution process
- Advantages: Good compatibility, suitable for all application scenarios
- Disadvantages: DNS resolution takes extra time, slightly slower connection
- Use cases: Accessing local services, NAS, router management interface
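The fake-ip behaviour described above, as an added Python example (not ClashX's own code). It is a simplified model: the class name FakeIPPool, the starting offset inside the range, and the sample domains are assumptions made for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

class FakeIPPool:
    """Simplified model of fake-ip DNS: hand out placeholder IPs, remember the domain."""

    def __init__(self, cidr="198.18.0.1/16", filters=()):
        self.net = ipaddress.ip_network(cidr, strict=False)   # -> 198.18.0.0/16
        self.filters = [f.lower() for f in filters]           # fake-ip-filter patterns
        self._next = int(self.net.network_address) + 2        # assumption: .0 and .1 reserved
        self._by_domain, self._by_ip = {}, {}

    def answer(self, domain):
        """DNS side: return a fake IP, or None when fake-ip-filter exempts the name."""
        domain = domain.lower().rstrip(".")
        if any(fnmatchcase(domain, pat) for pat in self.filters):
            return None                                       # caller resolves it for real
        if domain not in self._by_domain:
            ip = ipaddress.ip_address(self._next)
            if ip >= self.net.broadcast_address:
                raise RuntimeError("fake-ip pool exhausted")
            self._next += 1
            self._by_domain[domain], self._by_ip[ip] = ip, domain
        return self._by_domain[domain]

    def destination(self, ip):
        """TUN side: map a packet's destination IP back to the domain the app asked for."""
        ip = ipaddress.ip_address(ip)
        if ip in self.net:
            return self._by_ip.get(ip)       # None: fake IP with no known domain
        return str(ip)                       # real address, no domain recorded

if __name__ == "__main__":
    pool = FakeIPPool(filters=["*.lan", "localhost.ptlogin2.qq.com"])
    fake = pool.answer("www.google.com")     # constructed sample lookups
    print("app receives", fake, "-> rules see", pool.destination(fake))
    print("nas.lan ->", pool.answer("nas.lan"), "(exempt, needs a real lookup)")
```

Rule matching runs on the recovered domain, so no upstream lookup is needed before the connection starts; a name exempted by fake-ip-filter falls back to real resolution, which is what local services expect.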
DNS Server Selection
119.29.29.29
8.8.8.8
Prevent DNS Leaks
Ensure your configuration file includes the following settings to prevent DNS requests from leaking to your local ISP:
dns:
  enable: true
  listen: 0.0.0.0:53
  enhanced-mode: fake-ip
  fake-ip-filter: # these domains do not use fake-ip
    - '*.lan'
    - 'localhost.ptlogin2.qq.com'
  nameserver:
    - 223.5.5.5
    - 119.29.29.29
  fallback:
    - https://1.1.1.1/dns-query
    - https://dns.google/dns-query
  fallback-filter:
    geoip: true # domestic IPs use nameserver, foreign IPs use fallback
    geoip-code: CN
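An added example (not part of ClashX) that checks an already-parsed config against the tun, dns and rules settings this page relies on. The function name audit, the finding texts and WEAK_CFG are constructed for illustration, and the dns.listen check is an addition beyond the page's own list.

```python
def audit(cfg):
    """Check a parsed Clash config (a dict, e.g. from yaml.safe_load) against the
    settings this page relies on. Returns a list of (setting, finding) tuples."""
    tun, dns = cfg.get("tun") or {}, cfg.get("dns") or {}
    rules = cfg.get("rules") or []
    out = []
    if tun.get("enable") is not True:
        out.append(("tun.enable", "TUN is off: apps that ignore proxy settings connect directly"))
    if "any:53" not in (tun.get("dns-hijack") or []):
        out.append(("tun.dns-hijack", "any:53 missing: DNS requests are not hijacked to Clash"))
    if tun.get("auto-route") is not True:
        out.append(("tun.auto-route", "routing table must be set up manually"))
    if dns.get("enable") is not True:
        out.append(("dns.enable", "must be true (see 'No Internet After Enabling')"))
    if str(dns.get("listen", "")).startswith(("0.0.0.0:", "[::]:", ":")):
        out.append(("dns.listen", "resolver listens on every interface, not only loopback"))
    if dns.get("enhanced-mode") == "fake-ip" and not dns.get("fake-ip-filter"):
        out.append(("dns.fake-ip-filter", "empty: local names such as *.lan receive fake IPs"))
    if not any(str(s).startswith("https://") for s in dns.get("fallback") or []):
        out.append(("dns.fallback", "no DoH (https://) fallback resolver"))
    if not rules or not str(rules[-1]).startswith("MATCH,"):
        out.append(("rules", "last rule is not MATCH: unmatched traffic has no explicit policy"))
    return out

# Mirrors the tun/dns/rules settings shown on this page.
PAGE_CFG = {
    "tun": {"enable": True, "stack": "system", "dns-hijack": ["any:53"],
            "auto-route": True, "auto-detect-interface": True},
    "dns": {"enable": True, "listen": "0.0.0.0:53", "enhanced-mode": "fake-ip",
            "fake-ip-filter": ["*.lan", "localhost.ptlogin2.qq.com"],
            "nameserver": ["223.5.5.5", "119.29.29.29"],
            "fallback": ["https://1.1.1.1/dns-query", "https://dns.google/dns-query"]},
    "rules": ["GEOIP,CN,DIRECT", "MATCH,PROXY"],
}
# Constructed weak config: TUN on, but DNS handling left unconfigured.
WEAK_CFG = {
    "tun": {"enable": True, "auto-route": True},
    "dns": {"enable": False, "enhanced-mode": "fake-ip"},
    "rules": ["GEOIP,CN,DIRECT"],
}

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CFG), ("weak", WEAK_CFG)):
        for setting, finding in audit(cfg):
            print(f"{name}: {setting}: {finding}")
```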
Rule Configuration Recommendations
Proper rule configuration can optimize network performance and reduce unnecessary proxy traffic.
Basic Rule Template
rules:
  # Block ad domains
  - DOMAIN-KEYWORD,adservice,REJECT
  - DOMAIN-SUFFIX,googlesyndication.com,REJECT
  # LAN: direct
  - DOMAIN-SUFFIX,local,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
  - IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,172.16.0.0/12,DIRECT,no-resolve
  - IP-CIDR,127.0.0.0/8,DIRECT,no-resolve
  # Common domestic sites: direct
  - DOMAIN-SUFFIX,cn,DIRECT
  - DOMAIN-KEYWORD,baidu,DIRECT
  - DOMAIN-KEYWORD,taobao,DIRECT
  - DOMAIN-KEYWORD,jd,DIRECT
  # Streaming services go through the proxy
  - DOMAIN-KEYWORD,youtube,PROXY
  - DOMAIN-KEYWORD,netflix,PROXY
  - DOMAIN-SUFFIX,twitter.com,PROXY
  # Domestic IPs: direct
  - GEOIP,CN,DIRECT
  # All other traffic goes through the proxy
  - MATCH,PROXY
Rule Priority
Clash matches rules from top to bottom, stopping once a match is found. Therefore you should put:
1. REJECT rules (ad blocking) at the very top
2. Exact matches (DOMAIN) at the top
3. Fuzzy matches (DOMAIN-KEYWORD) in the middle
4. IP rules towards the end
5. MATCH (fallback rule) at the very end
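An added example (not ClashX code) of the top-to-bottom, first-match evaluation described above, reporting which later rules a broad earlier rule shadows. GEOIP is not modelled because it needs a GeoIP database; the jdoe.example rule and the test destinations are constructed.

```python
import ipaddress

def parse_rule(line):
    """'TYPE,VALUE,POLICY[,no-resolve]' -> (type, value, policy); MATCH has no value."""
    p = [s.strip() for s in line.split(",")]
    return (p[0], None, p[1]) if p[0] == "MATCH" else (p[0], p[1], p[2])

def rule_hits(rule, host):
    """Does one rule match this destination (a domain name or a literal IP)?"""
    kind, value, _ = rule
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if kind == "MATCH":
        return True
    if kind == "IP-CIDR":
        return ip is not None and ip in ipaddress.ip_network(value)
    if ip is not None:
        return False                    # domain rules never match a literal IP
    host = host.lower().rstrip(".")
    if kind == "DOMAIN":
        return host == value
    if kind == "DOMAIN-SUFFIX":
        return host == value or host.endswith("." + value)
    if kind == "DOMAIN-KEYWORD":
        return value in host
    return False                        # GEOIP needs a GeoIP database: not modelled

def explain(rules, host):
    """First-match winner plus the later non-MATCH rules that it shadows."""
    hits = [r for r in rules if rule_hits(parse_rule(r), host)]
    winner = hits[0] if hits else None
    return winner, [r for r in hits[1:] if not r.startswith("MATCH")]

# Order follows the page's basic template; the jdoe.example rule is constructed.
RULES = [
    "DOMAIN-KEYWORD,adservice,REJECT",
    "DOMAIN-SUFFIX,local,DIRECT",
    "IP-CIDR,192.168.0.0/16,DIRECT,no-resolve",
    "DOMAIN-KEYWORD,jd,DIRECT",
    "DOMAIN-KEYWORD,youtube,PROXY",
    "DOMAIN-SUFFIX,jdoe.example,PROXY",
    "GEOIP,CN,DIRECT",
    "MATCH,PROXY",
]

if __name__ == "__main__":
    for host in ("cdn.jdoe.example", "www.youtube.com", "192.168.1.10", "example.org"):
        winner, shadowed = explain(RULES, host)
        print(f"{host:18} -> {winner}   shadows: {shadowed}")
```

The two-letter keyword jd sends cdn.jdoe.example DIRECT even though a later suffix rule was meant to proxy it, which is the kind of shadowing a short DOMAIN-KEYWORD value causes.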
Recommended Rule Sets
Using rule sets can simplify configuration and keep rules updated automatically. Recommended rule sets:
- Loyalsoldier Rule Set: Covers common website routing rules
- ACL4SSR Rule Set: Fine-grained routing, suitable for advanced users
- DivineEngine Rule Set: Focuses on privacy and ad blocking
Verify TUN Mode is Working
Use the following methods to verify that TUN mode has started successfully and is working properly.
Method 1: Check Network Interface
Open Terminal and run the following command:
ifconfig | grep utun
If you see network interfaces starting with utun (like utun3, utun4), the TUN device has been created successfully.
Method 2: Check Routing Table
Run the following command to view the routing table:
netstat -nr | grep utun
If you see route entries pointing to the utun interface, routing configuration is successful.
Method 3: Test Application Connection
Test whether apps that don't support the system proxy (like command-line tools) can use the proxy:
curl -I https://www.google.com
If you can successfully access Google, TUN mode is working properly.
Method 4: Check DNS Resolution
Verify that DNS is being hijacked correctly:
nslookup www.google.com
If the returned DNS server is 127.0.0.1 (local), DNS hijacking is successful.
If all 4 methods verify successfully, TUN mode is perfectly configured. Now all network traffic from all applications on your Mac will be processed through ClashX's proxy rules, achieving a true global proxy.
Troubleshooting Common Issues
Issues you may encounter when using TUN mode and their solutions.
Issue 1: Cannot Enable TUN Mode
After clicking "Enhanced Mode" → "TUN Mode", the menu item cannot be checked, or unchecks immediately after checking.
Solution
- Check if the network extension is installed: ClashX menu → Config → Experimental Features → Install Network Extension
- Grant Full Disk Access: System Preferences → Security & Privacy → Privacy → Full Disk Access
- Check System Preferences → Security & Privacy → General for any "Allow" prompts
- Restart ClashX or restart your Mac
Issue 2: No Internet After Enabling
TUN mode is enabled but all network connections fail.
Solution
- Check if the proxy node is available: try switching to another node
- Check DNS configuration: ensure dns.enable: true
- Check rule configuration: ensure there's a MATCH fallback rule
- Try disabling TUN mode and test the node with system proxy mode
Issue 3: Some Apps Cannot Connect
Most apps work but some apps (like NAS access, local services) cannot connect.
Solution
- Add LAN IP ranges to direct rules: IP-CIDR,192.168.0.0/16,DIRECT
- If using fake-ip mode, add local domains to fake-ip-filter
- Try switching to redir-host mode: enhanced-mode: redir-host
Issue 4: Slow Network Speed
Network speed significantly decreases after enabling TUN mode.
Solution
- Use stack: system instead of gvisor for better performance
- Use fake-ip mode instead of redir-host
- Optimize rule configuration, set domestic sites and IPs to direct
- Check proxy node quality, switch to lower latency nodes
Issue 5: Permission Error
Error message "Insufficient permissions" or "Admin permission required" appears.
Solution
- Open Terminal and run:
sudo chown root:admin /Applications/ClashX.app/Contents/Library/LaunchServices/ClashX.HelperTool
- Run (this sets the setuid/setgid bits, so the helper executes with the privileges of its owner, root):
sudo chmod +s /Applications/ClashX.app/Contents/Library/LaunchServices/ClashX.HelperTool
- Reinstall the network extension: ClashX menu → Config → Experimental Features → Install Network Extension
- Restart your Mac and try again
Performance Optimization Tips
Use the following optimization tips to further improve TUN mode performance.
1. Choose the Best Protocol Stack
Recommended: stack: system
- system stack: Uses the native system network stack, best performance, lowest latency
- gvisor stack: User-space network stack implemented in Go, better compatibility but slightly lower performance
- On Apple Silicon Macs, the system stack's advantage is more significant
2. Optimize DNS Configuration
- Use fake-ip mode to avoid DNS resolution latency
- Use the nearest DNS servers (Alibaba/Tencent for domestic, Cloudflare for overseas)
- Enable DoH (DNS over HTTPS) for better security and interference resistance
- Properly configure fake-ip-filter to exclude local service domains
3. Streamline Proxy Rules
- Put frequently accessed domains at the top of the rule list for faster matching
- Use GEOIP,CN,DIRECT to make domestic traffic direct, reducing proxy load
- Avoid too many DOMAIN-KEYWORD rules as they affect matching efficiency
- Regularly clean up unused rules
4. Choose Quality Nodes
- Use latency testing to select the lowest latency nodes
- Prefer nodes supporting XTLS or Reality protocols for better performance
- Avoid overcrowded public nodes
- Enable the auto-select fastest node feature (if the subscription supports it)
5. System-Level Optimization
- Close unnecessary VPNs or other proxy tools to avoid conflicts
- Ensure macOS is on the latest version for best compatibility
- Regularly restart ClashX to clear cache and connections
- On Apple Silicon Macs, ensure you are using the ARM64 native version
On MacBook Pro M2, with optimized TUN mode configuration:
• Network latency increase: 5-8ms
• Speed loss: <3%
• Memory usage: 60-80MB
• CPU usage: <2% (idle)
Frequently Asked Questions
Q1: Are TUN mode and Enhanced Mode the same thing?
Yes. In ClashX, "Enhanced Mode" refers to TUN mode. It is displayed as "Enhanced Mode" in the menu and uses the tun field in the configuration file.
Q2: Do I still need to enable System Proxy after enabling TUN mode?
No. TUN mode works at the network layer and doesn't need the system proxy configured. In fact, enabling both the system proxy and TUN mode simultaneously may cause conflicts. It's recommended to disable the system proxy and use TUN mode only.
Q3: Can TUN mode proxy Docker container traffic?
Yes. TUN mode works at the network layer and can proxy all network traffic, including Docker containers. But you need to ensure Docker's network configuration is correct to avoid IP range conflicts with the TUN device.
Q4: Can TUN mode usage be detected?
TUN mode itself doesn't increase detection risk. Traffic characteristics mainly depend on the proxy protocol you're using (like Shadowsocks, VMess, Trojan). TUN mode only changes how traffic is captured, not encryption or obfuscation.
Q5: Can I use the same TUN configuration on multiple Macs?
Yes. TUN mode configuration files are portable across multiple Macs. But note that each Mac needs to grant permissions and install the network extension separately. Config files can be directly copied and used.
Q6: Does TUN mode support IPv6?
Yes. ClashX's TUN mode supports IPv6 traffic. If your network environment and proxy nodes support IPv6, TUN mode will automatically handle IPv6 connections. You can add ipv6: true in the config to enable it.
Q7: Why does TUN mode sometimes turn off automatically?
Possible reasons: 1) Error during configuration file reload; 2) Network extension crashed; 3) System permission changes. Solutions: Check configuration file syntax, re-grant permissions, or restart ClashX.
Q8: What's the difference between TUN mode and Surge's Enhanced Mode?
The working principle is the same: both create virtual network interfaces at the network layer. The main differences are in implementation details and configuration options. Surge's enhanced mode has more features (like MITM), but ClashX's TUN mode is completely free and open source.
If you encounter issues not covered in this article when using TUN mode, you can:
• Visit ClashX GitHub to check Issues
• Check the ClashX FAQ page
• Refer to the Complete Tutorial
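TUN Mode Troubleshooting: 3-Step Diagnosis (Terminal Edition)
When you run into "no internet after enabling" or "some apps don't go through the proxy", run the minimal diagnosis below before changing the configuration file.
Step 1: Confirm the TUN interface and routes exist
ifconfig | grep utun
netstat -nr | grep utun
No utun interface usually means the permission or the extension did not load successfully; fix the authorization first, then continue.
Step 2: Confirm DNS takes the local path as expected
scutil --dns
nslookup www.google.com
If the resolution path looks wrong, go back to the DNS leak-prevention checklist first and align the system DNS and browser DoH policies.
Step 3: Use the log to locate rule hits instead of guessing
tail -f ~/Library/Logs/ClashX/clashx.log
grep -E "MATCH|RULE|DIRECT|REJECT" ~/Library/Logs/ClashX/clashx.log | tail -n 60
If you find key domains being swallowed by broad rules, see Rule Priority in Practice to adjust the order.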