Why people enable Clash LAN proxy on a home Wi‑Fi
Running Clash on a desktop or laptop is the default starting point: you import a subscription, tune rule groups, and let Mihomo steer traffic through the node you selected. The next practical question arrives quickly—can a phone, tablet, or secondary PC on the same local network reuse that tunnel without installing another full client stack? The answer is yes, as long as you treat the machine as a small LAN proxy endpoint rather than a magic router feature.
That pattern is popular in apartments and small offices where only one always-on computer keeps Clash connected, while other devices only need a browser or a handful of apps to follow the same exit. Compared with per-device VPN clients, a shared HTTP or SOCKS entry on the LAN is lighter to deploy. Compared with turning on mobile hotspot tethering, staying inside ordinary Wi‑Fi keeps battery drain on phones closer to normal and avoids double-NAT surprises when you still need the LAN printer.
The failure mode people report most often is not YAML syntax—it is connectivity that works on the host yet refuses to connect from a phone, usually because Clash still listens on loopback, because allow-lan is off, because the mixed port does not match what the mobile Wi‑Fi proxy form expects, or because the operating system firewall silently drops inbound packets from other stations on the subnet. This article walks those layers in order so you can fix the right layer first.
If you have not installed a client yet, grab a current build from our Clash download page and confirm basic connectivity on the PC before you expose listeners to the LAN. Sharing amplifies mistakes: a broken profile becomes a broken experience for every device you point at it.
Prerequisites: one subnet, a stable host IP, and realistic expectations
LAN proxy sharing assumes every participant receives an address from the same private range and can route to the host without carrier-grade NAT between them. In plain language, the phone and the PC should appear as neighbors on the LAN: typical patterns look like 192.168.0.0/24, 192.168.1.0/24, or 10.0.0.0/24. If the phone is on cellular data while the PC sits on Wi‑Fi, this guide does not apply—you need a different topology such as a VPN server or a routed tailnet.
Write down the host IPv4 address before you touch Clash. On Windows, ipconfig shows the active adapter; on macOS, System Settings → Network or ipconfig getifaddr en0 for a quick answer. You will type that address into the manual proxy form on mobile devices. If your router assigns addresses with short DHCP leases, consider binding a DHCP reservation so the PC keeps the same last octet across reboots—nothing is more frustrating than a working setup that breaks overnight because the gateway handed the host a new number.
Expect application coverage similar to manual proxy mode on each client. Mobile operating systems expose a system-wide HTTP proxy hook for many apps, yet some binaries ignore it, just as they ignore desktop system proxy settings. If you need full-device capture on the phone, install a dedicated client there or explore tethering plus TUN on the PC. LAN sharing is best understood as “reuse the same upstream node for compatible apps”, not as an automatic VPN for every UDP game packet.
allow-lan and bind-address: stop listening only on localhost
By default, many Clash distributions bind inbound listeners to 127.0.0.1 so only local processes can connect. That design is safe: it prevents strangers on the café Wi‑Fi from pointing their browsers at your SOCKS port. When you intentionally want neighbors on the LAN to connect, you must flip two conceptual switches: let the daemon accept non-loopback interfaces, and ensure the socket binds to an address reachable from those interfaces.
In YAML, allow-lan: true tells the core to accept inbound connections from other machines. Pair it with bind-address set to "*" (the asterisk must be quoted, because a bare * is YAML alias syntax) or to 0.0.0.0, depending on what your Mihomo build and your GUI's validation accept; both mean the same thing: listen on every IPv4 interface so connections arriving on your Ethernet or Wi‑Fi adapter reach the proxy port. Some profiles still carry an older bind-address: 127.0.0.1 with a comment recommending it for security; that value keeps LAN clients out even when allow-lan is true, and it is the single most common reason a phone gets "connection refused" while the PC itself browses fine.
Graphical clients such as Clash Verge Rev surface these fields in settings panes with wording like “Allow LAN” or “Bind address.” If you edit raw YAML inside the app, reload the profile and watch the log for bind errors—typos in the bind-address field fail fast, whereas firewall issues fail silently with timeouts.
Mixed port, 7890, and matching HTTP with SOCKS expectations
Mihomo-based Clash bundles a mixed port listener that speaks both HTTP proxy and SOCKS on the same TCP port—commonly 7890 in stock templates, though your pack may choose another number to avoid collisions. That convenience matters on phones: iOS and Android manual proxy screens usually ask for a single host and port under HTTP; SOCKS-capable clients can often target the same numeric port because the mixed listener negotiates the correct protocol.
If you split services across separate ports—say 7890 for HTTP and 7891 for SOCKS—double-check which field each app uses. A browser pointed at the SOCKS port with an HTTP scheme will stall; a SOCKS5 client aimed at the HTTP port will equally fail. When in doubt, prefer the mixed entry for simplicity and document the number on paper beside your PC’s IP.
External controller and metrics ports (the external-controller key in YAML, often called the REST API) are unrelated to phone browsing. Keep the controller bound to 127.0.0.1 and protected with a secret, and scope your firewall allowances strictly to the proxy listener you intend family devices to use. Reducing attack surface matters even on a trusted LAN because laptops join and leave, guests arrive, and malware occasionally scans adjacent hosts.
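A minimal profile fragment that puts the preceding sections together, added here as an example rather than taken from the article or from any Mihomo template. The first document is the contradiction that produces "connection refused" on phones; the second is the working shape plus the hardening this article comes back to under security and housekeeping. mixed-port, allow-lan, bind-address, external-controller and secret are standard Clash keys; lan-allowed-ips, authentication and skip-auth-prefixes are Mihomo-specific, so confirm your build honors them. The 192.168.1.0/24 subnet, the credential and the controller secret are placeholders to replace with your own values.

```yaml
# Broken: the pattern behind "works on the PC, refused from the phone".
# allow-lan is on, but the socket still sits on loopback, so nothing arriving
# on the Wi-Fi or Ethernet adapter can ever reach it.
mixed-port: 7890
allow-lan: true
bind-address: 127.0.0.1

---
# Working and hardened. Assumptions: 192.168.1.0/24 is the home subnet,
# "family:..." is a placeholder credential, 9090 is the stock controller port.
mixed-port: 7890                  # HTTP and SOCKS on one TCP port; this is the number phones get
allow-lan: true                   # accept connections from other machines
bind-address: "*"                 # every IPv4 interface; quotes matter, a bare * is YAML alias syntax
lan-allowed-ips:                  # Mihomo-specific: only these sources may use the listener
  - 127.0.0.1/32
  - 192.168.1.0/24
authentication:                   # optional HTTP/SOCKS5 credentials, mirrored in the phone's proxy form
  - "family:replace-with-a-long-passphrase"
skip-auth-prefixes:               # Mihomo-specific: local processes keep working without credentials
  - 127.0.0.1/32
  - ::1/128
external-controller: 127.0.0.1:9090   # REST API stays on loopback, never on the LAN
secret: "replace-with-a-random-controller-secret"
```

After reloading the profile, the log should show the mixed listener on 0.0.0.0:7890 (or the equivalent wildcard form your build prints) rather than on 127.0.0.1:7890; if it still prints loopback, the GUI overrode the YAML and the Allow LAN toggle in its settings pane needs to be flipped too.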
For readers comparing this workflow with full TUN mode on the PC, remember the division of labor: TUN captures local applications on the host. LAN sharing extends whichever inbound proxy listeners you opened, not the TUN adapter itself. Our TUN mode guide stays relevant for the machine that runs Clash; this article extends its listeners outward.
Windows Defender Firewall: allow inbound on the proxy port
Windows treats unsolicited inbound TCP connections to listening ports as a separate decision from outbound browsing. The first time the Clash binary listens on a non-loopback address, Defender may prompt to allow it; if the prompt is dismissed or suppressed by policy, Windows records a block rule and later connections from the phone time out with no visible error on the host. The reliable fix is to create an explicit inbound rule tied to either the Clash executable or the specific TCP port you exposed.
Open Windows Security → Firewall & network protection → Advanced settings, then choose Inbound Rules → New Rule. Select Port, TCP, and enter your mixed port number. Allow the connection on Private profiles at minimum; Public should stay off unless you truly roam untrusted networks with LAN sharing still enabled—which we do not recommend. Name the rule clearly—“Clash mixed LAN”—so future you remembers why it exists.
Executable-based rules trade precision for convenience: pointing the firewall at verge.exe or the Mihomo service binary covers whichever port the app opens today, but you must update the rule if you switch clients. Port-based rules survive client upgrades as long as the port stays stable. If you still see blocks, check whether a third-party suite (enterprise endpoint protection) layers on top of Defender; those products maintain their own matrices.
On Windows 11, confirm the active network is classified as Private; a Guest/Public classification tightens defaults even when you thought the rule was correct. After changing profiles, retest from the phone: open a simple HTTP site, then a second test that forces HTTPS to ensure TLS handshakes traverse the proxy path you expect.
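The same checks in command form, added here as an example and not taken from the article or from any Clash client: confirm where the listener is actually bound, confirm the network profile, then add a port-based rule scoped to the Private profile and, optionally, to your subnet. Run it in an elevated PowerShell on the PC that hosts Clash; 7890, the rule name, the interface alias "Wi-Fi" and 192.168.1.0/24 are assumptions to replace with your own.

```powershell
# Added example; assumes the stock mixed port. Adjust $Port to your profile.
$Port = 7890

# 1. Is the listener bound to all interfaces? A LocalAddress of 127.0.0.1 here
#    means bind-address/allow-lan in YAML still need fixing; no firewall rule helps.
Get-NetTCPConnection -State Listen -LocalPort $Port |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Is the active network classified as Private? A rule scoped to the Private
#    profile never matches on a network Windows treats as Public.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
# To reclassify a trusted home network (replace the alias with yours):
# Set-NetConnectionProfile -InterfaceAlias "Wi-Fi" -NetworkCategory Private

# 3. Allow inbound TCP on the mixed port, Private profile only.
New-NetFirewallRule -DisplayName "Clash mixed LAN" `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -Profile Private -Action Allow

# 4. Optional: pin the rule to the LAN subnet, so even a misclassified network
#    cannot reach the listener from outside your own address range.
Set-NetFirewallRule -DisplayName "Clash mixed LAN" -RemoteAddress 192.168.1.0/24

# Verify, and when you travel disable the rule rather than deleting it.
Get-NetFirewallRule -DisplayName "Clash mixed LAN" |
    Format-List DisplayName, Enabled, Profile, Action
# Disable-NetFirewallRule -DisplayName "Clash mixed LAN"
```

Step 1 is worth running before anything else: a listener showing 127.0.0.1 explains every phone-side timeout on its own, and no amount of firewall work changes that.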
macOS firewall and listener visibility
macOS application firewalls interact with signed binaries and user prompts. When Clash first listens beyond localhost, you may see a dialog asking whether incoming connections are allowed. Approve it for your trusted client. If you previously clicked Deny, open System Settings → Network → Firewall → Options and reset the entry for the Clash helper, or remove and recreate the rule.
Unlike Windows, macOS users less often need manual port rules when the application firewall approves the binary, but corporate MDM profiles can still block unsolicited listeners. If you manage a machine with enforced security software, mirror the same strategy: explicit allow for the signed app, verified by testing from a phone on the same SSID.
Remember Little Snitch and similar tools: they sit above the stock firewall and can deny inbound connections even when System Settings looks permissive. Temporarily logging those prompts while you test LAN sharing saves hours of guessing.
Router pitfalls: guest Wi‑Fi, AP isolation, and repeater double NAT
Consumer routers sometimes ship with AP isolation (also called client isolation or station isolation) enabled on guest networks. When isolation is on, wireless clients cannot talk to each other—excellent for cafés, fatal for LAN proxy sharing. Move both devices to the primary SSID or disable isolation for the segment you control.
Guest networks also assign different subnets or apply captive portals. If your phone sits on 192.168.33.0/24 while the PC lives on 192.168.1.0/24, they are not “on the same LAN” in the sense this article uses, even if the same plastic router blinks LEDs for both. Wire them into a single bridging path or route explicitly; otherwise packets never arrive at your proxy listener.
Mesh kits and wireless repeaters occasionally introduce asymmetric paths where one hop cannot forward mDNS or broadcast traffic while unicast TCP still works. If discovery apps fail but direct IP connects succeed, ignore the mDNS symptom and keep testing with explicit IPv4 addresses.
Phones and tablets: configure manual HTTP proxy toward the PC
On iOS, open the Wi‑Fi network details, scroll to HTTP Proxy, choose Manual, and enter the PC’s IPv4 address with the mixed port. Authentication fields stay empty for default Clash listeners without auth—if you enabled authentication in YAML, mirror those credentials or connections will fail immediately.
On Android, the advanced settings of a Wi‑Fi network expose a similar manual proxy form; vendor skins relocate menus but the fields repeat: hostname, port, and an optional bypass list. Put the NAS, printer, and other local web UIs in that bypass list so you reach them directly instead of through a remote node. The accepted syntax (bare hosts, domain suffixes, or wildcard patterns such as 192.168.*) varies by Android version and vendor, so check what the form tolerates rather than assuming CIDR notation works.
Some Android apps ignore the system proxy entirely. Test with the browser first; if Chrome works but a random utility does not, the issue is application-level proxy support, not Clash. For those cases, per-app VPN tools or SOCKS-aware libraries remain the answer.
Verification steps that isolate the failing layer
Start from the PC itself. With Clash running and allow-lan enabled, point curl at the LAN address rather than at localhost: curl -x http://<PC_LAN_IP>:7890 https://ipinfo.io should return the upstream IP of your exit node. Run it on the host first, then from a second machine if one is available: from the host it proves the listener is bound to the LAN address, but traffic to your own address never crosses the inbound firewall, so only the second machine proves the firewall rule works. If the host-side test fails, fix listeners before involving mobile devices.
From the phone, visit an IP check site over HTTPS. Compare the reported country with the node you selected in Clash. If the IP matches your ISP, the phone is still exiting direct—either proxy settings did not apply, or the app bypasses them. Toggle airplane mode briefly to flush Wi‑Fi state on stubborn phones after proxy changes.
Read Mihomo logs while testing. Successful LAN connects show the phone's address on accepted connections. A connection that is refused instantly means packets reached the PC but nothing was listening on that port and interface, which points at bind-address, allow-lan, or a mistyped port. A connection that hangs until it times out means nothing answered at all, which points at the host firewall (Windows Defender drops silently rather than rejecting), a different subnet, or AP isolation. Keep the log window open during tests so you correlate timestamps with attempts.
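A small probe that automates the layer isolation above, added here as an example and not part of the article or of Mihomo. It assumes only that the target port is an HTTP-capable listener (the mixed port is one) and that any network path between the devices is plain TCP. It ships with a constructed FakeProxy so the self-check at the bottom runs offline; against a real setup, run it from a second device as python probe.py <PC_LAN_IP> 7890 (the file name is my choice).

```python
"""Probe a Clash/Mihomo LAN listener one layer at a time.

Added example, not code from the article or from Mihomo. Assumes the target
port is an HTTP-capable listener; FakeProxy is a constructed stand-in used
only for the offline self-check.
"""
import socket
import sys
import threading


def tcp_probe(host, port, timeout=3.0):
    """Classify a bare TCP connect: 'open', 'refused', 'timeout' or 'error:<errno>'.

    refused -> the PC answered with RST: wrong port, or listener bound to 127.0.0.1
    timeout -> nobody answered: firewall drop, wrong subnet, or AP/client isolation
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        return f"error:{exc.errno}"


def connect_probe(host, port, target="example.com:443", timeout=5.0):
    """Send one HTTP CONNECT, which is what a phone's manual HTTP proxy does
    before every HTTPS request, and return (status_code, status_line).
    status_code is None when the reply is not HTTP at all."""
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n" not in data and len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return code, status_line


def diagnose(host, port):
    """Map probe outcomes onto the layers this article walks through."""
    state = tcp_probe(host, port)
    if state == "timeout":
        return "timeout: firewall drop, different subnet, or AP/client isolation"
    if state == "refused":
        return "refused: PC reachable but nothing listens here (mixed-port, allow-lan, bind-address)"
    if state != "open":
        return f"{state}: routing or local network stack problem"
    code, line = connect_probe(host, port)
    if code == 200:
        return "ok: listener accepts CONNECT, HTTPS will traverse the proxy"
    if code == 407:
        return "auth: listener requires credentials; enter them in the phone's proxy form"
    return f"unexpected reply {line!r}: not an HTTP/mixed listener (SOCKS-only port?)"


class FakeProxy:
    """Constructed stand-in for a Clash mixed listener on 127.0.0.1 (self-test only)."""

    def __init__(self, reply=b"HTTP/1.1 200 Connection established\r\n\r\n"):
        self.reply = reply
        self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.server.bind(("127.0.0.1", 0))
        self.server.listen(5)
        self.server.settimeout(0.2)  # lets the accept loop notice close()
        self.port = self.server.getsockname()[1]
        self.stop = threading.Event()
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while not self.stop.is_set():
            try:
                conn, _ = self.server.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)  # swallow the CONNECT request
                    conn.sendall(self.reply)
                except OSError:
                    pass

    def close(self):
        """Stop serving and release the port, so a later probe sees 'refused'."""
        self.stop.set()
        self.thread.join()
        self.server.close()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # real use, from a second device on the LAN
        print(diagnose(sys.argv[1], int(sys.argv[2])))
    else:  # offline self-check against the constructed listener
        fake = FakeProxy()
        print("fake listener:", diagnose("127.0.0.1", fake.port))
        port = fake.port
        fake.close()
        print("closed port:  ", diagnose("127.0.0.1", port))
```

The two-stage design mirrors the log reading above: tcp_probe separates "nobody answered" from "answered but refused" before any proxy protocol is spoken, and only an open port gets the CONNECT exchange, so a 407 or a non-HTTP reply is reported as a configuration mismatch rather than as a network failure.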
Security and housekeeping on a shared LAN
Opening listeners transforms your PC into a network service. On a trusted home LAN with family devices, that is manageable. On hotel or conference Wi‑Fi, disable allow-lan before you connect—strangers should not browse through your node, and you should not leak your proxy port to arbitrary VLAN peers.
Consider adding lightweight authentication if your client supports it and, where the core allows it, restricting accepted source addresses to your own subnet, especially when you share the port with roommates who should not share admin rights to the GUI. Rotate ports if you observe unexpected hits in logs. Keep Clash updated; proxy cores receive fixes for parsing and protocol edge cases that matter when untrusted input can reach them.
For policy-heavy networks, remember that LAN proxy sharing does not absolve you of acceptable-use rules. Apply the same care you would when running Clash only for yourself.
Troubleshooting quick map
Phones cannot connect (timeout or connection refused)
Verify the PC IP, confirm allow-lan and bind-address, then inspect firewall inbound rules. A refused connection means the PC answered but nothing listens on that port from the LAN side; a timeout means nothing answered, usually a firewall drop or client isolation. Do not rely on ping: host firewalls often drop ICMP echo requests while still allowing the TCP port, so a failed ping alongside a working connect to the proxy port is normal.
HTTP sites load but HTTPS fails
HTTPS through an HTTP proxy uses the CONNECT method, which Clash's HTTP and mixed listeners both support, so check that the phone points at the HTTP or mixed port rather than a SOCKS-only port and that scheme and port match. Also check for TLS inspection or certificate-pinning tools on the phone that fight custom proxies.
Everything works wired but not on wireless
Suspect guest SSID isolation or a mesh backhaul that segments clients. Move both devices to the same AP and retest with static IPs if needed.
Closing: share the node, not the confusion
Clash LAN proxy sharing is less about exotic YAML and more about listening where your neighbors can reach you, aligning ports with mobile expectations, and teaching the OS firewall to accept inbound connections from your own subnet. Once those three ideas click, the same pattern scales to tablets, secondary laptops, and even embedded browsers on TVs that respect manual proxy settings.
Compared with duplicating subscriptions on every gadget, a single well-managed host reduces sync drift: one place to update nodes, one log stream to read when something misbehaves. Compared with commercial cloud proxies, you keep control of the rule stack you already tuned—GEOIP, rule-providers, and policy groups stay coherent because every device funnels through the same Mihomo instance.
When you are ready to standardize on a maintained client build with sensible defaults for mixed ports and LAN toggles, download Clash for free from our official page and experience the difference.