What Clash TUN mode actually does

Most people start with system proxy mode because it is easy: the operating system stores an HTTP or SOCKS endpoint, and well-behaved desktop applications read those settings before they open a connection. That workflow is enough for everyday browsing, yet it quietly fails for a long tail of software. Games, many Electron apps, terminals, language package managers, and background updaters often talk to the network as if no proxy exists. They never consult the WinINET catalog on Windows or the Network Extension preferences on macOS, so your carefully tuned Clash policy groups never see that traffic.

TUN mode solves the bypass problem at a lower layer. Clash (through the Mihomo core in modern clients) creates a virtual network adapter—think of it as a lightweight VPN interface registered with the OS. Default routes or more specific policy routes send packets into that adapter, the engine inspects each flow, applies routing rules and DNS logic, then forwards the traffic to the correct outbound: a remote node, a relay chain, or a direct path. From the application’s point of view nothing special happened; from your point of view every socket is now accountable unless you explicitly carve out exceptions.

This article focuses on desktop usage patterns for readers who already have a working profile and want to graduate from "browser only" to global proxy behavior without buying a separate commercial VPN stack. If you are still choosing an installer, skim our Clash download page first, then return here once you can import a subscription successfully.

ℹ️ Terminology: "TUN" refers to a layer-three tunnel interface (IP packets). Some documentation still says "TAP" for older layer-two bridges; Mihomo-based Clash builds you run today standardize on TUN-style capture paired with the routing table. The user-visible toggle in GUIs is still commonly labeled TUN mode.

System proxy versus TUN in plain language

System proxy mode is an application-level contract. The OS publishes a host and port; each program decides whether to honor that contract. TUN mode is closer to a traffic-level contract: packets destined outside local subnets meet the virtual interface first, so Clash can classify them even when the program author ignored proxy APIs.

That power comes with sharper edges. When TUN is misconfigured you can lose all connectivity in a second because the default route now points into an adapter whose userspace half is not running. When system proxy is misconfigured, browsers fail loudly while the rest of the machine still pings your router. Understanding that asymmetry helps you troubleshoot calmly instead of assuming the kernel is broken.

Quick mental checklist

  • Choose system proxy when you only need browsers and a handful of CLI tools where you can set HTTPS_PROXY manually, and you want the smallest possible footprint on corporate laptops that restrict drivers.
  • Choose TUN when you play online games that open arbitrary UDP ports, run Docker or WSL tooling that ignores Windows proxy settings, or use IDEs that fetch dependencies outside the proxy-aware stack.
  • Use both during migration: many Mihomo GUIs let you keep system proxy enabled for compatibility while TUN handles the stubborn flows. Just avoid contradictory DNS settings between the two paths.

When global capture is worth the complexity

Global proxy in marketing slides sounds like "every byte leaves through Tokyo," but engineers usually mean consistent policy enforcement: the same GEOIP and domain-suffix rules apply whether the packet originated in Chrome or in a Windows service. TUN mode is the practical enabler for that story on a single machine.

Consider turning TUN on when you notice any of the following symptoms while system proxy already shows as enabled: speed tests still reveal your residential ISP on non-browser tests, curl without explicit flags resolves to your home region, game launchers download patches on the direct path, or enterprise SSO agents phone home outside the tunnel you thought you had opened. Each symptom is a hint that some process is not reading proxy variables.

Conversely, pause before you enable TUN on locked-down work devices. Some enterprises block third-party miniport drivers or kernel extensions. In those environments, system proxy plus documented exceptions may be the only compliant option.

How packets flow once TUN is active

After you flip the TUN toggle, three coordinated mechanisms usually move in parallel: interface creation, route programming, and DNS redirection. The GUI hides most details, yet knowing the sequence helps when you read debug logs.

First, the client asks the OS for a virtual adapter with a private IPv4 range (and sometimes IPv6, depending on your profile). Second, it installs split routes or a default route that is more specific than your physical interface for the prefixes you want to intercept. Third, optional DNS hijack settings forward UDP 53 (and sometimes DoH bootstrap queries) into Clash so domain rules and fake-ip logic stay coherent. Mihomo can use either the system stack or the gVisor stack for userspace forwarding; the exact keyword names differ slightly between releases, but the architecture is the same: the kernel hands IP datagrams to Clash, and Clash hands proxied flows to your selected nodes.

⚠️ Elevation matters: Installing the WinTUN driver on Windows or approving the network extension on macOS requires administrator interaction. If you decline the prompt, the adapter never appears and the UI may still claim TUN is on—a classic source of "everything is broken" reports that are actually permission denials.

Windows: drivers, UAC, and typical GUI steps

On Windows 10 and Windows 11, Clash Verge Rev and FlClash both bundle the same Mihomo engine but surface controls differently. Regardless of the skin you prefer, the sequence is predictable: install while UAC can elevate, allow the miniport driver the first time TUN starts, then reboot if Windows Update previously half-installed an older Wintun revision.

Install and first launch

  1. Download the current release from our official download page so you inherit the newest driver metadata.
  2. Right-click the installer and run it as administrator if your organization enforces elevated installs.
  3. Open the application, import a profile that you already verified under system proxy mode, and confirm basic connectivity before you touch TUN.

Enable TUN safely

  1. Open the settings area labeled Service, Kernel, or TUN (wording varies) and switch TUN mode on.
  2. Accept the driver installation dialog. If SmartScreen hesitates, verify the file hash against the release notes, then continue.
  3. Set the service mode to run at startup only after a successful manual test; otherwise a bad YAML on boot can lock you out until you safe-mode the config.
  4. Re-run your connectivity checks: browser IP, nslookup against a public resolver, and a quick ping to a domestic host that should stay on DIRECT per your rules.

If you live inside WSL2, remember that its Linux kernel reaches the network through a Hyper-V virtual switch. The Windows-side TUN adapter does not magically re-parent WSL traffic unless you also configure mirrored networking or per-distro proxies. That limitation trips up advanced users who expect one toggle to cover every subsystem.

macOS: helper tools, privacy prompts, and Apple silicon

macOS routes TUN traffic through a system extension or helper signed by the developer. Gatekeeper prompts are normal the first time. On Apple silicon Macs, Rosetta is not required for most Mihomo GUIs anymore, but you should still match the architecture when you download the DMG.

  1. Install Clash Verge Rev or ClashX Meta from the macOS section of the download page.
  2. Launch the app, open settings, enable TUN, and type your administrator password when macOS asks to install the helper.
  3. Open System Settings → Privacy & Security if the helper is blocked, then approve it manually.
  4. Verify DNS by running scutil --dns in Terminal; you should see the resolver list referencing Clash-controlled addresses when hijack is active.

Tip: Keep a second admin account or a hardware tethering path before you experiment with aggressive auto-route YAML on a laptop you need for work. Mis-routed defaults are easier to fix when you can still reach the network settings UI.

YAML knobs you will eventually touch

Graphical clients generate the tun: stanza for you, yet power users still edit YAML to tune stack (system vs gVisor), auto-route, strict-route, and interface names. A conservative starter profile often enables TUN, turns on dns-hijack for common DNS ports, and keeps IPv6 either disabled or explicitly handled—dual-stack surprises cause many "works in browser, fails in CLI" bugs.

Pair TUN with a sane dns section. Fake-ip mode is fast for domain-based rules but confuses some local services unless you maintain a rich fake-ip-filter. If you route everything through a remote resolver, remember latency doubles when queries travel twice. Our documentation hub links to deeper examples if you want copy-ready YAML fragments after you finish the conceptual map in this article.

DNS hijack, fake-ip, and the illusion of "global"

Capturing IP packets alone is not enough when applications resolve domain names before they connect. If DNS still goes to your ISP while TCP flows through Clash, split-brain results: GEOIP may see the wrong country, streaming rules misfire, and split-tunnel intranet pages may leak metadata. That is why Mihomo emphasizes unified DNS handling alongside TUN.

When hijack is on, Clash answers locally or forwards upstream according to your nameserver-policy. When hijack is off, some apps still work through TUN because they use hard-coded IPs, but user-visible oddities accumulate. Treat DNS configuration as half of the global-proxy story, not an optional appendix.
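As an added example (not a fragment from this page's documentation hub or from the Mihomo project), here is a conservative starter profile that ties the tun: knobs from the previous section to the unified DNS handling described here. The adapter name, fake-ip filter entries, and resolver addresses are illustrative placeholders to replace with your own.

```yaml
# Added starter fragment: TUN capture paired with Clash-owned DNS so that
# packet routing and name resolution apply the same rules. Values marked
# illustrative are placeholders, not project defaults.
tun:
  enable: true
  stack: system                 # system or gvisor; switch if one misbehaves
  device: Mihomo                # adapter name you will look for in Device Manager / ifconfig (illustrative)
  auto-route: true              # program the routes that steer traffic into the adapter
  auto-detect-interface: true   # pick the physical uplink for outbound traffic
  strict-route: true            # refuse flows that would bypass the tunnel; relax if LAN devices vanish
  dns-hijack:                   # pull plain DNS into Clash so domain rules see every query
    - any:53
    - tcp://any:53

dns:
  enable: true                  # required, otherwise hijacked queries have nowhere to go
  listen: 0.0.0.0:1053          # local listener the hijack redirects to
  ipv6: false                   # no AAAA answers unless your nodes really carry IPv6
  enhanced-mode: fake-ip        # fast domain matching; needs a filter for names that must stay real
  fake-ip-range: 198.18.0.1/16
  fake-ip-filter:               # local/service names that break on fake answers (illustrative)
    - "*.lan"
    - "*.local"
    - "+.msftconnecttest.com"
  default-nameserver:           # plain resolvers used only to look up the DoH hostnames below
    - 1.1.1.1
  nameserver:                   # upstreams for everything not matched by a policy (illustrative)
    - https://dns.google/dns-query
  nameserver-policy:            # keep domestic names on a domestic resolver so GEOIP stays sane
    "geosite:cn":
      - 223.5.5.5
```

With this pairing, a query from any process lands in the local listener whether or not the program honors proxy settings, so the "DNS still goes to the ISP" split-brain case does not arise.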

Troubleshooting the failures people actually hit

The entire network dies the moment TUN enables

Check elevation and driver state first. On Windows open Device Manager and confirm the Wintun adapter exists without a yellow warning triangle. On macOS open the Console app and filter for your client’s bundle ID. If routes were inserted but the userspace process crashed, rebooting clears stale interfaces faster than toggling random switches.

Only foreign sites break while domestic CDNs are fast

You probably lack a balanced DIRECT path for domestic IP ranges. Audit your rule providers and confirm that streaming or download domains you want local are not accidentally pinned to a congested overseas node. TUN magnifies bad rules because more traffic actually traverses them.

DNS works in Safari but not in Terminal

Terminal utilities typically resolve names through the libc resolver, which behaves differently from WebKit's networking stack. Align /etc/resolv.conf behavior with the hijack design you chose, or set explicit DoH inside the tools you care about. Mixed mode is workable but requires discipline.

UDP games connect but voice chat drops

UDP is not a monolith. Some voice stacks need consistent symmetric NAT behavior. Try another node, disable unnecessary UDP relay features, or test with system proxy off so only TUN owns the flow. Capture a short Mihomo debug log; look for repeated timeout lines on the same destination port.

Closing thought: global does not mean careless

TUN mode is the closest Clash-style tools come to whole-device policy routing without shipping a separate kernel module per vendor. Used well, it ends the cat-and-mouse game of applications ignoring proxies. Used blindly, it becomes a magnifying glass pointed at every typo in your YAML.

The sustainable approach is incremental: verify under system proxy, enable TUN during a maintenance window, keep backups of working configs, and document any corporate constraints before you push routes to interns. Modern Mihomo clients make that workflow approachable, especially when you pair them with curated rule sets and realistic DNS plans.

Compared with chasing per-app SOCKS hooks, a maintained TUN stack usually feels calmer once it is dialed in: fewer mystery leaks, clearer logs, and one place to adjust when your provider rotates endpoints. When you are ready to standardize on a build that receives regular patches, download Clash for free from our official page and experience the difference for yourself.