What is TUN Mode: From App Proxy to System Proxy
In the traditional proxy landscape, we often rely on browser-level settings (HTTP/SOCKS5) or system environment variables to route traffic. While effective for simple web browsing, this approach frequently falls short. Many applications—ranging from command-line tools and terminal utilities to gaming clients and background services—simply do not respect system proxy environment variables. This creates the infamous "browser works, terminal fails" scenario that has plagued users for years.
TUN Mode (TUN Device Mode) is the definitive solution to this problem. Unlike application-layer proxying, TUN mode operates at the OS kernel level by creating a virtual network interface (a TUN interface). Once enabled, the operating system treats this virtual NIC as a real physical connection. All network packets flowing through the kernel are routed through this interface. Clash then intercepts these Layer 3 (IP layer) packets, analyzes them against your rule set, and forwards them accordingly.
The shift from application-specific proxying to system-wide transparent proxying represents a fundamental change in how we manage connectivity. It moves the complexity away from the user and into the network stack, providing a seamless experience where "everything just works." Whether you are running a Docker container, a legacy enterprise app, or a modern multiplayer game, TUN mode ensures they all follow your defined routing rules without any manual intervention.
How It Works: Virtual NICs and Layer 3 Interception
To truly appreciate TUN mode, one must understand the journey of a network packet within the operating system.
When an application attempts to access the internet, it constructs a packet and hands it to the kernel. In a standard setup, the kernel consults the routing table and dispatches the packet to a physical network card, such as your Wi-Fi or Ethernet adapter.
When TUN mode is activated, Clash performs a sophisticated "interception" maneuver:
- Virtual Device Creation: Clash requests the kernel to allocate a TUN character device and assigns it a private IP range.
- Routing Table Modification: Clash modifies the system routing table, directing the default route (0.0.0.0/0) to the new virtual device.
- Packet Capture: Instead of reaching the physical adapter, packets are routed into the TUN device. Clash, acting as a user-space program, reads these raw IP packets directly from the device's file descriptor.
- Protocol Stack Reassembly: Clash contains a lightweight TCP/IP protocol stack implementation. It reassembles the raw packets back into logical connections, applies your filtering rules, and forwards the data through the appropriate proxy node.
This process involves a constant "handshake" between kernel space and user space. While this introduces a slight overhead compared to direct physical routing, modern hardware and optimized cores like Clash.Meta (mihomo) have reduced this latency to negligible levels. The result is a robust, fail-safe mechanism that captures all traffic, regardless of the source application.
System Proxy vs. TUN Mode: A Deep Comparison
Choosing between a standard system proxy and TUN mode depends on your specific use case. Here is a breakdown of how they compare across several critical dimensions:
| Dimension | System Proxy (HTTP/SOCKS5) | TUN Mode (Layer 3) |
|---|---|---|
| Scope | Only proxy-aware apps | System-wide (Full Stack) |
| UDP Support | Limited (requires SOCKS5/support) | Native & Complete |
| DNS Interception | Depends on browser/app settings | Forced interception of all requests |
| Resource Usage | Very Low | Moderate (Kernel/User space copies) |
| Setup Difficulty | Simple | Requires Admin/Root privileges |
| Gaming Compatibility | Poor (requires extra tools) | Excellent for all games |
Standard proxies are lightweight and perfect for web surfing. However, if you are a developer using terminal tools (git, curl, npm), a gamer requiring low-latency UDP, or someone who wants to ensure that no traffic leaks through unencrypted channels, TUN mode is the clear winner. It provides a level of certainty and coverage that application-level proxies simply cannot match.
Hands-on Config: Achieving Ultimate Transparency
In the Clash.Meta (mihomo) core—the foundation of modern Clash clients like Clash V.CORE—TUN mode has been significantly enhanced. To get the most out of it, you need a configuration that prioritizes both performance and leak prevention. Here is a recommended "Best Practice" configuration snippet for your config.yaml:
tun:
enable: true
stack: mixed # The recommended stack for most users
auto-route: true # Automatically sets system routes to intercept all traffic
auto-detect-interface: true # Detects physical outbound NIC to prevent routing loops
dns-hijack:
- 'any:53' # Hijacks all DNS requests directed to port 53
strict-route: true # Prevents traffic from bypassing the TUN interface
device: Meta # Custom name for the virtual network interface
mtu: 1500 # Default MTU, can be adjusted for specific network environments
udp-timeout: 60 # Seconds before an idle UDP connection is closed
Enabling auto-route and strict-route is essential for a true transparent proxy. auto-route ensures you don't have to manually mess with your OS routing table, while strict-route acts as a firewall, ensuring that no application can find a way to bypass the tunnel and connect to the internet directly. This is particularly important on Windows and macOS, where the OS often tries to "optimize" routes by finding shortcuts.
Stack Selection: System, gVisor, and Mixed
The stack field is perhaps the most critical setting in TUN mode. It determines the underlying implementation Clash uses to handle the intercepted IP packets. Choosing the right one is key to balancing compatibility and performance:
- System: Utilizes the operating system's native network stack. This offers the highest compatibility with existing drivers and software. However, it can be less efficient at handling a high volume of short-lived connections and may have inconsistent UDP performance on certain versions of Windows or Linux.
- gVisor: A user-space network stack originally developed by Google. It parses packets entirely in user space, offering superior security and precise control over every connection state. It is incredibly stable for UDP but comes with a slightly higher CPU cost due to the intensive processing required in user space.
- Mixed: As the name suggests, this is the modern, recommended choice. It intelligently routes TCP traffic through an efficient kernel-based mechanism (or similar high-performance path) while handing off complex UDP traffic to the gVisor-inspired module. This provides the best of both worlds: high throughput for downloads and low latency for gaming and VoIP.
Avoiding Pitfalls: DNS Leaks and Bypassing
A common misconception is that simply turning on TUN mode makes your connection 100% private. In reality, without proper DNS configuration, you may suffer from DNS Leaks. This occurs when your browser or OS sends DNS queries to your local ISP's servers outside the proxy tunnel. Your traffic might be encrypted, but your ISP still knows exactly which websites you are visiting.
To eliminate DNS leaks, we highly recommend using fake-ip mode. In this mode, when an app asks for an IP for a domain, Clash immediately returns a "fake" IP from a reserved range (e.g., 198.18.x.x). The app connects to this fake IP, the traffic hits the TUN interface, and Clash resolves the actual domain internally through its own encrypted DNS settings before forwarding the traffic to your proxy node.
dns:
enable: true
enhanced-mode: fake-ip
nameserver:
- 'https://dns.google/dns-query'
- 'https://1.1.1.1/dns-query'
fallback:
- 'tls://8.8.8.8:853'
- 'tls://1.1.1.1:853'
fake-ip-range: 198.18.0.1/16This setup ensures that no real DNS resolution ever happens on your local machine's OS stack. Everything is contained within the Clash process, providing total privacy and preventing ISP-level hijacking or logging.
Performance Optimization Tips
For power users with high-speed connections (Gbit fiber, 4K streaming), small tweaks can yield significant performance gains:
- TCP Concurrent: Enable
tcp-concurrent: trueto speed up the establishment of new connections by trying multiple paths simultaneously. - MTU Tuning: If you experience "half-loaded" pages or dropped connections, try lowering your
mtuto 1400 or 1350. This can solve issues related to packet fragmentation in certain ISP environments or VPN-over-VPN scenarios. - Core Selection: Ensure you are using the latest version of the mihomo core. Clash V.CORE, for instance, utilizes a highly optimized version of this core with enhanced TUN read/write buffers, significantly reducing the CPU overhead associated with high-speed data transfers.
- Kernel Memory Optimization: On Linux, adjusting
sysctlparameters for network buffers (rmem/wmem) can further improve throughput when the TUN interface is under heavy load.
Conclusion: The Future of Seamless Proxying
TUN mode represents the pinnacle of modern proxy technology. It bridges the gap between simple browser-based tools and full-scale enterprise VPNs, offering a "set it and forget it" experience that covers your entire digital life. While the underlying technology is complex and requires administrative privileges to set up, the benefits of universal compatibility and total traffic control are undeniable.
Whether you are a developer looking to fix terminal connectivity, a gamer seeking low-latency global servers, or a privacy advocate ensuring every packet is encrypted, TUN mode is your best ally. It transforms Clash from a simple proxy tool into a powerful, system-wide network gateway.
If you're looking for a client that masters TUN mode while hiding the complexity of YAML files behind a beautiful, intuitive interface, Clash V.CORE is built for you. It brings these advanced network-layer capabilities to your fingertips with a single click.
→ Download Clash V.CORE now and experience true transparent proxying.