Having Issues?
Find Answers Here.

This is a false positive, not a virus. Open-source clients like Clash Verge Rev and FlClash haven't purchased expensive code signing certificates, causing some antivirus software to flag them as "Unknown Source".

Solution: Add the installation directory to your antivirus whitelist, or go to Windows Security → Virus & threat protection → Exclusions → Add a folder.

Common reasons and solutions:

• Missing WebView2 Runtime (Windows 10 users): Visit the official Microsoft website to download and install the Microsoft Edge WebView2 Runtime.
• Silently blocked by antivirus: Check your antivirus quarantine, restore the files, and add them to the whitelist.
• Path contains non-English characters or special symbols: Move the installation package to a pure English path (e.g., C:\Apps) before running.
• Residual processes from an old version: Open Task Manager, end all Clash-related processes, and try again.

This is a macOS Gatekeeper security prompt. Temporary workaround:

• Locate the app in Finder, Right-click → Open (do not double-click), and click "Open" in the popup dialog.
• Or go to System Preferences → Privacy & Security, find the blocked app, and click "Open Anyway".

Android does not allow installation of APKs outside the Play Store by default. You need to enable installation permissions for your browser/file manager in Settings → Security → Unknown Sources (or "Install Unknown Apps"). You can disable this after installation.

Some domestic ROMs (MIUI, ColorOS, etc.) have independent Security Centers. Find "Pure Mode" or "Virus Scan" and disable it temporarily.

Clash-related apps are removed from the China App Store due to policy. You must switch to a non-mainland Apple ID (e.g., US, HK) to download Shadowrocket or Stash.

• Sign out of your current Apple ID in "Settings → Your Name → Media & Purchases".
• Open the App Store, tap your profile icon, and sign in with your overseas Apple ID.
• Search for and purchase Shadowrocket ($2.99) or Stash (subscription-based).
• After downloading, you can switch back to your China ID; purchased apps will not be affected.

The most common reason is that the proxy mode is not correctly set to System Proxy. Check list:

• Ensure the "System Proxy" switch is ON in the client, not just the core running.
• Check if the proxy mode is set to "Rule" or "Global"; Direct mode bypasses the proxy.
• In the "Proxy" or "Nodes" panel, confirm you've selected a valid node with a specific latency number rather than timeout.
• Use the client's built-in "Test Connection" feature (usually pinging google.com) to confirm node reachability.

Timeouts across all nodes usually indicate one of the following:

• Subscription expired or nodes invalidated: Contact your service provider to update your subscription.
• Local firewall blocking: Windows Defender or third-party security software is blocking outbound connections. Add the Clash process to the allowlist.
• Port blocked by ISP: Try switching node protocols or ports (e.g., 443, 8443).
• System time deviation: Some protocols (like VMess) require system time error to be < 90 seconds. Calibrate your system time and try again.

Established TCP connections won't drop immediately when switching nodes; they close naturally (usually within seconds). To take effect immediately:

Go to the "Connections" page in the client and click "Close All Connections". New requests will use the new node.

If the client crashes or exits abnormally, it might not have cleared the system proxy settings, leaving the proxy pointing to a closed port.

• Reopen the Clash client, turn off "System Proxy", and then exit normally.
• Or clear manually: Windows → Settings → Network & Internet → Proxy → Turn off "Use a proxy server". macOS → System Preferences → Network → Advanced → Proxies, uncheck all options.

System Proxy (HTTP/HTTPS/SOCKS5) only affects programs that read system proxy settings, such as browsers. Most games, CLI tools (git, curl, pip), and UDP traffic bypass it.

Solution: Enable TUN Mode to capture all traffic (including TCP/UDP) at the network layer. Games and CLI tools will then be proxied. See TUN Mode Tutorial.

Common reasons:

• Incompatible format: Some providers offer V2Ray or Surge formats; Clash requires YAML. Use subscription conversion tools (Sub-Converter) to convert to Clash format.
• Expired link: Subscription URLs can expire. Regenerate the link in your provider's control panel.
• Network unable to reach subscription URL: Subscription servers are often overseas. Use a direct connection, another proxy, or the "Proxy Update" feature during updates.

Auto-update requires the client to run continuously in the background. Check these settings:

• Ensure "Start on Boot" is enabled and the background process isn't being terminated by the system.
• Android: Disable "Battery Optimization" (Battery → Clash App → No Restrictions) to prevent the system from killing the process.
• iOS: System limits prevent background updates; we recommend manual updates before each use.

Clash supports consolidating multiple subscriptions via Profile Merge:

• Use a subscription conversion tool (like sub-web), enter multiple URLs, and output the merged Clash YAML.
• Or use the "Override" feature in the client to reference multiple remote config fragments (YAML Merge).

TUN Mode requires Admin / Root privileges to create virtual network cards:

• Windows: Right-click the Clash Verge Rev icon → Run as Administrator, or enable "Admin Mode" in settings for auto-elevation.
• macOS: A system permission request will pop up when first enabled; click allow and enter your login password.
• Android / iOS: The app will request VPN permissions; the system handles it automatically—no root needed.
• Linux: Run the core with sudo, or configure setcap cap_net_admin+ep.

TUN captures all network traffic; improper configuration can lead to routing loops or DNS circular dependencies.

• Confirm dns.enable: true in the config and dns.enhanced-mode is set to fake-ip or redir-host.
• Check if tun.dns-hijack includes any:53 to avoid resolution failure from uncaptured DNS traffic.
• Disable TUN Mode: Network should restore immediately. If not, restart your network adapter or device.

Both TUN and VPNs capture system traffic via virtual network cards; running both simultaneously will cause conflicts. Choose one.

If you need an enterprise VPN (e.g., Cisco AnyConnect) at the same time: Add the VPN address ranges to Clash's Direct list (RULE-SET or IP-CIDR → DIRECT), disable TUN, and use System Proxy mode instead.

Latency ≠ Throughput. Low latency only means fast handshakes; actual bandwidth depends on:

• Provider throttling: Speed might be limited after exceeding data caps; contact your provider.
• Overloaded nodes: Too many users on one node during peak hours; switch to a lower-load node in the same region.
• Local network bottlenecks: Poor WiFi signal or insufficient ISP bandwidth; test with a wired connection.
• Protocol overhead: Some protocols (like trojan-go) are more efficient than VMess; try switching.

High CPU usage is typically caused by:

• Large rule sets: Matching efficiency drops with tens of thousands of rules; simplify the set or use rule-providers for lazy loading.
• DNS request storms: Multiple DNS servers with long timeouts; reduce nameserver count or enable dns.cache.
• TUN Mode + Heavy UDP: Video conferencing or gaming generates significant UDP traffic—this is normal; try reducing TUN MTU.
• Logging level too high: Change the log level from debug to info or warning.

Clash has several built-in auto-selection policies:

• url-test: Regularly tests all nodes and automatically selects the one with the lowest latency. Set type: url-test in the policy group.
• fallback: Automatically switches to a backup node if the primary is unavailable.
• load-balance: Distributes traffic across multiple nodes, ideal for high-bandwidth needs.

We recommend manually triggering a "Speed Test" in the "Proxy" panel to confirm node availability before configuring url-test auto-selection.

YAML is extremely indentation-sensitive. Common errors:

• Using Tabs instead of spaces—YAML only allows spaces.
• Using full-width colons ： instead of standard colons :, or using smart quotes.
• String values containing special characters (: # @) aren't enclosed in quotes.
• Inconsistent indentation of list items (-) compared to their parent field.

We recommend using VS Code with the YAML extension or an online YAML validator (yaml.lint) to check your config.

Add direct rules in the rules section of your configuration file. Rules are prioritized from top to bottom, so they must be placed before general rules:

Direct by domain: DOMAIN-SUFFIX,example.com,DIRECT
Direct by IP range: IP-CIDR,192.168.0.0/16,DIRECT
Direct by process name (Desktop only): PROCESS-NAME,WeChat,DIRECT

You can also add rules graphically using the "Override" feature in the client without manually editing the YAML file.

fake-ip: DNS returns a fake IP (198.18.x.x), and domain info is sent directly to the remote end for resolution. This offers lower latency and fewer DNS leaks, making it the recommended mode.

redir-host: DNS is resolved locally first, and then traffic is forwarded based on IP matching. This has better compatibility but risks DNS leaks—suitable for scenarios requiring precise IP rule matching.

The Clash core provides a RESTful API. Once enabled in your config, any compatible dashboard can take over control:

Add this to config.yaml:

external-controller: 127.0.0.1:9090
secret: your_password (optional)
external-ui: /path/to/dashboard (local UI directory, optional)

Then visit http://127.0.0.1:9090/ui to open the Dashboard, or use an online version of Yacd (http://yacd.haishan.me) and enter your API address.