clash/docs/premium/tun-device.md

2.9 KiB

sidebarTitle sidebarOrder
Feature: TUN Device 2

TUN Device

The Premium core has out-of-the-box support of TUN device. Being a Network layer device, it can be used to handle TCP, UDP, ICMP traffic. It has been extensively tested and used in production environments - you can even play competitive games with it.

One of the biggest advantage of using Clash TUN is the built-in support of the automagic management of the route table, routing rules and nftable. You can enable it with the options tun.auto-route and tun.auto-redir. It's a drop-in replacement of the ancient configuration option redir-port (TCP) for the sake of easier configuration and better stability.

::: tip tun.auto-route is only available on macOS, Windows, Linux and Android, and only receives IPv4 traffic. tun.auto-redir is only available on Linux(needs netlink support in the kernel). :::

There are two options of TCP/IP stack available: system or gvisor. In order to get the best performance available, we recommend that you always use system stack unless you have a specific reason or compatibility issue to use gvisor. If that's the case, do not hesitate to submit an issue.

Technical Limitations

  • For Android, the control device is at /dev/tun instead of /dev/net/tun, you will need to create a symbolic link first (i.e. ln -sf /dev/tun /dev/net/tun)

  • DNS hijacking might result in a failure, if the system DNS is at a private IP address (since auto-route does not capture private network traffic).

Linux, macOS or Android

This is an example configuration of the TUN feature:

interface-name: en0 # conflict with `tun.auto-detect-interface`

tun:
  enable: true
  stack: system # or gvisor
  # dns-hijack:
  #   - 8.8.8.8:53
  #   - tcp://8.8.8.8:53
  #   - any:53
  #   - tcp://any:53
  auto-route: true # manage `ip route` and `ip rules`
  auto-redir: true # manage nftable REDIRECT
  auto-detect-interface: true # conflict with `interface-name`

Be advised, since the use of TUN device and manipulation of system route/nft settings, Clash will need superuser privileges to run.

sudo ./clash

If your device already has some TUN device, Clash TUN might not work - you will have to check the route table and routing rules manually. In this case, fake-ip-filter may helpful as well.

Windows

You will need to visit the WinTUN website and download the latest release. After that, copy wintun.dll into Clash home directory. Example configuration:

tun:
  enable: true
  stack: gvisor # or system
  dns-hijack:
    - 198.18.0.2:53 # when `fake-ip-range` is 198.18.0.1/16, should hijack 198.18.0.2:53
  auto-route: true # auto set global route for Windows
  # It is recommended to use `interface-name`
  auto-detect-interface: true # auto detect interface, conflict with `interface-name`