Go to file
2021-11-03 15:02:40 +08:00
.github Merge from remote branch 2021-10-28 11:36:11 +08:00
adapter Merge from remote branch 2021-10-28 11:36:11 +08:00
common Style: use gofumpt for fmt 2021-10-10 23:44:09 +08:00
component Chore: move "geodata" to package "component" 2021-11-02 18:23:01 +08:00
config Merge from remote branch 2021-10-28 11:36:11 +08:00
constant Merge from remote branch 2021-10-28 11:36:11 +08:00
context Refactor: plain http proxy (#1443) 2021-06-15 17:13:40 +08:00
dns Merge from remote branch 2021-10-28 11:36:11 +08:00
docs Update: README.md logo and badges 2018-06-23 00:44:28 +08:00
hub Wintun: use new swdevice-based API for upcoming Wintun 0.14 2021-11-03 15:02:40 +08:00
listener Wintun: use new swdevice-based API for upcoming Wintun 0.14 2021-11-03 15:02:40 +08:00
log Merge from remote branch 2021-10-28 11:36:11 +08:00
rule Chore: move "geodata" to package "component" 2021-11-02 18:23:01 +08:00
test Merge from remote branch 2021-10-28 11:36:11 +08:00
transport Merge from remote branch 2021-10-28 11:36:11 +08:00
tunnel Merge from remote branch 2021-10-28 11:36:11 +08:00
.gitignore Chore: contexify ProxyAdapter ListenPacket 2021-10-15 21:44:53 +08:00
Dockerfile Chore: standardized Dockerfile label (#1191) 2021-01-20 16:08:24 +08:00
go.mod Wintun: use new swdevice-based API for upcoming Wintun 0.14 2021-11-03 15:02:40 +08:00
go.sum Wintun: use new swdevice-based API for upcoming Wintun 0.14 2021-11-03 15:02:40 +08:00
LICENSE License: use GPL 3.0 2019-10-18 11:12:35 +08:00
main.go Chore: version fmt 2021-10-28 12:55:40 +08:00
Makefile Merge from remote branch 2021-10-28 11:36:11 +08:00
README.md Wintun: use new swdevice-based API for upcoming Wintun 0.14 2021-11-03 15:02:40 +08:00

Clash
Clash

A rule-based tunnel in Go.

Github Actions

Features

  • Local HTTP/HTTPS/SOCKS server with authentication support
  • VMess, Shadowsocks, Trojan, Snell protocol support for remote connections
  • Built-in DNS server that aims to minimize DNS pollution attack impact, supports DoH/DoT upstream and fake IP.
  • Rules based off domains, GEOIP, IPCIDR or Process to forward packets to different nodes
  • Remote groups allow users to implement powerful rules. Supports automatic fallback, load balancing or auto select node based off latency
  • Remote providers, allowing users to get node lists remotely instead of hardcoding in config
  • Netfilter TCP redirecting. Deploy Clash on your Internet gateway with iptables.
  • Comprehensive HTTP RESTful API controller

Getting Started

Documentations are now moved to GitHub Wiki.

Advanced usage for this branch

TUN configuration

Supports macOS, Linux and Windows.

On Windows, you should download the Wintun driver and copy wintun.dll into Clash home directory.

# Enable the TUN listener
tun:
  enable: true
  stack: system # system or gvisor
  dns-listen: 0.0.0.0:53 # additional dns server listen on TUN
  auto-route: true # auto set global route

Rules configuration

  • Support rule GEOSITE.
  • Support multiport condition for rule SRC-PORT and DST-PORT.
  • Support not match condition for rule GEOIP.
  • Support network condition for all rules.
  • Support source IPCIDR condition for all rules, just append to the end.

The GEOSITE databases via https://github.com/Loyalsoldier/v2ray-rules-dat.

rules:
  # network condition for all rules
  - DOMAIN-SUFFIX,bilibili.com,DIRECT,tcp
  - DOMAIN-SUFFIX,bilibili.com,REJECT,udp
    
  # multiport condition for rules SRC-PORT and DST-PORT
  - DST-PORT,123/136/137-139,DIRECT,udp
  
  # rule GEOSITE
  - GEOSITE,category-ads-all,REJECT
  - GEOSITE,icloud@cn,DIRECT
  - GEOSITE,apple@cn,DIRECT
  - GEOSITE,apple-cn,DIRECT
  - GEOSITE,microsoft@cn,DIRECT
  - GEOSITE,facebook,PROXY
  - GEOSITE,youtube,PROXY
  - GEOSITE,geolocation-cn,DIRECT
  - GEOSITE,gfw,PROXY
  - GEOSITE,greatfire,PROXY
  #- GEOSITE,geolocation-!cn,PROXY

  - GEOIP,telegram,PROXY,no-resolve
  - GEOIP,private,DIRECT,no-resolve
  - GEOIP,cn,DIRECT
    
  # Not match condition for rule GEOIP
  #- GEOIP,!cn,PROXY
    
  # source IPCIDR condition for all rules in gateway proxy
  #- GEOIP,!cn,PROXY,192.168.1.88/32,192.168.1.99/32

  - MATCH,PROXY

Proxies configuration

Support outbound transport protocol VLESS.

The XTLS only support TCP transport by the XRAY-CORE.

proxies:
  - name: "vless-tcp"
    type: vless
    server: server
    port: 443
    uuid: uuid
    network: tcp
    servername: example.com # AKA SNI
    # flow: xtls-rprx-direct # xtls-rprx-origin  # enable XTLS
    # skip-cert-verify: true
    
  - name: "vless-ws"
    type: vless
    server: server
    port: 443
    uuid: uuid
    udp: true
    network: ws
    servername: example.com # priority over wss host
    # skip-cert-verify: true
    ws-path: /path
    ws-headers:
      Host: example.com

IPTABLES auto-configuration

Only work on Linux OS who support iptables, Clash will auto-configuration iptables for tproxy listener when tproxy-port value isn't zero.

If TPROXY is enabled, the TUN must be disabled.

# Enable the TPROXY listener
tproxy-port: 9898
# Disable the TUN listener
tun:
  enable: false

Create user given name clash.

Run Clash by user clash as a daemon.

Create the systemd configuration file at /etc/systemd/system/clash.service:

[Unit]
Description=Clash daemon, A rule-based proxy in Go.
After=network.target

[Service]
Type=simple
User=clash
Group=clash
CapabilityBoundingSet=cap_net_admin
AmbientCapabilities=cap_net_admin
Restart=always
ExecStart=/usr/local/bin/clash -d /etc/clash

[Install]
WantedBy=multi-user.target

Launch clashd on system startup with:

$ systemctl enable clash

Launch clashd immediately with:

$ systemctl start clash

Display Process name

Add field Process to Metadata and prepare to get process name for Restful API GET /connections.

To display process name in GUI please use https://yaling888.github.io/yacd/.

Premium Release

Release

Development

If you want to build an application that uses clash as a library, check out the the GitHub Wiki

Credits

License

This software is released under the GPL-3.0 license.

FOSSA Status