Go to file
2020-02-15 21:42:46 +08:00
.github Chore: add issue templates 2020-02-14 19:16:43 +08:00
adapters Feature: add default-nameserver and outbound interface 2020-02-15 21:42:46 +08:00
common Fix: use the fastest whether the result is successful 2020-02-14 16:36:20 +08:00
component Feature: add default-nameserver and outbound interface 2020-02-15 21:42:46 +08:00
config Feature: add default-nameserver and outbound interface 2020-02-15 21:42:46 +08:00
constant Fix: should prehandle metadata before resolve 2020-02-07 20:53:43 +08:00
dns Feature: add default-nameserver and outbound interface 2020-02-15 21:42:46 +08:00
docs Update: README.md logo and badges 2018-06-23 00:44:28 +08:00
hooks Fix: add docker hub pre build 2020-01-30 17:25:55 +08:00
hub Feature: add default-nameserver and outbound interface 2020-02-15 21:42:46 +08:00
log Feature(API): logs and traffic support websocket 2019-07-12 15:44:12 +08:00
proxy Feature: add default-nameserver and outbound interface 2020-02-15 21:42:46 +08:00
rules Chore: aggregate mmdb (#474) 2020-01-11 21:07:01 +08:00
tunnel Feature: add default-nameserver and outbound interface 2020-02-15 21:42:46 +08:00
.gitignore Optimization: socks UDP & fix typo (#261) 2019-08-12 14:01:32 +08:00
Dockerfile Migration: change geoip address 2019-12-31 12:30:42 +08:00
Dockerfile.arm32v7 Fix: qemu permission 2020-01-30 21:19:51 +08:00
Dockerfile.arm64v8 Fix: qemu permission 2020-01-30 21:19:51 +08:00
go.mod Chore: update dependencies 2020-01-01 18:30:26 +08:00
go.sum Chore: update dependencies 2020-01-01 18:30:26 +08:00
LICENSE License: use GPL 3.0 2019-10-18 11:12:35 +08:00
main.go Chore: aggregate logger 2019-12-20 17:22:24 +08:00
Makefile Chore(build): add mipsle-softfloat (#240) 2019-07-26 18:45:50 +08:00
README.md Feature: add default-nameserver and outbound interface 2020-02-15 21:42:46 +08:00


A rule-based tunnel in Go.

Github Actions


  • Local HTTP/HTTPS/SOCKS server
  • GeoIP rule support
  • Supports Vmess, Shadowsocks, Snell and SOCKS5 protocol
  • Supports Netfilter TCP redirecting
  • Comprehensive HTTP API


Clash Requires Go >= 1.13. You can build it from source:

$ go get -u -v github.com/Dreamacro/clash

Pre-built binaries are available here: release

Pre-built TUN mode binaries are available here: TUN release

Check Clash version with:

$ clash -v


Unfortunately, there is no native and elegant way to implement daemons on Golang.

So we can use third-party daemon tools like PM2, Supervisor or the like.

In the case of pm2, we can start the daemon this way:

$ pm2 start clash

If you have Docker installed, you can run clash directly using docker-compose.

Run clash in docker


The default configuration directory is $HOME/.config/clash.

The name of the configuration file is config.yaml.

If you want to use another directory, use -d to control the configuration directory.

For example, you can use the current directory as the configuration directory:

$ clash -d .
This is an example configuration file (click to expand)
# port of HTTP
port: 7890

# port of SOCKS5
socks-port: 7891

# redir port for Linux and macOS
# redir-port: 7892

allow-lan: false

# Only applicable when setting allow-lan to true
# "*": bind all IP addresses
# bind a single IPv4 address
# "[aaaa::a8aa:ff:fe09:57d8]": bind a single IPv6 address
# bind-address: "*"

# Rule / Global/ Direct (default is Rule)
mode: Rule

# set log level to stdout (default is info)
# info / warning / error / debug / silent
log-level: info

# RESTful API for clash

# you can put the static web resource (such as clash-dashboard) to a directory, and clash would serve in `${API}/ui`
# input is a relative path to the configuration directory or an absolute path
# external-ui: folder

# Secret for RESTful API (Optional)
# secret: ""

# experimental feature
  ignore-resolve-fail: true # ignore dns resolve fail, default value is true
  # interface-name: en0 # outbound interface name

# authentication of local SOCKS5/HTTP(S) server
# authentication:
#  - "user1:pass1"
#  - "user2:pass2"

# # experimental hosts, support wildcard (e.g. *.clash.dev Even *.foo.*.example.com)
# # static domain has a higher priority than wildcard domain (foo.example.com > *.example.com)
# hosts:
#   '*.clash.dev':
#   'alpha.clash.dev': '::1'

# dns:
  # enable: true # set true to enable dns (default is false)
  # ipv6: false # default is false
  # listen:
  # # default-nameserver: # resolve dns nameserver host, should fill pure IP
  # #   -
  # #   -
  # enhanced-mode: redir-host # or fake-ip
  # # fake-ip-range: # if you don't know what it is, don't change it
  # fake-ip-filter: # fake ip white domain list
  #   - '*.lan'
  #   - localhost.ptlogin2.qq.com
  # nameserver:
  #   -
  #   - tls://dns.rubyfish.cn:853 # dns over tls
  #   - # dns over https
  # fallback: # concurrent request with nameserver, fallback used when GEOIP country isn't CN
  #   - tcp://
  # fallback-filter:
  #   geoip: true # default
  #   ipcidr: # ips in these subnets will be considered polluted
  #     -

  # shadowsocks
  # The supported ciphers(encrypt methods):
  #   aes-128-gcm aes-192-gcm aes-256-gcm
  #   aes-128-cfb aes-192-cfb aes-256-cfb
  #   aes-128-ctr aes-192-ctr aes-256-ctr
  #   rc4-md5 chacha20-ietf xchacha20
  #   chacha20-ietf-poly1305 xchacha20-ietf-poly1305
  - name: "ss1"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    # udp: true

  # old obfs configuration format remove after prerelease
  - name: "ss2"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: obfs
      mode: tls # or http
      # host: bing.com

  - name: "ss3"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: v2ray-plugin
      mode: websocket # no QUIC now
      # tls: true # wss
      # skip-cert-verify: true
      # host: bing.com
      # path: "/"
      # mux: true
      # headers:
      #   custom: value

  # vmess
  # cipher support auto/aes-128-gcm/chacha20-poly1305/none
  - name: "vmess"
    type: vmess
    server: server
    port: 443
    uuid: uuid
    alterId: 32
    cipher: auto
    # udp: true
    # tls: true
    # skip-cert-verify: true
    # network: ws
    # ws-path: /path
    # ws-headers:
    #   Host: v2ray.com

  # socks5
  - name: "socks"
    type: socks5
    server: server
    port: 443
    # username: username
    # password: password
    # tls: true
    # skip-cert-verify: true
    # udp: true

  # http
  - name: "http"
    type: http
    server: server
    port: 443
    # username: username
    # password: password
    # tls: true # https
    # skip-cert-verify: true

  # snell
  - name: "snell"
    type: snell
    server: server
    port: 44046
    psk: yourpsk
    # obfs-opts:
      # mode: http # or tls
      # host: bing.com

Proxy Group:
  # url-test select which proxy will be used by benchmarking speed to a URL.
  - name: "auto"
    type: url-test
      - ss1
      - ss2
      - vmess1
    url: 'http://www.gstatic.com/generate_204'
    interval: 300

  # fallback select an available policy by priority. The availability is tested by accessing an URL, just like an auto url-test group.
  - name: "fallback-auto"
    type: fallback
      - ss1
      - ss2
      - vmess1
    url: 'http://www.gstatic.com/generate_204'
    interval: 300

  # load-balance: The request of the same eTLD will be dial on the same proxy.
  - name: "load-balance"
    type: load-balance
      - ss1
      - ss2
      - vmess1
    url: 'http://www.gstatic.com/generate_204'
    interval: 300

  # select is used for selecting proxy or proxy group
  # you can use RESTful API to switch proxy, is recommended for use in GUI.
  - name: Proxy
    type: select
      - ss1
      - ss2
      - vmess1
      - auto

  - DOMAIN-SUFFIX,google.com,auto
  - DOMAIN-KEYWORD,google,auto
  - DOMAIN,google.com,auto
  # rename SOURCE-IP-CIDR and would remove after prerelease
  # optional param "no-resolve" for IP rules (GEOIP IP-CIDR)
  # FINAL would remove after prerelease
  # you also can use `FINAL,Proxy` or `FINAL,,Proxy` now
  - MATCH,auto









FOSSA Status


  • Complementing the necessary rule operators
  • Redir proxy
  • UDP support
  • Connection manager
  • Event API