Clash for Linux: A Comprehensive Guide
Clash for Linux, often referred to simply as “Clash,” is a powerful, rule-based network proxy client built in Go. It’s a popular choice for Linux users seeking advanced control over their internet traffic, allowing for complex routing, filtering, and proxying based on various criteria. Unlike traditional VPNs, Clash offers granular control, enabling users to define specific rules for different applications, domains, and IP addresses. This guide provides a comprehensive overview of Clash for Linux, covering installation, configuration, usage, and advanced features.
Key Features and Benefits:
- Rule-Based Routing: The core strength of Clash. You define rules that dictate how different network requests are handled (e.g., direct connection, proxy through a specific server, block the request). The examples below are written in shorthand; the `rules` section of the sample configuration later in this guide shows the `TYPE,value,target` syntax used in `config.yaml`. Rules can be based on:
  - Domain: `domain:example.com, proxy:US_SERVER`.
  - Domain Suffix: `domain-suffix:netflix.com, proxy:US_SERVER`.
  - Domain Keyword: `domain-keyword:google, proxy:DIRECT`.
  - IP CIDR: `ip-cidr:192.168.1.0/24, proxy:DIRECT` (local network).
  - GEOIP: `geoip:CN, proxy:DIRECT` (connections originating from China).
  - User-Agent: `user-agent:curl/*, proxy:DIRECT`.
  - Process Name: `process-name:firefox, proxy:DIRECT` (Experimental & Linux-only feature).
- Multiple Proxy Protocols: Supports various proxy protocols including:
  - Shadowsocks (SS): A popular obfuscation protocol.
  - ShadowsocksR (SSR): An extension of Shadowsocks with additional features (though less commonly used now).
  - Vmess: A protocol used by V2Ray.
  - Trojan: A newer protocol designed for better censorship circumvention.
  - Socks5: A general-purpose proxy protocol.
  - HTTP(S): Standard HTTP and HTTPS proxies.
  - Snell: Another relatively new protocol.
- Proxy Groups: Allows grouping multiple proxy servers for various purposes:
  - `select`: Manually choose a proxy from the group.
  - `url-test`: Automatically selects the fastest server based on latency testing.
  - `fallback`: Tries servers in order until one connects successfully.
  - `load-balance`: Distributes traffic across multiple servers.
- DNS Management: Clash can act as a local DNS server, allowing for:
  - Fake IP: Uses fake IP addresses internally to improve compatibility and avoid DNS leaks. This is highly recommended.
  - DNS Hijacking: Redirect specific DNS requests to different servers.
  - Enhanced DNS Performance: Caching and optimized DNS resolution.
- YAML Configuration: All configuration is done through a YAML file (`config.yaml` by default), providing a human-readable and easily editable format.
- Built-in Web Dashboard (Clash Dashboard): Many GUI clients (discussed later) provide a user-friendly interface to manage connections, view logs, and adjust settings.
- Tun Mode (Experimental): Can capture all TCP and UDP traffic on the system, similar to a VPN. This requires elevated privileges and careful configuration.
- Cross-platform compatibility: Clash has clients available for multiple platforms.
Installation:
There are several ways to install Clash on Linux:
- Pre-compiled Binaries (Recommended):
  - Download the latest release from the official GitHub repository: https://github.com/Dreamacro/clash/releases. Choose the appropriate archive for your architecture (e.g., `clash-linux-amd64-vX.X.X.gz`).
  - Extract the archive (it is a gzip-compressed binary, not a tarball): `gunzip clash-linux-amd64-vX.X.X.gz`
  - Move the binary to a directory in your PATH (e.g., `/usr/local/bin/`) under the name `clash`: `sudo mv clash-linux-amd64-vX.X.X /usr/local/bin/clash`
  - Make the binary executable: `sudo chmod +x /usr/local/bin/clash`
- AUR (Arch Linux User Repository): For Arch Linux users and derivatives:
  - Use an AUR helper like `yay`: `yay -S clash` (or `clash-premium` for the premium core)
- Building from Source:
  - Install Go (golang): Follow the instructions for your distribution.
  - Clone the repository: `git clone https://github.com/Dreamacro/clash.git`
  - Navigate to the directory: `cd clash`
  - Build the binary: `go build`
  - (Optional) Move the `clash` binary to your PATH.
Configuration (config.yaml):
The heart of Clash is its configuration file, typically located at `~/.config/clash/config.yaml`. This file is in YAML format and defines all the rules, proxies, and settings. Here’s a breakdown of the essential sections:
```yaml
# HTTP(S) proxy port
port: 7890

# SOCKS5 port
socks-port: 7891

# Allow LAN connections (for sharing the proxy with other devices)
allow-lan: true # Set to false for security if you don't need this.

# External Controller (for GUI clients)
external-controller: '127.0.0.1:9090'

# Secret for external controller authentication (optional but recommended)
secret: 'your_secret_password'

# Mode: rule (recommended), global (all traffic through a single proxy), direct (no proxy)
mode: rule

# Log level: info, warning, error, debug, silent
log-level: info

# DNS settings
dns:
  enable: true
  listen: 0.0.0.0:53 # Listens on all interfaces on port 53. You may want to restrict to 127.0.0.1.
  ipv6: false # Enable IPv6 resolution if needed.
  enhanced-mode: fake-ip # Highly recommended for compatibility and leak prevention.
  fake-ip-range: 198.18.0.1/16 # Define the range for fake IPs.
  nameserver:
    - 1.1.1.1 # Cloudflare DNS
    - 8.8.8.8 # Google DNS
    - tls://dns.rubyfish.cn:853 # Example of DNS over TLS. Use your preferred servers.
  fallback: # Fallback DNS servers (used if primary servers fail or for specific domains).
    - tls://1.1.1.1:853 # Use DoT to avoid DNS pollution in certain environments.
  fallback-filter:
    geoip: true # Use GEOIP filtering.
    ipcidr: # Exclude certain IP ranges from fallback DNS.
      - 240.0.0.0/4
      - 0.0.0.0/32 # This is a bogus IP often associated with DNS leaks.
  # You can use fake-ip-filter to define domains that should not be resolved to fake-ips.
  # fake-ip-filter:
  #   - '+.lan'

# Proxy servers (replace with your actual server details)
proxies:
  - name: "US_SERVER"
    type: ss
    server: your_server_address
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "your_password"
  - name: "JP_SERVER"
    type: vmess
    server: your_server_address
    port: 443
    uuid: "your_uuid"
    alterId: 64
    cipher: auto
  - name: "SG_SERVER_TROJAN"
    type: trojan
    server: your_trojan_server_address
    port: 443
    password: "your_trojan_password"
    sni: "your_sni_domain" # Server Name Indication (often required for Trojan)

# Proxy groups (grouping servers for different strategies)
proxy-groups:
  - name: "PROXY"
    type: select # Manually select a proxy from this group
    proxies:
      - US_SERVER
      - JP_SERVER
      - SG_SERVER_TROJAN
  - name: "Auto"
    type: url-test
    proxies:
      - US_SERVER
      - JP_SERVER
    url: 'http://www.gstatic.com/generate_204' # URL for latency testing
    interval: 300 # Test interval in seconds
    tolerance: 50 # Allowable latency difference (ms) before switching.

# Rules (defining how traffic is routed)
rules:
  - DOMAIN-SUFFIX,google.com,PROXY # Route all Google domains through the PROXY group.
  - DOMAIN-KEYWORD,netflix,PROXY
  - GEOIP,CN,DIRECT # Direct connections for Chinese IP addresses.
  - MATCH,PROXY # Default rule: everything else goes through the PROXY group.
```
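The listener settings in the configuration above (`allow-lan`, `external-controller`, `secret`, `dns.listen`) decide what other hosts can reach. As an added example, not part of the original guide or the Clash project, this Python check reads those keys with a deliberately minimal parser and reports the ones bound beyond loopback or left at a placeholder; the sample input and the `PLACEHOLDER_SECRETS` set are constructed for illustration.

```python
import ipaddress
import re
# Constructed sample carrying the listener values from the guide's config.yaml.
SAMPLE = """\
allow-lan: true
external-controller: '127.0.0.1:9090'
secret: 'your_secret_password'
dns:
  enable: true
  listen: 0.0.0.0:53 # all interfaces
"""
PLACEHOLDER_SECRETS = {"", "your_secret_password"}  # empty or copied from a tutorial

def read_settings(text):
    """Tiny 'key: value' reader with one nesting level; not a full YAML parser."""
    settings, parent = {}, None
    for raw in text.splitlines():
        m = re.match(r"^(\s*)([\w-]+):\s*(.*)$", raw.split(" #")[0].rstrip())
        if m:
            indent, key, value = m.groups()
            if not indent:
                parent = key if value == "" else None
            elif parent:
                key = f"{parent}.{key}"
            settings[key] = value.strip("'\"")
    return settings

def is_loopback(listen):
    """True only if a 'host:port' listener is bound to a loopback address."""
    host = listen.rsplit(":", 1)[0].strip("[]")
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host, '*' or another name: treat as exposed

def audit(text):
    """Return 'key: reason' findings for listeners other hosts can reach."""
    s, findings = read_settings(text), []
    if s.get("allow-lan") == "true":
        findings.append("allow-lan: proxy ports accept connections from other hosts")
    ctrl = s.get("external-controller")
    if ctrl and not is_loopback(ctrl):
        findings.append("external-controller: API reachable beyond loopback")
    if ctrl and s.get("secret", "") in PLACEHOLDER_SECRETS:
        findings.append("secret: missing or placeholder controller secret")
    listen = s.get("dns.listen")
    if s.get("dns.enable") == "true" and listen and not is_loopback(listen):
        findings.append("dns.listen: resolver bound beyond loopback")
    return findings
```

Call `audit(open(path).read())` on your own file; an empty list means none of these four settings exposes a listener or leaves the controller secret at a placeholder.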
Explanation of Key Configuration Sections:
- `port` and `socks-port`: These define the ports Clash listens on for HTTP and SOCKS5 proxy connections, respectively. Applications can be configured to use these ports to route traffic through Clash.
- `allow-lan`: If set to `true`, other devices on your local network can use your Clash instance as a proxy. Be cautious with this setting and ensure your network is secure.
- `external-controller`: This specifies the address and port for the external controller API, used by GUI clients to manage Clash.
- `secret`: An optional but recommended password for securing the external controller.
- `mode`: `rule` is the most common and flexible mode. `global` forces all traffic through a single selected proxy. `direct` bypasses proxying entirely.
- `log-level`: Controls the verbosity of Clash’s logs.
- `dns`: This section is crucial for proper DNS handling. `enhanced-mode: fake-ip` is highly recommended to prevent DNS leaks and improve compatibility with certain websites and applications.
- `proxies`: This section defines your individual proxy servers. You’ll need to replace the example details with your actual server information (address, port, password, etc.). The `type` field specifies the proxy protocol (ss, vmess, trojan, etc.).
- `proxy-groups`: This allows you to group multiple proxy servers together. The `type` field determines the selection strategy (select, url-test, fallback, load-balance).
- `rules`: This is the core of Clash’s routing logic. Rules are evaluated in order, and the first matching rule determines how a connection is handled. The `MATCH` rule is a catch-all that applies if no other rules match.
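Because the first matching rule wins, a specific rule placed below a broader one never fires. The following Python sketch is an added example, not code from the original guide or from Clash: it models `DOMAIN`, `DOMAIN-SUFFIX`, `DOMAIN-KEYWORD`, `IP-CIDR` and `MATCH` in simplified form (no DNS resolution, no GEOIP data) and lists rules that an earlier rule makes unreachable. The rule list and all function names are constructed for illustration.

```python
import ipaddress

# Constructed rule list: the DOMAIN rule sits below a broader DOMAIN-SUFFIX rule.
RULES = ["DOMAIN-SUFFIX,google.com,PROXY", "DOMAIN,mail.google.com,DIRECT",
         "IP-CIDR,192.168.1.0/24,DIRECT", "MATCH,PROXY"]

def parse(rule):
    """'TYPE,value,target' or 'MATCH,target' -> (kind, value, target)."""
    p = [x.strip() for x in rule.split(",")]
    return ("MATCH", "", p[1]) if p[0] == "MATCH" else (p[0], p[1], p[2])

def matches(kind, value, host):
    """Simplified matcher; GEOIP and other data-backed types are not modelled."""
    if kind == "MATCH":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if kind == "IP-CIDR":
        return ip is not None and ip in ipaddress.ip_network(value, strict=False)
    if ip is not None:
        return False  # domain rules never match an IP literal
    return {"DOMAIN": host == value,
            "DOMAIN-SUFFIX": host == value or host.endswith("." + value),
            "DOMAIN-KEYWORD": value in host}.get(kind, False)

def route(rules, host):
    """Target of the first rule that matches, or None if nothing does."""
    for rule in rules:
        kind, value, target = parse(rule)
        if matches(kind, value, host):
            return target
    return None

def covers(earlier, later):
    """True if the earlier rule already takes every destination the later one matches."""
    (ek, ev, _), (lk, lv, _) = parse(earlier), parse(later)
    if ek == "MATCH":
        return True
    if lk not in ("DOMAIN", "DOMAIN-SUFFIX"):
        return False
    return {"DOMAIN": lk == "DOMAIN" and lv == ev,
            "DOMAIN-SUFFIX": lv == ev or lv.endswith("." + ev),
            "DOMAIN-KEYWORD": ev in lv}.get(ek, False)

def unreachable(rules):
    """Rules that can never fire because a rule above them covers them."""
    return [r for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]
```

With `RULES` as given, `mail.google.com` is routed to `PROXY` and the `DOMAIN` rule is reported as unreachable; moving it above the `DOMAIN-SUFFIX` rule routes that host to `DIRECT` and clears the report.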
Running Clash:
Once you have your `config.yaml` file set up, you can start Clash using:
```bash
clash -d ~/.config/clash
```
- `-d`: Specifies the directory containing your `config.yaml` file. If omitted, Clash looks for the configuration file in the current directory.
- To make the proxy available system-wide, use the `networksetup` command (macOS), `gsettings` command (GNOME), or the network manager on other Linux desktop environments to configure the system’s proxy settings to use `127.0.0.1:7890` (HTTP) and `127.0.0.1:7891` (SOCKS5).
Running Clash as a Systemd Service (Recommended):
For Clash to start automatically on boot and run in the background, it’s best to create a systemd service:
- Create a service file:
  ```bash
  sudo nano /etc/systemd/system/clash.service
  ```
- Paste the following content into the file (adjust paths if needed):
  ```ini
  [Unit]
  Description=Clash Service
  After=network.target

  [Service]
  # Replace with your username
  User=your_username
  # Replace with your clash config directory
  WorkingDirectory=/home/your_username/.config/clash
  ExecStart=/usr/local/bin/clash -d /home/your_username/.config/clash
  Restart=on-failure
  RestartSec=10s

  [Install]
  WantedBy=multi-user.target
  ```
  - `User`: Specify the user account under which Clash should run. It’s generally recommended not to run Clash as root.
  - `WorkingDirectory`: This should point to your Clash configuration directory.
  - `ExecStart`: The command that executes when the service starts.
- Save and close the file.
- Reload systemd:
  ```bash
  sudo systemctl daemon-reload
  ```
- Enable the service (to start on boot):
  ```bash
  sudo systemctl enable clash.service
  ```
- Start the service:
  ```bash
  sudo systemctl start clash.service
  ```
- Check the service status:
  ```bash
  sudo systemctl status clash.service
  ```
- Check logs:
  ```bash
  sudo journalctl -u clash.service
  ```
GUI Clients:
While Clash itself is a command-line tool, several excellent GUI clients provide a more user-friendly interface:
- Clash for Windows (CFW): Despite the name, it runs on Linux using Electron. Provides a comprehensive dashboard, rule editor, and proxy management.
- ClashX (macOS): A native macOS client (not for Linux).
- Clash Verge: A cross-platform client (Windows, macOS, Linux) built with Tauri, offering a modern and clean interface. Highly recommended. https://github.com/zzzgydi/clash-verge
- Yacd: Yet Another Clash Dashboard. A web-based dashboard.
- Other Clients: Various other clients are available, often specific to certain distributions or desktop environments. Search for “Clash GUI” for your system.
These GUI clients typically connect to Clash’s external controller (defined in `config.yaml`) to manage the proxy and display information.
Advanced Features and Considerations:
- Tun Mode: As mentioned earlier, Tun mode allows Clash to capture all TCP and UDP traffic. This is useful for creating a system-wide proxy, but it requires careful configuration and elevated privileges. It’s often used in conjunction with tools like `iptables` to manage routing. This is an experimental feature and may require specific kernel modules.
- Scripting (Premium Core): The premium core of Clash supports JavaScript scripting for more advanced rule logic and custom behavior. This allows for highly dynamic and flexible proxy configurations.
- External Resources: Clash can load rules and proxy providers from external URLs, making it easy to keep your configuration up-to-date.
- Traffic Monitoring: The web dashboard or GUI clients provide real-time traffic monitoring, allowing you to see which connections are being made and how they are being routed.
- Security: While Clash itself is secure, the security of your connection ultimately depends on the proxy servers you use. Choose reputable and trustworthy providers. Consider using a proxy that supports encryption and obfuscation.
Troubleshooting:
- Configuration Errors: Clash is very strict about the YAML syntax. If you encounter errors, carefully check your `config.yaml` file for typos, incorrect indentation, or missing fields. Use a YAML validator online to help identify issues.
- Connectivity Issues: If you can’t connect to the internet, check:
  - Your proxy server details are correct (address, port, password, etc.).
  - Your rules are not blocking the necessary connections.
  - Your DNS settings are configured correctly.
  - Your system’s proxy settings are pointing to Clash (if you intend to use it system-wide).
- DNS Leaks: Use a website like https://www.dnsleaktest.com/ to check for DNS leaks. If you see your ISP’s DNS servers, it means your DNS requests are not going through Clash. Ensure `enhanced-mode: fake-ip` is enabled in your DNS settings.
- Logs: Clash’s logs (usually in `~/.config/clash/clash.log`) can provide valuable information for diagnosing problems. Increase the `log-level` in your configuration for more detailed logging.
Conclusion:
Clash for Linux is a powerful and versatile proxy client that offers fine-grained control over your internet traffic. Its rule-based system, support for various proxy protocols, and DNS management capabilities make it an excellent choice for users seeking advanced proxy functionality. While the initial configuration can seem daunting, the benefits of customized routing and enhanced privacy make it well worth the effort. The active community and availability of GUI clients further enhance its usability. This guide has provided a comprehensive overview of Clash; remember to consult the official documentation and community resources for the most up-to-date information and advanced usage scenarios.