A rule-based tunnel in Go.
clash -v shows the golang version
Connection is close
profile:
  # store the `select` results in $HOME/.config/clash/.cache
  # when two different configurations have groups with the same name, the selected values are shared
  # set false if you don't want this behavior
  store-selected: false
net.Conn is wrapped to avoid using *net.TCPConn.(ReadFrom) (#1209)
redir-port means Redirect TCP and TProxy UDP
tproxy-port means TProxy TCP and TProxy UDP
disable-udp option for all proxy groups
lazy for proxy group and provider (the default value is true): with lazy on, proxy groups and proxy providers that have not been used during the cycle will not be speed tested.
network: http supports TLS (https)
http outbound
The udp option should take effect
PROCESS-NAME potential PCB buffer overflow on bsd systems (#941 #947)
1.0 has many breaking changes: https://github.com/Dreamacro/clash/wiki/Breaking-Changes-in-1.0.0
(+.example.com = .example.com + example.com)
path would auto "mkdir" on initial
mode uses lower case (backward compatible)
localhost
https://release.dreamacro.workers.dev/
inbound_port
expr engine supports more builtin functions: https://github.com/antonmedv/expr/releases/tag/v1.14.0
ipv6: true will affect the dns field.
interval and tolerance support human-friendly config (30s, 1h, 10m30s, etc.)
expr script engine, 10x~20x faster than starlark (details on expr.medv.io)
script:
  engine: expr
  shortcuts:
    # hw-sh-pcdn-35.biliapi.net
    # hw-gz-live-p2p-06.chat.bilibili.com
    # cn-jsyz-ccc-live-tracker-02.chat.bilibili.com
    bilibilishit: "any(['biliapi', 'bilibili'], host contains #) and any(['-live-tracker-', 'p2p', 'pcdn'], host contains #)"
    douyushit: (network == 'udp' or host contains 'p2p') and host contains 'douyu'
    quic: network == 'udp' and dst_port == 443
    tailscale: network == 'udp' and dst_port == 12345
The if field uses the same syntax as a shortcut; if the predicate holds but none of the sub-rules match, matching continues with the next rule in the outer list.
rules:
  - if: network == 'tcp'
    name: TCP
    # engine: expr # the default engine is `expr`, `starlark` is also valid
    rules:
      - if: dst_port == 443
        name: HTTPS
        rules:
          - MATCH,DIRECT
      - DOMAIN-SUFFIX,baidu.com,DIRECT
      - DOMAIN-KEYWORD,google,DIRECT
      - DOMAIN-KEYWORD,www.bing.com,DIRECT
  - MATCH,REJECT
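The fall-through semantics of nested rules are easy to get wrong when reading a config, so here is an added example (not Clash's own code) that evaluates the rule list above. The `if` predicates are modelled as Go closures because this example has no expr engine; `Metadata`, `Group`, `Resolve` and `SampleRules` are names introduced here, not Clash APIs. The point it shows: a group that is entered but whose sub-rules all miss does not end matching, the outer `MATCH,REJECT` is still reached.

```go
package main

import (
	"fmt"
	"strings"
)

// Metadata is the subset of connection metadata the rules below consult (example type).
type Metadata struct {
	Network string // "tcp" or "udp"
	Host    string
	DstPort int
}

// Rule is either a classic "TYPE,payload,policy" rule or a nested group.
type Rule interface {
	Match(md Metadata) (policy string, hit bool)
}

type classic struct{ kind, payload, policy string }

func (c classic) Match(md Metadata) (string, bool) {
	host := strings.ToLower(md.Host)
	switch c.kind {
	case "DOMAIN-SUFFIX":
		if host == c.payload || strings.HasSuffix(host, "."+c.payload) {
			return c.policy, true
		}
	case "DOMAIN-KEYWORD":
		if strings.Contains(host, c.payload) {
			return c.policy, true
		}
	case "MATCH":
		return c.policy, true
	}
	return "", false
}

// Group is the nested form: an `if` predicate guarding a list of sub-rules.
// If the predicate is false, or every sub-rule misses, the group reports no hit
// and the caller continues with the next rule of the enclosing list.
type Group struct {
	Name  string
	If    func(Metadata) bool
	Rules []Rule
}

func (g Group) Match(md Metadata) (string, bool) {
	if !g.If(md) {
		return "", false
	}
	return Resolve(g.Rules, md)
}

// Resolve walks a rule list in order and returns the first hit.
func Resolve(rules []Rule, md Metadata) (string, bool) {
	for _, r := range rules {
		if policy, ok := r.Match(md); ok {
			return policy, true
		}
	}
	return "", false
}

// ParseClassic turns "DOMAIN-SUFFIX,baidu.com,DIRECT" or "MATCH,REJECT" into a rule.
func ParseClassic(line string) (Rule, error) {
	p := strings.Split(line, ",")
	switch {
	case len(p) == 2 && p[0] == "MATCH":
		return classic{kind: "MATCH", policy: p[1]}, nil
	case len(p) == 3 && (p[0] == "DOMAIN-SUFFIX" || p[0] == "DOMAIN-KEYWORD"):
		return classic{kind: p[0], payload: strings.ToLower(p[1]), policy: p[2]}, nil
	}
	return nil, fmt.Errorf("unsupported rule %q", line)
}

func mustParse(line string) Rule {
	r, err := ParseClassic(line)
	if err != nil {
		panic(err)
	}
	return r
}

// SampleRules mirrors the YAML rule list in the release note.
func SampleRules() []Rule {
	return []Rule{
		Group{Name: "TCP", If: func(md Metadata) bool { return md.Network == "tcp" }, Rules: []Rule{
			Group{Name: "HTTPS", If: func(md Metadata) bool { return md.DstPort == 443 },
				Rules: []Rule{mustParse("MATCH,DIRECT")}},
			mustParse("DOMAIN-SUFFIX,baidu.com,DIRECT"),
			mustParse("DOMAIN-KEYWORD,google,DIRECT"),
			mustParse("DOMAIN-KEYWORD,www.bing.com,DIRECT"),
		}},
		mustParse("MATCH,REJECT"),
	}
}

func main() {
	for _, md := range []Metadata{{"tcp", "any.host", 443}, {"tcp", "example.com", 80}, {"udp", "www.google.com", 443}} {
		policy, _ := Resolve(SampleRules(), md)
		fmt.Printf("%s %s:%d -> %s\n", md.Network, md.Host, md.DstPort, policy)
	}
}
```

Note the last case: a UDP flow to www.google.com is rejected, because the DOMAIN-KEYWORD rules live inside the TCP group and are never consulted when its predicate is false.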
in_ipset for script and shortcut
auto-route issue for #2720 @Kr328
format: text, one line per item, supports # or // for comments. For security reasons, path can only point inside the clash $HOMEDIR when format: text.
# comment
// domain
.google.com
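An added example, not Clash's own code, of parsing a `format: text` domain provider and matching hosts against it. It applies the `+.example.com = .example.com + example.com` rule stated earlier on this page: `.example.com` covers subdomains only, `example.com` the apex only, `+.example.com` both. Assumptions made here: only whole-line `#`/`//` comments are recognised (trailing comments are not stripped), hosts are normalised to lower case with any trailing dot removed, and the names `DomainSet`, `ParseText` and the sample provider body are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// DomainSet holds the patterns of a `format: text` domain provider.
// exact: "example.com" entries; suffix: ".example.com" entries.
// "+.example.com" is stored in both sets.
type DomainSet struct {
	exact  map[string]bool
	suffix map[string]bool
}

func NewDomainSet() *DomainSet {
	return &DomainSet{exact: map[string]bool{}, suffix: map[string]bool{}}
}

// normalize lower-cases and strips a trailing dot so "Google.COM." and
// "google.com" compare equal; DNS names are case-insensitive.
func normalize(host string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(host)), ".")
}

// Add registers one pattern line; returns false for an empty or degenerate entry.
func (s *DomainSet) Add(pattern string) bool {
	p := normalize(pattern)
	switch {
	case p == "" || p == "+" || p == "+." || p == ".":
		return false
	case strings.HasPrefix(p, "+."):
		s.exact[p[2:]] = true
		s.suffix[p[2:]] = true
	case strings.HasPrefix(p, "."):
		s.suffix[p[1:]] = true
	default:
		s.exact[p] = true
	}
	return true
}

// Match reports whether host is covered by any entry.
func (s *DomainSet) Match(host string) bool {
	h := normalize(host)
	if h == "" {
		return false
	}
	if s.exact[h] {
		return true
	}
	// Walk the proper suffixes: a.b.example.com -> b.example.com -> example.com -> com.
	// Only proper suffixes are checked, so ".example.com" never covers the apex itself.
	for {
		i := strings.IndexByte(h, '.')
		if i < 0 {
			return false
		}
		h = h[i+1:]
		if s.suffix[h] {
			return true
		}
	}
}

// ParseText reads a provider body: one entry per line, whole-line comments
// starting with "#" or "//" and blank lines are skipped. It returns the set
// and the number of lines that were rejected by Add.
func ParseText(body string) (*DomainSet, int) {
	set, rejected := NewDomainSet(), 0
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "//") {
			continue
		}
		if !set.Add(line) {
			rejected++
		}
	}
	return set, rejected
}

// sampleProvider is a constructed provider body for this example.
const sampleProvider = `# comment
// domain
.google.com
+.example.com
internal.corp
`

func main() {
	set, rejected := ParseText(sampleProvider)
	fmt.Println("rejected lines:", rejected)
	for _, h := range []string{"www.google.com", "google.com", "example.com", "a.b.example.com", "INTERNAL.CORP.", "notexample.com"} {
		fmt.Printf("%-18s %v\n", h, set.Match(h))
	}
}
```

The suffix walk is what keeps `notexample.com` outside `.example.com`: the check is on whole labels, not on a raw string suffix, which is the classic mistake in hand-rolled domain filters.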
auto-detect-interface TUN loopback on Windows in some cases @Kr328
fake-ip-filter lists for the game
pprof option for debugging clash. It is served under external-controller (and so is also protected by secret). When external-controller is 127.0.0.1:9090, the pprof path is http://127.0.0.1:9090/debug/pprof/heap. The default value is false.
redir-host brings a lot of misunderstandings and problems (some of which are even hard to find). I decided to remove it. It is only used in the fake-ip-filter for a few domain name mappings. I know that it can be bypassed and "recovered" in fake-ip mode. If fake-ip-filter is found to be abused, I will delete the domain mapping mode completely.
auto-detect-interface now follows the routing table instead of just selecting the default NIC. This improves the situation where clash and a VPN coexist.
remote-dns-resolve on wireguard, default value is true.
iperf3 -c 127.0.0.1.sslip.io -P 4 (ensure 127.0.0.1.sslip.io resolves to a fake IP). Increased throughput from 5.x Gbps to 10 Gbps, almost ~2x ⚡️. But auto-redir is still the true God with 37 Gbps 😭.
Server field for debug source
script:
  shortcuts:
    curl: resolve_process_name() == 'curl'
    # curl: resolve_process_path() == '/usr/bin/curl'
interface Context {
  resolve_process_path: (metadata: Metadata) => string
}
proxies:
  - name: "wg"
    type: wireguard
    server: 127.0.0.1
    port: 443
    ip: 172.16.0.2
    # ipv6: your_ipv6
    private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
    public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
    # preshared-key: base64
    # dns: [1.1.1.1, 8.8.8.8]
    # mtu: 1420
    udp: true
For some complicated reason, wireguard does not support relay, but you can use a tunnel to provide this feature in disguise:
tunnels:
  - udp,127.0.0.1:2043,yourendpoint:port,ss
proxies:
  - name: ss
    # ...
  - name: "wg"
    type: wireguard
    server: 127.0.0.1
    port: 2043
    ip: 172.16.0.2
    # ipv6: your_ipv6
    private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
    public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
    # preshared-key: base64
    # dns: [1.1.1.1, 8.8.8.8]
    # mtu: 1420
    udp: true
format=structured for structured (JSON) logs
DBG [DNS] dns response source=dhcp://119.29.29.29:53(en0) qType=A name=google.com. answer=["10.19.10.139"]
auto-route bypass icmp on linux
sniff-tls-sni. Note: this replaces the original domain name, but not every SNI is a domain, so clash only replaces the host when it is empty and the SNI is a domain. If you find any network requests that are not working properly, remove it.
experimental:
  sniff-tls-sni: true
auto-route compatibility @Kr328
rules:
  - RULE-SET,microsoft,policy,no-resolve
match_provider for script shortcuts @Kr328
script:
  shortcuts:
    BilibiliUdp: |
      network == "udp" and match_provider("Bilibili")
rules:
  - SCRIPT,BilibiliUdp,REJECT
auto-route on Linux (#2071)
dns-hijack supports hijacking same-port traffic
tun:
  enable: true
  stack: system # or gvisor
  dns-hijack:
    - any:53
    - tcp://any:53
redirect-to-tun: it requires kernel support, only hooks traffic of the egress NIC, and conflicts with auto-route
interface-name: eth0
routing-mark: 7777
ebpf:
  redirect-to-tun:
    - eth0
auto-route and auto-detect-interface on Linux @Kr328
auto-route
clean-dns-bpf still working? Does it make sense to integrate into clash?
(+.example.com), memory 29MB (Old) --> 1.9MB (New)
goos: darwin
goarch: arm64
pkg: test
BenchmarkNew-10    3464176    345.4 ns/op    0 B/op    0 allocs/op
BenchmarkOld-10   11119957    106.1 ns/op   48 B/op    1 allocs/op
hosts, fake-ip-filter, fallback-filter, nameserver-policy, domain rule provider
netip.Addr to replace net.IP where possible (reduces memory usage, especially with system TUN)
auto-route on FreeBSD @icpz
auto-detect-interface
auto-route in PPPoE networks on Windows @icpz
system and gvisor TUN stack on Windows (@icpz)
macOS-auto-* to auto-* (will be backward compatible with several versions)
behavior: ipcidr
memory
memory
def main(ctx, metadata):
now = time.now()
if metadata["src_ip"] == "ip" and now.hour >= 18 and now.hour <= 22:
return "REJECT"
return "DIRECT"
profile:
  # open tracing exporter API
  tracing: true
resolve_process_name
Doc
redir-host bug on 2020.09.27
path
script:
  path: ./script.star
classical rule provider