What Is TUN Mode? How Virtual NIC Proxying Works

TUN (Tunnel) is a virtual network device provided by the OS kernel. When you enable TUN mode in Clash Verge Rev, the system creates a virtual NIC locally (the Mihomo core typically names it Mihomo, or utun on macOS) and injects routing rules into the OS so that all outbound traffic is forwarded through this virtual NIC to the Clash core for processing.

Unlike a traditional HTTP or SOCKS5 proxy, TUN mode operates at the network layer (OSI Layer 3): the kernel routes raw IP packets into the virtual NIC, and the core reassembles them into TCP and UDP flows in its own user-space network stack. It therefore does not depend on whether an application "respects" the system proxy settings. Any packet the OS routes out through the TUN interface is handed to Clash's rule engine, which decides per connection whether to send it direct or through a proxy (typically direct for domestic destinations and proxied for foreign ones, but that is a matter of your rules, not of TUN itself).

ⓘ Key Advantage
TUN mode works even for native apps that do not support proxy settings (e.g., certain game clients, CLI tools, UDP services), because traffic is intercepted at the network layer regardless of whether the application is aware of a proxy.

TUN Mode vs System Proxy: Key Differences

Before enabling TUN mode, you need to understand how it fundamentally differs from a regular system proxy (HTTP/SOCKS). Many users find that even with a system proxy enabled, some traffic still "leaks" past it. The root cause is that a system proxy is only a setting that applications may choose to honor; nothing forces traffic through it.

Dimension            System Proxy (HTTP/SOCKS)                           TUN Mode
-------------------  --------------------------------------------------  -----------------------------------------------------
Working layer        Application layer (Layer 7)                         Network layer (Layer 3)
TCP traffic          Only from apps that honor the proxy settings        Everything the OS routes to the TUN interface
UDP traffic          HTTP: none; SOCKS5 UDP ASSOCIATE is rarely used     Fully supported (gaming, DNS, real-time)
Native app bypass    Apps that ignore the setting send traffic direct    No proxy awareness needed; captured by routing
Config complexity    Simple, no extra permissions                        Needs admin/root and a virtual NIC; one-time setup

In short: if you only occasionally visit a blocked site, a system proxy is sufficient. But if you want all traffic — DNS queries, game UDP packets, IDE plugins, and Git clients that bypass the system proxy — to be managed by Clash, you need TUN mode.

Prerequisites Before Enabling TUN Mode

Version Check

TUN mode is provided by the Mihomo core. Clash Verge Rev 1.7.x and later ship with a complete TUN implementation; use the latest version for the best compatibility and performance. Older builds, and cores other than Mihomo, expose different TUN options and behave differently, so upgrade the core first if you run into issues.

System Permissions

  • Windows: the core needs administrator rights to create the adapter. Either run Clash Verge Rev as Administrator (right-click the icon and choose "Run as administrator", or enable "Launch as administrator" in Settings), or install the Clash Verge service from Settings (Service Mode, the same service the Troubleshooting section below refers to), which runs only the core with elevated rights while the GUI stays unprivileged.
  • macOS: The first time you enable TUN mode, a system dialog will request permission to install a Network Extension. Enter your password to confirm; this is a one-time step.
  • Linux: the core needs the CAP_NET_ADMIN capability (plus access to /dev/net/tun) or must run as root. Service mode, or granting the capability to the core binary with setcap, avoids running the whole GUI as root.

Back Up Your Config

Before changing any system-level network settings, it is strongly recommended to export and back up your current config.yaml from Clash Verge Rev's profile manager. TUN mode modifies the system routing table, and a misconfiguration may cause a brief network outage; a backup lets you roll back quickly.

How to Enable TUN Mode in Clash Verge Rev

Once you have completed the prerequisites, follow these steps:

  1. Open Clash Verge Rev and go to Settings — click the gear icon in the left sidebar, or use the shortcut Ctrl/Cmd + ,.
  2. Find the TUN Mode toggle — below the "System Proxy" section, there is usually a dedicated "TUN Mode" switch. Enable it.
  3. Confirm the system permission dialog — on macOS, confirm the Network Extension installation by entering your password; on Windows, click "Yes" if prompted by UAC.
  4. Verify the virtual NIC is created — in Windows "Network Connections" you should see a new adapter (named Mihomo by default with the Mihomo core; the exact name follows the core's TUN device setting); on macOS, run ifconfig | grep utun in Terminal and look for the newly added utun interface.
  5. Check that proxy routing works — visit a foreign site and a domestic site, then open the Connections panel in Clash Verge Rev: the connections should show the TUN inbound type and, with fake-ip enabled, 198.18.x.x destination addresses, while the two sites land in different outbounds (a proxy group versus DIRECT).
⚠ Note
Once TUN mode is on, it is best to turn the system proxy off. Leaving both enabled does not double-proxy traffic in the strict sense: an app that honors the system proxy talks to the core's mixed port over loopback, which never enters the TUN interface, and the core sends its own outbound connections out of the physical interface. It does, however, mean two different paths and two different DNS behaviours (the browser hands the hostname to the proxy, while TUN clients receive fake IPs), which makes it harder to confirm that TUN is really handling everything.

DNS Hijacking and Leak Prevention Configuration

In TUN mode, DNS configuration is critical. If DNS queries bypass Clash and reach your ISP's resolver directly, the ISP can log every domain you look up, and the answers may be poisoned: a foreign domain can come back as a bogus or domestic address, which a GEOIP,CN,DIRECT rule then routes direct, so the connection fails. Two things have to hold: the tun section must hijack DNS (Mihomo's dns-hijack option, typically set to any:53, redirects queries sent to any port-53 server into Clash's resolver, which also catches apps with hard-coded DNS servers), and Clash's own resolver must talk to its upstreams only over encrypted transports.

Recommended DNS Configuration Block

In your config.yaml, the recommended DNS section is:

dns:
  enable: true
  listen: 0.0.0.0:1053        # Clash's own resolver; dns-hijack in the tun section redirects port 53 here
  ipv6: false                 # Return no AAAA records, so clients cannot prefer an IPv6 path that bypasses TUN
  enhanced-mode: fake-ip      # Recommended: apps get a fake IP and no real query leaves the machine for them
  fake-ip-range: 198.18.0.1/16
  fake-ip-filter:             # Domains that must receive real answers (LAN names, apps that check their own IP)
    - '*.lan'
    - 'localhost.ptlogin2.qq.com'
  default-nameserver:         # Plain DNS used only to resolve the hostnames of the DoH servers below
    - 114.114.114.114
    - 8.8.8.8
  nameserver:                 # Domestic encrypted DNS, queried first for everything
    - https://doh.pub/dns-query
    - https://dns.alidns.com/dns-query
  fallback:                   # Foreign encrypted DNS, used when fallback-filter distrusts the nameserver answer
    - https://8.8.8.8/dns-query
    - https://1.1.1.1/dns-query
  fallback-filter:
    geoip: true               # Distrust nameserver answers whose GeoIP country is not geoip-code
    geoip-code: CN
    ipcidr:                   # Also distrust answers in these ranges (240.0.0.0/4 is reserved: a classic poisoned answer)
      - 240.0.0.0/4

fake-ip Mode vs redir-host Mode

fake-ip mode (recommended): for any domain not listed in fake-ip-filter, Clash does not perform a real DNS resolution when the application asks. It hands back a fake address from fake-ip-range and remembers which domain it stands for. When the application connects to that fake IP, Clash maps it back to the domain and runs the rules. If the verdict is a proxy, the domain name is sent to the proxy node, which resolves it remotely; only if the verdict is DIRECT (or an IP-based rule without no-resolve has to be evaluated) does Clash resolve the name locally, and then only through the encrypted nameservers above. Your ISP therefore never sees a plaintext DNS query. The price is that anything that needs the real address (LAN hosts, software that reports or compares its own IP, some game launchers) must be exempted in fake-ip-filter.

redir-host mode: Clash resolves the domain to a real IP first and then matches rules against both the domain and that IP. This is safe only if every upstream in the dns section is encrypted; with plaintext upstreams the queries are visible, and a poisoned answer can send the connection the wrong way. It is not the recommended choice when TUN is the only inbound.
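The following Python is an added example, not code from Clash Verge Rev or Mihomo. It models the resolution path described above for the DNS settings shown: fake-ip allocation, the fallback-filter decision (geoip-code plus ipcidr), what ipv6: false does to answers, and what the core does when an application then connects to a fake IP. The function and class names are hypothetical, and the upstream DNS answers and the two-prefix "GeoIP database" are constructed inline so it runs offline.

```python
import fnmatch
import ipaddress

FAKE_IP_RANGE = ipaddress.ip_network("198.18.0.0/16")    # fake-ip-range (host bits of .0.1 ignored)
FAKE_IP_FILTER = ["*.lan", "localhost.ptlogin2.qq.com"]   # domains that must receive real answers
FALLBACK_IPCIDR = [ipaddress.ip_network("240.0.0.0/4")]   # fallback-filter.ipcidr
GEOIP_CODE = "CN"                                         # fallback-filter.geoip-code

# Constructed stand-in for the GeoIP database: only these prefixes count as CN
# (2001:db8::/32 is the IPv6 documentation range, used here purely as a sample).
CN_PREFIXES = [ipaddress.ip_network(p) for p in ("110.242.68.0/24", "2001:db8::/32")]

# Constructed upstream answers: the domestic `nameserver` hands back a poisoned,
# reserved-range address for a blocked site and a non-CN address for GitHub.
NAMESERVER_ANSWERS = {
    "www.baidu.com": ["110.242.68.66", "2001:db8::66"],
    "www.google.com": ["240.1.2.3"],
    "github.com": ["20.205.243.166"],
    "printer.lan": ["192.168.1.20"],
}
FALLBACK_ANSWERS = {"www.google.com": ["142.250.72.196"], "github.com": ["140.82.112.3"]}

RULES = [  # same shape as the page's rule list; first match wins
    ("DOMAIN-SUFFIX", "google.com", "PROXY"),
    ("IP-CIDR", "192.168.0.0/16", "DIRECT"),
    ("GEOIP", "CN", "DIRECT"),
    ("MATCH", None, "PROXY"),
]

def geoip(ip):
    addr = ipaddress.ip_address(ip)
    return "CN" if any(addr in net for net in CN_PREFIXES) else "XX"

def in_fake_ip_filter(domain):
    """Clash-style wildcard: '*' matches exactly one label, so label counts must agree."""
    return any(
        fnmatch.fnmatch(domain, p) and domain.count(".") == p.count(".") for p in FAKE_IP_FILTER
    )

def real_resolve(domain):
    """Query the `nameserver` group; if fallback-filter distrusts an answer, use `fallback`.
    Private answers are trusted, as Clash's geoip filter does. Returns (answers, group)."""
    primary = NAMESERVER_ANSWERS.get(domain, [])
    for ip in primary:
        addr = ipaddress.ip_address(ip)
        poisoned = any(addr in net for net in FALLBACK_IPCIDR)
        foreign = geoip(ip) != GEOIP_CODE and not addr.is_private
        if poisoned or foreign:
            return FALLBACK_ANSWERS.get(domain, primary), "fallback"
    return primary, "nameserver"

class FakeIpPool:
    """Hands out addresses from fake-ip-range and maps domain <-> fake IP both ways."""
    def __init__(self, network):
        self._free = network.hosts()
        next(self._free)  # leave the first address alone; Clash reserves the start of the range
        self._by_domain, self._by_ip = {}, {}

    def fake_ip_for(self, domain):
        if domain not in self._by_domain:
            ip = str(next(self._free))
            self._by_domain[domain], self._by_ip[ip] = ip, domain
        return self._by_domain[domain]

    def domain_for(self, ip):
        return self._by_ip.get(ip)

def resolve(domain, pool, enhanced_mode="fake-ip", ipv6=False):
    """What an app gets from Clash's DNS: (answers, number of upstream queries sent).
    In fake-ip mode an unfiltered domain never causes an upstream query at all."""
    if enhanced_mode == "fake-ip" and not in_fake_ip_filter(domain):
        return [pool.fake_ip_for(domain)], 0
    answers, _ = real_resolve(domain)
    if not ipv6:  # ipv6: false -> AAAA answers are dropped before reaching the app
        answers = [a for a in answers if ipaddress.ip_address(a).version == 4]
    return answers, 1

def handle_connect(dst_ip, pool):
    """Model of the core receiving a TUN connection to dst_ip and walking RULES."""
    domain = pool.domain_for(dst_ip)  # a fake IP maps back to the original domain
    state = {"domain": domain, "real_ip": None if domain else dst_ip, "upstream_queries": 0}

    def ip_for_rules():  # IP-based rules need a real address; resolve only when one is reached
        if state["real_ip"] is None:
            state["real_ip"] = real_resolve(domain)[0][0]
            state["upstream_queries"] += 1
        return state["real_ip"]

    def matched(kind, arg):
        if kind == "DOMAIN-SUFFIX":
            return bool(domain) and (domain == arg or domain.endswith("." + arg))
        if kind == "IP-CIDR":
            return ipaddress.ip_address(ip_for_rules()) in ipaddress.ip_network(arg)
        if kind == "GEOIP":
            return geoip(ip_for_rules()) == arg
        return kind == "MATCH"

    state["target"] = next(t for k, a, t in RULES if matched(k, a))
    # PROXY: the domain itself goes to the node, which resolves it remotely.
    # DIRECT: the core dials the real IP it resolved locally (over DoH, per the config).
    state["dial"] = domain if state["target"] == "PROXY" and domain else state["real_ip"]
    return state
```

Create a FakeIpPool(FAKE_IP_RANGE), call resolve("www.google.com", pool) and feed the returned address to handle_connect: the domain matches a DOMAIN-SUFFIX rule, so the connection goes to PROXY with zero upstream queries. Doing the same for www.baidu.com shows the other path: no domain rule matches, the GEOIP rule forces one local resolution (through the encrypted nameserver group), and the core dials the real address DIRECT. real_resolve("www.google.com") shows fallback-filter discarding the poisoned 240.x answer in favour of the fallback group.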

IPv6 Bypass Issues and Routing Optimizations

Many users find that even after enabling TUN mode, some foreign sites are still inaccessible. The culprit is often IPv6 traffic not being captured by TUN. Modern home broadband and mobile networks widely deploy IPv6. If a browser prefers an IPv6 address to reach a target site, but Clash's TUN routing rules only cover IPv4, that IPv6 traffic bypasses the proxy entirely.

Quick Solutions

  • Disable IPv6 in the DNS config: set ipv6: false so Clash's resolver returns no AAAA records. Applications then only receive IPv4 addresses and use the IPv4 path that TUN captures. This only helps for queries that actually pass through Clash's DNS, so dns-hijack must be in place.
  • Disable IPv6 at the system level (more thorough): On Windows, uncheck IPv6 in the NIC properties; on macOS, run networksetup -setv6off Wi-Fi for the active interface.
  • Configure IPv6 routing for TUN: If you need to keep IPv6, enable inet6-address in Clash's TUN config and ensure the IPv6 default route also points to the virtual NIC.
💡 Tip
For most proxy use cases, disabling IPv6 is the simplest and most effective solution. The main advantages of IPv6 are address space and P2P communication — IPv4 is perfectly sufficient for accessing overseas services through a proxy.

Troubleshooting Guide

Issue 1: Local network (LAN) is inaccessible after enabling TUN

Depending on the TUN route configuration, packets for LAN subnets can be sent into the core as well, and if no rule sends them DIRECT they fall through to GEOIP or the final MATCH rule and end up at the proxy node, where they are unreachable. Fix: add direct rules for the private ranges at the top of your rule set, before any GEOIP or MATCH rule. The no-resolve suffix keeps Clash from performing a DNS lookup just to evaluate these rules for domain-based connections:

rules:
  - IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
  - IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,172.16.0.0/12,DIRECT,no-resolve
  - IP-CIDR,169.254.0.0/16,DIRECT,no-resolve   # link-local
  # ... other rules follow

Issue 2: Browser shows "ERR_NAME_NOT_RESOLVED"

This usually means DNS is not being routed through Clash. Check: dns.enable is true; the tun section has dns-hijack (for example any:53) so that queries to the system's configured resolver are redirected into Clash; the DNS listening port is not blocked by a firewall; and, in fake-ip mode, enhanced-mode: fake-ip is in effect (the Connections panel in Clash Verge Rev then shows 198.18.x.x destination addresses).

Issue 3: TUN virtual NIC cannot be created on Windows

The WinTun driver may not be installed correctly. In Clash Verge Rev Settings, find "Service Installation", click "Uninstall Service", then "Install Service", and restart Clash Verge Rev with administrator privileges.

Issue 4: TUN mode stops working after a macOS system upgrade

A major OS update may reset Network Extension authorization. Go to System Settings → Privacy & Security, find the Clash-related system extension entry, and click "Allow" to re-authorize.

Issue 5: Game latency increases after enabling TUN

If TUN captures game UDP traffic and the rule set incorrectly routes a domestic game server through the proxy, latency increases. Fix: use GEOIP,CN,DIRECT to route domestic servers directly, and add individual direct rules for game platform domains or IP ranges.

Choosing the Right Clash Client

The full power of TUN mode can only be realized in a well-designed, actively maintained client. Clash Verge Rev is one of the most actively maintained desktop clients in the community, but it is not the only option — it has its own limitations, such as no iOS support, a configuration UI that can be intimidating for beginners, and potential compatibility issues if maintenance ceases.

If you are looking for a Clash client that covers all platforms, is reliably maintained, and suits most users, consider using the version we provide. It is built on the Mihomo core with a built-in one-click TUN mode toggle — no manual YAML editing needed to accomplish everything in this guide. Visual subscription management makes updating nodes intuitive, and when a DNS leak is detected, the client displays a prompt with a fix suggestion directly in the UI.

Versions are available for Windows, macOS, Android, iOS, and Linux, all updated in sync. Every TUN mode technique you've learned in this article can be applied seamlessly in our client.

Free Download Clash Client →