timerring

Understanding Clash Through Configuration

January 2, 2025 · 10 min read
Tutorial
Network | Proxy | DNS

Across the Great Wall we can reach every corner in the world. - 20:55 on September 20th, 1987.

If you have any questions, feel free to comment below.

We can learn the proxy process of clash through the configuration file.

Clash #

Clash is a popular tool which can use different protocols to access the resources.

To use the proxy, you may have received the subscription link. So what’s inside? We can dig it out.

About configuration #

When you fill the subscription link into the Clash, you will get a configuration file.

I select some example items from the configuration file. And we’re able to conduct a detailed analysis.

A sample configuration file
mixed-port: 7890
allow-lan: true
bind-address: '*'
mode: rule
log-level: info
external-controller: '127.0.0.1:9090'
dns:
    enable: true
    ipv6: false
    default-nameserver: [223.5.5.5, 119.29.29.29]
    enhanced-mode: fake-ip
    fake-ip-range: 198.18.0.1/16
    use-hosts: true
    nameserver: ['https://doh.pub/dns-query', 'https://dns.alidns.com/dns-query']
    fallback: ['https://doh.dns.sb/dns-query', 'https://dns.cloudflare.com/dns-query', 'https://dns.twnic.tw/dns-query', 'tls://8.8.4.4:853']
    fallback-filter: { geoip: true, ipcidr: [240.0.0.0/4, 0.0.0.0/32] }
proxies:
    - { name: HK02, type: ss, server: domain-or-ip, port: port-num, cipher: chacha20-ietf-poly1305, password: a-example-password, udp: true }
    - { name: 'HK03 x2', type: ss, server: domain-or-ip, port: port-num, cipher: chacha20-ietf-poly1305, password: a-example-password, udp: true }
proxy-groups:
    - { name: custom-policy-group, type: select, proxies: [HK02, 'HK03 x2'] }
    - { name: Netflix, type: select, proxies: [HK02, 'HK03 x2'] }
    - { name: auto, type: url-test, proxies: [HK02, 'HK03 x2'], url: 'http://www.gstatic.com/generate_204', interval: 86400 }
    - { name: fallback, type: fallback, proxies: [HK02, 'HK03 x2', 'Antarctic'], url: 'http://www.gstatic.com/generate_204', interval: 7200 }
rules:
    - 'DOMAIN-SUFFIX,services.googleapis.cn,custom-policy-group'
    - 'DOMAIN-KEYWORD,netflixdnstest,Netflix'
    - 'DOMAIN,netflix.com.edgesuite.net,Netflix'
    - 'DOMAIN-SUFFIX,fast.com,Netflix'
    - 'IP-CIDR,8.41.4.0/24,Netflix,no-resolve'
    - 'IP-CIDR,23.246.0.0/18,Netflix,no-resolve'
    - 'DOMAIN-KEYWORD,guanggao,REJECT'
    - 'DOMAIN-SUFFIX,icloud.com,DIRECT'
    - 'DOMAIN-SUFFIX,zhihu.com,DIRECT'
    - 'DOMAIN-KEYWORD,gmail,custom-policy-group'
    - 'IP-CIDR,91.108.4.0/22,custom-policy-group,no-resolve'
    - 'IP-CIDR6,2001:67c:4e8::/48,custom-policy-group,no-resolve'
    - 'DOMAIN-SUFFIX,cn,DIRECT'
    - 'DOMAIN-KEYWORD,-cn,DIRECT'
    - 'GEOIP,CN,DIRECT'
    - 'MATCH,custom-policy-group'

Basic #

In the path, we can divide the locations where the traffic passes into three layers:

  1. From your traffic source to the proxy software, such as your browser to the Clash you use.
  2. From the proxy software to the remote server, such as from the Clash you use to a server in Hong Kong.
  3. From the remote server to the target server, such as from a server in Hong Kong to the Google server.

But no matter what software you use, it listens on a specific port and takes over the traffic sent to that port. That port generally speaks SOCKS5 or HTTP proxy. An HTTP proxy can only proxy HTTP requests, whereas SOCKS5 can proxy TCP or UDP.

mixed-port: 7890
allow-lan: true
bind-address: '*'
mode: rule
log-level: info
external-controller: '127.0.0.1:9090'

The mixed-port is the port on which the HTTP(S) and SOCKS4(A)/SOCKS5 proxy services listen together. The allow-lan setting is whether to allow connections from other LAN IP addresses. The bind-address is the address the proxy software listens on (only valid when allow-lan is true). The mode is the mode of the proxy software (rule, global, direct). The log-level is the log level of the proxy software (info / warning / error / debug / silent). The external-controller is the address that the RESTful Web API listens on.

DNS #

dns:
    enable: true # Whether to enable DNS.
    ipv6: false # Whether to enable IPv6.
    default-nameserver: [223.5.5.5, 119.29.29.29] # The default DNS server.
    enhanced-mode: fake-ip # Use fake IP to resolve the DNS request. https://www.rfc-editor.org/rfc/rfc3089
    fake-ip-range: 198.18.0.1/16 # The CIDR of fake IP.
    use-hosts: true # Whether to use the hosts file to resolve.
    nameserver: ['https://doh.pub/dns-query', 'https://dns.alidns.com/dns-query'] # The DoH server.
    fallback: ['https://doh.dns.sb/dns-query', 'https://dns.cloudflare.com/dns-query', 'https://dns.twnic.tw/dns-query', 'tls://8.8.4.4:853'] # The fallback DNS server.
    fallback-filter: { geoip: true, ipcidr: [240.0.0.0/4, 0.0.0.0/32] } # The fallback filter.

Redir-Host #

The redir-host mode and fake-ip mode are the two modes of TAP/TUN. Most software does not use the system proxy, so the proxy system virtualizes a network interface that takes over all traffic (that is what our phones do). TAP/TUN therefore works on the network layer, so it cannot see the domain name, only the IP address, and it has to recover the domain name another way: it intercepts DNS requests on port 53 and maintains a mapping table. When the terminal sends a DNS request, the mapping table is checked first; if the domain name is already in the table, the IP address is returned directly. If it is not, the DNS request is forwarded to the DNS server and the mapping table is updated with the answer.

You can refer to my Real Computer Network to understand the OSI model.

Besides, the TAP/TUN mode is not able to encapsulate network-layer packets, so it is not a VPN (only something that can encapsulate network-layer packets can implement remote networking and be called a VPN; that feature is obvious on the wire, which means a VPN can be detected easily). Some network-layer commands (e.g. the ICMP protocol used by ping) will not work. The ttl is the latency between the terminal and the virtual network interface. (If fake-ip mode is used, the IP of a target domain such as google.com is also a fake IP.)

But if multiple domains are deployed on the same IP, or are polluted to the same IP, then redir-host will not work (except with Sniff). In this case, Clash uses the fallback DNS (normally an overseas encrypted DNS server, to avoid pollution) to resolve the request. But the returned IP is only used as a key in the mapping table, so does it really matter? That is why fake-ip mode appeared.

The default nameserver is the DNS server that the local Clash uses to resolve requests, normally for local resolution (direct mode). If the domain needs a proxy, the fallback DNS is used to resolve it. Fallback means that if the default DNS server returns a foreign IP (it is always redirected to an unknown foreign IP), the answer from the fallback DNS servers is used instead, to make sure the foreign IP is not polluted.
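The decision above, written out as an added example (this is not Clash's code): the default nameserver's answer is kept only when it is a domestic IP, and the fallback answer is used when the default answer is foreign (geoip: true) or lands in the fallback-filter ipcidr ranges from the sample config. The CN network table is a constructed stand-in for the GeoLite2 database, and the exact order in which Clash applies the geoip and ipcidr checks is an assumption here.

```python
import ipaddress

# Constructed stand-in for the GeoLite2 CN table consulted when `geoip: true` (not real data).
CN_NETWORKS = [ipaddress.ip_network(n) for n in ("110.242.68.0/24", "223.5.5.0/24")]

# The ipcidr list from the sample config: answers inside these ranges are treated as polluted.
FALLBACK_FILTER_IPCIDR = [ipaddress.ip_network(n) for n in ("240.0.0.0/4", "0.0.0.0/32")]


def is_cn(ip):
    """True when the address falls in our (constructed) CN table."""
    return any(ip in net for net in CN_NETWORKS)


def choose_answer(default_answer, fallback_answer, geoip=True, ipcidr=FALLBACK_FILTER_IPCIDR):
    """Decide which resolver's answer to hand to the client.

    default_answer  - what the default (plain) nameserver returned, or None
    fallback_answer - what the encrypted fallback nameserver returned, or None
    Returns (chosen_ip, reason).
    """
    if default_answer is None:
        return fallback_answer, "default nameserver gave no answer"
    ip = ipaddress.ip_address(default_answer)
    if any(ip in net for net in ipcidr):
        return fallback_answer, "default answer is in fallback-filter ipcidr (polluted)"
    if geoip and not is_cn(ip):
        return fallback_answer, "default answer is a foreign IP, trust the fallback instead"
    return default_answer, "default answer is a CN IP, use it"


if __name__ == "__main__":
    # Constructed answers: a domestic IP, a classic poisoned value, and a foreign IP.
    for default, fallback in [("110.242.68.66", "110.242.68.66"),
                              ("243.185.187.39", "142.250.1.1"),
                              ("203.0.113.5", "142.250.1.1")]:
        print(default, "->", choose_answer(default, fallback))
```

Run it and the second case shows the point of the ipcidr list: a value in 240.0.0.0/4 is never a usable unicast address, so it can only be a polluted answer and the fallback result wins.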

The Classless Inter-Domain Routing (CIDR) is a method of allocating IP addresses. And the default CIDR of fake IP is 198.18.0.1/16, which is a reserved IP address. When the DNS request is sent to Clash DNS, the Clash kernel will allocate an idle fake-ip address from the pool through the management of the internal domain name and its fake-ip address mapping.

eg. You can find that the 198.18.1.79 is a fake IP, which is allocated by the Clash kernel.

base ❯ curl -v http://google.com
<---- cURL asks your system DNS (Clash) about the IP address of google.com
* Host google.com:80 was resolved.
* IPv6: (none)
* IPv4: 198.18.1.79
----> Clash allocates 198.18.1.79 as google.com
*   Trying 198.18.1.79:80...
<---- cURL connects to 198.18.1.79 tcp/80
----> Clash will accept the connection immediately
* Connected to google.com (198.18.1.79) port 80
----> Clash looks up in its memory and found 198.18.1.79 being google.com
----> Clash looks up in the rules and sends the packet via the matching outbound
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
......

Fake IP #

Why fake IP?

Some regions not only block specific IPs but also pollute DNS; in other words, the domain name resolves to an incorrect IP. Because of how TCP/IP works, when an application initiates a TCP connection it first sends a DNS question (an IP packet), obtains the IP address of the server to connect to, and then connects directly to that IP address.

So we need to proxy the DNS request. The process is: the request is examined locally first; if it needs a proxy, the DNS query is sent to the remote server, and the resolution result is returned. The Clash core then maps the IP address to the domain and matches the rules. In this process you can see that the DNS request is not really necessary, because the returned IP is only used as a key whose value is the domain; but if that IP happens to match a specific rule, the request is redirected wrongly and the visit fails. Considering these issues, the official project dropped redir-host mode outright. So the fake-ip technique appeared.

In fake-ip mode, the Clash core directly returns a fake IP to the client. The client uses that fake IP to request the resource, the Clash core maps the fake IP back to the domain name, and the domain name is used to match the rules. This omits the upstream DNS request, which not only saves time but also avoids DNS leakage.

But it still has a problem, because every system has a DNS cache. If one day, for some reason, you need to turn off the proxy software, the client gets no response when it requests a cached fake IP. You need to flush the system DNS cache manually to fix it.
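To make the mapping table from the Redir-Host section and the fake-ip flow above concrete, here is an added example (not Clash's own code) of a fake-ip pool: a DNS query is answered from 198.18.0.0/16 without touching any upstream resolver, and a connection to a pool address is mapped back to the domain so the rules can match on the name. The allocation order (lowest free host address first) and the handling of an unknown pool address are assumptions of this example; the last case reproduces the stale-cache failure just described.

```python
import ipaddress


class FakeIPPool:
    """Hands out addresses from the fake-ip-range and remembers which domain got which."""

    def __init__(self, cidr="198.18.0.1/16"):
        # strict=False accepts the host-style notation used in the config and yields 198.18.0.0/16
        self.network = ipaddress.ip_network(cidr, strict=False)
        self._free = self.network.hosts()          # generator: 198.18.0.1, 198.18.0.2, ...
        self.domain_to_ip = {}
        self.ip_to_domain = {}

    def resolve(self, domain):
        """Answer a DNS query: reuse the existing fake IP or allocate the next free one."""
        domain = domain.lower().rstrip(".")
        if domain in self.domain_to_ip:
            return self.domain_to_ip[domain]
        try:
            ip = str(next(self._free))
        except StopIteration:
            raise RuntimeError("fake-ip pool exhausted")
        self.domain_to_ip[domain] = ip
        self.ip_to_domain[ip] = domain
        return ip

    def is_fake(self, ip):
        """True when the address lies inside the fake-ip-range."""
        return ipaddress.ip_address(ip) in self.network

    def lookup(self, ip):
        """Reverse-map a connection's destination; None if this pool never issued it."""
        return self.ip_to_domain.get(ip)


def handle_connection(pool, dst_ip):
    """What the core does when the client connects to dst_ip.

    Returns ("domain", name) when the fake IP maps back to a domain (rules match on the name),
    ("ip", dst_ip) for a real address (IP rules apply directly), and ("stale", dst_ip) for a
    fake IP with no mapping, e.g. one the OS cached from a previous run of the proxy.
    """
    if not pool.is_fake(dst_ip):
        return ("ip", dst_ip)
    domain = pool.lookup(dst_ip)
    if domain is None:
        return ("stale", dst_ip)
    return ("domain", domain)


if __name__ == "__main__":
    pool = FakeIPPool()
    fake = pool.resolve("google.com")            # constructed query, no upstream DNS involved
    print("google.com ->", fake)
    print(handle_connection(pool, fake))
    # Simulate a restart: the new pool has an empty table, but the OS may still cache `fake`.
    print(handle_connection(FakeIPPool(), fake))
```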

proxies #

Now let’s talk about the proxies. About how proxies work, I have written a lot in the Real Computer Network; you can review it there.

proxies:
    - { name: HK02, type: ss, server: domain-or-ip, port: port-num, cipher: chacha20-ietf-poly1305, password: a-example-password, udp: true }
    - { name: 'HK03 x2', type: ss, server: domain-or-ip, port: port-num, cipher: chacha20-ietf-poly1305, password: a-example-password, udp: true }

The type is ss, which means the proxy is using the Shadowsocks protocol.

The udp is to enable the UDP proxy. Or you will not be able to proxy the UDP even in the tun mode.

The cipher is the encryption method used with the proxy server; chacha20-ietf-poly1305 is the method the password is used with. The encryption methods supported by the Shadowsocks protocol are:

  • aes-128-gcm
  • aes-192-gcm
  • aes-256-gcm
  • aes-128-cfb
  • aes-192-cfb
  • aes-256-cfb
  • aes-128-ctr
  • aes-192-ctr
  • aes-256-ctr
  • rc4-md5
  • chacha20-ietf
  • xchacha20
  • chacha20-ietf-poly1305
  • xchacha20-ietf-poly1305

proxy-groups #

proxy-groups:
    - { name: custom-policy-group, type: select, proxies: [HK02, 'HK03 x2'] }
    - { name: Netflix, type: select, proxies: [HK02, 'HK03 x2'] }
    - { name: auto, type: url-test, proxies: [HK02, 'HK03 x2'], url: 'http://www.gstatic.com/generate_204', interval: 86400 }
    - { name: fallback, type: fallback, proxies: [HK02, 'HK03 x2', 'Antarctic'], url: 'http://www.gstatic.com/generate_204', interval: 7200 }

The proxy-groups can be understood as filters applied one after another: when you send a request, which filter intercepts it depends on the match between the request and the rules. Choose a meaningful name for each proxy-group. The main types are:

  • select: Select the proxy manually in the proxy-group.
  • url-test: Test the response time of each proxy in the group and use the one with the shortest response time. The url is the endpoint requested to check connectivity and measure the response time; 204 is the response code of a no-content page. For more information, refer to rfc7231.
  • fallback: Use the first proxy in the group; if it breaks down, use the second, and so on.
  • load-balance: Use the proxy with the least number of connections.
  • relay: The traffic is relayed through the group's proxies in order (UDP is not supported).

rules #

The basic format of the rules is:

TYPE,ARGUMENT,POLICY(,no-resolve)

rules:
    - 'DOMAIN-SUFFIX,services.googleapis.cn,custom-policy-group'
    - 'DOMAIN-KEYWORD,netflixdnstest,Netflix'
    - 'DOMAIN,netflix.com.edgesuite.net,Netflix'
    - 'DOMAIN-SUFFIX,fast.com,Netflix'
    - 'IP-CIDR,8.41.4.0/24,Netflix,no-resolve'
    - 'IP-CIDR,23.246.0.0/18,Netflix,no-resolve'
    - 'DOMAIN-KEYWORD,guanggao,REJECT'
    - 'DOMAIN-SUFFIX,icloud.com,DIRECT'
    - 'DOMAIN-SUFFIX,zhihu.com,DIRECT'
    - 'DOMAIN-KEYWORD,gmail,custom-policy-group'
    - 'IP-CIDR,91.108.4.0/22,custom-policy-group,no-resolve'
    - 'IP-CIDR6,2001:67c:4e8::/48,custom-policy-group,no-resolve'
    - 'DOMAIN-SUFFIX,cn,DIRECT'
    - 'DOMAIN-KEYWORD,-cn,DIRECT'
    - 'GEOIP,CN,DIRECT'
    - 'MATCH,custom-policy-group'

  • DOMAIN: route requests whose domain exactly matches ARGUMENT to POLICY.
  • DOMAIN-SUFFIX: route requests whose domain ends with the suffix ARGUMENT to POLICY.
  • DOMAIN-KEYWORD: route requests whose domain contains the keyword ARGUMENT to POLICY.
  • IP-CIDR: route requests whose IPv4 address falls within ARGUMENT to POLICY. (If you want to skip DNS resolution, add the no-resolve option: the domain is then not resolved, so a request that carries only a domain cannot match this rule and the rule is simply skipped.)
  • IP-CIDR6: route requests whose IPv6 address falls within ARGUMENT to POLICY. (Add the no-resolve option to skip DNS resolution.)
  • GEOIP: route requests whose destination country matches ARGUMENT to POLICY, using the GeoLite2 database. Clash resolves the domain name to an IP address and then looks up the country code of that address; add the no-resolve option to skip DNS resolution. E.g. 'GEOIP,CN,DIRECT' sends requests targeting CN IPs to the DIRECT policy.
  • MATCH: route all remaining requests to POLICY.
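The two halves of the routing decision, the rule walk from this section and the group resolution from the proxy-groups section, as one added example (not Clash's own implementation). It runs the sample rules in order, honours no-resolve by skipping IP rules for a destination that is still a domain name, and then turns the chosen policy into a concrete outbound the way select, url-test and fallback groups do. The resolver table, the GeoLite2 CN table and the url-test latencies are all constructed, and the behaviour when no rule matches is an assumption.

```python
import ipaddress

# Rules copied from the sample configuration; order matters, the first match wins.
RULES = [
    'DOMAIN-SUFFIX,services.googleapis.cn,custom-policy-group',
    'DOMAIN-KEYWORD,netflixdnstest,Netflix',
    'DOMAIN,netflix.com.edgesuite.net,Netflix',
    'DOMAIN-SUFFIX,fast.com,Netflix',
    'IP-CIDR,8.41.4.0/24,Netflix,no-resolve',
    'IP-CIDR,23.246.0.0/18,Netflix,no-resolve',
    'DOMAIN-KEYWORD,guanggao,REJECT',
    'DOMAIN-SUFFIX,icloud.com,DIRECT',
    'DOMAIN-SUFFIX,zhihu.com,DIRECT',
    'DOMAIN-KEYWORD,gmail,custom-policy-group',
    'IP-CIDR,91.108.4.0/22,custom-policy-group,no-resolve',
    'IP-CIDR6,2001:67c:4e8::/48,custom-policy-group,no-resolve',
    'DOMAIN-SUFFIX,cn,DIRECT',
    'DOMAIN-KEYWORD,-cn,DIRECT',
    'GEOIP,CN,DIRECT',
    'MATCH,custom-policy-group',
]

# Proxy groups from the sample configuration (members only; url/interval are not needed here).
GROUPS = {
    'custom-policy-group': {'type': 'select', 'proxies': ['HK02', 'HK03 x2']},
    'Netflix': {'type': 'select', 'proxies': ['HK02', 'HK03 x2']},
    'auto': {'type': 'url-test', 'proxies': ['HK02', 'HK03 x2']},
    'fallback': {'type': 'fallback', 'proxies': ['HK02', 'HK03 x2', 'Antarctic']},
}

# Constructed stand-ins for the system resolver and the GeoLite2 CN table (not real data).
FAKE_DNS = {'www.baidu.com': '110.242.68.66', 'mail.google.com': '142.250.1.1',
            'telegram.org': '91.108.4.5'}
GEOIP_CN = [ipaddress.ip_network('110.242.68.0/24')]


def parse_rule(line):
    """Split 'TYPE,ARGUMENT,POLICY(,no-resolve)' into (type, argument, policy, no_resolve)."""
    parts = line.split(',')
    if parts[0] == 'MATCH':                      # MATCH carries no argument
        return 'MATCH', None, parts[1], False
    return parts[0], parts[1], parts[2], len(parts) > 3 and parts[3] == 'no-resolve'


def to_ip(host, resolver):
    """Return an ip_address for host: literals pass through, domains go to the resolver."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        answer = resolver.get(host)
        return ipaddress.ip_address(answer) if answer else None


def route(host, rules=RULES, resolver=FAKE_DNS):
    """Return (policy, matching rule) for a destination given as a domain or an IP literal."""
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    for line in rules:
        rtype, arg, policy, no_resolve = parse_rule(line)
        if rtype == 'DOMAIN' and not is_ip and host == arg:
            return policy, line
        if rtype == 'DOMAIN-SUFFIX' and not is_ip and (host == arg or host.endswith('.' + arg)):
            return policy, line
        if rtype == 'DOMAIN-KEYWORD' and not is_ip and arg in host:
            return policy, line
        if rtype in ('IP-CIDR', 'IP-CIDR6', 'GEOIP'):
            if not is_ip and no_resolve:
                continue                         # no-resolve: never resolve a domain for this rule
            ip = to_ip(host, resolver)
            if ip is None:
                continue
            if rtype == 'GEOIP':
                if arg == 'CN' and any(ip in net for net in GEOIP_CN):
                    return policy, line
            else:
                net = ipaddress.ip_network(arg)
                if ip.version == net.version and ip in net:
                    return policy, line
        if rtype == 'MATCH':
            return policy, line
    return 'DIRECT', None                        # assumption: nothing matched and no MATCH rule


def pick_proxy(policy, groups=GROUPS, health=None, selected=None):
    """Resolve a policy name to a concrete outbound.

    health:   constructed url-test results, proxy name -> latency in ms, None if the probe failed
    selected: manual choice per 'select' group (defaults to the group's first member)
    """
    health = health or {}
    selected = selected or {}
    if policy in ('DIRECT', 'REJECT'):           # built-in policies, not groups
        return policy
    group = groups[policy]
    members = group['proxies']
    if group['type'] == 'select':
        return selected.get(policy, members[0])
    alive = [p for p in members if health.get(p) is not None]
    if group['type'] == 'url-test':
        return min(alive, key=health.get) if alive else None   # lowest latency wins
    if group['type'] == 'fallback':
        return alive[0] if alive else None                     # first member still alive
    raise ValueError('unsupported group type: ' + group['type'])


if __name__ == '__main__':
    for host in ('www.zhihu.com', 'telegram.org', 'www.baidu.com', '8.41.4.10'):
        policy, rule = route(host)
        print(host, '->', policy, 'via', rule, '->', pick_proxy(policy))
```

Two things the walk makes visible: telegram.org ends up at MATCH rather than at the 91.108.4.0/22 rule, because that rule is marked no-resolve and the destination is still a name at rule-matching time; and services.googleapis.cn is proxied even though 'DOMAIN-SUFFIX,cn,DIRECT' would send it direct, because the more specific rule is listed first.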

For more info, you can refer to the Clash Rules.
