Configuration · Approx. 8 min read

Clash TUN Virtual NIC Explained

Why are curl, git clone, and docker pull still slow even with a proxy on? Because system proxies don't touch them—this is where TUN mode shines.

1. Limits of System Proxy

"System Proxy" simply writes a proxy address (e.g., 127.0.0.1:7890) to the OS settings. Only apps that actively read these settings are affected, such as:

✅ Supports System Proxy

  • Browsers like Chrome, Firefox, Safari
  • Desktop apps like Slack, Discord
  • Most GUI applications

❌ Does NOT support system proxy

  • Terminal / PowerShell / CMD
  • git, curl, wget, npm, pip
  • Docker daemon
  • Some games, UWP apps (like Xbox)

Command-line tools often look for the https_proxy environment variable, but manually setting it for every session is a chore. TUN mode solves this at the network level.

2. How TUN Mode Works

TUN (Tunnel) mode creates a Virtual Network Interface Card (vNIC) and points the system's default route to it, intercepting all outbound traffic at the network layer (L3) for Clash to handle.

3. Who Needs TUN Mode?

Software Developers

Essential for using git, npm, pip, and cargo to access GitHub, npmjs, and other international resources in the terminal.

Docker / Container Users

The Docker daemon doesn't follow system proxy settings. You need TUN mode or specific Docker proxy configs to pull images efficiently.

Gamers

Some game clients (and UWP apps like Xbox Game Pass) ignore system proxies. TUN mode routes game traffic through your smart rules.

Casual Browser Users

If you only use a browser, you don't need TUN mode. Enabling it might add unnecessary system overhead.

4. Enabling TUN in Clash Verge Rev

TUN mode requires admin/root privileges. You'll need to install the "Service Mode" once; after that, it works seamlessly.

  1. Install Service Mode

     Open Clash Verge Rev → Settings → System Settings → Click "Install Service Mode" → Grant admin permissions when prompted.

  2. Enable TUN Mode

     Toggle the "TUN Mode" switch in Settings. The status icon will turn green when active.

  3. Verification

     Open a terminal and run curl -I https://www.google.com. A 200 response confirms TUN is working.

5. TUN Configuration Details

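tun:
  enable: true
  stack: mixed        # mixed is recommended; gvisor is more secure but slightly slower
  auto-route: true    # automatically set up the routing table and take over all traffic
  auto-detect-interface: true
  dns-hijack:         # hijack DNS requests to prevent DNS leaks
    - any:53
  inet4-route-address: # route only these ranges (empty = all)
    - 0.0.0.0/1
    - 128.0.0.0/1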

Clash Verge Rev handles this automatically, so you don't need to edit the YAML file manually.
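
An added example, not code from the original page or from Clash Verge Rev: a Python check that a tun section like the one above leaves no IPv4 range outside the virtual NIC and still hijacks DNS on port 53. The function names and the WEAK_TUN sample are assumptions constructed for illustration, and the config is passed as a dict to avoid a YAML dependency.

```python
import ipaddress

def uncovered_ipv4(routes):
    """IPv4 ranges the TUN routes do not capture ([] = everything is captured)."""
    if not routes:                      # per the page: empty list means route all
        return []
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for cidr in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        nxt = []
        for r in remaining:
            if not r.overlaps(net):
                nxt.append(r)           # untouched by this route
            elif not r.subnet_of(net):
                nxt.extend(r.address_exclude(net))  # route carves a hole in r
            # else: r is fully covered by the route and is dropped
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))

def audit_tun(tun):
    """Return findings for a tun section given as a dict (hypothetical helper)."""
    findings = []
    if not tun.get("enable"):
        findings.append("tun disabled: only proxy-aware apps are covered")
    if not tun.get("auto-route"):
        findings.append("auto-route off: routing table is not taken over")
    if not any(str(e).endswith(":53") for e in tun.get("dns-hijack") or []):
        findings.append("no dns-hijack on port 53: DNS may leak past Clash")
    gaps = uncovered_ipv4(tun.get("inet4-route-address") or [])
    if gaps:
        findings.append("IPv4 not routed via TUN: " + ", ".join(map(str, gaps)))
    return findings

# The page's config, re-typed as a dict.
PAGE_TUN = {"enable": True, "stack": "mixed", "auto-route": True,
            "auto-detect-interface": True, "dns-hijack": ["any:53"],
            "inet4-route-address": ["0.0.0.0/1", "128.0.0.0/1"]}
# Constructed weak variant: DNS hijack removed, upper quarter of IPv4 unrouted.
WEAK_TUN = {"enable": True, "auto-route": True,
            "inet4-route-address": ["0.0.0.0/1", "128.0.0.0/2"]}

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_TUN), ("weak", WEAK_TUN)):
        print(name, audit_tun(cfg) or "ok")
```

The two /1 entries in the page's config together span the whole IPv4 space, which is why the check reports no gaps for it.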

6. Troubleshooting

Help! Browser can't access sites after enabling TUN

Ensure Service Mode is installed correctly (check the tray icon; status should be "Running"). If issues persist, try restarting Clash Verge Rev as an Administrator.

Local websites are slow with TUN mode

Verify that your rules include GEOIP,CN,DIRECT and a local domain check. TUN intercepts everything, but the Clash core still applies your routing logic to keep local traffic direct.

macOS: "Network Extension" permission denied

Go to System Settings → Privacy & Security → Network Extensions and allow Clash Verge Rev. For macOS 15 (Sequoia), check "Security" for additional authorization.
