config.yaml Structure Overview
A complete config file is made up of several top-level fields. Once you understand this table, every section below just expands on how to write one of these fields in detail:
| Field | Purpose |
|---|---|
port / socks-port | Local HTTP / SOCKS5 proxy port |
allow-lan | Whether LAN devices can connect to the local proxy |
mode | Run mode: rule (rule-based routing), global (global proxy), direct (global direct connection) |
log-level | Log verbosity: silent / error / warning / info / debug |
external-controller | RESTful API listen address, used together with dashboard-style clients |
dns | DNS routing and leak-protection settings |
proxies | Manually written node list (subscription nodes don't need to go here) |
proxy-groups | Proxy group definitions |
proxy-providers | Remote node provider (the mechanism behind subscription links) |
rule-providers | Remote rule set provider |
rules | The final effective routing rule list, matched top to bottom |
config.yaml (or its proxies/rules sections) on a fixed schedule and merging it into the local config. Understanding this structure makes troubleshooting subscription issues much easier.
Proxy Protocol Parameters
If you need to add nodes manually (instead of relying entirely on a subscription), here are the core parameters for several mainstream protocols under the proxies field:
Shadowsocks
The core fields are cipher (encryption method, e.g. aes-256-gcm, chacha20-ietf-poly1305) and password. Some nodes also include a plugin (like obfs or v2ray-plugin) for traffic obfuscation.
VMess
Requires uuid and alterId (usually 0 in newer setups); cipher is commonly auto. If the node has TLS enabled, you'll also need to set tls and servername (i.e. SNI).
Trojan
The core fields are password and sni. Trojan forces standard TLS by default, disguising traffic as regular HTTPS, so whether sni matches the certificate domain directly affects usability.
Hysteria2
Based on the QUIC protocol, with password and up / down (upload/download bandwidth hints) as core fields. Typically more stable than traditional TCP protocols on weak or high-latency connections.
WireGuard
The field style differs from the others: it needs a private-key, the peer's public-key, and an ip (this device's address within the WireGuard subnet). Configuration is fairly low-level and providers usually hand you a complete snippet directly.
Click to view example fields for each protocol
proxies:
- name: "ss-node"
type: ss
server: example.com
port: 443
cipher: aes-256-gcm
password: "your-password"
- name: "trojan-node"
type: trojan
server: example.com
port: 443
password: "your-password"
sni: example.com
- name: "hy2-node"
type: hysteria2
server: example.com
port: 443
password: "your-password"
up: "50 Mbps"
down: "200 Mbps"
Complete Rule Syntax Reference
Rules follow a unified RULE-TYPE,MATCH-VALUE,TARGET-POLICY format, matched top to bottom, stopping at the first hit. Here's the full list of common rule types:
| Rule Type | Matches | Example |
|---|---|---|
DOMAIN | Exact domain match | DOMAIN,ad.example.com,REJECT |
DOMAIN-SUFFIX | Domain suffix | DOMAIN-SUFFIX,google.com,PROXY |
DOMAIN-KEYWORD | Keyword contained in a domain | DOMAIN-KEYWORD,youtube,PROXY |
DOMAIN-REGEX | Regex-matched domain | DOMAIN-REGEX,^ad\d+\.com$,REJECT |
GEOIP | IP geolocation (paired with a GeoIP database) | GEOIP,CN,DIRECT |
IP-CIDR / IP-CIDR6 | IPv4 / IPv6 address range | IP-CIDR,192.168.0.0/16,DIRECT |
SRC-IP-CIDR | Local source IP range making the request | SRC-IP-CIDR,192.168.1.100/32,DIRECT |
SRC-PORT / DST-PORT | Source port / destination port | DST-PORT,22,DIRECT |
PROCESS-NAME | Process name making the request (the mechanism behind per-app proxying) | PROCESS-NAME,com.app.id,PROXY |
RULE-SET | References a Rule Provider rule set | RULE-SET,reject,REJECT |
MATCH | Fallback rule, matches all otherwise unmatched traffic | MATCH,PROXY |
DOMAIN-REGEX or large RULE-SET ahead of rules that clearly won't match will slow down every request's matching process.
Provider Mechanics: Proxy Provider & Rule Provider
Providers are Clash's unified mechanism for managing "remote, auto-updatable" resources — a subscription link is essentially a Proxy Provider under the hood, and a rule set is a Rule Provider. Both support automatic periodic updates with no need to manually replace files.
proxy-providers:
my-sub:
type: http
url: "https://example.com/api/v1/subscribe?token=xxx"
interval: 3600
health-check:
enable: true
url: http://www.gstatic.com/generate_204
interval: 300
rule-providers:
reject:
type: http
behavior: domain
url: "https://example.com/rules/reject.txt"
path: ./rules/reject.txt
interval: 86400
Here, interval controls the auto-update period (in seconds), health-check has the client periodically batch-test the latency of nodes under the Provider, and behavior tells the client whether the rule set's content is a domain list (domain), an IP range (ipcidr), or full rules (classical).
Advanced Proxy Group Parameters
Besides the basic type and proxies, proxy groups have a few more advanced parameters worth knowing:
lazy— When enabled forurl-test/fallbackgroups, latency tests only run in the background once the group is actually in use, reducing resource usage while idle;tolerance— Latency tolerance (in ms). A new node only triggers a switch if its latency is lower than the current node's by more than this value, preventing frequent switching caused by latency-test jitter;strategy(forload-balancegroups only) — the load-balancing strategy, commonlyconsistent-hashing(the same destination always routes through the same node, good for scenarios needing session persistence) orround-robin(nodes are cycled through in order);disable-udp— disables UDP forwarding for nodes in this proxy group; useful when certain nodes or routes don't handle UDP well.
Advanced DNS Configuration
Beyond simply toggling leak protection, DNS settings can also fine-tune resolution behavior:
dns:
enable: true
ipv6: false
enhanced-mode: fake-ip
fake-ip-range: 198.18.0.1/16
nameserver:
- https://dns.google/dns-query
- https://1.1.1.1/dns-query
fallback:
- https://1.0.0.1/dns-query
- https://dns.quad9.net/dns-query
nameserver-policy:
"geosite:private": [192.168.1.1]
fallback-filter:
geoip: true
geoip-code: US
enhanced-mode: fake-ip is the most common mode — the client assigns each domain a virtual IP, then resolves the real domain at the proxy layer, offering the best compatibility. nameserver-policy lets you specify which DNS group to use based on domain ownership — for example, resolving your home router or other LAN hostnames via your local router instead of a public resolver — while fallback-filter is used to judge whether a resolution result "looks" tampered with, and decide whether to re-query using the fallback list. Replace the placeholder geoip-code (US here) with your own country code, and swap the sample IPs/domains for whichever local DNS resolvers you actually use.
TUN Mode Parameters Explained
The core TUN mode parameters are as follows:
tun:
enable: true
stack: system
auto-route: true
auto-detect-interface: true
dns-hijack:
- any:53
stack determines how the virtual adapter is implemented — system offers the best compatibility, while gvisor/mixed perform better in certain scenarios. When auto-route is enabled, the client automatically takes over the system routing table; auto-detect-interface lets the client automatically detect the active physical network interface, avoiding manual configuration; dns-hijack forcibly intercepts DNS requests over UDP port 53, preventing apps from bypassing the system DNS settings to query directly.
External Controller & RESTful API
Once external-controller is set, Clash exposes a RESTful API at the specified address. Paired with a dashboard-style client, you can view connections, switch nodes, and check latency in real time — no client restart required.
external-controller: 127.0.0.1:9090
secret: "your-strong-secret"
secret and make sure external-controller only listens on the local address (127.0.0.1). Binding to 0.0.0.0 without a secret set effectively exposes your proxy's control access to the entire network.
Performance & Security Recommendations
- Prefer referencing rule sets via
RULE-SETinstead of flattening hundreds ofDOMAIN-SUFFIXentries directly intorules— the former matches faster and is easier to maintain; - Place your most frequently hit, most specific rules near the top of the
ruleslist to reduce the average number of match attempts; - Avoid leaving
log-levelset todebuglong-term — verbose logs continuously consume disk space and memory; - Always set a
secretforexternal-controller, and never reuse the same secret across multiple devices or platforms; - Don't set the proxy group's latency-test interval too short — anywhere from tens of seconds to a few minutes is enough to catch node issues promptly; testing too often only adds extra load on nodes and local resources;
- Keep a separate backup of your custom overrides for rules and proxy groups, so you can quickly restore them after a subscription update or client reinstall.
FAQ
Why don't my config changes take effect?
Most clients require you to manually click "Reload Config" or restart the client to apply changes. If your config is managed via a subscription, editing the local file directly may get overwritten on the next auto-update — use the override feature instead.
What's the difference between RULE-SET and writing rules directly?
The effect is the same — the difference is in maintenance. A RULE-SET is a standalone file that can be updated remotely, so changes to the rules don't require re-importing the whole config. Rules written directly in rules require manually editing the config file itself whenever they change.
How do I choose between fake-ip and redir-host mode?
fake-ip offers better compatibility and speed, and is the mainstream choice today. redir-host works by modifying DNS responses, which can cause issues with certain apps that validate the real IP — only consider switching if you hit a clear compatibility problem under fake-ip mode.
What if the external-controller port is already in use?
Just change the port number in external-controller to another unused one — the common default is 9090. You can also use a system command to check which process is using that port before deciding whether to close it.
How do I troubleshoot a proxy group that keeps failing latency tests?
First confirm whether the test address (the url field) is actually reachable from the node — some test addresses get blocked in certain network environments. You can also try a different public connectivity test address, or check whether the node itself has stopped working.
Can I use multiple Rule Providers at the same time?
Yes — rule-providers supports defining any number of rule sets, and you can reference each one by name via RULE-SET wherever needed in the rules list. Matching still follows the top-to-bottom order.
Haven't covered the basics yet? Start with the Beginner's Guide to learn the fundamentals of subscription imports, proxy groups, and rule-based routing.