config.yaml Structure Overview

A complete config file is made up of several top-level fields. Once you understand this table, every section below just expands on how to write one of these fields in detail:

FieldPurpose
port / socks-portLocal HTTP / SOCKS5 proxy port
allow-lanWhether LAN devices can connect to the local proxy
modeRun mode: rule (rule-based routing), global (global proxy), direct (global direct connection)
log-levelLog verbosity: silent / error / warning / info / debug
external-controllerRESTful API listen address, used together with dashboard-style clients
dnsDNS routing and leak-protection settings
proxiesManually written node list (subscription nodes don't need to go here)
proxy-groupsProxy group definitions
proxy-providersRemote node provider (the mechanism behind subscription links)
rule-providersRemote rule set provider
rulesThe final effective routing rule list, matched top to bottom
Note: A subscription link is essentially the client requesting this config.yaml (or its proxies/rules sections) on a fixed schedule and merging it into the local config. Understanding this structure makes troubleshooting subscription issues much easier.

Proxy Protocol Parameters

If you need to add nodes manually (instead of relying entirely on a subscription), here are the core parameters for several mainstream protocols under the proxies field:

Shadowsocks

The core fields are cipher (encryption method, e.g. aes-256-gcm, chacha20-ietf-poly1305) and password. Some nodes also include a plugin (like obfs or v2ray-plugin) for traffic obfuscation.

VMess

Requires uuid and alterId (usually 0 in newer setups); cipher is commonly auto. If the node has TLS enabled, you'll also need to set tls and servername (i.e. SNI).

Trojan

The core fields are password and sni. Trojan forces standard TLS by default, disguising traffic as regular HTTPS, so whether sni matches the certificate domain directly affects usability.

Hysteria2

Based on the QUIC protocol, with password and up / down (upload/download bandwidth hints) as core fields. Typically more stable than traditional TCP protocols on weak or high-latency connections.

WireGuard

The field style differs from the others: it needs a private-key, the peer's public-key, and an ip (this device's address within the WireGuard subnet). Configuration is fairly low-level and providers usually hand you a complete snippet directly.

Click to view example fields for each protocol
proxies:
  - name: "ss-node"
    type: ss
    server: example.com
    port: 443
    cipher: aes-256-gcm
    password: "your-password"

  - name: "trojan-node"
    type: trojan
    server: example.com
    port: 443
    password: "your-password"
    sni: example.com

  - name: "hy2-node"
    type: hysteria2
    server: example.com
    port: 443
    password: "your-password"
    up: "50 Mbps"
    down: "200 Mbps"

Complete Rule Syntax Reference

Rules follow a unified RULE-TYPE,MATCH-VALUE,TARGET-POLICY format, matched top to bottom, stopping at the first hit. Here's the full list of common rule types:

Rule TypeMatchesExample
DOMAINExact domain matchDOMAIN,ad.example.com,REJECT
DOMAIN-SUFFIXDomain suffixDOMAIN-SUFFIX,google.com,PROXY
DOMAIN-KEYWORDKeyword contained in a domainDOMAIN-KEYWORD,youtube,PROXY
DOMAIN-REGEXRegex-matched domainDOMAIN-REGEX,^ad\d+\.com$,REJECT
GEOIPIP geolocation (paired with a GeoIP database)GEOIP,CN,DIRECT
IP-CIDR / IP-CIDR6IPv4 / IPv6 address rangeIP-CIDR,192.168.0.0/16,DIRECT
SRC-IP-CIDRLocal source IP range making the requestSRC-IP-CIDR,192.168.1.100/32,DIRECT
SRC-PORT / DST-PORTSource port / destination portDST-PORT,22,DIRECT
PROCESS-NAMEProcess name making the request (the mechanism behind per-app proxying)PROCESS-NAME,com.app.id,PROXY
RULE-SETReferences a Rule Provider rule setRULE-SET,reject,REJECT
MATCHFallback rule, matches all otherwise unmatched trafficMATCH,PROXY
Note: The more specific and frequently matched a rule is, the earlier it should appear. Placing an expensive DOMAIN-REGEX or large RULE-SET ahead of rules that clearly won't match will slow down every request's matching process.

Provider Mechanics: Proxy Provider & Rule Provider

Providers are Clash's unified mechanism for managing "remote, auto-updatable" resources — a subscription link is essentially a Proxy Provider under the hood, and a rule set is a Rule Provider. Both support automatic periodic updates with no need to manually replace files.

proxy-providers:
  my-sub:
    type: http
    url: "https://example.com/api/v1/subscribe?token=xxx"
    interval: 3600
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300

rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://example.com/rules/reject.txt"
    path: ./rules/reject.txt
    interval: 86400

Here, interval controls the auto-update period (in seconds), health-check has the client periodically batch-test the latency of nodes under the Provider, and behavior tells the client whether the rule set's content is a domain list (domain), an IP range (ipcidr), or full rules (classical).

Advanced Proxy Group Parameters

Besides the basic type and proxies, proxy groups have a few more advanced parameters worth knowing:

  • lazy — When enabled for url-test / fallback groups, latency tests only run in the background once the group is actually in use, reducing resource usage while idle;
  • tolerance — Latency tolerance (in ms). A new node only triggers a switch if its latency is lower than the current node's by more than this value, preventing frequent switching caused by latency-test jitter;
  • strategy (for load-balance groups only) — the load-balancing strategy, commonly consistent-hashing (the same destination always routes through the same node, good for scenarios needing session persistence) or round-robin (nodes are cycled through in order);
  • disable-udp — disables UDP forwarding for nodes in this proxy group; useful when certain nodes or routes don't handle UDP well.

Advanced DNS Configuration

Beyond simply toggling leak protection, DNS settings can also fine-tune resolution behavior:

dns:
  enable: true
  ipv6: false
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  nameserver:
    - https://dns.google/dns-query
    - https://1.1.1.1/dns-query
  fallback:
    - https://1.0.0.1/dns-query
    - https://dns.quad9.net/dns-query
  nameserver-policy:
    "geosite:private": [192.168.1.1]
  fallback-filter:
    geoip: true
    geoip-code: US

enhanced-mode: fake-ip is the most common mode — the client assigns each domain a virtual IP, then resolves the real domain at the proxy layer, offering the best compatibility. nameserver-policy lets you specify which DNS group to use based on domain ownership — for example, resolving your home router or other LAN hostnames via your local router instead of a public resolver — while fallback-filter is used to judge whether a resolution result "looks" tampered with, and decide whether to re-query using the fallback list. Replace the placeholder geoip-code (US here) with your own country code, and swap the sample IPs/domains for whichever local DNS resolvers you actually use.

TUN Mode Parameters Explained

The core TUN mode parameters are as follows:

tun:
  enable: true
  stack: system
  auto-route: true
  auto-detect-interface: true
  dns-hijack:
    - any:53

stack determines how the virtual adapter is implemented — system offers the best compatibility, while gvisor/mixed perform better in certain scenarios. When auto-route is enabled, the client automatically takes over the system routing table; auto-detect-interface lets the client automatically detect the active physical network interface, avoiding manual configuration; dns-hijack forcibly intercepts DNS requests over UDP port 53, preventing apps from bypassing the system DNS settings to query directly.

External Controller & RESTful API

Once external-controller is set, Clash exposes a RESTful API at the specified address. Paired with a dashboard-style client, you can view connections, switch nodes, and check latency in real time — no client restart required.

external-controller: 127.0.0.1:9090
secret: "your-strong-secret"
Security Tip: Always set a secret and make sure external-controller only listens on the local address (127.0.0.1). Binding to 0.0.0.0 without a secret set effectively exposes your proxy's control access to the entire network.

Performance & Security Recommendations

  • Prefer referencing rule sets via RULE-SET instead of flattening hundreds of DOMAIN-SUFFIX entries directly into rules — the former matches faster and is easier to maintain;
  • Place your most frequently hit, most specific rules near the top of the rules list to reduce the average number of match attempts;
  • Avoid leaving log-level set to debug long-term — verbose logs continuously consume disk space and memory;
  • Always set a secret for external-controller, and never reuse the same secret across multiple devices or platforms;
  • Don't set the proxy group's latency-test interval too short — anywhere from tens of seconds to a few minutes is enough to catch node issues promptly; testing too often only adds extra load on nodes and local resources;
  • Keep a separate backup of your custom overrides for rules and proxy groups, so you can quickly restore them after a subscription update or client reinstall.

FAQ

Why don't my config changes take effect?

Most clients require you to manually click "Reload Config" or restart the client to apply changes. If your config is managed via a subscription, editing the local file directly may get overwritten on the next auto-update — use the override feature instead.

What's the difference between RULE-SET and writing rules directly?

The effect is the same — the difference is in maintenance. A RULE-SET is a standalone file that can be updated remotely, so changes to the rules don't require re-importing the whole config. Rules written directly in rules require manually editing the config file itself whenever they change.

How do I choose between fake-ip and redir-host mode?

fake-ip offers better compatibility and speed, and is the mainstream choice today. redir-host works by modifying DNS responses, which can cause issues with certain apps that validate the real IP — only consider switching if you hit a clear compatibility problem under fake-ip mode.

What if the external-controller port is already in use?

Just change the port number in external-controller to another unused one — the common default is 9090. You can also use a system command to check which process is using that port before deciding whether to close it.

How do I troubleshoot a proxy group that keeps failing latency tests?

First confirm whether the test address (the url field) is actually reachable from the node — some test addresses get blocked in certain network environments. You can also try a different public connectivity test address, or check whether the node itself has stopped working.

Can I use multiple Rule Providers at the same time?

Yes — rule-providers supports defining any number of rule sets, and you can reference each one by name via RULE-SET wherever needed in the rules list. Matching still follows the top-to-bottom order.

Haven't covered the basics yet? Start with the Beginner's Guide to learn the fundamentals of subscription imports, proxy groups, and rule-based routing.