Skip to content
On this page

TUN Device

The Premium core has out-of-the-box support of TUN device. Being a Network layer device, it can be used to handle TCP, UDP, ICMP traffic. It has been extensively tested and used in production environments - you can even play competitive games with it.

One of the biggest advantage of using ClashT TUN is the built-in support of the automagic management of the route table, routing rules and nftable. You can enable it with the options and It's a drop-in replacement of the ancient configuration option redir-port (TCP) for the sake of easier configuration and better stability.

TIP is only available on macOS, Windows, Linux and Android, and only receives IPv4 traffic. is only available on Linux(needs netlink support in the kernel).

There are two options of TCP/IP stack available: system or gvisor. In order to get the best performance available, we recommend that you always use system stack unless you have a specific reason or compatibility issue to use gvisor. If that's the case, do not hesitate to submit an issue.

Technical Limitations

  • For Android, the control device is at /dev/tun instead of /dev/net/tun, you will need to create a symbolic link first (i.e. ln -sf /dev/tun /dev/net/tun)

  • DNS hijacking might result in a failure, if the system DNS is at a private IP address (since auto-route does not capture private network traffic).

Linux, macOS or Android

This is an example configuration of the TUN feature:

interface-name: en0 # conflict with ``

  enable: true
  stack: system # or gvisor
  # dns-hijack:
  #   -
  #   - tcp://
  #   - any:53
  #   - tcp://any:53
  auto-route: true # manage `ip route` and `ip rules`
  auto-redir: true # manage nftable REDIRECT
  auto-detect-interface: true # conflict with `interface-name`

Be advised, since the use of TUN device and manipulation of system route/nft settings, ClashT will need superuser privileges to run.

sudo ./clash

If your device already has some TUN device, ClashT TUN might not work - you will have to check the route table and routing rules manually. In this case, fake-ip-filter may helpful as well.


You will need to visit the WinTUN website and download the latest release. After that, copy wintun.dll into ClashT home directory. Example configuration:

  enable: true
  stack: gvisor # or system
    - # when `fake-ip-range` is, should hijack
  auto-route: true # auto set global route for Windows
  # It is recommended to use `interface-name`
  auto-detect-interface: true # auto detect interface, conflict with `interface-name`