The Core Difference
Clash has two main ways to intercept traffic: System Proxy and TUN mode. The fundamental difference is at which layer traffic is intercepted.
System Proxy operates at the application layer, relying on the OS proxy configuration API. Only applications that actively respect that setting will route through Clash. TUN mode operates at the network layer, creating a virtual network interface deep in the OS network stack that intercepts virtually all outgoing packets — completely transparent to applications. This fundamental difference defines the capability boundaries of each mode.
Once you understand this distinction, the choice becomes clear: use System Proxy for everyday browsing and most apps; use TUN mode when you need full-stack traffic coverage including UDP, gaming, or proxy-unaware applications. Many power users keep both enabled simultaneously for maximum coverage.
What Is System Proxy?
System Proxy is a built-in proxy configuration mechanism in operating systems. Windows manages it via registry keys and Settings → Network → Proxy; macOS manages it via System Settings → Network → Proxies. When Clash enables System Proxy, it automatically updates these settings to point to Clash's local listening ports (default: HTTP proxy on 7890, SOCKS5 on 7891).
When an application makes a network request, if it reads and respects the system proxy config, the request is first sent to Clash, which then applies your rules to decide whether to connect directly or forward to a remote node. The whole process is invisible to the user.
What Traffic Does System Proxy Cover?
- All major browsers (Chrome, Firefox, Safari, Edge, Arc, Brave, etc.) — they follow system proxy settings by default, making web browsing the primary use case for System Proxy.
- Most proxy-aware desktop apps — Telegram, Slack, VS Code extension downloads, npm/pip package managers (after configuration), and many others.
- Command-line tools — set `http_proxy=http://127.0.0.1:7890` and `https_proxy=http://127.0.0.1:7890` in your terminal to route curl, wget, git clone, and similar tools through Clash.
Limitations of System Proxy
- UDP traffic: HTTP/SOCKS5 proxy protocols are fundamentally TCP-based and cannot directly proxy UDP packets. This means online gaming (most game clients use UDP for real-time data), DNS queries, QUIC-based connections, and some video calls won't be routed through System Proxy.
- Windows UWP apps: Microsoft Store apps (Xbox app, Microsoft Store itself, Minecraft UWP, etc.) run in an isolated network sandbox and can't read system proxy settings — they bypass the proxy by default.
- Proxy-unaware programs: Some applications intentionally or by design ignore system proxy settings and establish direct connections. System Proxy has no effect on these.
- ICMP protocol: The `ping` command uses ICMP, which is completely separate from TCP/UDP — System Proxy has no effect on ICMP traffic.
What Is TUN Mode?
TUN (TUNnel) is a virtual network device interface supported by Linux, macOS, and Windows kernels. When Clash enables TUN mode, it creates a virtual network interface called Meta (or utun on macOS) and modifies the routing table to point the default gateway at that virtual interface.
After that, all outbound traffic from the system passes through this virtual interface into Clash, where the rule engine decides what to do with each packet — connect directly, forward through a proxy, or reject. Since interception happens deep in the network stack, applications are completely unaware of the process — it feels just like using a normal network connection. There's no need for applications to support proxies at all.
The Mihomo core's TUN implementation also includes built-in DNS hijacking: it forwards system DNS queries to Clash's internal DNS resolver, effectively preventing DNS leaks — where DNS queries bypass the proxy and go directly to your ISP's DNS server, potentially revealing which domains you're querying.
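As an added example (not from the original page or the Mihomo project), the Python lint below checks an already-parsed config for the TUN and DNS hijacking settings described above. The key names (`tun.enable`, `tun.stack`, `tun.dns-hijack`, `dns.enable`, `dns.enhanced-mode`, `dns.nameserver`) are assumed to follow the Mihomo config schema; both sample configs and the resolver URL are constructed.

```python
# Added example, not Clash/Mihomo project code: lint a parsed config for the
# TUN and DNS settings this page relies on. Both sample configs are constructed.
VALID_STACKS = {"mixed", "system", "gvisor"}
PAGE_DNS_MODES = {"fake-ip", "redir-host"}  # the two DNS modes the page discusses


def audit_tun_dns(config: dict) -> list[str]:
    """Return findings; an empty list means no gap was detected."""
    findings = []
    tun = config.get("tun") or {}
    dns = config.get("dns") or {}

    if not tun.get("enable", False):
        # System Proxy alone covers only proxy-aware TCP clients.
        return ["tun.enable is off: UDP, ICMP and proxy-unaware apps bypass Clash"]

    stack = tun.get("stack")  # omitted means the core's default stack is used
    if stack is not None and str(stack).lower() not in VALID_STACKS:
        findings.append(f"tun.stack {stack!r} is not one of {sorted(VALID_STACKS)}")

    # DNS hijacking needs at least one entry on port 53, e.g. "any:53".
    hijack = tun.get("dns-hijack") or []
    if not any(str(entry).endswith(":53") for entry in hijack):
        findings.append("tun.dns-hijack has no port-53 entry: system DNS is not redirected")

    if not dns.get("enable", False):
        findings.append("dns.enable is off: Clash's internal DNS resolver is not configured")
    else:
        mode = dns.get("enhanced-mode")
        if mode is not None and mode not in PAGE_DNS_MODES:
            findings.append(f"dns.enhanced-mode {mode!r} is neither fake-ip nor redir-host")
        if not dns.get("nameserver"):
            findings.append("dns.nameserver is empty: no upstream resolver is set")
    return findings


# Constructed samples, shaped like yaml.safe_load() output for a config file.
HARDENED = {
    "tun": {"enable": True, "stack": "mixed", "dns-hijack": ["any:53"]},
    "dns": {"enable": True, "enhanced-mode": "fake-ip",
            "nameserver": ["https://dns.example/dns-query"]},  # placeholder URL
}
LEAKY = {"tun": {"enable": True, "stack": "gvisor"}, "dns": {"enable": False}}

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("leaky", LEAKY)):
        print(name, audit_tun_dns(cfg) or "no findings")
```

To run it against a real file, load the YAML with a parser of your choice and pass the resulting dict to `audit_tun_dns`.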
Side-by-Side Comparison
| Feature | System Proxy | TUN Mode |
|---|---|---|
| TCP traffic | ✓ Supported | ✓ Supported |
| UDP traffic | ✗ Not supported | ✓ Supported |
| ICMP (ping) | ✗ Not supported | ✓ Supported |
| Game traffic | ✗ Usually not supported | ✓ Supported |
| Windows UWP apps | ✗ Not supported | ✓ Supported |
| Admin privileges | Not required | Required |
| Ease of setup | Easy (one click) | Slightly complex |
| DNS leak prevention | ✗ No effect | ✓ Built-in DNS control |
| Proxy-unaware apps | ✗ Bypasses proxy | ✓ Fully covered |
When to Use Each Mode
Choose System Proxy when:
- You need everyday web browsing and most desktop apps routed through Clash.
- You're on a managed corporate computer and don't have administrator privileges.
- You're just getting started with Clash — System Proxy is simpler to enable and covers the majority of use cases with zero configuration.
- You're on a stable network with low risk of DNS leaks and don't need UDP coverage.
Choose TUN Mode (or both) when:
- You play online games and need UDP traffic routed through the proxy for lower in-game ping or accessing foreign game servers.
- You use Windows UWP apps (Microsoft Store games, Xbox app, etc.) and want them to go through Clash.
- You want all traffic from every application — including those that ignore system proxy — routed through Clash.
- You're on an untrusted network and want DNS leak protection to prevent your ISP from logging your DNS queries.
How to Enable TUN Mode
In Clash Verge Rev, navigate to "Settings" → "Clash Settings" → toggle the "TUN Mode" switch. The first time you enable it, a system authorization dialog will appear — click Allow to grant the required permissions. TUN mode can be used alongside System Proxy (recommended: keep both enabled for maximum traffic coverage). If TUN mode causes connectivity issues on your system, try switching the TUN stack from "Mixed" to "System" in the advanced settings.
TUN Stack Types: Mixed vs. System vs. gVisor
Clash Verge Rev offers three TUN stack implementations, each with different trade-offs:
- Mixed (default): Uses a mixed TCP/UDP stack. Offers the best balance of performance and compatibility for most users. Recommended for everyday use — handles both TCP and UDP traffic efficiently.
- System: Delegates to the OS network stack. More stable on some systems (especially macOS), with slightly higher latency than Mixed. A good fallback if Mixed causes instability.
- gVisor: A user-space TCP/IP implementation from Google. Provides strong isolation and works in environments where kernel-level network access is restricted. Higher CPU overhead than the other two options — use only if System and Mixed don't work on your platform.
For most users, leaving the stack on "Mixed" is the right choice. Only switch if you encounter connection issues or specific platform constraints.
Common TUN Mode Issues
TUN mode is powerful but occasionally requires troubleshooting. Here are the most common issues and fixes:
- No internet after enabling TUN: Usually a routing table conflict. Try disabling and re-enabling TUN mode. If the problem persists, restart Clash Verge Rev with administrator privileges. On Windows, check if any VPN software is running simultaneously — two TUN drivers can conflict.
- DNS not working: TUN mode includes DNS hijacking, which can conflict with local DNS setups. If DNS queries fail, try switching the "DNS Mode" in Clash settings from "ReDirect" to "FakeIP" or vice versa. Ensure the DNS nameservers in your Clash config file point to reliable, reachable servers.
- Authorization prompt on every launch (macOS): This is normal behavior on macOS — creating a TUN interface requires root privileges each session. You can grant persistent access via "System Settings → Privacy & Security" by adding Clash Verge Rev to the list of apps with full network access.
- High CPU usage: TUN mode does add some overhead versus System Proxy due to kernel-userspace context switching. If CPU usage is unacceptably high, try switching from "gVisor" to "Mixed" or "System" stack, or reduce the number of active connections being routed through the proxy simultaneously.
- VPN app stops working: Some VPN applications also create TUN interfaces and may conflict with Clash's TUN. Either use Clash in System Proxy mode alongside your VPN, or configure Clash to route only specific traffic while leaving VPN traffic unaffected by adjusting your rule set.
For more configuration details, see the detailed tutorials or our Help Center. For rule-based traffic splitting, refer to the Rule-Based Routing guide.