My subscription will not refresh. What should I try?

Connect using any working node first, then retry the update. If every node is dead, switch to another network such as mobile hotspot, refresh manually, or ask your provider for a new link.

Complete Clash Setup Guide 2026 (SS/VMess/VLESS)

What Is Clash—and Why People Standardize on It

Clash is one of the most widely deployed open-source proxy front ends because it pairs a flexible rule engine with broad protocol coverage. If your provider hands you nodes over Shadowsocks, VMess, VLESS, Trojan, or newer stacks such as Hysteria2, a maintained Clash derivative can usually consume the same YAML profile without forcing you to rewrite everything by hand. Compared with single-protocol apps or minimalist SOCKS clients, Clash stands out for policy routing: you decide exactly which domains, IP ranges, or geographic regions should hit DIRECT versus PROXY, instead of bluntly sending every packet overseas.

The ecosystem also matured around approachable graphical clients. Delay tests, profile switches, and subscription refresh buttons are now expected defaults, which lowers the barrier if you are onboarding teammates or family members who do not want to live inside a terminal. Cross-platform coverage—Windows, macOS, Linux, Android, and assorted Apple Silicon builds—means you can reuse mental models across machines rather than learning a different UX per operating system.

This guide reflects how power users actually configure Clash in 2026: pick a maintained GUI, import the subscription your reseller publishes, stay on Rule mode for day-to-day browsing, reach for TUN when an app ignores the OS proxy, and know enough YAML to debug Shadowsocks, VMess, and VLESS entries when something breaks.

Step 1: Choose a Clash GUI That Matches Your OS

Upstream Clash is a core; you still need a wrapper application that downloads kernels, renders logs, and exposes toggles for system proxy or TUN. Favor projects that ship timely Mihomo (Clash Meta) builds, because protocol drafts evolve quickly and stale binaries become the root cause of mysterious handshake failures.

Windows

Clash Verge Rev remains the pragmatic default on Windows 10 and Windows 11. It bundles a modern interface, profile manager, override editor, and straightforward shortcuts for system proxy plus TUN. If you previously relied on historic Clash for Windows builds, migrating is mostly a matter of exporting subscription URLs and importing them again—no arcane registry hacks required.

macOS

Apple users typically choose between Clash Verge Rev and ClashX Meta. Verge skews feature-rich and consistent with the Windows build, whereas ClashX Meta stays lighter and menu-bar-centric. On Apple Silicon (M-series chips), download the arm64 artifact so Rosetta is not silently taxing CPU during encrypted bursts.

Android

FlClash and Clash Meta for Android both target users who need Mihomo-level flexibility on mobile, including TUN and decent UDP behavior for real-time apps. Expect slightly different wording in each UI, but the underlying workflow—subscription panel, profile activation, outbound mode switch—is the same story.

💡

Use this site’s download page when you want installers mirrored closer to you instead of chasing GitHub releases during an outage.

Step 2: Import Your Subscription Safely

A subscription URL is effectively a capability secret: anyone who possesses it can mint configuration snapshots tied to your quota. Treat it like an API key—never paste it into public chats, screenshots, or ticket systems unless your provider explicitly asks.

Clash Verge Rev

Open the app and enter the Profiles or Subscriptions section from the sidebar.
Create a new entry and paste the HTTPS link from your provider.
Assign a readable name (“Home reseller”, “Team backup”) so you can spot it later.
Save, wait for the fetch to finish, then activate that profile as the running configuration.
Trigger a manual refresh whenever your dashboard rotates endpoints.

ClashX Meta

Click the menu-bar icon and open the managed configuration panel.
Add a remote config URL identical to the subscription you received.
Let the client download and validate the YAML.
Select the profile before toggling system features.

⚠️

If refreshing fails while every node looks offline, you are stuck in a bootstrap problem: temporarily use another network path (phone hotspot, corporate guest Wi-Fi) just long enough to pull the latest profile.

Step 3: Pick an Outbound Mode You Can Explain

Most YAML bundles expose three high-level behaviors. Understanding them prevents “everything feels slow” support threads.

Mode	Behavior	When to use it
Rule	Evaluates domain/IP policies sequentially	Daily driver for mixed domestic and international traffic
Global	Forces all flows through the chosen proxy group	Short audits or stubborn apps during testing
Direct	Bypasses upstream entirely	Debugging, captive portals, or ISP troubleshooting

Stay on Rule unless you have a compelling reason not to. Providers ship curated rule sets precisely so Chinese mainland destinations remain on DIRECT while foreign assets ride your cheapest latency path.

Step 4: Read the Routing Table Like an Operator

Rules execute top to bottom; the first match wins. Even if you never author YAML manually, recognizing keywords accelerates triage when a single domain misroutes.

Common matchers

DOMAIN pins an exact hostname.
DOMAIN-SUFFIX catches entire subtrees such as youtube.com.
DOMAIN-KEYWORD matches opportunistically—powerful but easy to overfit.
IP-CIDR expresses subnets, often for LAN preservation.
GEOIP shortcuts country buckets like GEOIP,CN,DIRECT.
MATCH terminates the chain as a catch-all.

Proxy groups you will actually click

select — manual picker for city or ASN-specific nodes.
url-test — periodic latency contests among siblings.
fallback — walks an ordered list until something answers.
load-balance — spreads sessions when your reseller allows it.

ℹ️

When only one website fails, switch the governing select group before you blame Clash itself—providers occasionally deprecate individual ingress ports without bumping the subscription version string.

Step 5: Enable the System Proxy Layer

By default Clash listens on localhost ports (commonly mixed HTTP/SOCKS on 7890, variations exist per profile). Flip the System Proxy switch pushes those endpoints into Windows or macOS settings so Chromium-based browsers, Electron apps, and many storefront clients inherit connectivity instantly.

Windows specifics

Clash Verge Rev maps the toggle directly into the OS proxy dialog. After enabling, verify Windows Settings → Network → Proxy shows the loopback address your YAML advertises. Corporate environments sometimes push conflicting PAC files—if traffic still leaks, inspect whether Group Policy reverted your change.

macOS specifics

ClashX Meta labels the action plainly (“Set as system proxy”). On Sonoma and newer builds Apple occasionally prompts for permission the first time; approve it once so future toggles stay frictionless. Remember Terminal sessions spawned before export variables may ignore UI switches until you restart the shell.

Step 6: Deploy TUN When Proxies Are Ignored

TUN installs a virtual NIC so Clash intercepts packets before stubborn apps skip outbound hooks. That matters for UDP-heavy games, some VoIP stacks, and CLI utilities that never consult WinINET or macOS system proxies.

Signals you need TUN

Ping succeeds to domestic hosts but foreign UDP paths collapse.
curl works only after you manually export HTTPS_PROXY.
Game launchers download manifests on DIRECT despite Rule mode showing PROXY.

Activation checklist (Clash Verge Rev)

Exit conflicting VPNs that already occupy the TUN slot.
Launch the client elevated (Administrator on Windows).
Open settings, enable TUN, and approve driver prompts.
Watch the dashboard indicator flip to active; retry your failing app.
If DNS loops appear, align fake-ip settings with your provider documentation.

⚠️

TUN is powerful enough to break captive portals. Toggle it off before joining coffee-shop splash pages, then re-enable once authenticated.

Step 7: Shadowsocks, VMess, and VLESS Field Notes

Subscriptions hide complexity, yet operators still peek at YAML when fingerprints mismatch. Below are minimal skeletons—swap hostnames, UUIDs, and TLS settings to mirror what your reseller publishes.

Shadowsocks

proxies:
  - name: "SS-HK-01"
    type: ss
    server: hk.example.com
    port: 8388
    cipher: aes-256-gcm
    password: your-password
    udp: true

VMess over WebSocket

proxies:
  - name: "VMess-US-443"
    type: vmess
    server: us.example.com
    port: 443
    uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    alterId: 0
    cipher: auto
    tls: true
    network: ws
    ws-opts:
      path: /mesh
      headers:
        Host: us.example.com

VLESS with TLS flow

proxies:
  - name: "VLESS-JP-vision"
    type: vless
    server: jp.example.com
    port: 443
    uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    network: tcp
    tls: true
    flow: xtls-rprx-vision

When a protocol upgrade rolls out—say Reality fronts replacing legacy TLS fingerprints—your GUI’s kernel channel must refresh independently of the YAML fetch. If handshake logs mention unknown transport names, update the core before rewriting nodes.

Step 8: Troubleshoot Like Production Staff

Timeouts or every latency test failing

Confirm the reseller status page; regional outages look like client bugs.
Rotate cipher suites or transports if your ISP shapes certain ports.
Whitelist Clash inside Defender or third-party firewalls.
Inspect DNS: polluted responses strand you before TCP even begins.

Subscription fetch loops

Attach to any still-working node manually.
Invoke refresh from that healthy path.
If nothing answers, download out-of-band and import locally.

DNS leakage worries

Encrypted DNS upstreams reduce spoofing risk. A representative snippet:

dns:
  enable: true
  enhanced-mode: fake-ip
  nameserver:
    - https://dns.cloudflare.com/dns-query
    - https://dns.google/dns-query
  fallback:
    - https://1.1.1.1/dns-query

Throughput feels capped

Benchmark multiple cities; congestion is often geographic, not cryptographic.
Validate Rule mode is not accidentally directing CDN hosts overseas.
Schedule heavy pulls outside peak residential evening hours.

Advanced Habits Worth Adopting

Automate subscription polling

Set sane intervals—often twelve to twenty-four hours—so node churn propagates without manual clicks. Pair automation with notifications from your provider when they wholesale swap ingress clusters.

Manage multiple resellers

Power users keep discrete profiles per vendor, then merge select proxy groups through overrides when they want a single mega-selector. Document naming conventions so teammates know which chain owns latency-sensitive traffic.

Prefer overrides to forked YAML

Patching vendor files directly guarantees merge pain tomorrow. Override layers let you append bespoke DIRECT exceptions while preserving upstream updates.

Quick FAQ

Which protocols does Clash support? Mihomo-class cores routinely ship Shadowsocks, VMess, VLESS (plus TLS/Reality variants), Trojan, and adaptive transports such as Hysteria2—confirm against release notes because optional modules differ per build.

Should I use Rule mode or Global mode? Rule mode preserves domestic performance; Global mode is best treated like a temporary wrench, not a lifestyle.

When do I need TUN mode? Whenever applications bypass OS proxy hooks—games, certain SDKs, stubborn CLI tooling—or when UDP must traverse the same policy stack as TCP.

My subscription will not refresh—then what? Bootstrap connectivity first, refresh second. Mobile tethering or an offline bundle from support solves the chicken-and-egg deadlock.

Why Clash Still Wins Against One-Click Alternatives

All-in-one VPN apps optimize for simplicity, but they rarely expose tunable routing matrices or let you pin finance portals to DIRECT while creative SaaS tabs ride low-latency exit nodes. Browser-only extensions cannot rescue desktop IDEs, sync daemons, or mobile push pipelines. Clash gives you inspectable YAML, community rule feeds, and GUI ergonomics that survived years of regulatory pressure precisely because operators could adapt faster than monolithic clients.

If you are graduating from a frozen fork or a proprietary shim that has not shipped security patches lately, migrating to a maintained Mihomo-backed GUI restores protocol parity without sacrificing transparency—you keep the audit trail in Git-friendly text instead of opaque binaries.

Grab verified installers from our download hub when you want dependable mirrors and checksum-friendly releases rather than hunting scattered forks mid-incident.

Download Clash from the official mirror →

Complete Clash Configuration Tutorial 2026: Supports Shadowsocks/VMess/VLESS