Lainbo's Blog

Clash Verge Series Best Practices

About Some Client Authors Stopping Updates

These clients have stopped updating; does it affect our usage? To know the answer to this question, we first need to understand a concept: software like Clash Verge (open source), Clash for Windows, and Clash X Pro are just a shell used to interface with core functionalities; only this shell has stopped updating.

Common cores include Clash Premium and Clash Meta (open source).

Since both Clash Verge and its switchable core Clash Meta are open source, we should prioritize this combination, which will also be used in the following text.

Can we continue to use them?

Of course, the explanation is as follows:

  1. Just like using a radio (Clash Verge), you wouldn't immediately throw away your radio just because the manufacturer (author) has gone out of business (stopped updating).
  2. All the schematics for the radio's components are public (open source), so you don't need to worry about it possibly having some bad background programs implanted.
  3. The shell buttons (Clash Verge) allow us to more easily control the motherboard components (Clash Meta core) inside the radio to perform their tasks. As long as the way this shell button (Clash Verge) controls the radio motherboard (Clash Meta core) is not problematic, we can use it.
  4. The shell stopping updates means that the radio shell will not gain new buttons.
  5. The core stopping updates means that the radio motherboard will not update its functionalities, and that's all.
  6. The radio can play sound (turn on magic) because you input the correct FM frequency (subscription link). As long as the station (airport) is still broadcasting (service), and as long as your shell and core are still there, it won't affect your ability to play sound (turn on magic).

Finally, we need to clarify that the operations related to privacy protection mentioned below are not absolutely safe. Just like wanting to know what you're doing at home, someone could rummage through your trash downstairs to make inferences, monitor you with a telescope, blow up your ceiling, or force their way in with a cannon to take a look. Network monitoring is similar; it depends on your behavior online and whether it's worth using those advanced methods. You can't just not install a security door because a bulldozer can break it down.

Currently Available Open Source Clash Verge Clients

There are now several clients based on Clash Verge that continue to be developed and maintained. I highly recommend Clash Verge Rev, which will be demonstrated in the following articles.

The configurations mentioned later have been adapted for Clash Verge Rev ≥ v1.7 and have been used for quite some time, so feel free to use them.

Why this software?

Excellent multi-platform compatibility—Clash Verge Rev supports Windows, macOS, and Linux. If you follow the tutorial below, you will ultimately get a new subscription link. On iOS, you can generate a QR code from this new subscription link, use the Shadowrocket app, click the "+" icon, find "Scan QR Code" below, and import it for use on iOS devices; Stash can directly use the generated link, and the best practice operations below only need to be executed once to apply across multiple devices.

TL;DR Version

  1. Subscription conversion (mandatory for all platforms)
  2. Enable TUN mode, disable proxy (optional)
  3. Disable browser secure DNS address, set DNS address (optional for all PCs; if you performed step 2, this step is mandatory)
  4. Set system DNS to automatic (optional)
  5. Disable browser QUIC (mandatory for all PCs)
  6. Set local China IP database (optional)

Resolving Subscription Split Rules Issues

After obtaining the subscription link, the first step should be subscription conversion to improve its split rules (because the split rules provided by the service provider often only have a few hundred entries and are not comprehensive; many people can use Clash but cannot access New Bing, which is a good example).

Online subscription conversion not only converts Shadowsocks, V2ray, and Trojan subscription links into subscription formats used by Clash, Stash, V2ray, Quantumult X, Surge, etc., but it also supports many advanced operations. However, this article will only aim for sufficient functionality, rather than exploring all its features.

Although online subscription conversion websites are useful, they also carry certain privacy risks, so caution is advised. It is recommended that technically skilled friends set up their own online subscription conversion platform.

Subscription Conversion Website

I have set up a subscription conversion website, which will be used as an example below.

Visit: https://sub.lainbo.com/

Steps to Operate

image

Generally, this should already allow for fairly perfect usage, and it includes some additional features from the remote configuration file I wrote.

Determining if the Rule File Has Been Successfully Applied

After pulling the subscription, you should see automatic nodes like “🌿 Auto Select”, “🇭🇰 Hong Kong Auto”, “🇨🇳 Taiwan Auto”, “🇸🇬 Singapore Auto”, “🇺🇸 USA Auto”, “🇯🇵 Japan Auto” in the nodes. If you can see these automatic nodes, then you have successfully applied my rules to your subscription.

It is recommended to choose these automatic nodes when there are no special requirements, as the automatic nodes will help you use the node with the lowest latency among the corresponding country/region nodes.

About Remote Configuration

What is this remote configuration, and what functions can it provide for your subscription? You can open the link to the original "Remote Configuration", where there are annotations at the top.

Resolving DNS Leak Issues

A DNS leak is the situation where, while using a VPN or another privacy service, the user's DNS queries are sent in plaintext from the user's real IP address to the ISP's DNS server (for example China Unicom's or China Mobile's) instead of going through the secure, anonymous DNS server configured by the VPN. If you see the Chinese flag on websites like DNS Leak Test or ipleak, you should be aware that a DNS leak may have occurred.

If a leak does occur, what problems might arise? I don't know what it might lead to, but you might receive messages like the ones below:
image
image
I think it's best to avoid letting them know about this. Although no one knows the specific detection mechanism, it is most likely obtained at the network level: in a typical home network topology, whatever Wireshark can see on your LAN, the ISP can also see upstream, and plaintext DNS queries to resolvers like 114.114.114.114 or 223.5.5.5 make it very clear which websites you accessed.

This leads to the first usage tip: enable TUN mode in Clash and disable the system proxy.

The difference from the ordinary system proxy mode is that in TUN mode, Clash creates a virtual network adapter that takes over all network traffic at the network layer.

The ordinary system proxy mode relies on one program's user-level permissions to redirect the traffic of other programs, and there are always applications that do not honour the system proxy setting and cannot be intercepted, such as games or command-line tools, so their traffic (DNS queries included) goes out unproxied. Therefore, we should enable TUN mode and disable the system proxy, letting the virtual adapter handle interception instead of relying on each application.

Operation One (Enable TUN Mode)

  1. First, switch the core of Clash Verge to the open-source Clash Meta core, then restart the entire Clash Verge to ensure it takes effect (the new version of Clash Verge Rev should default to Meta).

    (Clash Meta may have different names in different clients later on; if you see the core name as Mihomo, it is also Meta.)

    image

  2. Install the service, enable TUN mode, enable strict routing, and click the numbered sequence in the image below in order.

    image

    If the service mode cannot be installed:

    • Windows users can try running sc delete clash_verge_service in the system command line (PowerShell) to delete the leftover Clash Verge service. This can happen when a previous Clash Verge installation did not remove this service during uninstallation, which prevents the new installation from registering it.
    • Mac/Linux users should click the gear icon ⚙️ in the settings of the Clash Core and select "Authorize".
    • For other troubleshooting, refer to https://github.com/clash-verge-rev/clash-verge-rev/issues/125.
  3. At this point, you need to restart the Clash software, then click the gear icon ⚙️ next to TUN mode, and select the TUN stack mode as Mixed, which is also the recommended option, and enable "Strict Routing".

    • Frontend developers need to note:

      If strict routing is enabled, a Vite dev server started with the default npm run vite dev may not be reachable at http://localhost:5173. The solution is to tell the Vite server which IP address to listen on.

      Either of the following two methods solves the issue; choose one:

      1. Modify package.json (add --host; note that JSON allows no trailing comma after the last entry):

        "scripts": {
          "dev": "vite --host"
        }

      2. Or modify vite.config.ts (set the host to 0.0.0.0 in the server block):

        import { defineConfig } from 'vite'

        export default defineConfig({
          server: {
            host: '0.0.0.0',
          },
        })


    image

Operation Two (Adjust Group Policy, Mac Skip)

Resolving this issue is also quite simple. The problem arises because Windows defaults to smart multi-homed name resolution, which sends DNS queries out through all network adapters in parallel, so a query can leave via the physical adapter instead of the TUN adapter. We just need to disable this feature in Group Policy (the Group Policy editor is not available in Windows Home Edition): press Win+R, type gpedit.msc, and click OK.

image

Thus, we have resolved the potential DNS leak issue with Clash on Windows.

However, it cannot guarantee that ipleak will not detect it. Although I can add ipleak to the rules, doing so would be burying my head in the sand. As long as certain blacklisted websites are not leaked, and you do not receive messages like the ones above, I think that is sufficient.

Operation Three (Use a Stable DNS)

For DNS, some may suggest using the ISP's DNS. The ISP's DNS is only suitable for novice users, since it may not even block fraudulent sites, so it is recommended to use the public DNS of major domestic companies instead.

  1. Disable QUIC in the browser; ISPs in mainland China throttle UDP, so QUIC, although an excellent protocol, actually performs worse on mainland Chinese networks.

    Set about://flags/#enable-quic to Disabled (then click the restart prompt that appears at the bottom so the change takes effect).

  2. Disable "Secure DNS" in the browser:

    • Chrome: chrome://settings/security

      【Use Secure DNS】 (In the new version of Chrome, it is called 【Encrypt the names of the websites you visit】), disable it.

    • Edge: edge://settings/privacy

      Find 【Security】 -【Use secure DNS to specify how to look up the network address of websites】, disable it.

  • If your Clash Verge Rev version < 1.7:

    1. In Clash Verge's 【Configuration】, click the new button in the upper right corner and perform the following operations.

    image

    2. Right-click the newly created card, select "Edit File", and input the following content, save it, and right-click the card to enable it.

      image

      function main(content) {
        const isObject = (value) => {
          return value !== null && typeof value === 'object'
        }
      
        const mergeConfig = (existingConfig, newConfig) => {
          if (!isObject(existingConfig)) {
            existingConfig = {}
          }
          if (!isObject(newConfig)) {
            return existingConfig
          }
          return { ...existingConfig, ...newConfig }
        }
      
        const cnDnsList = [
          'https://1.12.12.12/dns-query',
          'https://223.5.5.5/dns-query',
        ]
        
        // Most network requests are resolved through these; currently Tencent's, Alibaba's and ByteDance's DNS.
        const trustDnsList = [
          'https://doh.pub/dns-query', // Tencent
          'https://dns.alidns.com/dns-query', // Alibaba (this will trigger h3 and normal concurrent queries)
          '180.184.1.1', // ByteDance - Volcano Engine DNS
        ]
        const notionDns = 'tls://dns.jerryw.cn' // Notion accelerated DNS
        const notionUrls = [
          'http-inputs-notion.splunkcloud.com',
          '+.notion-static.com',
          '+.notion.com',
          '+.notion.new',
          '+.notion.site',
          '+.notion.so',
        ]
        const combinedUrls = notionUrls.join(',');
        const dnsOptions = {
          'enable': true,
          'prefer-h3': true, // If the DNS server supports DoH3, it will prioritize using h3 (only Alibaba DNS supports it in this example)
          'default-nameserver': cnDnsList, // Used to resolve other DNS servers and node domain names, must be IP, can be encrypted DNS. Note that this is only used to resolve nodes and other DNS; other network requests are not managed by it.
          'nameserver': trustDnsList, // Other network requests are managed by it.
          
          // This is used to override the above nameserver
          'nameserver-policy': {
            [combinedUrls]: notionDns,
            'geosite:geolocation-!cn': trustDnsList,
            // If you have some internal DNS, it should be defined here, multiple domain names should be separated by commas.
            // '+.companydomain.com, www.4399.com, +.baidu.com': '10.0.0.1'
          },
        }
      
        // GitHub acceleration prefix
        const githubPrefix = 'https://fastgh.lainbo.com/'
      
        // Original download addresses for GEO data GitHub resources
        const rawGeoxURLs = {
          geoip: 'https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.dat',
          geosite: 'https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat',
          mmdb: 'https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/country-lite.mmdb',
        }
      
        // Generate GEO data resource objects with acceleration prefixes
        const accelURLs = Object.fromEntries(
          Object.entries(rawGeoxURLs).map(([key, githubUrl]) => [key, `${githubPrefix}${githubUrl}`]),
        )
      
        const otherOptions = {
          'unified-delay': true,
          'tcp-concurrent': true,
          'profile': {
            'store-selected': true,
            'store-fake-ip': true,
          },
          'sniffer': {
            enable: true,
            sniff: {
              TLS: {
                ports: [443, 8443],
              },
              HTTP: {
                'ports': [80, '8080-8880'],
                'override-destination': true,
              },
            },
          },
          'geodata-mode': true,
          'geo-auto-update': true,
          'geo-update-interval': 24,
          'geodata-loader': 'standard',
          'geox-url': accelURLs,
          'find-process-mode': 'strict',
        }
        content.dns = mergeConfig(content.dns, dnsOptions)
        return { ...content, ...otherOptions }
      }
      

      Images are for interface reference only; actual content should follow the code block above.

      image

    3. After enabling, click the button again to ensure the settings are correctly applied (any code changes here require clicking this button to manually refresh the runtime configuration).

      image

  • If your Clash Verge Rev version ≥ 1.7:

    1. Right-click on "Global Extension Configuration" and click "Edit File".

      image

    2. Paste the following code and click "Save".

      dns:
        prefer-h3: true
        default-nameserver:
          - 180.184.1.1
          - udp://47.108.230.123:5553
          - https://119.29.29.29/dns-query
        nameserver-policy:
          "http-inputs-notion.splunkcloud.com,+.notion-static.com,+.notion.com,+.notion.new,+.notion.site,+.notion.so": tls://dns.jerryw.cn
          "geosite:geolocation-!cn":
            - https://doh.pub/dns-query
            - https://dns.alidns.com/dns-query
            - 180.184.1.1
        # nameserver is a sibling of nameserver-policy, not a key inside it
        nameserver:
          - https://doh.pub/dns-query
          - https://dns.alidns.com/dns-query
          - 180.184.1.1
      unified-delay: true
      tcp-concurrent: true
      profile:
        store-selected: true
        store-fake-ip: true
      sniffer:
        enable: true
        sniff:
          HTTP:
            ports:
              - 80
              - 8080-8880
            override-destination: true
          TLS:
            ports:
              - 443
              - 8443
          QUIC:
            ports:
              - 443
              - 8443
      geodata-mode: true
      geo-auto-update: true
      geo-update-interval: 24
      geodata-loader: standard
      geox-url:
        geoip: https://fastgh.lainbo.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.dat
        geosite: https://fastgh.lainbo.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat
        mmdb: https://fastgh.lainbo.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/country-lite.mmdb
      
      

The purpose of this code is to:

  • Use Alibaba and DNSPod (Tencent's DNS) DoT to resolve nodes and DNS servers.
  • Use Alibaba, Tencent, and Volcano's DNS servers to resolve other websites (DNS leaks often come from ISPs, and major companies have not been reported to leak).
  • Use a non-profit organization's DoT to resolve Notion websites.
  • Use adaptive mode for the TUN stack.
  • Change the latency calculation method to eliminate additional delays like handshakes.
  • Enable support for TCP concurrency.
  • Enable domain sniffing to accurately restore domain names and perform domain splitting.
  • Set the download source for geodata to a domestic accelerated download source.

Some may say that resolving websites through Alibaba's and Tencent's DNS will still leak! I want to say that the issue we are trying to resolve is data leakage to ISPs (China Telecom, China Unicom, China Mobile), not eliminating every trace of your DNS queries. If you want your DNS lookups to leave no trace at all, please set up your own DNS.
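To make the relationship between default-nameserver, nameserver and nameserver-policy concrete, here is an added example (not code from the original post, and not Clash Verge's or Mihomo's own implementation) that models how the DNS options above are consulted for a hostname. It assumes that a nameserver-policy key is a comma-separated list of patterns, that a plain name matches exactly, that "+.example.com" matches the domain and every subdomain, and it replaces the real geosite database with a constructed in-memory set; the "+.corp.example" entry and the hostnames used are constructed as well. It also includes a check for the point made in the script's comment: default-nameserver entries must be IP literals, because they are what resolves everything else.

```javascript
// Added example, not from the original post or from Clash Verge/Mihomo:
// a simplified model of how the DNS options are consulted for a hostname.
// Assumptions: a nameserver-policy key is a comma-separated list of patterns;
// a plain name matches exactly; "+.example.com" matches example.com and every
// subdomain; "geosite:NAME" is looked up in a constructed in-memory set that
// stands in for the real geosite database. Real Mihomo matching is richer.

const DNS_OPTIONS = {
  // Only used to look up the other DNS servers and the proxy nodes themselves,
  // so every entry must be reachable without a prior DNS lookup (IP literal).
  'default-nameserver': ['https://1.12.12.12/dns-query', 'https://223.5.5.5/dns-query'],
  // Everything that no policy entry claims goes here.
  nameserver: ['https://doh.pub/dns-query', 'https://dns.alidns.com/dns-query', '180.184.1.1'],
  // Consulted first; the first matching pattern wins.
  'nameserver-policy': {
    'http-inputs-notion.splunkcloud.com,+.notion-static.com,+.notion.com,+.notion.new,+.notion.site,+.notion.so': 'tls://dns.jerryw.cn',
    'geosite:geolocation-!cn': ['https://doh.pub/dns-query', 'https://dns.alidns.com/dns-query', '180.184.1.1'],
    '+.corp.example': '10.0.0.1', // constructed internal-resolver entry, like the commented-out line in the post
  },
};

// Constructed stand-in for the geosite database (the real one has thousands of entries).
const GEOSITE = { 'geolocation-!cn': new Set(['github.com', 'example.org']) };

function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, '');
}

function patternMatches(pattern, host) {
  if (pattern.startsWith('geosite:')) {
    const names = GEOSITE[pattern.slice('geosite:'.length)] ?? new Set();
    // a geosite entry covers the domain and its subdomains
    return [...names].some((d) => host === d || host.endsWith('.' + d));
  }
  if (pattern.startsWith('+.')) {
    const base = pattern.slice(2);
    return host === base || host.endsWith('.' + base);
  }
  return host === pattern;
}

// Returns the servers that would answer a query for `hostname`, and which pattern chose them.
function pickNameservers(dns, hostname) {
  const host = normalizeHost(hostname);
  for (const [key, servers] of Object.entries(dns['nameserver-policy'] ?? {})) {
    for (const pattern of key.split(',').map((p) => p.trim())) {
      if (patternMatches(pattern, host)) {
        return { servers: [].concat(servers), via: pattern };
      }
    }
  }
  return { servers: dns.nameserver, via: 'nameserver' };
}

// Sanity check for the comment in the post: every default-nameserver entry must
// be an IP literal (IPv4, or bracketed IPv6), with or without scheme, port or
// path; otherwise resolving it would itself need a working nameserver.
function defaultNameserversAreIpLiterals(dns) {
  const hostOf = (s) => s.replace(/^[a-z0-9+.-]+:\/\//i, '').replace(/\/.*$/, '').replace(/:\d+$/, '');
  const isIpv4 = (h) => /^(\d{1,3}\.){3}\d{1,3}$/.test(h) && h.split('.').every((o) => Number(o) <= 255);
  const isIpv6 = (h) => /^\[[0-9a-f:]+\]$/i.test(h);
  return (dns['default-nameserver'] ?? []).every((s) => isIpv4(hostOf(s)) || isIpv6(hostOf(s)));
}

// Walk-through with constructed hostnames
for (const h of ['www.notion.so', 'api.github.com', 'vpn.corp.example', 'www.baidu.com']) {
  const { servers, via } = pickNameservers(DNS_OPTIONS, h);
  console.log(h.padEnd(18), '->', via.padEnd(24), servers.join(' | '));
}
console.log('default-nameserver entries are IP literals:', defaultNameserversAreIpLiterals(DNS_OPTIONS));
```

Run it with node; the walk-through prints which server list each hostname lands on. The check at the end is the one worth keeping around: a DoH hostname such as doh.pub placed in default-nameserver would fail the check, and on a real system it would leave Mihomo with no way to resolve the DoH server itself.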

Resolving GEOIP and CN Issues

Currently, the vast majority of proxy tools on the market rely on the GeoIP2 database to determine the geographical location of addresses. Their rule lists usually end with a line like GEOIP,CN, which checks whether the destination IP address belongs to mainland China and, if so, connects directly.

The GeoIP2 database commonly used by these proxy tools comes from MaxMind's GeoLite2 free database. This database currently has several issues:

  • Inconvenient access: Since December 30, 2019, registration is required to download.
  • Large data size: The database is huge, containing global IP address ranges, about 10 MB.
  • Low accuracy: It inaccurately determines IP addresses in mainland China, for example, IPs from Alibaba Cloud in Hong Kong are misidentified as being from Singapore or mainland China.

The large data size is meaningless for most users in mainland China, as they only need to determine whether an IP's geographical location is within mainland China; all other countries' IPs should be proxied or connected directly. Excessive data volume increases loading time and reduces query efficiency.

In the script we created earlier, we have already included links to download a more concise and suitable IP database for mainland China; now we just need to manually download and replace it.

  1. Click on the Clash Verge Rev settings menu, find "Update GeoData", and click to update.
  2. After the download is complete, right-click the Clash Verge icon in the tray, select 【More】 - 【Restart Application】 to ensure the database is correctly applied.

How do I ensure that xxx.com does not go through the proxy?

  • If your Clash Verge Rev version < 1.7:
    1. Click the "Subscription" menu on the left, and click the "New" button in the upper right corner.

    2. Select "Merge" as the type, give it a name, and click save.

    3. Right-click the newly created Merge, click "Edit File", and add your rules under prepend-rules: (Clash evaluates rules from top to bottom and stops at the first rule that matches, so prepend-rules inserts your rules ahead of the subscription's own rules).

    4. The format is as follows; you can flexibly combine to add the rules you want, paying attention to the indentation of the YAML file.

      (Do not copy the rules below; they are just for demonstration purposes, and the strategies written are very unreasonable!)

      prepend-rules:
      # ↓ Indicates that `*.baidu.com` will go through the `🔗 No Proxy` strategy group, which defaults to direct connection rather than going through nodes.
      - DOMAIN-SUFFIX,baidu.com,🔗 No Proxy
      
      # ↓ Indicates that `abc.baidu.com` will go through the `DIRECT` built-in strategy.
      # DIRECT is also a direct connection; the difference is that this rule is not controlled by the `🔗 No Proxy` strategy group.
      # The `🔗 No Proxy` strategy group is just named "No Proxy"; you can manually adjust its strategy, but DIRECT cannot be adjusted.
      - DOMAIN,abc.baidu.com,DIRECT
      
      # ↓ Indicates that the source process name `Weiyun.exe` will go through the `🛡️ Ad Block` strategy, which defaults to rejecting requests.
      - PROCESS-NAME,Weiyun.exe,🛡️ Ad Block
      
      # ↓ Indicates that as long as the request URL contains the keyword `aria2`, it will go through the `REJECT` built-in strategy.
      # REJECT also discards requests; the difference is that this rule is not controlled by the `🛡️ Ad Block` strategy group.
      # No further explanation; the logic is the same as the above no proxy.
      - DOMAIN-KEYWORD,aria2,REJECT
      
      # ↓ Indicates that all requests on port 22 will go through the `✈️ Node Selection` strategy group, which means using the selected node's traffic.
      - DST-PORT,22,✈️ Node Selection
      
      # ↓ Indicates that the specified IP range does not need a proxy; remember to add `,no-resolve` at the end.
      # no-resolve tells Clash not to attempt to resolve to match this rule, only to process "direct IP access" requests.
      - IP-CIDR,203.205.254.0/23,🔗 No Proxy,no-resolve
      - IP-CIDR6,2a0b:b580::/48,🔗 No Proxy,no-resolve
      

      The above only lists common types; there are more rule types detailed in the corresponding section of the Clash documentation or Void Terminal Docs.

    5. After writing, right-click the newly created Merge, click "Enable", and then click the "Re-activate Subscription" button in the upper right corner to refresh the configuration.

      image

  • If your Clash Verge Rev version ≥ 1.7:
    1. Right-click on "Global Extension Script" and click "Edit File".

      image

    2. The format is as follows; you can flexibly combine to add the rules you want. The combination method is the same as for versions < 1.7; you can refer to it, but the format needs to be written in JavaScript code. If you need to add more rules, please expand the prependRules in the code.

      function main(content) {
        const prependRules = [
          'IP-ASN,132203,🔗 No Proxy,no-resolve',
          'DOMAIN-SUFFIX,baidu.com,🔗 No Proxy', // Indicates that `*.baidu.com` will go through the `🔗 No Proxy` strategy group, which defaults to direct connection rather than going through nodes.
          'PROCESS-NAME,Weiyun.exe,🛡️ Ad Block', // Indicates that the source process name `Weiyun.exe` will go through the `🛡️ Ad Block` strategy, which defaults to rejecting requests.
          'DST-PORT,22,✈️ Node Selection', // Indicates that all requests on port 22 will go through the `✈️ Node Selection` strategy group, which means using the selected node's traffic.
        ]
        // Always prepend, even when the subscription supplies no rules of its own;
        // otherwise the custom rules would be silently dropped for a rule-less profile.
        const existingRules = Array.isArray(content.rules) ? content.rules : []
        content.rules = prependRules.concat(existingRules)

        return content
      }
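The two rule-writing sections above (the prepend-rules YAML and the JavaScript version) and the earlier GEOIP,CN discussion all rest on the same evaluation model: rules are checked top to bottom, the first match wins, and IP-based rules either skip domain requests (no-resolve) or force a DNS lookup just to be tested. The following added example (not code from the original post, and not Clash's or Mihomo's own matcher) models that evaluation so the consequences of rule order can be checked on constructed requests. It only models DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD, PROCESS-NAME, DST-PORT, IP-CIDR (IPv4), GEOIP and MATCH; the "CN" GeoIP data is a constructed one-prefix list, DNS is a constructed table, and the rule list reuses the post's strategy-group names with constructed documentation-range IPs.

```javascript
// Added example, not from the original post or from Clash/Mihomo: a simplified
// model of how a rule list is evaluated. Assumptions: rules are checked top to
// bottom and the first match wins; only the rule types below are modelled;
// the "CN" GeoIP database is a constructed one-prefix list; DNS is a constructed table.

const CN_CIDRS = ['192.0.2.0/24']; // constructed stand-in for the mainland-China GeoIP data
const FAKE_DNS = { 'cn.example': '192.0.2.10', 'abroad.example': '198.51.100.7' }; // constructed

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [net, bitsText] = cidr.split('/');
  const bits = Number(bitsText);
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// 'TYPE,payload,target[,no-resolve]' -> object; MATCH has no payload
function parseRule(line) {
  const f = line.split(',').map((s) => s.trim());
  if (f[0] === 'MATCH') return { type: 'MATCH', target: f[1], line };
  return { type: f[0], payload: f[1], target: f[2], noResolve: f[3] === 'no-resolve', line };
}

// Decide the policy for one request. `req` = { host?, ip?, port, process? }:
// a request made to a domain has `host` and no `ip` until something resolves it.
// Returns the chosen target, the matching rule line and how many DNS lookups were needed.
function route(rules, req) {
  let ip = req.ip;
  let lookups = 0;
  const resolve = () => { lookups += 1; return req.host ? FAKE_DNS[req.host] : undefined; };

  for (const rule of rules) {
    let hit = false;
    switch (rule.type) {
      case 'DOMAIN': hit = req.host === rule.payload; break;
      case 'DOMAIN-SUFFIX': hit = !!req.host && (req.host === rule.payload || req.host.endsWith('.' + rule.payload)); break;
      case 'DOMAIN-KEYWORD': hit = !!req.host && req.host.includes(rule.payload); break;
      case 'PROCESS-NAME': hit = req.process === rule.payload; break;
      case 'DST-PORT': hit = req.port === Number(rule.payload); break;
      case 'IP-CIDR':
      case 'GEOIP': {
        // IP rules need a destination IP. With no-resolve the rule is skipped for
        // domain requests; without it, the domain is resolved just to test the rule.
        if (!ip) {
          if (rule.noResolve) break;
          ip = resolve();
          if (!ip) break;
        }
        hit = rule.type === 'IP-CIDR'
          ? inCidr(ip, rule.payload)
          : (rule.payload === 'CN' && CN_CIDRS.some((c) => inCidr(ip, c)));
        break;
      }
      case 'MATCH': hit = true; break;
      default: break; // unknown rule type: never matches
    }
    if (hit) return { target: rule.target, rule: rule.line, lookups };
  }
  return { target: undefined, rule: undefined, lookups };
}

// Constructed rule list reusing the post's strategy-group names. The second line
// is shadowed by the first: abc.baidu.com has already matched DOMAIN-SUFFIX.
const RULES = [
  'DOMAIN-SUFFIX,baidu.com,🔗 No Proxy',
  'DOMAIN,abc.baidu.com,DIRECT',
  'PROCESS-NAME,Weiyun.exe,🛡️ Ad Block',
  'DOMAIN-KEYWORD,aria2,REJECT',
  'DST-PORT,22,✈️ Node Selection',
  'IP-CIDR,203.0.113.0/24,🔗 No Proxy,no-resolve',
  'GEOIP,CN,DIRECT',
  'MATCH,✈️ Node Selection',
].map(parseRule);

for (const req of [
  { host: 'abc.baidu.com', port: 443 },   // shadowed DOMAIN rule never reached
  { host: 'example.net', port: 22 },      // DST-PORT, no lookup
  { ip: '203.0.113.9', port: 443 },       // direct-IP request hits the no-resolve rule
  { host: 'cn.example', port: 443 },      // no-resolve rule skipped; GEOIP forces one lookup
  { host: 'abroad.example', port: 443 },  // one lookup, then falls through to MATCH
]) {
  console.log(JSON.stringify(req), '->', JSON.stringify(route(RULES, req)));
}
```

The `lookups` counter is the practical takeaway: with the no-resolve flag, an IP-CIDR rule costs a domain request nothing, while a GEOIP or IP-CIDR rule without the flag forces a resolution of every domain that reaches it, which is why such rules belong at the end of the list and why the post tells you to append no-resolve to IP-range rules.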
      