About Some Client Authors Stopping Updates
These clients have stopped updating; does it affect our usage? To answer this, we first need to understand one concept: software such as Clash Verge (open source), Clash for Windows, and Clash X Pro is only a shell used to drive a core, and it is this shell that has stopped updating.
Common cores include Clash Premium and Clash Meta (open source).
Since both Clash Verge and its switchable core, Clash Meta, are open source, we should prioritize this combination, which will also be used in the following text.
Can we continue to use them?
Of course, the explanation is as follows:
- It's like using a radio (Clash Verge); you wouldn't immediately throw away your radio just because the manufacturer (author) went out of business (stopped updating).
- All the schematics for the radio's components are public (open source), so you don't have to worry about it possibly having some bad background programs implanted.
- The shell buttons (Clash Verge) allow us to easily control the mainboard components (Clash Meta core) inside the radio to perform their tasks. As long as the way this shell button (Clash Verge) controls the radio's mainboard (Clash Meta core) isn't problematic, we can use it.
- The shell stopping updates means that the radio shell won't add new buttons.
- The core stopping updates means that the radio's mainboard won't update its functionalities, and that's all.
- The radio can play sound (turn on magic) because you input the correct FM frequency (subscription link). As long as the station (airport) is still broadcasting (service), and as long as your shell and core are still there, it won't affect your ability to play sound (turn on magic).
Finally, we need to clarify that the privacy protection operations mentioned below are not absolutely secure. Just like wanting to know what you are doing at home, someone can rummage through your trash in the bin downstairs to make guesses, watch you with a telescope, or even blow up your ceiling or force their way in to see. Network monitoring is the same; it depends on your behavior online and whether it's worth it for someone to use those advanced methods. You can't just decide not to install a security door because a digger can break it down with one scoop.
Currently Available Open Source Clash Verge Clients
There are now many clients based on Clash Verge that continue to be developed and maintained. I highly recommend Clash Verge Rev, and the following articles will demonstrate using this client.
The configurations mentioned later have been adapted for Clash Verge Rev ≥ v1.7 and have been used for quite some time, so feel free to use them.
Why this software?
Excellent multi-platform compatibility—Clash Verge Rev supports Windows, macOS, and Linux. If you follow the tutorial below, you will eventually get a new subscription link. On iOS, you can generate a QR code from this new subscription link, use the Shadowrocket app, click the "+" icon, find "Scan QR Code" at the bottom, and import it for use on iOS devices; Stash allows you to directly input the generated link. The best practice operations below only need to be executed once to apply across multiple devices.
TL;DR Version
- Subscription conversion (mandatory for all platforms)
- Enable TUN mode, disable proxy (optional)
- Disable browser secure DNS address, set DNS address (optional for all PCs; if you performed step 2, this step is mandatory)
- Set system DNS to automatic (optional)
- Disable browser QUIC (mandatory for all PCs)
- Set local China IP database (optional)
Solving Subscription Split Rules Issues
After obtaining the subscription link, the first step should be subscription conversion to improve its split rules (because the split rules provided by the service provider that gives you the subscription often only have a few hundred entries, which are quite inadequate; many people can use Clash but can't access New Bing, which is a good example).
Online subscription conversion not only converts Shadowsocks, V2ray, and Trojan subscription links into subscription formats used by Clash, Stash, V2ray, Quantumult X, Surge, etc., but it also supports many advanced operations. However, this article will only aim for sufficient functionality, rather than exploring all the features.
Although online subscription conversion websites are convenient, they also carry certain privacy risks, so caution is advised. It is recommended that technically skilled friends set up their own online subscription conversion platform.
Subscription Conversion Website
I have set up a subscription conversion website, and the following text will use this website as an example.
Visit: https://sub.lainbo.com/
Steps to Operate
In most cases this already works very well, and it includes some additional features from the remote configuration file I wrote.
Determine if the Rule File Has Been Successfully Applied
After pulling the subscription, you should see automatic nodes such as “🌿 Auto Select,” “🇭🇰 Hong Kong Auto,” “🇨🇳 Taiwan Auto,” “🇸🇬 Singapore Auto,” “🇺🇸 USA Auto,” “🇯🇵 Japan Auto” in the nodes. If you can see these automatic nodes, then you have successfully applied my rules to your subscription.
It is recommended to choose these automatic nodes when there are no special requirements, as they will help you use the node with the lowest latency among the corresponding country/region nodes.
About Remote Configuration
What is this remote configuration, and what functions can it provide for your subscription? You can open the link to the original "Remote Configuration", where there are annotations at the top.
Solving DNS Leak Issues
DNS leaks refer to situations where a user's real IP address is sent to the ISP's DNS server (such as China Unicom, China Mobile) through DNS requests while using a VPN or other privacy services, instead of going through the secure, anonymous DNS server set up by the VPN. If you see the Chinese flag on websites like DNS Leak Test or ipleak, you should be aware that a DNS leak may have occurred.
What problems could arise if there is indeed a leak? I don't know what might happen; perhaps you might receive messages like the ones below.
I think it’s best to avoid letting them know about this. Although no one knows the exact detection mechanism, it is likely obtained from the network layer. In a typical home network topology, what Wireshark can see, the ISP can also see, so it is very clear what websites you accessed using DNS resolutions like 114.114.114.114 or 223.5.5.5.
This leads to the first usage tip—Enable TUN mode in Clash and disable the system proxy.
The difference from the ordinary system proxy mode is that in TUN mode, Clash creates a virtual network card to take over all network traffic from the network layer.
The ordinary system proxy mode takes over the network of other software with the permissions of a single software, which means there are always some applications that cannot be taken over, such as games or command-line tools. Therefore, we should enable TUN mode and disable the system proxy, allowing the network card to handle this instead of the software.
Operation One (Enable TUN Mode)
- First, switch the core of Clash Verge to the open-source Clash Meta core, then restart the entire Clash Verge to ensure it takes effect (the new version of Clash Verge Rev should default to Meta). (Clash Meta may have different names in different clients later on; if you see the core name as `Mihomo`, it is also Meta.)
- Install the service, enable TUN mode, and enable strict routing by clicking the numbered sequence in the image below.
  If the service mode cannot be installed:
  - Windows users can try executing `sc.exe delete clash_verge_service` in the system command line (PowerShell) to delete the previous Clash Verge service. In Windows PowerShell a bare `sc` is an alias for `Set-Content`, so call `sc.exe` explicitly. The failure may be because you previously installed Clash Verge and the service was not removed when it was uninstalled, causing the new installation to fail.
  - Mac/Linux users should click the gear icon ⚙️ in the settings under `Clash Core` and select "Authorize."
  - For other troubleshooting, refer to https://github.com/clash-verge-rev/clash-verge-rev/issues/125.
- At this point, you need to restart the Clash software, then click the gear icon ⚙️ next to TUN mode and select the stack mode for Tun as Mixed, which is also the recommended option. Enable "Strict Routing."
- Front-end developers need to note:
  With strict routing enabled, the dev server that Vite starts by default (`npm run vite dev`) at http://localhost:5173 may not be accessible. The solution is to specify which IP address the Vite server should listen on. Either of the following two methods solves the issue. Both make the dev server listen on all network interfaces, so it also becomes reachable from other machines on the same network.
  - Modify package.json (add `--host`):

```json
"scripts": {
  "dev": "vite --host"
}
```

  - Or modify vite.config.ts (specify the host as 0.0.0.0 in the server block):

```ts
import { defineConfig } from 'vite'

export default defineConfig({
  server: {
    host: '0.0.0.0',
  },
})
```
Operation Two (Adjust Group Policy, Mac users can skip)
Solving this issue is also quite simple. The reason for the problem is that Windows systems default to using multi-homed DNS resolution, which uses all network cards to initiate requests. We just need to disable this feature in the group policy (Windows Home Edition does not have this feature) (Win+R, type `gpedit.msc`, and click OK).
Thus, we have resolved the potential DNS leak issue with Clash on Windows.
However, it cannot guarantee that ipleak will not detect it. Although I can add ipleak to the rules, doing so would be burying my head in the sand. As long as certain blacklisted websites are not leaked, and you do not receive messages like the ones above, I think that is sufficient.
Operation Three (Use a Stable DNS)
For DNS, some may suggest using the ISP's DNS. ISP's DNS is only suitable for novice users because it may even lead to fraud, so it is recommended to use DNS from major domestic companies.
- Disable QUIC in the browser; ISPs in mainland China throttle UDP, which causes this excellent protocol to have a negative effect under the network conditions in mainland China. Set `about://flags/#enable-quic` to Disabled (click the pop-up to restart the browser for it to take effect).
- Disable "Secure DNS" in the browser.
  - Chrome: `chrome://settings/security` 【Use Secure DNS】 (In the new version of Chrome, it is called 【Encrypt the names of the websites you visit】), turn off.
  - Edge: `edge://settings/privacy` Find 【Security】 - 【Use secure DNS to specify how to look up the network address of websites】, turn off.
- If your Clash Verge Rev version < 1.7
  - In Clash Verge's 【Configuration】, click the new button in the upper right corner and perform the following operations.
  - Right-click the newly created card, select "Edit File," and input the following content, then save it. Right-click the card to enable it.

```javascript
function main(content) {
  const isObject = (value) => {
    return value !== null && typeof value === 'object'
  }

  const mergeConfig = (existingConfig, newConfig) => {
    if (!isObject(existingConfig)) {
      existingConfig = {}
    }
    if (!isObject(newConfig)) {
      return existingConfig
    }
    return { ...existingConfig, ...newConfig }
  }

  const cnDnsList = [
    'https://1.12.12.12/dns-query',
    'https://223.5.5.5/dns-query',
  ]
  // Most network requests will go through this, currently using Tencent, Alibaba, and the DNS of 1.0.0.1 for node queries.
  const trustDnsList = [
    'https://doh.pub/dns-query', // Tencent
    'https://dns.alidns.com/dns-query', // Alibaba (this will trigger both h3 and normal concurrent queries)
    '180.184.1.1', // ByteDance - Volcano Engine DNS
  ]
  const notionDns = 'tls://dns.jerryw.cn' // Notion accelerated DNS
  const notionUrls = [
    'http-inputs-notion.splunkcloud.com',
    '+.notion-static.com',
    '+.notion.com',
    '+.notion.new',
    '+.notion.site',
    '+.notion.so',
  ]
  const combinedUrls = notionUrls.join(',');
  const dnsOptions = {
    'enable': true,
    'prefer-h3': true, // If the DNS server supports DoH3, it will prioritize using h3 (only Alibaba DNS supports it in this example)
    'default-nameserver': cnDnsList, // Used to resolve other DNS servers and node domain names, must be IP, can be encrypted DNS. Note that this is only used to resolve nodes and other DNS; other network requests are not under its control.
    'nameserver': trustDnsList, // Other network requests are all under its control.
    // This is used to override the above nameserver
    'nameserver-policy': {
      [combinedUrls]: notionDns,
      'geosite:geolocation-!cn': trustDnsList,
      // If you have some internal DNS, it should be defined here, multiple domain names should be separated by commas.
      // '+.companydomain.com, www.4399.com, +.baidu.com': '10.0.0.1'
    },
  }

  // GitHub accelerated prefix
  const githubPrefix = 'https://fastgh.lainbo.com/'

  // Original download addresses for GEO data GitHub resources
  const rawGeoxURLs = {
    geoip: 'https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.dat',
    geosite: 'https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat',
    mmdb: 'https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/country-lite.mmdb',
  }

  // Generate GEO data resource objects with accelerated prefixes
  const accelURLs = Object.fromEntries(
    Object.entries(rawGeoxURLs).map(([key, githubUrl]) => [key, `${githubPrefix}${githubUrl}`]),
  )

  const otherOptions = {
    'unified-delay': true,
    'tcp-concurrent': true,
    'profile': {
      'store-selected': true,
      'store-fake-ip': true,
    },
    'sniffer': {
      enable: true,
      sniff: {
        TLS: {
          ports: [443, 8443],
        },
        HTTP: {
          'ports': [80, '8080-8880'],
          'override-destination': true,
        },
      },
    },
    'geodata-mode': true,
    'geo-auto-update': true,
    'geo-update-interval': 24,
    'geodata-loader': 'standard',
    'geox-url': accelURLs,
    'find-process-mode': 'strict',
  }

  content.dns = mergeConfig(content.dns, dnsOptions)
  return { ...content, ...otherOptions }
}
```

  Images are for interface reference only; actual content should follow the code block above.
  - After enabling, click the button again to ensure the settings have been correctly applied (any code changes here require clicking this button to manually refresh the runtime configuration).
- If your Clash Verge Rev version ≥ 1.7
  - Right-click "Global Extended Configuration" and click "Edit File."
  - Paste the following code and click "Save."

```yaml
dns:
  prefer-h3: true
  default-nameserver:
    - 180.184.1.1
    - https://1.12.12.12/dns-query
    - https://119.29.29.29/dns-query
  nameserver-policy:
    "http-inputs-notion.splunkcloud.com,+.notion-static.com,+.notion.com,+.notion.new,+.notion.site,+.notion.so": tls://dns.jerryw.cn
    geosite:geolocation-!cn:
      - https://doh.pub/dns-query
      - https://dns.alidns.com/dns-query
      - 180.184.1.1
  nameserver:
    - https://doh.pub/dns-query
    - https://dns.alidns.com/dns-query
    - 180.184.1.1
unified-delay: true
tcp-concurrent: true
profile:
  store-selected: true
  store-fake-ip: true
sniffer:
  enable: true
  sniff:
    HTTP:
      ports:
        - 80
        - 8080-8880
      override-destination: true
    TLS:
      ports:
        - 443
        - 8443
    QUIC:
      ports:
        - 443
        - 8443
geodata-mode: true
geo-auto-update: true
geo-update-interval: 24
geodata-loader: standard
geox-url:
  geoip: https://fastgh.lainbo.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.dat
  geosite: https://fastgh.lainbo.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat
  mmdb: https://fastgh.lainbo.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/country-lite.mmdb
```
The purpose of this code is to:
- Use Alibaba and DNSPod (Tencent's DNS) DoT to resolve nodes and DNS servers.
- Use Alibaba, Tencent, and Volcano's DNS servers to resolve other websites (DNS leaks often occur due to ISP leaks; major companies have not been reported to leak).
- Use a non-profit organization's DoT to resolve Notion websites.
- Use adaptive mode for the TUN stack.
- Change the delay calculation method to remove handshake and other extra delays.
- Enable TCP concurrent support.
- Enable domain sniffing to accurately restore domain names and perform domain splitting.
- Set the download source for geodata to a domestic accelerated download source.
Some may say that using DNS resolution websites like Alibaba and Tencent will still leak! I want to say that the issue we are trying to solve is the data leakage from ISPs (China Telecom, China Unicom, China Mobile), not leaving no trace in DNS queries. If you want your DNS query behavior to leave no trace, please set up your own DNS.
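To see which resolver entries in a `dns` block are sent encrypted and which go out as plain DNS that anyone on the path can read, the following added example (not part of the original article or of Clash Verge Rev) audits a config object of the same shape the script above receives as `content.dns`. The function names, the scheme classification (a bare address treated as plain UDP) and the second sample config are assumptions made for this illustration.

```javascript
// Added example: classify every resolver in a Clash Meta (Mihomo) `dns` block.
// Assumption: https://, tls:// and quic:// are encrypted transports; an entry
// with no scheme (e.g. 180.184.1.1) is plain DNS on the wire.
const ENCRYPTED_SCHEMES = new Set(['https', 'tls', 'quic'])

// Split "scheme://host:port/path#params" into its scheme and host.
function parseServer(server) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(server)
  const scheme = m ? m[1].toLowerCase() : 'udp'
  const authority = (m ? m[2] : server).split(/[/#]/)[0]
  let host = authority
  if (authority.startsWith('[')) {
    host = authority.slice(1, authority.indexOf(']')) // [v6]:port
  } else if (authority.split(':').length === 2) {
    host = authority.split(':')[0] // host:port
  }
  return { scheme, host }
}

const isIpLiteral = (host) => /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':')

// Returns one finding per problem: { field, server, issue }.
function auditDns(dns) {
  const findings = []
  const check = (field, servers, mustBeIp) => {
    for (const server of [].concat(servers ?? [])) {
      const { scheme, host } = parseServer(server)
      // default-nameserver resolves the other resolvers, so a hostname here
      // has nothing to resolve it (the article's "must be IP" comment).
      if (mustBeIp && !isIpLiteral(host)) {
        findings.push({ field, server, issue: 'bootstrap-needs-ip' })
      }
      if (!ENCRYPTED_SCHEMES.has(scheme)) {
        findings.push({ field, server, issue: 'plaintext' })
      }
    }
  }
  check('default-nameserver', dns['default-nameserver'], true)
  check('nameserver', dns.nameserver, false)
  for (const [pattern, servers] of Object.entries(dns['nameserver-policy'] ?? {})) {
    check(`nameserver-policy[${pattern}]`, servers, false) // string or list
  }
  return findings
}

// The dns block from the >= 1.7 configuration above (Notion key shortened).
const articleDns = {
  'default-nameserver': ['180.184.1.1', 'https://1.12.12.12/dns-query', 'https://119.29.29.29/dns-query'],
  'nameserver': ['https://doh.pub/dns-query', 'https://dns.alidns.com/dns-query', '180.184.1.1'],
  'nameserver-policy': {
    '+.notion.so': 'tls://dns.jerryw.cn',
    'geosite:geolocation-!cn': ['https://doh.pub/dns-query', 'https://dns.alidns.com/dns-query', '180.184.1.1'],
  },
}

// Constructed counter-example: hostname used for bootstrap, plain resolver elsewhere.
const constructedBadDns = {
  'default-nameserver': ['https://doh.pub/dns-query', '223.5.5.5'],
  'nameserver': ['223.5.5.5'],
}

console.log(auditDns(articleDns))
console.log(auditDns(constructedBadDns))
```

For the article's configuration the only findings are the three `180.184.1.1` entries, which are queried without encryption.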
Solving GEOIP and CN Issues
Currently, the vast majority of proxy tools rely on the GeoIP2 database to determine the geographical location of addresses. Their rules usually end with a line like `GEOIP, CN` to check whether the destination IP address belongs to mainland China, thus determining whether to connect directly.
The GeoIP2 database commonly used by these proxy tools comes from MaxMind's GeoLite2 free database. This database currently has several issues:
- Inconvenient to obtain: Since December 30, 2019, registration is required to download.
- Large data volume: The database is huge, containing global IP address ranges, about 10 MB.
- Low accuracy: The determination of IP addresses in mainland China is inaccurate; for example, IPs from Alibaba Cloud in Hong Kong are misidentified as being from Singapore or mainland China.
The large data volume is meaningless for most users in mainland China, as they only need to determine whether an IP's geographical location is within mainland China; all other countries' IPs should be proxied/directly connected. Excessive data volume increases loading time and reduces query efficiency.
In the script we created earlier, we have already included links to download a more concise and suitable IP database for mainland China; now we just need to manually download and replace it.
- Click the settings menu in Clash Verge Rev, find "Update GeoData," and click to update.
- After downloading, right-click the Clash Verge icon in the tray, select 【More】 - 【Restart Application】 to ensure the database is correctly applied.
How do I ensure that xxx.com does not go through the proxy?
- If your Clash Verge Rev version < 1.7
  - Click the "Subscription" menu on the left, then click the "New" button in the upper right corner.
  - Select "Merge" as the type, give it a name, and click save.
  - Right-click the newly created Merge, click "Edit File," and add to `prepend-rules:` (Clash's strategy reads rules from top to bottom; once it reads one, it won't look further down, so prepend is used to insert rules at the front).
  - The format is as follows; you can flexibly combine to add the rules you want, paying attention to the indentation of the YAML file.
    (Do not copy the rules below; they are just for demonstration purposes, and the strategies written are very unreasonable!)

```yaml
prepend-rules:
  # ↓ Indicates that `*.baidu.com` will go through the `🔗 No Proxy` strategy group, which defaults to direct connection rather than going through nodes.
  - DOMAIN-SUFFIX,baidu.com,🔗 No Proxy

  # ↓ Indicates that `abc.baidu.com` will go through the `DIRECT` built-in strategy.
  # DIRECT is also a direct connection; the difference is that this rule is not controlled by the `🔗 No Proxy` strategy group.
  # The `🔗 No Proxy` strategy group is just named "No Proxy"; you can manually adjust its strategy, but DIRECT cannot be adjusted.
  - DOMAIN,abc.baidu.com,DIRECT

  # ↓ Indicates that the source process name `Weiyun.exe` will go through the `🛡️ Ad Block` strategy, which defaults to rejecting requests.
  - PROCESS-NAME,Weiyun.exe,🛡️ Ad Block

  # ↓ Indicates that as long as the request URL contains the keyword `aria2`, it will go through the `REJECT` built-in strategy.
  # REJECT also discards requests; the difference is that this rule is not controlled by the `🛡️ Ad Block` strategy group.
  # No further explanation; the logic is the same as the no proxy above.
  - DOMAIN-KEYWORD,aria2,REJECT

  # ↓ Indicates that all requests on port 22 will go through the `✈️ Node Selection` strategy group, which means using the traffic of the selected node.
  - DST-PORT,22,✈️ Node Selection

  # ↓ Indicates that the specified IP range does not need a proxy; remember to add `,no-resolve` at the end.
  # no-resolve tells Clash not to attempt to resolve to match this rule; it only processes "direct IP access" requests.
  - IP-CIDR,203.205.254.0/23,🔗 No Proxy,no-resolve
  - IP-CIDR6,2a0b:b580::/48,🔗 No Proxy,no-resolve
```

    The above only lists common rules; for more rule types, see the corresponding section in the Clash documentation or Void Terminal Docs.
  - After writing, right-click the newly created Merge, click "Enable," and then click the "Re-activate Subscription" button in the upper right corner to refresh the configuration.
- If your Clash Verge Rev version ≥ 1.7
  - Right-click "Global Extended Script" and click "Edit File."
  - The format is as follows; you can flexibly combine to add the rules you want. The combination method is the same as for versions < 1.7; you can refer to it, but the format needs to be written in JavaScript code. If you need to add more rules, please expand the `prependRules` in the code.

```javascript
function main(content) {
  const prependRules = [
    'IP-ASN,132203,🔗 No Proxy,no-resolve',
    'DOMAIN-SUFFIX,baidu.com,🔗 No Proxy', // Indicates that `*.baidu.com` will go through the `🔗 No Proxy` strategy group, which defaults to direct connection rather than going through nodes.
    'PROCESS-NAME,Weiyun.exe,🛡️ Ad Block', // Indicates that the source process name `Weiyun.exe` will go through the `🛡️ Ad Block` strategy, which defaults to rejecting requests.
    'DST-PORT,22,✈️ Node Selection', // Indicates that all requests on port 22 will go through the `✈️ Node Selection` strategy group, which means using the traffic of the selected node.
  ]
  if (content.rules?.length) {
    content.rules = prependRules.concat(content.rules)
  }
  return content
}
```
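The two behaviours this section relies on, first match wins (which is why rules are prepended) and `no-resolve` keeping an IP rule from triggering a DNS lookup for a domain request, can be checked with a small model before enabling your own rules. This is an added example, not code from the article or from the Clash core: it is a simplified IPv4-only evaluator, and the subscription rules, the host `files.example` and the `resolve` stand-in are constructed for illustration.

```javascript
// Added example: simplified first-match rule evaluation (IPv4 only).
const isIpv4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h)
const toInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0)

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/')
  const size = 2 ** (32 - Number(bits))
  return Math.floor(toInt(ip) / size) === Math.floor(toInt(base) / size)
}

// Returns the winning policy, the index of the rule that matched, and how many
// DNS lookups the rule list forced. `resolve` is a hypothetical DNS stand-in.
function evaluate(rules, req, resolve) {
  let ip = isIpv4(req.host) ? req.host : undefined
  let lookups = 0
  for (const [index, rule] of rules.entries()) {
    const [type, value, policy, option] = rule.split(',')
    if (type === 'MATCH') return { policy: value, index, lookups }
    let hit = false
    if (type === 'DOMAIN') hit = req.host === value
    else if (type === 'DOMAIN-SUFFIX') hit = req.host === value || req.host.endsWith('.' + value)
    else if (type === 'DOMAIN-KEYWORD') hit = req.host.includes(value)
    else if (type === 'DST-PORT') hit = String(req.port) === value
    else if (type === 'IP-CIDR') {
      // Without no-resolve, a domain request is resolved just to test this rule.
      if (ip === undefined && option !== 'no-resolve') {
        ip = resolve(req.host) ?? null
        lookups++
      }
      hit = Boolean(ip) && inCidr(ip, value)
    }
    if (hit) return { policy, index, lookups } // first match wins, stop here
  }
  return { policy: null, index: -1, lookups }
}

// Constructed sample data: rules as a subscription might deliver them.
const subscriptionRules = [
  'DOMAIN-KEYWORD,baidu,✈️ Node Selection',
  'IP-CIDR,203.205.254.0/23,🔗 No Proxy',
  'MATCH,✈️ Node Selection',
]
const myRule = 'DOMAIN-SUFFIX,baidu.com,🔗 No Proxy'
const resolve = (host) => ({ 'files.example': '203.205.254.10' })[host]

function demo() {
  const baidu = { host: 'tieba.baidu.com', port: 443 }
  const files = { host: 'files.example', port: 443 }
  const noResolve = subscriptionRules.map((r) => (r.startsWith('IP-CIDR') ? r + ',no-resolve' : r))
  return {
    appended: evaluate([...subscriptionRules, myRule], baidu, resolve), // shadowed by rule 0
    prepended: evaluate([myRule, ...subscriptionRules], baidu, resolve), // my rule wins
    cidrResolved: evaluate(subscriptionRules, files, resolve), // forces one lookup
    cidrNoResolve: evaluate(noResolve, files, resolve), // skipped, falls to MATCH
    literalIp: evaluate(noResolve, { host: '203.205.255.7', port: 443 }, resolve),
  }
}

console.log(demo())
```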