Clash Tutorial: Subscription Import, Proxy Groups, Rules, and Troubleshooting

2/19/2026 · 5 min

Clash Tutorial: From Setup to Mastery

Clash is a powerful and highly configurable cross-platform proxy client that supports multiple protocols like Shadowsocks, VMess, and Trojan. Its core strength lies in rule-based traffic routing and flexible proxy group management. This tutorial will guide you through the entire process from basic setup to advanced usage.

1. Importing and Configuring Subscription Links

Subscription links are the most convenient way to obtain proxy server configurations. Clash supports standard YAML-formatted subscriptions.

  1. Obtain a Subscription Link: Get a Clash-compatible subscription link (usually starting with https://) from your service provider.
  2. Import into the Client:
    • Clash for Windows/macOS: Open the client, navigate to the "Profiles" page. Click "Download from a URL" or the "+" icon, paste your subscription link, give it a name, and click "Download". Once downloaded, click on the profile name to activate it.
    • ClashX (macOS) or Clash for Android: In the configuration/subscription management page, select "Download from URL" or "Add Subscription", paste the link, and save.
    • Third-party GUIs (e.g., Clash Verge): The process is similar, usually found under "Config" or "Subscription" sections.
  3. Updating Subscriptions: To ensure you have the latest node information, regularly update your subscription (e.g., weekly) by clicking the "Update" button in the profiles section.

Upon successful import, the client fetches and parses the subscription content, generating a complete configuration file containing proxy nodes, proxy groups, and rules.

2. Understanding and Configuring Proxy Groups

Proxy groups are the heart of Clash's intelligent routing. You can combine different proxy nodes or groups and assign them a selection mode.

  • Common Proxy Group Types:

    • select: Manual selection mode. The user manually chooses one node or sub-group from the list for persistent use.
    • url-test: Latency test mode. Periodically tests the latency and availability of all nodes in the group and automatically selects the fastest one.
    • fallback: Fallback mode. Tests nodes in order and selects the first available one.
    • load-balance: Load balancing mode. Distributes traffic among nodes in the group according to a strategy.

  • Configuration Example and Strategy: A typical routing strategy involves creating multiple proxy groups, for example:

    1. PROXY group: Type url-test or fallback, containing all overseas proxy nodes, used for traffic that requires circumvention.
    2. DOMESTIC group: Type select, containing DIRECT or domestic relay nodes, used for accessing domestic websites.
    3. Apple, Microsoft, etc.: Groups for specific services, which can point to PROXY or DIRECT.
    4. FINAL group: The final rule. All traffic not matched by previous rules will be handled according to this group's policy, typically set to DIRECT or PROXY.

    By directing traffic for different domains or IP ranges to different proxy groups in the rules section, you achieve granular traffic splitting.

3. Deep Dive into the Rule System

Clash's rules determine the path of network traffic. Rules are matched from top to bottom; once a match is found, the corresponding action is taken (direct to a proxy group, DIRECT, or REJECT).

  • Rule Types:

    • DOMAIN-SUFFIX: Matches domain suffixes, e.g., google.com matches www.google.com.
    • DOMAIN: Matches exact domain names.
    • DOMAIN-KEYWORD: Matches keywords within domain names.
    • GEOIP: Matches IP addresses by geographic location, e.g., GEOIP,CN matches IPs geolocated in China.
    • IP-CIDR: Matches IP address ranges.
    • SRC-IP: Matches source IP addresses.
    • DST-PORT: Matches destination ports.
    • PROCESS-NAME: Matches process names (supported on some platforms).

  • Rule Configuration Logic: Rule files are usually provided by the subscription, but you can also customize them. A logical rule order is: precise matches first (e.g., specific app domains), then broad matches (e.g., social media suffixes), followed by geographic IP matches, and finally a catch-all rule (pointing to the FINAL group).

4. Troubleshooting Common Issues

When encountering connection problems, follow these steps to diagnose:

  1. Subscription Issues: Verify the subscription link is valid and not expired. Try opening the subscription link in a browser to see if you can download a YAML file.
  2. Proxy Not Running: Confirm the Clash core is running and the system proxy or TUN mode is correctly enabled. Check the client's main interface for a "Connected" status or uptime counter.
  3. Rule/Proxy Group Errors: Check if the target website's domain is correctly covered by a rule and if the corresponding proxy group contains available nodes. You can temporarily change the FINAL rule to DIRECT or PROXY to test whether it's a rule problem or a node problem.
  4. Node Issues: In the client's "Proxies" page, manually test the latency and connectivity of individual nodes. If all nodes timeout, it might be a local network or provider issue.
  5. DNS Issues: Some connection failures can be related to DNS pollution. Try enabling an enhanced-mode (like redir-host or fake-ip) in the dns section of your configuration file and configure reliable DNS servers (e.g., 8.8.8.8, 1.1.1.1).
  6. Check Logs: Enable Clash's logging function (usually a Log Level setting) and review error or warning level logs for specific error messages.

By systematically understanding the configuration structure and utilizing these troubleshooting steps, you can resolve most issues encountered while using Clash, leading to a stable and efficient networking experience.

Related reading

Related articles

V2Ray Configuration in Practice: From Basics to Advanced, Building a Stable and Reliable Proxy Environment
This article provides a hands-on guide to V2Ray configuration from scratch, covering basic installation, core protocol setup, advanced features (like load balancing and dynamic ports), and security hardening, aiming to help users build a stable, efficient, and secure proxy environment.
Read more
Practical V2Ray Routing Strategies: A Guide to Fine-Grained Traffic Splitting by Domain and IP
This article delves into the core principles and configuration methods of V2Ray routing strategies, focusing on how to achieve fine-grained traffic splitting based on domain names and IP addresses to optimize network performance, improve access speed, and ensure critical traffic takes the optimal path.
Read more
Frequent VPN Disconnections? Deep Dive into Key Stability Factors and Optimization Solutions
Frequent VPN disconnections severely impact work efficiency and online experience. This article provides an in-depth analysis of key stability factors including network environment, protocol selection, server load, and client configuration, along with practical optimization solutions for reliable VPN connections.
Read more
The Complete Guide to Self-Hosted VPN: From VPS Selection to WireGuard Deployment
This article provides a comprehensive guide to building your own VPN, covering VPS selection, OS choice, WireGuard deployment steps, and performance optimization tips for a secure and efficient private VPN service.
Read more
VPN Optimization for Hybrid Work Environments: Practical Techniques to Improve Remote Access Speed and User Experience
As hybrid work models become ubiquitous, the performance and stability of corporate VPNs are critical to remote collaboration efficiency. This article delves into the key factors affecting VPN speed and provides comprehensive optimization strategies, ranging from network protocol selection and server deployment to client configuration, aiming to help IT administrators and remote workers significantly enhance their remote access experience.
Read more
VLESS Practical Deployment Guide: Building High-Performance Encrypted Tunnels in Restricted Network Environments
This article provides a detailed practical deployment guide for the VLESS protocol, focusing on configuring high-performance, low-latency encrypted proxy tunnels in environments with strict network censorship or limited bandwidth. It covers the complete configuration process for both server and client, TLS camouflage optimization strategies, and tuning techniques for specific network restrictions.
Read more

FAQ

After importing a Clash subscription link, the node list is empty or shows an error. What should I do?
This usually indicates an invalid subscription link, a format not supported by Clash, or a network issue preventing download. Troubleshoot as follows: 1) Verify the subscription link is complete and not expired. 2) Try opening the link directly in your browser; you should be able to download a `.yaml` or `.yml` file. Open it with a text editor to check if the content is normal. 3) Check the client's logs for any download or parsing errors. 4) Temporarily disable your firewall or security software and try again. 5) Contact your service provider to confirm if the subscription supports the Clash format.
How do I set up a separate proxy policy for specific websites or apps (e.g., Netflix, games)?
There are two main approaches: 1) **Using Rules**: In the `rules` section of your configuration file, add a rule for the specific domain (e.g., `DOMAIN-SUFFIX,netflix.com`) or IP range, directing it to a dedicated proxy group (e.g., a `Netflix` group) containing nodes suitable for streaming or low latency. 2) **Using Proxy Groups**: Create a new proxy group (e.g., `Gaming`) of type `select` or `url-test` and place high-quality nodes in it. Then, in your rules, direct the game server domains or IPs to this `Gaming` group. Ensure this specific rule is placed before more general rules in the rule order.
After enabling Clash, some domestic websites become slow or fail to load. How can I fix this?
This is often caused by misrouted domestic traffic due to rule errors. Solutions: 1) Check if rules for `GEOIP,CN` and common domestic domains (e.g., rules related to `DOMESTIC`) point to the `DIRECT` or a `DOMESTIC` (direct connection) group. 2) Verify your `FINAL` rule setting. If you want unmatched traffic to go direct, it should be `FINAL,DIRECT`. 3) Ensure the `DOMESTIC` proxy group does not mistakenly contain overseas nodes. 4) Try enabling the `fake-ip` or `redir-host` enhanced mode in the `dns` section of your config and configure a trusted domestic DNS server (e.g., `114.114.114.114`) to avoid DNS pollution or resolution to foreign IPs.
Read more