The Definitive Clash Configuration Guide: A Complete Workflow from Subscription Import to Proxy Groups and Rule Management

2/20/2026 · 3 min

1. Subscription Import and Basic Configuration

The core functionality of Clash relies on high-quality subscription links. First, obtain a subscription URL from your provider. In the Clash dashboard, navigate to "Subscriptions" -> "Add", enter the URL, and set an update interval (24 hours is recommended). After import, Clash will automatically fetch the node list.

1.1 Verifying Subscription Validity

After import, check if nodes are reachable. Select any node on the "Proxies" page and click "Test Latency". If all time out, the subscription may be invalid or network restrictions apply. Try switching subscriptions or using a proxy to update.

1.2 Configuration File Structure

Clash's configuration file (config.yaml) consists of five main sections: proxies (node list), proxy-groups (policy groups), rules (routing rules), dns (DNS settings), and general (general settings). Users can achieve advanced customization by editing the configuration file directly.

2. Proxy Group Configuration

Proxy groups are key to Clash's intelligent traffic distribution. Common types include:

  • select: Manually choose a node, ideal for frequent switching.
  • url-test: Automatically test node latency and select the best one, suitable for speed-oriented users.
  • fallback: Try nodes in priority order, ideal for high availability.
  • load-balance: Distribute traffic across multiple nodes, suitable for large downloads.

2.1 Configuration Example

proxy-groups:
  - name: "Proxy"
    type: select
    proxies:
      - HK-01
      - JP-02
      - US-03
  - name: "Auto"
    type: url-test
    url: "http://www.gstatic.com/generate_204"
    interval: 300
    proxies:
      - HK-01
      - JP-02

2.2 Nested Proxy Groups

Proxy groups can be nested. For example, create a "Fallback" group containing multiple "Auto" groups for multi-layer fault tolerance.

3. Rule Management

Rules determine which traffic goes through the proxy and which connects directly. Clash rules are matched in order; once a rule matches, subsequent rules are ignored.

3.1 Rule Syntax

Each rule consists of a type, matching content, and a policy. Common types:

  • DOMAIN-SUFFIX: Match domain suffixes, e.g., DOMAIN-SUFFIX,google.com,Proxy.
  • DOMAIN-KEYWORD: Match domain keywords, e.g., DOMAIN-KEYWORD,ad,REJECT.
  • IP-CIDR: Match IP ranges, e.g., IP-CIDR,10.0.0.0/8,DIRECT.
  • GEOIP: Match country IPs, e.g., GEOIP,CN,DIRECT.
  • MATCH: Catch-all rule for unmatched traffic.

3.2 Rule Optimization Tips

  • Place frequently used direct rules (e.g., domestic sites) early to reduce proxy latency.
  • Use RULE-SET to reference external rule sets for easier maintenance.
  • Avoid excessive rules that degrade performance; keep under 200 rules.

4. Common Issues and Troubleshooting

4.1 Unable to Connect

Check if "System Proxy" or "TUN Mode" is enabled. For TUN, ensure the virtual network card driver is installed.

4.2 Rules Not Working

Verify rule order and that policy group names match those in rules.

4.3 High Memory Usage

Reduce the number of proxy groups or lower the url-test interval.

5. Conclusion

By properly configuring subscriptions, proxy groups, and rules, Clash can achieve efficient and stable network proxying. Regularly update subscriptions and rule sets to maintain optimal performance.

Related reading

Related articles

Building a VPN on Cloud Servers: Practical Configuration of Security Groups, Firewalls, and Key Management
This article provides a comprehensive guide on configuring security groups, firewall rules, and key management when building a VPN on cloud servers, ensuring a secure and reliable service from basic network setup to advanced security hardening.
Read more
Enterprise VPN Packet Loss Diagnostic Guide: Precision Localization with MTR and Packet Capture Tools
This article provides a systematic diagnostic approach for common packet loss issues in enterprise VPN environments. Core tools include MTR (My Traceroute) and Wireshark/tcpdump packet capture tools, enabling precise localization of packet loss root causes through hop-by-hop path analysis, latency jitter detection, and protocol layer verification. The article covers the complete workflow from basic configuration checks to advanced packet capture analysis, along with resolution strategies for typical scenarios.
Read more
Complete Guide to Self-Hosted VPN: From Server Configuration to Client Connection
This article provides a comprehensive guide to setting up your own VPN, covering server selection, OS configuration, protocol choices (WireGuard, OpenVPN), server installation and configuration, firewall rules, client connection methods, and security hardening tips. Ideal for tech users seeking full control over network privacy and access.
Read more
From Nodes to Protocols: A Comprehensive Analysis of VPN Airport Service Architecture and Security Risks
This article provides an in-depth analysis of VPN airport technical architecture, covering core components such as node deployment, protocol selection, and load balancing, while systematically examining potential security risks including data leakage, man-in-the-middle attacks, and logging policies, offering comprehensive technical insights and security recommendations for users.
Read more
The Complete Guide to Self-Hosted VPN: From VPS Selection to WireGuard Deployment
This article provides a comprehensive guide to building your own VPN, covering VPS selection, OS choice, WireGuard deployment steps, and performance optimization tips for a secure and efficient private VPN service.
Read more
Hardening Self-Hosted VPN Nodes: A Full-Chain Guide from Certificate Management to Traffic Obfuscation
This article provides a comprehensive guide to hardening self-hosted VPN nodes, covering certificate management, protocol selection, traffic obfuscation, firewall rules, and log auditing to help operators build highly secure private network access points.
Read more

FAQ

What should I do if all nodes time out after importing a subscription?
First, check if the subscription URL is valid by opening it in a browser to see if node information is returned. If not, contact your provider for an update. Second, check if your network environment restricts proxies; try switching networks or using a proxy to update the subscription.
How can I make domestic sites connect directly and foreign sites go through the proxy?
In the rules, set domestic domains (e.g., .cn domains) and domestic IP ranges (e.g., GEOIP,CN) to DIRECT, and add a catch-all rule MATCH,Proxy at the end. It is recommended to use third-party rule sets like ACL4SSR for automatic maintenance.
What is the difference between url-test and fallback in proxy groups?
url-test periodically tests the latency of all nodes and automatically selects the one with the lowest latency; fallback tries nodes in the configured order and only switches to the next when the current node is unavailable. url-test is suitable for speed, while fallback is suitable for stability.
Read more