mirror of https://github.com/dyhkwong/Exclave.git synced 2026-04-21 06:32:42 +00:00
dyhkwong edited this page 2026-04-16 20:27:27 +08:00

Settings

Service mode

  • VPN: Use the proxy as a "pseudo-VPN" and take over the traffic globally through the VPN service (TUN virtual interface) provided by the system.

    • As a proxy rather than a VPN, it naturally supports only the transport layer protocols TCP and UDP, and does not support other transport layer protocols or protocols on lower layers (e.g. ICMP in the network layer), unless you go to the trouble of forking the existing proxy protocols so that they carry network layer traffic.

    • ICMP echo replies and ICMPv6 echo replies are forged. Enable "discard ICMP" to discard ICMP and ICMPv6 if you don't like this behavior.

  • Proxy only: Only launch the proxy instance and do not take over the traffic.

TCP/IP stack

Proxies like SOCKS or HTTP CONNECT operate at the transport layer, while most VPNs operate at the network layer. In order to use the proxy as a "pseudo-VPN", a TCP/IP stack is required to perform the conversion between the network layer (IP packets) and the transport layer (TCP or UDP).

  • gVisor: Use the userspace TCP/IP stack implemented by gVisor to perform the conversion between the network layer and the transport layer.

  • System: Use the operating system's TCP/IP stack (through a trick some call "double NAT") to perform the conversion between the network layer and the transport layer. This approach does not have a precise name; the word "system" may have been coined by Clash.

MTU

Maximum transmission unit. Defaults to 1500 in this software.

  • In practice, Clash and others use an MTU value of 9000 only to score higher in benchmarks. However, such a large MTU may cause network transmission issues.

  • MTU values greater than 16384 are not considered by this software. Using one may lead to unpredictable consequences.

Enable PCAP

When using gVisor as the TCP/IP stack, enable its packet capture function and dump traffic. Dumped PCAP files help in network analysis and troubleshooting.

Metered hint

Only available on Android 10+. If enabled, the VPN will be marked as metered. If disabled, the VPN will inherit the meteredness from the upstream interface.

Discard ICMP

Discard ICMP and ICMPv6 rather than forging ICMP echo replies and ICMPv6 echo replies.

App traffic statistics

App traffic statistics only apply to TUN under VPN mode. Many "Android" devices from China have modified the permission for querying installed packages; you may need to grant it manually in system settings or elsewhere.

Root CA provider

  • System: Use the system Root CA store. Reads CA files in /system/etc/security/cacerts only. This is consistent with the behavior of most TLS libraries on Android. However, this is in fact a bug in Go, not the expected behavior.

  • Mozilla: Use the Root CA store provided by Mozilla[1] [2]. It is useful for devices which lack system updates and cannot update their Root CA store.

  • System and user: Until Go fixes the bug, correct its behavior when reading the certificate store. If Go eventually fixes this, this option will be removed.

    • Prefer system certificates in /apex/com.android.conscrypt/cacerts (the path since Android 14), and fall back to /system/etc/security/cacerts
    • Trust user-installed certificates in /data/misc/user/[user id]/cacerts-added
    • Do not trust user-disabled system certificates in /data/misc/user/[user id]/cacerts-removed

  • Custom: Place a custom root_store.certs file (in PEM format) in Android/data/[package name]/files or import it as a route asset to use a custom root store.

IPv6 route

If disabled, only an IPv4 address is set for the VPN. If enabled, both an IPv4 address and an IPv6 address are set for the VPN.

Per-app VPN

Exclude selected applications from VPN or include selected applications in VPN.

In "proxy" mode, only the traffic from selected applications is processed by the VPN. In "bypass" mode, all traffic except that from selected applications is processed by the VPN.

  • Many "Android" devices from China have modified the declare-only "query all packages" (android.permission.QUERY_ALL_PACKAGES) permission and broken the normal behavior of software. You may need to manually grant the so-called "get installed apps" (or similarly named, com.android.permission.GET_INSTALLED_APPS) runtime permission in system settings or elsewhere.

  • Applications without the "have full network access" permission (android.permission.INTERNET) are not shown. E.g. Gemini (com.google.android.apps.bard) does not have the Internet permission and connects to the Internet through the app named "Google" (com.google.android.googlequicksearchbox). You should search for "Google" rather than "Gemini".

  • Multi-user support: Android VpnService only applies to the current user. You need to install this application separately for each and every user that needs to use this application.

  • "Per-app VPN" is actually "per-UID VPN". Applications with the same UID (android:sharedUserId) share whether they are included or excluded from the VPN. Therefore, selecting one of these applications in the user interface will automatically select all others.

Allow apps to bypass VPN

Allow applications to use system-provided methods such as bindProcessToNetwork to bypass VPN on their own.

  • Enable this if you want FCM's[1] [2] attempt to bypass the VPN to take effect.

Bypass private addresses

Exclude private addresses from VPN. Some LAN communication applications need this enabled to work. TUN route addresses are set to 0.0.0.0/0 and ::/0 if disabled.

If "allow clients to use VPNs" on LineageOS (and other systems) does not work with this enabled:

Domain strategy

See V2Ray documentation "domainStrategy".

It serves the distorting demand that traffic with a domain name destination be able to match IP rules, yet still use the domain name as the destination address.

  • In the case of TUN, the destination address is always an IP address. If you don't use fake DNS or "override destination" or HTTP/SOCKS inbound, these options have almost no difference.

Enable sniffing

Corresponds to "sniffing" in V2Ray. Sniff the domain name (from the HTTP Host header, TLS SNI and QUIC SNI) and the protocol type of the traffic.

It serves the distorting demand that traffic with an IP address destination be able to match domain name rules.

Override destination

Sniffed domain name from "enable sniffing" is used for route only if disabled. Sniffed domain name from "enable sniffing" is used as the destination address if enabled.

It serves the distorting demand that traffic with an IP address destination be able to match domain name rules, yet use the sniffed domain name as the destination address.

  • Enable this only when you know about its side effects. Some examples of things that stop working with it enabled: Tor, Apple Push, MTProto.

Hijack DNS

Hijack DNS queries not sent to TUN DNS address (e.g. dig in Termux) with DNS sniffer, so that they are handled by the internal DNS module.

  • Some false positives and false negatives are expected. This option is not enabled by default.

  • DNS queries sent to TUN DNS address are always handled by the internal DNS module.

  • This software complements V2Ray's built-in DNS module and makes it able to handle non-A/AAAA DNS queries according to DNS rules. The so-called "nonIPQuery" is meaningless for this software.

  • This software complements V2Ray's built-in DNS module and makes it able to return the correct TTL, except for system DNS. The so-called "responseTtl" is meaningless for this software.

Resolve destination

For proxied traffic, if the destination address is a domain name, resolve the domain name to an IP address as the destination address.

  • In the case of TUN, the destination address is always an IP address. If you don't use fake DNS or "override destination" or HTTP/SOCKS inbound, this option takes almost no effect. Enable fake DNS if you must make it work.

  • Do not report "Prefer IPv4/6 not working" like SagerNet/sing-box#932 and those linked duplicate issues.

  • You may not want the server to receive UDP traffic with a domain name as the destination address, because the NAT mapping behavior of UDP traffic with a domain name as the destination address is nearly impossible to handle correctly.

Resolve destination (direct)

For direct traffic, if the destination address is a domain name, resolve the domain name to an IP address as the destination address.

If disabled, the operating system resolves the domain name to IP address through upstream interface DNS address.

  • In the case of TUN, the destination address is always an IP address. If you don't use fake DNS or "override destination" or HTTP/SOCKS inbound, this option takes almost no effect. Enable fake DNS if you must make it work.

  • Do not report "Prefer IPv4/6 not working" like SagerNet/sing-box#932 and those linked duplicate issues.

Resolve destination (server address)

If the server address is a domain name, resolve the domain name to an IP address and establish connection to the IP address.

If disabled, the operating system resolves the domain name to IP address through upstream interface DNS address.

Connection test URL

URL used to test proxy connectivity. Set it to an HTTPS URL to prevent "airports" from hijacking the traffic and spoofing the latency.

  • Some other software uses HTTP RTT or other values as test results to please users' eyes, which does not reflect the actual experience.

Enable TLS Client Hello fragmentation

Apply TLS record fragmentation, TCP segmentation, or both to the TLS Client Hello. It may help circumvent SNI censorship in some regions. This only applies to protocols that the core supports, not to plugins.

  • Around 2023 to 2025, it was reported[1] [2] to be exempted from SNI censorship in certain regions, but it also creates extremely obvious characteristics. Use it only if you know what you are doing.

  • Because the large post-quantum key share makes the TLS Client Hello too large, the Go standard TLS library and the uTLS library have had to apply TCP segmentation to the TLS Client Hello, but the complete SNI is still present in the first segment.

  • Not TLS Client Hello fragmentation, but related to it: for the TLS variant that QUIC uses, it was reported in 2025 that fragmenting and re-ordering the QUIC Client Initial and its CRYPTO frames was exempted from SNI censorship in certain regions, although originally it is the so-called "Chaos Protection" for preventing protocol ossification in Chromium quiche. The de facto standard Go QUIC library quic-go has integrated and adopted this mechanism.

  • Do NOT abuse exemption mechanism if NOT backed into a corner.
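The "extremely obvious characteristics" mentioned above are visible to anyone inspecting the client-to-server stream: a Client Hello whose handshake header declares more bytes than the first TLS record carries. The following Go code is an added example, not part of Exclave or the Go TLS library; it reassembles the first handshake message from a byte stream and reports whether it was record-fragmented (TCP segmentation, which leaves the record itself intact, is not detectable this way). The byte samples at the end are constructed, not real captures.

```go
package main

import (
	"encoding/binary"
	"errors"
)
const (
	recordHandshake      = 0x16 // TLS record content type: handshake
	handshakeClientHello = 0x01
	recordHeaderLen      = 5
)
// HelloShape summarises how the Client Hello arrived on the wire.
type HelloShape struct {
	Records       int  // TLS records needed to complete the handshake message
	FirstFragment int  // handshake bytes carried by the first record
	HandshakeLen  int  // Client Hello length declared in the handshake header
	Fragmented    bool // true when the message spans more than one record
}
// InspectClientHello reassembles the first handshake message from a captured
// client-to-server byte stream and reports whether it was record-fragmented.
func InspectClientHello(stream []byte) (HelloShape, error) {
	var s HelloShape
	var buf []byte
	need, off := -1, 0
	for need < 0 || len(buf) < need {
		if off+recordHeaderLen > len(stream) {
			return s, errors.New("stream ends before the Client Hello is complete")
		}
		if stream[off] != recordHandshake {
			return s, errors.New("non-handshake record while reading the Client Hello")
		}
		rl := int(binary.BigEndian.Uint16(stream[off+3 : off+5]))
		end := off + recordHeaderLen + rl
		if end > len(stream) {
			return s, errors.New("truncated TLS record")
		}
		buf = append(buf, stream[off+recordHeaderLen:end]...)
		if s.Records == 0 {
			s.FirstFragment = rl
		}
		s.Records++
		off = end
		if need < 0 && len(buf) >= 4 { // handshake header: type(1) + length(3)
			if buf[0] != handshakeClientHello {
				return s, errors.New("first handshake message is not a Client Hello")
			}
			s.HandshakeLen = int(buf[1])<<16 | int(buf[2])<<8 | int(buf[3])
			need = 4 + s.HandshakeLen
		}
	}
	s.Fragmented = s.Records > 1
	return s, nil
}
// Constructed samples (not real captures): a 20-byte Client Hello body, sent whole,
// and the same message split so that only 3 handshake bytes sit in the first record.
var plainSample = append([]byte{0x16, 0x03, 0x01, 0x00, 0x18, 0x01, 0x00, 0x00, 0x14}, make([]byte, 20)...)
var fragmentedSample = append([]byte{0x16, 0x03, 0x01, 0x00, 0x03, 0x01, 0x00, 0x00,
	0x16, 0x03, 0x01, 0x00, 0x15, 0x14}, make([]byte, 20)...)
```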

Security tips

Display warnings for profiles whose security is equivalent to cleartext. The transmitted content of profiles with the warning displayed can be decrypted by a man-in-the-middle attacker.

This option is enabled by default and disabling it is strongly discouraged. It is highly recommended not to use configurations with the warning displayed.

The following limitations exist (including but not limited to):

  • If a "password" is used for encryption, its strength is not checked;
  • For certain protocols, this does not mean that replay attacks can't be performed;
  • Custom configurations are not checked;
  • If a Shadowsocks configuration uses a plugin other than obfs-local (simple-obfs) or v2ray-plugin, it cannot be checked;
  • This does not mean that the fact that you are using a proxy can't be detected;
  • This does not mean that the transmitted content can't be decrypted if the password, private key, etc. is leaked;
  • This does not mean that the transmitted content can't be decrypted if your local environment is insecure;
  • This does not mean that the transmitted content can't be decrypted if this software has unknown vulnerabilities;
  • This does not mean that the transmitted content can't be decrypted by future technologies as technology advances;
  • Configurations with server addresses of localhost, ::1, or 127.0.0.0/8 will not trigger the warning, but a false positive will occur if the server address is a domain name that resolves to ::1 or 127.0.0.0/8;
  • Security tips are provided in the hope that they will be useful, but WITHOUT ANY WARRANTY.

Remote DNS/Direct DNS

Format: one per line. No parallel queries.

Supported DNS server types:

| Format | Explanation | Bypasses route component |
|---|---|---|
| host (domain name or IP) | UDP DNS on port 53 | no |
| udp://host[:port] | UDP DNS | no |
| udp+local://host[:port] | UDP DNS | yes |
| tcp://host[:port] | TCP DNS | no |
| tcp+local://host[:port] | TCP DNS | yes |
| https://[username:password]@host[:port]/dns-query | DNS over HTTPS (HTTP/1.1 and HTTP/2 only) | no |
| https+local://[username:password]@host[:port]/dns-query | DNS over HTTPS (HTTP/1.1 and HTTP/2 only) | yes |
| quic://host[:port] | DNS over QUIC | no |
| quic+local://host[:port] | DNS over QUIC | yes |
| tls://host[:port] | DNS over TLS | no |
| tls+local://host[:port] | DNS over TLS | yes |
| h3://[username:password]@host[:port]/dns-query | DNS over HTTPS (HTTP/3 only) | no |
| h3+local://[username:password]@host[:port]/dns-query | DNS over HTTPS (HTTP/3 only) | yes |
| Use system DNS | Use the system API to query DNS through the upstream interface DNS address. Querying non-A/AAAA records with system DNS is only supported on Android 10+; on Android 9 or lower it returns "not implemented (NOTIMP)" for non-A/AAAA queries. | yes |

Some of these are added by this software and do not exist in the original V2Ray.

  • EDNS client IP: Fill in a valid IP address. According to V2Ray source code, IPv4 uses a CIDR of /24 and IPv6 uses a CIDR of /96.

  • Remote/Direct DNS resolve strategy:

    • This is obviously applicable for cleartext hijackable A/AAAA queries only.

    • It serves the distorting demand of controlling the so-called "IP address preference" of DNS resolution.

    • "UseIPv4" always returns empty response (NOERROR) for AAAA queries, "UseIPv6" always returns empty response (NOERROR) for A queries.

    • PreferIPv4 or PreferIPv6 does not exist. Do not report "Prefer IPv4/6 not working" like SagerNet/sing-box#932 and those linked duplicate issues.

    • If the remote DNS address is a domain, the domain is resolved by direct DNS. If the direct DNS address is a domain without +local and "Resolve destination" is enabled, the domain is resolved by Bootstrap DNS. Bootstrap DNS can only be filled with a DNS server whose address is an IP, or a DNS server with +local.

  • Domain rewriting: "hosts". Resolve the specified domain name to the specified IP addresses and spoof the replies. This is obviously applicable for cleartext hijackable A/AAAA queries only. The format is as follows (one entry per line: a domain followed by one or more IP addresses, or by another domain name as in the third line):

    example.com 127.0.0.1 127.0.0.2
    www.example.com 127.0.0.1
    www1.example.com www2.example.com
    
  • Enable DNS routing: If enabled, bypassed domains in routing are resolved by direct DNS and proxied domains are resolved by remote DNS. If disabled, both are resolved by remote DNS. However, the addresses of proxy servers are always resolved by system DNS or direct DNS to prevent loops.

  • Enable fake DNS: Use "fake DNS" to spoof DNS replies locally to eliminate the RTT introduced by DNS queries. The spoofed "fake IP" addresses that are unique for each domain name will be recovered to the domain name on connecting.

    • This is obviously applicable for cleartext hijackable A/AAAA queries only.
    • It is also for the distorting demand that enables traffic with an IP address destination able to match domain name rules and optionally uses the recovered domain name as the destination address.
    • It is also for the distorting demand of controlling the "IP address preference" of DNS resolution.
  • You should understand computer networking well enough to know the countless side effects and limitations of fake DNS. These issues include but are not limited to: breaking applications that rely on correct DNS responses to work; breaking UDP NAT mapping behavior; breaking proxy-in-proxy.
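To make the "hosts" format and the "UseIPv4"/"UseIPv6" resolve strategies above concrete, here is an added Go example (not Exclave's or V2Ray's own code) that parses a hosts table in the page's format and produces the spoofed A/AAAA answers for a name. Following a domain-to-domain entry as an alias chain with cycle protection is this example's assumption; the page only shows the entry format.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

type Strategy int

const (
	AsIs    Strategy = iota
	UseIPv4          // empty NOERROR for AAAA: only IPv4 answers survive
	UseIPv6          // empty NOERROR for A: only IPv6 answers survive
)

// Hosts is the "hosts" rewrite table: domain -> literal IPs and/or alias domains.
type Hosts map[string][]string

// ParseHosts parses the one-entry-per-line format shown on the page.
func ParseHosts(text string) (Hosts, error) {
	h := Hosts{}
	for n, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 1 {
			return nil, fmt.Errorf("hosts line %d: domain without any target", n+1)
		} else if len(f) > 1 {
			h[strings.ToLower(f[0])] = f[1:]
		}
	}
	return h, nil
}

// Lookup returns the spoofed answers for domain under strategy s. Alias targets are
// followed (this example's assumption); the visited set and depth limit stop cycles.
func (h Hosts) Lookup(domain string, s Strategy) []net.IP {
	var out []net.IP
	seen := map[string]bool{}
	var walk func(d string, depth int)
	walk = func(d string, depth int) {
		d = strings.ToLower(d)
		if depth > 8 || seen[d] {
			return
		}
		seen[d] = true
		for _, t := range h[d] {
			if ip := net.ParseIP(t); ip == nil {
				walk(t, depth+1) // alias: follow the chain
			} else if (s == UseIPv4 && ip.To4() == nil) || (s == UseIPv6 && ip.To4() != nil) {
				continue // strategy forbids this address family
			} else {
				out = append(out, ip)
			}
		}
	}
	walk(domain, 0)
	return out
}

func main() {
	h, _ := ParseHosts("example.com 127.0.0.1 ::1\nwww1.example.com www2.example.com\nwww2.example.com 10.0.0.5")
	fmt.Println(h.Lookup("www1.example.com", AsIs), h.Lookup("example.com", UseIPv6))
}
```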

Enable SOCKS5 inbound

Enable a SOCKS inbound listening on TCP and UDP 127.0.0.1 (:: if "allow connections from LAN" is enabled).

Some applications can be explicitly configured to use a SOCKS proxy.

SOCKS5 UDP lacks an authentication mechanism. If UDP support is enabled, username/password authentication can always be bypassed.

This SOCKS5 inbound is compatible with SOCKS4 and SOCKS4A if username/password authentication is not enabled.

Enable HTTP inbound

Enable an HTTP inbound listening on TCP 127.0.0.1 (:: if "allow connections from LAN" is enabled).

Some applications can be explicitly configured to use an HTTP proxy.

Append HTTP proxy to VPN

Only available on Android 10+. Only available when 'Basic' authentication is not enabled. Some applications respect HTTP proxy appended to VPN and their traffic will not go through the TUN interface.

  • Some applications refuse to work normally if they detect the appended HTTP proxy. You can add their domain names in the exception list (one per line). A better method is to bypass them in "per-app VPN".

Enable transparent proxy inbound

Enable an inbound listening on TCP 127.0.0.1 and ::1 (:: if "allow connections from LAN" is enabled) used for Netfilter REDIRECT.

You need to use iptables DNAT/REDIRECT to redirect TCP traffic to the transparent proxy port.

TPROXY is not supported because it requires running JNI code with root privileges. Use the transparent proxy modules for root solutions like Magisk/KernelSU for this purpose.

Enable DNS inbound

Enable a DNS forwarder listening on TCP and UDP 127.0.0.1 (:: if "allow connections from LAN" is enabled).

Allow connections from LAN

Set the listening address to :: (which is dual-stack in Go) instead of 127.0.0.1, to allow other devices to connect to the proxy server through this device by explicitly configuring a SOCKS or HTTP proxy.

This does not mean that traffic from other devices will transparently go through your proxy via hotspot. Unless your device's system supports "VPN tethering" (vanilla Android does not), you need to use VPN Hotspot for this purpose (root required).

Interrupt reused connections when network changes

Interrupt existing connections when network changes (such as switching between Wi-Fi access points or switching between cellular data and Wi-Fi) to mitigate issues caused by connection-reuse or multiplexing that improperly utilizes obsolete connections. This option only applies to the following connection-reuse or multiplexing protocols (excluding protocols implemented via plugins):

  • HTTP/2, HTTP/3, SSH, WireGuard, AnyTLS, Hysteria 2, TUIC, Juicity, mieru
  • Protocols with the following "transport": HTTP (also known as H2), gRPC, QUIC, Hysteria 2, XHTTP (only when using HTTP/2 or HTTP/3)
  • Protocols with Mux.Cool or sing-mux enabled
  • UDP DNS, DNS over HTTPS, DNS over HTTP/3, DNS over QUIC

Although DNS over TCP and DNS over TLS can use connection reuse, this is not implemented in this software. Some UDP/QUIC-based protocols are included because they may be carried over a UDP-over-TCP protocol.

It is not recommended to disable this option. This option may be enforced and removed in the future.

Use alternative method to query installed packages

Instead of using getInstalledPackages or getInstalledApplications to query installed packages, add

<queries>
    <intent>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent>
</queries>

and use getPackagesHoldingPermissions to query packages holding the "have full network access" permission (android.permission.INTERNET). This method requires neither the android.permission.QUERY_ALL_PACKAGES permission nor the so-called com.android.permission.GET_INSTALLED_APPS permission, circumventing the one-size-fits-all regulation of android.permission.QUERY_ALL_PACKAGES by some app stores (e.g. Google Play Store, where even fair use is prohibited) and the deliberate sabotage of android.permission.QUERY_ALL_PACKAGES under the guise of so-called "protecting user privacy" by many "Android" devices from China.

The output of this method may not be exactly the same as that of getInstalledPackages or getInstalledApplications. Do not enable it if you are not experiencing the issue of being unable to query installed apps.

Experimental flags
