Do I paste Base64 text or a subscription URL into Clash?

Most modern clients accept the HTTPS subscription URL your provider lists in the dashboard. If you only have a long Base64 blob, download it as a file or convert it with a trusted sub-converter, then import the resulting YAML profile instead of pasting raw nodes manually.

Why does Clash say download failed or subscription expired?

Check network time sync, confirm the URL still works in a browser, disable conflicting antivirus HTTPS interception temporarily, and ensure outbound UDP or QUIC is not blocked if your provider relies on those transports.

Should beginners start with Rule mode or Global mode?

Rule mode is usually best because domestic destinations stay direct while overseas hosts use the proxy. Global mode is simpler for quick tests but slows mainland websites because everything tunnels abroad.

When do I need TUN mode instead of System Proxy?

Enable TUN when terminal tools, IDEs, or sandboxed apps ignore the OS proxy table. System Proxy covers most browsers and desktop apps that respect Windows or macOS proxy settings.

Clash Beginner Guide: Setup & Subscription

What Clash Is (and What This Guide Covers)

Clash is an open-source rule-based proxy client: it reads a structured profile—often YAML—defines outbound servers provided by your subscription, groups those servers intelligently, then decides how each connection should leave your machine: direct to the internet, through a selected relay, or blocked entirely. Unlike single-link VPN apps that hide everything behind one opaque toggle, Clash exposes routing intent. That transparency helps when you want mainland Chinese sites on a fast domestic path while overseas services still traverse your encrypted tunnel.

This article assumes you are comfortable downloading installers and pasting URLs, but you have never edited proxy rules by hand. We walk from picking a maintained graphical client through importing the subscription your provider emailed or dashboard-linked, enabling either system proxy or TUN, and validating latency. Along the way we translate jargon—profiles, proxy-groups, Rule versus Global—into plain language so you can troubleshoot without opening Stack Overflow threads written for kernel developers.

Use lawfully. Respect network policies where you live or work. This tutorial explains generic client mechanics only; it does not endorse bypassing restrictions illegally.

Core Concepts Before You Click Anything

Think of three stacked layers: the core (the Mihomo-family engine most modern clients embed), the profile (YAML describing proxies, groups, and rules), and the UI shell (Clash Verge Rev, FlClash, and similar apps). Your subscription URL usually downloads a remote profile fragment—servers and groups—or an entire merged configuration depending on provider tooling.

Subscription versus profile

A subscription URL is simply an HTTPS endpoint returning text Clash understands: lists of nodes with types such as ss, vmess, trojan, or newer transports. The UI stores that URL, periodically re-downloads it, and injects the resulting proxies into your active configuration. A profile, meanwhile, is the complete document Clash executes: not only servers but also proxy-groups such as Auto or Proxy, DNS stanza, and the ordered rules: section that chooses DIRECT versus RELAY per hostname.

Proxy groups and modes beginners actually use

Providers ship sensible defaults. You normally interact with:

Rule mode: Most connections consult rules—domestic CDNs go direct; blocked or overseas domains ride your relay. This keeps video sites responsive.
Global mode: Everything proxied except loops explicitly carved out—quick when diagnosing failures but wasteful daily.
Direct mode: Bypass relays entirely—useful before airplane Wi-Fi or when debugging ISP issues.

Within Rule mode you still pick a concrete outbound inside groups labeled Proxy, Auto, or regional buckets your YAML defines. URL-test groups automatically ping endpoints and prefer the fastest healthy server—ideal when you do not want manual hopping.

System Proxy versus TUN

System Proxy toggles the OS-wide HTTP/HTTPS proxy pointers—the same switches browsers honor automatically on Windows and macOS. Lightweight, reversible in seconds, but ignored by many CLI utilities unless they read environment variables. TUN mode installs a virtual adapter so packets traverse Clash at layer three—Git, Docker pulls, and stubborn Electron apps finally obey without exporting HTTPS_PROXY. TUN needs elevated permission once and occasionally fights corporate VPNs; keep System Proxy as your default until something obviously ignores it.

Pick a Client That Will Not Rot Next Month

The ecosystem moved fast after upstream archival drama. Today, prioritizing current Mihomo features, subscription UX, and TLS parity matters more than nostalgic branding. Practical picks:

Windows / macOS / Linux — Clash Verge Rev: Cross-platform Qt UI, scheduled subscription refresh, built-in profile editor with syntax highlighting, TUN helpers, and lively maintenance.
macOS alternatives: Some users prefer native wrappers; verify the fork bundles updated cores before committing.
Android — FlClash: Material You aesthetics, quick tile toggles, per-app split tunneling on newer Android builds, arm64 and x86_64 APK splits.

Avoid downloading mystery binaries from forum attachments. Hash-verify when projects publish checksums, and prefer HTTPS landing pages that link straight to release artifacts.

Install Clash Verge Rev on Windows

Open our official download hub and grab the latest Windows installer (.exe) or portable .zip if you dislike installers touching Program Files.
Launch the installer, approve SmartScreen if Defender flags an unpublished certificate—the open-source builds rotate signatures slower than commercial SaaS.
Finish setup, start Clash Verge Rev, and allow Windows Firewall prompts only for the legitimate executable path you just installed.
Open Settings ▸ Core and confirm the bundled Mihomo binary reports a recent semantic version; refresh if the UI offers an in-app core updater.

Windows beginners routinely stumble because administrative proxies from enterprise MDM override Clash. If enabling System Proxy does nothing, open Win+I ▸ Network ▸ Proxy and verify no grayed-out corporate PAC scripts linger.

Install on macOS

Download the macOS .dmg or universal archive from the same hub—Apple Silicon and Intel builds often ship separately.
Drag Clash Verge Rev into Applications, first-run via right-click ▸ Open to bypass Gatekeeper quarantine without weakening global security settings.
Grant Network Extension or VPN configuration permission when enabling TUN later; macOS shows a padlock icon in the menu bar while consent dialogs wait.

If menu-bar icons vanish on Sonoma or Sequoia, check System Settings ▸ Login Items—some privacy resets disable helper login items after OS upgrades.

Install FlClash on Android

Identify CPU architecture under Settings ▸ About phone; most 2023+ phones need arm64-v8a.
Sideload the matching APK; Android prompts you to allow installs from that browser once.
Open FlClash, grant VPN permission—the OS treats Clash like any VPN profile.
Disable aggressive OEM battery killers for FlClash if subscriptions stop refreshing overnight.

Import Your Subscription end-to-end

Assume your provider dashboard displays something like https://example.net/sub?token=abcd. Copy it verbatim—query strings matter.

In Clash Verge Rev open Profiles (wording varies slightly per release) and choose New subscription or Download remote profile.
Paste the URL, give it a memorable alias (Spring2026), set an update interval—six hours is a balanced default—and save.
Hit Update or the circular refresh icon; watch logs if the download fails immediately.
Select the imported profile as Active; the dashboard should list proxy groups populated with servers.

If your provider gives separate rulesets or rule-provider URLs, advanced YAML merges them automatically—beginners rarely touch those until customizing split routing.

When imports fail

First open the link in a browser: if it downloads gibberish text, the endpoint still works—Clash expects that. If the browser shows HTTP 403, your token expired or the provider rate-limits stale IPs. Rotate keys from the dashboard. Corporate networks injecting TLS inspection break HTTPS subscriptions unless you import their root certificate—often more headache than tethering briefly from mobile data to refresh profiles.

Turn On System Proxy or TUN Correctly

After a successful import:

Set mode dropdown to Rule unless your provider explicitly demands Global for first boot.
Open the group named Proxy or similar and click Latency test; green bars hint stable routes.
Toggle System Proxy; Windows tray icons or macOS menu indicators should reflect ON.
Only if something still bypasses—try curl https://api.ipify.org in Terminal—enable TUN and accept elevation prompts.

DNS leaks undermine anonymity goals. Enable fake-ip or enhanced DNS profiles only after reading your YAML comments—misconfigured DNS can paradoxically slow lookups. Beginners should stick to provider defaults until pages load reliably.

Daily Workflow Tips That Save Hours

Pin latency-tested servers near airports you physically neighbor—geo labels mislead when Anycast fronts distribute globally.
Schedule off-peak refreshes so subscription edits propagate while you sleep.
Export backups of working YAML before experimenting; Git-friendly diffing reveals accidental indentation slips.
Use split tunnel per-app on Android gaming builds to keep domestic tournament servers direct.

Troubleshooting Playbook

TLS handshake or certificate errors

Often antivirus HTTPS scanning or an expired provider certificate. Temporarily pause SSL inspection, retry, then whitelist Clash paths if corporate policy allows.

Domestic sites crawl despite Rule mode

Stale GEOIP databases mis-tag IPs. Update geo assets inside the client, or temporarily flip to Global-only testing to isolate rule problems versus upstream congestion.

Specific apps break while browsers work

The app probably ignores system proxies—switch to TUN or configure per-app outbound overrides where FlClash exposes them.

Frequently Asked Questions

Do I paste Base64 text or a subscription URL? Prefer the HTTPS subscription URL from your dashboard. Raw Base64 belongs in converters or file imports—manual node typing invites typos.

Why does refresh fail instantly? Check clock skew beyond five minutes, captive portals on hotel Wi-Fi, or expired tokens.

Rule versus Global for beginners? Rule preserves domestic speed; Global is diagnostic glue.

When must I use TUN? Whenever CLI stacks or sandboxed apps skirt the OS proxy table.

Why Clash Still Wins for Power Users and Beginners Alike

Many one-click VPN wrappers prioritize marketing gradients over observability: you cannot see which hostname failed, latency bars lie averaged across continents, and rotating transports requires swapping entire apps. Browser-only SOCKS plugins ignore mail sync and IDE traffic entirely. Clash pairs granular routing with transparent logs—every mismatch surfaces the exact rule—and modern graphical shells removed the YAML intimidation factor for newcomers while preserving upgrade paths toward advanced split tunnels.

If you want one installer that tracks upstream Mihomo improvements instead of freezing on abandoned forks, pairs subscription automation with friendly dashboards, and scales from “just make YouTube load” to intricate GEOIP policies later, Clash remains the rational baseline. Grab verified builds for every platform without hunting stale mirrors:

Download Clash clients