What You'll Learn: This guide covers everything about Clash proxy rules, including the three proxy modes (Rule, Global, Direct), all rule types and their syntax, how to write custom rules, best practice rule ordering, and ready-to-use rule templates for common scenarios like China access, streaming, and gaming.
The most powerful feature of Clash isn't its protocol support or speed: it's the rule engine. While most VPN apps simply tunnel all your traffic through one server, Clash lets you build a custom routing policy that sends different traffic through different paths based on domain name, IP address, port, process name, and more.
This means you can access local banking apps at full speed while simultaneously streaming blocked content through VPN07. You can route work traffic through a US server, gaming traffic through a Japan server, and domestic services directly. Once you understand Clash rules, you'll never want to use a "one-size-fits-all" VPN again.
The Three Proxy Modes: A Deep Dive
Rule Mode
Traffic is routed according to your rule list. Each connection is checked against rules from top to bottom until a match is found.
Best for most users
Global Mode
ALL traffic goes through the selected proxy server. No rules are applied; everything tunnels through VPN07.
Use for: Quick testing, maximum access
Direct Mode
No proxy: all traffic goes directly to the internet as if Clash isn't running. Clash stays active but doesn't intercept.
Use for: Temporarily disabling proxy
Why Rule Mode Beats Global Mode
Global mode seems simpler, but it creates problems: local services (home NAS, local printer, intranet) become inaccessible because traffic goes to the proxy instead of your LAN. Rule mode intelligently routes local IPs directly and only proxies the traffic that actually needs it.
In our tests, Rule mode users get 40-60% better average speeds than Global mode for everyday browsing because domestic/local traffic skips the proxy entirely and runs at full ISP speed.
Clash Rule Types: Complete Reference
Clash supports over a dozen rule types. Here's a comprehensive breakdown of the most important ones:
DOMAIN
Matches an exact domain name. DOMAIN,google.com,Proxy will only match google.com, not subdomains like maps.google.com.
Use for: Specific high-priority domain rules
DOMAIN-SUFFIX
Matches a domain and all its subdomains. DOMAIN-SUFFIX,google.com,Proxy matches google.com, maps.google.com, mail.google.com, etc. The most commonly used rule type.
Use for: Service-wide rules for domains with many subdomains
DOMAIN-KEYWORD
Matches any domain containing the specified keyword. DOMAIN-KEYWORD,google,Proxy matches anything with "google" in the domain name. Powerful but broad, so use carefully.
Use for: Catching all variations of a service that shares a brand name
IP-CIDR
Matches an IP address range. IP-CIDR,192.168.0.0/16,DIRECT sends all local network traffic directly. Essential for preventing home LAN traffic from going through the proxy.
Use for: LAN exclusions, specific CDN IP ranges, cloud provider IPs
GEOIP
Routes traffic based on the destination IP's geographic location. GEOIP,CN,DIRECT sends all connections to Chinese IP addresses directly, bypassing the proxy. Built on the GeoLite2 database, updated monthly.
Use for: Country-based split tunneling, keeping domestic traffic local
RULE-SET
Imports an external rule file (local or remote URL). This is the most powerful feature for large rule sets. RULE-SET,https://ruleset.skk.moe/Clash/non_ip/google.txt,Proxy imports a maintained list of Google domains.
Use for: Community-maintained rule lists, large service domain collections
MATCH
The catch-all rule, always placed last. Any connection that doesn't match any previous rule falls through to MATCH. MATCH,Proxy means "proxy everything else."
Required: Every valid Clash config must end with a MATCH rule
Rule Ordering: Why Order Matters
Clash processes rules from top to bottom and stops at the first match. This means rule order is critical: putting broad rules before specific rules will cause the broad rule to match first, overriding more specific intentions.
# Correct Rule Order
rules:
  # 1. Localhost & Private Network (always direct first)
  - IP-CIDR,127.0.0.0/8,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  # 2. Specific overrides (before broad rules)
  - DOMAIN,api.openai.com,US-Proxy
  - DOMAIN-SUFFIX,netflix.com,US-Proxy
  # 3. Broad domain rules
  - DOMAIN-SUFFIX,google.com,Auto-Select
  - DOMAIN-SUFFIX,youtube.com,Auto-Select
  - DOMAIN-KEYWORD,github,Auto-Select
  # 4. GeoIP-based routing (near the end)
  - GEOIP,CN,DIRECT
  - GEOIP,private,DIRECT
  # 5. Final catch-all (always last)
  - MATCH,Auto-Select
Common Ordering Mistakes
- MATCH before GEOIP: If MATCH comes before GEOIP, all traffic gets proxied and GEOIP is never evaluated
- GEOIP,CN before specific proxy rules: Chinese CDN services like Alibaba Cloud that also have foreign content will incorrectly go DIRECT
- Broad keyword rules before specific domain rules: DOMAIN-KEYWORD,youtube will override a specific DOMAIN,youtube.com,US rule
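The first-match behaviour and the ordering mistakes above can be checked mechanically. The Python below is an added example, not code from Clash or from this guide: it evaluates a constructed rule list top to bottom and reports rules that an earlier, broader rule makes unreachable. It covers only DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD, IP-CIDR and MATCH, performs no DNS resolution or GeoIP lookup, and all function names are assumptions.

```python
import ipaddress

RULES = [  # constructed sample reproducing the ordering mistakes above
    "DOMAIN-KEYWORD,youtube,Auto-Select",
    "DOMAIN,youtube.com,US-Proxy",        # unreachable: keyword rule wins
    "IP-CIDR,10.0.0.0/8,DIRECT",
    "IP-CIDR,10.1.0.0/16,Auto-Select",    # unreachable: inside the /8
    "MATCH,Auto-Select",
    "GEOIP,CN,DIRECT",                    # unreachable: placed after MATCH
]

def parse(rule):                # 'TYPE,value,policy'; MATCH has no value
    p = rule.split(",")
    return (p[0], "", p[1]) if p[0] == "MATCH" else (p[0], p[1], p[2])

def matches(kind, value, host):
    """One rule against a hostname or IP literal (no DNS, no GeoIP data)."""
    if kind == "IP-CIDR":
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(value)
        except ValueError:      # host is a name, not an IP literal
            return False
    return {"MATCH": True, "DOMAIN": host == value,
            "DOMAIN-SUFFIX": host == value or host.endswith("." + value),
            "DOMAIN-KEYWORD": value in host}.get(kind, False)

def route(rules, host):
    """First-match evaluation: (index, policy) of the first matching rule."""
    for i, (kind, value, policy) in enumerate(map(parse, rules)):
        if matches(kind, value, host):
            return i, policy
    return None, None

def covers(a, b):
    """True if earlier rule a matches everything later rule b can match."""
    (ka, va, _), (kb, vb, _) = a, b
    if ka == kb == "IP-CIDR":
        na, nb = ipaddress.ip_network(va), ipaddress.ip_network(vb)
        return na.version == nb.version and nb.subnet_of(na)
    if ka == "DOMAIN-KEYWORD" and kb.startswith("DOMAIN"):
        return va in vb
    if ka == "DOMAIN-SUFFIX" and kb in ("DOMAIN", "DOMAIN-SUFFIX"):
        return matches(ka, va, vb)
    return ka == "MATCH" or (ka, va) == (kb, vb)

def shadowed(rules):
    """(later index, earlier index) for each rule that can never fire."""
    p = [parse(r) for r in rules]
    return [(j, i) for j in range(len(p)) for i in range(j)
            if covers(p[i], p[j])]
```

Running shadowed() over a rule list before loading it shows which entries are dead, and route() shows which policy a given host actually receives.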
Ready-to-Use Rule Templates
Here are battle-tested rule templates for common use cases. VPN07's default Clash subscription includes these rules pre-configured, but you can also customize them to fit your needs.
Template 1: China Access (Most Popular)
For users accessing both Chinese and foreign services
# Key rules for China users
- DOMAIN-SUFFIX,google.com,Proxy
- DOMAIN-SUFFIX,youtube.com,Proxy
- DOMAIN-SUFFIX,twitter.com,Proxy
- DOMAIN-SUFFIX,facebook.com,Proxy
- DOMAIN-SUFFIX,instagram.com,Proxy
- DOMAIN-SUFFIX,openai.com,Proxy
- DOMAIN-SUFFIX,claude.ai,Proxy
- GEOIP,CN,DIRECT
- MATCH,Proxy
Template 2: Streaming Optimization
Routes streaming to geo-appropriate servers
# Streaming services with region-specific routing
- DOMAIN-SUFFIX,netflix.com,US-Node
- DOMAIN-SUFFIX,nflximg.net,US-Node
- DOMAIN-SUFFIX,disneyplus.com,US-Node
- DOMAIN-SUFFIX,hbomax.com,US-Node
- DOMAIN-SUFFIX,hulu.com,US-Node
- DOMAIN-SUFFIX,primevideo.com,US-Node
- DOMAIN-SUFFIX,bbc.co.uk,UK-Node
- GEOIP,CN,DIRECT
- MATCH,Auto-Select
Template 3: Developer / AI Tools
Routes AI services and dev tools through proxy
# AI & Developer tools
- DOMAIN-SUFFIX,openai.com,US-Node
- DOMAIN-SUFFIX,anthropic.com,US-Node
- DOMAIN-SUFFIX,claude.ai,US-Node
- DOMAIN-SUFFIX,github.com,Auto-Select
- DOMAIN-SUFFIX,github.io,Auto-Select
- DOMAIN-SUFFIX,npmjs.com,Auto-Select
- DOMAIN-SUFFIX,pypi.org,Auto-Select
- DOMAIN-SUFFIX,huggingface.co,Auto-Select
- GEOIP,CN,DIRECT
- MATCH,Auto-Select
Using Community Rule Sets (RULE-SET)
Writing individual domain rules for every service is time-consuming. The better approach is to use community-maintained rule sets: large, regularly updated collections of domain rules that you reference with a single line. In Clash Meta, this is done with the rule-providers section.
# Using rule-providers for community rule sets (Clash Meta)
rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400
  proxy:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
    path: ./ruleset/proxy.yaml
    interval: 86400
  direct:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
    path: ./ruleset/direct.yaml
    interval: 86400
rules:
  - RULE-SET,reject,REJECT
  - RULE-SET,proxy,Auto-Select
  - RULE-SET,direct,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,Auto-Select
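A remote provider decides what a line such as RULE-SET,direct,DIRECT matches, and that can change at every refresh interval, so it is worth checking a downloaded list against the hostnames you care about. The Python below is an added example, not code from this guide or from the rule-set projects: it matches hostnames against a domain-behavior payload using Clash's "+.", "." and "*." wildcard forms and lists what a refreshed file newly captures. The payloads, watch list and function names are constructed assumptions.

```python
# Constructed payloads in the domain-behavior format; not real list contents.
OLD = "payload:\n  - '+.google.com'\n  - 'api.example.net'\n"
NEW = OLD + "  - '.cdn.example.org'\n  - '*.bank.example'\n"

def parse_payload(text):
    """Return the entries of a 'payload:' list with quotes stripped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("- "):
            out.append(line[2:].strip().strip("'\""))
    return out

def entry_matches(entry, host):
    """'+.' = apex and all subdomains, '.' = subdomains only,
    '*.' = exactly one extra label, anything else = exact match."""
    if entry.startswith("+."):
        return host == entry[2:] or host.endswith(entry[1:])
    if entry.startswith("*."):
        suffix = entry[1:]                      # e.g. ".bank.example"
        label = host[:-len(suffix)]
        return host.endswith(suffix) and label != "" and "." not in label
    if entry.startswith("."):
        return host.endswith(entry)
    return host == entry

def captured(payload_text, hosts):
    """Map each watched host to the first entry that matches it, or None."""
    entries = parse_payload(payload_text)
    return {h: next((e for e in entries if entry_matches(e, h)), None)
            for h in hosts}

def newly_captured(old_text, new_text, hosts):
    """Hosts the refreshed list matches but the cached copy did not."""
    old, new = captured(old_text, hosts), captured(new_text, hosts)
    return sorted(h for h in hosts if new[h] and not old[h])
```

Comparing the cached file under ./ruleset/ with a fresh download this way shows which watched hosts would change route before the new list is used.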
Loyalsoldier Rule Sets
The most popular community rule set for China users. Maintained by the community, updated daily. Covers 2000+ domains across proxy/direct/reject categories.
github.com/Loyalsoldier/clash-rules
SKK.moe Rule Sets
Highly granular rule sets organized by service category. Excellent for users who want to route different streaming services to different regions.
ruleset.skk.moe
VPN07's Clash subscription includes pre-configured rule-providers with auto-update intervals. This means your rule sets stay current without any manual maintenance, an important advantage when service domains change or new services emerge.
Proxy Groups: Organizing Your Nodes
Rules determine whether traffic gets proxied. Proxy groups determine which proxy handles the traffic. VPN07's Clash config includes several proxy group types that work seamlessly with the rule sets above:
Auto Best (url-test)
Automatically selects the lowest-latency node from all your VPN07 servers. Tests every 5 minutes. This is the default for most rules.
Region Groups (select)
Manually selectable node groups by region: US, UK, Japan, Singapore, etc. Use these in streaming rules where content licensing requires a specific country.
Failover (fallback)
Tries nodes in order, switching to the next when the current one fails. Guarantees high availability: if a node goes down, connections instantly reroute with zero interruption.
Load Balance (load-balance)
Distributes connections across multiple nodes. Excellent for high-throughput scenarios like large file downloads or multiple simultaneous streams. VPN07's 1000Mbps nodes enable true multi-stream load balancing.
DNS Configuration: The Hidden Performance Factor
DNS is often overlooked but critically important for Clash performance. Wrong DNS configuration leads to DNS leaks, slow lookups, or connections going to the wrong server. Clash Meta offers three DNS modes:
fake-ip (Recommended)
Returns fake IP addresses immediately, allowing TCP connection to start before DNS completes. Eliminates DNS lookup latency, so connections feel near-instant.
Best performance, used by VPN07 default config
redir-host
Resolves the real IP before connecting. More compatible with some applications that check IP validity, but adds latency for each new connection.
Use when fake-ip causes app compatibility issues
normal
Standard DNS resolution. Clash uses your system DNS or configured nameservers without special proxy handling.
Legacy mode, not recommended for most setups
Prevent DNS Leaks
To prevent your ISP from seeing which domains you're visiting, configure encrypted DNS in Clash:
dns:
  enable: true
  enhanced-mode: fake-ip
  nameserver:
    - "https://1.1.1.1/dns-query" # Cloudflare DoH
    - "https://8.8.8.8/dns-query" # Google DoH
  fallback:
    - "https://1.0.0.1/dns-query"
  fallback-filter:
    geoip: true
    geoip-code: CN
Advanced Rule Techniques & Tips
REJECT Rules: Block Ads and Tracking
Clash can block ad networks and trackers at the proxy level, which is faster than browser extensions because the block happens at the network layer before any data is downloaded. Add REJECT rules before your proxy rules to block known ad domains. VPN07's config includes a curated REJECT rule set that blocks major ad networks while leaving all other traffic unaffected.
- RULE-SET,ad-domains,REJECT # Block ad networks
- DOMAIN-SUFFIX,doubleclick.net,REJECT
- DOMAIN-SUFFIX,googleadservices.com,REJECT
PROCESS-NAME Rules (Clash Meta Only)
Clash Meta supports routing traffic by application process name, a powerful feature unavailable in other Clash versions. Send only specific apps through the VPN while others go direct. Particularly useful for work setups where you want to route your browser through VPN but keep local development servers going direct.
# Route Chrome through proxy, others direct
- PROCESS-NAME,chrome,Auto-Select
- PROCESS-NAME,firefox,Auto-Select
- PROCESS-NAME,Code,DIRECT # VS Code direct
AND / OR / NOT Logic Rules
Clash Meta supports compound rules using AND, OR, and NOT operators, enabling complex routing logic like "route traffic that matches domain X AND is destined for port 443." This advanced feature is ideal for enterprise setups that need fine-grained control. Most home users won't need this, but it's available when required.
# Example: Match HTTPS traffic to specific domain
- AND,((DOMAIN-SUFFIX,example.com),(DST-PORT,443)),Proxy
Rule Configuration Best Practices Summary
1. Always place private IP ranges (127.0.0.0/8, 192.168.0.0/16) as DIRECT at the top
2. Put REJECT rules before PROXY rules to block ads before proxying anything
3. Use RULE-SET for large domain collections instead of individual DOMAIN rules
4. Place GEOIP rules near the bottom, just before the final MATCH rule
5. Always end with MATCH; never leave traffic unrouted
6. Use fake-ip DNS mode for lowest connection latency
7. Set rule-providers to auto-update every 86400 seconds (24 hours)
VPN07: Pre-Configured Rules, Zero Setup
Optimized rule sets included with every VPN07 Clash subscription
VPN07's Clash subscription comes with pre-built rule templates, proxy groups with auto-select, and regularly updated rule-providers. You get all the power of custom Clash rules without writing a single line of YAML. 70+ countries, 1000Mbps bandwidth, 10 years stable operation.