Shadowrocket Rules & Smart Routing: Complete Traffic Split Guide 2026
Why Rules Matter: Shadowrocket's Rule-Based mode is what separates it from a simple VPN. By intelligently routing traffic, you can simultaneously browse Chinese social media at full local speed while accessing Google, YouTube, and foreign banking services through a secure proxy, all without switching apps or modes.
Understanding Shadowrocket's Routing Architecture
When Shadowrocket receives a network request, it evaluates it against a list of rules in order. The first matching rule determines the action. There are three possible actions:
PROXY
Traffic goes through your VPN07 server. Use for blocked or foreign sites.
DIRECT
Traffic goes directly. Use for local sites, banking, streaming services that geo-block VPNs.
REJECT
Traffic is blocked entirely. Use for ads, trackers, and malicious domains.
Rules are evaluated top to bottom. If a request doesn't match any rule, the Final Rule (at the bottom of your list) determines the default action, typically PROXY for maximum access or DIRECT for maximum speed.
Rule Types: A Complete Reference
DOMAIN: Matches an exact domain name. Does not match subdomains.
DOMAIN,google.com,PROXY
# Matches only google.com (not maps.google.com)
DOMAIN-SUFFIX: Matches the domain and all its subdomains. Most commonly used rule type.
DOMAIN-SUFFIX,google.com,PROXY
# Matches: google.com, maps.google.com, mail.google.com
DOMAIN-SUFFIX,baidu.com,DIRECT
# Matches: baidu.com, www.baidu.com, m.baidu.com
DOMAIN-KEYWORD: Matches if the keyword appears anywhere in the domain name. Useful for CDNs and ad networks.
DOMAIN-KEYWORD,youtube,PROXY
# Matches: youtube.com, youtu.be, youtube-nocookie.com
DOMAIN-KEYWORD,ads,REJECT
# Blocks: ads.example.com, adsystem.com
GEOIP: Routes traffic based on the destination server's country. Uses a built-in IP geolocation database. Essential for smart routing.
GEOIP,CN,DIRECT
# All traffic to Chinese IPs goes direct (faster)
GEOIP,US,PROXY
# All US IPs go through proxy (for Netflix US)
IP-CIDR: Routes a specific IP address range (in CIDR notation). Use for local network bypassing and specific server IPs.
IP-CIDR,192.168.0.0/16,DIRECT
# Local network always goes direct
IP-CIDR,10.0.0.0/8,DIRECT
# Corporate intranet direct access
FINAL: The catch-all rule at the bottom of your list. Applied when no other rule matches.
FINAL,PROXY
# Default: proxy all unmatched traffic (maximum access)
FINAL,DIRECT
# Default: direct all unmatched traffic (maximum speed)
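The first-match evaluation and the matching semantics of each rule type, as a small model you can run against a rule list before loading it on a device. This is an added example, not Shadowrocket's own code; the sample rules and hostnames are constructed, and GEOIP is deliberately not modelled because it needs a geolocation database.

```python
import ipaddress

# Constructed sample rules in the page's TYPE,VALUE,ACTION format.
SAMPLE_RULES = """
DOMAIN-KEYWORD,ads,REJECT
DOMAIN,google.com,PROXY
DOMAIN-SUFFIX,baidu.com,DIRECT
IP-CIDR,192.168.0.0/16,DIRECT
FINAL,PROXY
"""

def parse_rules(text):
    """Return (type, value, action) tuples; '#' comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "FINAL":
            rules.append(("FINAL", "", parts[1]))
        else:
            rules.append((parts[0], parts[1], parts[2]))
    return rules

def matches(rtype, value, host):
    """Matching semantics as the rule reference above describes them."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if rtype == "FINAL":
        return True
    if rtype == "IP-CIDR":
        return ip is not None and ip in ipaddress.ip_network(value, strict=False)
    if ip is not None:
        return False  # domain rules never match a bare IP literal
    host = host.lower().rstrip(".")
    if rtype == "DOMAIN":
        return host == value
    if rtype == "DOMAIN-SUFFIX":
        return host == value or host.endswith("." + value)
    if rtype == "DOMAIN-KEYWORD":
        return value in host
    return False  # GEOIP and unknown types: not modelled here

def route(rules, host):
    """First matching rule wins; returns (action, rule that fired)."""
    for rtype, value, action in rules:
        if matches(rtype, value, host):
            return action, f"{rtype},{value}".rstrip(",")
    return None, None
```

Running `route(parse_rules(SAMPLE_RULES), "downloads.baidu.com")` returns REJECT: the short keyword `ads` also occurs inside `downloads` and `uploads`, and because that rule sits first, the DIRECT rule for baidu.com below it never gets a chance.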
Ready-to-Use Rule Configurations
Configuration 1: China User Optimal (Most Popular)
Routes Chinese domestic traffic directly (faster) and foreign/blocked traffic through VPN07 proxy. Ideal for users in mainland China.
# VPN07 Optimized Rules for China Users - Copy into Shadowrocket
# === Block Ads ===
DOMAIN-KEYWORD,doubleclick,REJECT
DOMAIN-KEYWORD,adservice,REJECT
DOMAIN-SUFFIX,googlesyndication.com,REJECT
# === Local Network (Always Direct) ===
IP-CIDR,192.168.0.0/16,DIRECT
IP-CIDR,10.0.0.0/8,DIRECT
IP-CIDR,172.16.0.0/12,DIRECT
IP-CIDR,127.0.0.0/8,DIRECT
# === Must Proxy (Blocked Services) ===
DOMAIN-SUFFIX,google.com,PROXY
DOMAIN-SUFFIX,youtube.com,PROXY
DOMAIN-SUFFIX,twitter.com,PROXY
DOMAIN-SUFFIX,instagram.com,PROXY
DOMAIN-SUFFIX,facebook.com,PROXY
DOMAIN-SUFFIX,openai.com,PROXY
DOMAIN-SUFFIX,anthropic.com,PROXY
DOMAIN-SUFFIX,netflix.com,PROXY
# === Chinese Domestic (Always Direct) ===
GEOIP,CN,DIRECT
# === Default: Proxy Everything Else ===
FINAL,PROXY
Configuration 2: Traveler Abroad (Accessing Home Content)
For users traveling outside China who want to access Chinese streaming, banking, and apps while keeping foreign services direct.
# For travelers who need access to Chinese content from abroad
# Local network always direct
IP-CIDR,192.168.0.0/16,DIRECT
IP-CIDR,10.0.0.0/8,DIRECT
# Chinese services PROXY through China node
DOMAIN-SUFFIX,bilibili.com,PROXY
DOMAIN-SUFFIX,iqiyi.com,PROXY
DOMAIN-SUFFIX,youku.com,PROXY
DOMAIN-SUFFIX,weibo.com,PROXY
DOMAIN-SUFFIX,alipay.com,PROXY
GEOIP,CN,PROXY
# Everything else direct (fast local internet)
FINAL,DIRECT
Configuration 3: Privacy Mode (Maximum Protection)
Routes everything through the proxy except local network, while aggressively blocking ads and trackers.
# Privacy-first configuration
# Block known trackers and ad networks
DOMAIN-KEYWORD,tracker,REJECT
DOMAIN-KEYWORD,telemetry,REJECT
DOMAIN-KEYWORD,analytics,REJECT
DOMAIN-SUFFIX,doubleclick.net,REJECT
DOMAIN-SUFFIX,facebook-analytics.com,REJECT
# Local network bypass
IP-CIDR,192.168.0.0/16,DIRECT
IP-CIDR,10.0.0.0/8,DIRECT
# Everything else through VPN07
FINAL,PROXY
Importing Rule Sets from External URLs
Instead of writing rules manually, Shadowrocket can import pre-built rule lists from URL sources. These community-maintained lists are regularly updated and cover thousands of domains.
Advertising Block Lists
Community-built lists of thousands of ad networks and tracking domains. Set action to REJECT to block all matched traffic.
Format: Settings → Rules → Remote Rule Sets → Add URL
GFW Domain Lists
Auto-maintained lists of domains blocked in China. Updated daily. Import as PROXY rules to ensure newly blocked services are automatically routed correctly.
Popular: gfwlist, loyalsoldier/clash-rules
Rule Priority Warning
When using external rule sets, your manual rules above the imported set take priority. This means you can always override an imported rule by adding a more specific manual rule above it. For example, if an imported ad-block list blocks a domain you need, just add DOMAIN-SUFFIX,needed-domain.com,DIRECT above the imported set.
How to Add and Edit Rules in Shadowrocket
Access the Rules Screen
Open Shadowrocket → Tap the bottom menu → Select "Config" (the gear/configuration icon) → Tap "Rules" in the configuration editor.
Add a New Rule
Tap the + button → Select rule type from the dropdown → Enter the match value (domain, keyword, or IP) → Select the action (PROXY, DIRECT, or REJECT) → Save.
Reorder Rules
Long-press a rule and drag it to a new position. More specific rules should always come before broader ones. The FINAL rule must always be last.
Import a Config File
Create a .conf file with your rules in the format shown above → Copy the URL or file → In Shadowrocket, tap Config (bottom) → Import from URL → Paste URL → Install.
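Because the first match wins, an exception placed below a broader rule silently never fires, which is how a banking or login domain meant to go DIRECT ends up proxied or blocked. The check below finds such shadowed rules in a .conf rule list before you import it. It is an added example, not part of Shadowrocket; the sample rules are constructed, and GEOIP shadowing is not modelled.

```python
import ipaddress

# Constructed sample: broad rules placed above the exceptions meant to override them.
SAMPLE = """\
DOMAIN-KEYWORD,google,PROXY
DOMAIN-SUFFIX,pay.google.com,DIRECT
DOMAIN-SUFFIX,example.com,REJECT
DOMAIN,login.example.com,DIRECT
IP-CIDR,10.0.0.0/8,PROXY
IP-CIDR,10.1.0.0/16,DIRECT
DOMAIN-SUFFIX,baidu.com,DIRECT
FINAL,PROXY
DOMAIN-SUFFIX,late.example.org,REJECT
"""

def covers(earlier, later):
    """True if every request matching `later` would already match `earlier`."""
    (et, ev), (lt, lv) = earlier[:2], later[:2]
    if et == "FINAL":
        return True  # nothing placed after FINAL is ever reached
    if et == "IP-CIDR" and lt == "IP-CIDR":
        a, b = (ipaddress.ip_network(v, strict=False) for v in (ev, lv))
        return a.version == b.version and b.subnet_of(a)
    if lt not in ("DOMAIN", "DOMAIN-SUFFIX"):
        return False  # conservative: only exact/suffix rules are checked
    if et == "DOMAIN-SUFFIX":
        return lv == ev or lv.endswith("." + ev)
    if et == "DOMAIN-KEYWORD":
        return ev in lv
    if et == "DOMAIN":
        return lt == "DOMAIN" and lv == ev
    return False

def find_shadowed(text):
    """Return (rule position, rule, shadowing rule) for rules that can never fire."""
    rules = [tuple(p.strip() for p in l.split(","))
             for l in text.splitlines() if l.strip()]
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((i + 1, ",".join(later), ",".join(earlier)))
                break
    return findings
```

On the sample, rules 2, 4, 6 and 9 are reported; a finding where the two rules carry different actions is the one to fix by moving the specific rule up.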
Performance Impact of Rules
Rules are evaluated for every network request. The more rules you have, the more CPU and battery Shadowrocket uses. Here's how to optimize:
| Rule Count | Eval Time per Request | Battery Impact | Recommendation |
|---|---|---|---|
| < 50 rules | < 0.1ms | Negligible | Ideal for most users |
| 50–500 rules | 0.1–1ms | Minimal | Acceptable with external lists |
| 500–5000 rules | 1–5ms | Moderate | Use GEOIP instead where possible |
| > 5000 rules | > 5ms | Noticeable | Prune redundant rules |
Pro Tip: Use GEOIP Before Long Domain Lists
Instead of adding hundreds of Chinese domain rules, a single GEOIP,CN,DIRECT rule handles all Chinese IP addresses. Place GEOIP rules after your specific domain exceptions (Google, YouTube, etc.) but before the FINAL rule. This reduces rule count dramatically while maintaining accurate routing.
Shadowrocket Script Feature: JavaScript-Powered Routing
For power users, Shadowrocket supports JavaScript scripts that can dynamically modify requests, inject headers, and implement logic that static rules can't handle. This is an advanced feature used by developers and privacy-conscious users.
Example: Dynamic Protocol Selection Script
// Auto-select fastest protocol based on time of day
const hour = new Date().getHours();
if (hour >= 18 && hour <= 23) {
  // Peak hours: use Trojan (more stealth, handles congestion)
  $done({ policy: 'Trojan-Node' });
} else {
  // Off-peak: use VLESS Reality (maximum speed)
  $done({ policy: 'VLESS-Node' });
}
Scripts run in Shadowrocket's JavaScript engine (Safari/JavaScriptCore). Access via Settings → Scripts → Add Script.
What Scripts Can Do
- Modify request headers before sending
- Rewrite response content
- Dynamic node selection based on conditions
- Block specific content types (e.g., video autoplay)
- Custom logging and monitoring
Script Security Warning
- Only install scripts from trusted sources
- Scripts have access to request data (URLs, headers)
- Malicious scripts can intercept sensitive info
- Review script code before installation
- Disable scripts when not needed
Per-App Proxy Rules in Shadowrocket
One of Shadowrocket's most useful features is per-app proxy control. Instead of routing all traffic through rules, you can specify exactly which apps use the proxy and which ones bypass it entirely.
Setting Up Per-App Proxy
1. Go to Settings (gear icon) in Shadowrocket
2. Tap "Per-App Proxy" (or "Managed Apps")
3. Browse your installed apps list
4. Toggle each app to PROXY or DIRECT
5. Apps set to DIRECT bypass the proxy entirely
Recommended per-app settings:
Set to PROXY (needs VPN07)
- Safari / Chrome (for blocked sites)
- YouTube (if blocked)
- Twitter / Instagram / Facebook
- ChatGPT / Claude apps
- Google Maps / Drive
Set to DIRECT (bypass proxy)
- WeChat / WhatsApp (to avoid detection)
- Banking apps (geo-verification)
- App Store updates
- Local food delivery apps
- Apple Maps / Apple Music
Frequently Asked Questions
What's the difference between Rule mode and Global mode in Shadowrocket?
In Rule mode, Shadowrocket evaluates each request against your rule list. Matched requests are routed accordingly (proxy, direct, or reject). In Global mode, ALL traffic goes through the proxy regardless of rules. Rule mode is faster for most use cases because local traffic bypasses the proxy entirely.
My banking app doesn't work when Shadowrocket is on. How do I fix this?
Add a DIRECT rule for your bank's domain: DOMAIN-SUFFIX,yourbank.com,DIRECT. Many banking apps also check the IP address, so you may need to add GEOIP,CN,DIRECT (or the country your bank is in) to ensure the IP-based check also passes.
How do I test if a rule is working?
In Shadowrocket, go to the "Activity" tab (bottom navigation). This shows real-time traffic and which rule matched each request. You can see exactly which rule sent traffic to PROXY, DIRECT, or REJECT. This is the fastest way to debug routing issues.
Can VPN07's subscription automatically provide optimized rules?
Yes! When you import a VPN07 subscription URL into Shadowrocket, it includes a base configuration with commonly needed rules pre-configured. You can then customize from that starting point. VPN07's nodes also support all major protocols including VLESS with Reality transport for maximum performance.
Group Policy: Routing Multiple Nodes as One
Instead of specifying a single node in your rules, Shadowrocket lets you create Policy Groups that automatically select the best node from a set. This is essential for resilient setups with VPN07's 70+ node network.
# Policy Group Configuration (add to Config → Policy Groups)
[Policy]
static=PROXY-AUTO, select, Japan-Node-1, Japan-Node-2, HK-Node-1, SG-Node-1
url-test=PROXY-FAST, url-test, Japan-Node-1, Japan-Node-2, HK-Node-1, url=http://www.gstatic.com/generate_204, interval=600
fallback=PROXY-FALLBACK, fallback, Japan-Node-1, HK-Node-1, SG-Node-1, url=http://www.gstatic.com/generate_204, interval=60
# Use the group in your rules
[Rule]
DOMAIN-SUFFIX,google.com,PROXY-FAST # Auto-select fastest node
GEOIP,CN,DIRECT
FINAL,PROXY-FALLBACK # Auto-failover if primary fails
select
Manual choice from list. You tap to switch. Good for specific streaming services that need a fixed country.
url-test
Auto-selects fastest node by periodically testing latency to a URL. Updates every N seconds. Best for dynamic optimization.
fallback
Uses first available node. Automatically switches if the primary node fails health check. Best for reliability.
VPN07: The Perfect Shadowrocket Backend
70+ Countries · 1000Mbps · Optimized Subscription Config
VPN07's subscription URL works seamlessly with Shadowrocket's rule system. Import one URL and get all 70+ nodes plus a pre-configured rule set that you can customize. With 1000Mbps bandwidth across Japan, Hong Kong, Singapore, US and more, Shadowrocket's smart routing with VPN07 delivers the fastest possible speeds for each type of traffic.