VPN07

Surge iOS & Mac Complete Guide 2026: Protocols, Rules & FAQ

March 3, 2026 · 20 min read · Surge iOS & Mac Professional Guide

About This Guide: Surge is the gold standard for professional-grade proxy clients on iOS and macOS. Developed by Yachen Liu, it is the most technically advanced proxy app available, offering enterprise-level features including full protocol support, a powerful rule engine, MITM traffic inspection, and a comprehensive scripting system. This guide covers everything from initial setup to advanced configuration with VPN07.

What Is Surge? The Developer's Choice for iOS & Mac

Surge is widely regarded as the most powerful proxy application in the Apple ecosystem. Unlike consumer-focused apps that prioritize simplicity, Surge is designed for developers, network engineers, and power users who demand complete visibility and control over their network traffic. The app originated as a macOS tool in 2015 and later expanded to iOS, quickly becoming the definitive solution for anyone who takes network routing seriously.

What distinguishes Surge from every other iOS proxy app is its architecture. While apps like Shadowrocket and even Quantumult X operate at the application proxy layer, Surge on iOS is built on Apple's Network Extension framework, so it can intercept and process all network traffic at the system level, including traffic from apps that do not respect proxy settings. On macOS, Surge goes even further by offering a true TUN interface and system-wide traffic capture.

Surge Core Strengths

  • True system-level traffic capture (Enhanced Mode)
  • Full MITM with certificate — inspect HTTPS traffic
  • JavaScript scripting engine (cron, triggered, HTTP)
  • Advanced rule engine: 20+ rule types
  • External proxy protocol (Shadowsocks, Snell, HTTP)
  • Real-time network traffic dashboard

Protocols Supported in Surge 5

  • VMess — WebSocket, gRPC, HTTP/2
  • VLESS — TCP, WebSocket, gRPC, Reality
  • Trojan — TLS, WebSocket
  • Shadowsocks — AEAD ciphers
  • Snell — Surge's own high-performance protocol
  • TUIC / Hysteria2 — UDP-based, low latency
  • SSH — Secure shell tunneling

Pricing & Availability

Surge 5 for iOS is available on the App Store (non-China region required) as a one-time purchase with optional premium features. Surge for Mac is subscription-based ($49.99/year or $9.99/month) and is considered the definitive macOS network tool. Both versions are sold separately. The combination represents a premium investment for serious users.

Installing Surge and Initial Configuration

Getting Surge up and running requires a few initial steps. The setup process is more involved than simpler apps, but the extra time investment pays off with capabilities that no other iOS or macOS proxy app can match.

1. Download from the App Store (Non-China Apple ID)

Surge is not available in the China mainland App Store. Use a US, Hong Kong, Japan, or Taiwan Apple ID. On iOS, purchase Surge 5 from the App Store. On Mac, download from nssurge.com or the Mac App Store.

2. Grant VPN Configuration Permission

On first launch, iOS will ask to add a VPN configuration. Tap "Allow" and authenticate with your passcode or Face ID. Surge uses the Network Extension framework which requires this permission to intercept traffic at the system level.

3. Understand the Configuration File Structure

Surge is entirely config-file driven. The .conf file has distinct sections: [General], [Proxy], [Proxy Group], [Rule], [Script], [MITM]. You can edit this file via the Surge UI or any text editor synced through iCloud. Understanding this structure is key to mastering Surge.

4. Enable Enhanced Mode on Mac (Recommended)

On macOS, go to Surge → Dashboard → Enhanced Mode and toggle it on. This installs a virtual network interface that routes ALL traffic through Surge — including traffic from apps that bypass system proxy settings. This is essential for comprehensive coverage.

Importing VPN07 Subscription into Surge

Surge supports managed configuration — a URL-based subscription system where your provider hosts a .conf file that Surge downloads and applies automatically. VPN07 provides Surge-compatible managed configurations that include pre-configured proxy servers, policy groups, and rules.

Import VPN07 into Surge — Step by Step

  1. Log in to your VPN07 account at vpn07.com → navigate to "My Subscription"
  2. Copy the Surge Managed Config URL (distinct from Clash/Quantumult URLs)
  3. Open Surge → tap the profile area (top of screen) → tap the + button
  4. Select "Download from URL" and paste your VPN07 subscription link
  5. Surge will download and validate the config — all VPN07 servers will appear organized by region
  6. Enable auto-update (recommended: every 6 hours) so your node list stays fresh
  7. In Policy Group, select "Auto" to let Surge pick the fastest available VPN07 node

VPN07: 70+ countries · 1000Mbps max bandwidth · $1.5 per month · 10 years proven stable

# Surge Managed Config format (VPN07 provides this automatically)

[General]
loglevel = notify
dns-server = 8.8.8.8, 1.1.1.1
skip-proxy = 192.168.0.0/24, 127.0.0.1
ipv6 = false
enhanced-mode-by-rule = true

[Proxy]
VPN07-US = vmess, us-relay.vpn07.com, 443, username=xxx, ...
VPN07-JP = vless, jp-relay.vpn07.com, 443, ...
VPN07-SG = trojan, sg-relay.vpn07.com, 443, ...

[Proxy Group]
Auto = url-test, VPN07-US, VPN07-JP, VPN07-SG, url=http://www.gstatic.com/generate_204

[Rule]
RULE-SET,https://ruleset.vpn07.com/surge/cn.list,DIRECT
FINAL,Auto

Understanding Surge's Rule System

The [Rule] section is where Surge's power becomes most apparent. Rules are processed top-to-bottom; the first matching rule determines the action for each connection. A well-designed rule set ensures domestic traffic goes direct while blocked services automatically use VPN07 — maximizing both speed and access.

| Rule Type | Example | Use Case |
|---|---|---|
| DOMAIN-SUFFIX | google.com, PROXY | Route all Google domains via proxy |
| DOMAIN-KEYWORD | youtube, PROXY | Catch domains containing keyword |
| IP-CIDR | 10.0.0.0/8, DIRECT | Local network always direct |
| GEOIP | CN, DIRECT | China IPs go direct |
| RULE-SET | url, PROXY | Remote rule list (auto-updates) |
| PROCESS-NAME | Xcode, DIRECT | Per-app routing (macOS only) |
| FINAL | FINAL, PROXY | Catch-all fallback rule |
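
An added example (not from the original guide or from Surge itself): a small Python model of first-match evaluation that also reports rules which never take effect because an earlier rule with a different policy already matches. The rule list is constructed, and only DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD, IP-CIDR and FINAL are modelled; Surge's DNS resolution of hostnames for IP rules is left out.

```python
import ipaddress

# Constructed [Rule] lines in Surge syntax (TYPE,VALUE,POLICY); not from the page.
RULES = """\
DOMAIN-KEYWORD,google,PROXY
DOMAIN-SUFFIX,corp.example,DIRECT
DOMAIN,accounts.google.com,DIRECT
IP-CIDR,10.0.0.0/8,DIRECT
FINAL,PROXY
"""

def parse_rules(text):
    """Return [(line_no, type, value, policy)], skipping blanks and comments."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = [p.strip() for p in line.split(",")]
        if parts[0].upper() == "FINAL":
            parts.insert(1, "")  # FINAL has no value field
        if len(parts) >= 3 and not parts[0].startswith(("#", ";", "//")):
            rules.append((n, parts[0].upper(), parts[1], parts[2]))
    return rules

def matches(rtype, value, host=None, ip=None):
    """Five rule types only; this is a simplified model, not Surge's engine."""
    h, v = (host or "").lower().rstrip("."), value.lower()
    if rtype == "IP-CIDR":
        return bool(ip) and ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
    return (rtype == "FINAL"
            or (rtype == "DOMAIN" and h == v)
            or (rtype == "DOMAIN-SUFFIX" and (h == v or h.endswith("." + v)))
            or (rtype == "DOMAIN-KEYWORD" and bool(h) and v in h))

def decide(rules, host=None, ip=None):
    """First matching rule wins; returns (line_no, policy) or (None, None)."""
    for n, rtype, value, policy in rules:
        if matches(rtype, value, host, ip):
            return n, policy
    return None, None

def shadowed(rules):
    """(rule line, earlier line) pairs where an earlier rule with another policy matches first."""
    out = []
    for i, (n, rtype, value, policy) in enumerate(rules):
        if rtype in ("DOMAIN", "DOMAIN-SUFFIX"):
            hit, hit_policy = decide(rules[:i], host=value)
            if hit and hit_policy != policy:
                out.append((n, hit))
    return out
```

A shadowed DIRECT rule means traffic you expected to stay local is leaving through the proxy; the reverse ordering sends traffic out unproxied.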

Recommended Rule Sets for Surge

Rather than building rules from scratch, use community-maintained remote rule sets that auto-update. Add these URLs to your [Rule] section as RULE-SET entries:

  • Loyalsoldier/surge-rules: The most comprehensive CN/proxy domain lists for Surge
  • blackmatrix7/ios_rule_script/Surge: 500+ app-specific rules optimized for Surge syntax
  • ConnersHua/Profiles: Battle-tested Surge profiles with smart routing logic
  • ACL4SSR: Anti-censorship rule set widely used in China proxy communities

Policy Groups: Smart Node Selection

Surge's [Proxy Group] section enables intelligent server selection beyond simply picking one node manually. Policy groups let you create logical groupings with automatic selection logic — essential for getting the best performance from VPN07's 70+ country node pool.

url-test

Automatic Speed Test (Recommended)

Surge periodically tests all nodes in the group by sending a request to a test URL (e.g., http://www.gstatic.com/generate_204) and selects the node with the lowest latency.

Auto = url-test, VPN07-US, VPN07-JP, VPN07-SG, url=http://www.gstatic.com/generate_204, interval=300

fallback

Fallback Group (High Availability)

Uses the first working node in the list. When the primary node fails the health check, Surge automatically switches to the backup. Ideal for critical traffic that needs uninterrupted connection.

Failover = fallback, VPN07-HK, VPN07-JP, VPN07-SG, url=http://www.gstatic.com/generate_204

select

Manual Select Group

A simple menu group where you manually choose the active proxy. Useful for region-locked content where you want to control exactly which country's server to use (e.g., US for Netflix US, JP for Japanese content).

load-balance

Load Balancing Group

Distributes connections across multiple nodes using round-robin or consistent hashing. Best for high-throughput scenarios where a single node might become a bottleneck — great when using VPN07's 1000Mbps nodes for bulk file transfers.

MITM & Scripting: Surge's Advanced Features

MITM (Man-in-the-Middle) is Surge's capability to intercept and inspect HTTPS traffic by installing a custom root certificate. Combined with JavaScript scripting, this enables powerful automation that goes far beyond simple proxy routing — you can modify API responses, automatically retrieve authentication tokens, remove advertisements from app traffic, and more.

Setting Up MITM

  1. Go to Surge → More (⚙) → MITM
  2. Tap "Generate CA Certificate"
  3. Install the certificate in iOS Settings → General → VPN & Device Management
  4. Trust it in Settings → General → About → Certificate Trust
  5. Add hostnames to the MITM hostname list

Script Types in Surge

  • http-request: Modify outgoing HTTP requests before they're sent
  • http-response: Modify server responses before reaching the app
  • cron: Run scripts on a schedule (e.g., auto-refresh tokens)
  • event: Trigger on network changes or app events
  • dns: Custom DNS resolution logic

MITM Security Warning

Only install the MITM certificate from Surge's own certificate generator. Never install a certificate from an unknown source. The MITM certificate allows decryption of your HTTPS traffic — only use this feature if you understand the security implications.
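
Because a managed configuration is a full profile hosted by someone else, it can carry [Script] and [MITM] sections as well as servers and rules. The following added example (not part of the original guide or of Surge) lists the settings worth reading before importing one; the profile is constructed with placeholder hosts, and the checks assume the skip-cert-verify, script-path, hostname and ca-p12 keys of Surge's profile format.

```python
import re

# Constructed profile for illustration; names, hosts and values are placeholders.
PROFILE = """\
[Proxy]
NodeA = trojan, a.example.net, 443, password=placeholder, skip-cert-verify=true
[Rule]
RULE-SET,http://rules.example.net/cn.list,DIRECT
FINAL,NodeA
[Script]
tweak = type=http-response, pattern=^https://api.example.org/, script-path=https://scripts.example.net/t.js
[MITM]
hostname = api.example.org, *.example.com
ca-p12 = PLACEHOLDER
"""

def sections(text):
    """Split a Surge profile into {section name: [non-comment lines]}."""
    out, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(("#", ";", "//")):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = out.setdefault(m.group(1), [])
        elif cur is not None:
            cur.append(line)
    return out

def audit(text):
    """Return (section, finding) pairs to review before importing a profile."""
    s, found = sections(text), []
    for line in s.get("Proxy", []):
        if re.search(r"skip-cert-verify\s*=\s*true", line, re.I):
            found.append(("Proxy", "certificate check disabled: " + line.split("=")[0].strip()))
    for sec in ("Rule", "Script"):  # remote lists and scripts fetched without TLS
        for line in s.get(sec, []):
            found += [(sec, "plain-HTTP resource: " + u) for u in re.findall(r"http://[^\s,]+", line)]
    for line in s.get("Script", []):
        m = re.search(r"script-path\s*=\s*(https?://[^\s,]+)", line)
        if m:
            found.append(("Script", "remote script: " + m.group(1)))
    for line in s.get("MITM", []):
        key, _, val = (p.strip() for p in line.partition("="))
        if key == "hostname":
            found += [("MITM", "wildcard decryption scope: " + h.strip()) for h in val.split(",") if "*" in h]
        elif key == "ca-p12":
            found.append(("MITM", "CA bundle shipped inside the profile"))
    return found
```

A CA bundle that arrives inside a downloaded profile was not generated on your device, which is the case the warning above tells you not to trust.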

Surge FAQ: Common Problems & Solutions

Even experienced users encounter issues with Surge. Here are the most frequently asked questions and their solutions, covering both iOS and macOS.

Q: "Surge disconnects every few minutes on iOS"

A: This is usually caused by iOS's Low Power Mode or aggressive app backgrounding. Go to iOS Settings → Battery → disable Low Power Mode. Also check that Settings → Screen Time → Downtime isn't cutting network access. Additionally, in Surge's [General], try setting always-real-ip = *.apple.com to prevent DNS issues from triggering disconnects.

Q: "Some apps still don't go through Surge on iOS"

A: By default, Surge on iOS operates in "proxy" mode — some system services and apps that don't respect proxy settings bypass it. Go to Surge → More → Advanced → check if "Include All Networks" is enabled. This routes all traffic through Surge, including cellular data and apps using direct socket connections.

Q: "Managed configuration update fails"

A: The managed config URL must be accessible from your current network location. If you're in China, the URL might be blocked — ensure your VPN07 subscription URL uses a CDN-accelerated domain. Alternatively, use Surge's "Update with Proxy" option which allows the managed config update to go through the currently active proxy.

Q: "GEOIP rules not working correctly"

A: Surge uses MaxMind GeoLite2 for IP geolocation. Add geoip-maxmind-db = https://raw.githubusercontent.com/Loyalsoldier/geoip/release/GeoLite2-Country.mmdb to [General] to use an updated database. The bundled database may be outdated. You can update it via Surge → More → GeoIP Database → Update.

Q: "High CPU usage on Mac with Enhanced Mode"

A: Enhanced Mode captures all system traffic which naturally uses more CPU than regular proxy mode. If you're experiencing performance issues, check Surge's Dashboard tab for any rules that are doing excessive DNS lookups. Adding commonly-used domains to the [Host] section as static entries reduces DNS overhead significantly.

Q: "VMess connection works but is slow"

A: VMess performance depends heavily on transport layer configuration. WebSocket over TLS (wss://) adds latency due to TLS overhead. Try switching to TCP+TLS transport (no WebSocket) for lower latency if your VPN07 nodes support it. Also enable tcp-fast-open = true in [General] for connections that support it.

Surge vs Other iOS Proxy Apps: When to Choose What

Understanding where Surge sits relative to other popular iOS proxy apps helps you make the right choice for your needs.

| Feature | Surge 5 | Quantumult X | Shadowrocket |
|---|---|---|---|
| Ease of Use | Advanced | Moderate | Easy |
| System-Level Capture | ✓ Full | Partial | Limited |
| MITM Support | ✓ Full | ✓ Full | Basic |
| Scripting Engine | ✓ Advanced JS | ✓ JS + Community | None |
| Price | Premium ($$$) | One-time ($7.99) | One-time ($2.99) |
| Best For | Developers, Power Users | Script Users | General Users |

Recommendation

Choose Surge if you're a developer, network professional, or power user who needs complete traffic control and doesn't mind a steeper learning curve. The combination of Surge + VPN07 gives you 1000Mbps bandwidth with professional-grade routing flexibility that no other iOS proxy setup can match.

VPN07: The Perfect Backend for Surge Power Users

VPN07 — #1 Choice for Surge Users

9.9/10 — Best VPN for Professional Surge Configuration
  • Surge Managed Config URL — download in one tap, auto-updates
  • Supports all Surge protocols: VLESS+Reality, VMess, Trojan, Shadowsocks, TUIC
  • 1000Mbps bandwidth — Surge's url-test always finds the fastest node
  • 30-day money-back guarantee — zero risk to try

VPN07 — Best VPN for Surge

1000Mbps · 70+ Countries · Trusted Since 2015

VPN07 provides Surge-optimized managed configurations with VLESS+Reality, VMess, Trojan, and Shadowsocks protocol support across 70+ countries. With 1000Mbps peak bandwidth, Surge's url-test groups will always select the fastest available node. Running continuously for over 10 years, VPN07 is the trusted backend that serious Surge users depend on.
