Why Run Clash TUN on Your OpenWrt Router?
Installing a Clash client on each laptop and phone works until you add a smart TV, a game console, or a guest device that cannot load a subscription at all. A single gateway-level transparent proxy solves that: every packet that leaves your LAN passes through one Mihomo (Clash Meta) core on the router, and you maintain routing rules in one place.
On OpenWrt, the most mature path is OpenClash, a LuCI application that wraps Mihomo with TUN support, DNS plugins, and automatic firewall scripts. TUN mode creates a virtual network interface and captures traffic at layer 3, so devices do not need HTTP proxy settings, PAC files, or per-app VPN toggles. That is the same principle as desktop TUN in Clash Verge Rev—applied to your entire household.
Compared with running only a SOCKS port on the router, TUN transparent proxy handles UDP (voice chat, QUIC, game matchmaking) and applications that ignore system proxy settings. Compared with a full-tunnel commercial VPN on the router, Clash gives you split routing—domestic sites direct, foreign sites through your node—so you do not force local banking or streaming CDNs through an overseas hop.
Hardware and Firmware Prerequisites
Transparent TUN is heavier than a simple SOCKS relay. Before flashing or buying hardware, check these minimums:
- Flash: At least 32 MB free after OpenWrt base install for OpenClash, the Mihomo binary, and GeoIP/GeoSite databases (CN or full rulesets add more).
- RAM: 128 MB free at runtime is a practical floor; 256 MB+ is comfortable with fake-ip DNS and large rule providers.
- CPU: Any dual-core ARM or x86 at 1 GHz+ is fine for home broadband; avoid decade-old 16 MB NOR devices for TUN—they often OOM when Geo files update.
- Kernel modules: `kmod-tun` must be available; most official OpenWrt images include it.
- Backup: save /etc/config/network and LuCI settings before installing OpenClash. A misconfigured transparent proxy can cut WAN access until you disable the service from serial or failsafe mode.
You also need a Clash-compatible subscription (YAML or converted Surge/Quantumult profiles). Test the same subscription on a desktop client first; if nodes fail there, the router will not fix them. For rule syntax fundamentals, see our DOMAIN / GEOIP / MATCH rules guide; for desktop TUN gaming tweaks, see Clash game acceleration with TUN.
Installing OpenClash on OpenWrt
OpenClash ships as an OpenWrt package with a LuCI menu under Services → OpenClash. Installation paths differ slightly by feed, but the flow is consistent:
- SSH into the router and ensure WAN and DNS work on stock OpenWrt.
- Install dependencies: `dnsmasq-full` (or configure dnsmasq to forward to OpenClash), `bash`, `curl`, `ca-bundle`, and `kmod-tun`.
- Add the OpenClash software source for your OpenWrt branch (check the project wiki for the exact feed URL matching your version).
- Run `opkg update` and `opkg install luci-app-openclash`, then refresh LuCI.
- Open OpenClash → Plugin Update and download the latest Mihomo (Meta) core matching your CPU architecture (aarch64, mips, x86_64, etc.).
After installation, go to Config Subscribe and paste your subscription URL. Choose Convert Config if the feed is not native Clash YAML. Click Subscribe to pull nodes, then Commit Settings. Do not enable transparent proxy until DNS and core start cleanly in the log tab.
Configuring TUN Transparent Proxy
OpenClash exposes several running modes. For whole-home capture, select TUN (sometimes labeled TUN mode or fake-ip TUN in newer builds), not Redir-Host alone.
| Mode | How it works | Best for |
|---|---|---|
| Redir-Host | iptables REDIRECT on TCP ports 7892/7895 | Lightweight TCP-only browsing; misses much UDP |
| TUN | Virtual utun interface; layer-3 routing | Games, QUIC, mobile apps, consoles, full transparency |
| Mixed | Combines redir + TUN depending on build | Transitional setups; prefer pure TUN when RAM allows |
In Global Settings → Operation Mode, set mode to TUN. Assign a private TUN stack address (OpenClash defaults such as 198.18.0.1/16 are common for fake-ip). Enable Auto Start only after a successful manual start. The Mihomo config snippet should include a tun: block similar to:
```yaml
tun:
  enable: true
  stack: system
  auto-route: true
  auto-detect-interface: true
  dns-hijack:
    - any:53
  mtu: 9000
```
On resource-constrained routers, try stack: gvisor if you see crashes with system stack. On powerful x86 gateways, system usually offers lower CPU overhead. Match the stack option to what your OpenClash build documents for your kernel version.
Click Start OpenClash and watch Running Log. A healthy boot shows core version, TUN interface creation, and rule provider load. If the core exits immediately, check architecture mismatch (wrong binary), permission on /dev/net/tun, or insufficient RAM.
DNS Hijacking and Firewall Integration
Transparent proxy fails in practice when DNS leaks or resolves to wrong regions. OpenClash integrates with dnsmasq to implement DNS hijacking: LAN clients query the router on port 53, and Mihomo handles resolution via fake-ip or redir-host DNS modes.
Recommended baseline for split routing in China-based home networks (adapt if your locale differs):
- Enable DNS Hijack in OpenClash so devices cannot bypass the router with hard-coded 8.8.8.8.
- Use fake-ip mode for faster connection setup when rules use DOMAIN keywords; map fake-ip pools to the TUN subnet.
- Import CN direct name lists (GeoSite cn, or Loyalsoldier rules) so domestic domains resolve to real IPs and go DIRECT.
- Keep fallback-filter or equivalent enabled so CDN CNAME chains do not force foreign traffic through proxy nodes unnecessarily.
```yaml
dns:
  enable: true
  listen: 0.0.0.0:7874
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  nameserver:
    - https://223.5.5.5/dns-query
    - tls://1.1.1.1
  fallback:
    - https://1.1.1.1/dns-query
  fallback-filter:
    geoip: true
    geoip-code: CN
    ipcidr:
      - 240.0.0.0/4
```
OpenClash injects firewall rules automatically when you enable TUN: traffic from br-lan is forwarded into the TUN interface except for marked local traffic. Do not hand-edit nftables unless you understand the restore order—OpenClash re-applies chains on every restart. If you run ad-blocking or parental control packages, check for rule conflicts (double NAT on port 53 is a frequent culprit).
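To make the fake-ip and fallback-filter behaviour in the snippet above concrete, here is an added Python example (not OpenClash or Mihomo code) that models a fake-ip pool carved from 198.18.0.1/16 and the fallback-filter decision for the geoip and ipcidr settings shown. The GeoIP prefixes, the upstream answers, and the choice to reserve the first host address for the TUN gateway are constructed assumptions; Mihomo's real allocator and GeoIP database may differ in detail.

```python
import ipaddress

# Constructed stand-in for the GeoIP database: a few prefixes tagged CN.
# The real lookup uses Mihomo's GeoIP mmdb; these prefixes are sample data.
GEOIP_CN = [ipaddress.ip_network(c) for c in ("223.5.5.0/24", "114.114.114.0/24")]

# ipcidr list from the fallback-filter block: nameserver answers in these
# ranges are treated as polluted and discarded.
POLLUTED = [ipaddress.ip_network("240.0.0.0/4")]


def geoip_code(ip):
    """Return 'CN' for addresses in the constructed table, 'OTHER' otherwise."""
    addr = ipaddress.ip_address(ip)
    return "CN" if any(addr in net for net in GEOIP_CN) else "OTHER"


class FakeIpPool:
    """Hands out addresses from fake-ip-range and maps them back to names.

    Clients get a fake address immediately, so the TCP handshake can start
    before any real upstream answer arrives; the core later recovers the
    domain from the fake destination IP and applies DOMAIN-* rules to it.
    """

    def __init__(self, cidr="198.18.0.1/16"):
        net = ipaddress.ip_network(cidr, strict=False)
        self._hosts = net.hosts()
        next(self._hosts)  # assumption: first host (198.18.0.1) is the TUN gateway
        self._by_domain = {}
        self._by_ip = {}

    def resolve(self, domain):
        """Return the fake IP for domain, allocating one on first sight."""
        domain = domain.rstrip(".").lower()
        if domain not in self._by_domain:
            ip = str(next(self._hosts))
            self._by_domain[domain] = ip
            self._by_ip[ip] = domain
        return self._by_domain[domain]

    def domain_for(self, ip):
        """Reverse lookup used when a connection arrives at a fake destination."""
        return self._by_ip.get(ip)


def choose_answer(nameserver_ip, fallback_ip, geoip=True,
                  geoip_code_expected="CN", ipcidr=POLLUTED):
    """Apply fallback-filter to a pair of upstream answers.

    Returns (chosen_ip, reason). The nameserver answer survives only if it is
    outside every ipcidr range and, with geoip enabled, belongs to the
    geoip-code country; otherwise the fallback answer wins.
    """
    addr = ipaddress.ip_address(nameserver_ip)
    if any(addr in net for net in ipcidr):
        return fallback_ip, "ipcidr-polluted"
    if geoip and geoip_code(nameserver_ip) != geoip_code_expected:
        return fallback_ip, "geoip-mismatch"
    return nameserver_ip, "nameserver"


if __name__ == "__main__":
    pool = FakeIpPool()
    fake = pool.resolve("www.example.com")
    print("www.example.com ->", fake, "->", pool.domain_for(fake))
    # Constructed upstream answers for the three fallback-filter outcomes:
    print(choose_answer("240.1.2.3", "93.184.216.34"))      # polluted -> fallback
    print(choose_answer("223.5.5.5", "93.184.216.34"))      # domestic -> nameserver
    print(choose_answer("93.184.216.34", "93.184.216.34"))  # foreign -> fallback
```

The point of the model: with `geoip: true`, a domestic nameserver answer that points abroad is not trusted, so a CDN CNAME chain ending at a foreign edge does not silently pick up a possibly tampered answer, and a fake-ip hit never waits on either upstream. That also explains why a rule set that starts with `no-resolve` IP-CIDR entries still works under fake-ip: the core never hands a 198.18.x.x address to those rules, it matches on the recovered domain instead.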
Split Routing Rules for LAN Devices
A router-wide proxy does not mean every packet should leave the country. The strength of Clash on OpenWrt is policy-based split routing shared by every client. Structure your YAML (or OpenClash custom rules) like this:
- Private networks DIRECT — RFC1918, multicast, and your ISP intranet ranges.
- GeoIP CN DIRECT (or your country code) — keeps local latency low for domestic services.
- Domain suffix lists — streaming, AI, or work tools that need proxy go to a `PROXY` or `auto` group.
- MATCH — final catch-all; usually `PROXY` for “foreign default” or `DIRECT` for “domestic default” depending on your lifestyle.
```yaml
rules:
  - IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
  - IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,127.0.0.0/8,DIRECT,no-resolve
  - GEOIP,CN,DIRECT
  - DOMAIN-SUFFIX,google.com,PROXY
  - DOMAIN-SUFFIX,github.com,PROXY
  - MATCH,PROXY
```
Use policy groups (url-test, fallback, select) in the subscription so the router picks low-latency nodes automatically. For Apple TVs and consoles, you rarely need per-device overrides if domain rules cover their CDNs; for a work PC that must stay direct, add a src-ip-CIDR rule placing that DHCP reservation in a DIRECT group.
OpenClash also supports access control in LuCI: exclude MAC addresses from proxy (guest network, work laptop), or include only certain VLANs if you run segmented Wi-Fi. That is easier than maintaining duplicate clients on each device.
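The rule list above is walked top to bottom and the first match wins; `no-resolve` decides whether an IP-based rule is allowed to trigger a DNS lookup for a destination that is still a domain name. The following Python example is added here (it is not OpenClash or Mihomo code) and implements that walk for the rule types on this page plus a SRC-IP-CIDR entry for the work-PC case mentioned above. The resolver answers, the GeoIP table, the 192.168.1.77 work-PC reservation and the 192.168.1.50 default client are constructed sample data. It goes slightly beyond the snippet by counting the lookups each connection triggers, which shows why a GEOIP rule placed ahead of the DOMAIN-SUFFIX rules costs one resolution per foreign domain.

```python
import ipaddress

# Constructed sample data (hypothetical, not real lookups): what the resolver
# and a tiny GeoIP table would return for the hosts used below.
RESOLVER = {
    "www.google.com": "203.0.113.10",  # TEST-NET-3 address standing in for a foreign IP
    "api.github.com": "203.0.113.20",
    "cdn.example.cn": "198.51.100.5",  # TEST-NET-2 address standing in for a CN IP
}
GEOIP_CN = ipaddress.ip_network("198.51.100.0/24")  # stand-in GeoIP "CN" entry


def lookup_country(ip):
    """Constructed GeoIP lookup: 'CN' for the sample prefix, 'OTHER' otherwise."""
    return "CN" if ipaddress.ip_address(ip) in GEOIP_CN else "OTHER"


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


class Rule:
    """One Clash rule line: TYPE,ARG,POLICY[,no-resolve] or MATCH,POLICY."""

    def __init__(self, text):
        self.text = text
        parts = [p.strip() for p in text.split(",")]
        self.kind = parts[0].upper()
        if self.kind == "MATCH":
            self.arg, self.policy, opts = None, parts[1], parts[2:]
        else:
            self.arg, self.policy, opts = parts[1], parts[2], parts[3:]
        self.no_resolve = "no-resolve" in opts
        self.net = (ipaddress.ip_network(self.arg, strict=False)
                    if self.kind in ("IP-CIDR", "IP-CIDR6", "SRC-IP-CIDR") else None)


class RuleEngine:
    """First-match evaluation in list order, the way Clash/Mihomo walks rules:."""

    def __init__(self, rule_lines, resolver=RESOLVER):
        self.rules = [Rule(line) for line in rule_lines]
        self.resolver = resolver
        self.resolutions = 0  # DNS lookups triggered by IP-based rules

    def route(self, dst, src_ip="192.168.1.50"):
        """Return (policy, matched_rule_text) for a connection to dst (domain or IP)."""
        dst_ip = dst if is_ip(dst) else None
        host = None if dst_ip else dst.lower().rstrip(".")
        src = ipaddress.ip_address(src_ip)
        tried_resolve = False
        for r in self.rules:
            if r.kind == "DOMAIN-SUFFIX":
                if host and (host == r.arg or host.endswith("." + r.arg)):
                    return r.policy, r.text
            elif r.kind == "DOMAIN":
                if host == r.arg:
                    return r.policy, r.text
            elif r.kind == "DOMAIN-KEYWORD":
                if host and r.arg in host:
                    return r.policy, r.text
            elif r.kind == "SRC-IP-CIDR":
                if src in r.net:
                    return r.policy, r.text
            elif r.kind in ("IP-CIDR", "IP-CIDR6", "GEOIP"):
                if dst_ip is None:
                    if r.no_resolve or tried_resolve:
                        continue  # never resolve just to test this rule
                    tried_resolve = True
                    self.resolutions += 1
                    dst_ip = self.resolver.get(host)
                    if dst_ip is None:
                        continue  # unresolvable: IP rules cannot match
                addr = ipaddress.ip_address(dst_ip)
                if r.kind == "GEOIP":
                    if lookup_country(dst_ip) == r.arg.upper():
                        return r.policy, r.text
                elif addr in r.net:
                    return r.policy, r.text
            elif r.kind == "MATCH":
                return r.policy, r.text
        return "DIRECT", None  # Clash falls back to DIRECT when nothing matches


# The page's rule list plus a hypothetical work-PC reservation kept DIRECT.
RULES = [
    "IP-CIDR,192.168.0.0/16,DIRECT,no-resolve",
    "IP-CIDR,10.0.0.0/8,DIRECT,no-resolve",
    "IP-CIDR,127.0.0.0/8,DIRECT,no-resolve",
    "SRC-IP-CIDR,192.168.1.77/32,DIRECT",
    "GEOIP,CN,DIRECT",
    "DOMAIN-SUFFIX,google.com,PROXY",
    "DOMAIN-SUFFIX,github.com,PROXY",
    "MATCH,PROXY",
]

if __name__ == "__main__":
    eng = RuleEngine(RULES)
    for dst, src in (("192.168.1.20", "192.168.1.50"), ("www.google.com", "192.168.1.77"),
                     ("cdn.example.cn", "192.168.1.50"), ("api.github.com", "192.168.1.50")):
        print(dst, "from", src, "->", eng.route(dst, src_ip=src))
    print("DNS lookups triggered:", eng.resolutions)
```

Two things the walk makes visible: a connection to a raw LAN address is settled by the first `no-resolve` rule without any DNS work, which is the loop-avoidance the FAQ refers to, and the work PC stays DIRECT for google.com because its SRC-IP-CIDR rule sits above the domain rules. Moving the two DOMAIN-SUFFIX rules above `GEOIP,CN,DIRECT` would drop the lookup count for those domains to zero; the trade-off is that every domain rule must then be checked before any domestic IP is short-circuited.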
Troubleshooting Common Issues
When the whole house loses connectivity, work through this ordered checklist:
Core will not start
Verify the downloaded Mihomo binary matches CPU architecture, re-run plugin update, and confirm kmod-tun is loaded (lsmod | grep tun). Read /tmp/openclash.log for OOM kills; reduce Geo file size or disable unused rule providers.
Internet works but proxy does not
Ensure operation mode is TUN, not “off” or mis-synced after upgrade. Confirm subscription has valid nodes and test with Connection Check in LuCI. Check that LAN DNS points only to the router (disable DoH in browsers during testing).
Domestic sites slow or broken
Usually missing GEOIP CN DIRECT or fake-ip conflicts with CDN. Add direct rules for affected domains, switch enhanced-mode to redir-host for testing, or update GeoSite data.
Single device still bypasses proxy
The device may use private DNS (Android Private DNS, iCloud Private Relay), a hard-coded VPN, or IPv6. Block DoT on port 853 if needed, or assign the device to a VLAN that OpenClash fully hijacks.
High CPU or router reboots
Lower find-process-mode overhead, reduce concurrent rule providers, schedule Geo updates at night, or move to hardware with more RAM. TUN on 100 Mbps links is modest; on gigabit saturated links, x86 routers scale better than old MIPS.
Frequently Asked Questions
What is the difference between TUN and Redir-Host on OpenClash?
Redir-Host redirects TCP via iptables and is lighter on CPU. TUN captures TCP and UDP at the virtual interface, which is what you want for consoles, QUIC, and apps that ignore proxy settings. For a single “whole-home” profile, prefer TUN when RAM allows.
How much router RAM do I need for OpenClash TUN?
Plan for 128 MB+ free RAM after boot with a medium rule set. Heavy GeoIP plus fake-ip and multiple providers benefits from 256 MB or more. Flash space is separate—budget 20–40 MB for cores and databases or use USB storage.
Will transparent proxy break local NAS or printer access?
Not if RFC1918 DIRECT rules and local DNS records stay in place. Never proxy traffic destined to your LAN subnet; use no-resolve on IP-CIDR rules to avoid DNS loops.
Can I use PassWall or SSR instead of OpenClash?
PassWall and similar LuCI apps target Shadowsocks/V2Ray stacks. They can do transparent forwarding but lack Clash’s unified YAML rules, policy groups, and Mihomo TUN feature parity. If you already standardize on Clash subscriptions across desktop and mobile, OpenClash keeps one config format on the router too.
Do I still need Clash on my PC if the router proxies everything?
Many users run router-only at home and disable clients on LAN. Laptops on public Wi-Fi still need a portable client (Clash Verge Rev, Mihomo Party). The router handles household devices; personal devices off-LAN keep their own profile.
Router plugins that only expose SOCKS5 leave consoles and smart TVs unprotected unless you configure unsupported proxy fields. All-in-one VPN firmware often tunnels every byte abroad, slowing local services. Clash on OpenWrt with TUN combines transparent capture, split rules, and the same Mihomo core used by modern desktop clients—one subscription, one rule file, every device on Wi-Fi covered without touching guest phone settings.