github.com/igoogolx/clash@v1.19.8/docs/configuration/outbound.md (about) 1 --- 2 sidebarTitle: Outbound 3 sidebarOrder: 4 4 --- 5 6 # Outbound 7 8 There are several types of outbound targets in Clash. Each type has its own features and usage scenarios. In this page, we'll cover the common features of each type and how they should be used and configured. 9 10 [[toc]] 11 12 ## Proxies 13 14 Proxies are some outbound targets that you can configure. Like proxy servers, you define destinations for the packets here. 15 16 ### Shadowsocks 17 18 Clash supports the following ciphers (encryption methods) for Shadowsocks: 19 20 | Family | Ciphers | 21 | ------ | ------- | 22 | AEAD | aes-128-gcm, aes-192-gcm, aes-256-gcm, chacha20-ietf-poly1305, xchacha20-ietf-poly1305 | 23 | Stream | aes-128-cfb, aes-192-cfb, aes-256-cfb, rc4-md5, chacha20-ietf, xchacha20 | 24 | Block | aes-128-ctr, aes-192-ctr, aes-256-ctr | 25 26 In addition, Clash also supports popular Shadowsocks plugins `obfs` and `v2ray-plugin`. 27 28 ::: code-group 29 30 ```yaml [basic] 31 - name: "ss1" 32 type: ss 33 # interface-name: eth0 34 # routing-mark: 1234 35 server: server 36 port: 443 37 cipher: chacha20-ietf-poly1305 38 password: "password" 39 # udp: true 40 ``` 41 42 ```yaml [obfs] 43 - name: "ss2" 44 type: ss 45 # interface-name: eth0 46 # routing-mark: 1234 47 server: server 48 port: 443 49 cipher: chacha20-ietf-poly1305 50 password: "password" 51 plugin: obfs 52 plugin-opts: 53 mode: tls # or http 54 # host: bing.com 55 ``` 56 57 ```yaml [ws (websocket)] 58 - name: "ss3" 59 type: ss 60 # interface-name: eth0 61 # routing-mark: 1234 62 server: server 63 port: 443 64 cipher: chacha20-ietf-poly1305 65 password: "password" 66 plugin: v2ray-plugin 67 plugin-opts: 68 mode: websocket # no QUIC now 69 # tls: true # wss 70 # skip-cert-verify: true 71 # host: bing.com 72 # path: "/" 73 # mux: true 74 # headers: 75 # custom: value 76 ``` 77 78 ::: 79 80 ### ShadowsocksR 81 82 Clash supports the infamous anti-censorship protocol ShadowsocksR as well. The supported ciphers: 83 84 | Family | Ciphers | 85 | ------ | ------- | 86 | Stream | aes-128-cfb, aes-192-cfb, aes-256-cfb, rc4-md5, chacha20-ietf, xchacha20 | 87 88 Supported obfuscation methods: 89 90 - plain 91 - http_simple 92 - http_post 93 - random_head 94 - tls1.2_ticket_auth 95 - tls1.2_ticket_fastauth 96 97 Supported protocols: 98 99 - origin 100 - auth_sha1_v4 101 - auth_aes128_md5 102 - auth_aes128_sha1 103 - auth_chain_a 104 - auth_chain_b 105 106 ```yaml 107 - name: "ssr" 108 type: ssr 109 # interface-name: eth0 110 # routing-mark: 1234 111 server: server 112 port: 443 113 cipher: chacha20-ietf 114 password: "password" 115 obfs: tls1.2_ticket_auth 116 protocol: auth_sha1_v4 117 # obfs-param: domain.tld 118 # protocol-param: "#" 119 # udp: true 120 ``` 121 122 ### Vmess 123 124 Clash supports the following ciphers (encryption methods) for Vmess: 125 126 - auto 127 - aes-128-gcm 128 - chacha20-poly1305 129 - none 130 131 ::: code-group 132 133 ```yaml [basic] 134 - name: "vmess" 135 type: vmess 136 # interface-name: eth0 137 # routing-mark: 1234 138 server: server 139 port: 443 140 uuid: uuid 141 alterId: 32 142 cipher: auto 143 # udp: true 144 # tls: true 145 # skip-cert-verify: true 146 # servername: example.com # priority over wss host 147 # network: ws 148 # ws-opts: 149 # path: /path 150 # headers: 151 # Host: v2ray.com 152 # max-early-data: 2048 153 # early-data-header-name: Sec-WebSocket-Protocol 154 ``` 155 156 ```yaml [HTTP] 157 - name: "vmess-http" 158 type: vmess 159 # interface-name: eth0 160 # routing-mark: 1234 161 server: server 162 port: 443 163 uuid: uuid 164 alterId: 32 165 cipher: auto 166 # udp: true 167 # network: http 168 # http-opts: 169 # # method: "GET" 170 # # path: 171 # # - '/' 172 # # - '/video' 173 # # headers: 174 # # Connection: 175 # # - keep-alive 176 ``` 177 178 ```yaml [HTTP/2] 179 - name: "vmess-h2" 180 type: vmess 181 # interface-name: eth0 182 # routing-mark: 1234 183 server: server 184 port: 443 185 uuid: uuid 186 alterId: 32 187 cipher: auto 188 network: h2 189 tls: true 190 h2-opts: 191 host: 192 - http.example.com 193 - http-alt.example.com 194 path: / 195 ``` 196 197 ```yaml [gRPC] 198 - name: vmess-grpc 199 type: vmess 200 # interface-name: eth0 201 # routing-mark: 1234 202 server: server 203 port: 443 204 uuid: uuid 205 alterId: 32 206 cipher: auto 207 network: grpc 208 tls: true 209 servername: example.com 210 # skip-cert-verify: true 211 grpc-opts: 212 grpc-service-name: "example" 213 ``` 214 215 ::: 216 217 ### SOCKS5 218 219 In addition, Clash supports SOCKS5 outbound as well: 220 221 ```yaml 222 - name: "socks" 223 type: socks5 224 # interface-name: eth0 225 # routing-mark: 1234 226 server: server 227 port: 443 228 # username: username 229 # password: password 230 # tls: true 231 # skip-cert-verify: true 232 # udp: true 233 ``` 234 235 ### HTTP 236 237 Clash also supports HTTP outbound: 238 239 ::: code-group 240 241 ```yaml [HTTP] 242 - name: "http" 243 type: http 244 # interface-name: eth0 245 # routing-mark: 1234 246 server: server 247 port: 443 248 # username: username 249 # password: password 250 ``` 251 252 ```yaml [HTTPS] 253 - name: "http" 254 type: http 255 # interface-name: eth0 256 # routing-mark: 1234 257 server: server 258 port: 443 259 tls: true 260 # skip-cert-verify: true 261 # sni: custom.com 262 # username: username 263 # password: password 264 ``` 265 266 ::: 267 268 ### Snell 269 270 Being an alternative protocol for anti-censorship, Clash has integrated support for Snell as well. 271 272 ::: tip 273 Clash does not support Snell v4. ([#2466](https://github.com/Dreamacro/clash/issues/2466)) 274 ::: 275 276 ```yaml 277 # No UDP support yet 278 - name: "snell" 279 type: snell 280 # interface-name: eth0 281 # routing-mark: 1234 282 server: server 283 port: 44046 284 psk: yourpsk 285 # version: 2 286 # obfs-opts: 287 # mode: http # or tls 288 # host: bing.com 289 ``` 290 291 ### Trojan 292 293 Clash has built support for the popular protocol Trojan: 294 295 ::: code-group 296 297 ```yaml [basic] 298 - name: "trojan" 299 type: trojan 300 # interface-name: eth0 301 # routing-mark: 1234 302 server: server 303 port: 443 304 password: yourpsk 305 # udp: true 306 # sni: example.com # aka server name 307 # alpn: 308 # - h2 309 # - http/1.1 310 # skip-cert-verify: true 311 ``` 312 313 ```yaml [gRPC] 314 - name: trojan-grpc 315 type: trojan 316 # interface-name: eth0 317 # routing-mark: 1234 318 server: server 319 port: 443 320 password: "example" 321 network: grpc 322 sni: example.com 323 # skip-cert-verify: true 324 udp: true 325 grpc-opts: 326 grpc-service-name: "example" 327 ``` 328 329 ```yaml [ws (websocket)] 330 - name: trojan-ws 331 type: trojan 332 # interface-name: eth0 333 # routing-mark: 1234 334 server: server 335 port: 443 336 password: "example" 337 network: ws 338 sni: example.com 339 # skip-cert-verify: true 340 udp: true 341 # ws-opts: 342 # path: /path 343 # headers: 344 # Host: example.com 345 ``` 346 347 ::: 348 349 ## Proxy Groups 350 351 Proxy Groups are groups of proxies that you can use directly as a rule policy. 352 353 ### relay 354 355 The request sent to this proxy group will be relayed through the specified proxy servers sequently. There's currently no UDP support on this. The specified proxy servers should not contain another relay. 356 357 ### url-test 358 359 Clash benchmarks each proxy servers in the list, by sending HTTP HEAD requests to a specified URL through these servers periodically. It's possible to set a maximum tolerance value, benchmarking interval, and the target URL. 360 361 ### fallback 362 363 Clash periodically tests the availability of servers in the list with the same mechanism of `url-test`. The first available server will be used. 364 365 ### load-balance 366 367 The request to the same eTLD+1 will be dialed with the same proxy. 368 369 ### select 370 371 The first server is by default used when Clash starts up. Users can choose the server to use with the RESTful API. In this mode, you can hardcode servers in the config or use [Proxy Providers](#proxy-providers). 372 373 Either way, sometimes you might as well just route packets with a direct connection. In this case, you can use the `DIRECT` outbound. 374 375 To use a different network interface, you will need to use a Proxy Group that contains a `DIRECT` outbound with the `interface-name` option set. 376 377 ```yaml 378 - name: "My Wireguard Outbound" 379 type: select 380 interface-name: wg0 381 proxies: [ 'DIRECT' ] 382 ``` 383 384 ## Proxy Providers 385 386 Proxy Providers give users the power to load proxy server lists dynamically, instead of hardcoding them in the configuration file. There are currently two sources for a proxy provider to load server list from: 387 388 - `http`: Clash loads the server list from a specified URL on startup. Clash periodically pulls the server list from remote if the `interval` option is set. 389 - `file`: Clash loads the server list from a specified location on the filesystem on startup. 390 391 Health check is available for both modes, and works exactly like `fallback` in Proxy Groups. The configuration format for the server list files is also exactly the same in the main configuration file: 392 393 ::: code-group 394 395 ```yaml [config.yaml] 396 proxy-providers: 397 provider1: 398 type: http 399 url: "url" 400 interval: 3600 401 path: ./provider1.yaml 402 # filter: 'a|b' # golang regex string 403 health-check: 404 enable: true 405 interval: 600 406 # lazy: true 407 url: http://www.gstatic.com/generate_204 408 test: 409 type: file 410 path: /test.yaml 411 health-check: 412 enable: true 413 interval: 36000 414 url: http://www.gstatic.com/generate_204 415 ``` 416 417 ```yaml [test.yaml] 418 proxies: 419 - name: "ss1" 420 type: ss 421 server: server 422 port: 443 423 cipher: chacha20-ietf-poly1305 424 password: "password" 425 426 - name: "ss2" 427 type: ss 428 server: server 429 port: 443 430 cipher: chacha20-ietf-poly1305 431 password: "password" 432 plugin: obfs 433 plugin-opts: 434 mode: tls 435 ``` 436 437 :::