Clash Android Per-App Routing: Enable Proxy for Only Selected Apps
On phones you rarely want a blunt global VPN that drags every packet through a remote exit. Per-app routing—sometimes labeled split tunneling, app bypass, or an allowlist—lets a Clash-based Android client send only the messengers, browsers, or storefronts you tick toward your proxy policy while the rest of the OS stays on the carrier path. This guide explains the mental model, how it interacts with TUN versus classic modes, how to pick apps in the UI, and how to prove connectivity so you are not guessing.
Why per-app routing is the default “adult setting” on Android
Android runs dozens of background sync jobs: email, push services, OEM analytics, wallet apps, and carrier provisioning helpers. If you flip a naive “everything through Clash” switch, you inherit three costs at once: higher battery drain from extra encapsulation, surprise latency for traffic that was perfectly fine on your home LTE or Wi-Fi, and harder debugging when one stubborn binary misbehaves behind a commercial node. A curated app list keeps blast radius small: you proxy the destinations that actually need an alternate egress, and you leave sensitive domestic flows on their intended path unless you have a clear reason not to.
Search intent usually splits two ways. Some readers want only WeChat, Telegram, Chrome, or Firefox on the tunnel and everything else direct—great for everyday messaging plus regional banking apps that dislike foreign IP ranges. Others want the opposite: games and voice chat direct for ping stability, while social and news readers still exit through a stable node. Both are the same mechanism with inverted defaults; the UI wording is what trips people up, so we will normalize vocabulary before touching toggles.
TUN, system VPN, and per-app lists are related but not identical
Modern Clash Android forks based on mihomo / Clash Meta often expose TUN mode, which registers an Android VPN interface so the kernel can steer IP packets into userspace. Android still shows the keyhole icon because the OS classifies that as a VPN session, but the policy engine underneath is Clash rules—not a single remote server blindly tunneling every byte. Per-app controls sit at the Android layer: they decide which UIDs are even eligible to enter that VPN session. If you exclude a banking app at the UID level, its packets may never reach Clash rule evaluation at all.
That distinction matters when you compare to desktop PROCESS-NAME tricks. On Windows you might send only steam.exe through TUN; on Android the coarse knob is usually the package list surfaced in settings. Finer splits still exist inside Clash once traffic arrives—DOMAIN-SUFFIX rows, policy groups, and so on—but you cannot apply them to an app you already excluded at the VPN boundary.
Rule of thumb
Treat the Android per-app list as the outer gate and Clash rules as the inner sorting office. If a session never passes the gate, no YAML cleverness will see it.
Prerequisites: profile health, VPN permission, and subscription sanity
Before you tune splits, confirm the baseline profile actually starts: import your subscription, pick a working node, and run a simple connectivity test inside the client. If import itself fails, fix that first—our Clash Android subscription import troubleshooting guide walks through TLS, user certificates, and URL formatting issues that masquerade as “per-app broken” when the root cause is still profile fetch.
Grant the VPN permission prompt once, then avoid revoking it from system settings unless you mean to. Some OEM builds aggressively kill background VPN holders; if the service disconnects seconds after you leave the app, revisit battery optimizations for your Clash client before blaming the allowlist. Private DNS (dns.google or AdGuard-style hosts) can also change how quickly apps appear “online”; pair per-app tuning with the DNS notes in the DNS and fake-ip article when pages load but APIs hang.
Allowlist versus bypass: read the label twice
Clients disagree on wording, but there are only two families. An allowlist (only these apps use VPN) starts from deny-by-default for VPN UIDs and adds exceptions. A bypass list (these apps skip VPN) starts from full capture and punches holes. Mixing them up is the fastest way to think Telegram is proxied when it is actually bypassed, or to believe your browser is direct while it still rides the tunnel.
| Pattern | Typical UI phrase | Best for |
|---|---|---|
| Allowlist | “Only selected apps”, “Per-app proxy” | Messaging + browser only; minimal side effects |
| Bypass | “Bypass VPN”, “Excluded apps” | Most apps proxied; games or banking direct |
When you switch between patterns, re-open the app picker and verify checkmarks. Android updates sometimes reset VPN configurations after major OS upgrades; keep a short screenshot set of your intended list if you maintain several devices for family members.
Step-by-step: finding the app list in a typical Clash Android UI
Exact menu names differ by fork, but the flow is convergent. Open your client’s Settings or Network pane, locate a section named along the lines of App rules, Access control, Per-app proxy, or Bypass mode, then choose the mode (allowlist versus bypass). Tap Select apps to open the package grid. Use search for long catalogs; remember secondary packages—some messengers ship a main chat binary plus a helper for calls or media.
Suggested order of operations
- Set Clash to Rule mode with a sane default (often domestic direct + offshore proxy).
- Enable TUN if that is how you plan to run daily; confirm VPN starts without immediate errors.
- Pick allowlist if only a handful of apps should use the tunnel; pick bypass if almost everything should proxy except latency-sensitive titles.
- Select packages, apply, then toggle VPN off and on once so Android reapplies UID filters cleanly.
Dual-app clones and “parallel space” utilities sometimes register extra UIDs. If a cloned messenger never proxies, open the clone vendor’s documentation: you may need to tick the clone container package instead of the store-signed original.
Connectivity verification that survives wishful thinking
Visual icons prove Android accepted a VPN session, not that your split behaved as intended. Build evidence per app. For a browser you expect on-proxy, visit a well-known IP echo service and note the ASN and country; then open a banking app you expect direct and check whether its embedded WebView still shows domestic ranges. For messengers, compare attachment download speeds and observe whether voice calls register new ICE candidates slowly—symptoms of an accidental tunnel when you wanted direct UDP.
Inside Clash, the connection log or traffic pane is authoritative when present: you should see rows for the proxied apps’ destinations with the policy group you selected, while excluded UIDs generate no rows at all. If you see foreign domains from an app you thought was bypassed, revisit whether you enabled bypass globally or only under a specific profile slot.
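The check described above, combined with the allowlist-versus-bypass gate from earlier, as an added example that is not code from any Clash client. The row format, package names, hosts and the "Offshore" policy group are constructed for illustration; adapt the fields to whatever your client's connection pane exports.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Row:
    package: str  # app that opened the connection
    host: str     # destination as seen by the Clash core
    policy: str   # policy group (or DIRECT) the rules selected

def enters_vpn(package, mode, selected):
    """Outer gate: does Android hand this app's packets to the VPN session?"""
    if mode == "allowlist":   # "only selected apps use VPN"
        return package in selected
    if mode == "bypass":      # "selected apps skip VPN"
        return package not in selected
    raise ValueError(f"unknown mode: {mode!r}")

def audit(mode, selected, installed, rows, expected_policy):
    """Return (package, finding) pairs where the log contradicts the intended split."""
    by_pkg = {}
    for row in rows:
        by_pkg.setdefault(row.package, []).append(row)
    findings = []
    for pkg in sorted(installed):
        captured = enters_vpn(pkg, mode, selected)
        pkg_rows = by_pkg.get(pkg, [])
        if not captured and pkg_rows:
            findings.append((pkg, "excluded app has rows in the log"))
        elif captured and not pkg_rows:
            # Could also mean the app was idle; generate traffic and re-check.
            findings.append((pkg, "captured app produced no rows"))
        want = expected_policy.get(pkg)
        for row in pkg_rows:
            if captured and want and row.policy != want:
                findings.append((pkg, f"{row.host} used {row.policy}, expected {want}"))
    return findings

# Constructed sample data (package names, hosts and the "Offshore" group are illustrative).
SELECTED = {"org.telegram.messenger", "com.android.chrome"}
INSTALLED = SELECTED | {"com.example.bank"}
ROWS = [
    Row("org.telegram.messenger", "chat.example.org", "Offshore"),
    Row("com.example.bank", "api.bank.example", "DIRECT"),
]
EXPECTED = {"org.telegram.messenger": "Offshore"}

if __name__ == "__main__":
    for mode in ("allowlist", "bypass"):
        print(mode, audit(mode, SELECTED, INSTALLED, ROWS, EXPECTED))
```

The same checkmarks produce opposite findings in the two modes, which is the mix-up the allowlist-versus-bypass section describes.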
WebView and in-app browsers
Many “mini browsers” run inside host apps. If the host is proxied, embedded pages inherit that path even when Chrome itself is on your bypass list—split by the host package, not the brand name you see on screen.
Reverse layout: keep games direct, keep social on proxy
Competitive titles benefit from short RTT and predictable UDP. Start from a configuration where VPN capture is broad, then add bypass entries for the game package, your voice chat client if it uses proprietary UDP, and optionally the publisher launcher if anti-cheat probes local networks oddly. Leave Telegram, Discord, X clients, or reader apps unbypassed so they still evaluate Clash rules and pick your offshore group.
When a game still shows high ping after bypassing, the issue may be DNS rather than IP forwarding—especially if the title resolves auth servers through a path that still hits Clash. Cross-check with logs, then adjust only one variable at a time: bypass list, DNS mode, or fake-ip settings.
Work profiles, secondary users, and Android TV
Enterprise work profiles expose a second set of UIDs. Your personal Clash client usually cannot selectively proxy packages inside the work container unless the IT policy allows it; symptoms look like “works for Chrome personal but not Chrome work.” For televisions and set-top boxes, sideload flows differ—see the Android TV sideload and subscription guide—but the same allowlist discipline applies once the client runs.
Troubleshooting quick map
- Nothing proxies after allowlisting: confirm you did not leave the list empty, and that the VPN session is actually running (toggle once).
- Everything still proxies in allowlist mode: some builds expose a master switch for “route all apps”; turn it off or re-import defaults.
- Banking app crashes on VPN start: bypass that package; a few institutions hard-fail when tun0 appears.
- IPv6 leaks around splits: if your profile forces IPv4-only assumptions while the OS prefers v6, align IPv6 handling in the profile or disable IPv6 at the OS level temporarily to test.
FAQ
Is per-app routing the same as turning off global mode inside Clash?
No. Global / Rule / Direct inside Clash decides how traffic is classified once it reaches the core. Per-app lists decide which apps enter the VPN at all. You still want Rule mode for most daily setups.
Does per-app routing share proxy to my laptop over hotspot?
Not by itself. Tethered devices are separate computers; sharing Clash generally requires an allow-LAN or HTTP proxy listener setup, which is covered in a separate guide.
Will UDP voice calls respect the list?
Yes for UID-based splits, but NAT behaviors differ by node; if calls fail only when proxied, test another node or protocol before abandoning the split.
Maintenance checklist
- Document whether you are in allowlist or bypass mode.
- After OS upgrades, reopen the picker and confirm checkmarks persisted.
- Re-verify one direct and one proxied app with IP or log evidence quarterly.
- Keep subscription refresh working so tests are not invalidated by expired nodes.
Pick a client that makes splits obvious
Android fragmentation will not disappear in 2026, but the user story is stable: show the app list, show whether each UID is captured, and make toggles resilient to OEM power management. Once the outer gate is trustworthy, your YAML rules can focus on domains and policy groups instead of fighting the wrong binaries.