Troubleshooting 2026-04-19 · About 15 min read

How to Fix Internet When Clash Quits: Reset System Proxy on Windows & macOS

You closed Clash, maybe even rebooted, yet Chrome or Edge still spins and every tab claims the network is unreachable. Nine times out of ten the link layer is fine—your Wi-Fi icon is cheerful—but HTTP traffic is still steered at a local proxy port that no longer has a listener. Clash clients that enable system proxy or a PAC script can leave those settings behind after a crash, force-quit, or failed update. This guide is the companion to DNS-focused pages: here we walk Windows and macOS through turning proxies off, clearing PAC URLs, checking WinHTTP, and removing stray environment variables, then proving the path is clean.

Why “everything breaks” the moment Clash disappears

Modern Clash front-ends can flip operating-system knobs so browsers pick up configuration without manual per-app setup. When things go well, that feels magical. When the core exits unexpectedly, the OS keeps the last written values: a manual proxy like 127.0.0.1:7890, a PAC URL that pointed at Clash’s embedded HTTP server, or—on Windows—a separate WinHTTP stack still pinned to an old endpoint. From the browser’s perspective it must tunnel through that hop; from Clash’s perspective there is nothing listening anymore, so TLS handshakes never complete and pages look “offline.”

The failure mode is easy to misread. People blame DNS, IPv6, or the ISP because ping to 8.8.8.8 still works while HTTPS fails. That asymmetry is exactly what you see when only the HTTP proxy layer is wrong. If your symptoms match—ping OK, browser dead, curl through proxy hangs—work through the sections below in order instead of toggling subscription nodes.

Try the polite path first

Reopen your Clash GUI, disable System Proxy / Set system proxy / TUN from inside the app, then quit cleanly. Many builds restore previous OS defaults on exit when they get a normal shutdown signal—skipping that step makes manual cleanup longer than it needs to be.

Windows: Settings app and manual proxy

On Windows 10 and 11 the primary user-facing switch lives under Settings → Network & internet → Proxy. You want two ideas clear: manual proxy (host + port) and automatic proxy setup (script / PAC).

Windows checklist (GUI)

  1. Open Settings → Network & internet → Proxy.
  2. Under Manual proxy setup, turn Use a proxy server Off.
  3. Under Automatically detect settings, leave as preferred (usually On) unless your org mandates otherwise.
  4. Under Use setup script, turn it Off and delete any leftover script URL (often http://127.0.0.1:... or a file:// path).
  5. Close every Chromium-based browser completely and reopen; they cache proxy decisions aggressively.

Corporate laptops sometimes reapply proxy policy minutes later. If the toggles snap back on, open Local Group Policy Editor (gpedit.msc) or check Settings → Accounts → Access work or school for MDM profiles, then talk to IT. For personal machines the GUI path above is usually sufficient.

Legacy control panels still exist: Internet Options → Connections → LAN settings mirrors some of the same fields. If you lived through older VPN utilities, peek there when Settings refuses to show what you expect—just avoid checking boxes unless you know why they exist.

Windows: WinHTTP is not the same as IE proxy

Some services—Windows Update components, certain .NET stacks, and assorted enterprise agents—read the WinHTTP proxy instead of the user WinINET profile. Clash installers rarely touch this, but third-party helper scripts sometimes run netsh winhttp import proxy source=ie and then forget to undo it.

Open an elevated Command Prompt or PowerShell and inspect the current mapping:

netsh winhttp show proxy

If you see a direct address you did not configure—or a bypass list that still references loopback—reset to defaults:

netsh winhttp reset proxy

Re-run show proxy and confirm it reports a direct connection. This step is safe on typical home PCs; servers with deliberate WinHTTP forwarding should snapshot settings before resetting.

Do not confuse stacks

Clearing WinHTTP does not replace clearing the Settings-app manual proxy, and vice versa. When troubleshooting stubborn apps, assume you need both until proven otherwise.

macOS: Network service proxies and PAC

On macOS Ventura and later, open System Settings → Network, select the active interface (Wi-Fi or Ethernet), click Details…, then the Proxies tab. Earlier macOS versions expose the same structure under System Preferences → Network → Advanced → Proxies.

macOS checklist

  1. Uncheck Web Proxy (HTTP) and Secure Web Proxy (HTTPS); clear host and port fields.
  2. Uncheck Automatic Proxy Configuration and remove the PAC URL (Clash often used http://127.0.0.1:... or a local file).
  3. Review SOCKS proxy if you enabled it manually; disable unless you still need it.
  4. Click OK, Apply, then toggle Wi-Fi off and on once to flush stale CFNetwork state.

If you run a Clash fork that installs a system extension or VPN profile for TUN, also read our Clash Verge Rev macOS setup article for permission flows. A leftover VPN interface can hijack routing even when HTTP proxies look empty.

PAC files and “automatic configuration” edge cases

PAC tells the browser how to choose a proxy per URL. Clash-era PAC often returns PROXY 127.0.0.1:7890 for most hosts while sending intranet names DIRECT. That is efficient until the proxy process dies: every rule still resolves to a dead hop, so even “direct” exceptions may never run if the PAC file itself is unreachable.

When you disable PAC, also delete custom entries from:

  • Windows Use setup script field (remove the entire URL).
  • macOS Automatic Proxy Configuration path.
  • Browser-only policies: Chrome’s --proxy-pac-url launch flag, enterprise policies, or managed preference profiles.

If you distribute PAC through group policy, stage a “break glass” profile that sets everything direct before uninstalling Clash on managed fleets.

Browser quirks: when the OS is clean but one app is not

Most Chromium builds on Windows and macOS default to system proxy, so clearing the OS settings fixes them together. Exceptions creep in when extensions inject their own forwarding rules, when enterprise policies pin a PAC URL, or when a developer launches Chrome with explicit flags. Firefox maintains an independent Network Settings dialog; if you once chose “Manual proxy configuration” there, it will keep using loopback even after you scrub Windows Settings. Safari on macOS generally follows the Network pane, but Private Relay or third-party content filters can masquerade as connectivity failures—isolate by testing another browser profile or a guest user. The practical rule: if curl works from Terminal but a single browser fails, spend five minutes inside that browser’s proxy UI before reopening Clash.

Environment variables: terminals outlive the GUI

Shell sessions export HTTP_PROXY, HTTPS_PROXY, ALL_PROXY, and lowercase variants. IDEs, test runners, and package managers honor them even when the OS proxy is clean. That is why curl from Terminal still fails while Safari suddenly works.

Inspect current values:

# macOS / Linux-style shells
env | grep -i proxy

# PowerShell
Get-ChildItem Env:*proxy*

Unset for the current session:

# bash/zsh
unset HTTP_PROXY HTTPS_PROXY ALL_PROXY http_proxy https_proxy all_proxy no_proxy NO_PROXY

# PowerShell
Remove-Item Env:HTTP_PROXY, Env:HTTPS_PROXY, Env:ALL_PROXY -ErrorAction SilentlyContinue

Persistent definitions hide in ~/.zshrc, ~/.bash_profile, Windows Environment Variables dialog, and CI secrets templates. For a longer treatment—including Git and npm—see our terminal HTTP and Git proxy guide.

TUN mode, virtual adapters, and client toggles

TUN captures IP traffic before it hits the normal routing table. If Clash crashes while TUN is active, some systems leave a routing shim or disabled adapter that steers flows into nowhere. Always disable TUN inside the client before uninstalling. On Windows, Device Manager may list a Clash or Wintun adapter—disable it only when you understand the dependency chain. On macOS, revisit Network settings for VPN-style interfaces created by your fork.

If you are still building a baseline install rather than recovering from a crash, the Clash for Windows setup guide walks mixed ports, UAC prompts, and first-run checks so fewer half-enabled states occur.

Prove the path is clean

After each batch of changes, validate with tools that bypass browser caches:

  1. Ping or DNS lookup a public name (ping example.com) to confirm basic reachability.
  2. cURL without proxy flags: curl -I https://example.com should return HTTP headers quickly.
  3. Compare against explicit proxy: curl -x http://127.0.0.1:7890 -I https://example.com should fail when Clash is off—proving your default path is direct again.
  4. Visit about:policy or your browser’s proxy diagnostics page if the browser alone misbehaves while curl works.

If curl succeeds but pages still fail, pivot to DNS and fake-ip issues with the DNS and fake-ip walkthrough; that article and this one cover different layers of the same symptom.

Quick reference: where each layer matters

Layer Typical Clash artifact Primary fix
Windows Settings proxy Loopback host + mixed port Disable manual proxy & script
WinHTTP Imported IE proxy netsh winhttp reset proxy
macOS Proxies tab HTTP/HTTPS + PAC URL Uncheck all; clear fields
Shell environment HTTP_PROXY exports unset / remove persistent entries
TUN / VPN interface Stale routes Disable in client; toggle interface

FAQ

Microsoft Edge works but Chrome does not

Both are Chromium; differences usually mean policies or extensions. Check chrome://net-export after reproducing, or test a clean profile. Also confirm no per-user proxy GPO targets only one browser engine.

Only one app is broken

That app may ship its own proxy table (Spotify, some IDEs, containers). Inspect that app’s network settings or inherited environment inside its launcher.

Do I need a reboot?

Rarely, but after removing VPN-style interfaces or kernel extensions, a restart clears dangling routes faster than toggling airplane mode.

One-page checklist

  1. Quit Clash gracefully; disable system proxy and TUN inside the app.
  2. Clear Windows Settings proxies and PAC; reset WinHTTP if needed.
  3. Clear macOS Proxies tab entries and PAC.
  4. Unset shell HTTP_PROXY / HTTPS_PROXY / ALL_PROXY and persistent copies.
  5. Verify with curl direct vs curl -x; if still broken, move to DNS triage.

Keep Clash maintainable

Residual proxies are a reminder to treat Clash like infrastructure: know which toggles your GUI changes, snapshot working routes, and teach muscle memory for “turn system proxy off before sleep.” When the stack is predictable, outages last minutes—not afternoons.

Download Clash for free and get back to a clean, rule-based workflow

Restore direct internet after Clash

Reset OS proxy, PAC, WinHTTP, and shell variables—then verify with curl before you chase DNS rabbit holes.

Download Clash
Previous
← DNS leaks and fake-ip
Next
Terminal HTTP & Git proxy →

Related articles

Tutorial

Clash for Windows and TUN basics

 Tutorial

Clash Verge Rev on macOS

 Tutorial

WSL2 and Windows proxy