Tailscale and Clash Fighting? Fix TUN Stack, LAN Bypass, and Route Priority Step by Step
Tailscale and Clash are both happiest when they own a clean path to the routing table. Turn on two tunnel stacks at once and you get the classic second-tunnel symptoms: LAN printers disappear, 192.168.x.x hops through the wrong interface, public sites flap between direct and proxy paths, or the mesh CGNAT range collides with an aggressive policy. This article walks through a repeatable sequence: stabilize one layer, introduce the other, then align TUN mode, private-network bypass (including bypass-private-network where your core exposes it), and OS route priority so mesh VPN and transparent proxy can coexist without guessing.
What “fighting stacks” usually looks like
Most reports boil down to three buckets. First, local segmentation breaks: your NAS, HDMI dongle admin page, or office intranet sits on 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, yet packets ride into Clash’s virtual adapter instead of your Ethernet or Wi-Fi NIC. Second, public internet instability: default-route churn makes sessions bounce between Tailscale’s tunnel and Clash’s policy engine, which shows up as intermittent TLS failures or sudden latency spikes even when each product works in isolation. Third, magic DNS or subnet routes from the mesh layer steer traffic you intended to keep domestic into an exit node or peer path that your rule file never accounted for.
The fix is not “uninstall one forever.” It is to make the routing story explicit: which prefixes must stay on the physical LAN, which belong to the mesh, and which should be policy-spliced by Clash after those baseline routes are stable. If you already debug similar overlap in WSL2 mirrored networking with Clash or VMware and Parallels host routing, you will recognize the pattern—we are reconciling two independent network stacks that each think they should intercept “everything interesting.”
Mental model: who intercepts first?
Think in terms of packet capture order and longest-prefix wins. Tailscale installs interface addresses in the 100.64.0.0/10 carrier-grade NAT-style space for peers, advertises mesh routes, and may push subnets from the admin console. Clash TUN creates another virtual NIC, programs routes so userland can classify flows, and (depending on your YAML) may also try to capture broad swaths of corporate or domestic IP space when private bypass is misconfigured. Neither product “knows” about the other’s intent unless you teach your configuration and OS routing table that relationship.
Rule of thumb
Before tuning Clash rules, ensure RFC1918 and your real LAN gateways are not being sucked into the Clash TUN path. Once local prefixes are exempt, mesh routes and public policy routing become dramatically easier to reason about.
Step 0 — Capture a baseline on plain connectivity
Reboot cold or at least toggle both products off, then record three snapshots while everything still works: your default gateway, the output of your platform’s route listing command, and a quick traceroute to an internal IP and a public IP. On Windows, route print -4 and Get-NetRoute are sufficient; on macOS, netstat -rn -f inet; on Linux, ip route. Keep these notes—you will diff against them after each change instead of chasing five variables at midnight.
Minimal baseline checklist
- Physical NIC IP, subnet mask, and gateway for your LAN.
- Whether Tailscale reports an exit node or subnet routes (note exact CIDRs).
- Whether Clash is set to system proxy only versus full TUN.
Step 1 — Bring Tailscale up cleanly
Enable Tailscale alone and confirm mesh connectivity: ping a peer by its 100.x address, hit an advertised subnet if you use one, and verify admin-panel policies (ACLs, split DNS, exit nodes) match what you expect. If you rely on an exit node, remember that it rewrites default routing for internet-bound flows—Clash will inherit that world unless you stage exclusions later. Document the additional routes Tailscale inserts; you will need the same CIDR precision when deciding what Clash may still intercept.
Homelab readers sometimes collide Tailscale’s 100.x addressing with provider CGNAT—you usually do not need to change Tailscale’s net, but you do need to ensure Clash GEOIP or catch-all rules are not blindly steering RFC6598 space into a distant proxy node. When in doubt, add explicit rules for mesh traffic above broad matcher lists.
Step 2 — Introduce Clash TUN without touching LAN yet
Now enable Clash with TUN, but prioritize settings that exclude private networks before you refine public rule sets. In Clash Meta family cores you will often see toggles or YAML under tun: controlling stack mode (system versus gVisor on some platforms) and flags such as bypass-private-network: true (wording varies slightly by release—check your exact schema). The intent is uniform: traffic destined for RFC1918 space should exit via the normal interface metrics, not loop through the policy engine, unless you have a deliberate lab reason to do otherwise.
UI-first clients mirror the same idea with “bypass LAN,” “skip private addresses,” or comparable toggles. If your front-end hides the knob, open the generated profile—you are looking for the TUN stanza that mirrors what the kernel will program.
When bypass is off
Disabling private bypass is useful for exotic lab setups, but in home and office networks it is the fastest way to make printers, routers, and security cameras “vanish” behind a fake stack. Turn it back on before blaming Tailscale.
# Illustrative tun stanza — keys differ slightly by core and client
tun:
enable: true
stack: system # or gvisor — pick what your OS supports best
auto-route: true
strict-route: false # often helps reduce circular routes; verify per OS
bypass-private-network: true
After saving, re-run your route snapshot. You should still see concise on-link routes for your LAN prefix and Tailscale’s interface; Clash should add narrowly scoped redirection without erasing gateway reachability to your appliance subnet.
Step 3 — YAML sanity beyond TUN: domestic IP rules
Even with bypass-private-network enabled, GEOIP:cn (or any large domestic bucket) can still reroute corporate RFC1918 if your enterprise uses public address space internally or if remote rule providers ship overlapping CIDRs. Keep high-confidence IP-CIDR exemptions for known LAN ranges above coarse GEOIP lines. If you merge providers automatically, confirm overrides stay near the top after every refresh. For mixed HTTP/SOCKS scenarios on the LAN without forcing everyone through TUN, compare with mixed port and Allow LAN patterns.
Step 4 — Route priority and interface metrics
When two virtual adapters both believe they handle “interesting” destinations, the kernel picks based on prefix length, metric, and ordering—behavior that differs by OS. Symptoms include traffic taking a higher-latency tunnel when a one-hop Wi-Fi path exists, or Tailscale subnet routes losing to a stale Clash entry until you restart either service.
| Platform | What to inspect | Typical lever |
|---|---|---|
| Windows | Get-NetIPInterface, route table ifIndex |
Adapter metric, disable unused miniports |
| macOS | Network service order, VPN profiles | Service priority, Tailscale menu reset |
| Linux | ip route show table all |
policy routing tables, systemd unit order |
As a workflow, adjust one metric at a time, rerun traceroute, and only then touch Clash policy groups. If you edit metrics aggressively on a corporate-managed laptop, document the change—MDM profiles sometimes snap them back after sleep.
Step 5 — DNS order and “split brain” resolution
Clash’s DNS and fake-ip stack interacts poorly with mesh MagicDNS when both try to synthesize answers. Stabilize by choosing a single resolver order for the LAN segment: either let Tailscale push split DNS and keep Clash in redir-host-friendly modes that respect OS resolution for domestic names, or centralize all upstream queries inside Clash but explicitly forward mesh suffixes to Tailscale’s resolver. Mixing without a plan yields “site works in browser but not in CLI” paradoxes because each stack resolves to different address families. If symptoms resemble generic breakage, cross-check connected but no internet DNS and fake-ip before you rip out either tunnel.
Step 6 — Verify with traceroute, not vibes
For each target class—LAN host, Tailscale peer, public site—run traceroute twice: with only Tailscale, then with Clash TUN on. The second hop should not wander into a proxy appliance unless your rule set intends it. If LAN traffic suddenly introduces an extra synthetic hop, private bypass failed or a coarse rule stole the prefix. If public traffic double-bounces through both tunnels, revisit default route metrics and exit-node settings.
Logging discipline
Capture Clash logs with process and rule matcher columns while reproducing. Pair that with Tailscale’s local CLI status output; mismatches between “which adapter answered ARP” and “which rule matched SNI” close cases much faster than toggling cities on your provider panel.
Headscale, Netbird, and other mesh VPNs
Self-hosted Headscale or Netbird follows the same engineering constraints: virtual interface, CGNAT-style peer space, optional subnet routing. The UI differs; the remediation order does not—establish mesh routes first, enable Clash TUN with private bypass, then refine YAML ordering and DNS. Enterprise Zero Trust clients that inject their own filters may add a third layer; treat them like another TUN contender and iterate metrics carefully.
FAQ
LAN dies the instant I enable Clash TUN
Enable bypass-private-network (or equivalent) and confirm no overriding IP-CIDR rule sends RFC1918 to a foreign proxy. Re-check strict-route settings if your OS loops packets.
Tailscale connects but throughput collapses when Clash is on
Inspect exit-node stacking: two encrypted defaults multiply RTT. Consider excluding Tailscale interface traffic from Clash by interface name or CIDR where your core permits.
Windows updates broke the ordering
Re-run adapter metric adjustments after major feature upgrades; Windows sometimes reinstalls filter drivers that reorder miniport metrics.
Final coexistence checklist
- Baseline routes without either tunnel.
- Enable mesh VPN alone; document
100.xand subnet routes. - Enable Clash TUN with private bypass on; diff routing tables.
- Pin LAN CIDR exemptions above coarse GEOIP rules.
- Align DNS so MagicDNS and Clash upstreams do not fight.
- Validate with traceroute for LAN, mesh, and public targets.
Get a maintainable Clash build
Once TUN capture and bypass defaults behave, Tailscale becomes “just another interface” in your mental map—powerful, but predictable. A modern Meta-capable core with transparent logs and clear rule merge behavior keeps the long-term maintenance burden low.
Two tunnels, one routing story
Align Clash TUN bypass settings and OS metrics so mesh VPN and LAN traffic stay on the right interfaces.
Download Clash