Tutorial 2026-04-05 · ~15 min read

Set Up Clash Verge Rev on macOS: Permissions, Kernel Pick, and Subscription Verification

After installing a Clash Verge–style Meta GUI on a Mac, three things confuse people the most: permission dialogs, the kernel dropdown, and subscriptions that seem to do nothing. This guide follows a single path — first launch → permissions and extensions → kernel → subscription → proxy toggles → verification — so you reach a working connection without guessing. If you still see odd DNS behaviour afterwards, we link to a dedicated DNS troubleshooting article.

What is Clash Verge Rev, and what does “Meta family” mean?

Clash Verge Rev is a actively maintained GUI line built on top of the Clash Verge experience. It usually drives the mihomo core (formerly known as Clash Meta). People call these clients “Meta family” because they rely on Meta/mihomo features: newer protocols, extended rule syntax, and richer policy groups than legacy Clash Premium–only setups.

Labels move between releases, but the mental model is stable. A profile holds the YAML your provider’s subscription generates. The kernel executes that YAML. System proxy and TUN decide how macOS applications hand traffic to Clash. First-time setup is simply making those three layers line up: downloaded, selected, and enabled.

Before you start

Checklist

  • macOS on a current stable release, so System Settings exposes the full Privacy & Security and System Extensions workflow.
  • A trustworthy installer from the project’s release page or another source you deliberately trust.
  • A Clash- or Meta-compatible subscription URL (typically https://). If the dashboard only shows a single format, ask support whether mihomo is supported.
  • An administrator password ready — approving system extensions, helper tools, or TUN services always prompts for it.

Some subscription endpoints only resolve or respond after you are already proxied — the classic chicken-and-egg problem. Mitigations include a domestic mirror URL from your provider, tethering briefly through a phone that already has connectivity, or fetching the profile from another working device and transferring the file securely.

Install the app and pass Gatekeeper

Drag the app from the .dmg into Applications, then launch it from there. If macOS says the app cannot be opened because the developer cannot be verified, do not hammer-click the icon. Instead, Control-click → Open once and confirm — that is Apple’s documented first-run path for unidentified developers.

Tip

Running straight from the mounted DMG volume can cause inconsistent permission prompts and update behaviour. Copy to Applications first.

macOS permissions you actually need to understand

Verge-style apps may request several capabilities. Group them by purpose so you know what you are approving:

  • Local network access lets the app bind proxy ports and talk to other processes on the machine. Denying it can leave the UI “fine” while browsers never reach 127.0.0.1:PORT.
  • Login items / background execution affects auto-launch at sign-in. Refusing does not break manual sessions.
  • Keychain prompts sometimes appear when persisting proxy settings or stored credentials. If you deny by mistake, macOS may fail to apply system proxy toggles until stale keychain entries are cleared.
  • System extensions and Network Extensions underpin TUN. TUN requires explicit approval under System Settings → Privacy & Security, and occasionally a reboot before the extension loads.

Heads-up

MDM-managed Macs may block system extensions entirely. If that is your case, plan around system proxy only and accept that some apps ignore it.

For browser-first workflows, start with system proxy only. Prove Google or GitHub loads under Rule mode, then layer TUN on top when you truly need full-process capture. Jumping straight into TUN plus DNS tweaks multiplies variables and makes the first hour painful.

Kernel choice: Meta (mihomo) vs Clash Premium

Settings may expose Meta / mihomo and Clash Premium (wording varies). Use this decision tree:

  • Default to Meta when your subscription includes vless, hysteria, tuic, or other extensions — Premium will simply not understand those profiles.
  • Premium is niche now. Only switch as a controlled experiment when your provider explicitly tests against Premium and your nodes are classic SS/VMess stacks. If anything breaks, return to Meta and reload the profile.
  • After switching kernels, restart the core or trigger a full reload. Stale processes are a frequent reason people think a “good subscription” failed.

Practice

Change one variable at a time during first connect: keep Meta + system proxy, validate browsing, then explore TUN or DNS overrides.

Subscriptions, updates, and the active profile

Pasting a URL is only halfway. Close the loop deliberately:

  1. Open the Profiles / Subscription section, paste the URL, and run Download or Update until it finishes without errors.
  2. Select that profile so it becomes the active configuration (highlighted row, checkmark, or an explicit “Use” control depending on the build).
  3. Open the proxies view and confirm a non-zero node count. Empty lists mean you should not bother toggling proxies yet.
  4. Set a sane auto-update interval (12–24 hours is typical) so stale nodes do not linger for days.

A very common “subscription does nothing” report is actually an inactive profile: the new file downloaded, but the app still runs the bundled blank profile or an older file, so every request stays on DIRECT or never hits your nodes. Explicitly switching the active profile fixes that immediately.

System proxy vs TUN — which one first?

System proxy directs HTTP/HTTPS-aware apps to Clash’s local listener. Safari and Chrome follow it by default. TUN creates a virtual interface and manipulates routing tables so CLI tools, games, or stubborn binaries also traverse Clash.

  1. On day one, enable System Proxy from the menu bar or dashboard and keep mode on Rule instead of permanent Global.
  2. Make sure no other proxy client still owns the same local ports; quit duplicates before testing.
  3. When you need TUN, install the helper or service first, approve the system extension, reboot if macOS demands it, then enable TUN. Corporate VPNs may conflict — plan for split tunnelling or choose one stack at a time.

Verify connectivity in a sensible order

This sequence separates subscription issues, dead nodes, and DNS/rule oddities without reinstalling everything:

  1. Run the built-in latency test. Widespread timeouts usually mean local time skew, TLS interception, or the entire node set is unreachable — fix that before touching DNS.
  2. Load both an overseas site and a domestic landing page under Rule mode. You should see overseas traffic proxied while domestic sites stay snappy on DIRECT.
  3. Read connection logs. Repeated connection refused or i/o timeout entries point at the exit node. Clean logs but blank pages nudge you toward DNS and rule tuning instead.

Download Clash for free and get online faster — maintained clients with readable logs shrink first-day debugging time compared to random repacked builds.

Still stuck? Narrow it with this matrix

Subscription updates but shows zero nodes

Double-check query tokens, copy-paste whitespace, and whether you grabbed a dashboard HTML link instead of the raw subscription endpoint. Download the URL in a browser: you should see YAML text, not a login page.

System proxy toggle on, browsers ignore it

Inspect System Settings → Network → your interface → Details → Proxies for 127.0.0.1 and the correct port. “Cleaner” utilities sometimes wipe those fields moments after Clash sets them.

Only specific domains fail

That pattern usually means policy or DNS, not “slow nodes”. Temporarily switch to Global as a contrast test: if Global works while Rule fails, refine selectors and domain rules instead of rotating providers blindly.

Once status icons look green and logs show activity, yet browsers still hang, you have likely crossed into DNS, fake-ip, and browser DoH territory. Continue with our article “Clash Connected but No Internet? DNS & Fake-IP” and follow its ordered checklist instead of swapping nodes at random.

Summary: shortest path from install to browsing

  1. Install properly, pass Gatekeeper, and approve system extensions only when you truly need TUN.
  2. Keep the Meta kernel selected and reload after any kernel change.
  3. Import the subscription and mark that profile active; confirm nodes exist.
  4. Enable system proxy, stay on Rule, run latency tests, then verify in a browser.
  5. Use logs to decide whether the next step is nodes, DNS, or rules — and read the DNS guide if needed.

Get the Mac build from a source you trust

Our download hub points to maintained clients so your first profile import matches what the docs describe.

Download Clash (macOS)
Previous
← DeepSeek / Gemini routing
Next
Connected but no internet →

Related posts

Windows

Clash for Windows setup

 Basics

Clash beginner guide

 Hub

macOS tutorial index