Tutorial 2026-04-09 · ~21 min read

Install OpenClash on OpenWrt: Subscription Import and Whole-Home Proxy Setup

Desktop and phone Clash clients are great for one machine. When you want every TV, console, and phone to share the same rules without per-device apps, OpenWrt plus OpenClash (luci-app-openclash) puts a Clash-class core on the router. This guide walks through subscription import in LuCI, transparent proxy for the LAN, main-router versus bypass-router layouts, and the firewall and DNS details that differ from a PC install—so searches like “OpenWrt OpenClash tutorial” or “bypass router proxy” land on a coherent path.

Why run Clash on the router at all

A router deployment moves policy to the network edge. Clients do not need local proxy settings if you use transparent redirection: TCP (and sometimes UDP) from the LAN is steered through the Clash core before it leaves the WAN. That matches the intent behind queries such as “router Clash subscription” or “whole-home proxy OpenWrt”—one place to update nodes and rules, consistent behavior for guests, and fewer “this app ignores the system proxy” surprises on embedded devices.

The trade-off is responsibility. Your router’s CPU and RAM budget matter; flash wear from frequent writes matters; and mistakes in DNS hijack or forwarding zones can take down internet access for the whole house. Treat router OpenClash as infrastructure: snapshot configs before big changes, and keep a serial or recovery image path if you brick Wi-Fi.

Firmware, hardware, and realistic expectations

OpenWrt should be a stable release that matches your device’s target (aarch64_cortex-a53, x86_64, and so on). OpenClash bundles or depends on a modern Clash core (often Clash Meta / Mihomo lineage in recent builds). Check that you have enough free flash for the core plus GeoIP or rule databases the plugin may download, and enough RAM that enabling large rule sets does not trigger OOM on a busy evening.

Installation paths vary by community: some users add a custom feed, others install a prebuilt ipk from the project’s release page that matches their OpenWrt version and architecture. Do not mix architectures; do not blindly flash a generic binary. After any install, reboot once and confirm LuCI loads—only then layer OpenClash.

Compliance

Use proxies only where your subscription terms and local laws allow. This article is network engineering on hardware you own; it does not endorse bypassing restrictions unlawfully.

Installing luci-app-openclash (high level)

Exact commands depend on your feed layout. The recurring pattern is: update package lists, install luci-app-openclash and dependencies, then refresh LuCI (hard refresh the browser). You should see an OpenClash entry under the Services menu. First launch may download cores or Geo files; allow WAN access temporarily if your firewall is strict.

If the service fails to start, read logread on the router and the OpenClash log panel before changing ten settings at once. A missing iptables backend, or an nft/iptables mismatch between kernel and userspace, is a common friction point when users mix snapshots with older packages.

Subscription import in LuCI

OpenClash mirrors what you already know from desktop clients: a subscription URL (often HTTPS) returns a profile or a list of nodes. In the plugin UI, add a provider or subscription entry, paste the URL, set an update interval if offered, and run a manual update once to confirm the router can reach the endpoint. TLS failures usually mean wrong system time, missing CA bundle, or a captive portal on WAN—fix WAN first.

After nodes appear, choose a template or profile that matches how you want to split traffic (rules, global, etc.). Importing is only half the job: you still need to decide redir-host versus fake-ip for DNS, whether to use the plugin’s fake-ip filter lists, and which fallback DNS to use when the tunnel is down. If you are new to Clash semantics, our beginner guide explains policy groups and modes before you tune the router.

Subscription checklist

  1. Confirm WAN is healthy (ping, DNS) without OpenClash.
  2. Add the subscription URL; verify node count after update.
  3. Select a stable ruleset profile for your region mix.
  4. Enable the service and watch connections—not just “running” status.

Main router versus bypass router (旁路由)

Two topologies cover most home labs:

  • Main router: OpenWrt is the default gateway for the LAN. DHCP hands clients the router’s LAN IP as gateway and DNS. Transparent proxy rules apply to everyone automatically. Simple mental model, fewer static routes.
  • Bypass / side router: An upstream ISP or “primary” router keeps doing NAT to the internet. The OpenWrt box sits on the same Ethernet segment with a static LAN IP (for example 192.168.1.2 while the primary is 192.168.1.1). Clients that should use Clash are pointed at this IP as default gateway and/or DNS, either per host or via DHCP scope on the primary—if the primary’s DHCP allows custom gateway/DNS—or by running DHCP only on the OpenWrt unit for a dedicated SSID or VLAN.

Bypass mode is popular when you cannot replace ISP firmware or when you want only some devices to pass through Clash. The cost is double NAT or policy routing complexity: you must avoid DHCP conflicts, ensure the bypass device has a route back to clients, and sometimes add static routes on the primary so return traffic is symmetric. Misconfigured bypass setups produce “some sites load, some hang” symptoms that look like DNS but are really asymmetric forwarding.
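A worked bypass-router configuration, added here as an example rather than taken from OpenClash's or OpenWrt's own files. It assumes the addresses used above (primary router 192.168.1.1, OpenWrt box 192.168.1.2), a /24 segment, and that DHCP stays on the primary; the LAN-zone masquerade is the usual fix for the asymmetric-return symptom described above.

```uci
# /etc/config/network on the OpenWrt bypass box (assumed addresses, not from the page's project)
# The primary router keeps doing NAT to the internet; this box only needs a
# static address on the shared segment and a default route via the primary.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# /etc/config/dhcp on the same box: never run a second DHCP server on the
# segment the primary already serves, or clients will get conflicting leases.
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

# /etc/config/firewall on the same box: masquerade on the LAN zone so replies
# from the primary come back to this box (which holds the connection state)
# instead of going straight to the client and being dropped as asymmetric.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
```

Clients that should use Clash are then pointed at 192.168.1.2 as gateway and DNS, either by reservation on the primary's DHCP or by a static address on the host.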

Related read

If you keep Clash on a PC but share the LAN port, see Clash LAN proxy: mixed-port and allow-lan for bind addresses and firewalls—many ideas transfer when comparing “one host as proxy” versus “router as proxy.”

Transparent proxy and DNS on OpenWrt

On a PC, TUN mode grabs traffic from the local machine and can cooperate with OS DNS. On a router, transparent modes typically rely on iptables REDIRECT or nftables rules plus a DNS path through dnsmasq or the plugin’s DNS listener. OpenClash usually offers toggles for “DNS hijack,” “local DNS,” and compatibility between fake-ip and redir-host.

Fake-ip answers clients quickly with synthetic addresses and resolves real destinations inside the proxy; it can break naive applications that probe DNS outside the tunnel. Redir-host is closer to ordinary resolution but may interact differently with CDN locality. If phones show “connected but no internet,” treat DNS before you swap exit nodes—our DNS and fake-ip troubleshooting article is written with Clash in mind and applies to router stacks when symptoms match.

IPv6 adds another layer. If your ISP delegates IPv6 and clients prefer it, half your traffic might bypass IPv4 rules unless you align IPv6 ULA, forwarding, and the plugin’s IPv6 switches. Disable IPv6 temporarily when debugging if you need a clean baseline.

Firewall, zones, and forwarding

Unlike a laptop, an OpenWrt router enforces a zone-based firewall: lan→wan forwarding must permit forwarded traffic, and input to the router for DNS or the LuCI port must be intentional. OpenClash may inject NAT and mangle rules; third-party “hardening” scripts sometimes delete them on reload.

When a client uses a bypass gateway, the primary router must not block intra-LAN forwarding to the OpenWrt box. Guest Wi-Fi isolation features on mesh systems often block access to the Clash router’s IP—either move those clients to the main profile or add an explicit allow rule. For manual testing, tcpdump on the OpenWrt WAN and LAN bridges shows whether SYN packets arrive and whether replies return.

  Symptom                                      Often points to
  Only HTTPS through proxy works; ICMP odd     Partial redirect or mixed IPv4/IPv6 paths
  LuCI works, LAN clients do not               DHCP still pointing at upstream gateway/DNS
  Intermittent “DNS_PROBE” on phones           DoH on clients bypassing router DNS, or fake-ip mismatch

DHCP, gateway, and DNS handouts

For whole-home coverage, decide a single source of truth for gateway and DNS. If OpenWrt serves DHCP to the LAN, set option 3 (router) and option 6 (DNS) to the router’s LAN address when you want all clients to use the plugin’s DNS chain. If another device serves DHCP, mirror those options there or use per-host reservations.

Some operating systems cache old DHCP leases aggressively. After a gateway change, toggle airplane mode on phones or renew leases on desktops. Static IP experiments are fine for one PC; long-term, automate via DHCP to avoid mystery outages when addresses shift.
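The main-router counterpart, covering both the zone forwarding from the firewall section and the DHCP handouts just described. This is an added example, not the page's or the plugin's own configuration; it assumes the OpenWrt LAN address is 192.168.1.1 and stock zone names lan and wan.

```uci
# /etc/config/dhcp (assumed LAN address 192.168.1.1, not from the page's project)
# Explicit option 3 (router) and option 6 (DNS) make every client use the
# router, and therefore the plugin's DNS chain, regardless of upstream hints.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '3,192.168.1.1'
	list dhcp_option '6,192.168.1.1'

# /etc/config/firewall: LAN may reach the router itself (DNS, LuCI) and be
# forwarded to WAN; WAN input stays rejected. OpenClash adds its own NAT and
# mangle rules on top of these zones, so keep reload scripts from wiping them.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'
```

After editing, run /etc/init.d/dnsmasq restart and /etc/init.d/firewall restart, then renew a lease on one phone and one wired PC and confirm both report 192.168.1.1 as gateway and DNS.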

How this differs from a desktop Clash client

Desktop clients can use per-process rules with TUN on Windows or macOS; a router generally does not see process names from LAN clients—policy is IP, port, and domain oriented. You lose some granularity and gain coverage. CPU load is shared with NAT, Wi-Fi encryption, and SQM if you run cake or fq_codel. Remote management is through LuCI or SSH, not a tray icon—keep backups of /etc/config and exported OpenClash YAML.

For headless Linux servers (not routers), our Clash Meta on Linux with systemd article complements this one: similar core, different init and networking context.

Operational checklist

  1. Firmware stable; enough RAM and flash for cores and rules.
  2. WAN works without OpenClash; time sync sane.
  3. Subscriptions update; at least one node health-checked.
  4. Transparent mode on; DNS mode chosen and hijack consistent.
  5. Firewall zones allow intended forwarding; no duplicate DHCP war.
  6. Test from two device types (phone + wired PC) after each change.

FAQ

Router CPU maxed; Wi-Fi slows down

Try a lighter rule set, reduce concurrent connections, move to hardware with AES-NI if you use heavy encryption on x86, or offload Clash to a small dedicated box and keep OpenWrt as plain routing.

Bypass topology: intermittent sites

Check symmetric routes, disable client DoH for testing, and verify the primary router is not hairpinning incorrectly. Capture packets on both routers’ LAN ports.

Subscription updates fail on the router only

Verify certificate store, disk space, and that WAN DNS is not filtered. Some ISPs intercept HTTP—use HTTPS subscription URLs.

Where Clash still fits on endpoints

Router OpenClash handles the household baseline; laptops on the road may still run a native Clash client for coffee-shop Wi-Fi. Download Clash for free and keep one familiar UI for rule edits while the router runs a narrower, stable policy at home.

Proxy the whole LAN from one box

OpenWrt plus OpenClash turns subscription rules into network-wide policy—pair with solid DNS and firewall hygiene.
