Rule-based WireGuard

This page explains how Clash rules can select WireGuard outbounds for specific traffic instead of tunneling everything.

Overview

Rule-based WireGuard means traffic is sent through WireGuard only when a Clash rule selects it, instead of everything going through one tunnel. Normal rule routing behavior is kept, while specific traffic can use WireGuard outbounds.

Routing model

Rules still decide which policy is used. The policy can point to a proxy group that contains a WireGuard outbound, so only matching traffic uses it.

Configuration notes

Check endpoint reachability, UDP availability, MTU, and allowed IPs. A WireGuard outbound that works on one network may need to be reviewed again on a network where UDP is restricted.

Support Checks

Test with a single DOMAIN rule first. If that fails, inspect the handshake logs and verify whether DNS resolves before or after the intended rule.

Reference examples

These examples mirror the corresponding Chinese documentation page so the English page carries the same configuration material.

[Interface]
PrivateKey = ...
Address = 172.16.0.1/32
MTU = ...
Table = off
PostUp = ip rule add from 172.16.0.1/32 table 6666

[Peer]
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
PublicKey = ...
Endpoint = ...

proxy-groups:
  - name: Wireguard
    type: select
    interface-name: wg0
    proxies:
      - DIRECT
rules:
  - DOMAIN,google.com,Wireguard
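
The following is an added example, not part of the original page or of Clash itself: a simplified Python model of domain-rule matching that reports which hosts the single DOMAIN rule above binds to wg0 and which ones miss it. It goes slightly beyond the page by also modelling DOMAIN-SUFFIX, DOMAIN-KEYWORD and MATCH for comparison. The function names, the sample host names and the DIRECT fallback for unmatched traffic are assumptions of this sketch.

```python
"""Simplified model of Clash domain-rule matching (added example, not Clash code)."""

# Rule and proxy group copied from the reference example on this page.
RULES = ["DOMAIN,google.com,Wireguard"]
GROUPS = {"Wireguard": {"interface-name": "wg0", "proxies": ["DIRECT"]}}


def parse_rule(line):
    """Split 'TYPE,payload,policy' (or 'MATCH,policy') into a tuple."""
    parts = [p.strip() for p in line.split(",")]
    if parts[0] == "MATCH" and len(parts) == 2:
        return "MATCH", "", parts[1]
    if len(parts) < 3:
        raise ValueError(f"malformed rule: {line!r}")
    return parts[0], parts[1].lower(), parts[2]


def rule_matches(kind, payload, host):
    if kind == "DOMAIN":            # exact host name only
        return host == payload
    if kind == "DOMAIN-SUFFIX":     # the domain itself and any subdomain
        return host == payload or host.endswith("." + payload)
    if kind == "DOMAIN-KEYWORD":    # substring anywhere in the host name
        return payload in host
    if kind == "MATCH":             # catch-all
        return True
    raise ValueError(f"rule type not modelled: {kind}")


def select_policy(host, rules=RULES):
    """Return the policy of the first matching rule, top to bottom."""
    host = host.lower()
    for line in rules:
        kind, payload, policy = parse_rule(line)
        if rule_matches(kind, payload, host):
            return policy
    return "DIRECT"  # assumption of this model: unmatched traffic goes DIRECT


def egress_interface(host, rules=RULES, groups=GROUPS):
    """Interface the connection is bound to, or None for the default route."""
    return groups.get(select_policy(host, rules), {}).get("interface-name")


def audit(hosts, rules=RULES, groups=GROUPS):
    """Map each host to its egress interface (sample hosts are constructed)."""
    return {h: egress_interface(h, rules, groups) or "default route" for h in hosts}


if __name__ == "__main__":
    for host, via in audit(["google.com", "www.google.com", "example.org"]).items():
        print(f"{host:16} -> {via}")
```

In this model only the exact name google.com leaves through wg0; www.google.com misses the DOMAIN rule and takes the default route, which is the kind of gap to look for before adding more rules.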