Clash TUN on Windows: Fix Wintun & No Internet

Why Windows Users Reach for TUN (and Why It Breaks More Often Than a Browser Proxy)

On Windows, most “just turn on the proxy” workflows only affect applications that honor the WinHTTP or WinINET proxy settings. Games, Electron utilities, background updaters, and more than a few command-line tools will cheerfully ignore those knobs and talk to the internet directly. TUN mode changes the game by presenting a virtual network adapter and steering traffic at the IP layer, which is why privacy-conscious users and anyone chasing true global routing usually insist on it.

That power comes with two costs. First, the stack needs a kernel driver—almost always Wintun—which must install cleanly under Windows Driver Signature Enforcement. Second, once the adapter exists, your default route, DNS, and firewall all interact with Clash in ways that can produce a total blackout: the tunnel looks “up,” yet every tab spins forever. The rest of this article is an ordered field manual for both failure modes.

If you are still choosing a client, our Clash Verge Rev tutorial explains how modern Mihomo-based GUIs expose TUN toggles, UAC elevation, and Windows service integration—topics that overlap heavily with what you are debugging here.

What Wintun Is (and What “Clash TUN” Actually Controls)

Wintun is a lightweight Layer 3 TUN driver maintained by the WireGuard project. Mihomo-class cores do not reinvent that wheel; they create a virtual interface, assign it an address from your profile, and install routes so user traffic is pulled into userspace where policy-based rules can run. From Windows’ perspective, you have simply gained another NIC—think of it as a narrow bridge between the kernel forwarding plane and the Clash engine.

Because the adapter is virtual, Device Manager entries such as “Wintun Userspace Tunnel” or similarly named devices are normal. What is not normal is a yellow warning icon, a device stuck “initializing,” or multiple orphaned adapters left behind after uninstall sprees. Those states often precede GUI errors about failing to start the tunnel even when the core binary launches.

Before You Enable TUN: Baseline Hygiene That Prevents Ghost Issues

Start with a boring but high-signal checklist. Update Windows to a supported build, reboot once after major cumulative updates, and pause third-party “network optimizers” that rewrite adapters or filter drivers. Run your Clash GUI as Administrator the first time you enable TUN so the driver can register; many Verge-class clients also offer a service mode so you are not dependent on an elevated Explorer session forever.

Confirm you are not stacking two capture solutions. A commercial VPN, corporate Always-On VPN, or another TUN consumer may refuse to coexist politely. If you must combine them, decide which stack owns the default route and disable overlapping kill switches. For foundational routing and mode vocabulary, skim the documentation hub before you treat a routing clash as a broken node.

When Wintun “Cannot Install” or Device Manager Shows Code 39 / Code 52

Driver install failures rarely come with a polite essay. You might see a generic “failed to start tunnel” toast, while Event Viewer or Device Manager carries the real reason. Code 52 frequently points to signature or integrity policy: Windows is refusing to load a driver it considers untrusted. Code 39 often indicates corruption, a partial install, or a mismatch between the driver userspace expects and what is actually bound to the adapter.

Work through these steps methodically:

Remove stale Wintun instances. In Device Manager, enable “View → Show hidden devices” and uninstall duplicate “Wintun” or tunnel entries that are not in use. Reboot, then let the client reinstall cleanly.
Verify secure boot and HVCI posture. Hypervisor-enforced Code Integrity can block some third-party drivers depending on build and policy. If you are on a managed machine, IT policy may simply forbid custom adapters—no amount of YAML fixes that.
Temporarily rule out endpoint security. Corporate antivirus loves to quarantine Wintun staging files. Create a controlled exception for your Clash install folder, reinstall, and watch the vendor logs—not the GUI—for denials.
Prefer the bundled Wintun. Mixing a random wintun.dll from the internet with a mismatched driver version is a reliable way to get silent failures. Let the maintained client bundle drive versions.

If installation still fails, capture the exact error string and compare it with release notes for your client. Mihomo and GUI wrappers ship frequent fixes around Windows 11 24H2-era networking changes; running an outdated shell atop a fresh core (or the reverse) is a common mismatch.

TUN Shows Enabled, Yet Windows Reports “No Internet” — Work Top-Down

Assume your subscription validates and nodes work in Global mode without TUN. When the virtual adapter appears, the failure is almost always local routing or DNS, not the remote exit. Follow this order to avoid chasing red herrings:

Confirm the tunnel interface has an address. In PowerShell, Get-NetIPAddress filtered by the interface name your client documents should show an IPv4 assignment. No address means the core never completed setup—return to driver and permission checks.
Look at default routes. Get-NetRoute -DestinationPrefix 0.0.0.0/0 should show sane metrics. If multiple default routes fight, Windows may prefer the wrong NIC and starve the tunnel.
Test IP reachability before DNS. Ping or curl a raw IP you trust. If IPs work but names fail, you are in a DNS-only failure mode—extremely common immediately after enabling TUN with aggressive fake-ip settings.
Temporarily switch to Global mode with TUN still on. If connectivity returns, your rules are steering critical flows to a dead outbound or an unexpected DIRECT path that cannot reach the resolver you need.

Keep notes as you go. The pattern that emerges—IP works, DNS does not, versus nothing works at all—cuts debugging time dramatically.

DNS Inside the Tunnel: Fake-IP, Listeners, and the OS Resolver

TUN mode magnifies DNS mistakes because the operating system now expects the tunnel to answer queries or forward them coherently. With fake-ip, the core hands clients synthetic addresses that map back to domain rules, which is powerful but confusing if your YAML still sends DNS to an upstream that is unreachable from inside the tunnel.

Make sure the embedded DNS module is actually enabled when you expect the core to own lookups, and align nameserver, fallback, and nameserver-policy with how your proxy groups are defined. A DoH URL that references a group which itself cannot bootstrap is a classic bootstrap deadlock: the tunnel is up, yet no resolver can be reached to unlock the rest.

For a deeper privacy-oriented treatment—still highly relevant to “why nothing resolves”—read our DNS leak prevention guide. Even if your threat model is not journalistic, the same plumbing causes everyday “no internet” symptoms.

Windows Firewall, Loopbacks, and “Kill Switch” Misreads

Windows Defender Firewall rules sometimes treat a new adapter as a public network until you profile it. If the tunnel cannot accept forwarded flows from local processes, you will see bizarre partial failures—some UWP apps break while Win32 tools work. When testing, note whether the client added allow rules; if not, create a narrow allowlist for the Mihomo executable and the GUI helper rather than disabling firewall entirely.

Also distinguish a deliberate kill switch from a misconfiguration. Some users enable strict blocking to prevent leaks, then forget that the same feature will keep them offline when the only outbound is unhealthy. If you recently toggled experimental hardening options, revert them temporarily to validate baseline connectivity.

Why Some Programs Still Ignore TUN (and What You Can Realistically Do)

TUN is broad, not magical. Applications with custom forwarding stacks, raw sockets, or hardened anti-cheat kernels may still bypass user-mode tunnels. Administrative tools and some browsers in “secure DNS” modes can also short-circuit your policy by speaking DoH directly to a public resolver, which looks like “Clash is broken” when the real issue is an app-level override.

Practical responses include: enforcing OS-level DNS when appropriate, using split rules that accept the behavior, or moving those workloads to a platform with different capture semantics. On mobile, VPNService behaves differently; compare notes with our Android complete guide if you also manage phones.

Service Mode, UAC Prompts, and the “It Works Until I Reboot” Class of Bugs

Many users can start TUN manually after approving UAC, then discover it fails on reboot because the elevated helper never launched. Installing the Windows service component (where your GUI exposes it) bridges that gap. Pair service mode with a sane auto-start policy so the core comes up before background apps attempt silent updates.

If you live on a standard user account, remember that driver operations and some route changes require elevation. A non-admin session can leave the GUI showing “enabled” while underlying steps were skipped—another reason to trust console logs over icon state.

Recovery Playbook: When You Need a Clean Slate

When the stack feels poisoned, reset in stages rather than nuking everything blindly. Disable TUN in the GUI, reboot, confirm vanilla Wi-Fi works, then re-enable. If routes remain corrupted, remove custom Wintun devices, reinstall the client from a verified build on our download page, and import a minimal known-good profile before reapplying exotic rules.

As a last resort, Windows’ network reset feature fixes persistent route tables but also wipes saved SSIDs—trade that cost consciously. Document your SSIDs before you click.

Legal and ethical use: Use Clash only on networks and for purposes you are permitted to access. Respect employer policies, local laws, and provider terms. This article is for troubleshooting your own devices, not bypassing contractual or legal restrictions.

Stable TUN Is a System Problem, Not a Single Toggle

Transparent proxying on Windows succeeds when the driver, routes, DNS policy, and rule graph agree on a single story. Treat every “no internet” incident as a layered diagnosis: adapter health first, IP connectivity second, DNS third, then outbound health and rules. That ordering keeps you from swapping airport nodes when the real bug is a stale Wintun pairing or a resolver that cannot ride through your proxy group.

Compared with juggling one-off VPN clients for full-device capture, a maintained Mihomo-based Clash build keeps rules, DNS, and multiple outbounds in one place—so when something regresses after an OS update, you can diff a text profile instead of clicking through opaque vendor panels. When you are ready to standardize on a current Windows GUI with sane defaults, grab a release from our download page and pair it with the configuration reference for fine-tuning. → Download Clash for free and experience the difference.