v4.1.0

Release v4.1.0

Auto-fill the firewall fake-IP whitelist (between # AUTO-BEGIN / # AUTO-END) with IPv4 IP-CIDRs from rule-providers your config uses.

• rules: (all modes): RULE-SET,, lines are included when the action is not treated as local-only (e.g. not DIRECT / REJECT / …).

• dns.fake-ip-filter:
  whitelist: also merge entries as RULE-SET: (colon syntax).
  rule: also merge entries as RULE-SET,,fake-ip (comma routing-style; real-ip lines are ignored).

v4.0.0

Release v4.0.0

hot reload, noresolv fix, fake-ip rule mode, kernel update hardening, UI polish, version footer

• Prevent auto-start on first install (wait for user config)
• Add hot reload via Mihomo API (HTTP/HTTPS) as primary Save action; split-button with "Save & Reload config" / "Save & Restart core"
• Fix noresolv persistence across unclean shutdowns (dnsmasq DNS lost after power loss); move backup to /opt/clash/.dns_backup
• Support fake-ip-filter-mode: rule for IP-CIDR whitelist
• Harden Mihomo kernel update: stop service before replace, explicit chmod 0755, verify exec bit, clearer errors
• Always pick amd64-compatible kernel asset on amd64 (avoid v3 crash on older CPUs)
• Settings UI polish: compact HWID User-Agent/Device OS grid, unified card-style "Additional Settings", consolidated Status panel, single dynamic Proxy Mode hint, deduplicate Restart Service button
• Rulesets UI: empty-state placeholder, destructive Delete button, line-count badge in headers
• Add footer in config.js with author (ZeroChaos), donate link and GitHub update check

v3.9.0

Release v3.9.0

feat: harden TUN/MIXED stability, fix APK config overwrite

clash-rules:

• Add configurable TUN stack (system/gvisor/mixed) with preflight check
• Add self-healing for policy routing: validate + repair on respawn
• Register fw4 include hook so clash-tun firewall rules survive fw4 reload
• Add INPUT accept rule for clash-tun (nft + iptables)
• Add ip rule pref 1000/1001 to avoid conflicts with Tailscale/other policy routing
• Disable bridge-nf-call-iptables when TPROXY active and kmod-br-netfilter loaded
• Fix ip rule regex matching for various fwmark formats (0x3, 3, 0x0003/0xffffffff)
• Use unbounded while loop in teardown to remove all duplicate ip rules
• Suppress repetitive log messages via CLASH_RULES_QUIET env

init.d/clash:

• Wait up to 30s for clash-tun interface in service_started()
• Call repair_forward_rules after tun_route_setup on respawn

hotplug.d/net/99-clash-tun:

• New hotplug script: reacts to clash-tun device add, runs tun_route_setup

settings.js:

• Add TUN Stack selector (visible only when TUN or MIXED mode selected)
• Wire tunStack into config.yaml generation

Makefile:

• Install 99-clash-tun hotplug script
• Fix APK config overwrite on OpenWrt 25: add protected_paths.d/ssclash.list
• Add preinst/postinst backup/restore for transitional APK upgrades
• Conditional install of protected_paths.d (ifdef CONFIG_USE_APK)

v3.8.0

Release v3.8.0

• fix(tun): restore clash-tun route on mihomo respawn in TUN/MIXED mode

Replace one-shot _spawn_tun_route_daemon with a lightweight one-shot
background watcher (_wait_and_set_tun_route) called on every procd
respawn via service_started. Fixes UDP blackout after mihomo restarts
in TUN and MIXED proxy modes.

• feat(hotplug): add 40-clash hotplug script

Automatically updates HTTP proxy-providers and rule-providers via
mihomo REST API when WAN interface comes up. Handles PPPoE late start,
reads API port and secret from config.yaml, URL-encodes provider names,
filters out non-HTTP (static) proxy providers by vehicleType.

• feat(log): show clash-hotplug entries in log viewer

Extend processLogLine regex to match clash-hotplug tag (no PID suffix).
Add orange marker 🟠 for hotplug log entries.

v3.7.0

Release v3.7.0

• fix: avoid early DNS resolves and remove pure shell base64 fallback
• feat: auto cron update and unique subscription IP cache
• fix: some config tweaks
• refactor: short error details
• feat: improve local rulesets yaml usage hint

v3.6.0

Release v3.6.0

• Add TUN route watcher daemon
• fix: unconditional iptables QUIC cleanup
• refactor: clean up loop prevention, settings parser, addHwidToYaml and restart button
• fix: harden startup rollback, stale lock cleanup, and pre-reload config validation

v3.5.0

Release v3.5.0

• Fix MIXED mode UDP routing

v3.4.0

Release v3.4.0

New features

• TPROXY / TUN / MIXED modes — Added support for TPROXY, TUN, and MIXED modes for flexible proxy routing.
• Fake-IP whitelist: IP-CIDR for firewall — In fake-ip whitelist mode, added support for an IP-CIDR list used only by the firewall (nft set/ipset). Traffic to the specified IPs/subnets is marked and sent through the proxy at the firewall level (nftables/iptables), not just domain-based traffic.

Changes and refactoring

• HWID — HWID header injection moved from config.js to settings.js; headers are applied when saving settings instead of on every config save/apply.
• OpenWrt — Package layout refactored for compatibility with OpenWrt feeds.
• TPROXY, dependencies & docs — Updated base-utils dependencies and documentation.
• Tmpfs rules — Tmpfs rules are now optional and controlled via settings.

v3.3.0

Release v3.3.0

Automatically adds device identification headers (x-hwid, x-ver-os,
x-device-model, User-Agent) to proxy-providers in config.yaml.
Supports Remnawave provider requirements.

Features:

• Auto-generate HWID from MAC address (MD5)
• Detect OpenWrt version and device model
• Configurable User-Agent and Device OS
• UI toggle in Settings page

Files changed:

• settings.js: HWID configuration UI
• config.js: YAML header injection
• ACL: added permissions for system info access
• i18n: Russian translations

v3.2.0

Release v3.2.0

Changes

• fix: Tested and fixed iptables support

Packages

• IPK packages for OpenWrt 24.10.x (opkg)
• APK packages for OpenWrt 25.12.x (apk package manager)

Build Information

• Build date: Sun Jan 11 18:01:25 UTC 2026
• Supported architectures: x86/64