Enable Clash Verge Rev External Controller on Windows 11: Web Dashboard and Secret Setup (2026)
You want to watch live connections, switch proxy groups, or debug rules from a browser—not only from the Verge tray. That means turning on Mihomo’s external-controller REST API, setting a dashboard secret, and opening a Clash Web dashboard against 127.0.0.1 on Windows 11. This guide stays on the management interface: it does not cover sharing your proxy with phones over Wi‑Fi—that is a different knob entirely.
What external-controller actually does (and what it is not)
Mihomo—the core inside Clash Verge Rev—speaks to clients through two different families of network listeners. Your everyday browsing hits the proxy listeners (mixed-port, socks-port, or TUN capture). The external-controller listener is a separate management REST API: dashboards, scripts, and automation tools call it to read runtime state, flip selector groups, reload configs, and inspect connection tables.
Search results that mention “Clash Web panel” or “external controller” usually describe this API plus a browser UI that wraps it—projects like yacd, metacubexd, or dashboard builds maintained in the Mihomo ecosystem. The native Verge window already exposes much of the same data, but a Web dashboard shines when you want a wide connections grid on a second monitor, a bookmarkable admin page, or a workflow that mirrors what you run on a headless Linux box.
Crucially, external-controller is not allow-lan. Enabling LAN proxy sharing—so your phone uses the PC’s HTTP port—is documented in our Windows 11 LAN proxy and firewall guide. That article opens the data plane port to the subnet. This article configures the control plane. Confusing the two is how people accidentally publish port 9090 to the entire apartment network while only trying to fix Instagram on a tablet.
If Verge is not yet importing subscriptions or system proxy feels broken, pause here and walk through Clash Verge Rev on Windows 11: first install — system proxy vs TUN and no internet fixes. The controller API assumes Mihomo already loads a profile successfully.
Default ports, bind addresses, and the secret field
Community configs often ship with commented lines resembling:
external-controller: 127.0.0.1:9090
secret: "replace-with-a-long-random-string"
The address before the colon is the bind interface. 127.0.0.1 limits API access to programs on the same PC—browsers, curl, local scripts. 0.0.0.0 or a specific LAN IP listens on every matching interface, which is convenient for a tablet on the same Wi‑Fi and dangerous if you skip authentication or firewall rules.
The secret value becomes a shared password. Dashboards send it as a header (commonly Authorization: Bearer … depending on the UI). Mihomo rejects mutating requests when the secret mismatches. Treat it like a VPN credential: generate something long, store it in a password manager, and rotate if you ever pasted it into a screenshot.
Port 9090 is conventional, not mandatory. If another tool already owns 9090—some IDE plugins, legacy CFW sidecars, or corporate agents—pick a high unused port and update every bookmark consistently. On Windows 11, netstat -ano | findstr :9090 still answers “who stole my port?” faster than guessing from error toasts.
Security baseline: For daily desktop use, bind external-controller to 127.0.0.1, set a strong secret, and avoid advertising the management port through Windows Firewall. Remote access belongs behind SSH tunnels or authenticated reverse proxies—not a naked 0.0.0.0:9090 on a café hotspot.
Method A: enable the controller through Clash Verge Rev settings
Recent Clash Verge Rev builds surface controller options in the settings area so you do not have to hand-edit YAML for basic cases. Menu labels shift between releases—look for clusters mentioning External Controller, Controller Port, Secret, or Dashboard rather than memorizing one screenshot.
- Start Mihomo with your usual profile selected and confirm ordinary browsing works. A controller on a crashed core only produces connection refused errors that look like firewall mysteries.
- Open Verge settings (gear icon or tray menu entry). Find the external controller section.
- Set the listen address to loopback. Prefer 127.0.0.1 unless you have a written reason to bind wider. Some builds expose a toggle that maps to external-controller automatically.
- Enter port and secret. Paste a generated secret; do not reuse your subscription token. If the UI offers “generate secret,” use it once and save the result offline.
- Apply and reload the core. Verge typically restarts Mihomo or hot-reloads config. Watch the log pane for “RESTful API listening” or equivalent wording.
- Open the dashboard. If Verge includes “Open Dashboard” or “Web UI,” click it. Otherwise continue to Method C with a third-party UI URL.
When settings and YAML disagree, the effective merged config wins. If you toggled GUI options yet the API still listens on an old port, export the runtime YAML that Verge hands to Mihomo and search for external-controller there; subscription imports sometimes reintroduce stale values until a mixin layer overrides them.
Method B: layer external-controller through mixin overrides
Power users who already maintain merge files—for DNS tweaks, listener collisions, or prepend rules—should patch the controller in the same layer so subscription refreshes do not erase personal choices. The workflow mirrors our Mixin overrides on Windows 11 guide: keep the remote profile read-only, inject local deltas, reload, verify.
A minimal merge fragment might look like:
# Personal merge — management API only
external-controller: 127.0.0.1:9090
secret: "8f3c…your-long-random-string…d21a"
# Optional: tell Mihomo where a bundled static UI lives
# external-ui: dashboard
# external-ui-url: "https://example.com/yacd/"
Save through Verge’s merge editor, reload, and confirm the merged preview lists your controller stanza above provider MATCH rules. If your airport ships an uncommented external-controller: 0.0.0.0:9090 without secret, your mixin should explicitly override both keys—partial merges leave the dangerous half intact.
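To catch the partial-merge case described above, the following added example (not Verge or Mihomo code) audits the text of an effective config for the controller stanza. The function name, the 32-character minimum, and the sample YAML are assumptions constructed for illustration.

```powershell
# Added example, not Verge or Mihomo code. Reads only top-level, uncommented
# keys from the YAML text; the 32-character minimum is an assumed threshold.
function Test-ControllerConfig {
    param([Parameter(Mandatory)][string]$YamlText,
          [int]$MinSecretLength = 32)

    $value = @{}
    foreach ($line in ($YamlText -split "`r?`n")) {
        if ($line -match '^(external-controller|secret):\s*(.*)$') {
            $key = $Matches[1]
            # Drop a trailing comment, then one layer of straight quotes.
            $raw = ($Matches[2] -replace '\s+#.*$', '').Trim()
            $value[$key] = $raw -replace '^["'']|["'']$', ''
        }
    }
    if (-not $value.ContainsKey('external-controller')) {
        return @('INFO: no external-controller key in this text')
    }

    $findings = @()
    # ":9090" (empty host) and 0.0.0.0 both listen on every interface.
    $bindHost = $value['external-controller'] -replace ':\d+$', ''
    if ($bindHost -notin @('127.0.0.1', 'localhost', '[::1]')) {
        $findings += "RISK: bind '$($value['external-controller'])' is not loopback"
    }
    $secret = [string]$value['secret']
    if ([string]::IsNullOrWhiteSpace($secret)) {
        $findings += 'RISK: secret missing or empty'
    } else {
        if ($secret.Length -lt $MinSecretLength) {
            $findings += "WEAK: secret shorter than $MinSecretLength characters"
        }
        # Curly quotes pasted from chat apps become part of the value.
        if ($secret -match '[\u201C\u201D\u2018\u2019]') {
            $findings += 'BROKEN: secret contains smart quotes'
        }
    }
    if ($findings.Count -eq 0) { $findings += 'OK: loopback bind with a secret' }
    return $findings
}

# Constructed sample: the mixin set a secret but left the provider's bind.
$partialMerge = @'
mixed-port: 7890
external-controller: 0.0.0.0:9090
secret: "constructed-sample-secret-0123456789abcdef"
'@
Test-ControllerConfig -YamlText $partialMerge
Test-ControllerConfig -YamlText ($partialMerge -replace '0\.0\.0\.0', '127.0.0.1')
```

Feed it the runtime YAML that Verge exports rather than your mixin alone, since the merged result is what Mihomo actually loads.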
Advanced builds also support external-controller-tls, external-controller-cors, and separate Unix socket paths on Linux. On Windows 11 the practical trio remains bind address, port, and secret; reach for CORS only when you deliberately host a dashboard origin that differs from the API host and browsers block requests.
Method C: connect a third-party Clash Web dashboard
Verge Rev’s native UI covers daily node picking—see policy groups and manual node selection on Windows 11—but Web dashboards remain popular because they pack dense connection tables and familiar layouts carried over from the Clash for Windows era.
Typical flow:
- Host a static dashboard build locally (some users drop the files into Verge’s dashboard folder when external-ui is enabled) or use a maintained online build you trust.
- Point the UI’s API base URL to http://127.0.0.1:9090 (or your chosen port).
- Paste the same secret string into the UI’s authentication field.
- Reload; proxy groups and traffic charts should populate within seconds.
If the page loads but every API call fails with 401 Unauthorized, re-copy the secret from YAML—smart quotes from chat apps ruin more evenings than upstream outages. If the browser console shows CORS errors while you opened the UI from a file:// path or another hostname, serve the dashboard from http://127.0.0.1 on a harmless static port or add the appropriate external-controller-cors allowlist in your merge file, understanding you are widening attack surface.
For read-only sanity checks without a GUI, PowerShell can query the API directly (replace values accordingly):
$headers = @{ Authorization = "Bearer YOUR_SECRET_HERE" }
Invoke-RestMethod -Uri "http://127.0.0.1:9090/proxies" -Headers $headers
A JSON payload listing groups confirms the controller is alive even when a flashy dashboard misconfigured its base URL.
Verification checklist after you enable the controller
Treat controller changes like any infrastructure edit—quick, repeatable checks prevent silent insecurity:
- Loopback bind: From the same PC, http://127.0.0.1:9090 responds while http://YOUR_LAN_IP:9090 should fail when bound to loopback only, proving you did not accidentally publish management to the subnet.
- Secret required: Remove the header or type a wrong secret; mutating endpoints should reject requests instead of silently accepting them.
- Write path: Switch a selector group in the dashboard, then confirm Verge’s Proxies pane shows the same selection—API writes and GUI state stay synchronized.
- Live connections: Load a test site; the dashboard connections table should show fresh rows with expected rule and outbound names—pair with log panel troubleshooting when rows appear but sites still hang.
- Firewall posture: Windows Defender should not need an inbound rule for loopback-only setups. If you created one earlier while experimenting, delete it to avoid future-you binding 0.0.0.0 without noticing.
- Backup hygiene: Before committing merge files to Git, redact secret and subscription URLs; our profile backup guide explains placeholder patterns that keep history safe.
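The loopback-bind and secret-required checks can be scripted so they are repeatable after every config change. This is an added example, not Verge or Mihomo code: the function name is hypothetical, the port and secret are placeholders, and it assumes the controller answers a missing or wrong secret with 401 as described in the troubleshooting note earlier.

```powershell
# Added example, not Verge or Mihomo code. Issues read-only GET /proxies calls
# only; the port and secret are placeholders. Assumes 401 on a bad secret.
function Test-ControllerPosture {
    param([int]$Port = 9090,
          [Parameter(Mandatory)][string]$Secret)

    $report = [ordered]@{}

    # Loopback bind: every listener on the port should be 127.0.0.1 or ::1.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
    $report.Listening   = $listeners.Count -gt 0
    $report.Owner       = @($listeners | ForEach-Object {
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    } | Select-Object -Unique) -join ','
    $report.NonLoopback = @($listeners |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object { $_.LocalAddress })

    # Secret required: same request with no header, a wrong secret, the real one.
    $probe = {
        param($Headers)
        try {
            $r = Invoke-WebRequest -Uri "http://127.0.0.1:$Port/proxies" -Headers $Headers -UseBasicParsing -TimeoutSec 5
            [int]$r.StatusCode
        } catch {
            # Non-2xx replies throw; 0 means no HTTP response (e.g. refused).
            [int]$_.Exception.Response.StatusCode
        }
    }
    $report.NoHeader    = & $probe @{}
    $report.WrongSecret = & $probe @{ Authorization = 'Bearer wrong-on-purpose' }
    $report.RealSecret  = & $probe @{ Authorization = "Bearer $Secret" }

    $report.Pass = $report.Listening -and $report.NonLoopback.Count -eq 0 -and
                   $report.NoHeader -eq 401 -and $report.WrongSecret -eq 401 -and
                   $report.RealSecret -eq 200
    [pscustomobject]$report
}

Test-ControllerPosture -Port 9090 -Secret 'YOUR_SECRET_HERE'
```

A NonLoopback entry such as 0.0.0.0 or a LAN address means the management API is reachable from the subnet regardless of what the settings page shows.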
When you genuinely need remote dashboard access
Sometimes the browser must run on another machine—debugging a headless mini PC in the closet, or checking a work laptop while Mihomo stays on a desktop. Resist the shortcut of external-controller: 0.0.0.0:9090 with a weak secret on a flat home LAN. Better patterns:
- SSH local port forward from the remote machine: forward remote 9090 to the PC’s loopback controller, then open the dashboard against 127.0.0.1 on the remote side. SSH already authenticated the tunnel.
- WireGuard or Tailscale with controller still on loopback, plus firewall rules limiting who may reach forwarded ports; see our Tailscale and Clash coexistence notes when overlapping tunnels confuse DNS.
- Reverse proxy with TLS and auth on a dedicated management host when you operate Mihomo like a small service—closer to server guides that install bare Mihomo on CentOS with loopback-only defaults.
Each option keeps the API off the guest Wi‑Fi VLAN while still letting you swap nodes from a couch tablet—without handing every IoT camera on the network a free “change my exit country” button.
Common mistakes that show up in support threads
“Connection refused” on 127.0.0.1:9090
Mihomo is not listening yet, the port differs from your bookmark, or a merge failed silently. Confirm the core is running, grep the effective YAML for external-controller, and check netstat for listeners.
Dashboard loads but groups are empty
Often a read-only API path succeeded while authenticated routes failed—secret mismatch—or the UI points at the wrong port (7890 is proxy, not controller). Align URLs and secrets.
Opened 9090 to LAN “for convenience”
Management APIs expose node names, active destinations, and config snapshots. Attackers on shared networks scan for open 9090. Revert to loopback, add secret, close firewall holes.
Subscription refresh overwrote controller settings
Move controller keys into mixin merges instead of editing the downloaded file. Align refresh cadence with subscription auto-update settings so you notice provider changes quickly.
FAQ: external-controller without the mythology
Does enabling the Web dashboard slow browsing?
The REST listener is lightweight. Heavy cost comes from dashboards polling aggressively or debug logging—not from merely binding 127.0.0.1:9090.
Can I automate node switches with scripts?
Yes—that is why the API exists. Scripts must include the secret header and should run on trusted machines only. Prefer read-only monitoring before granting CI jobs write access.
Should I expose external-controller on a work laptop?
Follow corporate policy. Even on loopback, dashboards reveal browsing metadata on screen. Lock your session when stepping away—same discipline as open terminal tabs with cloud credentials.
Is Verge’s built-in UI enough?
For many Windows 11 users, absolutely. Enable external-controller when you want browser tooling, cross-device admin patterns, or parity with headless Mihomo workflows—not because the tray app is incomplete.
Closing thoughts
A well-configured external-controller turns Mihomo from a black box into an observable control plane: live connections, selector changes, and config reloads you can drive from a Clash Web dashboard on the same machine. The entire feature stays safe when you default to 127.0.0.1, treat secret as mandatory, and separate management ports from the LAN proxy story your phone needs.
Many closed-source “VPN with a settings page” products offer pretty graphs but hide rule logic entirely—fine until you need to prove which domain picked which outbound. The Clash lineage exposes structured YAML, first-match semantics, and a documented REST surface so operators can observe and adjust without vendor tickets. GUI shells like Clash Verge Rev cover daily Windows 11 workflows; the controller API plus Web UI fills the gap when you want browser-scale visibility or automation that outgrows clicking one tray menu.
If you want actively maintained Mihomo builds and transparent upgrade paths, start from the official Clash download page—then layer controller settings through Verge or mixin merges using the checklist above instead of copying random 0.0.0.0 snippets from forums that optimize for convenience over safety.