OpenWrt OpenClash Setup: Subscription Import and First Split Rules (2026)

Home labs and small offices often outgrow “install Clash on one PC.” They want the same rule-based split routing at the router so phones, TVs, and guests inherit policy without per-device clients. On OpenWrt, OpenClash is the familiar LuCI front-end around a Clash Meta (Mihomo)-class core: you still edit YAML, you still think in proxy-groups and rules, but the failure modes shift to DNS on the gateway, flash space, kernel transparent proxy hooks, and LAN-wide side effects. This guide is the router-shaped walkthrough—subscription import, a conservative first split policy, and the disconnect checklist that desktop tutorials rarely emphasize.

How router OpenClash differs from a Windows or macOS Clash client

Desktop guides assume one user session, one browser, and optional TUN for stubborn apps. A consumer router running OpenWrt is a shared default gateway: every DHCP client sends DNS queries and TCP flows through policies you configure once. That sounds efficient until a mis-ordered rule sends domestic banking traffic overseas, or fake-ip disagrees with clients that pin DNS over HTTPS inside the browser. OpenClash adds LuCI forms for profiles, updates, and tun/redir modes, but underneath you are still maintaining a YAML configuration compatible with modern Clash templates—so vocabulary from our proxy-groups guide transfers directly.

If your household’s pain is “China sites became sluggish after I enabled everything,” treat our GEOIP CN and bypass checklist as the companion piece once you move past first boot: router deployments amplify mistakes in GEOIP,CN placement because every VLAN inherits them.

Prerequisites you should verify before you touch opkg

OpenWrt builds vary by target: flash layout, available kernels, and whether flow offload breaks certain redirect modes. Confirm you have enough free space for a Clash core plus rule-provider bundles—tight 16 MB NOR devices may need external root or a trimmed profile. Set a sane management IP, document your upstream WAN type, and decide whether the router will be the LAN DNS server of last resort. If clients still point at public resolvers while you expect the router to steer lookups, you will debug “random” rule misses forever.

Back up /etc/config/network and firewall before installing proxy packages. Unlike a laptop trial, a bad transparent proxy toggle can lock you out until you serial-console or fail-safe—keep a documented rollback path.

Install OpenClash on OpenWrt (high-level, feed-specific details vary)

Distributions change faster than any static article: some users add a maintainer feed and install luci-app-openclash via opkg; others flash community builds with the package pre-bundled. The stable idea is that OpenClash ships as a LuCI application plus service scripts that download or bundle a compatible Mihomo core. After installation, refresh LuCI, open the OpenClash menu, and confirm the UI can reach the backend—if the page loads but the daemon never starts, read logread before you assume your subscription is wrong.

Upstream OpenClash development lives on GitHub; reading release notes there helps when a kernel upgrade requires a new tun helper. Keep that research separate from day-to-day installs: treat documentation as transparency, while production routers should follow a repeatable package path you actually control.

First launch: cores, permissions, and “why is nothing listening?”

On first start, the plugin may fetch or extract a core binary to persistent storage. If the download fails—captive portal on WAN, TLS inspection, or regional CDN throttling—the UI will look alive while the engine never binds a port. Fix WAN connectivity first, then retry. Permission errors on /etc/openclash or insufficient loop mounts show up in system logs as explicit errno messages; chmod fantasies are a poor substitute for reading the log line.

Pick a management mode that matches how your LAN should be intercepted. Redir/Tun-family modes differ by kernel capabilities; mixed-port listeners matter if you still point some devices at explicit HTTP proxies. The precise toggles move between releases, but the conceptual trade-off is unchanged: broader interception catches more devices, and broader interception breaks more exotic protocols when rules are incomplete.

Subscription import: treat the router like a scheduled fetcher

Most providers issue an HTTPS subscription URL that returns a Clash profile or base64-encoded node list. In OpenClash’s subscription section, create an entry, paste the full URL, assign a short name, and set a refresh interval that respects your provider’s fair-use policy—aggressive polling earns HTTP 429 and looks like “OpenClash broke my nodes.” If URLs expire or rotate, read subscription links FAQ before you blame OpenWrt.

Many dashboards offer a “Clash” or “Clash Meta” format; choose the variant your core expects. After the first successful fetch, open the generated or merged profile preview and confirm proxies is non-empty. An empty list usually means DNS on the router could not resolve the provider hostname, system time skew invalidated TLS, or the remote returned an error page instead of YAML.

💡 User-Agent and airline Wi-Fi

Some providers filter requests by User-Agent. If update works from your laptop browser but fails from the router, align the fetcher’s UA string with what your provider documents—or test from SSH with curl -A to isolate headers from OpenClash entirely.

YAML on the router: merges, anchors, and where beginners get lost

Whether you upload a profile or let the UI assemble one, the effective config is still YAML consumed by Mihomo. Understand three layers: proxies and proxy-groups declare what you can hop through; rules decide which hop applies; rule-providers load external datasets that expand into more rules at runtime. OpenClash often stores overrides under /etc/openclash/config and may merge user snippets—when in doubt, export the running config from the UI and read the final document end-to-end.

Template authors sometimes ship enormous RULE-SET stacks. On storage-constrained routers, fetching multi-megabyte rule bundles on every boot can wear flash or time out on slow WANs. Start with a smaller profile, prove end-to-end connectivity, then grow complexity. Our custom rules tutorial explains how to layer DOMAIN and DOMAIN-SUFFIX entries without fighting merge semantics—skills that apply equally to LuCI-managed YAML.

First split rules: a conservative baseline for home routers

“Split routing” on a gateway rarely means exotic per-app magic at first—it means domestic traffic stays direct, sensitive LAN services stay local, and only the destinations that need a remote exit use your provider nodes. A readable first policy often includes:

  • LAN and RFC 1918 ranges → DIRECT: short-circuit hairpinned NAT attempts and local mirrors.
  • GEOIP,CN → DIRECT (or your provider’s equivalent mainland list) when you operate in mixed Chinese and international contexts—placed before a broad MATCH that sends everything to PROXY.
  • A named proxy-group such as PROXY with type select for manual choice, or url-test when you want latency-based failover between nodes.

Order matters: Clash evaluates rules top-down and stops at the first match. Putting MATCH above GEOIP,CN is how people “prove” split routing failed. After edits, reload the service and watch the live log while you browse—seeing which rule hit saves hours compared to guessing.

For conceptual depth on fake-ip, DNS coupling, and why your PC behaved differently, Clash TUN mode explained remains relevant even when the consumer-facing toggle is labeled differently in LuCI.

DNS on OpenWrt: the hidden half of every split policy

Routers amplify DNS mistakes. If clients query 8.8.8.8 directly, your rules never see domain-based matches for those flows resolved earlier. If you enable fake-ip without steering LAN DNS to the local Clash listener, browsers and the resolver disagree about what an IP means. A practical home pattern is: let DHCP hand clients the router’s LAN IP as the only DNS server, run dnsmasq or an equivalent forwarder that chains into Clash’s DNS section, and block or redirect stubborn DoH only after you understand who needs it—IoT devices versus human phones have different constraints.

When troubleshooting, capture three facts: which resolver answered the client, which IP the socket ultimately used, and which rule matched in the Clash log. If any leg is missing, you are debugging with two-thirds of a story.
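The conservative first policy from the split-rules section and the DNS coupling described above, written out as one profile. This is an added example, not the OpenClash project's template or a provider's subscription; node names, server hostnames, the password, listener ports and the fake-ip range are placeholders to be replaced by whatever your subscription and LAN actually use.

```yaml
# Added example, not the OpenClash project's own template. Node entries are
# placeholders: on a real router the subscription supplies them.
mixed-port: 7890            # explicit HTTP/SOCKS listener for devices you point manually
allow-lan: true
mode: rule
log-level: info             # keep info during bring-up so the live log shows which rule hit

dns:
  enable: true
  listen: 0.0.0.0:7874      # LAN resolvers must chain here, or fake-ip answers never reach clients
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  fake-ip-filter:           # names that must resolve to real addresses (LAN, mDNS, NTP)
    - "*.lan"
    - "+.local"
    - "+.pool.ntp.org"
  nameserver:
    - 223.5.5.5
    - https://1.1.1.1/dns-query

proxies:
  - { name: node-a, type: ss, server: node-a.example.invalid, port: 8388, cipher: aes-128-gcm, password: REPLACE_ME }
  - { name: node-b, type: ss, server: node-b.example.invalid, port: 8388, cipher: aes-128-gcm, password: REPLACE_ME }

proxy-groups:
  - name: PROXY             # manual choice; the only name the final MATCH rule points at
    type: select
    proxies: [AUTO, node-a, node-b, DIRECT]
  - name: AUTO              # latency-based failover between nodes
    type: url-test
    proxies: [node-a, node-b]
    url: http://www.gstatic.com/generate_204
    interval: 300

rules:
  # Evaluated top-down; the first match wins.
  - DOMAIN-SUFFIX,lan,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT,no-resolve
  - IP-CIDR,172.16.0.0/12,DIRECT,no-resolve
  - IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
  - GEOIP,CN,DIRECT         # needs Country.mmdb on the router; mainland destinations stay direct
  - MATCH,PROXY             # must stay last: placed above GEOIP,CN it would swallow every flow
```

With DHCP handing out only the router's LAN IP as DNS and dnsmasq forwarding to the listener on 7874, a client's lookup, the fake-ip it receives and the rule hit in the live log line up; if a client still queries 8.8.8.8 directly, the GEOIP,CN rule sees only the real IP and domain-based rules never fire for that flow.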

Transparent proxy and LAN expectations

Unlike a desktop “system proxy” toggle, gateway redirection affects game consoles, voice chat, and multicast in ways users only notice under load. UDP-heavy applications may require additional passes or direct exceptions—similar in spirit to the UDP carve-outs we discuss for Discord in other articles. If a single device must bypass the router entirely for testing, give it a static route or temporary DHCP lease outside the redirected zone before you rewrite global policy.

IPv6 adds another dimension: if your ISP ships dual-stack and your rules assumed IPv4 literals only, some traffic will happily bypass the path you thought you secured. Either align IPv6 policy deliberately or pause IPv6 during first bring-up to shrink variables.

Operational habits: updates, clocks, and monitoring

Treat the router like a tiny server: enable periodic subscription refresh during quiet hours, watch memory after rule-provider updates, and verify NTP so TLS to providers does not flap. Snapshot your working YAML after each successful change; diffing configurations beats re-deriving them from memory after a failed experiment.

If multiple administrators share the house, document the one true profile name and which LuCI page toggles the service. “Works on my laptop” is not a router acceptance test—validate from Wi-Fi phones and wired TVs you actually care about.

Troubleshooting quick map for “everything broke” evenings

No nodes after an update: fetch error, provider maintenance, or WAN DNS failure—check OpenClash’s own log panel and compare timestamps with logread.

International sites OK, domestic sites dead or slow: revisit GEOIP,CN placement and any “bypass mainland” bundles; see the checklist linked earlier.

Intermittent TLS or half-loaded pages: sniffing or mis-sniffed SNI on certain firmware pairs—conceptually parallel to Meta sniffing exceptions on desktops, though the LuCI labels differ.

Only one VLAN misbehaves: you likely have per-interface DNS or firewall zones that skip the redirect path—compare /etc/config/dhcp and firewall forwards alongside OpenClash.

How this complements desktop and phone Clash clients

OpenWrt plus OpenClash excels as a household policy engine; it is not always the best place to experiment with bleeding-edge GUI features meant for single-user desktops. Many readers still run Clash Verge on a workstation for interactive debugging, then promote stable snippets into router-side YAML. When you need maintained installers for macOS, Windows, or Linux rather than opkg workflows, our download page centralizes current builds so you are not hunting release tarballs ad hoc.

For a broader mental model of listeners, modes, and logging, the site’s Clash tutorial remains the orientation pass—read it once, then revisit after your first router deployment when jargon finally sticks.

Closing: a gateway-first split policy you can explain to roommates

OpenClash on OpenWrt rewards patience: install cleanly, import a subscription you can refresh on purpose, write split rules that keep domestic and LAN traffic honest, and align DNS with whatever fake-ip strategy your profile uses. Compared with toggling a consumer VPN app, rule-based Clash routing stays legible in logs—which is why power users adopt it on routers in the first place. When you also need up-to-date desktop or mobile clients outside the gateway, use the same site’s download page as the primary install path—Download Clash for free and experience the difference.