Why per-app proxy matters on Android

On paper, Clash for Android is a profile-driven Mihomo front-end that turns a subscription YAML into a working tunnel. In practice, many users do not want a binary world where either every socket on the phone exits through a remote node or nothing is protected at all. Domestic payment apps, local food delivery clients, and carrier-locked streaming services often behave better on a direct path, while a smaller set of tools—browsers, research apps, certain chat clients—benefits from consistent overseas reachability.

That is where per-app proxy (more precisely, Android split tunneling at the VPN layer) earns its keep. Instead of asking each application to understand HTTP proxies, the client uses Android’s VpnService API to decide which packages are attached to the virtual interface and which are left outside the tunnel. The feature goes by different names in various forks—Access Control, App Filter, Bypass, or Allowed apps—but the underlying idea is stable: maintain a list, pick a mode, restart the VPN if the platform requires it, and verify with a simple before-and-after test.

This article is not a substitute for sound rule design. Even when an app is inside the tunnel, Mihomo still evaluates RULE mode policies, DNS modes, and outbound groups exactly as on desktop. Per-app control answers the question of which apps even enter Clash; your profile still answers what happens next. If you are new to importing a remote profile, start with our Clash subscription import tutorial so the baseline configuration is trustworthy before you tune split routing.

ℹ️ Build names vary. Community builds based on Clash Meta for Android may reorder menus or rename strings. When a label in this guide does not match pixel-perfectly, search settings for keywords such as Access, App, Bypass, or Package; the capability is almost always exposed because Android exposes it through VpnService.

Prerequisites you should not skip

Before touching lists of applications, confirm three facts: the client is allowed to create a VPN interface, a valid profile is loaded, and you understand which mode the dashboard is in—typically Rule, Global, or Direct—because per-app split tunneling does not magically invent policies that your YAML lacks.

VPN permission is a one-time ritual on first connect. Android shows a system sheet; you tap OK. If you previously denied it, open system Settings → Apps → your Clash build → Permissions and re-enable VPN control. Without that grant, none of the following steps matter because the OS will refuse to attach packages to a non-existent tunnel.

Notifications on Android 13 and newer are easy to dismiss forever. Keep at least one notification channel enabled for the VPN status. When OEM skins aggressively “optimize” background services, the persistent icon is often the only obvious clue that the tunnel died two train stops ago.

Finally, install from a source you trust and keep builds updated. If you still need an installer, use our official Clash download page as the primary entry rather than chasing random APK mirrors; supply-chain hygiene matters as much as YAML hygiene.

Bypass list versus allow-only list

Most implementations offer two symmetrical strategies. Learning the vocabulary prevents the classic “I checked Telegram but nothing changed” confusion.

In a bypass (or blacklist-style) arrangement, everything rides the VPN except the packages you explicitly exclude. That matches the mental model “keep my bank and domestic super-app direct; let the rest follow Clash.” It is forgiving when you add new installs often, because newcomers default to tunneled until you exempt them.

In an allow-only (whitelist-style) arrangement, only the selected apps enter the VPN; all other traffic stays on the underlying mobile or Wi-Fi interface. That matches “I only want Firefox and Discord proxied; nothing else should even see the tunnel.” It is stricter and often safer on capped data plans, but you must remember to add each new tool you care about.

Neither mode replaces DNS policy. An app that ships its own DNS-over-HTTPS stack may still resolve names outside Mihomo even when its TCP flows are nominally captured—another reason to pair split tunneling with the DNS section of your profile. For a deeper tour of how rules compete once traffic is inside Clash, read Clash rule routing explained after you stabilize who enters the tunnel.

⚠️ Do not mix up modes. If you enable allow-only but forget to tick your browser, every page load will look “direct” while you blame the YAML. Likewise, a bypass list with zero entries is not the same as global VPN; read the fine print on your build’s toggle.

Step-by-step: enable per-app split routing

The following sequence is written so you can rehearse it on a spare device or emulator without guessing where buttons moved between releases.

1. Load a working profile and start the VPN once

Import your subscription or raw YAML, select a node or policy group that you know is healthy, and tap the large power or Start control so the VPN notification appears. Confirm that a basic IP check inside a browser behaves as expected in default mode before you introduce app exceptions. Debugging two variables at once—profile correctness and package lists—is how afternoons disappear.

2. Open access control settings

From the main screen, enter Settings (gear icon) or a similarly named drawer. Look for a section labeled Network, VPN, or Access Control. Tap it. You should see a toggle that enables application filtering alongside a picker for bypass versus allow-only semantics. Enable the feature; Android may prompt you to confirm that you still trust the VPN provider because splitting paths changes the threat model slightly.

3. Choose bypass or allow-only to match your intent

Select the mode that mirrors the user story at the top of this guide. If you want only a handful of overseas-facing tools proxied, allow-only is usually clearer. If you want everything proxied except a short list of domestic finance apps, bypass is faster to maintain.

4. Select applications from the roster

The roster is alphabetically sorted by label, not package name. Use search if your OEM provides it. Pay attention to duplicates: some vendors install dual-app or work-profile clones with identical icons; they are separate UID entries and must be toggled independently. If a target app is missing, expand Show system apps cautiously—system components sometimes need exclusion when they break captive portals, but blind ticking can leak more than you intend.

5. Apply, then cycle the VPN session

Many builds apply lists live, but some kernels only re-read package filters when VpnService restarts. Turn the VPN off, wait until the notification clears, then start again. This step is not superstition; it is how you avoid false negatives when validating.

6. Verify with two-app contrast

Keep one browser inside the tunnel and one domestic app outside (or vice versa in allow-only mode). Run parallel IP or latency checks. The expected outcome is a clean split: the tunneled app shows the exit node; the exempt app shows carrier addressing. If both match, you are still in global VPN semantics—return to the mode toggle.
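An added example, not code from Clash or Mihomo: an off-device pre-check for steps 3, 4 and 6 that predicts which packages should end up tunneled for a given mode and list, and surfaces clone entries that need their own decision. The sample text is constructed in the shape of `adb shell pm list packages -U` output; the package names, UIDs, work-profile user id and function names are assumptions.

```python
import re

# Constructed sample of `adb shell pm list packages -U --user <id>` output,
# keyed by Android user id (0 = personal, 10 = an assumed work profile).
SAMPLE = {
    0: "package:org.mozilla.firefox uid:10151\n"
       "package:com.discord uid:10162\n"
       "package:com.example.bank uid:10170\n"
       "package:com.example.delivery uid:10171\n",
    10: "package:com.discord uid:1010162\n"
        "package:com.example.bank uid:1010170\n",
}
LINE = re.compile(r"^package:(\S+)\s+uid:(\d+)$")

def parse_packages(text):
    """Return {package_name: uid} for every well-formed line."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def audit(mode, selected, installed):
    """Predict the split for one user.
    bypass: selected apps stay direct; allow-only: only selected apps are tunneled."""
    if mode not in ("bypass", "allow-only"):
        raise ValueError(f"unknown mode: {mode!r}")
    names, chosen = set(installed), set(selected)
    present = chosen & names
    tunneled = present if mode == "allow-only" else names - present
    return {
        "tunneled": sorted(tunneled),
        "direct": sorted(names - tunneled),
        # Listed but not installed for this user: typo, removed app, or other profile.
        "unknown": sorted(chosen - names),
        "no_effect": not present,  # the list matches nothing installed
    }

def clones(per_user):
    """Packages present under more than one user; each UID needs its own decision."""
    seen = {}
    for text in per_user.values():
        for pkg, uid in parse_packages(text).items():
            seen.setdefault(pkg, []).append(uid)
    return {pkg: uids for pkg, uids in seen.items() if len(uids) > 1}

if __name__ == "__main__":
    personal = parse_packages(SAMPLE[0])
    print(audit("allow-only", ["org.mozilla.firefox", "com.discord"], personal))
    print(clones(SAMPLE))
```

If the two-app contrast disagrees with the predicted split, suspect the mode toggle or a VPN session that was not restarted before blaming the YAML.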

Common pitfalls that look like “Clash is ignoring me”

Even with perfect YAML, Android is a moving collection of power-saving heuristics. The next sections collect the failures we see most often in support threads, translated into a checklist you can work through in order.

Battery optimization and OEM task killers

Modern phones love to hibernate VPN processes to chase standby leaderboard scores. Open system Settings → Apps → your Clash build → Battery (or Power) and set Unrestricted or the OEM equivalent. On MIUI, HyperOS, ColorOS, and One UI, also disable automatic “sleep unused apps” rules that target VPN clients. If the tunnel drops exactly after the screen has been off for minutes, you are debugging power policy, not routing syntax.

Always-on VPN and competing clients

Android allows only one active VPN profile at a time. Another corporate client, ad-blocking VPN, or “NetGuard”-style firewall may seize the slot. Settings → Network → VPN → gear icon next to your Clash entry shows whether Always-on is enabled; misconfigured always-on pairs can fight for precedence. Close the other client entirely—not merely disconnect—before retesting.

Work profile and secondary users

Enterprise enrollments create a separate user space. Per-app lists in the personal profile do not automatically mirror work tiles. If Microsoft Teams or Slack lives in the work container, toggle it there or accept that it will stay direct until an admin pushes a profile.

Captive portals and hotel Wi-Fi

When every app is forced through a tunnel that blocks RFC1918 or local subnet routes, the sign-in page for coffee-shop Wi-Fi never loads. Temporarily switch to Direct mode or add a bypass entry for the browser you use to click “Accept terms.” Some users keep a tiny bypass list containing only the captive-portal helper package for this reason.

IPv6 and split semantics

If your mobile carrier hands you IPv6 and the profile does not align v6 routes with expectations, some apps may appear to “bypass” because they happily speak v6 on the raw interface. Inspect your Mihomo logs for parallel v6 attempts when debugging mysterious splits. Fixing DNS and route sections is usually cleaner than endlessly tweaking app checkboxes.

Security and privacy framing

Split tunneling is a convenience feature, not a guarantee of anonymity. Applications excluded from the VPN disclose their destinations to the carrier exactly as without Clash. Conversely, applications inside the tunnel still leak metadata to the remote exit if the protocol is chatty. Combine per-app choices with sane rules, TLS everywhere, and realistic threat models.

Also remember that Android’s package list is visible to the local user, not secret. Shared-family devices should use separate user accounts if siblings should not toggle one another’s banking exemptions.

Closing: reproducible mobile hygiene

Android proxy setups that survive daily use share a pattern: VPN permission granted once, battery hands-off granted deliberately, access-control mode chosen to match a written policy (“these five apps direct, everything else tunneled”), and a quick two-app verification after each profile update. When you treat split routing as part of device hygiene rather than a one-time hack, Clash stops feeling fragile on mobile.

Compared with all-or-nothing global VPN apps, a maintained Mihomo-based client gives you structured logging, remote rule-providers, and the same policy vocabulary you already use on desktop—plus the Android-specific knobs that keep domestic life smooth. When you are ready to standardize builds across platforms, download Clash for free from our official page and experience the difference.