1. Why Arch and Manjaro Deserve a Dedicated Install Narrative
Arch is famous for documentation culture and a user-centric packaging model, not for shipping every convenience inside the main repositories. The official [core], [extra], and [community] sets are curated; many third-party or rapidly updated tools like mihomo live in the AUR, which means you inherit responsibilities you did not have on Ubuntu with a single .deb: read the PKGBUILD, trust the maintainer, and accept that updates are community-driven. Manjaro users share the same engine with extra stabilisation layers, yet the practical outcome for this guide is similar—you still install from AUR or place binaries yourself, then wire systemd the same way.
Permission and identity models also nudge you toward a conscious choice between a system service (root-owned /etc/mihomo, multi-user.target) and a user service under ~/.config/mihomo with systemctl --user. Rolling releases make that decision more visible: frequent kernel and userspace updates mean the fewer magical assumptions you rely on, the calmer your upgrades stay. A documented unit file, a documented mixed-port, and a journal-first debugging habit beat “I ran it in a terminal once and forgot.”
Finally, users searching for Arch Linux plus Clash Meta plus systemd are usually trying to match mental models from other distros. You should leave this page knowing how your setup relates to a Fedora box next to it on the desk and an Ubuntu LTS in the cloud—same YAML concepts, different package managers touching the file system. That is the complementarity this article is written to deliver.
2. AUR, yay/paru, or Manual Upstream Binary
The high-traffic path is an AUR helper. After installing yay or paru using the distribution’s documented method, you typically run a search for packages whose names match upstream branding—commonly mihomo or mihomo-bin style PKGBUILDs that wrap prebuilt release assets. Always open the PKGBUILD in an editor before you build: confirm the source URL, version pinning, and post-install steps. AUR is not an endorsement from Arch Linux itself; it is a community submission surface. If your organisation forbids AUR, fall back to downloading a release tarball or binary from a source you already trust, verify checksums if your threat model requires it, and place the binary at /usr/local/bin/mihomo with 0755 permissions.
Manual installation keeps you closest to upstream velocity: when a new mihomo release ships, you replace one file, restart the systemd unit, and you are done—no waiting for a third-party maintainer, but also no pacman -Qi line item to show an auditor. Many experienced Arch users choose this hybrid: AUR for convenience on personal laptops, /usr/local installs on production nodes where change control is strict.
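The manual path described above, as an added example that is not part of the original article: the install is gated on a SHA-256 match and leaves a one-line record for the auditor that pacman -Qi cannot provide. The manifest path and the function name are hypothetical; the digest is whatever your trusted source publishes.

```sh
#!/bin/sh
# Added example (not from the original article): checksum-gated manual install.
# The manifest path is a hypothetical convention, not something mihomo defines.

# install_verified <file> <expected_sha256> <dest> <manifest>
# Installs <file> to <dest> with mode 0755 only when its SHA-256 matches, then
# appends "<utc-time> <sha256> <dest>" to <manifest> as an audit record.
install_verified() {
    file=$1; expected=$2; dest=$3; manifest=$4
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex digits; refuse anything else.
    case $expected in
        ''|*[!0-9a-fA-F]*) echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 2; }
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual" >&2
        return 1
    fi
    install -m 0755 "$file" "$dest" || return 3
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$actual" "$dest" >>"$manifest"
}

# Typical call, run as root after downloading ./mihomo and copying the
# published digest from the release page (digest shown as a placeholder):
#   install_verified ./mihomo <PUBLISHED_SHA256> /usr/local/bin/mihomo \
#       /usr/local/share/mihomo-install.log
```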
Whichever path you take, run command -v mihomo and mihomo -v before you invest time in YAML. A surprising number of “my unit file is broken” reports trace back to a renamed binary after an AUR update or a PATH that differs between your interactive shell and the service environment. The site download hub is the right place to compare cross-platform Clash ecosystem clients for machines where you do not want a bare engine; for Arch, you are often driving the engine directly, but the same transparency principle applies: prefer documented channels over mystery mirrors.
3. Config Directory, Ownership, and Subscription Import
Pick a single home for config.yaml and stick to it. A common system-wide layout is /etc/mihomo with config.yaml owned by root:root and mode 0640 if only root may edit it. A user-scoped layout is $HOME/.config/mihomo (or a subdirectory you standardise) with ownership by your user so you can edit without sudo. The wrong middle ground is “root owns the file but I edit with sudo daily,” which is workable yet easy to desynchronise with your editor’s backup files—if that frustrates you, move to a dedicated system user for the daemon or a pure user service.
Before you enable systemd automation, validate YAML in the foreground: mihomo -d /path/to/config from a terminal, watch for parse errors, confirm that subscription URLs fetch, then interrupt. For step-by-step subscription URL handling and profile structure, use the subscription import walkthrough on this site, then return here to freeze the same profile behind a service. If rule providers or GEOIP bundles download on first run, ensure the process user can write to the cache directory you configured—permission denied in the journal is a frequent first-boot stumble on Arch because operators tighten /etc more aggressively than on stock Ubuntu.
Logging strategy: a simple Type=simple systemd service sends stdout and stderr to the journal, which is usually enough. If you also point file logs under /var/log, add rotation and remember to reduce verbosity after debugging sessions. Rolling releases mean you will read logs more often than on slow-cycle distros; treat a quiet journal as part of the success criteria, not a luxury.
4. mixed-port: One Local Entry for HTTP and SOCKS Clients
The mixed-port key exists so you can expose one local listener that speaks both HTTP(S) proxy and SOCKS to well-behaved clients, instead of chasing separate port numbers for every tool. For a first Arch profile, that consolidation matters because your Linux desktop proxy settings, terminal environment variables, and ad hoc curl tests can all aim at a single loopback address. A conservative default binds to 127.0.0.1 on a high port such as 7890—culturally common in Clash examples but not mandatory; run ss -lntp to ensure nothing else (maybe a local dev server) already claims it.
If you also set allow-lan: true to share the proxy to other devices, you must understand that you are now part of the LAN security boundary, not just loopback. Arch typically ships with nftables (often via the iptables-nft compatibility layer). Open only the port you need, for the source subnets you expect, and document the exception so a future you does not wonder why a random laptop can reach mixed-port on a coffee-shop network.
After the daemon listens, confirm from the same host: curl -x http://127.0.0.1:<port> https://example.com for HTTP clients and your SOCKS consumer’s own check if you rely on SOCKS semantics. Mismatches here are usually client configuration problems, not a broken engine—mihomo is doing its work when both transports share a coherent outbound path through the same policy groups. For a mental bridge to container workflows on the same machine, the Docker through host Clash article explains environment-variable patterns; on bare metal, loopback is simply your “remote host at home.”
Listener skeleton (merge into your real config; keys vary by template)
# Excerpt for first boot — adjust mode, bind, and tun keys to your file version
mixed-port: 7890
allow-lan: false
# Optional: interface-name, bind-address, or IPv6 toggles; verify with ss -lntp.
5. systemd System Service: Boot, Restart, and Journal Logs
A system unit is the natural fit when the configuration lives under /etc/mihomo and you want the tunnel up for every user session after boot, including greeters and gettys that run before you log in. Create /etc/systemd/system/mihomo.service with an ExecStart that points at the true binary—often /usr/bin/mihomo from AUR or /usr/local/bin/mihomo for manual installs—and passes -d /etc/mihomo (or your directory). Order after network-online.target to reduce first-start races on Wi-Fi where DHCP and DNS need a few seconds to settle; Arch laptops on roaming networks see this more often than wired servers in a rack.
# /etc/systemd/system/mihomo.service
[Unit]
Description=mihomo (Clash Meta) proxy daemon
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/mihomo -d /etc/mihomo
Restart=on-failure
RestartSec=5
LimitNOFILE=1048576

[Install]
WantedBy=multi-user.target
Reload, start, and enable: sudo systemctl daemon-reload, sudo systemctl start mihomo, systemctl status mihomo --no-pager, then sudo systemctl enable mihomo for boot integration. Logs: journalctl -u mihomo -e. When a subscription update fails, the error message in the journal is usually more actionable than a silent tray icon on macOS. Tune Restart=on-failure versus always the same way you would on Fedora or Ubuntu—on-failure respects intentional stops; always with rate limits can help in flaky network environments.
6. User Services and linger: When to Avoid Root-Owned Config
If you keep everything under $HOME/.config/mihomo, a user unit may feel more natural. Place the unit at ~/.config/systemd/user/mihomo.service (or use systemctl --user edit --force --full mihomo.service to let systemd manage the file), set ExecStart to the same binary with -d pointed at your user directory, then run systemctl --user daemon-reload, systemctl --user start mihomo, and systemctl --user enable mihomo. For boot behaviour when nobody is logged in yet, you must enable linger for that user: sudo loginctl enable-linger $USER—without it, the user manager may not start at boot, which surprises people migrating from a system service.
Security nuance: user services run with your uid, so a compromised app running as you can more easily read config.yaml than if it were root-only. That is a fair trade for many personal laptops. Shared lab machines or SSH jump hosts sometimes still prefer a system service with 0600 root-owned files so operators do not accidentally leak subscription URLs to every local account. Pick the model that matches your trust boundary and document it in your internal runbook.
Desktop integration follows the same GNOME and KDE story as in our other Linux pieces: set manual HTTP/HTTPS proxy to 127.0.0.1 and your mixed-port, or export http_proxy in shells and IDEs. Wayland and X11 sessions on Arch are diverse; the stable anchor is the loopback address and the port, not a particular desktop theme.
7. pacman, Mirrors, and Keeping Updates Sane Through the Tunnel
pacman is an HTTPS client. If your rules accidentally send mirror traffic through a congested or misclassified exit, updates look “broken” when the real issue is policy. Add explicit DIRECT (or a stable domestic group) for the mirror hostnames and CDN edges you actually use, informed by a quick grep Server /etc/pacman.d/mirrorlist pass. The routing and rules reference on this site explains how ordering interacts with GEOIP and catch-all rules; on Arch, being explicit about mirror domains beats hoping broad geography rows match a CDN you did not trace.
DNS still matters. systemd-resolved, unbound, or a corporate resolver may all coexist with mihomo’s own DNS section. fake-ip modes in particular can make failures resemble TCP timeouts. When in doubt, compare dig with and without the tunnel and read the engine log lines that show which outbound handled a query. That discipline saves hours of blaming pacman or [core] sync when the resolver never returned the address your rules expect.
If you must proxy pacman itself (corporate environment), the same http_proxy variables you use for shells, or a dedicated /etc/pacman.conf proxy line, should match the loopback and mixed-port you validated. Document the split: “user browsers use 127.0.0.1:7890; root’s weekly pacman -Syu may use a different path.” Ambiguity there causes the classic “it worked on Tuesday after I exported variables in a root shell and forgot” incident.
8. nftables, Loopback, and allow-lan on Home Networks
Default Arch networking often leaves the firewall “open on trusted interfaces” depending on your installer choices. If you run allow-lan: true, assume you must explicitly allow the TCP listener in nft rules or a higher-level tool you prefer. A minimal pattern is: allow established and related, allow SSH from management subnets, allow the single proxy port from the LAN CIDR, drop the rest. Re-test with curl -x from a second device only after you see the socket in ss -lntp on the correct address family.
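The minimal pattern above, rendered as an nftables ruleset by a small shell function. This is an added example, not configuration from the original article; the table name mihomo_guard and the subnets in the sample call are assumptions, and the ICMP line goes beyond the four items listed so that path-MTU discovery and IPv6 neighbour discovery keep working under a drop policy.

```sh
#!/bin/sh
# Added example (not from the original article): render the minimal inbound
# policy described above as an nftables ruleset. The table name and the CIDRs
# used in the sample call are assumptions; substitute your own.

# render_ruleset <proxy_port> <lan_cidr> <mgmt_cidr>  -> ruleset on stdout
render_ruleset() {
    port=$1; lan=$2; mgmt=$3
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } ||
        { echo "bad port: $port" >&2; return 2; }
    for cidr in "$lan" "$mgmt"; do
        # Only digits, dots and exactly one slash may appear in an IPv4 CIDR.
        case $cidr in
            *[!0-9./]*|*/*/*|/*|*/) echo "bad CIDR: $cidr" >&2; return 2 ;;
            */*) ;;
            *) echo "bad CIDR: $cidr" >&2; return 2 ;;
        esac
    done
    cat <<EOF
table inet mihomo_guard {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept                          # loopback clients of mixed-port
        ct state established,related accept      # replies to our own traffic
        meta l4proto { icmp, ipv6-icmp } accept  # added: PMTU and IPv6 ND
        ip saddr $mgmt tcp dport 22 accept       # SSH from the management subnet
        ip saddr $lan tcp dport $port accept     # the single proxy port, LAN only
    }
}
EOF
}

# Check syntax without loading anything, then load once satisfied:
#   render_ruleset 7890 192.168.1.0/24 192.168.10.0/24 | sudo nft -c -f -
```

Because the rules match ip saddr only, IPv6 clients on the LAN are dropped by the chain policy, which is the conservative outcome if you have not decided on an IPv6 listener.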
Guest Wi-Fi and client isolation break LAN sharing no matter how perfect your YAML is; do not treat allow-lan as a silver bullet. For single-machine use, keeping listeners on 127.0.0.1 and allow-lan: false is the least surprising baseline on a rolling laptop that moves between home, office, and airport lounges.
9. Optional TUN and Capabilities
Application-level HTTP and SOCKS cover many workflows; TUN is for when you need broader capture without per-app settings. On Linux, that path typically requires capabilities such as CAP_NET_ADMIN. systemd can grant them through unit options, but each widening deserves the same review you would give a firewall change. Test with a short foreground run before you bake assumptions into a headless service, and keep a known-good profile without TUN for rollback. Conceptual background lives in the TUN mode overview on this site; it is platform-agnostic and still applies to an Arch workstation even when your other devices run Windows.
10. Troubleshooting: Ports, Duplicates, and DNS
“systemctl says active, but apps fail.” First run ss -lntp to confirm the process owns mixed-port on the address you think it does. Second, re-read your rules for accidental REJECT on the test hostnames. Third, examine DNS: fake-ip misconfiguration often mimics a dead proxy.
“It worked until I opened another terminal.” A second mihomo instance—often a forgotten .desktop autostart in KDE or GNOME—binds the same port. Search autostart directories and use systemctl status plus ps aux | grep mihomo to spot duplicates. Only one listener wins; the loser crashes or flaps in the journal.
“AUR update broke my unit path.” Re-check which mihomo and update ExecStart if the package moved a shim. Rolling distributions reward operators who read package change logs.
Security. Avoid exposing the external controller socket without authentication, and do not point untrusted applications at a LAN-wide listener you enabled “temporarily for a phone” three months ago. Technical tools are neutral; your network posture is not.
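A quick audit for the exposures named here and in the ownership discussion in section 3, as an added example that is not part of the original article. It reads only top-level scalar keys, assumes the standard external-controller and secret keys for the controller and its authentication, and uses a constructed sample file with a constructed controller port.

```sh
#!/bin/sh
# Added example (not from the original article): audit a mihomo config.yaml for
# the exposures discussed above. Handles top-level scalar keys only.

# yaml_top <key> <file>: print the value of a top-level "key: value" line.
yaml_top() {
    awk -v k="$1" 'index($0, k ":") == 1 {
        v = substr($0, length(k) + 2)
        sub(/[ \t]+#.*$/, "", v)            # drop trailing comment
        gsub(/^[ \t]+|[ \t]+$/, "", v)      # trim blanks
        print v; exit
    }' "$2" | tr -d "\"'"
}

# audit_config <file>: one finding per line on stdout; silent when clean.
audit_config() {
    cfg=$1
    mode=$(stat -c %a "$cfg") || return 2
    case $mode in
        *[1-7]) echo "FILE mode $mode: accounts outside owner/group can reach $cfg" ;;
    esac
    if [ "$(yaml_top allow-lan "$cfg")" = "true" ]; then
        echo "LAN allow-lan is true: firewall mixed-port $(yaml_top mixed-port "$cfg")"
    fi
    ctl=$(yaml_top external-controller "$cfg")
    if [ -n "$ctl" ] && [ -z "$(yaml_top secret "$cfg")" ]; then
        case $ctl in
            127.*|localhost:*|\[::1\]:*) scope=loopback ;;
            *) scope=non-loopback ;;
        esac
        echo "CTRL external-controller $ctl ($scope) has no secret"
    fi
}

# Constructed sample so the script runs stand-alone: expect three findings.
demo=$(mktemp)
printf '%s\n' 'mixed-port: 7890' 'allow-lan: true' \
    'external-controller: 0.0.0.0:9090' 'secret: ""' >"$demo"
chmod 0644 "$demo"
audit_config "$demo"
rm -f "$demo"
```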
11. Closing Thoughts
Putting Clash Meta on Arch Linux is less about a single “correct” AUR package name and more about habits that survive a rolling world: a trusted install path, one coherent configuration directory, a documented mixed-port, and a systemd contract—system or user—that matches how you use the machine. Compared with a throwaway nohup in a tab, the structured approach is calmer to evolve when you add rule providers, tune DNS, or line this host up with an Ubuntu or Fedora box elsewhere in your life. Boring local proxy infrastructure is what lets you focus on the work instead of the tunnel.
When you want curated clients and cross-platform comparisons beyond a bare mihomo core, the open-source engine’s history and changelogs remain easy to find on GitHub; use that channel for source-level assurance. Day-to-day installers for graphical clients on other operating systems are easier to reason about from a single, transparent index than from scattered social posts that go stale in weeks.
Upstream mihomo development and release artifacts are published in the MetaCubeX/mihomo repository on GitHub. That link is for transparency, issues, and source review; for everyday client distribution across platforms, prefer this site’s download flow over treating GitHub as the primary end-user installer channel.
After you stabilise the service on this machine, browse the official download hub to line up the same logical setup on the phones and laptops you actually carry. Compared with a pile of ad hoc APKs and DMGs, a single place to read version notes keeps your fleet legible.