How to Set Up Clash Android Per-App Proxy: Overseas Apps Only, Step by Step

1. Why Global Proxy Hurts Domestic Apps on Android

Android applications are not all “generic web browsers.” Many high-trust apps pin certificates, validate SIM or carrier metadata, or call regional APIs that assume a domestic IP range. When you flip on a tunnel that sends every packet through an overseas node, those assumptions fail in predictable ways: payment flows time out, DRM checks refuse to start, and government or bank portals display risk warnings that have nothing to do with your password quality.

The user problem is therefore not “Clash is broken,” but “I need split tunneling at the OS boundary.” On Windows you might lean on TUN plus process rules; on Android the cleanest first lever is usually the client’s per-app proxy screen—sometimes labeled Apps VPN mode, Bypass, or Allowed apps depending on the fork. Combined with a sane profile inside the core, you get domestic apps on DIRECT without giving up overseas chat, research, or developer tools that genuinely need a different egress.

Think of per-app routing as a coarse filter in front of your YAML. The rule stack still decides how traffic is classified once it enters Clash, but Android can refuse to hand certain apps to the tunnel at all. That combination is what keeps everyday phone use stable while you still benefit from subscription import, policy groups, and remote rule providers on the apps you select.

2. Pick a Client: Meta for Android vs FlClash

Two widely used options in the Clash Meta ecosystem are Meta for Android (often shortened conversationally to “Clash Meta Android”) and FlClash. Both wrap a modern mihomo-class core, support subscription import from URLs, and expose per-application controls, though exact menu names move between releases. If you already migrated desktop workflows, you may have seen FlClash discussed in our CFW migration and alternatives guide; the Android build shares the same philosophy—bring your profile, keep the UI thin.

When choosing, prioritize maintenance cadence, how comfortably you can read the log, and whether the app’s VPN permission prompt matches your threat model. Some users prefer Meta for Android for proximity to upstream Meta feature work; others like FlClash’s presentation layer. For this article’s purposes, the critical shared capability is explicit Clash Android support for only proxy selected apps or an equivalent inverse mode with a bypass list.

Install only from sources you trust, grant VPN permission when prompted, and avoid running two different VPN-class apps that fight over the same tun interface. If you switch clients, re-import your subscription and re-check per-app selections; those lists are typically stored locally, not inside the remote YAML.

3. Import Your Subscription First

Before touching per-app toggles, you need a working profile: nodes, groups, and rules that match how you actually use the internet. In most clients, subscription import starts from a URL your provider issued. Open the client’s profile or subscription section, add a new remote source, paste the link, assign a refresh interval you can live with, and download once to confirm parsers succeed. If the core rejects the file, fix that first—per-app routing cannot compensate for a broken config.

After import, select a policy group that represents your overseas path—often a select group with United States, Japan, or Singapore nodes—and confirm basic connectivity with a simple browser test. Only then should you narrow which applications may enter the tunnel. Trying to debug DNS leaks, rule order, and app lists simultaneously is how afternoons disappear.

If your provider ships rule providers and GEOIP databases, let the client update those assets on Wi-Fi. Heavy rule sets matter less for “only three overseas apps,” but stale GEOIP data still causes confusing behavior when you later widen scope. Keep the profile single-sourced: one merged override file for personal tweaks, one subscription for nodes, and avoid duplicating the same remote URL under multiple names.

4. Bypass List vs Proxy-Only Selected Apps

Android clients usually implement one of two mental models. The first is a bypass list (sometimes called “apps that do not use VPN”): everything rides the tunnel except packages you exempt. That mode suits people who want broad international coverage but already know which domestic apps are fragile—mobile banking, wallet apps, local government services, or campus portals. You tick a short list, and the rest of the system behaves like a conventional global VPN from Clash’s perspective.

The second model is stricter: only proxy selected apps (whitelist). Here, nothing enters the VPN unless you explicitly allow it. That is the right default when your priority is minimizing surprise: overseas chat clients, a browser you use for research, or a handful of store-region apps, while everything else—including background analytics you forgot about—stays on the normal network path. The trade-off is maintenance: every new app you care about must be added manually.

There is no universal winner. If you constantly install games and social apps from multiple regions, a short bypass list plus a sensible GEOIP or RULE-SET stack inside Clash may feel smoother. If you primarily worry about bank apps misfiring, start with a whitelist, prove stability for a week, then gradually widen. Document the choice in your personal notes; future you will not remember why a specific package was exempted.

5. Step-by-Step: Enable Per-App Routing

Exact labels differ, but the workflow converges. Open your Meta for Android or FlClash install and navigate to the settings area that mentions per-app, App route, or Split apps. Enable the feature globally, then choose either bypass mode or whitelist mode as described above. Android will show an alphabetical list of installed packages with icons; use search if your client provides it.

For a bypass list aimed at domestic stability, select apps that should never enter the tunnel: your bank, local payment apps, carrier tools, government ID or tax utilities, and regional streaming services that license content by country. If an app has multiple processes or helper packages, add the user-visible main package first, test, then watch the log for residual hostnames that still try to exit overseas. Some builds expose system apps in an advanced list—treat those entries carefully; exempting low-level networking helpers can have unintended effects.

For only proxy selected apps, start minimal: mark a browser you trust for international sites, the messenger you need for cross-border teams, and any app with a hard region lock. Leave everything else off until you discover a concrete need. This discipline keeps battery and cognitive load lower than importing fifty apps because they “might” be useful someday.

After selection, fully stop and restart the VPN session. Android’s VPNService lifecycle caches decisions; toggling airplane mode for a second is a blunt but effective way to confirm the new list took effect. Verify both directions: a bypassed bank app should show a domestic IP in its own diagnostics (where available), while a proxied browser should reflect your overseas node.

6. How Android Per-App Settings Interact With Clash Rules

Per-app routing on Android does not replace your profile; it gates which sockets even reach Clash. Once traffic is admitted, the usual rules array applies: DOMAIN-SUFFIX, GEOIP, PROCESS-NAME (where supported), and the final MATCH. That means you should still keep domestic shortcuts—such as sending mainland China destinations to DIRECT when appropriate—because some apps you proxy may call CDNs inside your home region for performance. The UI list is coarse; the YAML remains fine-grained.

DNS deserves a mention. If your profile uses fake-ip, domain-based rules behave differently than in redir-host modes; mobile clients may also offer per-network DNS overrides. When something “works on Wi-Fi but not LTE,” compare DNS settings and whether the carrier is forcing a resolver you did not expect. Our routing and rules reference walks through how rule order interacts with policy groups; the same discipline applies on phones, just with an extra app-selection gate at the front.

# Traffic path is not drawn to scale; illustrative only.
Android app
    → Per-app allow / bypass (VPNService)
    → Clash core (rules, policy groups)
    → Selected outbound (DIRECT or proxy)

If you mirror complex desktop setups, avoid duplicating logic in incompatible ways—for example, forcing global TUN inside the app while also expecting every domestic app to self-bypass. Pick one authoritative layer for “who enters the tunnel,” then let Clash arbitrate destinations.

7. Troubleshooting and Common Pitfalls

“I enabled per-app mode but nothing connects.” Confirm you granted VPN permission, that no other VPN profile is active, and that at least one app is allowed in whitelist mode. In bypass mode, verify you did not accidentally exempt a shared webview component your browser relies on—some OEM skins split packages oddly.

“Domestic apps still see a foreign IP.” Revisit both the per-app list and your rule stack. A banking app might spawn a helper that still routes through Clash, or it might use a captive portal check that ignores your expectations until DNS is consistent. Temporary tests with a minimal profile—few rules, one overseas group—help isolate whether the issue is gating or classification.

Battery anxiety. Whitelist modes reduce tunnel work; global modes with long bypass lists still move a lot of traffic. Combine sane refresh intervals for subscriptions with conservative logging. Turning off unnecessary sniff options you are not using can also trim CPU wakeups on mid-range devices.

Compliance and terms. Technical routing is neutral; your responsibility is to follow local laws and provider agreements. This guide improves clarity and stability—it does not endorse evading lawful restrictions or bypassing payment regions for services that prohibit it.

8. Closing Thoughts

Clash Android shines when you treat the phone as a mixed environment: some apps genuinely need an overseas path, while others assume a domestic network contract. Pairing subscription import with explicit per-app proxy, a thoughtful bypass list, or a disciplined only proxy selected apps setup keeps daily drivers predictable without surrendering the flexibility of modern Meta for Android or FlClash stacks. Compared with blunt global toggles, that layered approach is easier to reason about when something misbehaves—and easier to explain to friends who just want their bank app to work on Tuesday afternoon.

When you are ready to standardize on maintained installers and up-to-date cores across platforms, pulling builds from a single trustworthy download surface beats chasing scattered mirrors. Visit our download center for curated client links that track the ecosystem you already configured on Android, then tune per-app lists before you touch exotic YAML. → Download Clash for free and experience the difference