Clash External Dashboard: Setup & Usage Guide

Published by Clash Official Site. GUI clients handle most daily needs, but when you need to view live connections, diagnose which rule matched which node, or run Mihomo headlessly on a server, the External Controller becomes indispensable. Via a RESTful API, third-party web dashboards (like YACD and metacubexd) can render traffic, logs, and policy group status in your browser — becoming an "operations dashboard" for power users. This article covers how to securely enable external control and use the Dashboard to manage Clash efficiently.

What Is the External Control API

Mihomo / Clash Meta listens on a local or LAN HTTP API port (default 9090), exposing query and control endpoints: read config, switch egress, run speed tests, view connection list, close connections, etc. Many operations in GUI clients are actually executed through this same API under the hood.

A web dashboard doesn't embed inside the core — it's a frontend that connects to the API and visualizes the data. So as long as the API address and secret are configured correctly, you can manage a core instance running on a PC, soft router, or VPS from any device's browser.

The external controller is the "remote control" and the Dashboard is the "screen on the remote" — first open the API, then pair the panel.

Basic Configuration Example

Add external-controller and an optional secret at the top level of your YAML config:

external-controller: 127.0.0.1:9090
secret: "your-random-secret"
external-ui: ./dashboard

127.0.0.1 means localhost-only access — the safest default. To allow management from other devices on the LAN, change to 0.0.0.0:9090, but you must set a sufficiently complex secret and restrict source IPs in your firewall.

Some distributions support external-ui to point to a bundled static dashboard directory. You can also use independently hosted YACD / metacubexd — just enter the API address and secret in the panel settings to connect.

Popular Web Dashboards

• YACD: Classic lightweight panel — connection list, rule testing, policy group switching. Works great on desktop browsers.
• metacubexd: Optimized for the Meta core — modern UI, mobile-friendly, covers logs, connections, and config preview.
• Clash Verge Rev built-in page: Some clients include an integrated dashboard entry, which still connects to the local API underneath.

To connect, enter http://127.0.0.1:9090 (or your server IP) in the panel and fill in the secret from your config. Once connected, you'll see real-time upload/download rates and active connection counts.

What Dashboard Can Do for You

Connections & Log Diagnostics

The "Connections" page lists all active TCP/UDP sessions, showing target domain, matched rule, policy group, and node. When a site isn't loading, you can usually spot in one glance whether the rule is sending it direct or if the node is timing out. Combine with the "Logs" page at debug level to trace DNS resolution and rule matching details.

Policy Groups & Speed Testing

Switch "Node Selection" or trigger url-test directly in the panel without returning to the main client. For cores running on remote servers, this means you can swap nodes from your phone's browser — no SSH required.

Rule Testing

Some panels offer a Rule Test tool — enter a domain or IP to simulate match results and verify whether a new rule correctly sends traffic to DIRECT or PROXY. Far more efficient than making config changes blindly.

Security Notes

Unauthorized API access is equivalent to full exposure of your proxy control. Always follow these principles:

1. For local use, bind to 127.0.0.1 and avoid exposing to the public internet.
2. Always set a strong secret and use HTTPS or TLS reverse proxy for panel connections (recommended for production).
3. If opening port 9090 on a VPS, use firewall rules to restrict to your own IP, or access via SSH tunnel.
4. Never use an open, secretless API on public networks — others could consume your bandwidth or tamper with egress.

CLI Core + Dashboard Typical Workflow

On a Linux server running Mihomo, a common setup is systemd running the core in the background + YACD in the browser. After starting the core, run SSH port forwarding locally: ssh -L 9090:127.0.0.1:9090 user@server, then open the panel in your local browser and connect to the remote API — the management port never needs to be exposed to the internet.

Summary

External control and web Dashboard turn Clash from a "black-box client" into an observable, debuggable system. Most users won't open the panel every day, but when diagnosing rules, optimizing nodes, or remotely managing a server core, it's an irreplaceable tool. Correctly configuring the listening address and secret is the prerequisite for enjoying the convenience while maintaining security.

For a full local client experience, visit the official download page. For first-time config, follow the setup guide to complete subscription import and enable system proxy.

Related Articles

• Clash DNS Configuration Guide
• Proxy Protocols Compared: SS, VMess, Trojan
• Clash Rule Provider Guide
• Load Balancing & Failover: Policy Groups