Mihomo TUN Mode No Network: Ip_forward and UFW Forward Policy

When mihomo runs in TUN mode (stack: system, auto-route: true), starting it kills all network connectivity, including SSH. The problem isn’t the mihomo config — it’s two system forwarding settings that are off.

Cause

stack: system makes mihomo rely on the kernel network stack to forward TUN traffic. auto-route: true takes over the default route and funnels all traffic through the TUN interface. But the kernel needs two things to forward:

  1. net.ipv4.ip_forward must be 1
  2. The firewall forward chain must not DROP

Arch Linux defaults to ip_forward=0, and UFW defaults to DEFAULT_FORWARD_POLICY="DROP". Both block forwarding, so traffic enters the TUN and goes nowhere.

Fix

Enable ip_forward:

echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-mihomo.conf
sudo sysctl -p /etc/sysctl.d/99-mihomo.conf

Set UFW forward to ACCEPT:

sudo sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
sudo ufw reload

Start mihomo after that.
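As an added pre-flight check, not from this page or the mihomo project, the following POSIX shell script verifies both prerequisites before mihomo is started: the live ip_forward value (read from /proc/sys/net/ipv4/ip_forward, which reflects what sysctl -p applied) and the effective DEFAULT_FORWARD_POLICY in the UFW defaults file. The file paths are parameters (defaulting to the real system paths) so the checks can also be run against copies of the files.

```shell
#!/bin/sh
# Hypothetical pre-flight check for mihomo TUN mode (stack: system).
# Exit status 0 only when both kernel-forwarding prerequisites hold.

# Succeeds when the sysctl file holds "1". Returns 2 if the file is unreadable.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || return 2
    val=$(tr -d '[:space:]' < "$f")
    [ "$val" = "1" ]
}

# Prints the effective DEFAULT_FORWARD_POLICY from a ufw defaults file.
# Commented lines are ignored and the last assignment wins, matching how
# the shell would source the file. Prints nothing if no assignment is found.
ufw_forward_policy() {
    f="${1:-/etc/default/ufw}"
    [ -r "$f" ] || return 2
    grep -E '^[[:space:]]*DEFAULT_FORWARD_POLICY=' "$f" \
        | tail -n 1 \
        | sed -E 's/^[^=]*=//; s/^"//; s/"$//'
}

# Runs both checks, prints a line per check, and returns 1 if either fails.
# $1: ip_forward file (optional), $2: ufw defaults file (optional).
tun_preflight() {
    ok=0
    if ip_forward_enabled "$1"; then
        echo "ip_forward: 1 (ok)"
    else
        echo "ip_forward: not 1 -> set net.ipv4.ip_forward = 1"
        ok=1
    fi
    policy=$(ufw_forward_policy "$2" || true)
    case "$policy" in
        ACCEPT) echo "ufw forward policy: ACCEPT (ok)" ;;
        *)      echo "ufw forward policy: ${policy:-unknown} -> TUN traffic will be dropped"
                ok=1 ;;
    esac
    return $ok
}

# Check the live system (uncomment to run on the host before starting mihomo):
# tun_preflight
```

Note that DEFAULT_FORWARD_POLICY is UFW's default for forwarding on every interface, not only the TUN one, so the check reports the policy rather than anything specific to mihomo's interface.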

Alternative

If you don’t want to change system forwarding settings, switch tun.stack from system to gvisor in config.yaml. gvisor handles TCP/IP in userspace without relying on kernel forwarding, at a slight performance cost.