How to Use Shadowrocket on iPhone

Shadowrocket is a powerful, rule-based proxy utility for iPhone and iPad that gives you granular control over how each app or website on your device reaches the internet. 

‍

Instead of sending everything through a single “on/off” VPN tunnel, Shadowrocket lets you create smart routing policies, so Netflix goes one way, banking apps go another, ad/tracker domains get blocked locally, and developer tooling can pipe through a specific SOCKS5/HTTP proxy. 

‍

Its core feature set includes request capture, rule-driven routing (domain/keyword/CIDR/GEOIP), traffic measurement, and importing configs from a URL or iCloud.

‍

What Is Shadowrocket?

‍

Shadowrocket is a rule-based proxy client for iPhone and iPad that can capture outbound HTTP/HTTPS/TCP traffic and route it based on rules you define (domain, keyword, CIDR IP ranges, GEOIP, and more). It can also record and display DNS/HTTP(S) requests, measure usage and speed, block by user-agent/domain, and import configuration files from a URL or iCloud Drive. 

‍

Most consumer VPN apps offer a single tunnel for all traffic. Shadowrocket uses Apple’s VPN framework to enable per-destination logic, letting you mix DIRECT/PROXY/REJECT behaviors in one configuration, with a “first-match wins” evaluation model common to modern rule engines.

‍

Why Use Shadowrocket With a Proxy?

‍

Now that you know what Shadowrocket is, the next question is why you’d pair it with a proxy in the first place. From geo-testing and privacy to precise, per-app routing, using a proxy unlocks the real power of Shadowrocket’s rule engine - so you only tunnel what you must and keep everything else fast and direct.

‍

Bypass Geo-Restrictions and Censorship

‍

Marketers, QA teams, and researchers often need to see exactly what users in another region see. With Shadowrocket, you can route only the necessary domains or apps via a regional proxy while keeping everything else direct, much cleaner than toggling full-device VPNs.

‍

Improve Anonymity and Online Privacy

‍

Routing select traffic through trusted HTTP(S)/SOCKS5 endpoints can reduce the amount of trackable information exposed to third parties. Combined with rule-level blocking of trackers, you can meaningfully cut network-level surveillance. (As always, privacy depends on the provider’s logging policy.)

‍

Customize Traffic Routing via Proxy Rules

‍

This is Shadowrocket’s superpower: fine-grained rules. You can write policies like “send *.example.com via Proxy-Tokyo, let banking domains go DIRECT, block certain ad hosts,” and set a clear FINAL default for unmatched traffic. The app natively supports domain/keyword/CIDR/GEOIP matching and per-rule actions. 

‍

How to Set Up Shadowrocket on iPhone

‍

Below is a clean, battle-tested workflow that takes you from zero to fully customized routing on iOS. The exact UI labels may change slightly with updates, but the core flow remains the same.

‍

Step 1 – Install Shadowrocket from the App Store

‍

1. Open the App Store on your iPhone/iPad and search for “Shadowrocket” (publisher: Shadow Launch Technology Limited).
   
   
2. Purchase/download and allow installation to complete.
   
   
3. On first launch, grant the app the network permissions it needs to create and manage the local VPN profile used for traffic redirection.
   
   

Availability varies by country. The app has been removed from the mainland China App Store, so users there typically use a non-mainland Apple ID to download it from another region. Always check your regional App Store listing first for current status.

‍

Shadowrocket has Mac compatibility on Apple Silicon (M-series) with macOS 11+; if you have an M1/M2 or newer Mac, you can install it there from the Mac App Store. (Intel Macs are not supported.)

‍

Step 2 – Add a Proxy Server (Shadowrocket Server Setup)

‍

You can add HTTP, HTTPS, or SOCKS5 proxies directly.

‍

1. Open Shadowrocket → Servers (or the main screen) → tap “+”
   
   
2. Choose Type:
   
   
   • HTTP/HTTPS – common for provider endpoints; typically requires username/password.
     
     
   • SOCKS5 – popular for residential/mobile proxies and dev tunnels.
     
     
3. Enter:
   
   
   • Host/IP (e.g., proxy.example.com)
     
     
   • Port (e.g., 10000)
     
     
   • Username/Password if required
     
     
4. Save.

‍

Integrating with Floxy (recommended)

‍

Floxy provides ready-to-use endpoints for multiple proxy types with both HTTP and SOCKS5 ports, plus rotating and sticky session options. Shadowrocket plugs into these with standard user/pass auth. Key points you’ll use while adding a server:

‍

• Supported credential formats (you’ll get one of these from Floxy; plug into Shadowrocket as Host/Port/Username/Password):
  
  
  • ip:port:user:pass
    
    
  • user:pass@ip:port
    
    
• Common Floxy endpoints & ports (choose the pair that matches your plan):
  
  
  • Residential: residential.floxy.io  -  HTTP 5959, SOCKS5 9595
    
    
  • Mobile: mobile.floxy.io  -  HTTP 8000, SOCKS5 8001
    
    
  • Dedicated Datacenter: datacenter-{country}.floxy.io (e.g., datacenter-us.floxy.io)  -  HTTP 1338, SOCKS5 1339
    
    
  • IPv6: ipv6.floxy.io  -  HTTP 1001, SOCKS5 999
    
    
• Rotating vs. Sticky sessions (how the exit IP behaves):
  
  
  • Rotating: new IP per request; simplest to start with.
    
    
  • Sticky: same IP for a set time; append a session ID (10-char alphanumeric) and TTL to your username as shown below. (TTL unit varies by product, see examples.)

‍

Examples (replace username, password, and session values):

‍

1. Residential – Rotating (any location, HTTP):
   Host: residential.floxy.io  -  Port: 5959
   Username: username-res-any
   Password: password
   
   
2. Residential – Specific city (HTTP):
   Host: residential.floxy.io  -  Port: 5959
   Username: username-res_sc-us_california_losangeles
   Password: password
   (Location strings are lowercase with underscores: country_state_city.)
   
   
3. Residential – Sticky session (HTTP, TTL in seconds):
   Host: residential.floxy.io  -  Port: 5959
   Username: username-res_sc-us_california-lsid-ABc123xyZ9-ttl-600
   Password: password
   (Keeps the same IP for ~600 seconds ≈ 10 minutes.)
   
   
4. Mobile – Country + ASN (HTTP, rotating):
   Host: mobile.floxy.io  -  Port: 8000
   Username: username-country-US-asn-310150-package-mobile
   Password: password
   (Use Floxy’s Countries/ASNs list to choose values.)
   
   
5. Mobile – Sticky session (HTTP, TTL in minutes):
   Host: mobile.floxy.io  -  Port: 8000
   Username: username-country-US-asn-310150-session-ABc123xyZ9-time-5-package-mobile
   Password: password
   
   
6. Dedicated Datacenter – Rotating (HTTP):
   Host: datacenter-us.floxy.io  -  Port: 1338
   Username: username
   Password: password
   
   
7. Dedicated Datacenter – Sticky (HTTP, TTL in minutes):
   Host: datacenter-us.floxy.io  -  Port: 1338
   Username: username-session-ABc123xyZ9-ttl-10
   Password: password

How to choose HTTP vs. SOCKS5:

‍

Shadowrocket supports both. Use HTTP unless your workflow explicitly needs SOCKS5 (some dev tools do). Just pick the matching port from the list above. 

‍

Most reputable providers will show your host, port, and credentials in their dashboard and often offer variants for rotating or sticky sessions. Shadowrocket’s App Store listing confirms support for these proxy types and rule-controlled routing.

‍

Labeling tip: If your provider supports country/city targeting or sticky sessions, label servers accordingly (SOCKS5-US-Sticky, HTTP-DE-Rotating). The app shows friendly names in the list, which makes manual switching painless.

‍

Step 3 – Enable Proxy and Test Connection

‍

1. From Home, toggle the Shadowrocket on/off switch to connect the managed VPN profile.
   
   
2. Select a server from your list to route against temporarily (we’ll apply rules next).
   
   
3. Use Shadowrocket’s speed/latency test to compare endpoints.
   
   
4. Open Safari and visit an IP checker to confirm your public IP/geo matches the selected proxy.
   
   
5. Open Logs to see which domains resolve and how they’re routed - vital for validating rules.
   
   

Shadowrocket’s feature set includes measuring network speed/usage and recording DNS/HTTP(S) requests for inspection which is exactly what you need for validation.

‍

Step 4 – Apply Rules to Customize Proxy Use

‍

This is where you teach Shadowrocket what to proxy, where, and when.

‍

1. Go to Config (or Rules).
   
   
2. Choose a routing strategy:
   
   
   
   • Allow-list proxying: Only specified targets go through the proxy; everything else is DIRECT.
     
     
   • Deny-list proxying: Most traffic goes via proxy; exceptions go DIRECT (useful for banking or low-latency services).
     
     
   • Hybrid: Mix and match (e.g., direct for local/enterprise subnets, proxy for geo-test domains, block known trackers).
     
     
3. Add rules in top-to-bottom order - the first match wins. For example:

‍

[Rule]
# Direct for local subnets & loopback
IP-CIDR,10.0.0.0/8,DIRECT
IP-CIDR,172.16.0.0/12,DIRECT
IP-CIDR,192.168.0.0/16,DIRECT
IP-CIDR,127.0.0.0/8,DIRECT

‍
# Keep Apple services direct (optional)
DOMAIN-SUFFIX,apple.com,DIRECT
DOMAIN-SUFFIX,icloud.com,DIRECT
‍

‍# Route a test domain via the Tokyo proxy label
DOMAIN-SUFFIX,example-geo-test.com,PROXY_TOKYO
‍

‍# Block a sample ad host
DOMAIN,ads.example.net,REJECT
‍

‍# Fallback: anything unmatched goes DIRECT (or PROXY)
FINAL,DIRECT

‍

Shadowrocket supports DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD, IP-CIDR, GEOIP, user-agent blocking, and more. Rule lists can be imported from a URL or iCloud, and ordering is critical because evaluation stops at the first match.

‍

“Shadowrocker rules” (sic) are the same thing, people sometimes misspell the app’s name when searching for rule recipes.

‍

Understanding Shadowrocket Rules and Configuration

‍

With your first server connected, it’s time to turn Shadowrocket from a simple tunnel into a smart traffic director. This section breaks down the rule types, order of evaluation, and import options you’ll use to shape exactly where and how your iPhone’s traffic flows.

‍

Rule Types (DOMAIN, IP-CIDR, GEOIP, etc.)

‍

Common matchers you’ll use daily:

‍

• DOMAIN – exact hostname (e.g., api.example.com)
  
  
• DOMAIN-SUFFIX – any host ending with that suffix (e.g., example.com covers www.example.com, cdn.eu.example.com)
  
  
• DOMAIN-KEYWORD – hosts containing a keyword (e.g., -KEYWORD,ads,REJECT)
  
  
• IP-CIDR – outbound connections to an IP range in CIDR notation (203.0.113.0/24)
  
  
• GEOIP – match by country based on IP geolocation (GEOIP,US,PROXY)
  
  
• USER-AGENT – optional match on client UA for advanced ad-blocking/troubleshooting
  
  
• FINAL – mandatory catch-all at the bottom
  
  

The App Store feature list explicitly notes domain, suffix, keyword, CIDR, and GEOIP rules, along with ad/user-agent blocking and local DNS mapping.

‍

Rule order matters. Shadowrocket (and similar rule engines) evaluate rules top-down and first match wins, so keep more specific rules above broad ones and end with an explicit FINAL.

‍

Importing Rule Lists

‍

You don’t have to write everything yourself. You can import curated lists (ad/tracker blocks, regional exceptions, streaming configs, etc.) via URL or iCloud Drive, then adapt them.

‍

How to import:

‍

1. Find a reputable rule list (your company repo, a trusted community source, or your own curated set).
   
   
2. Copy the raw URL to the config file.
   
   
3. In Shadowrocket, go to Config → Add/Import from URL and paste the link.
   
   
4. After import, inspect the rules, especially anything that could break critical apps.
   
   

Example (excerpt adapted from common community patterns):

‍

[Rule]
DOMAIN-SUFFIX,local,DIRECT
IP-CIDR,10.0.0.0/8,DIRECT
IP-CIDR,100.64.0.0/10,DIRECT
IP-CIDR,127.0.0.0/8,DIRECT
IP-CIDR,172.16.0.0/12,DIRECT
IP-CIDR,192.168.0.0/16,DIRECT
GEOIP,CN,DIRECT
FINAL,PROXY

‍

This routes private subnets DIRECT, exempts a country code, and finally sends everything else to PROXY, illustrating how many lists are structured.

‍

Security tip: Treat third-party rule lists as code. Review them before enabling; prefer pinned/verified sources.

‍

Auto-Proxy and Direct Mode

‍

Two useful patterns:

‍

• Auto-Proxy (Smart Routing): Your rules decide what’s proxied or not, minimizing latency and proxy bandwidth.
  
  
• Direct Mode: Temporarily bypass proxying for debugging or when you’re on a trusted network.
  
  

Set fallback behavior if a proxy fails - e.g., try a secondary label, or drop to DIRECT to preserve connectivity. The rule-driven model plus measurement/logging make these strategies practical.

‍

Real-World Rule Examples

‍

These snippets solve common needs. Replace PROXY_US, PROXY_TOKYO, etc., with your server labels.

‍

1) Only Route Test Domains via Proxy, Everything Else Direct

‍

[Rule]
# Local networks direct
IP-CIDR,10.0.0.0/8,DIRECT
IP-CIDR,172.16.0.0/12,DIRECT
IP-CIDR,192.168.0.0/16,DIRECT
‍

# Route specific QA targets
DOMAIN-SUFFIX,example-geo-test.com,PROXY_TOKYO
DOMAIN-SUFFIX,another-test.net,PROXY_US
‍

# Everything else direct
FINAL,DIRECT

‍

2) Global Proxy Except for Banking and Local Networks

‍

[Rule]
# RFC1918 direct
IP-CIDR,10.0.0.0/8,DIRECT
IP-CIDR,172.16.0.0/12,DIRECT
IP-CIDR,192.168.0.0/16,DIRECT
‍

# Keep banking off VPN/proxy
DOMAIN-SUFFIX,mybank.com,DIRECT
DOMAIN-SUFFIX,securebanking.net,DIRECT
‍

# Default to proxy
FINAL,PROXY_US

‍

3) Block Trackers, Proxy Streaming, Direct the Rest

‍

[Rule]
# Block some trackers (examples)
DOMAIN-KEYWORD,adservice,REJECT
DOMAIN-KEYWORD,tracker,REJECT
‍

‍# Send streaming/CDN hosts through a regional proxy
DOMAIN-SUFFIX,streaming.example.co.uk,PROXY_LONDON
DOMAIN-SUFFIX,cdn.streaming.example.co.uk,PROXY_LONDON
‍

‍# Default
FINAL,DIRECT

‍

Shadowrocket Alternatives for Other Devices

‍

Shadowrocket shines on iOS (and Apple Silicon Macs), but teams often need the same routing logic on desktops or mixed environments. Here’s how to get comparable results on Windows and Intel Macs, and where a cross-platform proxy provider like Floxy fits into the picture.

Windows: No Native Shadowrocket (Use Alternatives)

‍

There’s no official Shadowrocket for Windows. You’ll find unofficial ports and third-party clients using other cores (e.g., V2Ray/Xray), but they aren’t first-party applications. On Windows, consider system-wide proxy clients (Proxifier-style), per-app proxy settings, or your proxy provider’s tooling.

‍

If you’re primarily after reliable HTTP/HTTPS/SOCKS5 endpoints with geotargeting (residential, mobile, ISP, datacenter), Floxy provides the endpoints you can plug into Windows tools, browsers, or automation scripts the same way you do on iOS.

‍

macOS: Apple Silicon Support (M-series)

‍

The App Store now lists Mac compatibility for Apple Silicon (M1/M2+) with macOS 11+. If you have an M-series Mac, you can install Shadowrocket and reuse your iOS rule logic. If you’re on an Intel Mac or can’t see the app in your region, use alternative macOS proxy clients, browser-level proxies, or your provider’s SDK/API.

‍

Use HTTP/SOCKS5 endpoints with Shadowrocket on Apple Silicon, or with per-app proxy settings on Intel Macs. Providers like Floxy have large proxy networks and developer-friendly APIs that you can also script on desktop.

‍

If you need a cross-platform proxy source that works cleanly with Shadowrocket, Floxy is worth a look. With a large pool (30M+ residential, 500K+ datacenter/ISP), 200+ locations, and 195+ countries, you are sure to fit all your use cases and needs. Floxy offers Residential, Mobile, ISP (static residential), and Datacenter proxies. Prices range from $1.85/IP for ISP to $3/GB for residential/mobile proxies.

‍

Troubleshooting Shadowrocket Proxy Issues

‍

Here are some of the common Shadowrocket proxy issues and solutions. 

‍

Can’t Connect to Proxy Server

‍

• Double-check host/port/auth with your provider’s dashboard.
  
  
• Ensure your subscription is active and your IP is allow-listed if required.
  
  
• Match the proxy type (HTTP vs HTTPS vs SOCKS5).
  
  
• Test a different endpoint; some providers rotate or temporarily throttle.
  
  

App Doesn’t Route Through Proxy

‍

• Confirm Shadowrocket is enabled (VPN icon visible).
  
  
• Open Logs to see which rule matched a request. If it says DIRECT, your rule order likely needs tweaking.
  
  
• Ensure your FINAL rule does what you intend (many imports default to DIRECT).
  
  
• If you imported a large list, add your specific rules above it to override.
  
  

DNS or SSL Errors

‍

• If you use custom DNS, try reverting to system DNS to isolate the issue.
  
  
• For SSL errors on strict apps (banking, corporate), consider routing them DIRECT.
  
  

Battery or Performance Concerns

‍

• Rule-based routing is efficient, but heavy logging can consume resources. Turn off verbose logs when not needed.
  
  
• Favor nearby servers for latency-sensitive traffic.

‍

Conclusion

‍

Shadowrocket turns your iPhone into a programmable network edge. Whether you’re a developer, marketer, QA engineer, researcher, or privacy-minded user, Shadowrocket’s rule-based approach delivers a level of control traditional VPNs rarely offer. 

‍

Pair it with a solid provider like Floxy (cross-platform endpoints, HTTP/SOCKS5, global coverage, and developer APIs) and iterate on your rules until everything is fast, stable, and auditable, across iPhone and Apple Silicon Mac today, with sensible alternatives on Windows and Intel Macs.

‍

Frequently Asked Questions

‍

Is Shadowrocket the same as a VPN?

‍

It uses Apple’s VPN framework to route traffic, but rather than a single tunnel, Shadowrocket’s strength is rule-based routing - you decide what goes where (and what gets blocked). The ability to capture traffic and apply domain/keyword/CIDR/GEOIP rules is part of the official feature list.

‍

Can I import someone else’s big rule list and be done?

‍

You can - many do, but make sure to audit it first. Third-party lists may over-block, break logins, or route the wrong regions. Start small and iterate.

‍

What about GEOIP rules? Are they accurate?

‍

They’re generally good enough for routing. For mission-critical targeting, validate with multiple IP/Geo checkers and your provider’s tooling.

‍

Does Shadowrocket work on iPad?

‍

Yes, iPad is supported (designed for iPad per the App Store page).

‍

Is there Shadowrocket for Windows?

‍

Not officially. You’ll find third-party/clone clients built on other cores, but there’s no first-party Windows app. Use alternatives or system-wide/per-app proxy tools with your provider’s endpoints.

‍

Does Shadowrocket work on Mac?

‍

Yes - on Apple Silicon (M-series) Macs with macOS 11+) per App Store compatibility. If it doesn’t appear in your region or you’re on Intel, use another proxy client or per-app proxy settings.

‍

Why can’t I find Shadowrocket in my country’s App Store?

‍

Availability varies. It’s not available on the mainland China App Store; users there typically use a non-mainland Apple ID. Check your region’s listing.