sirfetch-d/codex-proxy

codex-proxy is a small macOS shell script that launches OpenAI's Codex desktop app with a proxy configuration applied, so that all of Codex's network traffic, including WebSocket connections, flows through a local Clash proxy. Clash is a popular proxy client used in mainland China and elsewhere to route traffic through custom rules and remote servers. The motivation is specific. On macOS with Clash running, system-level proxy settings only catch HTTP traffic by default. WebSocket connections do not go through the system proxy unless Clash's TUN mode is enabled. TUN mode creates a virtual network interface that captures all traffic for the whole machine, but it is global, so it affects every app, not just Codex. The Codex desktop app uses WebSocket for two things: the remote-connection feature that lets the ChatGPT mobile app talk to the desktop, and its preferred low-latency channel to OpenAI's backend. When WebSocket cannot reach OpenAI, the README notes that Codex shows Reconnecting 1/5 through 5/5, waiting about 15 seconds per retry, before falling back to plain HTTP. The cumulative wait can reach 75 seconds or more. codex-proxy sidesteps the global TUN approach. It launches Codex.app with HTTP_PROXY, HTTPS_PROXY, and ALL_PROXY environment variables set to point at the Clash listener (default 127.0.0.1:7890). Because these environment variables are inherited only by the Codex process, only Codex's traffic goes through the proxy. Every other GUI app on the machine keeps its original network configuration. Usage is five subcommands: codex-proxy start launches the app with proxy variables set, after first killing any existing Codex process so there is no leftover non-proxied instance, and stop, restart, status, and log do what they say. Logs are written to ~/Library/Logs/codex-proxy.log. Configuration is through environment variables you can put in your .zshrc: CODEX_APP for a custom app path, CODEX_HTTP_PROXY, CODEX_ALL_PROXY for a SOCKS5 endpoint, and CODEX_NO_PROXY for hosts that should bypass the proxy. The prerequisites are macOS, any Clash-compatible client like Clash, Clash Verge, or ClashX, and the default Clash port 7890. The license is MIT.