Open Snell.
Server, client, QUIC.

A Go implementation of the Snell proxy protocol — both sides. Full TCP wire compatibility with the official Surge snell-server, a SOCKS5 client to match, and a reverse-engineered v5 QUIC envelope so HTTP/3 traffic actually goes over QUIC end-to-end.

Read the docsAlpha featuresGitHub
install one-liner · Linux + systemd
$ bash <(curl -fsSL https://s.ee/opensnell)

Or build from source — full instructions

≈ 98%
of native C/libuv under concurrency
~ 90×
fewer read syscalls after the bufio fix
v4 + v5
TCP wire — plus QUIC server (v5)
GPL-3.0
open source, all platforms
What's in the box

Surge-pure on main, daring on alpha.

The main branch implements exactly what the official snell-server speaks. The alpha branch layers experimental, non-spec features on top — feature-flagged, opt-in, and CI-verified.

Surge-interop pure

main branch ships only what the official snell-server v5.0.1 speaks. CI verifies end-to-end against the closed-source reference binary.

QUIC proxy mode

v5 QUIC envelope reverse-engineered from real Surge HTTP/3 captures. Server decodes the first Initial packet and forwards the rest as raw QUIC.

98% of native C/libuv

A 64 KB bufio read buffer cut syscalls ~90× and closed the throughput gap to the official binary from −30% to −1.8%.

alpha

alpha: TCP Brutal

apernet/tcp-brutal congestion control pinned per-connection. Linux only, experimental, and not part of the Surge spec.

alpha

alpha: TUN inbound

Transparent capture of every new outbound TCP connection on Linux + macOS — no SOCKS5 awareness required from the application.

alpha

alpha: Fake-IP DNS

The snell server does its own (clean) DNS resolution, bypassing local ISP poisoning of names like docker.io, github.com, googlevideo.com.

How it works

The v5 QUIC envelope, in one packet.

The first UDP packet on a flow is wrapped in a snell-encrypted envelope carrying (host, port). Every subsequent packet — in either direction — is forwarded as raw QUIC. The proxy effectively disappears after packet 1.

QUIC mode deep diveFull protocol reference
QUIC envelope · client → server
[salt(16B random)]
[AEAD-Seal(K, nonce=0, header)]
[padding(padLen)]
[AEAD-Seal(K, nonce=1,
            request_header || inner_QUIC)]

# K = Argon2id(psk, salt, 3, 8 KiB, 1, 32)[:16]
# AEAD = AES-128-GCM
experimental channel

The alpha branch goes places Surge doesn't.

TCP Brutal congestion control, transparent TUN capture of every new outbound TCP connection, fake-IP DNS for clean upstream resolution. On-the-wire still 100% Surge-compatible — alpha only adds, never breaks.

Read the alpha docs

Start in one line.

The installer picks a port, generates a PSK, writes a systemd unit, and opens the firewall. About 15 seconds.

Installation guide