Introduction
A Go implementation of the Snell proxy protocol — full TCP wire compatibility with the official Surge snell-server, plus a reverse-engineered QUIC proxy mode.
OpenSnell is a Go implementation of the Snell proxy protocol,
versions 4 and 5 — server-side and client-side, with end-to-end
interoperability against the official Surge snell-server v5.0.1 verified
for every code path it implements.
Snell v5's UDP/QUIC proxy mode is supported on the server only; pair it with the Surge client (or any other v5-capable client) when you need HTTP/3 acceleration for downstream applications.
Two branches, one wire format
OpenSnell ships two parallel branches:
main (stable)
Interop-pure with the official Surge snell-server. Use this if you
just want a drop-in replacement.
alpha (experimental)
Tracks main and layers features Surge does not ship — currently
tcp-brutal congestion control, TUN inbound capture, and fake-IP DNS.
Both branches keep full on-the-wire compatibility with Surge
snell-server v5.0.1 — alpha only adds features, it never breaks
existing ones.
Feature matrix
| Path | snell-server | snell-client |
|---|---|---|
| TCP CONNECT | ✅ | ✅ |
TCP CONNECT with reuse (CommandConnectV2) | ✅ | ✅ |
| UDP-over-TCP (snell datagram) | ✅ | ✅ |
http / tls obfs | ✅ | ✅ |
| Dynamic Record Sizing (v5) | ✅ | ✅ |
egress-interface (v5) | ✅ | — |
ipv6 outbound family toggle (v5) | ✅ | — |
Custom upstream DNS (dns = …) | ✅ | — |
| TCP Fast Open (Linux only) | ✅ | ✅ |
| QUIC proxy mode (v5) | ✅ | use Surge |
tcp-brutal CC (alpha branch, Linux only) | ✅ | ✅ |
| TUN inbound with fake-IP DNS (alpha branch, Linux + macOS) | — | ✅ |
Why no v1 / v2 / v3?
OpenSnell deliberately drops support for the older Snell protocols.
Their stream framing predates the v4 padding/AEAD redesign and is at
this point trivially fingerprintable on the wire — traffic patterns of
v1/v2/v3 no longer reliably traverse the GFW and they generally are not
recommended for new deployments. If you have a legacy v1/v2 setup you
cannot retire yet, the sibling project
open-snell (and its forks) still
implements those versions; this codebase focuses on the v4/v5 wire
that the current Surge snell-server speaks.
Interop verification
Tested against snell-server v5.0.1 (Nov 19 2025):
| Path | Result |
|---|---|
| Our client → real server, TCP | ✅ 10/10 |
| Our client → real server, UDP-over-TCP | ✅ DNS round-tripped |
| Our client → real server, reuse | ✅ 30 sequential + 20 parallel |
| Our server, QUIC mode, real Surge envelope | ✅ unit test on a real capture |
| HTTP/3 → our server → Cloudflare | ✅ 5/5 (ip= echoes our server, sni=plaintext) |