Introduction
A Go implementation of the Snell proxy protocol — full TCP wire compatibility with the official Surge snell-server, plus a reverse-engineered QUIC proxy mode.
OpenSnell is a Go implementation of the Snell proxy protocol,
versions 4 and 5 — server-side and client-side, with end-to-end
interoperability against the official Surge snell-server v5.0.1 verified
for every code path it implements.
Snell v5's UDP/QUIC proxy mode is supported on the server only; pair it with the Surge client (or any other v5-capable client) when you need HTTP/3 acceleration for downstream applications.
Snell v6? It is fully reverse-engineered and reimplemented in Go — byte-for-byte identical to the official server — but kept closed-source. See Snell v6 for what changed over v5 and how to run it today.
Two branches, one wire format
OpenSnell ships two parallel branches:
main (stable)
Interop-pure with the official Surge snell-server. Use this if you
just want a drop-in replacement.
alpha (experimental)
Tracks main and layers features Surge does not ship — currently
multi-user server mode, tcp-brutal congestion control, TUN inbound
capture, and fake-IP DNS.
Both branches keep full on-the-wire compatibility with Surge
snell-server v5.0.1 — alpha only adds features, it never breaks
existing ones.
Feature matrix
| Path | snell-server | snell-client |
|---|---|---|
| TCP CONNECT | ||
TCP CONNECT with reuse (CommandConnectV2) | ||
| UDP-over-TCP (snell datagram) | ||
http / tls obfs | ||
| Dynamic Record Sizing (v5) | ||
egress-interface (v5) | — | |
ipv6 outbound family toggle (v5) | — | |
Custom upstream DNS (dns = …) | — | |
| TCP Fast Open (Linux only) | ||
| Multi-user server mode (alpha branch, library API) | per-user PSK | |
| QUIC proxy mode (v5) | use Surge | |
tcp-brutal CC (alpha branch, Linux only) | ||
| TUN inbound with fake-IP DNS (alpha branch, Linux + macOS) | — |
Why no v1 / v2 / v3?
OpenSnell deliberately drops support for the older Snell protocols.
Their stream framing predates the v4 padding/AEAD redesign and is at
this point trivially fingerprintable on the wire — traffic patterns of
v1/v2/v3 no longer reliably traverse the GFW and they generally are not
recommended for new deployments. If you have a legacy v1/v2 setup you
cannot retire yet, the sibling project
open-snell (and its forks) still
implements those versions; this codebase focuses on the v4/v5 wire
that the current Surge snell-server speaks.
Interop verification
Tested against snell-server v5.0.1 (Nov 19 2025):
| Path | Result |
|---|---|
| Our client → real server, TCP | 10/10 |
| Our client → real server, UDP-over-TCP | DNS round-tripped |
| Our client → real server, reuse | 30 sequential + 20 parallel |
| Our server, QUIC mode, real Surge envelope | unit test on a real capture |
| HTTP/3 → our server → Cloudflare | 5/5 (ip= echoes our server, sni=plaintext) |