OpenSnell
Alpha Branch

Alpha Branch

Tracks main with experimental, non-Surge-standard extensions on top. Use main if you want interop purity; use alpha if you specifically want multi-user server mode, TUN, fake-IP DNS, tcp-brutal, or related bypass and probe controls.

The alpha branch tracks main and layers experimental features that the official Surge snell-server does not ship: currently library-level multi-user server mode, TUN inbound, fake-IP DNS, tcp-brutal congestion control, direct bypass controls, IPv6 probing, and QUIC fast-fail. If you only need Surge-compatible behavior, use main and its tagged releases. Use alpha if you specifically want the extra features documented here.

The non-negotiable baseline for alpha development is that the OpenSnell server must remain compatible with the official Surge client. Server-side experiments may add implementation details, operator hooks, or optional behavior, but they must not require a modified client, change the published Snell wire format, or break the standard Surge-client-to-OpenSnell-server path.

Alpha builds carry the same on-the-wire compatibility guarantees as stable (full interop with Surge snell-server v5.0.1 is part of CI), but the extra features below are not yet part of the official Snell spec and may be removed or reshaped without warning. Use on production systems at your own risk.

What's in alpha that isn't in main

FeatureWhere it livesPlatform
Multi-user server modeserver library API, ServerConfig.UserStore + OnAuthorizeall server platforms
tcp-brutal congestion controlserver + client, brutal = true in [snell-server]/[snell-client]Linux only
TUN inbound (transparent capture)client, [snell-tun] sectionLinux + macOS
Fake-IP DNSclient, part of the TUN inbound pipelineLinux + macOS
Direct IP / Direct Domain bypassclient, direct-ip, direct-domain, upstream-dns in [snell-tun]Linux + macOS
In-tunnel IPv6 reachability probeclient, ipv6, ipv6-probe-* in [snell-tun]Linux + macOS
QUIC fast-fail for UDP/443client, ICMP unreachable injection in TUN modeLinux + macOS

Everything else — TCP CONNECT, reuse, UDP-over-TCP, obfs, QUIC server, egress-interface, ipv6 toggle, custom upstream dns = …, TFO — is identical to main and behaves byte-for-byte the same.

Why these are alpha-only

The official Surge snell-server doesn't speak any of these. The line is principled rather than arbitrary:

  • tcp-brutal changes the kernel congestion control of every inbound TCP connection. That is a per-connection rate enforcement; it doesn't break the snell wire format, but it does break the typical "many parallel streams" workload assumption that snell is built on (snell has no mux). The semantics belong in a separate channel.
  • Multi-user server mode adds a panel/embedding API around Snell's single-PSK wire format: the server trial-decrypts the first encrypted frame against a user store, caches the winning user per client IP, and exposes the matched user to authorization hooks. There is no new user field on the wire, and the standalone INI loader still exposes only the standard single psk = ... shape.
  • TUN inbound + fake-IP DNS is a client-side concern only — it changes how the local OS funnels traffic into the snell client. The snell server sees ordinary CONNECT host:port requests. But the feature involves nftables, sing-tun, kernel route table manipulation, ICMP fast-fail behavior, dynamic bypass routes, and networksetup on macOS — none of which fit in the Surge "drop-in protocol library" mental model.

If any of these features prove stable and useful enough to graduate, they may eventually move to main. None of that is promised.

Installer integration

The one-line installer carries an --alpha flag that pulls from the rolling pre-release channel published by CI:

bash <(curl -fsSL https://s.ee/opensnell) install --alpha

The channel selection is persisted to /etc/snell/.install_meta, so subsequent update runs stay on alpha without re-passing the flag. Run install again without --alpha to switch back to stable.

Deep dives

On this page