Alpha Branch
Tracks main with experimental, non-Surge-standard extensions on top. Use main if you want interop purity; use alpha if you specifically want multi-user server mode, TUN, fake-IP DNS, tcp-brutal, or related bypass and probe controls.
The alpha branch tracks
main and layers
experimental features that the official Surge snell-server does
not ship: currently library-level multi-user server mode, TUN
inbound, fake-IP DNS, tcp-brutal congestion control, direct bypass
controls, IPv6 probing, and QUIC fast-fail. If you only need
Surge-compatible behavior, use main and its tagged releases. Use
alpha if you specifically want the extra features documented here.
The non-negotiable baseline for alpha development is that the OpenSnell server must remain compatible with the official Surge client. Server-side experiments may add implementation details, operator hooks, or optional behavior, but they must not require a modified client, change the published Snell wire format, or break the standard Surge-client-to-OpenSnell-server path.
Alpha builds carry the same on-the-wire compatibility guarantees as
stable (full interop with Surge snell-server v5.0.1 is part of CI),
but the extra features below are not yet part of the official Snell
spec and may be removed or reshaped without warning. Use on
production systems at your own risk.
What's in alpha that isn't in main
| Feature | Where it lives | Platform |
|---|---|---|
| Multi-user server mode | server library API, ServerConfig.UserStore + OnAuthorize | all server platforms |
tcp-brutal congestion control | server + client, brutal = true in [snell-server]/[snell-client] | Linux only |
| TUN inbound (transparent capture) | client, [snell-tun] section | Linux + macOS |
| Fake-IP DNS | client, part of the TUN inbound pipeline | Linux + macOS |
| Direct IP / Direct Domain bypass | client, direct-ip, direct-domain, upstream-dns in [snell-tun] | Linux + macOS |
| In-tunnel IPv6 reachability probe | client, ipv6, ipv6-probe-* in [snell-tun] | Linux + macOS |
| QUIC fast-fail for UDP/443 | client, ICMP unreachable injection in TUN mode | Linux + macOS |
Everything else — TCP CONNECT, reuse, UDP-over-TCP, obfs, QUIC server,
egress-interface, ipv6 toggle, custom upstream dns = …, TFO — is
identical to main and behaves byte-for-byte the same.
Why these are alpha-only
The official Surge snell-server doesn't speak any of these. The line
is principled rather than arbitrary:
tcp-brutalchanges the kernel congestion control of every inbound TCP connection. That is a per-connection rate enforcement; it doesn't break the snell wire format, but it does break the typical "many parallel streams" workload assumption that snell is built on (snell has no mux). The semantics belong in a separate channel.- Multi-user server mode adds a panel/embedding API around Snell's
single-PSK wire format: the server trial-decrypts the first encrypted
frame against a user store, caches the winning user per client IP, and
exposes the matched user to authorization hooks. There is no new user
field on the wire, and the standalone INI loader still exposes only
the standard single
psk = ...shape. - TUN inbound + fake-IP DNS is a client-side concern only — it
changes how the local OS funnels traffic into the snell client.
The snell server sees ordinary
CONNECT host:portrequests. But the feature involves nftables, sing-tun, kernel route table manipulation, ICMP fast-fail behavior, dynamic bypass routes, andnetworksetupon macOS — none of which fit in the Surge "drop-in protocol library" mental model.
If any of these features prove stable and useful enough to graduate,
they may eventually move to main. None of that is promised.
Installer integration
The one-line installer carries an --alpha flag that pulls from the
rolling pre-release channel published by CI:
bash <(curl -fsSL https://s.ee/opensnell) install --alphaThe channel selection is persisted to /etc/snell/.install_meta, so
subsequent update runs stay on alpha without re-passing the flag.
Run install again without --alpha to switch back to stable.
Deep dives
Multi-user server mode
How the server authenticates multiple user PSKs without changing the Snell wire format, where the LRU hot path lives, and what policy hooks embedders can use today.
TCP Brutal congestion control
Per-connection rate-pinned CC. Why it helps on high-loss long-fat paths, and the multiplex trap that makes it a footgun on snell.
TUN mode
Transparent capture of every new outbound TCP connection on the box, plus direct bypass controls, IPv6 probing, and QUIC fast-fail. Linux uses nftables + sing-tun; macOS uses an utun device + DNS service override.
Fake-IP DNS
Why the snell server resolves your hostnames instead of your local
OS, how the userspace fake-IP server hands out 198.18.128.0/17
shadow addresses, and how Direct Domains get real records instead.
v5 vs v6 against the GFW
Is Snell v6 actually safer than v5 against the Great Firewall? An honest, axis-by-axis answer — v6's per-deployment diversity defeats protocol-class fingerprinting, but it shares v5's non-TLS / no-replay fundamentals.
Multi-User Server Mode
How alpha-branch OpenSnell authenticates multiple users on one server without changing the Snell wire format.