Alpha Branch
Tracks main with experimental, non-Surge-standard extensions on top. Use main if you want interop purity; use alpha if you specifically want TUN, fake-IP DNS, tcp-brutal, or related bypass and probe controls.
The alpha branch tracks main and layers
experimental features that the official Surge snell-server does
not ship: currently TUN inbound, fake-IP DNS, tcp-brutal congestion
control, direct bypass controls, IPv6 probing, and QUIC fast-fail. If
you only need Surge-compatible behavior, use main and its tagged
releases. Use alpha if you specifically want the extra features
documented here.
Alpha builds carry the same on-the-wire compatibility guarantees as
stable (full interop with Surge snell-server v5.0.1 is part of CI),
but the extra features below are not yet part of the official Snell
spec and may be removed or reshaped without warning. Use on
production systems at your own risk.
What's in alpha that isn't in main
| Feature | Where it lives | Platform |
|---|---|---|
| tcp-brutal congestion control | server + client, brutal = true in [snell-server]/[snell-client] | Linux only |
| TUN inbound (transparent capture) | client, [snell-tun] section | Linux + macOS |
| Fake-IP DNS | client, part of the TUN inbound pipeline | Linux + macOS |
| Direct IP / Direct Domain bypass | client, direct-ip, direct-domain, upstream-dns in [snell-tun] | Linux + macOS |
| In-tunnel IPv6 reachability probe | client, ipv6, ipv6-probe-* in [snell-tun] | Linux + macOS |
| QUIC fast-fail for UDP/443 | client, ICMP unreachable injection in TUN mode | Linux + macOS |
Everything else — TCP CONNECT, reuse, UDP-over-TCP, obfs, QUIC server,
egress-interface, ipv6 toggle, custom upstream dns = …, TFO — is
identical to main and behaves byte-for-byte the same.
Why these are alpha-only
The official Surge snell-server doesn't speak any of these. The line
is principled rather than arbitrary:
- tcp-brutal changes the kernel congestion control of every inbound TCP connection. That is a per-connection rate enforcement; it doesn't break the snell wire format, but it does break the typical "many parallel streams" workload assumption that snell is built on (snell has no mux). The semantics belong in a separate channel.
- TUN inbound + fake-IP DNS is a client-side concern only — it changes how the local OS funnels traffic into the snell client. The snell server sees ordinary CONNECT host:port requests. But the feature involves nftables, sing-tun, kernel route table manipulation, ICMP fast-fail behavior, dynamic bypass routes, and networksetup on macOS — none of which fit in the Surge "drop-in protocol library" mental model.
If any of these features prove stable and useful enough to graduate,
they may eventually move to main. None of that is promised.
Installer integration
The one-line installer carries an --alpha flag that pulls from the
rolling pre-release channel published by CI:
bash <(curl -fsSL https://s.ee/opensnell) install --alpha

The channel selection is persisted to /etc/snell/.install_meta, so
subsequent update runs stay on alpha without re-passing the flag.
Run install again without --alpha to switch back to stable.
Deep dives
TCP Brutal congestion control
Per-connection rate-pinned CC. Why it helps on high-loss long-fat paths, and the multiplex trap that makes it a footgun on snell.
TUN mode
Transparent capture of every new outbound TCP connection on the box, plus direct bypass controls, IPv6 probing, and QUIC fast-fail. Linux uses nftables + sing-tun; macOS uses an utun device + DNS service override.
Fake-IP DNS
Why the snell server resolves your hostnames instead of your local
OS, how the userspace fake-IP server hands out 198.18.128.0/17
shadow addresses, and how Direct Domains get real records instead.
Performance
Where the Go implementation stood vs. the official C/libuv binary, what we changed, and where we land today.
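
The fake-IP flow summarized on this page (shadow addresses handed out from 198.18.128.0/17, Direct Domains left to real DNS, the server seeing only CONNECT host:port), as an added Go sketch; it is not the project's code. `FakePool`, its methods, suffix matching for Direct Domains and the sample names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// FakePool (hypothetical) maps hostnames to shadow addresses and back. Sequential, no eviction, not goroutine-safe.
type FakePool struct {
	prefix netip.Prefix
	next   netip.Addr
	byHost map[string]netip.Addr
	byAddr map[netip.Addr]string
	direct []string // Direct Domain suffixes; suffix matching is an assumption
}

func NewFakePool(p netip.Prefix, direct ...string) *FakePool {
	return &FakePool{p, p.Masked().Addr().Next(), map[string]netip.Addr{}, map[netip.Addr]string{}, direct}
}

// Resolve answers a DNS query; ok=false means Direct Domain (use real upstream DNS) or pool exhausted.
func (f *FakePool) Resolve(host string) (netip.Addr, bool) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, d := range f.direct {
		if host == d || strings.HasSuffix(host, "."+d) {
			return netip.Addr{}, false
		}
	}
	a, seen := f.byHost[host]
	if !seen && f.prefix.Contains(f.next) {
		a, f.next = f.next, f.next.Next()
		f.byHost[host], f.byAddr[a] = a, host
	}
	return a, a.IsValid()
}

// Target turns a captured destination back into the host:port for CONNECT; other addresses pass through.
func (f *FakePool) Target(dst netip.AddrPort) string {
	if h, ok := f.byAddr[dst.Addr()]; ok {
		return fmt.Sprintf("%s:%d", h, dst.Port())
	}
	return dst.String()
}

func main() {
	p := NewFakePool(netip.MustParsePrefix("198.18.128.0/17"), "corp.example") // constructed names
	a, _ := p.Resolve("example.org")
	fmt.Println(a, p.Target(netip.AddrPortFrom(a, 443)))
}
```

Because the local resolver only ever returns a shadow address, the hostname travels to the server inside the tunnel and no real lookup for it leaves the client; names matched as Direct Domains are the exception and are visible to the upstream resolver.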
TCP Brutal Congestion Control
A per-connection, rate-pinned kernel congestion control algorithm. Useful on high-loss long-fat paths where cubic/bbr collapse — and a sharp footgun on snell, which has no mux.