Client Configuration
snell-client exposes a local SOCKS5 proxy and tunnels every accepted request through a snell server.
snell-client.conf exposes a local SOCKS5 proxy (TCP CONNECT plus
UDP ASSOCIATE) and tunnels every accepted request through a snell server.
For QUIC / HTTP-3, use Surge as the front-end —
see Surge integration. This Go client is
for tools that already speak SOCKS5 (curl --socks5-hostname, browser
proxy settings, application SOCKS5 hooks, etc.).
Full example
[snell-client]
listen = 127.0.0.1:1080
server = your-server.example.com:2333
psk = your-shared-secret
version = v5
obfs = off
obfs-host = bing.com
reuse = true
tfo = falseRun it:
./snell-client -c snell-client.conf # info level logs
./snell-client -c snell-client.conf -v # debug level logsKeys
listen (required)
Local SOCKS5 listener. Bind to 127.0.0.1 unless you really mean to
expose the proxy to the LAN.
server (required)
Remote snell server, host:port.
psk (required)
Pre-shared key — must match the server's psk byte-for-byte.
version (optional, default v5)
Snell protocol version this client claims to be.
| Value | Behavior |
|---|---|
v4 | explicit v4 client |
v5 | explicit v5 client (recommended) |
v4 and v5 share the same TCP wire format, so this is informational today (logged at startup). The Surge v5 server is documented as backward-compatible with v4 clients.
obfs (optional, default off)
Obfuscation layer. Must match the server's setting.
Valid values: off | http | tls.
obfs-host (optional)
Host header / SNI used by the http/tls obfs layer. Default is to reuse the server hostname.
reuse (optional, default false)
Reuse upstream TCP connections across multiple SOCKS5 requests (snell's
CommandConnectV2). Recommended on for short HTTP requests.
The pool caps each TCP at 2 sessions to match the real Surge server's behavior, and drains the server's half-close zero chunk before putting a connection back so the next reuse starts on a clean frame boundary.
tfo (optional, default false)
TCP Fast Open on outbound dials to the snell server. Linux only —
see the server-side tfo notes
for the kernel sysctl requirements.
Smoke test
In another terminal, with snell-client running on 127.0.0.1:1080:
curl -sS --socks5-hostname 127.0.0.1:1080 \
https://www.cloudflare.com/cdn-cgi/traceExpect a body whose ip= line shows the snell server's egress IP.
Alpha-only knobs
These keys exist only on the alpha branch. See
TCP Brutal and
TUN mode for the full deep dives.
brutal = false
brutal-mbps = 100 ; required when brutal = true; per-conn upload rate
brutal-cwnd-gain = 15 ; optional; tenthsAnd a separate top-level [snell-tun] section for TUN inbound mode,
fake-IP DNS, direct bypass controls, and IPv6 probing:
[snell-tun]
enable = true
interface = snell0
fake-ip-range = 198.18.128.0/17
mtu = 9000
exclude-uid = realm, gost
ipv6 = true
ipv6-probe-target = [2606:4700:4700::1111]:443
ipv6-probe-interval = 5m
direct-ip = 10.0.0.0/8, 192.168.0.0/16, 1.1.1.1
direct-domain = corp.example.com, lan.local
upstream-dns = 223.5.5.5:53See TUN mode and Fake-IP DNS for the full behavior.