OpenSnell

Read This First

Why OpenSnell exists, why Snell is the protocol I chose, and why our fully reverse-engineered v6 stays closed-source. Please read this before you deploy.

This page is the one I'd ask everyone to read before using OpenSnell. It isn't about configuration — the rest of the docs cover that. It's about why this project exists, what it values, and the reasoning behind the one decision people ask about most: why v6 is closed-source.

TL;DR — OpenSnell exists because I wanted a Snell implementation that matched the official server's quality. The open-source build stays v4 / v5. Snell v6 is fully reverse-engineered but intentionally not published, for the same reason v6 exists at all: keeping it hard to fingerprint.

How this project started

OpenSnell began with Mihomo. I noticed it had added support for every version of Snell, v1 through v5, and I decided to write my own Snell client and server to understand the protocol properly.

While building it, I found that Mihomo's implementation had a real problem: its approach left a lot of performance on the table, and it ran far slower than the official Snell server. So I reworked that part of the code and opened two pull requests against Mihomo. To this day neither has been merged. That's fine — I'm not a Mihomo user myself; I just wanted the adaptation done well. OpenSnell is what came out of that effort.

Why Snell

I've been a fan of Surge and its developer, Yachen Liu, for a long time, and I think Snell is a genuinely well-designed protocol. A few reasons it's the one I chose:

  1. It's simple, easy to use, and stable. There's very little that can go wrong, and very little to tune.
  2. No TLS, and no pretending to be TLS. I'm not fond of protocols that imitate TLS — the mimicry makes the proxy more complex and adds overhead to latency and throughput for no real benefit.
  3. It's plain TCP. A clean TCP protocol with no TLS layer is, to me, far more appealing than the alternatives.
  4. The design is thoughtful. For example, Snell doesn't require your server's clock to be correct. Even if the server's time is completely wrong, it has no effect on establishing a connection or on normal use — there's no timestamp to get out of sync.

If you want the head-to-head against other protocols, see the protocol comparison.

On the source

OpenSnell didn't start as a deliberate effort to reverse-engineer Snell or to make its internals public. The code had already been made public by someone else; I simply wanted to take it further — make the implementation more complete and add a few features that are actually useful in practice. The alpha branch is where those extras live.

On v6, and why it stays closed

Surge has since released v6, and I tried it the moment it was out. In my own day-to-day use, v6 is a large step up from v5 — see Snell v6 for what actually changed.

We have completed a 100% reverse-engineering of v6 — our implementation is byte-for-byte identical to the official server on the wire. And we have decided not to open-source it.

The reasoning is simple. The Snell developer, the Surge developer, and you reading this all want the same thing: a free internet, and the right to exchange information freely. Snell v6's entire purpose is to be hard to fingerprint. A public, byte-exact v6 emitter would work directly against that goal — it's the kind of thing that gives censors a fixed target to study. Keeping it unpublished lets the protocol mature quietly and stay harder to identify on the wire. For v6 specifically, I think that's the more responsible choice.

Curious whether v6 actually makes you safer against the Great Firewall? See v5 vs v6 against the GFW for an honest, axis-by-axis answer. To run v6 today, the installer can deploy the official Surge snell-server v6.

Where to go next

On this page