Snell

Snell is a lean encrypted proxy protocol developed by our team. Here are some highlights:

  • Extreme performance.

  • Support UDP over TCP relay.

  • Single binary with zero dependencies. (except glibc)

  • A wizard to help you start.

  • Proxy server will report remote errors to the client if an error encounters. Clients may choose countermeasures for different scenarios.

The Snell protocol is intended for Surge users only. Please do not reverse-analyze the protocol and make a compatible client of it. We want to keep the user base as small as possible; thanks for your understanding.

https://dl.nssurge.com/snell/snell-server-v5.0.0-linux-amd64.zip
https://dl.nssurge.com/snell/snell-server-v5.0.0-linux-i386.zip
https://dl.nssurge.com/snell/snell-server-v5.0.0-linux-aarch64.zip
https://dl.nssurge.com/snell/snell-server-v5.0.0-linux-armv7l.zip

Release Notes

v5.0.0

Dynamic Record Sizing

该特性将提高在存在丢包的网络环境下延迟表现。技术细节可参考 :Cloudflare Blog

QUIC Proxy Mode

Snell v5 加入了专为 QUIC 流量设计的 QUIC Proxy 模式,该模式工作属于 UDP over UDP,以避免 TCP over UDP 问题。(服务端需开放 UDP 端口)

  • 该工作模式为 QUIC 进行了特殊优化,仅当 Surge 识别到 QUIC 流量时会启用,其他 UDP 流量依然使用 UDP over TCP 模式。

  • QUIC Proxy 只会对 QUIC Handshake 数据包进行强加密,以保护 SNI 和目标主机名,同时进行鉴权。后续的所有 QUIC 数据包,由于本身已经被 QUIC 强加密,将直接以裸包进行转发,大幅降低了不必要的加解密开销。同时由于未引入额外字节,不会影响 QUIC 的 PMTU 探测。

出口控制

  • 支持配置 egress-interface 参数控制出口 interface(需要 root 权限或者给予CAP_NET_RAW/CAP_NET_ADMIN 授权,同时该 interface 上需要有目标地址和 DNS 的路由表)

  • 支持 systemd 的 Socket Activation 机制,可用于配置 network namespace,也可用于出口 interface 配置。我们会在之后提供配置样例。

Snell v5 的服务端可以向下兼容 v4 客户端,如果不想使用 QUIC Proxy Mode 功能,客户端设置为 v4 版本即可,Dynamic Record Sizing 的优化只和服务端有关。

v4.1.1

  • Fix a potential crash that may occur during UDP forwarding.

https://dl.nssurge.com/snell/snell-server-v4.1.1-linux-amd64.zip
https://dl.nssurge.com/snell/snell-server-v4.1.1-linux-i386.zip
https://dl.nssurge.com/snell/snell-server-v4.1.1-linux-aarch64.zip
https://dl.nssurge.com/snell/snell-server-v4.1.1-linux-armv7l.zip

v4.1.0

  • Add a dns parameter for customizing DNS server addresses, supporting multiple address configurations.

  • Update the DNS library c-ares to the latest version to resolve compatibility issues with specific DNS records.

  • Add output of the currently used DNS server at startup.

  • Adjust log output to lower broken pipe error messages to verbose level.

  • Update libuv to v1.48.0 to fix potential crashes when accessing IPv6 addresses on certain systems.

  • Improve log information for DNS errors.

  • Fix an issue where certain invalid DNS records could cause a crash.

v4.0.1

Fixed a bug that UDP packets can't be forwarded to IPv6 addresses.

Surge Mac as Snell Proxy Server

You may also use Surge Mac as a Snell proxy server (Starting from version 3.1.0). Add the following lines to your profile.

[Snell Server]
interface = 0.0.0.0
port = 6160
psk = RANDOM_KEY_HERE

The embedded Snell server in Surge uses the Snell V1 protocol.

PreviousSurge Mac 历史版本

Last updated