My previous Snell installation note was written for CentOS 7 in 2020. Several years later, CentOS 7 is obsolete, predictable network interface names are common, and Snell has moved to version 5.
This guide installs Snell Server on Rocky Linux 9, manages it with systemd, opens the required firewall ports, and optionally limits the server’s outbound network throughput using Linux Traffic Control.
Snell is a lightweight encrypted proxy protocol developed for Surge. The official server is distributed as a single binary with no external runtime dependencies other than glibc. Snell v5 also adds a QUIC proxy mode, which requires the server’s UDP port to be reachable.
1. Update Rocky Linux and install the required tools
Log in as root, or prefix the commands with sudo.
|
The iproute-tc package provides the tc command used later for bandwidth limiting.
Enable and start the firewall:
|
Rocky Linux 9 uses firewalld for common firewall management. Its runtime and permanent configurations are separate, so permanent rules must be explicitly added when they should survive a reboot.
2. Create a dedicated Snell account
Snell does not need an interactive login account:
|
Create the application directory:
|
3. Download Snell Server
At the time of writing, the latest official release is Snell Server 5.0.1.
For a typical x86-64 VPS:
|
For an ARM64 server, use the official AArch64 package instead:
|
The official Snell page currently provides builds for AMD64, i386, AArch64, and ARMv7.
Confirm that the binary runs:
|
4. Generate the Snell configuration
Run the built-in configuration wizard as the snell user:
|
The wizard asks for values such as:
- Listening address
- Listening port
- Pre-shared key, or PSK
- IPv6 support
For example, select port 11666.
After the wizard finishes, verify the generated file:
|
A typical configuration resembles:
|
Protect the configuration because it contains the PSK:
|
Do not publish the real PSK in screenshots, shell history, or a blog post.
5. Create the systemd service
Create /etc/systemd/system/snell.service:
|
Reload systemd and start Snell:
|
Check its status:
|
View recent logs:
|
Follow the logs in real time:
|
Confirm that the selected port is listening:
|
6. Open the Snell port in firewalld
Snell accepts its primary connection over TCP. Snell v5’s QUIC proxy mode additionally uses UDP, so open the same port for both protocols.
|
Verify the rules:
|
Expected output should include:
|
If the server uses a cloud-provider firewall or security group, the same TCP and UDP ports must also be opened there.
7. Configure Surge
Add a proxy entry to the Surge profile:
|
Replace:
YOUR_SERVER_IPwith the VPS public IP address.YOUR_RANDOM_SECRETwith the PSK fromsnell-server.conf.
The Snell v5 server remains backward compatible with v4 clients. However, QUIC proxy mode is a v5 feature.
8. Limit outbound network throughput
Some VPS providers charge for excess bandwidth or impose fair-use limits. Linux Traffic Control can apply a maximum outbound rate to a network interface.
Linux tc manages queueing disciplines that schedule packets as they leave an interface. The Token Bucket Filter, or TBF, is suitable for applying a simple maximum transmission rate.
Find the public network interface
Do not assume that the interface is named eth0. Rocky Linux systems frequently use names such as:
ens3ens18enp1s0enp0s3
Find the interface used by the default route:
|
For example:
|
In this example, the interface is eth0.
You can extract it directly with:
|
Rocky Linux recommends modern tools such as ip and nmcli for network inspection and configuration.
Test the rule manually
The following command limits outbound traffic on eth0 to approximately 36 Mbit/s:
|
Check the active queueing discipline:
|
Remove the rule:
|
The limit applies to traffic transmitted through eth0. It therefore affects Snell, SSH, package downloads, web servers, and any other outbound service using that interface.
It does not directly limit inbound traffic. TCP downloads may nevertheless slow down indirectly because acknowledgements and response traffic leave through the rate-limited interface.
Persist the limit with systemd
Create /etc/systemd/system/netlimit.service:
|
Replace eth0 with the actual public network interface found earlier.
The use of replace, rather than add, makes the service more tolerant of an existing root queueing discipline. The leading - in ExecStop tells systemd not to treat a missing queueing discipline as a fatal stop error.
Enable and start the service:
|
Check its status:
|
Verify the active rate:
|
Example output:
|
Restarting the service reapplies the configured rate:
|
To disable bandwidth limiting:
|
Then confirm that the TBF rule is gone:
|
9. Testing the bandwidth limit
The most reliable test is to transfer a sufficiently large file from the Snell server or run a speed test from a remote client.
Remember the unit conversion:
|
Protocol overhead means that the observed application-level transfer speed will normally be slightly lower than 4.5 MB/s.
You can watch the TBF counters while testing:
|
Pay attention to:
- Sent bytes
- Sent packets
- Dropped packets
- Overlimits
- Backlog
An increasing overlimits counter is normal: it shows that TBF is delaying packets to enforce the configured rate. A large number of dropped packets or a continuously growing backlog may indicate that the burst or latency values need adjustment.
10. Maintenance commands
Restart Snell:
|
Check Snell:
|
View logs:
|
Review the configuration:
|
Check the firewall:
|
Check bandwidth limiting:
|
Check both services after a reboot:
|
11. Upgrading Snell Server
Download and extract the newer binary into a temporary directory, then stop the service and replace the existing executable:
|
The configuration file can normally remain in place, but release notes should be reviewed before each upgrade.
Conclusion
Compared with the old CentOS 7 setup, the Rocky Linux 9 version is mostly familiar:
- Snell still runs as a small standalone binary.
- systemd manages startup and recovery.
firewalldexposes the selected TCP and UDP ports.tcand TBF provide a simple outbound bandwidth ceiling.
The main detail to watch is the network interface name. Copying eth0 blindly may cause netlimit.service to fail on servers whose public interface is named ens3, ens18, or enp1s0.
Finally, remember that the simple TBF rule limits the entire network interface. It is suitable for a dedicated Snell VPS. On a shared server, more advanced tc classes and filters would be required to limit only Snell traffic.