Eric Guo's blog.cloud-mes.com

Hoping writing JS, Ruby & Rails and Go article, but fallback to DevOps note

Installing Snell Server on Rocky Linux 9 With Network Bandwidth Limiting

Permalink

My previous Snell installation note was written for CentOS 7 in 2020. Several years later, CentOS 7 is obsolete, predictable network interface names are common, and Snell has moved to version 5.

This guide installs Snell Server on Rocky Linux 9, manages it with systemd, opens the required firewall ports, and optionally limits the server’s outbound network throughput using Linux Traffic Control.

Snell is a lightweight encrypted proxy protocol developed for Surge. The official server is distributed as a single binary with no external runtime dependencies other than glibc. Snell v5 also adds a QUIC proxy mode, which requires the server’s UDP port to be reachable.

1. Update Rocky Linux and install the required tools

Log in as root, or prefix the commands with sudo.

dnf update -y
dnf install -y wget unzip firewalld iproute-tc

The iproute-tc package provides the tc command used later for bandwidth limiting.

Enable and start the firewall:

systemctl enable --now firewalld
systemctl status firewalld

Rocky Linux 9 uses firewalld for common firewall management. Its runtime and permanent configurations are separate, so permanent rules must be explicitly added when they should survive a reboot.

2. Create a dedicated Snell account

Snell does not need an interactive login account:

useradd \
--system \
--home-dir /opt/snell \
--create-home \
--shell /sbin/nologin \
snell

Create the application directory:

mkdir -p /opt/snell
chown snell:snell /opt/snell
chmod 750 /opt/snell

3. Download Snell Server

At the time of writing, the latest official release is Snell Server 5.0.1.

For a typical x86-64 VPS:

cd /tmp
wget https://dl.nssurge.com/snell/snell-server-v5.0.1-linux-amd64.zip
unzip snell-server-v5.0.1-linux-amd64.zip
install \
-o snell \
-g snell \
-m 750 \
snell-server \
/opt/snell/snell-server
rm -f snell-server snell-server-v5.0.1-linux-amd64.zip

For an ARM64 server, use the official AArch64 package instead:

https://dl.nssurge.com/snell/snell-server-v5.0.1-linux-aarch64.zip

The official Snell page currently provides builds for AMD64, i386, AArch64, and ARMv7.

Confirm that the binary runs:

/opt/snell/snell-server --help

4. Generate the Snell configuration

Run the built-in configuration wizard as the snell user:

cd /opt/snell
sudo -u snell ./snell-server

The wizard asks for values such as:

  • Listening address
  • Listening port
  • Pre-shared key, or PSK
  • IPv6 support

For example, select port 11666.

After the wizard finishes, verify the generated file:

cat /opt/snell/snell-server.conf

A typical configuration resembles:

[snell-server]
listen = 0.0.0.0:11666
psk = YOUR_RANDOM_SECRET
ipv6 = false

Protect the configuration because it contains the PSK:

chown snell:snell /opt/snell/snell-server.conf
chmod 600 /opt/snell/snell-server.conf

Do not publish the real PSK in screenshots, shell history, or a blog post.

5. Create the systemd service

Create /etc/systemd/system/snell.service:

cat >/etc/systemd/system/snell.service <<'EOF'
[Unit]
Description=Snell Proxy Service
Documentation=https://kb.nssurge.com/surge-knowledge-base/release-notes/snell
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=snell
Group=snell
WorkingDirectory=/opt/snell
ExecStart=/opt/snell/snell-server -c /opt/snell/snell-server.conf
Restart=on-failure
RestartSec=5s
LimitNOFILE=32768
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/opt/snell
[Install]
WantedBy=multi-user.target
EOF

Reload systemd and start Snell:

systemctl daemon-reload
systemctl enable --now snell

Check its status:

systemctl status snell --no-pager

View recent logs:

journalctl -u snell -n 100 --no-pager

Follow the logs in real time:

journalctl -u snell -f

Confirm that the selected port is listening:

ss -lntup | grep 11666

6. Open the Snell port in firewalld

Snell accepts its primary connection over TCP. Snell v5’s QUIC proxy mode additionally uses UDP, so open the same port for both protocols.

firewall-cmd --permanent --zone=public --add-port=11666/tcp
firewall-cmd --permanent --zone=public --add-port=11666/udp
firewall-cmd --reload

Verify the rules:

firewall-cmd --zone=public --list-ports

Expected output should include:

11666/tcp 11666/udp

If the server uses a cloud-provider firewall or security group, the same TCP and UDP ports must also be opened there.

7. Configure Surge

Add a proxy entry to the Surge profile:

[Proxy]
My-Snell-Server = snell, YOUR_SERVER_IP, 11666, psk=YOUR_RANDOM_SECRET, version=5

Replace:

  • YOUR_SERVER_IP with the VPS public IP address.
  • YOUR_RANDOM_SECRET with the PSK from snell-server.conf.

The Snell v5 server remains backward compatible with v4 clients. However, QUIC proxy mode is a v5 feature.

8. Limit outbound network throughput

Some VPS providers charge for excess bandwidth or impose fair-use limits. Linux Traffic Control can apply a maximum outbound rate to a network interface.

Linux tc manages queueing disciplines that schedule packets as they leave an interface. The Token Bucket Filter, or TBF, is suitable for applying a simple maximum transmission rate.

Find the public network interface

Do not assume that the interface is named eth0. Rocky Linux systems frequently use names such as:

  • ens3
  • ens18
  • enp1s0
  • enp0s3

Find the interface used by the default route:

ip route show default

For example:

default via 192.0.2.1 dev eth0 proto static metric 100

In this example, the interface is eth0.

You can extract it directly with:

ip route show default | awk '{print $5; exit}'

Rocky Linux recommends modern tools such as ip and nmcli for network inspection and configuration.

Test the rule manually

The following command limits outbound traffic on eth0 to approximately 36 Mbit/s:

tc qdisc replace dev eth0 root tbf \
rate 36mbit \
burst 128kbit \
latency 200ms

Check the active queueing discipline:

tc -s qdisc show dev eth0

Remove the rule:

tc qdisc del dev eth0 root

The limit applies to traffic transmitted through eth0. It therefore affects Snell, SSH, package downloads, web servers, and any other outbound service using that interface.

It does not directly limit inbound traffic. TCP downloads may nevertheless slow down indirectly because acknowledgements and response traffic leave through the rate-limited interface.

Persist the limit with systemd

Create /etc/systemd/system/netlimit.service:

cat >/etc/systemd/system/netlimit.service <<'EOF'
[Unit]
Description=Limit outbound network throughput
After=network-online.target
Wants=network-online.target
Before=snell.service
[Service]
Type=oneshot
ExecStart=/usr/sbin/tc qdisc replace dev eth0 root tbf rate 36mbit burst 128kbit latency 200ms
ExecStop=-/usr/sbin/tc qdisc del dev eth0 root
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF

Replace eth0 with the actual public network interface found earlier.

The use of replace, rather than add, makes the service more tolerant of an existing root queueing discipline. The leading - in ExecStop tells systemd not to treat a missing queueing discipline as a fatal stop error.

Enable and start the service:

systemctl daemon-reload
systemctl enable --now netlimit

Check its status:

systemctl status netlimit --no-pager

Verify the active rate:

tc -s qdisc show dev eth0

Example output:

qdisc tbf 8001: root refcnt 2 rate 36Mbit burst 128Kb lat 200ms

Restarting the service reapplies the configured rate:

systemctl restart netlimit

To disable bandwidth limiting:

systemctl disable --now netlimit

Then confirm that the TBF rule is gone:

tc qdisc show dev eth0

9. Testing the bandwidth limit

The most reliable test is to transfer a sufficiently large file from the Snell server or run a speed test from a remote client.

Remember the unit conversion:

36 Mbit/s ÷ 8 = approximately 4.5 MB/s

Protocol overhead means that the observed application-level transfer speed will normally be slightly lower than 4.5 MB/s.

You can watch the TBF counters while testing:

watch -n 1 'tc -s qdisc show dev eth0'

Pay attention to:

  • Sent bytes
  • Sent packets
  • Dropped packets
  • Overlimits
  • Backlog

An increasing overlimits counter is normal: it shows that TBF is delaying packets to enforce the configured rate. A large number of dropped packets or a continuously growing backlog may indicate that the burst or latency values need adjustment.

10. Maintenance commands

Restart Snell:

systemctl restart snell

Check Snell:

systemctl status snell --no-pager

View logs:

journalctl -u snell --since today

Review the configuration:

sudo -u snell cat /opt/snell/snell-server.conf

Check the firewall:

firewall-cmd --zone=public --list-ports

Check bandwidth limiting:

tc -s qdisc show dev eth0

Check both services after a reboot:

systemctl is-active snell netlimit
systemctl is-enabled snell netlimit

11. Upgrading Snell Server

Download and extract the newer binary into a temporary directory, then stop the service and replace the existing executable:

systemctl stop snell
install \
-o snell \
-g snell \
-m 750 \
/path/to/new/snell-server \
/opt/snell/snell-server
systemctl start snell
systemctl status snell --no-pager

The configuration file can normally remain in place, but release notes should be reviewed before each upgrade.

Conclusion

Compared with the old CentOS 7 setup, the Rocky Linux 9 version is mostly familiar:

  • Snell still runs as a small standalone binary.
  • systemd manages startup and recovery.
  • firewalld exposes the selected TCP and UDP ports.
  • tc and TBF provide a simple outbound bandwidth ceiling.

The main detail to watch is the network interface name. Copying eth0 blindly may cause netlimit.service to fail on servers whose public interface is named ens3, ens18, or enp1s0.

Finally, remember that the simple TBF rule limits the entire network interface. It is suitable for a dedicated Snell VPS. On a shared server, more advanced tc classes and filters would be required to limit only Snell traffic.

Comments