Cross-platform SNI-spoofing DPI-bypass proxy. Single binary. No cgo. Batteries included.
snix tricks DPI censorship systems into accepting your TLS connections by injecting a fake ClientHello with a whitelisted SNI during the TCP handshake. The real TLS handshake then proceeds unobstructed. It is a Go rewrite of patterniha/SNI-Spoofing, expanded with multi-platform backends, anti-fingerprinting, a TUI, and a built-in network scanner.
New here? Read the full walkthrough: - 🇬🇧 GUIDE.md — zero-to-finish in English. - 🇮🇷 GUIDE-fa.md — صفر تا صد به فارسی.
Both cover every step from signing up for Cloudflare through a working bypass, including Xray client configs and optional domain setup. Start there if this is the first time you've set up any circumvention tool. The README below is the short reference for everyone else.
[your browser or proxy client]
│
▼
[snix on 127.0.0.1:40443] ──── at TCP handshake time snix:
│ 1) observes outbound SYN
│ 2) observes inbound SYN-ACK
│ 3) observes outbound ACK
│ 4) injects a fake TLS ClientHello
▼ with a whitelisted SNI such as
[your upstream proxy server, e.g. `auth.vercel.com` and a deliberately
VLESS over Cloudflare on port 443] wrong TCP sequence number
auth.vercel.com), and marks the flow as allowed.snix is a client-side DPI-bypass layer, not a VPN.
You still need: - A proxy server somewhere outside the censored network (Xray/VLESS, VMess, Trojan, sing-box, etc.), ideally on port 443 and fronted via a CDN such as Cloudflare. - A client that speaks that proxy protocol (Xray, v2ray, sing-box, NekoBox, v2rayN, etc.). snix does not speak VLESS/VMess/Trojan yet — that's in the v1.0 roadmap.
snix sits between the client and the internet. Every connection the client opens gets the SNI-spoof treatment.
snix init --wizard) can walk you through deploying a free
Cloudflare Worker that acts as your proxy in about 60 seconds.curl -fsSL https://get.snix.sh | sudo sh
The script:
1. Detects your distro + architecture.
2. Downloads the signed release tarball from GitHub.
3. Verifies the minisign signature.
4. Places snix into /usr/local/bin.
5. Writes /etc/systemd/system/snix.service (disabled by default).
6. Installs bash + zsh completions.
Then:
sudo snix init --wizard # create config + pick best SNIs/IPs for your ISP
sudo snix start # run the engine in your shell, or:
sudo systemctl enable --now snix # run as a managed service
Download from https://github.com/SamNet-dev/snix/releases:
curl -LO https://github.com/SamNet-dev/snix/releases/latest/download/snix-linux-amd64.tar.gz
curl -LO https://github.com/SamNet-dev/snix/releases/latest/download/snix-linux-amd64.tar.gz.minisig
minisign -Vm snix-linux-amd64.tar.gz -P $(cat snix-pubkey.txt) # verify
tar -xzf snix-linux-amd64.tar.gz
sudo install -m 0755 snix /usr/local/bin/snix
Architectures: amd64, arm64, armv7.
.deb and Fedora/RHEL .rpm ship with each release.yay -S snix-bin.snix-setup.exe from https://github.com/SamNet-dev/snix/releases.snix.exe into C:\Program Files\snix\.WinDivert.dll and WinDivert64.sys alongside it.snix-windows-amd64.zip, extract anywhere.cd to the folder, then:
cmd
snix.exe init --wizard
snix.exe tuiThe zip contains:
snix-windows-amd64/
snix.exe
WinDivert.dll
WinDivert64.sys
LICENSE
README.md
All three files must live in the same directory for snix to find the WinDivert driver.
git clone https://github.com/SamNet-dev/snix.git
cd snix
go build -o snix ./cmd/snix
Requirements: Go 1.23+, no C toolchain, no other tooling. Cross-compile:
GOOS=linux GOARCH=amd64 go build -o snix-linux ./cmd/snix
GOOS=windows GOARCH=amd64 go build -o snix.exe ./cmd/snix
GOOS=darwin GOARCH=arm64 go build -o snix-macos ./cmd/snix
On Windows the engine requires WinDivert. Download v2.2.2 from
https://github.com/basil00/Divert/releases/tag/v2.2.2, extract
x64/WinDivert.dll and x64/WinDivert64.sys, put them next to the built
snix.exe.
Run the wizard:
snix init --wizard
You'll see:
snix first-run wizard
Step 1/5 — Do you have a proxy server already? (y/n)
> y
Step 2/5 — Paste your server address:
Host: my-proxy.example.com
Port [443]: 443
Step 3/5 — Scanning your network for working SNIs and CDN IPs…
SNI probes [████████████████] 55/55 ok=55 reset=0 timeout=0
IP probes [████████████████] 20/20 reachable=18
Top SNIs:
1. auth.vercel.com 12ms
2. cdn.segment.io 14ms
3. static.cloudflareinsights 16ms
Top IPs:
1. 104.21.2.17 3ms
2. 172.65.250.78 3ms
Step 4/5 — Anti-fingerprinting knobs (recommended ON):
Randomize timing? (Y/n) y
Randomize padding? (Y/n) y
Strategy rotation? (Y/n) y
Step 5/5 — Integrate with a proxy client?
Detected: xray at /usr/local/bin/xray
Update Xray config to use snix on 127.0.0.1:40443? (y/N) y
Backup written to ~/.config/xray/config.json.bak
Done.
Config written to /root/.config/snix/config.yaml
Run `sudo snix start` to launch.
If you said "n" at Step 1, the wizard offers to deploy a Cloudflare Worker:
You don't have a proxy server yet. snix can deploy one for free on
Cloudflare in ~60 seconds.
Deploy Cloudflare Worker? (Y/n) y
Open this URL in your browser:
https://dash.cloudflare.com/?to=/:account/workers/services/new?name=snix-<random>
After deploy completes, paste the Worker URL here:
> worker-name.username.workers.dev
Two ways to drive snix: the TUI (interactive) or the CLI (scriptable).
snix tui # opens full-screen dashboard
Press 1-7 to switch tabs, ? for help, q to quit. See TUI walkthrough.
sudo systemctl enable --now snix
journalctl -u snix -f # follow logs
sudo systemctl stop snix
If you chose "Install as Service" during setup:
sc query snix
sc start snix
sc stop snix
Otherwise, launch from the Start Menu shortcut.
Shows: - Which config file is loaded. - How many profiles are defined. - Which profile is active and its summary (listen, connect, strategy). - A short explainer of what snix does.
List of profiles. Keys:
| key | action |
|---|---|
↑↓ / jk |
move cursor |
⏎ |
set the selected profile as active (writes config.yaml) |
e |
open the config file in $EDITOR / notepad |
r |
reload config from disk |
Right pane shows full details of the highlighted profile including its SNI pool, randomization settings, and fallback IPs.
Probe the network to find which SNIs and CDN IPs work. Keys:
| key | action |
|---|---|
s |
probe candidate SNIs against the target IP |
i |
probe the Cloudflare IP pool for reachability + RTT |
a |
run both concurrently |
t |
edit the SNI-probe target IP |
x |
stop the running scan |
e |
save top results into the active profile (writes config.yaml) |
Live progress bars for each scan type. Top-10 leaderboards update as results arrive.
Starts / stops the bypass engine as a subprocess. Keys:
| key | action |
|---|---|
s |
start engine |
x |
stop engine (SIGINT / Kill) |
r |
restart |
c |
clear logs |
Engine stdout and stderr are tailed live into the Engine Output panel.
Scrollable with ↑↓ / PgUp/PgDn.
Windows: the engine subprocess needs Administrator. If the TUI was launched non-elevated you'll see the missing-privilege error in the log panel; restart the TUI from an elevated shell.
Toggle anti-fingerprinting knobs on the active profile. All changes save to disk immediately. Keys:
| key | action |
|---|---|
↑↓ / jk |
move cursor |
space / ⏎ |
toggle the selected knob |
+ / - |
adjust numeric values |
The right pane explains what the highlighted knob does and why you'd want it.
Scrollable long-form help: what SNI spoofing is, every keybinding, CLI parity table, troubleshooting.
Version, license, credits, support links.
snix init create a starter config at ~/.config/snix/config.yaml
snix init --wizard interactive first-time setup (recommended)
snix status show loaded config + active profile
snix tui launch the full interactive TUI
snix start run the bypass engine (needs root / admin)
snix start -p NAME start using a non-active profile
snix scan sni --target IP probe SNIs against IP (default 1.1.1.1)
snix scan ip probe Cloudflare IPs for reachability + RTT
snix scan all run both scans and print a ready-to-paste profile
snix profile list list profiles
snix profile switch NAME make NAME the active profile
snix update upgrade to the latest release (verifies signature)
snix --version print version
snix --help print top-level help
Global flags:
-c, --config PATH use a non-default config path
-v, --verbose verbose logging
Default location:
- Linux / macOS: ~/.config/snix/config.yaml (or $XDG_CONFIG_HOME/snix/config.yaml).
- Windows: %APPDATA%\snix\config.yaml.
Full example with every field:
```yaml version: 1
snix start. Must match one of profiles[].name.active: default
log: # debug | info | warn | error level: info
profiles: - name: default
# Where snix listens for client connections (Xray, v2ray, etc.).
listen: "127.0.0.1:40443"
connect:
# Your upstream proxy server. Domain or IP.
host: my-proxy.example.com
port: 443
# If `host` fails or its DNS resolution is blocked, snix will try
# these IPs in order. Useful to pin known-working Cloudflare edges.
fallback_ips:
- 104.21.2.17
- 172.65.250.78
spoof:
# Default strategy. Used when `strategy_rotation` is empty.
# wrong_seq — inject fake ClientHello with out-of-window seq
# wrong_checksum — same + corrupted TCP checksum (double-safety)
strategy: wrong_seq
# If set (recommended), snix picks a strategy per flow at random
# from this list. Breaks DPI pattern-matching on packet shape.
strategy_rotation: [wrong_seq, wrong_checksum]
# The SNIs snix rotates through when building the fake ClientHello.
# Run `snix scan sni` to discover which ones work on your ISP.
sni_pool:
- auth.vercel.com
- cdn.segment.io
- static.cloudflareinsights.com
# random (default): uniform random pick pe