MCPcopy Index your code
hub / github.com/SamNet-dev/snix

github.com/SamNet-dev/snix @v0.5.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.5.0 ↗ · + Follow
389 symbols 1,107 edges 56 files 222 documented · 57%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

snix

Cross-platform SNI-spoofing DPI-bypass proxy. Single binary. No cgo. Batteries included.

build release license

snix tricks DPI censorship systems into accepting your TLS connections by injecting a fake ClientHello with a whitelisted SNI during the TCP handshake. The real TLS handshake then proceeds unobstructed. It is a Go rewrite of patterniha/SNI-Spoofing, expanded with multi-platform backends, anti-fingerprinting, a TUI, and a built-in network scanner.

New here? Read the full walkthrough: - 🇬🇧 GUIDE.md — zero-to-finish in English. - 🇮🇷 GUIDE-fa.md — صفر تا صد به فارسی.

Both cover every step from signing up for Cloudflare through a working bypass, including Xray client configs and optional domain setup. Start there if this is the first time you've set up any circumvention tool. The README below is the short reference for everyone else.

Table of contents


What snix does

[your browser or proxy client]
        │
        ▼
[snix on 127.0.0.1:40443]  ──── at TCP handshake time snix:
        │                         1) observes outbound SYN
        │                         2) observes inbound SYN-ACK
        │                         3) observes outbound ACK
        │                         4) injects a fake TLS ClientHello
        ▼                            with a whitelisted SNI such as
[your upstream proxy server, e.g.    `auth.vercel.com` and a deliberately
 VLESS over Cloudflare on port 443]  wrong TCP sequence number
  • The DPI middlebox reads the fake ClientHello first, sees a whitelisted domain (auth.vercel.com), and marks the flow as allowed.
  • The real server receives the fake packet too — but because its sequence number is out-of-window (or its checksum is corrupted) the server silently drops it. No connection damage.
  • The real TLS handshake to your proxy server then proceeds over the already-whitelisted TCP flow and succeeds.

What snix is NOT

snix is a client-side DPI-bypass layer, not a VPN.

You still need: - A proxy server somewhere outside the censored network (Xray/VLESS, VMess, Trojan, sing-box, etc.), ideally on port 443 and fronted via a CDN such as Cloudflare. - A client that speaks that proxy protocol (Xray, v2ray, sing-box, NekoBox, v2rayN, etc.). snix does not speak VLESS/VMess/Trojan yet — that's in the v1.0 roadmap.

snix sits between the client and the internet. Every connection the client opens gets the SNI-spoof treatment.

What you need before installing

  1. A proxy server. If you don't have one, the first-run wizard (snix init --wizard) can walk you through deploying a free Cloudflare Worker that acts as your proxy in about 60 seconds.
  2. Root / Administrator access on the device you're installing on. Packet interception requires kernel-level filter access on both Linux (NFQUEUE + iptables) and Windows (WinDivert).
  3. A TLS-based proxy client already installed. snix is the layer in front; you still need Xray / v2ray / sing-box / NekoBox to speak the proxy protocol itself.

Install — Linux

One-liner (recommended)

curl -fsSL https://get.snix.sh | sudo sh

The script: 1. Detects your distro + architecture. 2. Downloads the signed release tarball from GitHub. 3. Verifies the minisign signature. 4. Places snix into /usr/local/bin. 5. Writes /etc/systemd/system/snix.service (disabled by default). 6. Installs bash + zsh completions.

Then:

sudo snix init --wizard      # create config + pick best SNIs/IPs for your ISP
sudo snix start              # run the engine in your shell, or:
sudo systemctl enable --now snix    # run as a managed service

Manual install

Download from https://github.com/SamNet-dev/snix/releases:

curl -LO https://github.com/SamNet-dev/snix/releases/latest/download/snix-linux-amd64.tar.gz
curl -LO https://github.com/SamNet-dev/snix/releases/latest/download/snix-linux-amd64.tar.gz.minisig

minisign -Vm snix-linux-amd64.tar.gz -P $(cat snix-pubkey.txt)   # verify

tar -xzf snix-linux-amd64.tar.gz
sudo install -m 0755 snix /usr/local/bin/snix

Architectures: amd64, arm64, armv7.

Distribution packages

  • Debian/Ubuntu .deb and Fedora/RHEL .rpm ship with each release.
  • AUR: yay -S snix-bin.
  • Arch: coming soon.

Install — Windows

Installer (recommended)

  1. Download snix-setup.exe from https://github.com/SamNet-dev/snix/releases.
  2. Right-click → Run as Administrator. Follow the installer.
  3. The installer:
  4. Puts snix.exe into C:\Program Files\snix\.
  5. Bundles WinDivert.dll and WinDivert64.sys alongside it.
  6. Adds a Start Menu shortcut that launches the TUI with auto-UAC.
  7. Optionally registers a Windows Service for automatic startup.
  8. Launch from the Start Menu. First launch shows the wizard.

Portable zip

  1. Download snix-windows-amd64.zip, extract anywhere.
  2. Open an elevated Command Prompt or PowerShell.
  3. cd to the folder, then: cmd snix.exe init --wizard snix.exe tui

The zip contains:

snix-windows-amd64/
  snix.exe
  WinDivert.dll
  WinDivert64.sys
  LICENSE
  README.md

All three files must live in the same directory for snix to find the WinDivert driver.


Install — build from source

git clone https://github.com/SamNet-dev/snix.git
cd snix
go build -o snix ./cmd/snix

Requirements: Go 1.23+, no C toolchain, no other tooling. Cross-compile:

GOOS=linux   GOARCH=amd64 go build -o snix-linux   ./cmd/snix
GOOS=windows GOARCH=amd64 go build -o snix.exe     ./cmd/snix
GOOS=darwin  GOARCH=arm64 go build -o snix-macos   ./cmd/snix

On Windows the engine requires WinDivert. Download v2.2.2 from https://github.com/basil00/Divert/releases/tag/v2.2.2, extract x64/WinDivert.dll and x64/WinDivert64.sys, put them next to the built snix.exe.


First-time setup

Run the wizard:

snix init --wizard

You'll see:

snix first-run wizard

Step 1/5 — Do you have a proxy server already?  (y/n)
> y

Step 2/5 — Paste your server address:
  Host:        my-proxy.example.com
  Port [443]:  443

Step 3/5 — Scanning your network for working SNIs and CDN IPs…
  SNI probes  [████████████████] 55/55  ok=55  reset=0  timeout=0
  IP probes   [████████████████] 20/20  reachable=18

  Top SNIs:
    1. auth.vercel.com           12ms
    2. cdn.segment.io            14ms
    3. static.cloudflareinsights 16ms
  Top IPs:
    1. 104.21.2.17    3ms
    2. 172.65.250.78  3ms

Step 4/5 — Anti-fingerprinting knobs (recommended ON):
  Randomize timing?   (Y/n) y
  Randomize padding?  (Y/n) y
  Strategy rotation?  (Y/n) y

Step 5/5 — Integrate with a proxy client?
  Detected: xray at /usr/local/bin/xray
  Update Xray config to use snix on 127.0.0.1:40443? (y/N) y
  Backup written to ~/.config/xray/config.json.bak
  Done.

Config written to /root/.config/snix/config.yaml
Run `sudo snix start` to launch.

If you said "n" at Step 1, the wizard offers to deploy a Cloudflare Worker:

  You don't have a proxy server yet. snix can deploy one for free on
  Cloudflare in ~60 seconds.

  Deploy Cloudflare Worker? (Y/n) y
  Open this URL in your browser:
    https://dash.cloudflare.com/?to=/:account/workers/services/new?name=snix-<random>
  After deploy completes, paste the Worker URL here:
  > worker-name.username.workers.dev

Daily usage

Two ways to drive snix: the TUI (interactive) or the CLI (scriptable).

TUI

snix tui        # opens full-screen dashboard

Press 1-7 to switch tabs, ? for help, q to quit. See TUI walkthrough.

CLI + systemd (Linux)

sudo systemctl enable --now snix
journalctl -u snix -f            # follow logs
sudo systemctl stop snix

CLI + Services (Windows)

If you chose "Install as Service" during setup:

sc query snix
sc start snix
sc stop snix

Otherwise, launch from the Start Menu shortcut.


TUI walkthrough

Tab 1 — Home

Shows: - Which config file is loaded. - How many profiles are defined. - Which profile is active and its summary (listen, connect, strategy). - A short explainer of what snix does.

Tab 2 — Profiles

List of profiles. Keys:

key action
↑↓ / jk move cursor
set the selected profile as active (writes config.yaml)
e open the config file in $EDITOR / notepad
r reload config from disk

Right pane shows full details of the highlighted profile including its SNI pool, randomization settings, and fallback IPs.

Tab 3 — Scan

Probe the network to find which SNIs and CDN IPs work. Keys:

key action
s probe candidate SNIs against the target IP
i probe the Cloudflare IP pool for reachability + RTT
a run both concurrently
t edit the SNI-probe target IP
x stop the running scan
e save top results into the active profile (writes config.yaml)

Live progress bars for each scan type. Top-10 leaderboards update as results arrive.

Tab 4 — Run

Starts / stops the bypass engine as a subprocess. Keys:

key action
s start engine
x stop engine (SIGINT / Kill)
r restart
c clear logs

Engine stdout and stderr are tailed live into the Engine Output panel. Scrollable with ↑↓ / PgUp/PgDn.

Windows: the engine subprocess needs Administrator. If the TUI was launched non-elevated you'll see the missing-privilege error in the log panel; restart the TUI from an elevated shell.

Tab 5 — Settings

Toggle anti-fingerprinting knobs on the active profile. All changes save to disk immediately. Keys:

key action
↑↓ / jk move cursor
space / toggle the selected knob
+ / - adjust numeric values

The right pane explains what the highlighted knob does and why you'd want it.

Tab 6 — Help

Scrollable long-form help: what SNI spoofing is, every keybinding, CLI parity table, troubleshooting.

Tab 7 — About

Version, license, credits, support links.


CLI reference

snix init                     create a starter config at ~/.config/snix/config.yaml
snix init --wizard            interactive first-time setup (recommended)
snix status                   show loaded config + active profile
snix tui                      launch the full interactive TUI
snix start                    run the bypass engine (needs root / admin)
snix start -p NAME            start using a non-active profile
snix scan sni --target IP     probe SNIs against IP (default 1.1.1.1)
snix scan ip                  probe Cloudflare IPs for reachability + RTT
snix scan all                 run both scans and print a ready-to-paste profile
snix profile list             list profiles
snix profile switch NAME      make NAME the active profile
snix update                   upgrade to the latest release (verifies signature)
snix --version                print version
snix --help                   print top-level help

Global flags:

-c, --config PATH    use a non-default config path
-v, --verbose        verbose logging

Configuration reference

Default location: - Linux / macOS: ~/.config/snix/config.yaml (or $XDG_CONFIG_HOME/snix/config.yaml). - Windows: %APPDATA%\snix\config.yaml.

Full example with every field:

```yaml version: 1

Which profile to use on snix start. Must match one of profiles[].name.

active: default

log: # debug | info | warn | error level: info

profiles: - name: default

# Where snix listens for client connections (Xray, v2ray, etc.).
listen: "127.0.0.1:40443"

connect:
  # Your upstream proxy server. Domain or IP.
  host: my-proxy.example.com
  port: 443
  # If `host` fails or its DNS resolution is blocked, snix will try
  # these IPs in order. Useful to pin known-working Cloudflare edges.
  fallback_ips:
    - 104.21.2.17
    - 172.65.250.78

spoof:
  # Default strategy. Used when `strategy_rotation` is empty.
  # wrong_seq     — inject fake ClientHello with out-of-window seq
  # wrong_checksum — same + corrupted TCP checksum (double-safety)
  strategy: wrong_seq

  # If set (recommended), snix picks a strategy per flow at random
  # from this list. Breaks DPI pattern-matching on packet shape.
  strategy_rotation: [wrong_seq, wrong_checksum]

  # The SNIs snix rotates through when building the fake ClientHello.
  # Run `snix scan sni` to discover which ones work on your ISP.
  sni_pool:
    - auth.vercel.com
    - cdn.segment.io
    - static.cloudflareinsights.com

  # random (default): uniform random pick pe

Extension points exported contracts — how you extend this code

Core symbols most depended-on inside this repo

Shape

Function 195
Method 117
Struct 61
TypeAlias 12
Interface 4

Languages

Go96%
TypeScript4%
Python1%

Modules by API surface

tui/scan.go19 symbols
core/engine/engine.go17 symbols
tui/run.go16 symbols
cfworker/worker.js16 symbols
tui/app.go15 symbols
core/engine/engine_test.go15 symbols
platform/windows/windivert_api.go13 symbols
integrate/integrate.go13 symbols
core/bypass/strategy.go13 symbols
tui/profiles.go12 symbols
core/conntrack/connection.go12 symbols
config/config.go12 symbols

For agents

$ claude mcp add snix \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page