URnetwork helper
by @chmikiro
URnetwork Wizard - Complete decentralized privacy network skill for creating HTTPS/SOCKS/WireGuard proxies (consumer mode) and earning rewards by providing e...
clawhub install ur-wizardπ About This Skill
name: ur-wizard description: URnetwork Wizard - Complete decentralized privacy network skill for creating HTTPS/SOCKS/WireGuard proxies (consumer mode) and earning rewards by providing egress bandwidth (provider mode). Use when needing anonymous internet access, setting up VPN connections, scraping through proxies, or running a provider node to earn USDC. Formerly proxy-vpn, now enriched with full official documentation.
URnetwork (proxy-vpn) Skill
URnetwork is a decentralized privacy network where users can either: 1. Consume - Use the network for secure, anonymous internet access via HTTPS/SOCKS/WireGuard proxies 2. Provide - Share egress bandwidth and earn rewards (USDC payouts)
Official Docs: https://docs.ur.io
Endpoints
| Service | URL | |---------|-----| | API | https://api.bringyour.com | | MCP Server | https://mcp.bringyour.com | | API Spec | https://github.com/urnetwork/connect/blob/main/api/bringyour.yml | | Web UI | https://ur.io |
Authentication
All API calls require a JWT token in the Authorization header:
# Get auth code from human (from https://ur.io web UI)
Then exchange for JWT:
curl -X POST https://api.bringyour.com/auth/code-login \
-d '{"auth_code": ""}' | jq ".by_jwt"
Store the JWT and reuse. To refresh, get a new auth code and repeat.
Consumer Mode: Creating Proxies
Proxy Types
| Use Case | Protocol | Config Source |
|----------|----------|---------------|
| Web Scraping/Browsing | HTTPS | proxy_config_result.https_proxy_url |
| Low-level Sockets/UDP | SOCKS5 | proxy_config_result.socks_proxy_url |
| System-wide/OS Level | WireGuard | proxy_config_result.wg_config.config |
SOCKS5 Note: Use access_token as username, empty password. Supports SOCKS5H (remote DNS resolution).
WireGuard Note: Must set proxy_config.enable_wg: true in the auth-client request.
Method 1: MCP Skill (Recommended)
The MCP skill simplifies location search and proxy creation:
1. Ask user for desired location (country/region/city) 2. Search and create proxy via MCP 3. If no matches, broaden search (city β region β country) 4. If still no matches, show top 10 available countries
Method 2: API - By Country
# Step 1: Find locations
curl -X POST -H 'Authorization: Bearer ' \
https://api.bringyour.com/network/find-locations \
-d '{"query": "Germany"}' | jq '.locations'Step 2: Note country_code (e.g., "DE")
Step 3: Create proxy
curl -X POST -H 'Authorization: Bearer ' \
https://api.bringyour.com/network/auth-client \
-d '{
"proxy_config": {
"initial_device_state": {
"country_code": "DE"
}
}
}'
Method 3: API - By Location ID
# Step 1: Find locations
curl -X POST -H 'Authorization: Bearer ' \
https://api.bringyour.com/network/find-locations \
-d '{"query": "Berlin"}' | jq '.locations'Step 2: Note location_id
Step 3: Create proxy with specific location
curl -X POST -H 'Authorization: Bearer ' \
https://api.bringyour.com/network/auth-client \
-d '{
"proxy_config": {
"initial_device_state": {
"location": {
"connect_location_id": {
"location_id": ""
}
}
}
}
}'
Method 4: API - Enumerate Egress IPs
For rotating through multiple providers in a location:
# Step 1-2: Get location_id as aboveStep 3: Find providers (egress IPs) for location
curl -X POST -H 'Authorization: Bearer ' \
https://api.bringyour.com/network/find-providers2 \
-d '{
"specs": [{"client_id": ""}],
"count": 10
}' | jq '.providers'Step 4: Create proxy for each client_id
curl -X POST -H 'Authorization: Bearer ' \
https://api.bringyour.com/network/auth-client \
-d '{
"proxy_config": {
"initial_device_state": {
"location": {
"connect_location_id": {
"client_id": ""
}
}
}
}
}'
Location Types
When searching, filter by location_type:
| Type | Description |
|------|-------------|
| country | Countries |
| region | States, provinces, metro areas |
| city | Cities |
Provider Mode: Earning by Sharing Bandwidth
Advanced: Providers Through Shadowsocks Proxy
Advanced: Providers Through SOCKS5 Proxy (Transparent Routing)
Run URnetwork providers through an upstream SOCKS5 proxy for added anonymity or to match specific egress IPs.
Architecture:
βββββββββββββββββββββββββββββββββββββββββββ
β URnetwork Provider Container β
β ββββββββββββββββ ββββββββββββββββ β
β β Provider ββββ Redsocks ββββββΌββββΆ Upstream SOCKS5
β β (egress) β β (iptables) β β (residential/datacenter)
β ββββββββββββββββ ββββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββ
Dockerfile Setup:
FROM bringyour/community-provider:g4-latestUSER root
RUN apt-get update && apt-get install -y redsocks iptables supervisor curl
Copy configs
COPY redsocks.conf /etc/redsocks/redsocks.conf
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
COPY start-proxied.sh /usr/local/bin/start-proxied.sh
RUN chmod +x /usr/local/bin/start-proxied.shEXPOSE 80
ENTRYPOINT ["/usr/local/bin/start-proxied.sh"]
redsocks.conf:
base {
log_debug = off;
log_info = on;
daemon = off;
redirector = iptables;
}redsocks {
local_ip = 0.0.0.0;
local_port = 12345;
ip = ;
port = ;
type = socks5;
login = "";
password = "";
}
start-proxied.sh:
#!/bin/bash
set -eConfigure iptables to redirect all TCP through redsocks
iptables -t nat -N REDSOCKS 2>/dev/null || true
iptables -t nat -F REDSOCKS 2>/dev/null || trueExclude local networks and proxy server
iptables -t nat -A REDSOCKS -d -j RETURN
iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURNRedirect to redsocks
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
iptables -t nat -A OUTPUT -p tcp -j REDSOCKSStart supervisor (manages redsocks + provider)
exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
Run Container:
docker run --name urnetwork-proxied \
--cap-add=NET_ADMIN \
--mount type=bind,source=$HOME/.urnetwork,target=/root/.urnetwork \
--restart always \
-d urnetwork-proxied:latest
Requirements:
--cap-add=NET_ADMIN (required for iptables)/root/.urnetwork/jwtVerification:
# Check egress IP from inside container
docker exec urnetwork-proxied curl -s http://ipinfo.io/ip
Should match your SOCKS5 proxy IP
Resilience:
--restart always for boot persistenceStandard Provider Mode: Earning by Sharing Bandwidth
What is a Provider?
A provider shares egress capacity (internet connection) with the URnetwork. Users connect through providers to access the internet securely. Providers earn USDC payouts for participating.
Payout Structure:
Installation Methods
#### Option 1: One-line Install (Linux)
curl -fSsL https://raw.githubusercontent.com/urnetwork/connect/refs/heads/main/scripts/Provider_Install_Linux.sh | sh
Uninstall:
curl -fSsL https://raw.githubusercontent.com/urnetwork/connect/refs/heads/main/scripts/Provider_Uninstall_Linux.sh | sh
#### Option 2: Windows (PowerShell)
powershell -c "irm https://raw.githubusercontent.com/urnetwork/connect/refs/heads/main/scripts/Provider_Install_Win32.ps1 | iex"
Uninstall:
powershell -c "irm https://raw.githubusercontent.com/urnetwork/connect/refs/heads/main/scripts/Provider_Uninstall_Win32.ps1 | iex"
#### Option 3: Build from Source
mkdir urnetwork && cd urnetwork
git clone https://github.com/urnetwork/connect
git clone https://github.com/urnetwork/protocol
cd connect/provider
go build # Binary at ./provider
#### Option 4: Docker Container
Images: bringyour/community-provider:g1-latest through g4-latest (g4 = most stable)
# Initialize (first time)
docker run --mount type=bind,source=$HOME/.urnetwork,target=/root/.urnetwork \
bringyour/community-provider:g4-latest authRun provider
docker run --mount type=bind,source=$HOME/.urnetwork,target=/root/.urnetwork \
--restart no -d bringyour/community-provider:g4-latest provide
Setting Up a Provider
1. Get auth code: - Visit https://ur.io - Create/login to network - Click "Copy an Auth Code"
2. Authenticate:
./provider auth
# Paste auth code when prompted
# Saved to ~/.urnetwork/jwt
3. Run provider:
./provider provide
# "Provider XXX started"
4. Set up wallet in app for payouts (USDC on Polygon/Solana)
Running as Background Service
Linux (systemd):
systemctl --user start urnetwork # Start
systemctl --user stop urnetwork # Stop
systemctl --user enable urnetwork # Auto-start on login
systemctl --user disable urnetwork # Disable auto-start
macOS (launchd):
# Download launchd template from GitHub
Edit paths and user
sudo cp urnetwork-provider.plist /Library/LaunchAgents/
sudo launchctl load /Library/LaunchAgents/urnetwork-provider.plist
sudo launchctl start /Library/LaunchAgents/urnetwork-provider.plistCheck logs
tail -f /var/log/system.log | grep -i provider
Windows:
powershell -NoProfile -WindowStyle Hidden -Command \
"Start-Process urnetwork.exe -ArgumentList 'provide' -WindowStyle Hidden"
Multi-Platform Builds
Build for multiple architectures:
cd connect/provider
make buildOutputs to:
build/darwin/amd64/provider
build/darwin/arm64/provider
build/linux/amd64/provider
build/linux/arm64/provider
build/linux/arm/provider
build/linux/386/provider
build/windows/amd64/provider
build/windows/arm64/provider
Or download pre-built binaries from nightly releases.
Additional CLIs
| CLI | Purpose |
|-----|---------|
| provider | Run egress provider (earn rewards) |
| tether | Network interfaces and protocol servers (packet routing) |
| bringyourctl | Manage your own network space deployment |
| warpctl | Continuous deployment into network space |
Trust and Safety
Economic Model Summary
For Users:
For Providers:
Company Phases: 1. Phase 0: Build scalable network 2. Phase 1: Break-even at 4% premium conversion 3. Phase 2: Scale with fixed costs 4. Phase 3: Profitable expansion
Quick Reference
Get JWT:
curl -X POST https://api.bringyour.com/auth/code-login \
-d '{"auth_code": ""}' | jq ".by_jwt"
Find Locations:
curl -X POST -H 'Authorization: Bearer ' \
https://api.bringyour.com/network/find-locations \
-d '{"query": "Germany"}' | jq '.locations'
Create Proxy:
curl -X POST -H 'Authorization: Bearer ' \
https://api.bringyour.com/network/auth-client \
-d '{"proxy_config": {"initial_device_state": {"country_code": "DE"}}}'
Install Provider:
curl -fSsL https://raw.githubusercontent.com/urnetwork/connect/refs/heads/main/scripts/Provider_Install_Linux.sh | sh
Router/IoT Platforms
All support provider binary deployment.
Advanced: Providers Through Shadowsocks Proxy
Run URnetwork providers through a Shadowsocks proxy for enhanced privacy or specific egress routing.
Shadowsocks vs SOCKS5:
Architecture:
βββββββββββββββββββββββββββββββββββββββββββ
β URnetwork Provider Container β
β ββββββββββββββββ ββββββββββββββββ β
β β Provider ββββ ss-local ββββββΌββββΆ Shadowsocks Server
β β (egress) β β (SOCKS5:1080)β β (encrypted tunnel)
β ββββββββββββββββ ββββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββ
Shadowsocks Config Format:
Shadowsocks/proxy/server/port/method/country/passwordExample:
Shadowsocks/proxy/138.249.106.2/64619/aes-256-gcm/France/NedyYDqp
Dockerfile Setup:
FROM bringyour/community-provider:g4-latestInstall shadowsocks-libev
RUN apt-get update && apt-get install -y \
shadowsocks-libev \
&& rm -rf /var/lib/apt/lists/*Copy config
COPY shadowsocks.json /etc/shadowsocks-libev/config.jsonCopy startup script
COPY start-shadowsocks.sh /start-shadowsocks.sh
RUN chmod +x /start-shadowsocks.shEXPOSE 1080
ENTRYPOINT ["/start-shadowsocks.sh"]
shadowsocks.json:
{
"server": "YOURIP",
"server_port": YOURPORT,
"local_port": YOURPORT,
"local_address": "YOURIP",
"password": "YOURpass",
"timeout": 300,
"method": "YOURMETHOD"
}
start-shadowsocks.sh:
#!/bin/bash
set -eStart shadowsocks client
ss-local -c /etc/shadowsocks-libev/config.json &
SS_PID=$!
echo "Shadowsocks client started (PID: $SS_PID)"Wait for shadowsocks to be ready
sleep 3Verify shadowsocks is listening
if ! netstat -tlnp 2>/dev/null | grep -q ':1080' && \
! ss -tlnp 2>/dev/null | grep -q ':1080'; then
if ! pgrep -x "ss-local" > /dev/null; then
echo "ERROR: Shadowsocks not running"
exit 1
fi
fi
echo "Shadowsocks proxy ready on 127.0.0.1:1080"Start URnetwork provider with proxy environment
export HTTP_PROXY="socks5://127.0.0.1:1080"
export HTTPS_PROXY="socks5://127.0.0.1:1080"
export ALL_PROXY="socks5://127.0.0.1:1080"exec /usr/local/sbin/bringyour-provider provide
Build Image:
docker build -t urnetwork-shadowsocks:latest .
Run Shadowsocks Provider:
# Create JWT directory
mkdir -p ~/.urnetwork-ss-1
echo "" > ~/.urnetwork-ss-1/jwtRun container
docker run -d \
--name urnetwork-shadowsocks-1 \
--restart always \
-v ~/.urnetwork-ss-1:/root/.urnetwork \
-e WARP_ENV=community \
urnetwork-shadowsocks:latest
Scale to Multiple Providers:
JWT=""for i in $(seq 1 10); do
mkdir -p ~/.urnetwork-ss-$i
echo "$JWT" > ~/.urnetwork-ss-$i/jwt
docker run -d \
--name urnetwork-shadowsocks-$i \
--restart always \
-v ~/.urnetwork-ss-$i:/root/.urnetwork \
-e WARP_ENV=community \
urnetwork-shadowsocks:latest
done
Verification:
# Check container status
docker ps --filter "name=urnetwork-shadowsocks"Check shadowsocks logs
docker logs urnetwork-shadowsocks-1 | grep "listening"
Should show: "listening at 0.0.0.0:1080"
Check provider logs
docker logs urnetwork-shadowsocks-1 | grep "Provider"
Should show: "Provider XXX started"
Common Shadowsocks Methods:
| Method | Description |
|--------|-------------|
| aes-256-gcm | Recommended, hardware-accelerated |
| aes-128-gcm | Faster, slightly less secure |
| chacha20-ietf-poly1305 | Good for mobile/ARM devices |
Troubleshooting:
Quick Reference: Proxied Provider
Build Image:
docker build -t urnetwork-proxied:latest .
Run Proxied Provider:
docker run --name urnetwork-proxied \
--cap-add=NET_ADMIN \
--mount type=bind,source=$HOME/.urnetwork,target=/root/.urnetwork \
--restart always \
-d urnetwork-proxied:latest
Verify Egress IP:
docker exec urnetwork-proxied curl -s http://ipinfo.io/ip
Files Needed:
Dockerfile - extends provider image with redsocks/iptablesredsocks.conf - SOCKS5 proxy configurationstart-proxied.sh - iptables setup + supervisor launchsupervisord.conf - manages redsocks + providerProxy Format:
socks5/45.91.198.75:7778/username/password
Quick Reference: Shadowsocks Provider
Build Image:
docker build -t urnetwork-shadowsocks:latest .
Run Shadowsocks Provider:
docker run -d \
--name urnetwork-shadowsocks-1 \
--restart always \
-v ~/.urnetwork-ss-1:/root/.urnetwork \
-e WARP_ENV=community \
urnetwork-shadowsocks:latest
Shadowsocks Config Format:
Shadowsocks/proxy/server/port/method/country/passwordExample:
Shadowsocks/proxy/138.249.106.2/64619/aes-256-gcm/France/NedyYDqp
Files Needed:
Dockerfile - extends provider image with shadowsocks-libevshadowsocks.json - Shadowsocks client configstart-shadowsocks.sh - starts ss-local + providerProvider Monitoring
Quick Status Check
# All URnetwork containers
docker ps --format "table {{.Names}}\t{{.Status}}" | grep urnetworkCount by type
docker ps --format "{{.Names}}" | grep -c "urnetwork-provider"
docker ps --format "{{.Names}}" | grep -c "urnetwork-proxied"
docker ps --format "{{.Names}}" | grep -c "urnetwork-shadowsocks"
Verify Actually Providing vs Restarting
Check for authentication errors:
# Count "Unauthorized" errors in logs
docker logs urnetwork-provider-1 2>&1 | grep -c "Unauthorized"Check recent restarts
docker ps --format "table {{.Names}}\t{{.Status}}" | grep urnetwork-provider"Up X minutes" = healthy, "Restarting" = auth/connection issues
Check provider logs for success:
# Good: "Provider XXX started" without errors
docker logs urnetwork-proxied-1 2>&1 | grep "Provider.*started"Bad: Stack traces with "401 Unauthorized"
docker logs urnetwork-provider-1 2>&1 | tail -20
Provider Health Summary Script
#!/bin/bash
echo "=== URnetwork Provider Health ==="
for container in $(docker ps -a --format "{{.Names}}" | grep urnetwork | sort); do
status=$(docker ps --filter "name=$container" --format "{{.Status}}")
errors=$(docker logs $container 2>&1 | grep -c "Unauthorized" || echo "0")
if echo "$status" | grep -q "Restarting"; then
echo "β $container: $status (Errors: $errors)"
else
echo "β
$container: $status"
fi
done
Multi-VPS Deployment
Architecture Pattern
βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ
β VPS 1 (Host) β β VPS 2 (DE) β β VPS 3 (US) β
β βββββββββββββ β β βββββββββββββ β β βββββββββββββ β
β β Providers β β β β Providers β β β β Providers β β
β β (10 reg) β β β β (10 reg) β β β β (10 reg) β β
β βββββββββββββ β β βββββββββββββ β β βββββββββββββ β
β βββββββββββββ β β β β β
β β Proxied β β β β β β
β β (10 sock) β β β β β β
β βββββββββββββ β β β β β
βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ
β β β
ββββββββββββββββββββββ΄βββββββββββββββββββββ
β
Single JWT on each VPS
/root/.urnetwork/jwt
Deployment Steps
1. Prepare JWT on Host VPS:
# Host VPS (source of truth)
mkdir -p /root/.urnetwork
echo "" > /root/.urnetwork/jwt
2. Deploy to Remote VPS:
VPS_IP="YOURIP"
VPS_USER="YOURuser"
VPS_PASS="YOURpassword"Copy JWT to remote
sshpass -p "$VPS_PASS" scp /root/.urnetwork/jwt $VPS_USER@$VPS_IP:/home/$VPS_USER/.urnetwork/jwtSSH and create /root/.urnetwork (if needed)
sshpass -p "$VPS_PASS" ssh $VPS_USER@$VPS_IP 'sudo mkdir -p /root/.urnetwork && sudo cp /home/'$VPS_USER'/.urnetwork/jwt /root/.urnetwork/jwt'Launch providers on remote
sshpass -p "$VPS_PASS" ssh $VPS_USER@$VPS_IP '
for i in $(seq 1 10); do
docker run -d --name urnetwork-provider-vps-$i \
-v /root/.urnetwork:/root/.urnetwork \
--restart always \
bringyour/community-provider:g4-latest provide
done
'
3. Scale Pattern:
# Launch N providers on current host
launch_providers() {
local count=$1
local prefix=$2
for i in $(seq 1 $count); do
docker run -d --name ${prefix}-$i \
-v /root/.urnetwork:/root/.urnetwork \
--restart always \
bringyour/community-provider:g4-latest provide
done
}Usage
launch_providers 10 "urnetwork-provider"
launch_providers 10 "urnetwork-proxied"
Troubleshooting Guide
401 Unauthorized Errors
Symptoms:
"401 Unauthorized: Not authorized"Causes & Fixes:
| Cause | Fix |
|-------|-----|
| JWT expired | Get fresh auth code from https://ur.io |
| JWT malformed | Re-copy JWT, ensure no extra whitespace |
| Wrong JWT location | Verify mounted at /root/.urnetwork/jwt |
| JWT permissions | Ensure readable: chmod 644 /root/.urnetwork/jwt |
Quick Fix:
# 1. Get new auth code from https://ur.io
2. Exchange for JWT
curl -X POST https://api.bringyour.com/auth/code-login \
-d '{"auth_code": "YOUR_CODE"}' | jq -r ".by_jwt" > /root/.urnetwork/jwt3. Restart all providers
docker restart $(docker ps -q --filter "name=urnetwork")
Restart Loops
Check restart count:
docker ps --format "table {{.Names}}\t{{.Status}}" | grep urnetwork
Common causes:
| Pattern | Likely Cause | Solution |
|---------|--------------|----------|
| Restarting every 5-10s | 401 Unauthorized | Refresh JWT |
| Restarting every 30s | Proxy connection issue | Check SOCKS5/Shadowsocks server |
| Up for hours then restart | Network instability | Check --restart always is set |
Debug restart loop:
# Watch real-time logs
docker logs -f urnetwork-provider-1Check exit code
docker inspect urnetwork-provider-1 --format='{{.State.ExitCode}}'
Proxy Connection Issues (Proxied Providers)
Symptoms:
Diagnose:
# Test SOCKS5 proxy manually
curl -x socks5://username:password@proxy_ip:port http://ipinfo.io/ipCheck shadowsocks is listening
docker exec urnetwork-shadowsocks-1 ss -tlnp | grep 1080Verify iptables rules (for proxied containers)
docker exec urnetwork-proxied-1 iptables -t nat -L REDSOCKS
Fix proxy config:
# Update shadowsocks.json and rebuild
docker build -t urnetwork-shadowsocks:latest .
docker restart urnetwork-shadowsocks-{1..10}
Container Won't Start
Check:
# Port conflicts
docker logs urnetwork-provider-1 2>&1 | grep "bind"Mount issues
docker logs urnetwork-provider-1 2>&1 | grep "mount"Disk space
df -hDocker daemon
docker system info
Mass Operations
Restart all providers:
docker restart $(docker ps -q --filter "name=urnetwork")
Stop all providers:
docker stop $(docker ps -q --filter "name=urnetwork")
Remove all providers (destructive):
docker rm -f $(docker ps -aq --filter "name=urnetwork")
View all logs:
for c in $(docker ps --format "{{.Names}}" | grep urnetwork); do
echo "=== $c ==="
docker logs $c 2>&1 | tail -5
done
Full docs: https://docs.ur.io