getting-started
Deploys TunPilot server via SSH, wires up the local `tunpilot` CLI or web admin, and verifies end-to-end connectivity. Use when installing TunPilot, deploying the server, configuring remote access, updating an existing installation, or setting up TunPilot for the first time.
Best use case
getting-started is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Deploys TunPilot server via SSH, wires up the local `tunpilot` CLI or web admin, and verifies end-to-end connectivity. Use when installing TunPilot, deploying the server, configuring remote access, updating an existing installation, or setting up TunPilot for the first time.
Teams using getting-started should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/getting-started/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How getting-started Compares
| Feature / Agent | getting-started | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Deploys TunPilot server via SSH, wires up the local `tunpilot` CLI or web admin, and verifies end-to-end connectivity. Use when installing TunPilot, deploying the server, configuring remote access, updating an existing installation, or setting up TunPilot for the first time.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# TunPilot Getting Started
Guide the user from zero to a working TunPilot setup they can manage from either the web admin or the `tunpilot` CLI.
## Step 0: Detect User State
Ask the user what they need before jumping into deployment:
- **Already have a running TunPilot server?** → Skip to "Configure Client"
- **Already configured but want to update?** → Skip to "Update"
- **Starting from scratch?** → Continue to "Deploy Server"
## Step 1: Deploy Server
### Prerequisites
1. **Ask the user for the target server** — SSH destination (e.g. `root@1.2.3.4` or an alias from `~/.ssh/config`). Must be Linux with root access.
2. **Test SSH connectivity** — the agent cannot enter passwords interactively:
```bash
ssh <server> "echo ok"
```
If this fails, stop and tell the user to set up SSH key-based login first.
3. **Check firewall** — ensure port 3000 is open:
```bash
ssh <server> "command -v ufw && ufw allow 3000/tcp || command -v firewall-cmd && firewall-cmd --add-port=3000/tcp --permanent && firewall-cmd --reload || echo 'no firewall detected'"
```
### Deploy
Run the one-command deploy script:
```bash
ssh <server> "curl -fsSL https://raw.githubusercontent.com/Buywatermelon/tunpilot/main/scripts/deploy.sh | bash"
```
The script automatically:
1. Installs Bun (if not present)
2. Clones/updates the repo to `/opt/tunpilot`
3. Installs dependencies and builds the web admin
4. Generates `TUNPILOT_AUTH_TOKEN` and creates `.env`
5. Creates and starts a systemd service
6. Prints the web admin URL, REST endpoint, and auth token — **capture this output**
### Verify deployment
Parse the script output. It should contain `✔ TunPilot deployed on http://<ip>:3000`.
If it fails, diagnose:
```bash
ssh <server> "journalctl -u tunpilot --no-pager -n 50"
```
Common failures:
- **Port 3000 in use** — another service occupies the port. Change `TUNPILOT_PORT` in `/opt/tunpilot/.env` and restart.
- **Bun install failed** — check network connectivity and disk space.
- **Permission denied** — must run as root.
### Update an existing installation
The deploy script is idempotent. It `git pull`s, rebuilds the web admin, and restarts — preserving `.env` and token:
```bash
ssh <server> "curl -fsSL https://raw.githubusercontent.com/Buywatermelon/tunpilot/main/scripts/deploy.sh | bash"
```
## Step 2: Configure Client
### Verify reachability from the user's machine
Before wiring up a client, confirm the server responds from the client side (run locally, **not** via SSH):
```bash
curl --max-time 5 http://<ip>:3000/health
```
Expected: `{"status":"ok"}`. If this fails:
- **Connection refused** — firewall on the server is blocking port 3000. Go back to Step 1 firewall check.
- **Timeout** — network path issue. Check for NAT/firewall between the user and the server. `nc -zv <ip> 3000` tests TCP reachability.
- **Connection reset** — the service crashed. SSH in: `journalctl -u tunpilot --no-pager -n 30`.
### Pick a client
TunPilot exposes three equivalent entry points. Pick whichever fits the user's workflow — or use the CLI (what this skill standardizes on, because Agents operate through it).
#### Option A — Web Admin (zero install)
Open `http://<ip>:3000` in a browser and paste the token on the login screen. Done.
#### Option B — `tunpilot` CLI (what Agents use)
Install the CLI on the **user's local machine** (not the server):
```bash
bun install -g github:Buywatermelon/tunpilot
```
If the user doesn't have Bun locally:
```bash
curl -fsSL https://bun.sh/install | bash
```
Configure the CLI:
```bash
tunpilot config set server http://<ip>:3000
tunpilot config set token <auth-token>
```
Config lives in `~/.config/tunpilot/config.json`.
#### Option C — REST API direct
```bash
curl -H "Authorization: Bearer <token>" http://<ip>:3000/api/v1/nodes
```
Useful for scripting or integration.
### Verify the client works
Run a no-op list command to confirm auth and connectivity:
```bash
tunpilot node list
```
Expected: either a table of nodes, or a "no nodes yet" notice. Any HTTP error (401, 5xx, timeout) means the client config is wrong or the server is unreachable — debug using the checklist above.
## Security Notice
The default deployment uses **plain HTTP**. The auth token is transmitted in cleartext. For production use, consider one of these mitigations:
**Option A — SSH tunnel (simplest, no domain needed):**
```bash
ssh -N -L 3000:localhost:3000 <server>
```
Then point the CLI at `http://localhost:3000` and bind the server to loopback only (`TUNPILOT_HOST=127.0.0.1` in `.env`).
**Option B — Reverse proxy with TLS (requires domain):**
Use Caddy or nginx in front of TunPilot with a TLS certificate. Update `TUNPILOT_BASE_URL` to the HTTPS URL (this also fixes subscription links for clients).
**Option C — Firewall source IP restriction (quick hardening):**
```bash
ssh <server> "ufw default deny incoming && ufw allow from <your-ip> to any port 3000 && ufw allow 22/tcp && ufw enable"
```
Restricts port 3000 to a single source IP.
## What's Next
With the CLI or web admin connected, use the `deploying-hy2-nodes` (Hysteria2) or `deploying-xray-nodes` (Trojan) skill to register your first proxy node. The Agent will drive those flows via `tunpilot node add`, `tunpilot user create`, and friends.Related Skills
testing-nodes
Runs IP reputation checks (risk scores, streaming unlock, blacklists via 9 providers) and network performance tests (BGP, latency, speed, routing to 31 Chinese provinces) on proxy nodes via SSH. Generates structured health reports with actionable recommendations. Use when testing proxy node quality, checking IP risk scores, verifying streaming unlock status, running speed tests, diagnosing latency, or comparing multiple nodes side-by-side.
deploying-xray-nodes
Deploys TCP Trojan proxy nodes on Xray-core with certbot Let's Encrypt or self-signed EC P-256 + SHA-256 certificate fingerprint pinning, TCP Fast Open kernel tuning with BBR, nginx-compatible fallback site, gRPC user sync (not HTTP auth callback), and systemd hardening with strict filesystem isolation. Use when deploying a Trojan node on Xray, pinning a self-signed cert fingerprint, configuring TCP Fast Open, or setting up the Xray gRPC stats API. Not for Hysteria2 — see deploying-hy2-nodes.
deploying-hy2-nodes
Deploys UDP/QUIC Hysteria2 proxy nodes with Brutal or BBR congestion control, inline ACME (or self-signed EC P-256), HTTP masquerade, QUIC receive/send window tuning based on server memory, systemd hardening with CAP_NET_ADMIN, and HTTP auth callback registration in TunPilot. Use when deploying a new Hysteria2 node, choosing Brutal vs BBR, tuning QUIC windows, setting up masquerade, or switching between ACME and self-signed TLS. Not for Xray/Trojan — see deploying-xray-nodes.
getting-started
Use when starting any conversation - establishes how to find and use skills, requiring skill activation before ANY response including clarifying questions
Getting Started with Skills
Skills wiki intro - mandatory workflows, search tool, brainstorming triggers
residuum-getting-started
First-conversation guidance: quick setup that gets the agent doing real work immediately, then deeper exploration workflows
getting-started
Analyze the current repo structure, build system, test setup, and conventions to provide a practical onboarding guide. Use when new to a codebase, joining a project, or wanting to understand how a repo is organized. Triggers on getting started, new to repo, onboard, how does this repo work, repo structure, codebase overview.
gitbook-getting-started
Sub-skill of gitbook: Getting Started.
swe-cli-skills
Senior engineer CLI expertise for AI agents — workflows, safety guardrails, gotchas, and anti-patterns across cloud, IaC, containers, databases, dev tools, and platforms
PicoClaw Fleet
Orchestrate a fleet of remote PicoClaw workers over SSH for fast, ephemeral one-shot tasks.
VibeCollab — Setup Instructions for AI Assistants
You are helping a user set up VibeCollab in their project.
raycast-extension-docs
Guidance for building, debugging, and publishing Raycast extensions using the Raycast documentation set. Use when Codex needs to create or modify Raycast extensions (React/TypeScript/Node), consult Raycast API reference or UI components, build AI extensions, handle manifest/lifecycle/preferences, troubleshoot issues, or prepare/publish extensions to the Raycast Store or Teams.