proxmox/scripts/diagnose-tunnels.sh

#!/bin/bash
set -euo pipefail

# Load IP configuration
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true


# Diagnose all Cloudflare tunnels - identify why they're DOWN

set -e

PROXMOX_HOST="${PROXMOX_HOST:-192.168.11.12}"
VMID="${VMID:-102}"

echo "═══════════════════════════════════════════════════════════"
echo "  Cloudflare Tunnels Diagnostic"
echo "═══════════════════════════════════════════════════════════"
echo ""
echo "Target: VMID ${VMID} on ${PROXMOX_HOST}"
echo ""

# Test connection
if ! ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} "pct exec ${VMID} -- echo 'Connected'" 2>/dev/null; then
    echo "❌ Cannot connect to VMID ${VMID} on ${PROXMOX_HOST}"
    echo ""
    echo "Network segmentation detected. Use SSH tunnel:"
    echo "  ./setup_ssh_tunnel.sh"
    echo "  PROXMOX_HOST=localhost ./diagnose-tunnels.sh"
    exit 1
fi

echo "✅ Connected to container"
echo ""

# 1. Check container status
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "1. Container Status"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
CONTAINER_STATUS=$(ssh root@${PROXMOX_HOST} "pct status ${VMID}" 2>/dev/null || echo "unknown")
echo "Status: $CONTAINER_STATUS"
if [[ "$CONTAINER_STATUS" != *"running"* ]]; then
    echo "⚠️  Container is not running!"
    echo "   Fix: ssh root@${PROXMOX_HOST} 'pct start ${VMID}'"
fi
echo ""

# 2. Check cloudflared installation
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "2. cloudflared Installation"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
CLOUDFLARED_PATH=$(ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- which cloudflared" 2>/dev/null || echo "")
if [ -z "$CLOUDFLARED_PATH" ]; then
    echo "❌ cloudflared not found!"
    echo "   Fix: ssh root@${PROXMOX_HOST} 'pct exec ${VMID} -- apt install -y cloudflared'"
else
    echo "✅ cloudflared found: $CLOUDFLARED_PATH"
    VERSION=$(ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- cloudflared --version" 2>/dev/null || echo "unknown")
    echo "   Version: $VERSION"
fi
echo ""

# 3. Check service status
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "3. Tunnel Services Status"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
SERVICES=$(ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- systemctl list-units --type=service --state=running,failed | grep cloudflared" 2>/dev/null || echo "")
if [ -z "$SERVICES" ]; then
    echo "❌ No cloudflared services running!"
    echo ""
    echo "Checking for installed services..."
    INSTALLED=$(ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- systemctl list-units --type=service --all | grep cloudflared" 2>/dev/null || echo "")
    if [ -z "$INSTALLED" ]; then
        echo "❌ No cloudflared services found!"
        echo "   Services need to be created"
    else
        echo "Found services (not running):"
        echo "$INSTALLED" | while read line; do
            echo "  - $line"
        done
        echo ""
        echo "Fix: ssh root@${PROXMOX_HOST} 'pct exec ${VMID} -- systemctl start cloudflared-*'"
    fi
else
    echo "✅ Running services:"
    echo "$SERVICES" | while read line; do
        echo "  ✅ $line"
    done
fi
echo ""

# 4. Check credentials
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "4. Tunnel Credentials"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
CREDENTIALS=$(ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- ls -1 /etc/cloudflared/credentials-*.json 2>/dev/null" || echo "")
if [ -z "$CREDENTIALS" ]; then
    echo "❌ No credential files found!"
    echo "   Credentials need to be downloaded from Cloudflare Dashboard"
    echo "   Location: Zero Trust → Networks → Tunnels → Download credentials"
else
    echo "✅ Found credential files:"
    echo "$CREDENTIALS" | while read cred; do
        PERMS=$(ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- stat -c '%a' $cred" 2>/dev/null || echo "unknown")
        if [ "$PERMS" != "600" ]; then
            echo "  ⚠️  $cred (permissions: $PERMS - should be 600)"
        else
            echo "  ✅ $cred (permissions: $PERMS)"
        fi
    done
fi
echo ""

# 5. Check network connectivity
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "5. Network Connectivity"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
if ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- ping -c 2 -W 2 8.8.8.8" >/dev/null 2>&1; then
    echo "✅ Internet connectivity: OK"
else
    echo "❌ Internet connectivity: FAILED"
    echo "   Container cannot reach internet"
fi

if ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- curl -s -o /dev/null -w '%{http_code}' --max-time 5 https://cloudflare.com" | grep -q "200\|301\|302"; then
    echo "✅ HTTPS connectivity: OK"
else
    echo "❌ HTTPS connectivity: FAILED"
fi
echo ""

# 6. Check recent logs
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "6. Recent Tunnel Logs (last 20 lines)"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
LOGS=$(ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- journalctl -u cloudflared-* -n 20 --no-pager 2>/dev/null" || echo "No logs found")
if [ "$LOGS" != "No logs found" ] && [ -n "$LOGS" ]; then
    echo "$LOGS"
else
    echo "⚠️  No recent logs found (services may not be running)"
fi
echo ""

# Summary
echo "═══════════════════════════════════════════════════════════"
echo "  Diagnostic Summary"
echo "═══════════════════════════════════════════════════════════"
echo ""
echo "Next steps:"
echo "  1. Review findings above"
echo "  2. Run fix script: ./fix-all-tunnels.sh"
echo "  3. Or manually fix issues identified"
echo ""