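---
# Read-only diagnostics for "Grafana is only reachable via the WireGuard VPN"
# problems: it dumps the WireGuard interface/peer state, VPN routes, firewall
# rules, DNS answers, the Traefik forwardedHeaders / VPN-only middleware config
# and a couple of reachability probes. Nothing here changes host state, so every
# task is marked `changed_when: false` and never fails the play
# (`failed_when: false`) — a missing tool or file just prints a marker line.
#
# Hosts, network and paths are variables so the play can be reused with
# `-e grafana_host=... -e vpn_dns=...` instead of editing the tasks.
- name: Diagnose VPN Routing Problem für Grafana
  hosts: production
  gather_facts: true
  become: true
  become_user: root
  vars:
    # Public name of the Grafana virtual host behind Traefik.
    grafana_host: "grafana.michaelschiemer.de"
    # WireGuard tunnel network and the address Traefik/CoreDNS listen on inside it.
    vpn_network: "10.8.0.0/24"
    # First three octets of vpn_network; used for the route-table grep below.
    vpn_net_prefix: "10.8.0"
    vpn_dns: "10.8.0.1"
    # UDP port WireGuard listens on (used only to grep firewall rules).
    wg_port: "51820"
    # Public resolver used as a control answer next to the VPN resolver.
    public_dns: "8.8.8.8"
    # NOTE(review): with become_user root, `~` expands to root's home. If the
    # Traefik/CoreDNS stacks live under another user's home, pass
    # `-e deployment_dir=/home/<user>/deployment`.
    deployment_dir: "~/deployment"
    wg_config: "/etc/wireguard/wg0.conf"

  tasks:
    - name: Check WireGuard interface status
      shell: |
        echo "=== WireGuard Interface Status ==="
        ip addr show wg0 2>&1 || echo "WireGuard interface not found"
        echo ""
        echo "=== WireGuard Peers ==="
        # `wg show` prints public keys and endpoints only; private keys are never
        # shown, so this output is safe to keep in the Ansible log.
        wg show 2>&1 || echo "WireGuard not running"
      args:
        executable: /bin/bash
      register: wg_status
      changed_when: false
      failed_when: false

    - name: Display WireGuard status
      debug:
        var: wg_status.stdout_lines

    - name: Check routing table for VPN network
      shell: |
        echo "=== Routing Table for {{ vpn_network }} ==="
        ip route show | grep -F "{{ vpn_net_prefix }}" || echo "No routes found for {{ vpn_network }}"
        echo ""
        echo "=== Default Route ==="
        ip route show default || echo "No default route"
      args:
        executable: /bin/bash
      register: routing_info
      changed_when: false
      failed_when: false

    - name: Display routing information
      debug:
        var: routing_info.stdout_lines

    - name: Check Traefik access logs for recent Grafana requests
      shell: |
        cd {{ deployment_dir }}/stacks/traefik
        echo "=== Recent Grafana Access (Last 10 requests) ==="
        # Try to parse the JSON access log with jq; if jq is missing or the log
        # is in CLF format, fall back to printing the raw lines.
        tail -50 logs/access.log | grep grafana | tail -10 \
          | jq -r '[.ClientAddr, .ClientHost, .RequestHost, .DownstreamStatus] | @tsv' 2>&1 \
          || tail -50 logs/access.log | grep grafana | tail -10
      args:
        executable: /bin/bash
      register: traefik_access
      changed_when: false
      failed_when: false

    - name: Display Traefik access logs
      debug:
        var: traefik_access.stdout_lines

    - name: Test DNS resolution from server
      shell: |
        # `dig +short` exits 0 even for NXDOMAIN, so "Failed" only appears on a
        # transport error (resolver unreachable). An empty answer line means the
        # resolver answered but has no record for the name.
        echo "=== DNS Resolution Tests ==="
        echo "1. Grafana via VPN DNS ({{ vpn_dns }}):"
        dig +short {{ grafana_host }} @{{ vpn_dns }} 2>&1 || echo "Failed"
        echo ""
        echo "2. Grafana via public DNS ({{ public_dns }}):"
        dig +short {{ grafana_host }} @{{ public_dns }} 2>&1 || echo "Failed"
        echo ""
        echo "3. Grafana via system DNS:"
        dig +short {{ grafana_host }} 2>&1 || echo "Failed"
      args:
        executable: /bin/bash
      register: dns_tests
      changed_when: false
      failed_when: false

    - name: Display DNS test results
      debug:
        var: dns_tests.stdout_lines

    - name: Check firewall rules for WireGuard
      shell: |
        # The play already runs as root (become_user: root), so no sudo here.
        echo "=== Firewall Rules for WireGuard (port {{ wg_port }}) ==="
        ufw status | grep {{ wg_port }} || iptables -L -n | grep {{ wg_port }} || echo "No firewall rules found"
        echo ""
        echo "=== Allowed IPs in WireGuard Config ==="
        # Deliberately grep only AllowedIPs: never cat the whole file, it holds
        # PrivateKey/PresharedKey lines that must not end up in Ansible output.
        grep -E "AllowedIPs" {{ wg_config }} 2>&1 || echo "WireGuard config not found"
      args:
        executable: /bin/bash
      register: firewall_info
      changed_when: false
      failed_when: false

    - name: Display firewall information
      debug:
        var: firewall_info.stdout_lines

    - name: Check Traefik forwardedHeaders configuration
      shell: |
        cd {{ deployment_dir }}/stacks/traefik
        echo "=== Traefik forwardedHeaders Config ==="
        # trustedIPs here decides whether X-Forwarded-For from the VPN side is
        # honoured, which is what the VPN-only middleware keys on.
        grep -A 10 "forwardedHeaders:" traefik.yml || echo "Not found"
      args:
        executable: /bin/bash
      register: forwarded_headers
      changed_when: false
      failed_when: false

    - name: Display forwardedHeaders configuration
      debug:
        var: forwarded_headers.stdout_lines

    - name: Check Grafana middleware configuration
      shell: |
        cd {{ deployment_dir }}/stacks/traefik/dynamic
        echo "=== Grafana VPN Only Middleware ==="
        grep -A 6 "grafana-vpn-only:" middlewares.yml || echo "Not found"
      args:
        executable: /bin/bash
      register: grafana_middleware
      changed_when: false
      failed_when: false

    - name: Display Grafana middleware configuration
      debug:
        var: grafana_middleware.stdout_lines

    - name: Check CoreDNS configuration
      shell: |
        cd {{ deployment_dir }}/stacks/dns
        echo "=== CoreDNS Corefile ==="
        cat Corefile 2>&1 || echo "Not found"
      args:
        executable: /bin/bash
      register: coredns_config
      changed_when: false
      failed_when: false

    - name: Display CoreDNS configuration
      debug:
        var: coredns_config.stdout_lines

    - name: Test connection to Grafana from server via VPN IP
      shell: |
        # `curl -k` skips TLS certificate verification. That is acceptable for a
        # local reachability probe (the VPN IP will not match the certificate),
        # but do not copy this flag into monitoring or client-side checks.
        echo "=== Test Connection to Grafana via VPN IP ({{ vpn_dns }}) ==="
        curl -k -H "User-Agent: Mozilla/5.0" -s -o /dev/null -w "HTTP %{http_code}\n" \
          https://{{ vpn_dns }}:443 -H "Host: {{ grafana_host }}" 2>&1 || echo "Connection failed"
        echo ""
        echo "=== Test Connection via Domain ==="
        curl -k -H "User-Agent: Mozilla/5.0" -s -o /dev/null -w "HTTP %{http_code}\n" \
          https://{{ grafana_host }}/ 2>&1 || echo "Connection failed"
      args:
        executable: /bin/bash
      register: connection_tests
      changed_when: false
      failed_when: false

    - name: Display connection test results
      debug:
        var: connection_tests.stdout_lines

    - name: Monitor Traefik access logs in real-time (for next request)
      shell: |
        echo "=== Instructions ==="
        echo "1. Connect to VPN with your WireGuard client"
        echo "2. Ensure DNS is set to {{ vpn_dns }} in WireGuard config"
        echo "3. Access https://{{ grafana_host }} in your browser"
        echo "4. Check the ClientAddr in the access logs below"
        echo ""
        echo "=== Last Grafana Access Attempt ==="
        # A ClientAddr outside {{ vpn_network }} means the request did not come
        # through the tunnel (or forwardedHeaders is rewriting it).
        tail -1 {{ deployment_dir }}/stacks/traefik/logs/access.log 2>&1 \
          | jq -r '[.ClientAddr, .ClientHost, .DownstreamStatus] | @tsv' \
          || tail -1 {{ deployment_dir }}/stacks/traefik/logs/access.log
      args:
        executable: /bin/bash
      register: monitoring_info
      changed_when: false
      failed_when: false

    - name: Display monitoring instructions
      debug:
        var: monitoring_info.stdout_lines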