# How to Get Cloudflare Tunnel Credentials ## The Problem `cloudflared tunnel token` doesn't work for existing tunnels. For existing tunnels created via API, you need to use **credentials files** (JSON format), not tokens. ## Solution: Download from Cloudflare Dashboard ### Step 1: Access Cloudflare Dashboard 1. Go to: https://one.dash.cloudflare.com/ 2. Navigate to: **Zero Trust** > **Networks** > **Tunnels** 3. You should see your 3 tunnels: - `tunnel-ml110` (ID: `ccd7150a-9881-4b8c-a105-9b4ead6e69a2`) - `tunnel-r630-01` (ID: `4481af8f-b24c-4cd3-bdd5-f562f4c97df4`) - `tunnel-r630-02` (ID: `0876f12b-64d7-4927-9ab3-94cb6cf48af9`) ### Step 2: Download Credentials for Each Tunnel For each tunnel: 1. Click on the tunnel name 2. Click **"Configure"** tab 3. Scroll to **"Local Management"** section 4. Click **"Download credentials file"** 5. Save the file as: - `credentials-ml110.json` - `credentials-r630-01.json` - `credentials-r630-02.json` ### Step 3: Use the Credentials The credentials file format looks like: ```json { "AccountTag": "52ad57a71671c5fc009edf0744658196", "TunnelSecret": "base64-encoded-secret-here", "TunnelID": "ccd7150a-9881-4b8c-a105-9b4ead6e69a2", "TunnelName": "tunnel-ml110" } ``` ### Step 4: Copy to VMID 102 Once you have the credentials files, run: ```bash cd /home/intlc/projects/proxmox/scripts/cloudflare-tunnels ./scripts/generate-credentials.sh ``` This script will: - Prompt you for each credentials file path - Validate the JSON format - Copy to VMID 102 at `/etc/cloudflared/credentials-.json` - Update config files with correct paths - Set proper permissions (600) ## Alternative: Manual Copy If you prefer to copy manually: ```bash # From your local machine (where you downloaded credentials) scp credentials-ml110.json root@192.168.11.10:/tmp/ scp credentials-r630-01.json root@192.168.11.10:/tmp/ scp credentials-r630-02.json root@192.168.11.10:/tmp/ # Then on Proxmox host ssh root@192.168.11.10 pct push 102 /tmp/credentials-ml110.json /etc/cloudflared/credentials-ml110.json pct push 102 /tmp/credentials-r630-01.json /etc/cloudflared/credentials-r630-01.json pct push 102 /tmp/credentials-r630-02.json /etc/cloudflared/credentials-r630-02.json pct exec 102 -- chmod 600 /etc/cloudflared/credentials-*.json ``` ## Verify After copying credentials: ```bash ssh root@192.168.11.10 "pct exec 102 -- ls -la /etc/cloudflared/" ``` You should see: - `credentials-ml110.json` - `credentials-r630-01.json` - `credentials-r630-02.json` - `tunnel-ml110.yml` - `tunnel-r630-01.yml` - `tunnel-r630-02.yml` ## Start Services Once credentials are in place: ```bash ssh root@192.168.11.10 "pct exec 102 -- systemctl start cloudflared-ml110 cloudflared-r630-01 cloudflared-r630-02" ssh root@192.168.11.10 "pct exec 102 -- systemctl enable cloudflared-*" ``` ## Why Not Tokens? - **Tokens** are used for **new tunnels** created via `cloudflared tunnel create` - **Credentials files** are used for **existing tunnels** (created via API or dashboard) - Our tunnels were created via API, so we need credentials files, not tokens ## Reference - [Cloudflare Tunnel Credentials Documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/#download-the-credentials-file)