Cloudflare Access bastion mode

I am attempting to test out RDP access using Cloudflare access and --bastion mode to enable access to multiple servers but the documentation is unclear to me and I’m not sure what I’m missing. In the below command meant to be run on the server, --hostname should be the sub domain setup in Cloudflare correct?

cloudflared tunnel --hostname rdp.site.com --bastion

Then from the client:

.\cloudflared.exe access rdp --hostname rdp.site.com --url localhost:2244 --destination rdpserver:3389

hostname here should be the server I am trying to connect to? And rdpserver:3389 should be the server I setup the tunnel on?

Thanks for any help, I’ve tried all combinations and nothing appears to work. Currently I just get an error saying: failed to connect to COMPUTER with error: dial tcp: lookup COMPUTER: no such host

hostname should be the same as used to create the tunnel in the first step… so if you published a tunnel/bastion host with the name rdp.site.com that would be the fully qualified domain name in DNS of the tunnel running on Cloudflare’s edge.

--destination rdpserver:3389 is the internal name and port of the host you are trying to connect to on your local network via RDP. Whatever rdpserver:3389 is, it should be accessible from the bastion host using that name.


Thank you for the clarification. This is what I’ve tried but when I issue the command:

cloudflared.exe access rdp --hostname RDP_SERVER_WHERE_TUNNEL_IS_RUNNING --url localhost:2244 --destination LOCAL_COMPUTER_TO_RDP_INTO

and then launch a remote desktop to localhost:2244, it remotes into RDP_SERVER_WHERE_TUNNEL_IS_RUNNING instead? Something wrong in my configuration I’m sure but I can’t figure it out.

As far as I can tell, this destination parameter doesn’t do anything in my setup. No matter what I put there, when I initiate the RDP connection, it brings me to the machine specified with the --hostname parameter.

I would verify your cloudflared tunnel in your internal network environment is running in bastion mode and update to the latest version on both the server and the client. Destination is only used if the tunnel is bastion mode.

.\cloudflared.exe access rdp --hostname rdp.site.com --url localhost:2244 --destination rdpserver:3389

PS C:\Cloudflared\bin> .\cloudflared.exe tunnel --hostname rdp.SITE.org --bastion

This is the command I issue to start the tunnel on the server and I’m using a version built 2020-11-15-0224 UTC so I assume the latest version.

This is what is required to start in bastion mode isn’t it?

When running in bastion mode, would the config file on the server still look like this:

hostname: rdp.site.com
url: rdp://localhost:3389
logfile: C:\Windows\System32\config\systemprofile.cloudflared\tunnel.log

specifically, the url parameter?


If I set the log level to debug, it looks like the header Cf-Access-Jump-Destination does get set properly to the value I supply with the --destination parameter but that value is not the computer that gets logged into when I then RDP to localhost:2244.

At this point I’m just wondering if Bastion mode is being used out in the world so I can determine whether to continue trying to make it work or give up? While simple to setup the documentation isn’t great and information is hard to come by.


I figured it out, not thanks to the documentation. The YML file needs to have

```
service: bastion
```

instead of the URL RDP line. Found the info here: Using Cloudflare Access and tunnels to create an RDP jump host – James Flower
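As an added illustration (not the poster's or Cloudflare's code), a small hypothetical checker that applies the rule this thread arrived at: a client `--destination` is only honoured when the server config says `service: bastion`; otherwise the session lands on the server's `url:` target. The config texts and command line are constructed from the examples in the thread.

```python
import shlex
from urllib.parse import urlparse

def parse_config(text):
    """Flat key: value parser for the cloudflared config shown in the thread."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")   # split on the first ':' only, so rdp:// survives
        cfg[key.strip()] = value.strip()
    return cfg

def parse_client_flags(cmdline):
    """Collect --flag value pairs from a `cloudflared access rdp` command line."""
    args = shlex.split(cmdline, posix=False)   # posix=False keeps Windows backslashes
    return {a[2:]: args[i + 1] for i, a in enumerate(args)
            if a.startswith("--") and i + 1 < len(args)}

def predict_rdp_target(server_cfg, client_flags):
    """Return (host:port the RDP session will land on, list of findings)."""
    findings = []
    if client_flags.get("hostname", "").lower() != server_cfg.get("hostname", "").lower():
        findings.append("client --hostname must match the hostname the tunnel was published under")
    dest = client_flags.get("destination")
    if server_cfg.get("service") == "bastion":
        if not dest:
            findings.append("bastion mode: client must pass --destination host:port")
        return dest, findings
    # Not bastion mode: cloudflared forwards to url: and the jump destination is ignored.
    target = urlparse(server_cfg.get("url", "")).netloc
    if dest:
        findings.append(f"--destination {dest} is ignored: server config has url: but no service: bastion")
    return target, findings

# Constructed samples mirroring the thread (placeholder hosts, not real systems).
NON_BASTION_CFG = "hostname: rdp.site.com\nurl: rdp://localhost:3389\n"
BASTION_CFG = "hostname: rdp.site.com\nservice: bastion\n"
CLIENT_CMD = r".\cloudflared.exe access rdp --hostname rdp.site.com --url localhost:2244 --destination rdpserver:3389"

if __name__ == "__main__":
    for name, cfg in (("url: config", NON_BASTION_CFG), ("bastion config", BASTION_CFG)):
        target, notes = predict_rdp_target(parse_config(cfg), parse_client_flags(CLIENT_CMD))
        print(f"{name}: RDP lands on {target}; findings: {notes or 'none'}")
```

In bastion mode the authenticated client picks the destination, so the Access policy on the tunnel hostname is what limits who can reach any host the bastion can see.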