Confused about argo + arbitrary TCP

Hello all, I am a bit confused about Argo tunnel / access setup for arbitrary TCP connections via a bastion host – in the past I’ve used access for both internal web and RDP without issue – but never used any of the “tunnel” configurations - I presume the RDP mode has some special stuff in it to handle rdp connections? Otherwise I would just use that – but when trying the same setup with tcp://ip:23 – it doesn’t seem to work – I’ve tried a number of– but wanted to make sure what the current and correct instructions are for such a setup

and in a related question – it is unclear to me browsing documentation for the newer teams stuff - if it is possible to tie said arbitrary telnet connections to an authentication provider or is it just validating Argo to your cloudflare account?

So for example:

Cloudflared tunnel –bastion –hostname –url tcp://server:23
(and tried the same with appending run xxx – name of the configured tunnel)
Seems to connect fine on the host end)

And on the client:

cloudflared.exe access tcp --tunnel-host tcp://localhost:23

2021-03-16T23:48:20Z INF Start Websocket listener host=localhost:23
2021-03-16T23:48:37Z ERR failed to connect to origin error=“Empty app domain” originURL=

(after initiating a telnet to localhost)

After doing cloudflared login (just to make sure that’s not related) I get the same error – however as I mentioned ideally I would like to authenticate via cloudflare access rules if possible.

UPDATE: I removed all related rules from access and got the following error when trying to telnet:

2021-03-16T23:58:44Z ERR failed to connect to origin error=“websocket: bad handshake” originURL=

I literally changed everything from tcp to rdp and it worked as expected - including authentication.


1 Like

Hi @boris6!

Thanks for sharing your solution!