I’d like to use Cloudflare Tunnel to provide secure remote access to services behind our firewall. Initially, I’d like to set up RDP. I tried following the instructions at: https://blog.ericcfdemo.net/posts/publish-rdp-securely-using-cloudflare-zero-trust-access/
I can create my tunnel and the status is healthy.
I created a public hostname on the tunnel:
Type is RDP
URL is “localhost:3389”. I also tried “localhost:4489”
I installed cloudflared as a service using:
cloudflared.exe service install xxxxx_very_log_key_xxxxx
I then started an RDP gateway using:
cloudflared access rdp --tunnel-host 192.168.1.10 --url rdp://localhost:4489
I used port 4489 because rdp is already running on this PC.
I try and connect to the public hostname and it doesn’t connect. I tried entering the public hostname by itself, with “:3389”, or with “:4489” with each of the attempts at the public hostname above and no luck either way.
I’ve done more reading and some of my confusion is that I didn’t realize that tunnels are designed to work with http/https. To use any other TCP/IP port, you must have cloudflared also installed on the client:
I installed cloudflared on my client PC and I ran “cloudflared service install” as an administrator.
I still can’t get this to work but I feel like I’m getting closer.
Would someone be kind enough to provide an answer or point me to a document that will help?
I got it to work. I don’t understand how it works though since to me it appears there are two tunnels, one from my client and one from my gateway host. If I have more clients, how does Cloudflare figure out which tunnel to send the connections to? I’m also not sure what steps I did to make it work. Time to see if I can replicate this from a clean slate.
The hostname is equal to the public hostname of your tunnel. I would recommend using Dashboard managed tunnels, as the tutorial guides (which I think you already are). Then you just create the new public hostname for RDP, and then use cloudflare access locally with that hostname and an unused port/url. Once you get it all working, I would create a shortcut for it on your Desktop with those parameters, making it easy to launch and use later.
You also have the option of using WARP Private Networking, which can be harder to set up, but easier to use later, as you can just switch on WARP and get access. There's a section for that in the linked guide as well, but it is a fair bit more annoying to get set up.
I installed cloudflared on my client because in the URL you referenced, it says you have to:
Cloudflare Tunnel can also route applications through a public hostname, which allows users to connect to the application without the WARP client. This method requires having cloudflared installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials.
I thought this meant I had to install the cloudflare.msi and then do both “cloudflared service install” and “cloudflared access …” on my client PC.
First, I installed cloudflared.msi and tried to connect via RDP to the public hostname. That didn’t work.
Next I did “cloudflared service install” and “cloudflared access rdp --hostname PUBLICHOSTNAME --url localhost:4499” and that worked.
Today I’ve started with a fresh client PC. I verified that “rdp PUBLICHOSTNAME” doesn’t work (I didn’t expect it to). I then ran the cloudflared.msi setup file. Once that was done, I opened a CMD window and ran “cloudflared access rdp --hostname PUBLICHOSTNAME --url localhost:4499”. Next, I ran rdp with “localhost:4499”. This opened a webpage for me to authenticate and once authenticated, my rdp session connected!
Thank you for the reassurance that I did not need to do “cloudflared service install” on my client.
I’ve done some additional experimenting and learned that the cloudflared.exe from the windows install can be run without doing the windows install. This is very helpful for end users that don’t have administrator access to their PCs.
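The client-side steps that ended up working above (start `cloudflared access rdp` against the public hostname, then point the RDP client at the local port, no service install and no admin rights), wrapped in a script a user could launch from a shortcut. This is an added example, not code from the thread or from Cloudflare; it assumes cloudflared.exe is on PATH and that the placeholder hostname is replaced with the tunnel's real public hostname.

```powershell
# Added example: start a local cloudflared RDP proxy, wait until it listens, open mstsc
# against it, and stop the proxy when the RDP session ends. Runs as a normal user.
# Assumptions: cloudflared.exe is on PATH; $Hostname below is a placeholder.
param(
    [string]$Hostname   = "rdp.example.invalid",  # placeholder: your tunnel's public hostname
    [int]$LocalPort     = 4499,                    # unused local port, as in the thread
    [int]$TimeoutSec    = 30
)

$cloudflared = Get-Command cloudflared.exe -ErrorAction SilentlyContinue
if (-not $cloudflared) { throw "cloudflared.exe not found on PATH" }

# Refuse to start if something already listens on the chosen port (e.g. local RDP on 3389).
$busy = Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue
if ($busy) { throw "Port $LocalPort is already in use; pick another --url port" }

# Start the Access proxy as a child process (no 'service install' needed).
$proxy = Start-Process -FilePath $cloudflared.Source `
    -ArgumentList @("access", "rdp", "--hostname", $Hostname, "--url", "rdp://localhost:$LocalPort") `
    -PassThru -WindowStyle Minimized

try {
    # Wait until the proxy is actually listening before launching the RDP client.
    $deadline  = (Get-Date).AddSeconds($TimeoutSec)
    $listening = $false
    while ((Get-Date) -lt $deadline) {
        if ($proxy.HasExited) { throw "cloudflared exited early (exit code $($proxy.ExitCode))" }
        $listening = [bool](Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue)
        if ($listening) { break }
        Start-Sleep -Milliseconds 500
    }
    if (-not $listening) { throw "Proxy did not listen on port $LocalPort within $TimeoutSec s" }

    # First connection opens the browser for the Access login; mstsc blocks until the session ends.
    Start-Process -FilePath "mstsc.exe" -ArgumentList "/v:localhost:$LocalPort" -Wait
}
finally {
    # Close the local listener so it does not linger after the session.
    if (-not $proxy.HasExited) { Stop-Process -Id $proxy.Id -Force }
}
```

Save it as a .ps1 and point a Desktop shortcut at `powershell.exe -ExecutionPolicy Bypass -File <path>` with the real hostname passed via `-Hostname`.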