RDP Argo tunnel: ERR failed to connect to origin error="websocket: bad handshake"

So I’ve been trying to set up Argo Tunnel for my dedibox running Windows to tunnel my RDP.

Issue: when I do it on my test domain weeb.news, this works fine, exact commands, exact cname copy pasted, exact SSL settings on both domains too.
Both domains are set up the same way and from the same registrar as well.
When I do it with the domain I want to do it, I get the following error each time.

Things to note:
Cloudflared version: cloudflared version 2021.6.0 (built 2021-06-22-1034 UTC)
RDP port: 666 (we use a custom port yes)


tunnel: censored-id-here
credentials-file: C:\Users\Bots\.cloudflared\censored-id-here.json

ingress:
  - hostname: vega123.animekaizoku.com
    service: rdp://localhost:666
  - service: http_status:404

Command run on server: cloudflared tunnel run Vega

C:\>cloudflared tunnel run Vega
2021-07-07T11:43:36Z INF Starting tunnel tunnelID=censored-tunnel-id
2021-07-07T11:43:36Z INF Version 2021.6.0
2021-07-07T11:43:36Z INF GOOS: windows, GOVersion: go1.16.3, GoArch: amd64
2021-07-07T11:43:37Z INF Settings: map[cred-file:C:\Users\Bots\.cloudflared\censored-tunnel-id.json credentials-file:C:\Users\Bots\.cloudflared\censored-tunnel-id.json]
2021-07-07T11:43:37Z INF cloudflared will not automatically update on Windows systems.
2021-07-07T11:43:37Z INF Generated Connector ID: censored-connector-id
2021-07-07T11:43:37Z INF Initial protocol http2
2021-07-07T11:43:37Z INF Starting metrics server on
2021-07-07T11:43:37Z INF Connection d1bef979-censored registered connIndex=0 location=AMS
2021-07-07T11:43:38Z INF Connection e48768c5-censored registered connIndex=1 location=LHR
2021-07-07T11:43:39Z INF Connection 34af3f50-censored registered connIndex=2 location=AMS
2021-07-07T11:43:40Z INF Connection 4a60e9c8-censored registered connIndex=3 location=LHR

Command run on client:

C:\Users\Sawada>cloudflared access rdp --hostname vega123.animekaizoku.com --url localhost:789 --loglevel debug
2021-07-07T11:45:39Z INF Start Websocket listener host=localhost:789
2021-07-07T11:45:46Z DBG Websocket request: GET / HTTP/1.1
Host: vega123.animekaizoku.com

2021-07-07T11:45:47Z ERR failed to connect to origin error="websocket: bad handshake" originURL=https://vega123.animekaizoku.com

I can’t begin to explain how mind-boggling it is to be stuck with this.
Domain SSL settings: same on both domains (flexible)
Universal SSL: On
Websockets: On

Same config works if I change animekaizoku.com to weeb.news and fails when I use animekaizoku.com.

This is bizarre, both domains are hosted on the same Cloudflare account.
Kindly help, I give up on this.

Hi, I had been struggling with the exact same issue with an RDP connection over the Argo Tunnel.

I had websockets enabled for the domain, but still ran into the “websocket: bad handshake” error.

One thing that was different in my implementation from the documentation was that Cloudflare had automatically generated an “AAAA” record for the tunnel. So of course, I could not create the CNAME as indicated in the doc. That record even had a special flag indicating it was managed by an Argo Tunnel.

I deleted the “AAAA” record and manually created the CNAME, pointing the hostname to the tunnel ID ([Tunnel_ID].cfargotunnel.com), and restarted the server tunnel and the client access listener. It started working. I could then connect over the localhost listener to RDP.

Hope that helps.
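
The DNS mismatch described in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not Cloudflare's code: it compares the hostnames in a cloudflared ingress config against a DNS record export and flags any hostname that is not a CNAME to [Tunnel_ID].cfargotunnel.com. The tunnel ID, hostnames and records are constructed placeholders, and the record shape (type/name/content) is an assumption about the export format.

```python
import re

# Constructed sample data: placeholder tunnel ID, hostnames and records.
TUNNEL_ID = "00000000-0000-0000-0000-000000000000"
CONFIG = """\
tunnel: 00000000-0000-0000-0000-000000000000
ingress:
  - hostname: rdp.example.com
    service: rdp://localhost:3389
  - hostname: ok.example.com
    service: rdp://localhost:3389
  - hostname: missing.example.com
    service: rdp://localhost:3389
  - service: http_status:404
"""
# Assumed export shape: one dict per DNS record with type, name and content.
RECORDS = [
    {"type": "AAAA", "name": "rdp.example.com", "content": "100::"},
    {"type": "CNAME", "name": "ok.example.com",
     "content": TUNNEL_ID + ".cfargotunnel.com"},
]

def ingress_hostnames(config_text):
    """Return hostnames from ingress rules (simple line scan, no YAML library)."""
    return re.findall(r"^[ \t]*-?[ \t]*hostname:[ \t]*(\S+)[ \t]*$",
                      config_text, flags=re.M)

def check_tunnel_dns(config_text, records, tunnel_id):
    """Map each ingress hostname to 'ok' or a description of the DNS mismatch."""
    expected = f"{tunnel_id}.cfargotunnel.com".lower()
    by_name = {}
    for rec in records:
        by_name.setdefault(rec["name"].lower().rstrip("."), []).append(rec)
    report = {}
    for host in ingress_hostnames(config_text):
        recs = by_name.get(host.lower(), [])
        other = sorted({r["type"] for r in recs if r["type"] != "CNAME"})
        if not recs:
            report[host] = "no DNS record"
        elif other:
            # The case from the reply: an AAAA record sits where the CNAME should be.
            report[host] = f"non-CNAME record present ({','.join(other)})"
        elif recs[0]["content"].lower().rstrip(".") != expected:
            report[host] = f"CNAME points to {recs[0]['content']}, expected {expected}"
        else:
            report[host] = "ok"
    return report

if __name__ == "__main__":
    for host, status in check_tunnel_dns(CONFIG, RECORDS, TUNNEL_ID).items():
        print(f"{host}: {status}")
```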