RDP: ERR failed to connect to origin error="websocket: bad handshake"

Hi, I am attempting to connect to a server (Windows 10 Enterprise) I have via RDP on macOS (11.3) and am unable to connect. The errors I receive are as follows:

macOS Error output (Client trying to connect to server):

    % cloudflared access rdp --hostname rdp.domain.net --url localhost:2244
    2021-04-28T10:30:31Z INF Start Websocket listener host=localhost:2244
    A browser window should have opened at the following URL:

    https://rdp.domain.net/cdn-cgi/access/cli?redirect_url=https%3A%2F%2Frdp.domain.net%3Ftoken%3D{$TOKEN}%253D&send_org_token=true&token={$TOKEN}%3D

    If the browser failed to open, please visit the URL above directly in your browser.
    2021-04-28T10:32:15Z ERR failed to connect to origin error="websocket: bad handshake" originURL=https://rdp.domain.net

Windows 10 Enterprise error output (Server running tunnel, awaiting connection)

    PS C:\Cloudflared\bin> .\cloudflared.exe tunnel run
    2021-04-28T10:24:45Z INF Starting tunnel tunnelID={$UUID}
    2021-04-28T10:24:45Z INF Version 2021.4.0
    2021-04-28T10:24:45Z INF GOOS: windows, GOVersion: go1.15.7, GoArch: amd64
    2021-04-28T10:24:45Z INF Settings: map[cred-file:C:\Users\Admin\.cloudflared\${UUID}.json credentials-file:C:\Users\Admin\.cloudflared\${UUID}.json]
    2021-04-28T10:24:45Z INF cloudflared will not automatically update on Windows systems.
    2021-04-28T10:24:45Z INF Generated Connector ID: 8ab03d36-3d44-4fdd-9af0-ec4e7625ce5b
    2021-04-28T10:24:45Z INF Initial protocol h2mux
    2021-04-28T10:24:45Z INF Starting metrics server on 127.0.0.1:51437/metrics
    2021-04-28T10:24:46Z INF Connection d5ff74d1-a212-4208-a536-b120fe014b81 registered connIndex=0 location=AMS
    2021-04-28T10:24:46Z INF Connection cd587217-37e1-4f63-92b1-53aa07962e01 registered connIndex=1 location=LHR
    2021-04-28T10:24:47Z INF Connection 72b205e7-b09a-47df-a996-42f0414926d9 registered connIndex=2 location=AMS
    2021-04-28T10:24:48Z INF Connection ef33e060-034b-4c7c-991c-81048ea5cc86 registered connIndex=3 location=LHR
    2021-04-28T10:32:12Z ERR localhost:3389 is not a http service
    2021-04-28T10:32:12Z ERR CF-RAY: 646fa02738d954b7-MAN Proxying to ingress 0 error: Not a http service

I followed the setup instructions as described in this document.

Steps run on Windows 10 Enterprise server:

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> cd C:\Cloudflared\bin\
    PS C:\Cloudflared\bin> .\cloudflared.exe service uninstall
    2021-04-28T08:58:55Z INF Uninstalling Argo Tunnel Windows Service windowsServiceName=Cloudflared
    2021-04-28T08:58:55Z INF Argo Tunnel agent service is uninstalled windowsServiceName=Cloudflared
    PS C:\Cloudflared\bin> .\cloudflared.exe tunnel login
    A browser window should have opened at the following URL:

    https://dash.cloudflare.com/argotunnel?callback=https%3A%2F%2Flogin.argotunnel.com%2F${DIGEST}%3D

    If the browser failed to open, please visit the URL above directly in your browser.
    You have successfully logged in.
    If you wish to copy your credentials to a server, they have been saved to:
    C:\Users\Admin\.cloudflared\cert.pem
    PS C:\Cloudflared\bin> .\cloudflared.exe tunnel create RDP
    Tunnel credentials written to C:\Users\Admin\.cloudflared\${UUID}.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.

    Created tunnel RDP with id ${UUID}
    PS C:\Cloudflared\bin> .\cloudflared.exe service install
    2021-04-28T10:13:14Z INF Installing Argo Tunnel Windows service
    2021-04-28T10:13:14Z INF Argo Tunnel agent service is installed windowsServiceName=Cloudflared
    PS C:\Cloudflared\bin> .\cloudflared.exe tunnel ingress validate
    Validating rules from C:\Users\Admin\.cloudflared\config.yml
    OK
    PS C:\Cloudflared\bin> .\cloudflared.exe tunnel run

Steps run on macOS client:

    [email protected] ~ % sudo port install cloudflared
    [email protected] ~ % cloudflared login
    A browser window should have opened at the following URL:

    https://dash.cloudflare.com/argotunnel?callback=https%3A%2F%2Flogin.argotunnel.com%2F{$DIGEST}%3D

    If the browser failed to open, please visit the URL above directly in your browser.
    You have successfully logged in.
    If you wish to copy your credentials to a server, they have been saved to:
    /Users/alex97/.cloudflared/cert.pem
    [email protected] ~ % cloudflared access rdp --hostname rdp.domain.net --url localhost:2244
    2021-04-28T10:30:31Z INF Start Websocket listener host=localhost:2244
    A browser window should have opened at the following URL:

    https://rdp.domain.net/cdn-cgi/access/cli?redirect_url=https%3A%2F%2Frdp.domain.net%3Ftoken%3D{$TOKEN}&send_org_token=true&token={$TOKEN}%3D

    If the browser failed to open, please visit the URL above directly in your browser.
    2021-04-28T10:32:15Z ERR failed to connect to origin error="websocket: bad handshake" originURL=https://rdp.domain.net

What my config.yml looks like on the server:

    tunnel: ${UUID}
    credentials-file: C:\Users\Admin\.cloudflared\${UUID}.json

    ingress:
      - hostname: rdp.domain.net
        service: rdp://localhost:3389
      - service: http_status:404
    # Catch-all rule, which responds with 404 if traffic doesn't match any of  
    # the earlier rules
Hi:

I’m trying the same but both on Windows, and followed step by step the instructions in the same document, and I’m experiencing exactly the same issue. I’ve tried everything and tried to search for information and after a few hours and lots of tests, I couldn’t make it run correctly.

Just some extra info: if you run the tunnel command with --loglevel debug switch in both the client and the server machines it seems that they are trying to connect through HTTP and not through RDP.

In fact the server machine shows a message saying: “Proxying to ingress 0 error: Not a http service” and clearly shows it’s trying to connect to an HTTP endpoint, not to an RDP one.

Looking at https://developers.cloudflare.com/cloudflare-one/faq/teams-troubleshooting/#i-see-a-websocket-bad-handshake-error - does the following fix the error you’re seeing?

I see a websocket: bad handshake error.

If your Cloudflare account has Universal SSL enabled and the SSL/TLS encryption mode is set to Off, cloudflared will return a “websocket: bad handshake” error. To resolve, set the SSL/TLS encryption mode to any setting other than Off.

Hi Cris:

Yes, I was aware of that, but it’s not the case: I’ve got the “Full” encryption setting. In fact it connects to the tunnel in the RDP computer, but the error in that end says “Not a http service”, which is strange taking into account this is an RDP connection :thinking:

I’ve tried everything I’ve found in the forums. I’ve even activated (and paid for) the Argo Tunnel setting in the domain (something Cloudflare says in the video at the end of the article, but not in the article itself), to no avail.

Any ideas on why I get the “Not a http service” on the RDP computer’s end?

Thanks

@jmalarcon, did you ever find a solution to the problem?

@alex97 No, sorry. I got stuck exactly at the same point as you. It seems pretty straightforward but it’s not (in the case of RDP). I was trying to get rid of my VPN, but I guess I’d keep using it for now. If you ever find a way to fix this, please let us know here. Thanks.

I’m seeking more clarity on these configurations on our end here now and can follow up with additional information.

Have you tried doing cloudflared update and trying the connection again? That’s how I got my bad handshake error resolved.

Hi: thanks for the tip. I was supposedly using the latest version of cloudflared, freshly downloaded, so I think it wasn’t that. Anyway I’ll give it a go as soon as I can. Maybe a newer version launched recently has changed something. Thanks!

Experiencing the same websocket issue when accessing a remote Ubuntu machine via another Ubuntu machine, even after updating (cloudflared update) both my client and target machine. It works on web rendering, but I would also want to access via SSH and SFTP.

Hello,

Can you check if you have “WebSockets” enabled on your Network tab of your dash.cloudflare.com?
(see RDP issues: failed to connect to origin error=“websocket: bad handshake” · Issue #377 · cloudflare/cloudflared · GitHub for a related discussion)

Hi @nuno.diegues

Finally I’ve been able to make it work. Thanks for your tip about the websockets disabled in Cloudflare. This is missing from the documentation/tutorial on RDP.

The other thing missing is that the config.yml file should be located at the C:\Users\%USERNAME%\.cloudflared\ folder, not in C:\Windows\System32\config\systemprofile\.cloudflared\ as it is indicated in the docs.

With these two changes, everything worked as expected, finally!

I’ll make a pull request to the docs with this couple of additions and let’s see if they can accept them in order to have the tutorial right.

Thanks!

Here is my Pull Request with the two additions (and a new screenshot):

Thanks for sharing this feedback @jmalarcon
We will be making this “require Websocket enabled” more prominent in our docs. I believe the default is enabled, so what’s surprising is why a few people have it disabled unknowingly.

We appreciate your PR to the docs, it’ll be reviewed.

Hi @nuno.diegues

Maybe years ago WebSockets was disabled. My Cloudflare account is several years old, and I’ve never needed WebSockets in it, so I never activated it, I don’t know.

Regarding the path, I think it’s due to the fact that, when you’re following the tutorial, you are just trying the tunnel, not making it definitive, so the originally indicated path in C:\Windows\System32\config\systemprofile\.cloudflared\ is not valid because it is not a service: you’re running cloudflared from the command line (PowerShell in my case), so cloudflared never finds the configuration file, despite the fact that I initially created it in the cloudflared folder because the tutorial said this is the first place it searches for it, but it’s not.

HTH and thanks!
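
A way to check the config-path finding reported above on the Windows server, as an added example that is not from any poster in this thread or from Cloudflare's documentation. It looks in the two folders named in the thread and reports whether each holds a config.yml with an rdp:// ingress rule for the hostname; the function name `Get-IngressSummary` is hypothetical, and the line-based parsing assumes the config.yml layout posted at the top of the thread.

```powershell
# Added example. Run in an elevated PowerShell so the systemprofile folder is readable.
$TunnelHostname = 'rdp.domain.net'   # placeholder hostname used in the thread
$candidates = [ordered]@{
    'command line (current user)' = Join-Path $env:USERPROFILE '.cloudflared\config.yml'
    'service path from the docs'  = Join-Path $env:SystemRoot 'System32\config\systemprofile\.cloudflared\config.yml'
}

# Hypothetical helper: summarise the ingress rules of one config.yml.
function Get-IngressSummary {
    param([string]$Path, [string]$TunnelHostname)
    $result = [pscustomobject]@{ Path = $Path; Exists = $false; Service = $null; CatchAll = $false }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $result }
    $result.Exists = $true
    $inRule = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*#') { continue }                   # skip comment lines
        if ($line -match '^\s*-\s*hostname:\s*(\S+)') {
            $inRule = ($Matches[1] -eq $TunnelHostname)          # start of a hostname rule
        } elseif ($line -match '^\s*-\s*service:\s*\S+') {
            $inRule = $false; $result.CatchAll = $true           # rule without a hostname
        } elseif ($inRule -and $line -match '^\s+service:\s*(\S+)') {
            $result.Service = $Matches[1]                        # service of the matched rule
        }
    }
    return $result
}

foreach ($context in $candidates.Keys) {
    $s = Get-IngressSummary -Path $candidates[$context] -TunnelHostname $TunnelHostname
    if (-not $s.Exists) {
        Write-Output "[$context] no config.yml at $($s.Path)"
    } elseif ($s.Service -notlike 'rdp://*') {
        Write-Output "[$context] $($s.Path): no rdp:// service for $TunnelHostname (found: '$($s.Service)')"
    } else {
        Write-Output "[$context] $($s.Path): $TunnelHostname -> $($s.Service), catch-all present: $($s.CatchAll)"
    }
}
```

The WebSockets setting mentioned in the thread is a zone setting in the Cloudflare dashboard and is not covered by this local check.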