RDP over Cloudflare Tunnel to Warp

Hello,

I’m trying to figure out if it’s possible to essentially do what is outlined in this tutorial - https://developers.cloudflare.com/cloudflare-one/tutorials/rdp/ but rather than using cloudflared on the client, I’d prefer to use Warp if possible. I can’t seem to make it work though.

The challenge I’m ultimately trying to solve is that we have several clients with pretty clunky VPNs and we’d like to replace all of those VPNs using Cloudflare’s Zero Trust tools.

Ideally I would like to be able to use Warp on the clients because it’s easy to deploy and configure with our MDM and RMM tools, then we can set up tunnels on the resources that they need to connect to. In a perfect world we’d like to expose those as “services” rather than tunneling to the whole network.

Right now I’m trying to figure out how to do RDP but I also want to figure out how to do the same with SMB if that’s possible, although I may be thinking about this slightly wrong, or it might not be something that is actually possible yet.

Yes. Both RDP and SMB work on top of TCP, and we support ZT WARP client traffic to Tunnel origins for TCP (and UDP too in fact).

https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel/ would handle that generically for any such use case.

You can also rely on this new UI to simplify some steps: https://blog.cloudflare.com/ridiculously-easy-to-use-tunnels/

Got it, ok. I can make that work.

Quick follow up to that, we do have a couple of situations where the VLAN range which the server is on is the same as where the client is connecting from (for instance one of the servers is on 192.168.0.10/24, and several of that client’s homes are on 192.168.0.0/24). I can’t seem to get that kind of traffic to route correctly when the source and destination VLAN range is the same. Is there a recommended way to handle those kinds of scenarios?

If the client wants to access things both in their local VLAN as well as in the remote one, both with the same IPs, then I don’t know of a way to make it work.

They won’t need to access both, just the remote one, but even if I remove that range from the “exclude” section of the network settings in the Zero Trust dashboard, it doesn’t seem to allow me to hit the remote destination.

Do I need to switch that to “Include” instead of “Exclude” and approach it from the other direction?

In my experience if I remove it from the Exclude, it will send it via the WARP tunnel to Cloudflare edge.

I’ll give it all a shot again and see if I can get it working. Thank you so much for all of your help.
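Added example (not from the thread and not Cloudflare's code): a small Python check of how a Zero Trust split-tunnel Exclude/Include list interacts with a tunnel's private route, including the same-subnet case discussed above. The exclude entries, tunnel route and client LAN are constructed sample values, not Cloudflare's real defaults.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data modelled on the thread (not Cloudflare's defaults):
# three split-tunnel "Exclude" entries, the private route published by the
# tunnel in front of the RDP server, and the LAN the client sits on at home.
SPLIT_TUNNEL_EXCLUDE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
TUNNEL_ROUTES = {"192.168.0.0/24": "rdp-server-tunnel"}  # route -> tunnel name
CLIENT_LOCAL_LAN = "192.168.0.0/24"

def via_warp(dst: str, entries, mode: str = "exclude") -> bool:
    """Apply split-tunnel semantics to one destination address.

    exclude mode: everything goes through WARP except the listed ranges.
    include mode: only the listed ranges go through WARP.
    """
    addr = ip_address(dst)
    listed = any(addr in ip_network(e) for e in entries)
    return not listed if mode == "exclude" else listed

def audit_route(route: str, entries, local_lan: str, mode: str = "exclude") -> dict:
    """Explain why traffic for a tunnel route may never reach the origin."""
    net, lan = ip_network(route), ip_network(local_lan)
    # In exclude mode any overlapping entry hands the traffic to the local stack.
    shadowing = [e for e in entries if net.overlaps(ip_network(e))] if mode == "exclude" else []
    # In include mode the route must sit inside some included range.
    uncovered = mode == "include" and not any(net.subnet_of(ip_network(e)) for e in entries)
    return {
        "route": route,
        "shadowed_by_exclude": shadowing,
        "not_included": uncovered,
        "overlaps_client_lan": net.overlaps(lan),  # the thread's same-subnet case
    }

def carve_out_route(entries, route: str):
    """Remove a tunnel route from a broader exclude entry so it goes via WARP.

    Returns the replacement exclude list, with the enclosing entry split into
    the sub-ranges that remain excluded.
    """
    net, out = ip_network(route), []
    for e in entries:
        e_net = ip_network(e)
        if net.subnet_of(e_net):
            out.extend(str(s) for s in e_net.address_exclude(net))
        else:
            out.append(e)
    return sorted(out)
```

Even after the carve-out, `overlaps_client_lan` stays true for a client whose home LAN is 192.168.0.0/24, which is the case the thread leaves unresolved.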