RDP tunnel - websocket: bad handshake

I need your support. I have read everything I could find so far, but it does not help.

A second host usv.secretdomain.de with access to a simple HTTP address is running perfectly.

Please help

Many Thanks - Alexander


  • Cloudflare

Zero Trust → Access → Tunnels

Create a tunnel "Test-name"

Public Hostname
Subdomain rdp
Domain secretdomain.de
Type RDP
URL localhost:4444

(4444 is a randomly selected port; there is a problem with 3389, see below)

Private network
CIDR 192.168.0.0/24
Description Home Network


  • Windows 11 RDP Server

downloaded cloudflared-windows-amd64.msi
running msi

CMD with admin

cloudflared.exe service install eyJhIjoiYWU…
2023-10-18T17:52:52Z INF Installing cloudflared Windows service
2023-10-18T17:52:52Z INF cloudflared agent service is installed windowsServiceName=Cloudflared
2023-10-18T17:52:52Z INF Agent service for cloudflared installed successfully windowsServiceName=Cloudflared

→ Cloudflare Status Tunnel Healthy


  • Windows 11 RDP Client

downloaded cloudflared-windows-amd64.msi
running msi

CMD with admin

cloudflared access rdp --hostname rdp.secretdomain.de --url rdp://localhost:4444
2023-10-18T17:54:08Z INF Start Websocket listener host=localhost:4444

Remote Desktop Connection

computer localhost:4444
user - blank -

!!! No connection !!!

internal error
error code: 0x4
extended error code: 0x0

C:\Windows\System32>cloudflared access rdp --hostname rdp.secretdomain.de --url rdp://localhost:4444
2023-10-19T13:06:16Z INF Start Websocket listener host=localhost:4444
2023-10-19T13:08:34Z ERR failed to connect to origin error="websocket: bad handshake" originURL=https://rdp.secretdomain.de


  • Problem with 3389

cloudflared access rdp --hostname rdp.secretdomain.de --url rdp://localhost:3389
2023-10-18T17:19:58Z INF Start Websocket listener host=localhost:3389
2023-10-18T17:19:58Z ERR Error on Websocket listener error="failed to start forwarding server: listen tcp 127.0.0.1:3389: bind: An attempt was made to access a socket in a way forbidden by its access permissions."
failed to start forwarding server: listen tcp 127.0.0.1:3389: bind: An attempt was made to access a socket in a way forbidden by its access permissions.
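As an added example (not part of this thread), a small Python diagnostic for the 3389 bind error above: it attempts the same loopback bind that cloudflared does and translates the Windows socket error, and it parses the reserved port ranges printed by `netsh interface ipv4 show excludedportrange protocol=tcp`, which on Windows is the usual reason a port above 1024 is "forbidden by its access permissions". The netsh output embedded below is a constructed sample in the real command's format.

```python
"""Diagnose 'bind: An attempt was made to access a socket in a way forbidden by
its access permissions' (WSAEACCES 10013) from `cloudflared access rdp --url
rdp://localhost:3389`.  On Windows a port above 1024 failing that way usually sits
in a reserved/excluded range (often created by Hyper-V or WSL); 10048 would instead
mean another listener (e.g. the PC's own Remote Desktop service) already owns it."""
import errno
import re
import socket

RANGE_RE = re.compile(r"^\s*(\d+)\s+(\d+)(\s+\*)?\s*$")

# Constructed sample of `netsh interface ipv4 show excludedportrange protocol=tcp`.
SAMPLE_NETSH = """Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      1215        1314
      3380        3479     *

* - Administered port exclusions.
"""

def parse_excluded_ranges(netsh_output: str) -> list:
    """Return the (start, end) port ranges listed by netsh."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in map(RANGE_RE.match, netsh_output.splitlines()) if m]

def excluded_range_for(port: int, ranges):
    """The range that reserves `port`, or None if it is not reserved."""
    return next(((lo, hi) for lo, hi in ranges if lo <= port <= hi), None)

def try_bind(port: int, host: str = "127.0.0.1") -> str:
    """Attempt the same loopback bind cloudflared does and translate the errno."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno in (errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", None)):
                return "in use: another listener (e.g. this PC's own RDP service) owns the port"
            if e.errno in (errno.EACCES, getattr(errno, "WSAEACCES", None)):
                return "forbidden: port is in a reserved range or needs elevated rights"
            return f"bind failed: {e}"
    return "free"

if __name__ == "__main__":
    print(excluded_range_for(3389, parse_excluded_ranges(SAMPLE_NETSH)))  # (3380, 3479)
    print(try_bind(3389))
```

On the affected Windows client, feed the real output of `netsh interface ipv4 show excludedportrange protocol=tcp` to `parse_excluded_ranges` to see whether 3389 is reserved, which explains why an unreserved port such as 4444 binds fine.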

Hi Everyone,
I have faced all the problems mentioned above, but I fixed them by following these instructions.
First, you have to install Cloudflare Tunnel on both machines, and in Cloudflare add a new service of type RDP using the local IP and port, such as 192.168.0.100:3389.
After that, go to the PC where you want to start the RDP client and connect to the server. Link it to the tunnel by installing cloudflared, and after that run the command
`cloudflared access rdp --hostname rdp.example.com --url rdp://localhost:3389`
Only replace rdp.example.com with the subdomain you added in the tunnel, and don't close the command prompt or terminal in which you run this command.
After that, open Remote Desktop, enter localhost:3389 as the PC name, and then give your login credentials.
I hope you will get access if you follow each step correctly.

I would like to share that in my case I realized that Super Bot Fight Mode was causing it. I created exceptions to skip SBFM for my tunnel subdomains.

I hope this helps you or anyone else.
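As an added example (not posted by anyone in this thread and not cloudflared code), a Python probe that shows the HTTP status hidden behind "websocket: bad handshake": `cloudflared access rdp` opens a WebSocket to https://<hostname>/ and the edge must answer 101; a bot-protection challenge like the one described in the last reply comes back as a 403 instead. It assumes Cloudflare's documented `cf-mitigated: challenge` response header and the standard 530 status for an unreachable tunnel origin.

```python
"""Show the HTTP status hidden behind cloudflared's "websocket: bad handshake".
`cloudflared access rdp` opens a WebSocket to https://<hostname>; the Cloudflare
edge must answer 101 Switching Protocols.  Any other reply (a 403 challenge page
from bot protection, a 530 when the tunnel connector is down) is reported by the
Go client only as "bad handshake", so this probe prints the real status."""
import base64
import os
import socket
import ssl
import sys

def classify_upgrade_response(raw: bytes) -> tuple:
    """Parse a raw HTTP/1.1 response head and explain it in tunnel terms."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status == 101 and headers.get("upgrade", "").lower() == "websocket":
        return status, "ok: edge accepted the WebSocket upgrade"
    if "cf-mitigated" in headers or status in (403, 429):
        return status, "blocked at the Cloudflare edge (bot protection / WAF / Access policy), not a tunnel fault"
    if status == 530:
        return status, "tunnel unreachable: the cloudflared connector on the RDP server is not connected"
    return status, "no 101 received, so the client reports 'websocket: bad handshake'"

def probe(hostname: str, timeout: float = 10.0) -> tuple:
    """Send a bare WebSocket upgrade to https://hostname/ and classify the reply."""
    key = base64.b64encode(os.urandom(16)).decode()
    request = (f"GET / HTTP/1.1\r\nHost: {hostname}\r\nConnection: Upgrade\r\n"
               f"Upgrade: websocket\r\nSec-WebSocket-Version: 13\r\n"
               f"Sec-WebSocket-Key: {key}\r\n\r\n").encode()
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, 443), timeout=timeout) as sock, \
            ctx.wrap_socket(sock, server_hostname=hostname) as tls:
        tls.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw:  # read until the end of the response head
            chunk = tls.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify_upgrade_response(raw)

if __name__ == "__main__":
    # rdp.example.com is a placeholder; pass your own tunnel hostname.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "rdp.example.com"))
```

Run it from the RDP client against the tunnel hostname; a 403 with `cf-mitigated` confirms the request is being challenged at the edge, which is what an SBFM exception for the subdomain fixes.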