Tunnel RDP connection working using Private Network, but not using Public Hostname

Hi,

I set up a tunnel on a Windows machine, and I can connect to it with RDP if I configure the tunnel using the “Private Network” tab and if I set the private IP of the Windows machine. I enabled my WARP client and I pointed my RDP client to the private IP of the Windows machine and it worked.

However, I don’t see how to do the same using a Public Hostname instead of the private IP. I set it as shown in the picture, I enabled the WARP client and I pointed my RDP client to the public hostname, but it does not connect. What am I missing?

Public hostnames are just as it says, for public traffic. That’s outside the realms of what WARP is going to route for you.

You’d need to be running cloudflared locally like described in https://developers.cloudflare.com/cloudflare-one/tutorials/rdp/#connect-to-the-remote-desktop to connect to the setup you showed in the screenshot.

Alternatively, set up Local Domain Fallback so you can connect via the hostname of your devices whilst using the private network functionality.

2 Likes

@KianNH nailed it

Just to add a bit more info, I think cloudflared tunnel --help also portrays this distinction between “Public Hostnames” approach vs “Zero Trust based private networking” approach quite well:

→ cloudflared tunnel --help
NAME:
   cloudflared tunnel - Use Cloudflare Tunnel to expose private services to the Internet or to Cloudflare connected private users.

USAGE:
   cloudflared tunnel command [command options]

DESCRIPTION:
   Cloudflare Tunnel allows to expose private services without opening any ingress port on this machine. It can expose:
     A) Locally reachable HTTP-based private services to the Internet on DNS with Cloudflare as authority (which you can
   then protect with Cloudflare Access).
     B) Locally reachable TCP/UDP-based private services to Cloudflare connected private users in the same account, e.g.,
   those enrolled to a Zero Trust WARP Client.

   You can manage your Tunnels via dash.teams.cloudflare.com. This approach will only require you to run a single command
   later in each machine where you wish to run a Tunnel.

   Alternatively, you can manage your Tunnels via the command line. Begin by obtaining a certificate to be able to do so:

     $ cloudflared tunnel login

   With your certificate installed you can then get started with Tunnels:

     $ cloudflared tunnel create my-first-tunnel
     $ cloudflared tunnel route dns my-first-tunnel my-first-tunnel.mydomain.com
     $ cloudflared tunnel run --hello-world my-first-tunnel

   You can now access my-first-tunnel.mydomain.com and be served an example page by your local cloudflared process.

   For exposing local TCP/UDP services by IP to your privately connected users, check out:

     $ cloudflared tunnel route ip --help

   See https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/ for more info.
1 Like

Thank you!

That’s clear, but I am still missing 3 points.

  1. I’d need to be running cloudflared locally […] to connect to the setup I showed in the screenshot. Why is this required? Since the public hostname is for public traffic, why can’t I just point my RDP client to the public hostname? Isn’t it public?

  2. What’s the use case for public hostnames as opposed to locally reachable TCP/UDP-based private services? If the tunnel is the same, when should I expose services in one or the other way?

  3. What’s the proxy type option depicted in my screenshot and how is it useful for RDP? I can’t find any documentation about when to use it.

Thank you!

Why can’t I just point my RDP client to the public hostname?

cloudflared only exposes HTTP/HTTPS on its own; you need cloudflared running locally in order to access RDP, SSH or arbitrary TCP traffic.

Plus, for obvious reasons, you really don’t want RDP exposed to the internet.

What’s the use case for public hostnames as opposed to locally reachable TCP/UDP-based private services?

Mostly for HTTP/HTTPS traffic as previously mentioned but also for the ‘browser rendering’ capabilities of VNC & SSH.

https://developers.cloudflare.com/cloudflare-one/tutorials/vnc-client-in-browser/
https://developers.cloudflare.com/cloudflare-one/tutorials/ssh-browser/

It’s also less involved to access a single endpoint than setting up WARP, Split Tunnels, Gateway proxying, etc.

What’s the proxy type option depicted in my screenshot and how is it useful for RDP? I can’t find any documentation about when to use it.

Documented in the link below, SOCKS5 seems to be for kubectl usage.
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/#proxytype

2 Likes
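To make the distinction drawn in the two replies above concrete, here is an added example of a locally managed cloudflared config.yml for the Windows host. It is not taken from the thread or from Cloudflare's own docs; the hostnames app.example.com and rdp.example.com, the tunnel UUID, the credentials path and the 10.0.0.0/24 range are placeholders.

```yaml
# Added example (not from the thread). Placeholders: tunnel UUID, credentials
# path, hostnames and the private range.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: C:\Users\Administrator\.cloudflared\00000000-0000-0000-0000-000000000000.json

ingress:
  # (A) Public hostname, HTTP: any browser reaches it, no client software needed.
  #     Put a Cloudflare Access policy in front of it so the edge authenticates
  #     users before the request ever reaches this machine.
  - hostname: app.example.com
    service: http://localhost:8080

  # (B) Public hostname, arbitrary TCP (RDP): the edge only terminates HTTP, so
  #     this hostname cannot be typed into an RDP client directly. The user must
  #     run `cloudflared access rdp` on their own machine to turn the hostname
  #     back into a local TCP listener (see usage note). Protect it with an
  #     Access policy as well; without one, anyone able to run cloudflared could
  #     reach port 3389 through the tunnel.
  - hostname: rdp.example.com
    service: rdp://localhost:3389

  # Mandatory catch-all: anything matching no rule above gets a 404.
  - service: http_status:404

# (C) Private network: not an ingress rule at all. The tunnel advertises a
#     private range to WARP-enrolled users of the same account, so the RDP
#     client dials the host's private IP directly, exactly as the original
#     poster did. The range itself is registered with:
#       cloudflared tunnel route ip add 10.0.0.0/24 <tunnel name>
warp-routing:
  enabled: true
```

For approach (B) the connecting user runs `cloudflared access rdp --hostname rdp.example.com --url rdp://localhost:3389` on their own workstation and then points the RDP client at `localhost:3389`; the local cloudflared carries the RDP bytes to the edge over HTTPS, which is why "it does not connect" when the RDP client is aimed at the hostname itself. For approach (C) no local cloudflared is needed on the client side, only WARP enrollment, and Gateway network policies decide which enrolled users may reach 3389 on that range. In neither case is port 3389 ever opened on the Windows host's public interface, which is the property the reply above is pointing at.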

Thank you, all clear now: your responses are great!
