My internet connection is behind NAT, which makes it impossible to serve anything outside (security cameras, file servers, etc.)
I’m trying Cloudflare Zero Trust Tunnel to bypass it, and it seems to work fine. I ran the Windows installer, ran this cmd:
cloudflared.exe service install CLOUDFLARE_TOKEN_HERE
And configured the tunnel like this:
Now if I connect to emby.example.com, I can see my website, locally hosted on port 8096, from an external computer.
What I can’t do is connect to Windows RDP: it is locally active on port 3389, with “Require Network Level Authentication” disabled. However, if I open the RDP client on an external computer and connect to rdp://rdp.example.com, the client simply doesn’t find anything. Why?
Arbitrary TCP connections need to be tunneled from the client as well.
Thanks for your input! Does this apply to Windows File Sharing as well?
Do you think it’s possible in some way to make my local machine accessible to the web for RDP/file sharing, exactly as if it was a Windows VPS (so no need for clients to use Cloudflare)?
I’m kinda missing here what makes RDP an arbitrary TCP and an HTTP server not arbitrary.
Cloudflare is fundamentally an HTTP(S) proxy. Cloudflare Tunnels creates a persistent http connection to Cloudflare’s edge to proxy traffic from Cloudflare’s edge to the origin.
On the client side, Cloudflare is looking for and expects HTTP based connections (specifically the host header field for our purposes). A protocol like RDP has no concept of a host header or the HTTP protocol… so it has to be encapsulated in a wrapper (cloudflared) to send the header to the edge to be routed and to subsequently be decoded and routed by the tunnel instance to the origin.
The other option (using Cloudflare Warp client and network routing) uses Cloudflare’s routing edge to use identity and destination to determine routing rules.
Otherwise the record would need to be exposed at the firewall. Ok… maybe on an Enterprise plan there might be one other possible option (Spectrum + Magic WAN) but that’d be something most enterprises wouldn’t implement for a variety of security reasons.
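To make the distinction above concrete, here is an added example (not from this thread or from Cloudflare) of the two halves described: the origin-side ingress rules, written as the locally managed config.yml equivalent of the dashboard rules (assumption: the poster used the dashboard token install, so their rules live in the dashboard instead), and the client-side `cloudflared access tcp` wrapper that supplies the Host header the edge routes on. Hostnames and ports are the ones from the thread; the tunnel UUID and credentials path are placeholders.

```shell
#!/bin/sh
# Added example: origin-side ingress plus the client-side wrapper for RDP.
# Placeholder values: tunnel UUID and credentials-file path.
set -eu

# Origin side (the NATed Windows box running the cloudflared service).
# emby.example.com is plain HTTP, so any browser reaches it through the edge.
# rdp.example.com is tcp://, so the edge only accepts it from a cloudflared
# client; port 3389 never has to be opened at the firewall.
write_ingress_config() {
  cat > "$1" <<'EOF'
tunnel: 00000000-0000-0000-0000-000000000000          # placeholder tunnel UUID
credentials-file: /path/to/tunnel-credentials.json    # placeholder path
ingress:
  - hostname: emby.example.com
    service: http://localhost:8096
  - hostname: rdp.example.com
    service: tcp://localhost:3389
  - service: http_status:404        # catch-all: unmatched hosts get a 404
EOF
}

# Client side (the external computer). cloudflared listens on localhost:3389,
# wraps each TCP connection in HTTPS to the edge with Host: rdp.example.com,
# and the tunnel unwraps it to the origin. The RDP client then connects to
# localhost:3389, not to rdp.example.com directly.
client_wrapper_cmd() {
  printf '%s\n' "cloudflared access tcp --hostname rdp.example.com --url localhost:3389"
}

# Check that the RDP rule really is a tcp:// service (an http:// rule would
# make the edge treat RDP bytes as HTTP and drop the connection).
config_routes_rdp_over_tcp() {
  grep -Eq '^[[:space:]]+service:[[:space:]]+tcp://localhost:3389$' "$1"
}
```

Pair the tcp:// hostname with a Cloudflare Access policy so only authenticated users can open the wrapper, since the listener otherwise reaches an RDP service with NLA disabled.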
Thanks for your very insightful and detailed answer, now everything is clear!