Windows RDP behind NAT, with Cloudflare Tunnel

My internet connection is behind NAT, which makes it impossible to serve anything outside (security cameras, file servers, ecc)

I’m trying Cloudflare Zero Trust Tunnel to bypass it, and it seems to work fine. I ran the Windows installer, ran this cmd:

cloudflared.exe service install CLOUDFLARE_TOKEN_HERE

And cofigured the tunnel like this:

Now if I connect to, I can see my website, locally hosted on port 8096, from an external computer.

What I can’t do is connect to Windows RDP: it is locally active on port 3389, with “Require Network Level Authentication” disabled. However, if I open RDP client on an external computer and connect to rdp:// the client simply doesn’t find anything. Why?

Arbitrary TCP connections need to be tunneled from the client as well.


Thanks for your input! Does this apply to Windows File Sharing as well?

Do you think it’s possible in some way to make my local machine accessible to the web for RDP/file sharing, exactly as if it was a Windows VPS (so no need for clients to use Cloudflare)?

I’m kinda missing here what makes RDP an arbitrary TCP and an HTTP server not arbitrary.

Many thanks!

Cloudflare is fundamentally an HTTP(S) proxy. Cloudflare Tunnels creates a persistent http connection to Cloudflare’s edge to proxy traffic from Cloudflare’s edge to the origin.

On the client side, Cloudflare is looking for and expects HTTP based connections (specifically the host header field for our purposes). A protocol like RDP has no concept of a host header or the HTTP protocol… so it has to be encapsulated in a wrapper (cloudflared) to send the header to the edge to be routed and to subsequently be decoded and routed by the tunnel instance to the origin.

The other option (using Cloudflare Warp client and network routing) uses Cloudflare’s routing edge to use identity and destination to determine routing rules.

Otherwise the record would need to be :grey: and exposed at the firewall. Ok… maybe on an Enterprise plan there might be one other possible option (Spectrum + Magic WAN) but that’d be something most enterprises wouldn’t implement for a variety of security reasons.


Thanks for your very insightful and detailed answer, now everything is clear! :pray:

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.