How to create a secure tunnel for (X)RDP with cloudflare

Why should I create a secure tunnel?

With Tunnel, you do not send traffic to an external IP, instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare’s global network-[Network of Contents]: [is the channel in which owners can post their content and the audience can see the contents posted by the owners]; so you can close unused ports with your firewall in your infrastructure. To create your tunnel your infrastructure (domain+name server) must be inside the cloudflare network.

What i need to create a secure tunnel?

An account-[Account]: [an Account contains the personal information that is assigned to those who register and access with email and password] in cloudflare with your domain name linked to your server with the name server configurations; the cloudflared application than can be downloaded for every operating system here: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/

What is Zero Trust application?

Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping accessAccess [the simple access to a website as a visitor] to applications and data. When you create your tunnel for (x)RDP with cloudflare you will need to associate it with a Zero Trust application.

Start your secure tunnel

Once cloudflared is downloaded, you can create the first tunnel simply via terminal or by webui.

TERMINAL

Type this command to authenticate:

$ cloudflared tunnel login

Create a tunnel and give it a name:

$ cloudflared tunnel create <NAME>

From the output of the command, take note of the tunnel’s UUID and the path to your tunnel’s credentials file.

Confirm that the tunnel has been successfully created by running:

$ cloudflared tunnel list

Read the official documents to create a tunnel via terminal: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/install-and-setup/tunnel-guide/local/

WEBUI

1. Log in to Zero Trust and go to Access > Tunnels.
2. Select Create a tunnel.
3. Enter a name for your tunnel. We suggest choosing a name that reflects the type of resources you want to connect through this tunnel (for example, enterprise-VPC-01).
4. Select Save tunnel.
5. Next, you will need to install cloudflared and run it. To do so, check that the environment under Choose an environment reflects the operating system on your machine, then copy the command in the box below and paste it into a terminal window. Run the command.
6. Once the command has finished running, your connector will appear in Zero Trust.
7. Select Next.

Read the official documents to create a tunnel via webui: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/install-and-setup/tunnel-guide/remote/

Connect with (X)RDP through Cloudflare Tunnel

The Remote Desktop Protocoll (RDP) enables users to remotely access devices as they sit in front of the machine. With Cloudflare Zero Trust, you can make your (X)RDP server available over the Internet without the risk of opening inbound ports on the server.

Cloudflare Zero Trust offers two solutions to provide secure access to RDP servers:

• Private subnet routing with Cloudflare WARP to Tunnel
• Public hostname routing with cloudflared access

The cloudflared access is the one we have used here. You can use any public subdomain such as xrdp.example.com

Remember that cloudflared is a continuously updated software-[Program/Software]: [the instructions that control what a computer does; computer programs] and it is therefore necessary to read the official documents to be sure that you are using the best possible procedures for the version used.

Use (X)RDP with the RDP Cloudflare Tunnel

(X)RDP is an acronym for X Remote Desktop Protocol. It is an open-source remote desktop protocol (RDP) server, enabling users to establish connections to any server machine from either a remote Windows machine or another Linux system by utilizing the RDP protocol. To use (X)RDP in your clients additional step is required to connect the client to the tunnel; simply open your terminal (from the client you want to connect) and type this command:

$ cloudflared access tcp --hostname xrdp.example.com --url localhost:3389

Next time you want to connect via (X)RDP (with any enabled software) insert as hostname localhost:3389 and the credentials of your (X)RDP username of the server; when you close your terminal, the connection end and will not be possible to connect again until you open the terminal and type again this command. Please note: in Windows system the port 3389 could be already used by the RDP service and won’t work; please use another port, at your choice, and connect with that port to the tunnel.

Adjust security settings

When all procedures work perfectly, you can now close the ports used by RDP (usually port 3389) through the firewall; in this way, only those in possession of the cloudflared application and/or the necessary certificates will be able to connect.

Read always the official documents

As I wrote a while ago, I advise you to always read and learn from the official cloudflare documents because these software could also have changes over time. This document is written without having received any official support from cloudflare and is intended as an example for those who work in our organization.