Using Cloudflare Access and tunnels to create an RDP jump host
Cloudflare Tunnels are a useful way of allowing private services to be accessed remotely, without exposing the devices to inbound connections. This can be combined with Cloudflare Access to provide a secure way of accessing services such as remote desktop.
These services can be used to set up a bastion inside a private network. The bastion will then permit a connection to be made to a destination device on the private network.
Setting up the Cloudflare Access Application
The first step is to set up an application in Cloudflare Access. This ensures that when the tunnel is created Cloudflare knows what access control measures to apply to incoming connections.
This can be done through the following steps:
- Go to the Cloudflare for Teams Dashboard
- Open the Access menu and select Applications
- Click the Add an application button
- Select self-hosted
- Enter an application name and application domain and click the Next button
- Set up the application policies to suit your requirements and click the Next button
- Click the Add application button
Now that the application is configured, it’s time to install cloudflared as the bastion host on a designated server.
Installing cloudflared
The instructions for installing the cloudflared daemon vary depending on your choice of operating system.
Installing cloudflared on Linux
For Linux, I’d suggest using the Cloudflare Package Repository to make it easy to install and get updates for the cloudflared daemon. Instead of duplicating the steps, I’d recommend following the instructions on the repository page.
Installing cloudflared on Windows
For Windows, you will need to download the cloudflared executable and place it in a folder. I use C:\Cloudflared\bin when using this on Windows.
Creating a Cloudflare Tunnel with cloudflared
The next steps are to authenticate cloudflared with the Cloudflare account, and then use it to create the Cloudflare Tunnel.
Authenticating cloudflared
You can authenticate cloudflared with the Cloudflare account by running the following command.
cloudflared tunnel login
This will provide a URL which you will need to open in a web browser. You will be prompted to login to your Cloudflare account, select the appropriate site and then authenticate cloudflared. This will download a certificate file (named cert.pem) which cloudflared will use to authenticate the tunnel management operations.
Creating the Cloudflare Tunnel
Now that cloudflared is authenticated a tunnel can be created. This can be done by running the following command, and replacing <name> with an appropriate name for your tunnel.
cloudflared tunnel create <name>
After the tunnel has been created, a credentials file named with the UUID of the tunnel will be placed in the cloudflared directory. This file is used by cloudflared to authenticate to the tunnel and start accepting connections.
Adding a DNS record for the tunnel
After the tunnel is created, you will need to create a new DNS record in Cloudflare to send requests to the tunnel. You will need to use the tunnel name from the previous step, and the application domain specified when creating the application in Cloudflare Access.
cloudflared tunnel route dns <name> <hostname>
For example, if I create a tunnel with the name mytunnel and a Cloudflare Access Application with the domain myapp.example.com the command would be the following.
cloudflared tunnel route dns mytunnel myapp.example.com
Configuring cloudflared in bastion/jump host mode
The next step is to create a configuration file to indicate to cloudflared how connections should be handled. Create a new file in the cloudflared directory named config.yml. An example configuration file with RDP bastion mode supported is shown below.
tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef
credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json
ingress:
  - hostname: myapp.example.com
    service: bastion
  - service: http_status:404
If you need to provide access to other services (such as web applications) through the tunnel, you can find more details on the ingress rules page of the Cloudflare documentation.
Install cloudflared as a service
The last step to finish configuring cloudflared is to run it as a service. This will ensure that you are not relying on a user being logged in to be able to access the private services and the bastion. It will also ensure that the service starts automatically.
The service installation can be done by running the following command on the cloudflared executable.
cloudflared service install
Now that the cloudflared daemon is set up, we need to ensure it is running, and then we can connect from a client.
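The server-side steps above (create the tunnel, route DNS, write config.yml, install the service, and the cert.pem removal recommended under "Tidying up") can be wrapped in one script. The following is an added example and not code from the original post or from Cloudflare: it assumes cloudflared is on PATH and that `cloudflared tunnel login` has already been completed interactively, and it reads the tunnel UUID from the credentials file cloudflared writes into its directory rather than parsing the command's output. The CF_DIR variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Wraps the server-side
# tunnel setup into named functions so each step can be checked on its own.
# Assumes: cloudflared on PATH, "cloudflared tunnel login" already done.
set -eu

# cloudflared's default directory; /root/.cloudflared when run as root.
CF_DIR="${CF_DIR:-$HOME/.cloudflared}"

# Return 0 when the argument looks like the UUID cloudflared assigns to a
# tunnel (8-4-4-4-12 lowercase hex groups), 1 otherwise.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# After "cloudflared tunnel create", the credentials file is named <uuid>.json
# in the cloudflared directory. Print that UUID; fail unless exactly one is found.
tunnel_uuid_from_credentials() {
  dir="$1"
  found=""
  for f in "$dir"/*.json; do
    [ -f "$f" ] || continue
    base=$(basename "$f" .json)
    if is_uuid "$base"; then
      [ -z "$found" ] || return 1   # two tunnel credential files: ambiguous
      found="$base"
    fi
  done
  [ -n "$found" ] || return 1
  printf '%s\n' "$found"
}

# Render the bastion-mode config.yml from the post: only the Access
# application hostname reaches the bastion, everything else gets a 404.
render_config() {
  uuid="$1"; dir="$2"; hostname="$3"
  printf 'tunnel: %s\ncredentials-file: %s/%s.json\ningress:\n  - hostname: %s\n    service: bastion\n  - service: http_status:404\n' \
    "$uuid" "$dir" "$uuid" "$hostname"
}

# cert.pem is only needed for tunnel management; the tunnel itself
# authenticates with <uuid>.json, so the post recommends removing it afterwards.
remove_management_cert() {
  rm -f "$1/cert.pem"
}

# Full server-side procedure: create tunnel, route DNS, write config, install service.
setup_bastion() {
  name="$1"; hostname="$2"
  cloudflared tunnel create "$name"
  uuid=$(tunnel_uuid_from_credentials "$CF_DIR")
  cloudflared tunnel route dns "$name" "$hostname"
  render_config "$uuid" "$CF_DIR" "$hostname" > "$CF_DIR/config.yml"
  cloudflared service install
  remove_management_cert "$CF_DIR"
}

# Usage, as the account that ran "cloudflared tunnel login":
#   setup_bastion mytunnel myapp.example.com
```

`render_config` emits the list items under `ingress:` indented, which is what the YAML parser needs; a flat `- hostname:` / `service:` pair at column zero is not valid YAML and cloudflared will refuse the file.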
Connecting to a destination
Now that we have the bastion service set up and the cloudflared daemon running, we can use it to connect to a remote machine.
The first step is to follow the “installing cloudflared” instructions on the client machine, since we will need to use cloudflared to proxy the RDP connection to Cloudflare’s edge and then through the tunnel to the remote machine.
After cloudflared is available on the client machine, you can start the cloudflared connection with the following command.
cloudflared access rdp --hostname <application domain> --url localhost:3389 --destination <destination hostname>
You will need to replace the placeholders with your own appropriate values. For example, if I wanted to connect through a tunnel available at the DNS record myapp.example.com to a destination computer with the hostname myremotecomputer.local, the command would be the following.
cloudflared access rdp --hostname myapp.example.com --url localhost:3389 --destination myremotecomputer.local:3389
If you are using a different port for remote desktop on the remote computer, you will need to amend 3389 to the appropriate port. If you have remote desktop enabled on the client computer with the default port, you will need to specify a different port for the url argument, since 3389 is already in use locally.
After you have done this, you should be able to open Remote Desktop and enter the address localhost. You will then be prompted for your Cloudflare credentials in a browser window to approve the connection, before returning to Remote Desktop and being prompted for your credentials for the remote computer.
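The client-side command and the two port caveats above can be wrapped in a small launcher. This is an added example, not code from the original post or from Cloudflare: it appends the default RDP port to the destination when none is given, and moves the local listener off 3389 when something on the client already listens there. It assumes cloudflared is on PATH and uses `ss` from iproute2 for the port check when present (an assumption; set LOCAL_PORT yourself on systems without it). The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Client-side launcher for
# "cloudflared access rdp" with the defaults the post describes.
# Assumes cloudflared on PATH; "ss" is optional (assumption, see lead-in).
set -eu

# Append the default RDP port when the destination has none.
normalize_destination() {
  case "$1" in
    *:*) printf '%s\n' "$1" ;;
    *)   printf '%s:3389\n' "$1" ;;
  esac
}

# Return 0 if a TCP listener already occupies the given local port.
# Without ss we cannot tell, so treat the port as free.
local_port_in_use() {
  if command -v ss >/dev/null 2>&1; then
    ss -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]$1\$"
  else
    return 1
  fi
}

# Use the requested local port if free, otherwise the next free one upward.
# This is what covers the "remote desktop enabled on the client" case.
choose_local_port() {
  port="$1"
  while local_port_in_use "$port"; do
    port=$((port + 1))
  done
  printf '%s\n' "$port"
}

# Build the command line in the same shape the post shows it.
build_rdp_command() {
  hostname="$1"; destination="$2"; local_port="$3"
  printf 'cloudflared access rdp --hostname %s --url localhost:%s --destination %s\n' \
    "$hostname" "$local_port" "$(normalize_destination "$destination")"
}

# Start the proxy; Remote Desktop is then pointed at localhost:<local port>.
connect_rdp() {
  hostname="$1"; destination="$2"
  local_port=$(choose_local_port "${LOCAL_PORT:-3389}")
  echo "Point Remote Desktop at localhost:$local_port"
  # exec so that Ctrl-C reaches cloudflared and stops the local listener.
  exec cloudflared access rdp --hostname "$hostname" --url "localhost:$local_port" \
    --destination "$(normalize_destination "$destination")"
}

# Usage:
#   connect_rdp myapp.example.com myremotecomputer.local
```

When the chosen local port is not 3389, the address typed into Remote Desktop must include it (for example `localhost:3390`), otherwise the client connects to the local RDP service rather than the proxy.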
Tidying up
Now that we have finished our setup steps, I’d recommend removing the cert.pem file from your server. This file is only required to perform management operations on your Cloudflare account. Tunnel authentication takes place using the provided credentials file after the tunnel has been created.
Summary
In the steps above, we have created an application in Cloudflare Access to provide authentication before connections are passed to a remote bastion, and set up a Cloudflare Tunnel and cloudflared to act as a jump host. We then used cloudflared on the client to connect to the Cloudflare edge and from there to the remote computer.
If you’d like more details about what cloudflared can do, I’d recommend taking a look at the following links.