Cloudflare Docs
Cloudflare Zero Trust
Edit this page on GitHub
Set theme to dark (⇧+D)

Connect to Remote Desktop through Cloudflare Tunnel

The Remote Desktop Protocol (RDP) provides a graphical interface for users to connect to a computer remotely. RDP is most commonly used to facilitate simple remote access to machines or workstations which users cannot physically access. However, this also makes RDP connections the frequent subject of attacks, since a misconfiguration can inadvertently allow unauthorized access to the machine.

With Cloudflare Zero Trust, you can enjoy the convenience of making your RDP server available over the Internet without the risk of opening any inbound ports on your local server.

Cloudflare Zero Trust offers two solutions to provide secure access to RDP servers:

​​ Set up an RDP server in GCP

This example walks through how to set up an RDP server on a Google Cloud Platform (GCP) virtual machine (VM), but you can use any machine that supports RDP connections.

  1. In your Google Cloud Console, create a new project.
  2. Go to Compute Engine > VM instances.
  3. Select Create instance.
  4. Name your VM instance, for example windows-rdp-server.
  5. Configure your VM instance:
    1. Scroll down to Boot Disk and select Change.
    2. For Operating system, select Windows Server.
    3. Choose a Version with Desktop Experience, for example Windows Server 2016 Datacenter.
  6. Once your VM is running, open the dropdown next to RDP and select View gcloud command to reset password.
  7. Select Run in Cloud Shell.
  8. Run the command in the Cloud Shell terminal. You will be asked to confirm the password reset.
  9. Copy the auto-generated password and username to a safe place.

​​ Install Microsoft Remote Desktop

You can use any RDP client to access and configure the RDP server.

To access the server through Microsoft Remote Desktop:

  1. Download and install Microsoft Remote Desktop.
  2. Once downloaded, open Microsoft Remote Desktop and select Add a PC.
  3. For PC name, enter the public IP address of your RDP server. In GCP, this is the External IP of the VM instance.
  4. For User account, select Add User Account and enter your auto-generated password and username.
  5. Select Add. The PC will display in Microsoft Remote Desktop.
  6. To test basic connectivity, double-click the newly added PC.
  7. When asked if you want to continue, select Continue.

You can now remotely access and configure your RDP server.

​​ Connect to RDP server with WARP to Tunnel

You can use Cloudflare Tunnel to create a secure, outbound-only connection from your server to Cloudflare’s edge. This requires running the cloudflared daemon on the server. Users reach the service by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can access the service unless you build policies to allow or block specific users.

​​ 1. Connect the server to Cloudflare

  1. Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network.

  2. In the Private Networks tab for the tunnel, enter the private IP address of your server (or a range that includes the server IP). In GCP, the server IP is the Internal IP of the VM instance.

  3. (Optional) Set up Zero Trust policies to fine-tune access to your server.

​​ 2. Set up the client

In order for devices to connect to your Zero Trust organization, you will need to:

To connect your devices to Cloudflare:

  1. Deploy the WARP client on your devices in Gateway with WARP mode. The Cloudflare certificate is only required if you want to display a custom block page or filter HTTPS traffic.
  2. Create device enrollment rules to determine which devices can enroll to your Zero Trust organization.

​​ 3. Route private network IPs through WARP

By default, WARP excludes traffic bound for RFC 1918 space, which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your private network, you must configure Split Tunnels so that the IP/CIDR of your private network routes through WARP.

  1. First, check whether your Split Tunnels mode is set to Exclude or Include mode.

  2. If you are using Include mode, add your network’s IP/CIDR range to the list. Your list should also include the domains necessary for Cloudflare Zero Trust functionality.

  3. If you are using Exclude mode:

    1. Delete your network’s IP/CIDR range from the list. For example, if your network uses the default AWS range of 172.31.0.0/16, delete 172.16.0.0/12.
    2. Re-add IP/CDIR ranges that are not explicitly used by your private network. For the AWS example above, you would add new entries for 172.16.0.0/13, 172.24.0.0/14, 172.28.0.0/15, and 172.30.0.0/16. This ensures that only traffic to 172.31.0.0/16 routes through WARP.

By tightening the private IP range included in WARP, you reduce the risk of breaking a user’s access to local resources.

​​ 4. Connect as a user

Once the WARP client is configured, you can use your RDP client to connect to the server’s private IP address (instead of the public IP address used initially).

To connect in Microsoft Remote Desktop:

  1. Open Microsoft Remote Desktop and select Add a PC.
  2. For PC name, enter the private IP address of your RDP server. In GCP, this is the Internal IP of the VM instance.
  3. For User account, enter your RDP server username and password.
  4. To test Zero Trust connectivity, double-click the newly added PC.
  5. When asked if you want to continue, select Continue.

You now have secure, remote access to the RDP server.

​​ Connect to RDP server with cloudflared access

Cloudflare Tunnel can also route applications through a public hostname, which allows users to connect to the application without the WARP client. This method requires having cloudflared installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials.

The public hostname method can be implemented in conjunction with routing over WARP so that there are multiple ways to connect to the server. You can reuse the same tunnel for both the private network and public hostname routes.

​​ 1. Connect the server to Cloudflare

  1. Create a Cloudflare Tunnel by following our dashboard setup guide.

  2. In the Public Hostnames tab, choose a domain from the drop-down menu and specify any subdomain (for example, rdp.example.com).

  3. For Service, select RDP and enter the RDP listening port of your server (for example, localhost:3389). It will likely be port 3389.

  4. Select Save hostname.

  5. (Recommended) Add a self-hosted application to Cloudflare Access in order to manage access to your server.

​​ 2. Connect as a user

  1. Install cloudflared on the client machine.

  2. Run this command to open an RDP listening port:

    $ cloudflared access rdp --hostname rdp.example.com --url rdp://localhost:3389

    This process will need to be configured to stay alive and autostart. If the process is killed, users will not be able to connect.

  1. While cloudflared access is running, connect from an RDP client such as Microsoft Remote Desktop:
    1. Open Microsoft Remote Desktop and select Add a PC.
    2. For PC name, enter localhost:3389.
    3. For User account, enter your RDP server username and password.
    4. Double-click the newly added PC.
    5. When asked if you want to continue, select Continue.

When the client launches, a browser window will open and prompt the user to authenticate themselves.