Set up RDP forwarding - Zero Trust RDP connections to server VMs behind NAT
1. Install cloudflared on the server
https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/
...
Debian 12 (KVM host) → fuzzing.osroadwarrior.info (internal KVM guest with public hostname)
No NAT rules in iptables
How is that possible?
cloudflared runs as an (internal) service on the KVM host. This way it has TCP / UDP level access to the guest. What it does is:
...
That is not the server IP, or the internal guest network IP. These IPs belong to Cloudflare Access / Zero Trust. The forwarding happens via these IPs.
2. Set up a public hostname for the tunnel
3. Access the tunnel for RDP
Essentially, this is application-level NATing, or Zero Trust RDP.
...
Then use localhost:3389 as the RDP “endpoint”. No VPN needed.
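The local listener on port 3389 forwards into the tunnel under your Access session, so it should be reachable from loopback only. The following check is an added example, not part of the original page: the function names and the sample `ss` lines are constructed for illustration, and `start_rdp_forwarder` wraps Cloudflare's documented `cloudflared access rdp` client command, with the hostname passed in as an argument.

```bash
#!/usr/bin/env bash
# Added example: verify the client-side RDP forwarder is bound to loopback only.

RDP_PORT=3389

# Client-side forwarder (Cloudflare's documented invocation). Defined but not
# called here, because it needs cloudflared and an interactive Access login.
start_rdp_forwarder() {
    cloudflared access rdp --hostname "$1" --url "rdp://localhost:${RDP_PORT}"
}

# Read `ss -ltnH`-style lines on stdin and print every local address that
# listens on RDP_PORT on something other than a loopback address.
exposed_listeners() {
    awk -v port="$RDP_PORT" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next          # some other service
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "[::1]") next   # loopback is fine
            print addr                           # wildcard or LAN address
        }'
}

# Exit status 0 when the forwarder is reachable from this machine only.
loopback_only() {
    [ -z "$(exposed_listeners)" ]
}

# Constructed samples of `ss -ltnH` output (not captured from a real host).
SAMPLE_OK='LISTEN 0 4096 127.0.0.1:3389 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 4096 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 4096 [::1]:3389 [::]:*'

if printf '%s\n' "$SAMPLE_OK" | loopback_only; then
    echo "sample 1: forwarder is loopback only"
fi
echo "sample 2: exposed listeners:"
printf '%s\n' "$SAMPLE_EXPOSED" | exposed_listeners
```

On a live client, run `ss -ltnH | loopback_only` once the forwarder is up; a non-zero exit status means the forwarded RDP port is also reachable from other hosts on the network.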
Limitations
this is similar to SSH reverse shells and tunneling, but much more comfortable and feature-rich
that is, if you trust Cloudflare
...