Setup RDP / SSH / HTTP forwarding - Zero Trust
...
connections to server VMs behind an external IP without NAT
NAT is so 90ies… come on…
Panel | |||||
---|---|---|---|---|---|
|
...
| |||
In simple terms: it’s a combination of
You can archive roughly the same with SSH reverse shells and tunnels. But you won’t |
...
because you want someone else to simplify this for you. At scale. |
Table of Contents |
---|
1. install cloudflared on the Server
https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/
I use the Systemd integration on Debian 12.
...
Use Case: cloudflared on a Linux KVM host
...
Debian 12 (KVM host) → fuzzing.osroadwarrior.info (internal KVM guest with public hostname)
no NAT on the IPtables
How is that possible?
cloudflared
runs as an (internal) service on the KVM host. This way it as TCP / UDP level access to the guest. What is does is:
some style of application level NATing
translation of TCP (RDP, SSH) into HTTP for the tunnels
The installed cloudflared
tunnel is linked to my Cloudflare Zero Trust tenant.
When a trusted external request from the internet comes in
...
to fuzzing.osroadwarrior.info
...
Schematically, the service architecture looks like this:
Drawio sketch | ||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Cloudflare handles:
access on the Service Edge (perimeter)
DNS (probably)
tunnel termination (cloudflared uses QUIC or Wireguard)
channels get opened, HTTP ↔ï¸ TCP (for SSH or RDP) ↔ï¸ trusted request (identified)
HTTP ↔ï¸ request (reverse tunneled via the Service Edge, CDN - accelerated)
The KVM host handles:
internal IP networking and IP request forwarding (guest WAN access)
keeping
cloudflared
running, and syncing the config (host service)
Note |
---|
If you use Cloudflare as a mere CDN, you have to ensure that requests don’t bypass the CDN front. Clients can override DNS entries and directly connect to the web servers. Sure, that may not be an issue for small-scale services. But it’s an issue because:
Why pay for a CDN security-feature if an attacker needs 10s to bypass all the controls. With the https://www.cloudflare.com/en-gb/ips/ Restricting this channel via AWS Security Groups, IPtables etc. can be complex. |
2. Setup the Zero Trust Service Edge and public hostnames for the Network tunnels
fuzzing.osroadwarrior.info
The Service Edge is served by Cloudflare.
...
Login policies etc. are applied. This is a useless host. When people hear fuzzing, they associate Zero Days. I assure you, if I had many Zero Days, I’d be somewhere in the Bahamas. And I wouldn’t host them this way
A request comes in:
DNS resolution of
fuzzing.osroadwarrior.info
to Service EdgeRequest gets forwarded to the public hostname of that tunnel service
...
(HTTP)
Request gets translated here (RDP), and routed to the
cloudflared
daemon
...
The daemon takes the request and forwards it to our KVM guest (
...
192.168/24
)
a bidirectional connection is established (over multiple application and network level hops)
Behind the scenes, this is complex. Cloudflare does this at scale.
Let’s take a look at the DNS record:
...
That is not the server IP, or the internal guest network IP. These IPs belong to Cloudflare Access / Zero Trust. The forwarding happens via these IPs.
2. Setup a public hostname for the tunnel
3. Access the tunnel for RDP
Essentially, this is application level NATing. Or Zero Trust RDP
On my local laptop here, I may not be on the WARP+ network. WARP is the Wireguard-based VPN service, which is linked to the Zero Trust / Secure Gateway architecture. Essentially, you can use Cloudflare tools to interconnect various systems. With, or without VPN:
Code Block |
---|
> cloudflared access rdp --hostname fuzzing.osroadwarrior.info --url rdp://localhost:3389
|
Then use localhost:3389 as the RDP “endpoint”. No VPN needed. If I use the VPN, I can refer to the 192.160/24 directly. I don’t need to use the Access pages. For HTTP requests, I can simply expose the public tunnel endpoint to the internet.
Limitations
this is similar to SSH reverse shells and tunneling, but much more comfortable and feature rich
that is, if you trust Cloudflare
I don’t think you should use
cloudflared
for high-throughput services. There, the IP-restricted LB / Web endpoint is the way to goThe cryptographic parameters seem to be sound at first glance
if you trust Cloudflare
you will need a Domain
you will need to re-think networking