Set up RDP forwarding - Zero Trust RDP connections to server VMs behind NAT

1. Install cloudflared on the server

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/

I use the Systemd integration on Debian 12 here.

How is that possible?

cloudflared runs as an (internal) service on the KVM host. This way it has TCP/UDP-level access to the guest. What it does is:

  1. some style of application level NATing

  2. translation of TCP (RDP, SSH) into HTTP for the tunnels

The installed cloudflared tunnel is linked to my Cloudflare Zero Trust tenant.

When a trusted external request from the internet comes in

  • to fuzzing.osroadwarrior.info

  • it's forwarded to the public hostname of that tunnel service,

  • which routes the request to the cloudflared daemon.

  • The daemon takes the request and forwards it to our KVM guest (fuzzing.osroadwarrior.info)

    • a bidirectional connection is established (over multiple application and network level hops)

Behind the scenes, this is complex.

Let’s take a look at the DNS record:

> dig fuzzing.osroadwarrior.info +noall +answer


; <<>> DiG 9.10.6 <<>> fuzzing.osroadwarrior.info +noall +answer
;; global options: +cmd
fuzzing.osroadwarrior.info. 300	IN	A	104.21.6.147
fuzzing.osroadwarrior.info. 300	IN	A	172.67.134.229

That is not the server IP, or the internal guest network IP. These IPs belong to Cloudflare Access / Zero Trust. The forwarding happens via these IPs.

2. Set up a public hostname for the tunnel

3. Access the tunnel for RDP

Essentially, this is application level NATing. Or Zero Trust RDP :)

> cloudflared access rdp --hostname fuzzing.osroadwarrior.info --url rdp://localhost:3389

Then use localhost:3389 as the RDP “endpoint”. No VPN needed.

Limitations

  • this is similar to SSH reverse shells and tunneling, but much more comfortable and feature-rich

    • that is, if you trust Cloudflare
