Setup RDP forwarding - Zero Trust RDP connections to server VMs behind NAT

In simple terms: it’s a combination of

  • application level routing (Network Address Translation via a reverse tunnel which translates between HTTP and TCP for example),

  • authentication (TOTP, PINs, …),

  • DNS management and

  • protocol encapsulation.

You can achieve roughly the same with SSH reverse shells and tunnels. But you won’t, because you want someone else to simplify this for you. At scale.

1. Install cloudflared on the server

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/

I use the systemd integration on Debian 12.

Use Case: cloudflared on a Linux KVM host

How is that possible?

cloudflared runs as an (internal) service on the KVM host. This way it has TCP / UDP level access to the guest. What it does is:

  1. a form of application-level NAT

  2. translation of TCP (RDP, SSH) into HTTP for the tunnels

The installed cloudflared tunnel is linked to my Cloudflare Zero Trust tenant.

When a trusted external request from the internet comes in

  • to fuzzing.osroadwarrior.info

  • it's forwarded to the public hostname of that tunnel service,

  • which routes the request to the cloudflared daemon.

  • The daemon takes the request and forwards it to our KVM guest (fuzzing.osroadwarrior.info)

    • a bidirectional connection is established (over multiple application and network level hops)

Behind the scenes, this is complex.

Let’s take a look at the DNS record:

> dig fuzzing.osroadwarrior.info +noall +answer


; <<>> DiG 9.10.6 <<>> fuzzing.osroadwarrior.info +noall +answer
;; global options: +cmd
fuzzing.osroadwarrior.info. 300	IN	A	104.21.6.147
fuzzing.osroadwarrior.info. 300	IN	A	172.67.134.229

That is not the server IP, or the internal guest network IP. These IPs belong to Cloudflare Access / Zero Trust. The forwarding happens via these IPs.
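The check described above can be automated. The following is an added example, not part of the original page or of cloudflared: it parses `dig +noall +answer` output and flags any A record that does not point at the Cloudflare edge. The network list is a snapshot of Cloudflare's published IPv4 ranges, and the function names are illustrative.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Refresh from that URL before relying on the result.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# dig output as shown on this page.
PAGE_DIG = """\
; <<>> DiG 9.10.6 <<>> fuzzing.osroadwarrior.info +noall +answer
;; global options: +cmd
fuzzing.osroadwarrior.info. 300 IN A 104.21.6.147
fuzzing.osroadwarrior.info. 300 IN A 172.67.134.229
"""

def parse_a_records(dig_text):
    """Return [(name, IPv4Address)] for the A records in dig answer output."""
    records = []
    for line in dig_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue  # blank line or dig comment
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "A":
            records.append((fields[0].rstrip("."), ipaddress.ip_address(fields[4])))
    return records

def classify(ip):
    """Say where an A record points: the Cloudflare edge or somewhere it should not."""
    if any(ip in net for net in CLOUDFLARE_V4):
        return "cloudflare-edge"
    if any(ip in net for net in RFC1918):
        return "internal-address-leaked"   # guest/NAT address published in DNS
    return "direct-public-address"         # host reachable without the tunnel

def exposed_records(dig_text):
    """A records that bypass Cloudflare; an empty list means DNS only shows the edge."""
    return [(name, str(ip), classify(ip))
            for name, ip in parse_a_records(dig_text)
            if classify(ip) != "cloudflare-edge"]

if __name__ == "__main__":
    print(exposed_records(PAGE_DIG) or "all A records point at the Cloudflare edge")
```

An empty result only says that DNS does not reveal the host; it does not show that RDP on the server itself is closed to direct connections.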

2. Set up a public hostname for the tunnel

3. Access the tunnel for RDP

Essentially, this is application-level NAT. Or Zero Trust RDP :)

> cloudflared access rdp --hostname fuzzing.osroadwarrior.info --url rdp://localhost:3389

Then use localhost:3389 as the RDP “endpoint”. No VPN needed.

Limitations

  • this is similar to SSH reverse shells and tunneling, but much more comfortable and feature rich

    • that is, if you trust Cloudflare
