Securely Connecting to an RDP Server Using Cloudflare Zero Trust and WARP

Ehmad

Accessing Remote Desktop Protocol (RDP) servers securely is critical for managing internal systems without exposing them to the public internet. Cloudflare Zero Trust, combined with Cloudflare Tunnel and the WARP client, provides an effective and secure solution for remote access. This guide walks through the process of securely connecting to your RDP server using these tools.

Benefits of Using Cloudflare Zero Trust for RDP

  • Enhanced Security: No public IP exposure; connections are routed securely through Cloudflare’s network.
  • Access Control: Fine-tune access policies to restrict or grant permissions based on users, devices, or groups.
  • Private Connectivity: Devices act as though they are on the private network, ensuring seamless access.

Step-by-Step Guide

1. Connect Your Server to Cloudflare

The first step is to set up a Cloudflare Tunnel to create an outbound-only connection from your server to Cloudflare’s global network.

  1. Create a Cloudflare Tunnel:

    • Install the cloudflared agent on your RDP server:
      curl -fsSL https://developers.cloudflare.com/cloudflare-one/static/downloads/cloudflared-linux-amd64.deb -o cloudflared.deb
sudo dpkg -i cloudflared.deb
    • Authenticate with your Cloudflare account:
      cloudflared login
    • After login, create a tunnel:
      cloudflared tunnel create rdp-server

  2. Add Private Network Configuration:

    • In the Cloudflare Zero Trust Dashboard, go to AccessTunnels and locate the newly created tunnel.
    • Under the Private Networks tab, add the private IP of your server (e.g., 10.1.15.150) or a range that includes the server’s IP.

  3. Run the Tunnel:

    • Use the following command to start the tunnel:
      cloudflared tunnel run rdp-server

    Alternatively, configure the tunnel to run as a service:

    sudo cloudflared service install
sudo systemctl start cloudflared

2. Configure Cloudflare Zero Trust Policies

Control who can access your RDP server by defining Zero Trust access policies.

  1. Navigate to Access Policies:

    • In the Zero Trust Dashboard, go to AccessApplications and add a new Private Network application.

  2. Add an Application:

    • Name: Enter a descriptive name, such as RDP Access.
    • Private IP: Enter the internal IP of your RDP server (e.g., 10.1.15.150).

  3. Define Access Policies:

    • Specify the users, groups, or devices that are allowed to access this service. For example:
      • Allow access only to specific email addresses.
      • Restrict access to managed devices.
      • Block connections from untrusted locations.

  4. Save and Apply:

    • Save the application and access policies.

3. Set Up the WARP Client on Client Devices

The WARP client routes traffic from remote devices to your private network.

  1. Deploy WARP:

    • Install the Cloudflare WARP client on your devices:

  2. Enroll Devices in Zero Trust:

    • In the Zero Trust Dashboard, go to SettingsDevice Enrollment and create an enrollment policy.
    • Follow the enrollment process on the WARP client:
      • Open WARP.
      • Go to SettingsAccountLogin with Zero Trust.
      • Enter your organization’s Zero Trust domain (e.g., yourorganization.cloudflareaccess.com).

  3. Verify Connection:

    • Confirm that the WARP client connects to your organization. The status should show “Connected.”

4. Route Private Network IPs Through WARP

Ensure WARP routes traffic destined for your private network.

  1. Check Split Tunneling Configuration:

    • By default, WARP excludes traffic bound for private IP ranges (RFC 1918). You need to include your private network range in the split tunneling configuration.

  2. Add Your Network to Split Tunnels:

    • Navigate to SettingsNetwork in the Zero Trust Dashboard.
    • If using Include Mode:
      • Add your private network’s IP range (e.g., 10.1.0.0/16).
    • If using Exclude Mode:
      • Remove the IP range corresponding to your private network.

5. Connect as a User

Once the WARP client is configured, use your RDP client to access the server.

  1. Open RDP Client:

    • For example, use Microsoft Remote Desktop.

  2. Add a New Connection:

    • PC Name: Enter the private IP address of your RDP server (e.g., 10.1.15.150).
    • User Account: Enter your RDP credentials.

  3. Test the Connection:

    • Double-click the newly added PC.
    • Confirm the connection when prompted.
    • You should now be securely connected to the server as though you are on the same network.

Additional Tips and Best Practices

  • DNS Resolution:
    • If using hostnames instead of IPs, configure internal DNS resolution within Cloudflare Zero Trust.
  • Logging and Monitoring:
    • Enable logs in the Zero Trust Dashboard to track user activity and troubleshoot issues.
  • Firewall Rules:
    • Ensure your server firewall allows traffic from Cloudflare’s IP ranges.

Cloudflare Guide

Conclusion

By combining Cloudflare Tunnel, Zero Trust access policies, and the WARP client, you can create a secure, scalable, and flexible solution for accessing RDP servers. This eliminates the need for exposing public IPs or relying on traditional VPNs, enhancing both security and user experience.

You should also read:

Ehmad

Remove apps using ADB (Android Debug Bridge)

You can remove apps using ADB (Android Debug Bridge) by following these steps: Connect Your Device: Verify ADB Connection: adb devices If prompted on your device, grant USB debugging permission. The terminal should display your device’s serial number, confirming the connection. List Installed Apps: adb…

Continue reading...
Ehmad

Setup a V2Ray server

Setup a V2Ray server allows you to create a custom VPN or proxy server with advanced features such as multiple protocols, routing rules, and security measures. V2Ray is often used to bypass internet censorship, improve privacy, or enhance speed for certain applications. Below is a…

Continue reading...