r/CloudFlare: RDWeb via zero trust and cloudflared

This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/10locvj/rdweb_via_zero_trust_and_cloudflared/

Question

Has anyone managed to get this working? I have my prod subnet presented to Cloudflare via cloudflared; this is working well.

DNS is offloaded to local DNS.

I am logged into zero trust on warp and able to RDP to all the servers in that subnet.

RDWeb .rdp file download works fine without WARP connected and in VPN; when I connect WARP it hangs on loading the VM. Certs etc. all look good and I can't see any issues in any of the CF logs.

Ticket logged with CF but hopefully someone in the community has managed to get this working.

RDS environment is Server 2019, testing client is Windows 11 22H2 (I have created the RDGClientTransport registry entry, which didn't work, and set RDP to TCP instead of UDP, but still nothing).

UDP traffic is set to pass through in CF and authentication appears to work, but the hand-off from the connection broker to the session host seems to be the issue.

Any ideas greatly received, tearing my hair out at the moment!!!

Answer

I assume the RDWeb connection works when you just access it without involving anything Cloudflare?

Did you manually test each DNS connection to see if the name resolution works?

Did you try a traffic capture with Wireshark to see if any packets to the session host get dropped or you can read a helpful error message from the response packet?

Usually, when it hangs on loading the VM, you have a connection problem to the session host.

Comment 1 on Answer

Hi,

Thanks for responding.

Yes, the behaviour only occurs over Cloudflare, and it works perfectly over IPsec.

DNS resolution over WARP is all good; haven't checked Wireshark but will get on that and report back.

EDIT: Wireshark is not yielding anything interesting unfortunately, just showing traffic to and from Cloudflare.

My response to comment 1

In that case please run Wireshark in a separate session on the session host itself, to check if the packets coming from the client actually reach the session host.
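The check described above (compare what the session host actually receives with and without WARP) as an added example; this is not code from the thread. It parses a constructed tshark field export with placeholder addresses and reports which traffic classes only appear on the direct path:

```python
"""Compare two session-host captures (direct vs. through WARP) for RDP traffic."""
from collections import Counter

RDP_PORT = 3389      # RDP over TCP and RDPUDP both use 3389
KERBEROS_PORT = 88   # KRB5 to the domain controller

# Constructed sample lines in the shape of:
#   tshark -T fields -E separator=, -e ip.src -e ip.dst -e ip.proto -e tcp.dstport -e udp.dstport
# ip.proto 6 = TCP, 17 = UDP. Addresses are documentation placeholders, not from the thread.
CAPTURE_DIRECT = """\
192.0.2.10,198.51.100.5,6,3389,
192.0.2.10,198.51.100.5,17,,3389
192.0.2.10,198.51.100.5,17,,3389
192.0.2.10,198.51.100.9,6,88,
"""
CAPTURE_VIA_WARP = """\
192.0.2.10,198.51.100.5,6,3389,
192.0.2.10,198.51.100.5,6,3389,
"""


def summarize(capture: str) -> Counter:
    """Count RDP-over-TCP, RDPUDP (UDP/3389) and Kerberos packets in a tshark field export."""
    counts: Counter = Counter()
    for line in capture.splitlines():
        if not line.strip():
            continue
        _src, _dst, proto, tcp_port, udp_port = line.split(",")
        if proto == "6" and tcp_port == str(RDP_PORT):
            counts["rdp_tcp"] += 1
        elif proto == "17" and udp_port == str(RDP_PORT):
            counts["rdp_udp"] += 1
        elif proto == "6" and tcp_port == str(KERBEROS_PORT):
            counts["krb5"] += 1
    return counts


def diagnose(baseline: str, under_test: str) -> list[str]:
    """List traffic classes seen on the baseline path but absent on the path under test."""
    base, test = summarize(baseline), summarize(under_test)
    labels = {"rdp_udp": "RDPUDP (UDP/3389)", "krb5": "Kerberos (TCP/88)", "rdp_tcp": "RDP (TCP/3389)"}
    return [f"{label} reaches the host directly but not via the tunnel"
            for kind, label in labels.items() if base[kind] and not test[kind]]


if __name__ == "__main__":
    for finding in diagnose(CAPTURE_DIRECT, CAPTURE_VIA_WARP):
        print(finding)
```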

Comment 1.1 on Answer

I think I can see the issue; running Wireshark on the client machine is not helpful.

Ran it on the RDWeb/connection broker without WARP connected and saw lots of RDPUDP traffic; ran it with WARP connected and there is no RDPUDP traffic. I have the proxy in Cloudflare set to include UDP traffic, and have now set up some do-not-inspect, do-not-scan and allow rules on the RDS IP range as well, but still no dice.

On the connection broker I am not seeing any KRB5 traffic (weird, as it is letting me log in to the web portal). I wonder if the Cloudflare daemon isn't picking up the QUIC config.

Any idea how I can force it to pick up config from config.yaml, or even check?

Thanks again for your time.

My response to comment 1.1

When you say config.yaml, are you configuring the CF tunnel via a local config file?

Except in some very rare edge cases you should always configure the tunnel via the web GUI; maybe that's also why some settings do not work currently.

Comment 1.2 on Answer

OK, thanks. I'm pretty sure I read in one of the 8,000 config guides that QUIC needed to be enabled by local config file.

I will get rid of it and see what happens.