Creating a Cloudflare Argo tunnel to

Posted on Fri 13 March 2020 in Cloudflare, Apple, Argo Tunnel, RDP, VNC, Apple Remote Desktop

Create a bastion server behind Cloudflare to give access to internal resources, including Apple Remote Desktop.

With the current events of the world going on around us, Cloudflare have kindly provided their Argo tunnel / Teams / Access systems for free.

Although we have a VPN here, I'm anticipating in the coming weeks that we may need alternate approaches to connecting in to our systems if / when we get forced to work from home.

We have a lot of autonomous Apple Mac systems here that perform tasks for us to keep the company running. Although Cloudflare show how to connect SSH and Microsoft RDP over Argo, they don't have information on other protocols.

While I was on a call to Sam Rhea, the product manager for Argo at Cloudflare, I asked if there were other protocols we could send over Argo Tunnel. I must admit I was expecting a no, but Sam went: Oh yes you can! So, I got a couple of tidbits of info and decided to have a go when I was back at work the next day.

The short version of this is: Yes you can, I've done it!

The longer version is here:

How?

Pre-requisites:

  • A Cloudflare account
  • A Mac to connect to
  • A computer to connect from

I'm going to show how to do this using an Ubuntu server (just a small VM I spun up for this very purpose) to create a bastion server to connect to all our internal 'oddities' that may get in trouble.

  • Download and install cloudflared

Linux:

curl https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb  --output cloudflared.deb

sudo dpkg -i cloudflared.deb
[sudo] password for alex:
Selecting previously unselected package cloudflared.
(Reading database ... 102950 files and directories currently installed.)
Preparing to unpack cloudflared.deb ...
Unpacking cloudflared (2020.2.1) ...
Setting up cloudflared (2020.2.1) ...
  • Get your credentials by logging in with cloudflared

Copy the link into your browser, sign in and authorize argo tunnel for your domain

cloudflared login
Please open the following URL and log in with your Cloudflare account:

https://dash.cloudflare.com/argotunnel?callback=https%3A%2F%2Flogin.argotunnel.com%2FxDroLc6MnqHyZ-fQFqbCzGM-6Iy6PsO52O-JQsM9zBo%3D

Leave cloudflared running to download the cert automatically.
You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:
/home/alex/.cloudflared/cert.pem
  • Quick test:
cloudflared --hostname testtunnel.mydomain.co.uk --hello-world

Make sure when you try connecting to https://testtunnel.mydomain.co.uk you get a Cloudflare success page

  • Now another test, bouncing RDP (just to be sure!):
cloudflared --hostname testtunnel.mydomain.co.uk --url rdp://myserver.mydomain.local:3389

This creates a tunnel for an RDP server we have, and gives me a known quantity to check the other side of things: connecting from a client.

Then on your client computer:

cloudflared access rdp --hostname testtunnel.mydomain.co.uk --url localhost:2244

And configure an RDP connection in Microsoft Remote Desktop to connect to localhost:2244

All works so far!

  • Testing Apple ARD (VNC over argo tunnel)

Bastion machine:

cloudflared --hostname testtunnel.mydomain.co.uk --url ssh://192.168.10.137:5900

Note: we are using the ssh protocol as, according to Sam, SSH is closer to normal TCP than RDP in the way this works. I'm going to have to take his word on this, but it was his immediate suggestion and it works.

Client Machine:

cloudflared access ssh --hostname testtunnel.mydomain.co.uk --url localhost:5900

Then on your client, in Finder press Command+K to open Connect to Server, connect to localhost:5900 and away you go!
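The two client-side steps above (RDP and ARD) follow the same pattern: start a local cloudflared access listener, wait for it, point the desktop client at localhost. The helper below is an added example, not code from the post or from Cloudflare. It only builds on the cloudflared access rdp / ssh command forms shown above; the service-kind mapping, the readiness wait and the placeholder tunnel hostname are my own assumptions, as is the assumption that an Access policy already exists for the hostname (the post's own client commands rely on the same).

```shell
#!/bin/sh
# Added example (not from the original post): client-side helper that starts
# the local cloudflared access listener for a tunnel, waits until the local
# port accepts connections, and stops the listener when you exit.
# Assumes the "cloudflared access rdp|ssh --hostname H --url localhost:PORT"
# form used in the post; the hostname and ports below are placeholders.

# Map the service kind to the cloudflared access mode used in the post:
# rdp for Microsoft RDP, ssh as the plain TCP carrier for VNC / ARD.
access_mode() {
    case "$1" in
        rdp) echo rdp ;;
        vnc|ard|ssh) echo ssh ;;
        *) return 1 ;;
    esac
}

# Print the cloudflared access command for a kind, tunnel hostname and local port.
access_cmd() {
    mode=$(access_mode "$1") || { echo "unknown service kind: $1" >&2; return 1; }
    printf 'cloudflared access %s --hostname %s --url localhost:%s\n' "$mode" "$2" "$3"
}

# Return 0 once something listens on 127.0.0.1:$1, retrying up to $2 seconds.
# Uses nc when available; falls back to a fixed wait otherwise.
wait_for_port() {
    port="$1"; tries="${2:-15}"
    if ! command -v nc >/dev/null 2>&1; then
        sleep 3; return 0
    fi
    while [ "$tries" -gt 0 ]; do
        nc -z 127.0.0.1 "$port" >/dev/null 2>&1 && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# Usage: open_access KIND TUNNEL_HOSTNAME LOCAL_PORT
open_access() {
    cmd=$(access_cmd "$1" "$2" "$3") || return 1
    sh -c "$cmd" &
    pid=$!
    trap 'kill "$pid" 2>/dev/null' EXIT INT TERM   # drop the listener on exit
    if wait_for_port "$3" 15; then
        echo "listener ready: connect your $1 client to localhost:$3"
        wait "$pid"   # keep the listener up until cloudflared exits or you press Ctrl-C
    else
        echo "local port $3 did not open; check the cloudflared output" >&2
        return 1
    fi
}

# Example invocation with a placeholder tunnel hostname. It only runs when
# RUN_ACCESS=1 is set, so the file can also be sourced for its functions.
if [ "${RUN_ACCESS:-0}" = 1 ]; then
    open_access vnc testtunnel.mydomain.co.uk 5900
fi
```

Run it as `RUN_ACCESS=1 sh client-access.sh` (hypothetical file name), then open Screen Sharing or Microsoft Remote Desktop against the localhost port it reports; closing the script with Ctrl-C tears the listener down rather than leaving a stray local port open.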

I'll add more information here when (if) I get a chance on how I have configured the bastion server to run multiple instances of the service to connect to multiple internal machines.
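One way to run several tunnels from the one bastion, added here as an example and not the author's own configuration: keep a small list of published hostname, scheme, internal host and port, validate each entry, and start one cloudflared process per hostname using the same `cloudflared --hostname H --url SCHEME://HOST:PORT` form shown above. The service list, hostnames, addresses and log paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): launch one cloudflared
# process per published hostname from a small service list, so a single
# bastion can front several internal machines. Assumes the same
# "cloudflared --hostname H --url SCHEME://HOST:PORT" form used in the post.
# Hostnames, addresses and ports below are constructed for illustration.

# Constructed service list: one "published-hostname scheme target-host port"
# entry per line. Schemes follow the post: rdp:// for RDP, ssh:// as the
# plain TCP carrier for VNC / ARD.
SERVICES='
rdp.mydomain.co.uk        rdp 192.168.10.20  3389
ard-build.mydomain.co.uk  ssh 192.168.10.137 5900
ard-render.mydomain.co.uk ssh 192.168.10.138 5900
'

# Return 0 if the argument is a number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if the scheme is one the post shows working over Argo Tunnel.
valid_scheme() {
    case "$1" in
        rdp|ssh) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the cloudflared command line for one entry, or fail on a bad entry
# so a typo in the list never starts a tunnel to the wrong place.
build_tunnel_cmd() {
    pub_host="$1"; scheme="$2"; target="$3"; port="$4"
    valid_scheme "$scheme" || { echo "bad scheme for $pub_host: $scheme" >&2; return 1; }
    valid_port "$port"     || { echo "bad port for $pub_host: $port" >&2; return 1; }
    printf 'cloudflared --hostname %s --url %s://%s:%s\n' \
        "$pub_host" "$scheme" "$target" "$port"
}

# Launch one tunnel per entry; with DRY_RUN=1 (the default) only print them.
launch_all() {
    echo "$SERVICES" | while read -r pub_host scheme target port; do
        [ -n "$pub_host" ] || continue   # skip blank lines
        cmd=$(build_tunnel_cmd "$pub_host" "$scheme" "$target" "$port") || continue
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            # One process per hostname, each with its own log for troubleshooting.
            sh -c "$cmd" >"/tmp/cloudflared-$pub_host.log" 2>&1 &
            echo "started $pub_host (pid $!)"
        fi
    done
}

launch_all
```

Running the file as-is prints the three command lines so you can check them; `DRY_RUN=0 sh launch-tunnels.sh` (hypothetical file name) starts them in the background. Each hostname gets its own process because, as in the post's own commands, one cloudflared invocation serves one hostname and one target.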

But, as a recap, you can use Argo Tunnel / Access to provide secure access to your internal infrastructure for HTTP/S, SSH, RDP, VNC and probably a host of other services I haven't even begun to think about.

Stay safe everyone.

Alex