Create a bastion server behind cloudflare to give access to internal resources - including Apple remote desktop.
With the current events of the world going on around us, Cloudflare have kindly provided their Argo tunnel / Teams / Access systems for free.
Although we have a VPN here, I'm anticipating in the coming weeks that we may need alternate approaches to connecting in to our systems if / when we get forced to work from home.
We have a lot of autonomous Apple Mac systems here that perform tasks for us to keep the company running. Although Cloudflare show how to connect SSH and Microsoft RDP over Argo, they don't have information on other protocols.
While I was on a call with Sam Rhea, the product manager for Argo at Cloudflare, I asked if there were other protocols we could send over Argo Tunnel. I must admit I was expecting a no, but Sam went "Oh yes you can!" So I got a couple of tidbits of info and decided to have a go when I was back at work the next day.
The short version of this is: Yes you can, I've done it!
The longer version follows. You will need:
- A Cloudflare account
- A Mac to connect to
- A computer to connect from
I'm going to show how to do this using an Ubuntu server (just a small VM I spun up for this very purpose) to create a bastion server that connects to all our internal 'oddities' that may get in trouble.
- Download and install cloudflared
curl https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb --output cloudflared.deb
sudo dpkg -i cloudflared.deb
[sudo] password for alex:
Selecting previously unselected package cloudflared.
(Reading database ... 102950 files and directories currently installed.)
Preparing to unpack cloudflared.deb ...
Unpacking cloudflared (2020.2.1) ...
Setting up cloudflared (2020.2.1) ...
- Get your credentials by logging in with the command below. Copy the link it prints into your browser, sign in and authorize Argo Tunnel for your domain:
cloudflared login
Please open the following URL and log in with your Cloudflare account:
https://dash.cloudflare.com/argotunnel?callback=https%3A%2F%2Flogin.argotunnel.com%2FxDroLc6MnqHyZ-fQFqbCzGM-6Iy6PsO52O-JQsM9zBo%3D
Leave cloudflared running to download the cert automatically.
You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:
/home/alex/.cloudflared/cert.pem
- Quick test:
cloudflared --hostname testtunnel.mydomain.co.uk --hello-world
Make sure that when you browse to https://testtunnel.mydomain.co.uk you get a Cloudflare success page.
- Now another test, bouncing RDP through the tunnel (just to be sure!):
cloudflared --hostname testtunnel.mydomain.co.uk --url rdp://myserver.mydomain.local:3389
This creates a tunnel to an RDP server we have, and gives me a known quantity to check the other side of things: connecting from a client.
Then on your client computer:
cloudflared access rdp --hostname testtunnel.mydomain.co.uk --url localhost:2244
And configure an RDP connection in Microsoft Remote Desktop to connect to
All works so far!
- Testing Apple ARD (VNC over argo tunnel)
cloudflared --hostname testtunnel.mydomain.co.uk --url ssh://192.168.10.137:5900
We are using the ssh protocol because, according to Sam, that is how this works: SSH is closer to plain TCP than RDP is. I'm going to have to take his word on this, but it was his immediate suggestion and it works.
cloudflared access ssh --hostname testtunnel.mydomain.co.uk --url localhost:5900
Then on your client, in Finder, press Command+K to bring up Connect to Server, connect to localhost:5900 and away you go!
I'll add more information here when (if) I get a chance on how I have configured the bastion server to run multiple instances of the service to connect to multiple internal machines.
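As an added example that is not part of the original post, here is a small POSIX shell launcher that runs one cloudflared instance per internal machine using the same --hostname/--url form shown above, and prints the matching client-side command for each. The public hostnames and internal addresses in the inventory are constructed, and the RUN and BASTION_LAUNCH variables are my own names, not cloudflared options.

```shell
#!/bin/sh
# Added example (not from the original post): one cloudflared instance per
# internal machine, using the legacy --hostname/--url form the post uses.
# Hostnames and internal addresses below are constructed.
set -eu

# Constructed inventory: "<public hostname> <tunnel protocol> <internal host:port>"
# VNC/ARD rides the ssh tunnel type, as the post describes.
BASTION_MAP='
rdp-server.mydomain.co.uk  rdp  myserver.mydomain.local:3389
ard-mac1.mydomain.co.uk    ssh  192.168.10.137:5900
'

# Server-side command for one entry. Unknown protocols and targets without
# a port are rejected, so an inventory typo cannot expose something unintended.
build_server_cmd() {
  host=$1; proto=$2; target=$3
  case "$proto" in
    rdp|ssh) ;;
    *) echo "unsupported protocol: $proto" >&2; return 1 ;;
  esac
  case "$target" in
    *:[0-9]*) ;;
    *) echo "target must be host:port: $target" >&2; return 1 ;;
  esac
  printf 'cloudflared --hostname %s --url %s://%s\n' "$host" "$proto" "$target"
}

# Matching client-side command: the local port mirrors the internal port,
# so the user connects to localhost:<port> exactly as in the post.
build_client_cmd() {
  host=$1; proto=$2; target=$3
  port=${target##*:}
  printf 'cloudflared access %s --hostname %s --url localhost:%s\n' "$proto" "$host" "$port"
}

# Print one server command per entry, or start them in the background with RUN=1.
launch_all() {
  echo "$BASTION_MAP" | while read -r host proto target; do
    [ -n "$host" ] || continue
    cmd=$(build_server_cmd "$host" "$proto" "$target")
    if [ "${RUN:-0}" = 1 ]; then
      sh -c "$cmd" &
    else
      echo "$cmd"
    fi
  done
}
# Only launch when asked, so the file can also be sourced for its functions.
if [ "${BASTION_LAUNCH:-0}" = 1 ]; then launch_all; fi
```

Run it with BASTION_LAUNCH=1 to list the commands, and add RUN=1 once the list looks right; each client machine then uses the output of build_client_cmd for the host it needs.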
But, as a recap: you can use Argo Tunnel / Access to provide secure access to your internal infrastructure for HTTP/S, SSH, RDP, VNC and probably a host of other services I haven't even begun to think about.
Stay safe everyone.