cloudflared: RDP issues: failed to connect to origin error=“websocket: bad handshake”
Hi all,
I have been having issues trying to get RDP tunneling to work - before posting here I made sure to reach out to the community forums and Cloudflare support. Nothing has come to fruition - so thought it may be worth asking here just in case this might be a bug. The below was performed back in April, so timestamps and version numbers are from then, but I have tried again with version 2021.5.9 and the errors are still the same.
I am attempting to connect to a server (Windows 10 Pro) via RDP on macOS (11.3.1) and am unable to connect. The errors I receive are as follows:
macOS Error output (Client trying to connect to server):
% cloudflared access rdp --hostname rdp.domain.net --url localhost:2244
2021-04-28T10:30:31Z INF Start Websocket listener host=localhost:2244
A browser window should have opened at the following URL:
https://rdp.domain.net/cdn-cgi/access/cli?redirect_url=https%3A%2F%2Frdp.domain.net%3Ftoken%3D{$TOKEN}%253D&send_org_token=true&token={$TOKEN}%3D
If the browser failed to open, please visit the URL above directly in your browser.
2021-04-28T10:32:15Z ERR failed to connect to origin error="websocket: bad handshake" originURL=https://rdp.domain.net
Windows 10 Pro error output (Server running tunnel, awaiting connection)
PS C:\Cloudflared\bin> .\cloudflared.exe tunnel run
2021-04-28T10:24:45Z INF Starting tunnel tunnelID={$UUID}
2021-04-28T10:24:45Z INF Version 2021.4.0
2021-04-28T10:24:45Z INF GOOS: windows, GOVersion: go1.15.7, GoArch: amd64
2021-04-28T10:24:45Z INF Settings: map[cred-file:C:\Users\Admin\.cloudflared\${UUID}.json credentials-file:C:\Users\Admin\.cloudflared\${UUID}.json]
2021-04-28T10:24:45Z INF cloudflared will not automatically update on Windows systems.
2021-04-28T10:24:45Z INF Generated Connector ID: 8ab03d36-3d44-4fdd-9af0-ec4e7625ce5b
2021-04-28T10:24:45Z INF Initial protocol h2mux
2021-04-28T10:24:45Z INF Starting metrics server on 127.0.0.1:51437/metrics
2021-04-28T10:24:46Z INF Connection d5ff74d1-a212-4208-a536-b120fe014b81 registered connIndex=0 location=AMS
2021-04-28T10:24:46Z INF Connection cd587217-37e1-4f63-92b1-53aa07962e01 registered connIndex=1 location=LHR
2021-04-28T10:24:47Z INF Connection 72b205e7-b09a-47df-a996-42f0414926d9 registered connIndex=2 location=AMS
2021-04-28T10:24:48Z INF Connection ef33e060-034b-4c7c-991c-81048ea5cc86 registered connIndex=3 location=LHR
2021-04-28T10:32:12Z ERR localhost:3389 is not a http service
2021-04-28T10:32:12Z ERR CF-RAY: 646fa02738d954b7-MAN Proxying to ingress 0 error: Not a http service
I followed the setup instructions as described in this document.
Steps run on Windows 10 Pro server:
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Windows\system32> cd C:\Cloudflared\bin\
PS C:\Cloudflared\bin> .\cloudflared.exe service uninstall
2021-04-28T08:58:55Z INF Uninstalling Argo Tunnel Windows Service windowsServiceName=Cloudflared
2021-04-28T08:58:55Z INF Argo Tunnel agent service is uninstalled windowsServiceName=Cloudflared
PS C:\Cloudflared\bin> .\cloudflared.exe tunnel login
A browser window should have opened at the following URL:
https://dash.cloudflare.com/argotunnel?callback=https%3A%2F%2Flogin.argotunnel.com%2F${DIGEST}%3D
If the browser failed to open, please visit the URL above directly in your browser.
You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:
C:\Users\Admin\.cloudflared\cert.pem
PS C:\Cloudflared\bin> .\cloudflared.exe tunnel create RDP
Tunnel credentials written to C:\Users\Admin\.cloudflared\${UUID}.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.
Created tunnel RDP with id ${UUID}
PS C:\Cloudflared\bin> .\cloudflared.exe service install
2021-04-28T10:13:14Z INF Installing Argo Tunnel Windows service
2021-04-28T10:13:14Z INF Argo Tunnel agent service is installed windowsServiceName=Cloudflared
PS C:\Cloudflared\bin> .\cloudflared.exe tunnel ingress validate
Validating rules from C:\Users\Admin\.cloudflared\config.yml
OK
PS C:\Cloudflared\bin> .\cloudflared.exe tunnel run
Steps run on macOS client:
alex97@MacBook-Pro-16 ~ % {install macOS pkg from release page}
alex97@MacBook-Pro-16 ~ % cloudflared login
A browser window should have opened at the following URL:
https://dash.cloudflare.com/argotunnel?callback=https%3A%2F%2Flogin.argotunnel.com%2F{$DIGEST}%3D
If the browser failed to open, please visit the URL above directly in your browser.
You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:
/Users/alex97/.cloudflared/cert.pem
alex97@MacBook-Pro-16 ~ % cloudflared access rdp --hostname rdp.domain.net --url localhost:2244
2021-04-28T10:30:31Z INF Start Websocket listener host=localhost:2244
A browser window should have opened at the following URL:
https://rdp.domain.net/cdn-cgi/access/cli?redirect_url=https%3A%2F%2Frdp.domain.net%3Ftoken%3D{$TOKEN}&send_org_token=true&token={$TOKEN}%3D
If the browser failed to open, please visit the URL above directly in your browser.
2021-04-28T10:32:15Z ERR failed to connect to origin error="websocket: bad handshake" originURL=https://rdp.domain.net
What my config.yml looks like on the server:
tunnel: ${UUID}
credentials-file: C:\Users\Admin\.cloudflared\${UUID}.json
ingress:
  - hostname: rdp.domain.net
    service: rdp://localhost:3389
  - service: http_status:404
    # Catch-all rule, which responds with 404 if traffic doesn't match any of
    # the earlier rules
Attached debug level log.
I have tried various TLS/SSL settings, nothing different happened. Is the service trying to set up an HTTP tunnel instead of an RDP tunnel?
About this issue
- State: closed
- Created 3 years ago
- Reactions: 2
- Comments: 18 (9 by maintainers)
Yes, they should be enabled, because the cloudflared access ssh wrapper on the eyeball/client side is sending the data as websocket messages to Cloudflare edge, that are then routed to your cloudflared tunnel on the origin/server side still as websocket messages (and unpacked there before delivered to the locally reachable origin service).
I am pretty sure they are enabled by default, so maybe that’s why this question/problem hasn’t risen more often.
I’ll work out internally to make sure this is available in https://developers.cloudflare.com/cloudflare-one/faq/cloudflare-tunnels-faq