

dimsim

#324735 18-May-2026 17:16

I have a small group of users (~10) that remotely access their Windows desktops and I'm thinking about replacing our old RDP-Gateway server with a Cloudflare tunnel solution.

 

We already have a Cloudflare pro account so I'm thinking this may be a good solution, but just not sure if it can provide the same ease of access to end users.

 

I've run up a test machine using RDP browser access and that seems to work fairly simply, but the OTP password thing is a bit of a pain point given it's another step for the user to have to do.

 

Is anyone else doing this and is there an easier, more streamlined way to do this with Cloudflare?

 

Thanks.


freitasm
#3493485 18-May-2026 17:37

I will have to give it another try. I have SSH access via tunnels but when I tried RDP it was very unstable.






 




Handle9
#3493491 18-May-2026 17:52

Is there a reason you wouldn’t use a vpn? Tailscale or WireGuard (if you have a static ip) are lightweight and very easy. 


networkn
#3493493 18-May-2026 17:53

We know a decent sized MSP who uses it for all their customers. 

 

I can't shake the feeling that when a company the size of Cloudflare is giving 50 free users away for a product that has intrinsic value that...

 

1) If you aren't paying for it, you are the product (ie they are collecting telemetry and other information)

 

2) It's free until some exec sees the cost and does away with it, or starts charging 'Cloudflare enterprise' rates for it, which is essentially the same thing.

 

It doesn't feel like it has long term sustainability and could be removed at any time. 

 

I'd prefer a product that is sustainable in its licensing model.

 

 




dimsim

#3493500 18-May-2026 18:16

Thanks - yeah I get that and also had the same thought - but we have a pro account anyway helping with website security so we’re already paying and thought we may as well use it if I can make access as simple as using an rdp-gateway.


dimsim

#3493501 18-May-2026 18:18

Handle9:

 

Is there a reason you wouldn’t use a vpn? Tailscale or WireGuard (if you have a static ip) are lightweight and very easy. 

 

 

Trying to avoid client configuration primarily - they’re users' computers we don’t have access to.


dimsim

#3493502 18-May-2026 18:21

freitasm:

 

I will have to give it another try. I have SSH access via tunnels but when I tried RDP it was very unstable.

 

 

I’ve only tested via an external server I have rdp access to (which as you would know is usually slow to draw) but the connection was quick and even worked ok, so so far has an initial pass :)


 
 
 
 

Ragnor
#3493619 19-May-2026 00:58

RDP works fine over Cloudflare's VPN client (now called One, formerly called WARP). You'll need to run Cloudflared internally on a host that has access to the network the desktops are on, of course (replacing the RDP gateway).

 

It's a good solution with mature split tunnelling, zero trust settings etc.

 

You can do a similar thing with mesh-based options like Tailscale or Netbird, but it can be more complicated to set up (and split tunnel setup can be harder).


Ragnor
#3493620 19-May-2026 01:01

Handle9:

 

Is there a reason you wouldn’t use a vpn? Tailscale or WireGuard (if you have a static ip) are lightweight and very easy. 

 

 

Cloudflare One (ex WARP) is a VPN client. Tailscale and Netbird are good, but sometimes you don't want/need a mesh, and exit node / subnet router setup can be more complicated than Cloudflared setup for remote worker to internal desktop.


BlakJak
#3494836 22-May-2026 21:36

VPN on your internet edge and client on the remote device. For performance you want the lowest latency and cleanest link you can engineer, and for a defined small number of users this feels cleanest. So long as you can keep your VPN endpoint constantly, frequently patched (esp if it's FortiNet) :-)






freitasm
#3494862 23-May-2026 11:19

I use the Cloudflare browser-based SSH client, which works well. But as I said, I tried the RDP one and found performance wasn't great, and the configuration was a mess.

 

Here is what I use:

 

Tailscale. Tailscale everywhere I need access to. 

 

On my laptop: Royal TS. Brilliant RDP/SSH/VNC management with encrypted secrets and configuration management. 

 

For browser-based remote access, when I don't have my laptop, I have a container running Apache Guacamole on my NAS. This container uses the Tailscale VPN to see all the nodes I need. The browser-based access is accessible via a Cloudflare Tunnel, behind Cloudflare Zero Trust, so I can access it using an SSL-encrypted URL, protected behind access rules - in this case, only authenticated users behind my Office 365 or with my Geekzone email address can access it.

 

I use Cloudflare Tunnels extensively. I only use Cloudflare WARP as a VPN when accessing the Internet from untrusted networks, but only for Internet access, not for my private resources.

 

It works well, it's fast and I use it all the time. More than Royal TS.

 






 


kiruti
#3494874 23-May-2026 13:44

I just wish we had a better alternative to Tunnels that doesn't require the need to rely on Cloudflare.

 

Anyway, I run Kasm Workspaces through a Cloudflare Tunnel with Auth0 for SSO (passwordless) login. A Windows VM with the Kasm agent is added as a server with Kasm Workspaces via RDP. A bit overcomplicated, but I can access it from pretty much anywhere with just a browser and with decent enough latency (around ~25ms in the office).

