Tunneled RDP Connections
Remote Desktop Protocol (RDP) is a standard for using a desktop computer remotely. It was released by Microsoft and is most commonly used to access Windows systems, but can be used for macOS and Linux systems as well.
This example assumes you've already created a TCP route for this service.
Basic Connection
Create a TCP tunnel, using either
pomerium-cli
or the Pomerium Desktop client:- pomerium-cli
- Pomerium Desktop
pomerium-cli tcp aService.corp.example.com:3389 --listen :3389
--listenThe
--listen
flag is optional. It lets you define what port the tunnel listens on locally. If not specified, the client will choose a random available port.Local AddressThe Local Address field is optional. Using it defines what port the tunnel listens on locally. If not specified, Pomerium Desktop will choose a random available port.
Initiate your RDP connection, pointing to
localhost
. This example uses the Remmina client, but the procedure should be similar for other tools:cautionThe first connection attempt will initiate a redirect to authenticate you in the browser. Once you're signed in, subsequent connections will succeed. If your client isn't configured to retry the connection, you may have to reconnect manually.
Always Tunnel through Pomerium
Some clients, like Remmina, support running commands before and after connection. The script below (adopted from this example using SSH tunnels) starts and stops an instance of pomerium-cli
:
#!/bin/bash
script_name="$(basename $0)"
if [ $# -lt 3 ]
then
echo "Usage: $script_name start | stop POMERIUM_ROUTE LOCAL_PORT"
exit
fi
case "$1" in
start)
echo "Starting Pomerium Tunnel to $2"
pomerium-cli tcp $2 --listen $3 &
;;
stop)
echo "Stopping Pomerium tunnel to $3"
kill $(pgrep -f "pomerium-cli tcp $2 --listen $3")
;;
*)
echo "Did not understand your argument, please use start|stop"
;;
esac
Save the script above to your home folder (
~/
), and make it executable:cd ~/
wget https://github.com/pomerium/pomerium/blob/main/examples/tcp/pomerium-tunnel.sh
chmod +x pomerium-tunnel.shUpdate your client profile to execute the script before and after the connection:
Flatpak versions of client software may not be able to read external scripts or programs.