Skip to main content

Tunneled RDP Connections

Remote Desktop Protocol (RDP) is a standard for using a desktop computer remotely. It was released by Microsoft and is most commonly used to access Windows systems, but can be used for macOS and Linux systems as well.

Long-lived connections behavior

When you create a TCP or Websocket connection, Pomerium validates the access policy at the time the connection is made.

Currently, there is no mechanism in place to terminate long-running connections if a policy becomes invalid.

tip

This example assumes you've already created a TCP route for this service.

Basic Connection

  1. Create a TCP tunnel, using either pomerium-cli or the Pomerium Desktop client:

    pomerium-cli tcp aService.corp.example.com:3389 --listen :3389
    --listen

    The --listen flag is optional. It lets you define what port the tunnel listens on locally. If not specified, the client will choose a random available port.

  2. Initiate your RDP connection, pointing to localhost. This example uses the Remmina client, but the procedure should be similar for other tools:

    A new connection profile in Remmina

    caution

    The first connection attempt will initiate a redirect to authenticate you in the browser. Once you're signed in, subsequent connections will succeed. If your client isn't configured to retry the connection, you may have to reconnect manually.

Always Tunnel through Pomerium

Some clients, like Remmina, support running commands before and after connection. The script below (adopted from this example using SSH tunnels) starts and stops an instance of pomerium-cli:

#!/bin/bash
script_name="$(basename $0)"

if [ $# -lt 3 ]
then
echo "Usage: $script_name start | stop POMERIUM_ROUTE LOCAL_PORT"
exit
fi

case "$1" in

start)
echo "Starting Pomerium Tunnel to $2"
pomerium-cli tcp $2 --listen $3 &
;;
stop)
echo "Stopping Pomerium tunnel to $3"
kill $(pgrep -f "pomerium-cli tcp $2 --listen $3")
;;
*)
echo "Did not understand your argument, please use start|stop"
;;

esac
  1. Save the script above to your home folder (~/), and make it executable:

    cd ~/
    wget https://github.com/pomerium/pomerium/blob/main/examples/tcp/pomerium-tunnel.sh
    chmod +x pomerium-tunnel.sh
  2. Update your client profile to execute the script before and after the connection:

    A connection profile in Remmina invoking a custom script

caution

Flatpak versions of client software may not be able to read external scripts or programs.

More Resources