Caddy as Remote Desktop Gateway

Is there any configuration/plugin available that enables me to forward all TCP traffic on port 3389 for a certain subdomain to my remote desktop server, e.g. something like:

rdp.test.tk:3389 {proxy / localhost}

The protocol to be forwarded is the RDP protocol, so the above config is not working.
I also tried rawproxy ( https://github.com/1lann/rawproxy ), but without success.

Any hints?

P.

Try the net server type - you should be able to forward all TCP traffic.

https://caddyserver.com/docs/net


Thank you, I was able to configure a net server accordingly.

But in my case I would like to use the outbound port also for HTTP server connections. Depending on the requested domain name, either the HTTP proxy or the net proxy should be used.
(So the http and net server must be bound to the same port, which is currently unsupported by Caddy.)

Do you see any chance to realize this with caddy?

Thx, P.

I don’t think this is possible with any software (that is, sharing a port with another program). Some kind of code needs to determine which packets should go where, and a port is the most granular level, from a networking perspective, to differentiate what service the traffic is intended for.

I have to admit that I’m not that familiar with the net server type, but it does indicate that it can differentiate traffic by hostname, despite being a TCP server. Does it allow multiplexing proxies on a port with different hostnames?

Hope it’s ok to ask a similar question here. I want to access my desktop using remote desktop without exposing/opening port 3389 on my router. Would I still use the net plugin? And what would the Caddyfile look like if I’m using myusername.asuscommm.com to connect? I did read the documentation but I’m a little puzzled.

What purpose would the net plugin serve, exactly?

If you want to RDP to your computer with a different external port, just forward a different external port from your router to port 3389 on your computer. Caddy’s net server type would just be replicating the kind of port forwarding you can just do with your networking hardware, in fact would already have to do (to pass traffic to Caddy in the first place).

I’m being dense, sorry, but isn’t leaving 3389 open a vulnerability? Would forwarding the port to another just be moving the vulnerability from one port to another? I wondered if I can use the reverse proxy feature so I don’t need to expose any port?

No worries, no such thing as a stupid question.

Yes, you are simply moving the vulnerability. No, you can’t use any reverse proxy program to remove the requirement to expose a port.

I mean, how do you intend for traffic to reach the reverse proxy if there’s no ports open on the router? If you need access via the public internet, there has to be at least one. You just get to pick which.

Moving it to a non-standard port has benefits. Lots of bots/scripts/etc. crawl the internet, testing known default ports. You will dodge much simple automated probing - not all, but most.

I would consider RDP secure enough to use on a non-standard port for non-business-critical or small-scale systems. The gold standard, though, is to have a certificate-based VPN server be the only point of entry to a hardened VLAN, and then authenticate to an RDP gateway over your private network.

One nitpick regarding terminology:

Just to be sure I’m unambiguous, I am not suggesting you forward 3389 to another - I am suggesting that you close 3389 externally, and forward an arbitrary high port number (e.g. 38459) to your RDP host instead.

Thanks @Whitestrake, I think I’ll change the port number to something higher, that will be sufficient for my needs. Thanks for enlightening me!

I’d like to provide the method I use for accessing RDP externally using ONLY SSH port 22. I use PuTTY to create an SSH tunnel so that localhost:3386 goes through the tunnel to the network where I want to RDP into and connects to (remote pc):3389. See photo for my setup to tunnel through these ports to be able to RDP to each of these.
Therefore in the RDP client, I’d only have to enter localhost:3385, or :3386, :3387, :3388, and so on…
[image: PuTTY tunnel setup]

Thanks @Namekal, something else for me to try :smiley:
