Remote desktop connection issues

Hi All.

I am trying to set up Traefik to connect to a Windows RD server. Below is my setup.
In the same Docker network I have WireGuard, Pi-hole for the DNS and Traefik. All connections I set up in Traefik over HTTP work (meaning I can access them via the domain I have set up with Cloudflare).

The only issue is I am unable to connect to the RD server. From the host I can connect to the RD server (I did check); there are no logs in Traefik. I reviewed all the iptables rules and firewalls and (for testing) I allowed all connections and still I am unable to connect.

Does anyone have any advice?

```yaml
tcp:
  routers:
    analogic-host:
      entryPoints:
        - "rdp"
      rule: "HostSNI(`rdp1.guest.example.com`)"
      middlewares:
        #- default-headers
        #- https-redirectscheme
        #- venn-whitelist
      tls:
        passthrough: true
      service: analogic-host
  #services:
  services:
    analogic-host:
      loadBalancer:
        servers:
          - address: "10.X.X.4:3389"
```

```yaml
global:
  checkNewVersion: false
  sendAnonymousUsage: false

log:
  level: DEBUG
  filePath: "/traefik_logs/traefik.log"

api:
  dashboard: true
  debug: true
entryPoints:
  rdp:
    address: ":3389"
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: tech@vexample.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```

You use HostSNI() on the router, therefore Traefik needs a certificate to look into the TLS connection.

You have not assigned the certresolver to entrypoint or router, so Traefik will generate a custom cert (which is probably not accepted by the client). (Except if you have declared your own certs in a dynamic config file)

The traffic is then forwarded encrypted (passthrough) to your RDP target service, which does not know the cert and cannot decrypt it without the custom Traefik cert.

You can remove all TLS related params from the (dedicated RDP) entrypoint, router and service and just use HostSNI(`*`) for the rule, then the TCP traffic passes untouched through Traefik.

Restriction: that way you can’t differentiate on HostSNI, so can only use a single target service. Use a different entrypoint/port if you need more.

Also see simple Traefik TCP example.
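The reply above says Traefik has to look into the TLS connection to evaluate `HostSNI()`. As an added illustration (not code from this thread or from Traefik itself), the Python below models what a TCP router sees in the first bytes of a connection: a TLS ClientHello carries the SNI name, whereas an RDP session opens with a plaintext TPKT/X.224 Connection Request and only negotiates TLS after the server answers, so there is no SNI for a `HostSNI(\`name\`)` rule to match and only `HostSNI(\`*\`)` can route it. The ClientHello builder, the RDP byte sample and the `match_tcp_router` function are constructed for this example; the matching logic is a deliberately simplified model of Traefik's router, not its actual implementation.

```python
import struct
from typing import Optional

# Constructed sample: the first packet an RDP client sends is a TPKT header
# (0x03 0x00 + length) wrapping an X.224 Connection Request (code 0xE0) with an
# RDP_NEG_REQ (type 1, 8 bytes) asking for TLS/CredSSP. Nothing here is TLS yet.
RDP_X224_CONNECTION_REQUEST = bytes.fromhex(
    "03000013"           # TPKT: version 3, reserved, total length 19
    "0ee00000000000"     # X.224 CR: LI=14, code 0xE0, dst-ref, src-ref, class 0
    "010008000b000000"   # RDP_NEG_REQ: type 1, flags 0, length 8, protocols
)


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI entry (constructed)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name type
    sni_ext_data = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_ext_data)) + sni_ext_data  # server_name ext
    body = (
        b"\x03\x03"            # client_version TLS 1.2
        + bytes(32)            # random (zeros, constructed)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # one compression method: null
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(first_bytes: bytes) -> Optional[str]:
    """Return the SNI host from a TLS ClientHello, or None if the bytes are not one."""
    try:
        if first_bytes[0] != 0x16:                       # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", first_bytes[3:5])[0]
        hs = first_bytes[5:5 + rec_len]
        if hs[0] != 0x01:                                # not a ClientHello
            return None
        p = 4 + 2 + 32                                   # skip header, version, random
        p += 1 + hs[p]                                   # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher suites
        p += 1 + hs[p]                                   # compression methods
        if p + 2 > len(hs):
            return None                                  # no extensions at all
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0x0000:                          # server_name extension
                q = p + 2                                # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:
                        return hs[q:q + nlen].decode("ascii")
                    q += nlen
            p += elen
    except (IndexError, struct.error):
        return None
    return None


def is_rdp_connection_request(first_bytes: bytes) -> bool:
    """True if the bytes look like a TPKT-wrapped X.224 Connection Request."""
    return (
        len(first_bytes) >= 7
        and first_bytes[0] == 0x03       # TPKT version 3
        and first_bytes[1] == 0x00
        and first_bytes[5] == 0xE0       # X.224 CR-TPDU code
    )


def match_tcp_router(rule_host: str, first_bytes: bytes) -> bool:
    """Simplified model of a Traefik TCP router rule (assumption, not Traefik's code):
    HostSNI(`*`) accepts any connection; HostSNI(`name`) needs a ClientHello with that SNI."""
    if rule_host == "*":
        return True
    return extract_sni(first_bytes) == rule_host


if __name__ == "__main__":
    hello = build_client_hello("rdp1.guest.example.com")
    for label, data in (("TLS ClientHello", hello), ("RDP X.224 CR", RDP_X224_CONNECTION_REQUEST)):
        print(f"{label:16} sni={extract_sni(data)!r} rdp={is_rdp_connection_request(data)} "
              f"HostSNI(name)={match_tcp_router('rdp1.guest.example.com', data)} "
              f"HostSNI(*)={match_tcp_router('*', data)}")
```

Run stand-alone, the block shows the ClientHello matching the named rule while the RDP request matches only `HostSNI(\`*\`)`; the `tls:` settings on the thread's router never come into play for the RDP sample, because no ClientHello ever arrives for Traefik to inspect.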

What is strange is there is nothing in my log file showing errors:
```text
time="2023-08-29T07:50:53Z" level=debug msg="Accepting IP 10.X.1.2" middlewareType=IPWhiteLister middlewareName=venn-whitelist@file
time="2023-08-29T07:50:54Z" level=debug msg="Accepting IP 10.X.1.2" middlewareType=IPWhiteLister middlewareName=venn-whitelist@file
time="2023-08-29T07:50:54Z" level=debug msg="Accepting IP 10.X.1.2" middlewareType=IPWhiteLister middlewareName=venn-whitelist@file
time="2023-08-29T07:50:56Z" level=debug msg="Accepting IP 10.X.1.2" middlewareType=IPWhiteLister middlewareName=venn-whitelist@file
time="2023-08-29T07:50:56Z" level=debug msg="Accepting IP 10.X.1.2" middlewareName=venn-whitelist@file middlewareType=IPWhiteLister
```

Below are all my configs. I did do a traceroute and it ends at Traefik. As mentioned, all firewall ports are open (for testing); UFW is disabled as well:

traefik.yml:
```yaml
global:
  checkNewVersion: false
  sendAnonymousUsage: false

log:
  level: DEBUG
  filePath: "/traefik_logs/traefik.log"

api:
  dashboard: true
  debug: true
entryPoints:
  rdp:
    address: ":3389"
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: tech@example.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```

config.yml:
```yaml
tcp:
  routers:
    analogic-host:
      entryPoints:
        - "rdp"
      rule: "HostSNI(`rdp1.guest.example.com`)"
      middlewares:
        #- default-headers
        #- https-redirectscheme
        #- venn-whitelist
      tls:
        certResolver: cloudflare
      service: analogic-host
  #services:
  services:
    analogic-host:
      loadBalancer:
        servers:
          - address: "10.X.X.4:3389"
```

Docker Compose:
```yaml
traefik:
    image: traefik:v2.10.4
    container_name: traefik
    ports:
      - 80:80
      - 443:443
      # -- (Optional) Enable Dashboard, don't do in production
      - 8080:8080
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /home/vctech/Dockercompose/Traefik/data/traefik.yml:/traefik.yml:ro
      - /home/vctech/Dockercompose/Traefik/data/acme.json:/acme.json
      - /home/vctech/Dockercompose/Traefik/data/config.yml:/config.yml:ro
      - /home/vctech/Dockercompose/Traefik/log:/traefik_logs
      - /var/run/docker.sock:/var/run/docker.sock:ro
    # -- (Optional) When using Cloudflare as Cert Resolver
    environment:
      - CF_API_EMAIL=tech@example.com
      - CF_DNS_API_TOKEN=token
    # -- (Optional) When using a custom network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.azure.example.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=User:key"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.azure.example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=azure.example.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.azure.example.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.guest.example.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"
    restart: unless-stopped
    dns:
      - 10.X.X.3
    networks:
      wg-easy:
        ipv4_address: 10.X.X.4
```

Format your code with 3 backticks in front and after, or select the code and press </>. In yaml every space matters. And it makes it so much more readable.

The current questions are: is your RDP client using TLS? Which cert does it expect? Which cert is Traefik using? Is your RDP target service using TLS? Which cert?

Fixed, thanks. I forgot it's 3 ticks.

The RDP is just a Windows server on Azure. The server itself does not use TLS. Just connect with username and password to the IP.

I am trying to use Pi-hole as the local DNS (after connecting on a VPN) to then use Traefik to connect to the server. I don't want users to directly connect from the VPN, thus the DNS and Traefik are used.