# Tunneled RDP Connections

Remote Desktop Protocol (RDP) is a standard for using a desktop computer remotely. It was released by Microsoft and is most commonly used to access Windows systems, but can be used for macOS and Linux systems as well.

# Basic Connection

  1. Create a TCP tunnel, using either pomerium-cli or the Pomerium Desktop client:

  2. Initiate your RDP connection, pointing to localhost. This example uses the Remmina (opens new window) client, but the procedure should be similar for other tools:

    A new connection profile in Remmina


    The first connection attempt will initiate a redirect to authenticate you in the browser. Once you're signed in, subsequent connections will succeed. If your client isn't configured to retry the connection, you may have to reconnect manually.

# Always Tunnel through Pomerium

Some clients, like Remmina, support running commands before and after connection. The script below (adopted from this example (opens new window) using SSH tunnels) starts and stops an instance of pomerium-cli:

scriptname="$(basename $0)"

if [ $# -lt 3 ]
    echo "Usage: $scriptname start | stop  POMERIUM_ROUTE LOCAL_PORT"

case "$1" in

  echo "Starting Pomerium Tunnel to $2"
  pomerium-cli tcp $2 --listen $3 &
  echo "Stopping Pomerium tunnel to $3"
  kill $(pgrep -f "pomerium-cli tcp $2 --listen $3")
  echo "Did not understand your argument, please use start|stop"

  1. Save the script above to your home folder (~/), and make it executable:

    cd ~/
    wget https://github.com/pomerium/pomerium/blob/master/examples/tcp/pomerium-tunnel.sh
    chmod +x pomerium-tunnel.sh
  2. Update your client profile to execute the script before and after the connection:

    A connection profile in Remmina invoking a custom script


Flatpak versions of client software may not be able to read external scripts or programs.

# More Resources