Table of Contents
Overview
Guide
DuckDNS
Unraid
SWAG
Vaultwarden
fail2ban
Sources
Overview
Hello, I created this guide to document how to set up these containers as well as help people who are also trying to figure this out. The information to set this up is spread out all over the place and this is a way to group all of the steps together. Please let me know if I did anything wrong. This was how I set up Vaultwarden, so if I missed something, I'd like to fix it for my own server as well.
The purpose of this guide is to show you how to install Vaultwarden and access it safely over the internet through SWAG on Unraid.
Vaultwarden is a self-hosted password manager based on Bitwarden.
SWAG - formerly known as letsencrypt, is an Nginx web server and reverse proxy that offers a safe way to expose Vaultwarden to the internet. It offers this safety through:
fail2ban - intrusion prevention software that blocks brute-force attacks by banning IPs after repeated failed logins
SSL certs - encrypted data transmission.
Reverse Proxy (From Spaceinvader One video):
Allows online access
Redirects requests made to it to other places behind a firewall
Additional layer of abstraction and therefore additional security.
DuckDNS - Free dynamic DNS. Support the project through their Patreon
This guide is mostly taken from Spaceinvader One's videos but with updated information.
How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX
Easily Setup a Bitwarden/vaultwarden Server on Unraid or a VPS for Password Management
Guide
DuckDNS
DuckDNS keeps track of your WAN IP. Most ISPs change this IP periodically, which is why a dynamic DNS service like DuckDNS is needed. With DuckDNS, you can reach your server at a stable name such as myUnraidServer.duckdns.org
Go to https://www.duckdns.org/
Create an account and add 2 domains.
The first domain points directly to your Unraid server. Example: myUnraidServer.duckdns.org
The second domain points to your Vaultwarden container. Example: myUnraidServerVaultwarden.duckdns.org
Make sure you write this down somewhere, or can remember it
Go to APPS/Unraid Community Applications and install Linuxserver.io's duckdns container
Variables: Value
Repository: linuxserver/duckdns
Network Type: Host
Privileged: On
SUBDOMAINS: myUnraidServer.duckdns.org, myUnraidServerVaultwarden.duckdns.org
TOKEN: yourDuckDNS_Token (Your token from https://www.duckdns.org/)
Unraid
Port Forward
On your Router port forward your server ports:
External Port | Internal IP | Internal Port
80 | myUnraidServerLanIpAddress | 180
443 | myUnraidServerLanIpAddress | 1443
The Internal Port numbers do not matter, just make sure they're not used by other services on your server and take note of them.
Create a UserDefinedBridge
In Unraid, create a user-defined bridge. There are many reasons to do this; here are some from the Docker docs:
User-defined bridges provide automatic DNS resolution between containers
User-defined bridges provide better isolation
Containers can be attached and detached from user-defined networks on the fly
Each user-defined network creates a configurable bridge
Linked containers on the default bridge network share environment variables
Disable Docker: go to Unraid Settings > Docker, set Enable Docker to No, then Apply
Under Docker settings, with Advanced View enabled, set Preserve user defined networks to Yes
Re-enable Docker: Unraid Settings > Docker, set Enable Docker to Yes, then Apply
Open an Unraid Terminal then run: docker network create myNetName
SWAG
We are now ready to install the SWAG container.
Go to APPS also known as Unraid's Community Applications and install linuxserver's swag:
Overview:
SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.
Variables: Value
Repository: lscr.io/linuxserver/swag
Network Type: myNetName (This is the custom network or UserDefinedBridge)
WebUI: 1443 (This is the custom internal port that was forwarded)
Port 80: 180 (This is the custom internal port that was forwarded)
URL: duckdns.org
VALIDATION: http
SUBDOMAINS: myUnraidServer, myUnraidServerVaultwarden (These are the custom domain names you made in DuckDNS)
DNSPLUGIN: duckdns
EMAIL: yourEmailAddress
STAGING: false
DUCKDNSTOKEN: yourDuckDNS_Token (Your token from https://www.duckdns.org/)
Log Storage Path: /mnt/user/appdata/logs/ (See Log Storage Path)
Appdata: /mnt/user/appdata/swag
Apply to pull the container.
Check the SWAG container logs to verify it is running properly.
On initialization, the logs should say something like:
DUCKDNSTOKEN
Under SWAG's docker settings, Add another Path, Port, Variable, Label or Device
Setting: Value
Config Type: Variable
Name: DUCKDNSTOKEN
Key: DUCKDNSTOKEN
Value: yourDuckDNS_Token (Your token from https://www.duckdns.org/)
Default Value:
Log Storage Path
This is used for fail2ban.
Under SWAG's docker settings, Add another Path, Port, Variable, Label or Device
Setting: Value
Config Type: Path
Name: Log Storage Path
Container Path: /logs
Host Path: /mnt/user/appdata/logs/
Default Value:
Access Mode: Read Only
Create a folder wherever you would like (this is the Host Path). In my case I used `/mnt/user/appdata/logs`
vaultwarden.subdomain.conf
Go to /appdata/swag/nginx/proxy-confs/ (or, wherever the Appdata variable for SWAG points: swag/nginx/proxy-confs/).
Create a new file named vaultwarden.subdomain.conf. SWAG ships sample files for many services in swag/nginx/proxy-confs/ (ending in .sample) that you can use as a starting point.
Refer to the vaultwarden.subdomain.conf file attached to this guide.
vaultwardensubdomain.txt
Vaultwarden
Install the vaultwarden container.
Go to APPS/Unraid's Community Applications and install vaultwarden:
Variables: Value
Repository: vaultwarden/server
Network Type: myNetName (This is the custom network or UserDefinedBridge)
WebUI HTTP Port: 4743
SIGNUPS_ALLOWED: false
INVITATIONS_ALLOWED: false
WEBSOCKET_ENABLED: true
ADMIN_TOKEN: yourTemporaryPassword (See ADMIN_TOKEN)
LOG_FILE: /logs/vaultwarden.log (This variable has to be manually added. See LOG_FILE and Log Storage)
Log Storage: /mnt/user/appdata/logs/ (This variable has to be manually added. See LOG_FILE and Log Storage)
Storage: /mnt/user/appdata/vaultwarden
ADMIN_TOKEN
Before initial setup
On your Unraid terminal, run:
openssl rand -base64 48
Use the output as your ADMIN_TOKEN
After initial setup
Secure the ADMIN_TOKEN
Important: The ADMIN_TOKEN should be hashed after the initial setup.
While the vaultwarden container is running, on your Unraid terminal:
docker exec -it vaultwarden /vaultwarden hash
LOG_FILE and Log Storage
https://github.com/dani-garcia/vaultwarden/wiki/Logging
You will have to add two entries under the Vaultwarden container settings, one Variable and one Path:
LOG_FILE
Under Vaultwarden's docker settings, Add another Path, Port, Variable, Label or Device
Setting: Value
Config Type: Variable
Name: LOG_FILE
Key: LOG_FILE
Value: /logs/vaultwarden.log
Default Value:
Log Storage
Under Vaultwarden's docker settings, Add another Path, Port, Variable, Label or Device
Setting: Value
Config Type: Path
Name: Log Storage
Container Path: /logs
Host Path: /mnt/user/appdata/logs/
Default Value:
Access Mode: Read/Write
Vaultwarden setup
Click on the Vaultwarden container and press the WebUI button. This should take you to the admin page myUnraidServerLanIpAddress:4743/admin.
Change the Domain URL to https://myUnraidServerVaultwarden.duckdns.org. This should be the DuckDNS domain you created.
Secure the ADMIN_TOKEN. (See ADMIN_TOKEN section above)
Optional: Follow Spaceinvader One's video to enable SMTP Email
Under General settings, temporarily enable Allow new signups
Save/Apply the settings by pressing the Save button on the bottom left of the UI.
Restart the Vaultwarden container.
Go to https://myUnraidServerVaultwarden.duckdns.org and create an account.
Go back to the Vaultwarden admin panel, General settings > disable Allow new signups
IMPORTANT: Edit vaultwarden.subdomain.conf at /appdata/swag/nginx/proxy-confs/ so that the admin panel is blocked from WAN access but still allowed from local/LAN addresses, or disable the admin panel altogether.
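An added example of what that edit can look like (this is not the attached file or SWAG's sample; the container name vaultwarden, upstream port 80, websocket port 3012 and the LAN range 192.168.1.0/24 are assumptions to adjust for your setup):

```nginx
# vaultwarden.subdomain.conf: added example, not the guide's attached file or SWAG's sample.
# Assumptions: the Vaultwarden container is named "vaultwarden" and shares the
# user-defined bridge with SWAG, so nginx reaches it by name on its container
# port 80 (4743 in the template is only the host-side mapping); websockets are
# on 3012; 192.168.1.0/24 is a placeholder for your own LAN range.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # must match the Vaultwarden name you put in SWAG's SUBDOMAINS
    server_name myUnraidServerVaultwarden.*;

    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app vaultwarden;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    # Admin panel: reachable from the LAN only, 403 for everyone else.
    # "allow" tests the client address nginx sees, so it relies on the
    # router's port forward preserving the source IP. To disable the
    # panel for everyone, replace the allow/deny pair with "return 404;".
    location ~ ^(/vaultwarden)?/admin {
        allow 192.168.1.0/24;
        deny all;
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app vaultwarden;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    # WebSocket notifications (WEBSOCKET_ENABLED=true in the template)
    location ~ ^(/vaultwarden)?/notifications/hub$ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app vaultwarden;
        set $upstream_port 3012;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

After saving, restart the SWAG container and confirm from a non-LAN address (for example over mobile data) that /admin returns 403 while the vault itself still loads.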
fail2ban
Swag also includes fail2ban.
We can set up fail2ban to read Vaultwarden's log and ban an IP address once its failed logins within findtime exceed maxretry.
In /appdata/swag/fail2ban/jail.local
add a new jail:
[vaultwarden]
enabled = true
port = http,https
filter = vaultwarden
action = iptables-allports[name=vaultwarden]
logpath = /logs/vaultwarden.log
maxretry = 5
bantime = 14400
findtime = 14400
In /appdata/swag/fail2ban/filter.d/ create a new file named vaultwarden.conf:
# https://github.com/dani-garcia/bitwarden_rs/wiki/Fail2Ban-Setup
# - Set up logging to file > https://github.com/dani-garcia/bitwarden_rs/wiki/Logging
# - Set logging level to warn or error
# Logged in bwdata/logs/identity/Identity/log.txt
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
vaultwarden.txt
Verify fail2ban works by connecting through a VPN (so you arrive from a non-LAN address) and failing login more than the maxretry value (5 in the jail above); that address should then be banned.
Logs are located at /appdata/swag/log/ and /appdata/logs.
You can unban an IP from your Unraid terminal. fail2ban runs inside the SWAG container, so the command targets that container (named swag here):
sudo docker exec -t swag fail2ban-client set vaultwarden unbanip XX.XX.XX.XX
Extras
Swag Dashboard - Installation Guide - Dashboards for Swag
Maxmind Docker mod for Nginx - Allows IP bans based on geolocation
Sources
How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX
Easily Setup a Bitwarden/vaultwarden Server on Unraid or a VPS for Password Management
SWAG
fail2ban
Vaultwarden
Alternative Link on gist.github
jail.txt