Discode
Posted March 5 (edited)

Table of Contents
- Overview
- Guide
  - DuckDNS
  - Unraid
  - SWAG
  - Vaultwarden
  - fail2ban
- Sources

Overview

Hello, I created this guide to document how to set up these containers as well as to help people who are also trying to figure this out. The information to set this up is spread out all over the place, and this is a way to group all of the steps together. Please let me know if I did anything wrong. This was how I set up Vaultwarden, so if I missed something, I'd like to fix it for my own server as well.

The purpose of this guide is to show you how to install Vaultwarden and allow you to access it safely over the internet through SWAG in Unraid.

- Vaultwarden is a self-hosted password manager based on Bitwarden.
- SWAG (formerly known as letsencrypt) is an Nginx webserver and reverse proxy that offers a safe way to host Vaultwarden through the internet. It offers this safety through:
  - fail2ban: intrusion prevention software that prevents brute-force attacks
  - SSL certs: encrypted data transmission
  - Reverse proxy (from the Spaceinvader One video): allows online access; redirects requests made to it to other places behind a firewall; an additional layer of abstraction and therefore additional security
- DuckDNS: free dynamic DNS. Support the project through their Patreon.

This guide is mostly taken from Spaceinvader One's videos but with updated information:
- How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX
- Easily Setup a Bitwarden/vaultwarden Server on Unraid or a VPS for Password Management

Guide

DuckDNS

DuckDNS allows us to track our WAN IP. This IP changes often depending on your ISP, which is why DuckDNS is needed. With DuckDNS, you can easily access your server at myUnraidServer.duckdns.org.

1. Go to https://www.duckdns.org/
2. Create an account and add 2 domains. Make sure you write these down somewhere, or can remember them.
   - The first domain points directly to your Unraid server. Example: myUnraidServer.duckdns.org
   - The second domain points to your Vaultwarden container. Example: myUnraidServerVaultwarden.duckdns.org
3. Go to APPS (Unraid Community Applications) and install Linuxserver.io's duckdns container.

   Variable: Value
   Repository: linuxserver/duckdns
   Network Type: Host
   Privileged: On
   SUBDOMAINS: myUnraidServer.duckdns.org, myUnraidServerVaultwarden.duckdns.org
   TOKEN: yourDuckDNS_Token (Your token from https://www.duckdns.org/)

Unraid

Port Forward

On your router, port forward your server ports:

External Port | Internal IP | Internal Port
80 | myUnraidServerLanIpAddress | 180
443 | myUnraidServerLanIpAddress | 1443

The internal port numbers do not matter; just make sure they're not used by other services on your server, and take note of them.

Create a UserDefinedBridge

In Unraid, create a user-defined bridge. There are many reasons to do this, but here are some from docs.docker:
- User-defined bridges provide automatic DNS resolution between containers
- User-defined bridges provide better isolation
- Containers can be attached and detached from user-defined networks on the fly
- Each user-defined network creates a configurable bridge
- Linked containers on the default bridge network share environment variables

1. Disable Docker by going to Unraid Settings > Docker > Enable Docker, set it to No, then apply.
2. Under Docker settings, with Advanced View enabled, set Preserve user defined networks to Yes.
3. Re-enable Docker: Unraid Settings > Docker > Enable Docker, set it to Yes, then apply.
4. Open an Unraid terminal, then run:

   docker network create myNetName

SWAG

We are now ready to install the SWAG container.

1. Go to APPS (also known as Unraid's Community Applications) and install linuxserver's swag.

   Overview: SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.

   Variable: Value
   Repository: lscr.io/linuxserver/swag
   Network Type: myNetName (This is the custom network or UserDefinedBridge)
   WebUI: 1443 (This is the custom internal port that was forwarded)
   Port 80: 180 (This is the custom internal port that was forwarded)
   URL: duckdns.org
   VALIDATION: http
   SUBDOMAINS: myUnraidServer, myUnraidServerVaultwarden (These are the custom domain names you made in DuckDNS)
   DNSPLUGIN: duckdns
   EMAIL: [email protected]
   STAGING: false
   DUCKDNSTOKEN: yourDuckDNS_Token (Your token from https://www.duckdns.org/)
   Log Storage Path: /mnt/user/appdata/logs/ (See Log Storage Path)
   Appdata: /mnt/user/appdata/swag
2. Apply to pull the container.
3. Verify the SWAG container logs to check that it's running properly. On initialization, the logs should say something like:

   Congratulations! Your certificate and chain have been saved at: ...

DUCKDNSTOKEN

Under SWAG's docker settings, Add another Path, Port, Variable, Label or Device:

Setting: Value
Config Type: Variable
Name: DUCKDNSTOKEN
Key: DUCKDNSTOKEN
Value: yourDuckDNS_Token (Your token from https://www.duckdns.org/)
Default Value: (empty)

Log Storage Path

This is used for fail2ban. Under SWAG's docker settings, Add another Path, Port, Variable, Label or Device:

Setting: Value
Config Type: Path
Name: Log Storage Path
Container Path: /logs
Host Path: /mnt/user/appdata/logs/
Default Value: (empty)
Access Mode: Read Only

Create a folder wherever you would like (Host Path). In my case I used /mnt/user/appdata/logs.

vaultwarden.subdomain.conf

Under /appdata/swag/nginx/proxy-confs/ (or wherever the Appdata variable is set for swag: swag/nginx/proxy-confs/), create a new file named vaultwarden.subdomain.conf. There should be samples for different services under swag/nginx/proxy-confs/. Refer to the vaultwarden.subdomain.conf file attached to this guide (attachment: vaultwardensubdomain.txt).

Vaultwarden

Install the vaultwarden container.

Go to APPS (Unraid's Community Applications) and install vaultwarden:

Variable: Value
Repository: vaultwarden/server
Network Type: myNetName (This is the custom network or UserDefinedBridge)
WebUI HTTP Port: 4743
SIGNUPS_ALLOWED: false
INVITATIONS_ALLOWED: false
WEBSOCKET_ENABLED: true
ADMIN_TOKEN: yourTemporaryPassword (See ADMIN_TOKEN)
LOG_FILE: /logs/vaultwarden.log (This variable has to be manually added. See LOG_FILE and Log Storage)
Log Storage: /mnt/user/appdata/logs/ (This variable has to be manually added. See LOG_FILE and Log Storage)
Storage: /mnt/user/appdata/vaultwarden

ADMIN_TOKEN

Before initial setup: on your Unraid terminal, run:

openssl rand -base64 48

Use the output as your ADMIN_TOKEN.

After initial setup: secure the ADMIN_TOKEN. Important: the ADMIN_TOKEN should be hashed after the initial setup. While the vaultwarden container is running, on your Unraid terminal:

docker exec -it vaultwarden /vaultwarden hash

LOG_FILE and Log Storage

https://github.com/dani-garcia/vaultwarden/wiki/Logging

You will have to create two variables:

LOG_FILE: under Vaultwarden's docker settings, Add another Path, Port, Variable, Label or Device:

Setting: Value
Config Type: Variable
Name: LOG_FILE
Key: LOG_FILE
Value: /logs/vaultwarden.log
Default Value: (empty)

Log Storage: under Vaultwarden's docker settings, Add another Path, Port, Variable, Label or Device:

Setting: Value
Config Type: Path
Name: Log Storage
Container Path: /logs
Host Path: /mnt/user/appdata/logs/
Default Value: (empty)
Access Mode: Read/Write

Vaultwarden setup

1. Click on the Vaultwarden container and press the WebUI button. This should take you to the admin page myUnraidServerLanIpAddress:4743/admin.
2. Change the Domain URL to https://myUnraidServerVaultwarden.duckdns.org. This should be the DuckDNS domain you created.
3. Secure the ADMIN_TOKEN (see the ADMIN_TOKEN section above).
4. Optional: follow Spaceinvader One's video to enable SMTP email.
5. Under General settings, temporarily enable Allow new signups.
6. Save/Apply the settings by pressing the Save button on the bottom left of the UI.
7. Restart the Vaultwarden container.
8. Go to https://myUnraidServerVaultwarden.duckdns.org and create an account.
9. Go back to the Vaultwarden admin panel, General settings > disable Allow new signups.

IMPORTANT: Edit vaultwarden.subdomain.conf at /appdata/swag/nginx/proxy-confs/ to disable the admin panel from WAN access but allow local/LAN access, or just disable the admin panel altogether.

fail2ban

SWAG also includes fail2ban. We can set up fail2ban to read Vaultwarden's logs and ban an IP address if attempted logins exceed a certain amount.

In /appdata/swag/fail2ban/jail.local, add a new jail:

[vaultwarden]
enabled = true
port = http,https
filter = vaultwarden
action = iptables-allports[name=vaultwarden]
logpath = /logs/vaultwarden.log
maxretry = 5
bantime = 14400
findtime = 14400

In /appdata/swag/fail2ban/filter.d/, create a new file named vaultwarden.conf:

# https://github.com/dani-garcia/bitwarden_rs/wiki/Fail2Ban-Setup
# - Set up logging to file > https://github.com/dani-garcia/bitwarden_rs/wiki/Logging
# - Set logging level to warn or error
# Logged in bwdata/logs/identity/Identity/log.txt
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =

(attachment: vaultwarden.txt)

Verify fail2ban works by using a VPN and failing login past the maxretry value (default is 5). Logs are located at /appdata/swag/log/ and /appdata/logs.

You can unban an IP using the following command on your Unraid terminal:

sudo docker exec -t fail2ban fail2ban-client set vaultwarden unbanip XX.XX.XX.XX

Extras
- Swag Dashboard - Installation Guide - Dashboards for Swag
- Maxmind Docker mod for Nginx - Allows IP bans based on geolocation

Sources
- How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX
- Easily Setup a Bitwarden/vaultwarden Server on Unraid or a VPS for Password Management
- SWAG
- fail2ban
- Vaultwarden
- Alternative Link on gist.github

(attachment: jail.txt)

Edited May 7 by Discode: Added DUCKDNSTOKEN as a manually added variable to the SWAG container
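To see what the [vaultwarden] jail and its filter above actually decide, here is an added Python example (not part of the original post and not fail2ban's own code). It applies the guide's failregex to constructed Vaultwarden-style log lines and counts failures per client address with the jail's maxretry and findtime values. The expansion of fail2ban's <ADDR> tag and the shape of the sample lines are assumptions; the timestamp parser accepts both the millisecond suffix that Vaultwarden's default timestamp format writes and lines without it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands its <ADDR> tag to an IPv4-or-IPv6 matcher; this simplified
# stand-in (an assumption, not fail2ban's own pattern) covers dotted IPv4 and
# colon-separated IPv6 literals.
ADDR = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]+)"

# The failregex from the guide's filter.d/vaultwarden.conf, with <ADDR> expanded.
FAILREGEX = re.compile(
    r"^.*Username or password is incorrect\. Try again\. IP: " + ADDR + r"\. Username:.*$"
)

# Vaultwarden's default LOG_TIMESTAMP_FORMAT writes seconds plus milliseconds;
# the optional "(?:\.\d{3})?" group accepts lines with or without the
# millisecond part, so both timestamp shapes parse the same way.
TIMESTAMP = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d{3})?\]")


def parse_failure(line):
    """Return (timestamp, client address) for a failed-login line, else None."""
    m_ts = TIMESTAMP.match(line)
    m_fail = FAILREGEX.match(line)
    if not (m_ts and m_fail):
        return None
    return datetime.strptime(m_ts.group("ts"), "%Y-%m-%d %H:%M:%S"), m_fail.group("addr")


def evaluate_jail(lines, maxretry=5, findtime=14400):
    """Sliding-window failure count per address, mirroring the jail's maxretry and
    findtime settings. Returns {address: time of ban} for every address that
    reached maxretry failures inside one findtime window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue  # not a failed login, or not a line this filter understands
        ts, addr = hit
        if addr in banned:
            continue  # fail2ban would already be dropping this address's packets
        q = recent[addr]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # forget failures that fell out of the findtime window
        if len(q) >= maxretry:
            banned[addr] = ts
    return banned


def fail_line(ts, addr, user="alice@example.com"):
    """Build a constructed sample line in the shape of Vaultwarden's default log output."""
    return (f"[{ts}][vaultwarden::api::identity][ERROR] Username or password is "
            f"incorrect. Try again. IP: {addr}. Username: {user}.")


# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = [
    fail_line("2024-03-05 20:00:00.101", "203.0.113.7"),
    fail_line("2024-03-05 20:00:03.412", "203.0.113.7"),
    "[2024-03-05 20:00:05.000][request][INFO] POST /identity/connect/token",  # ignored
    fail_line("2024-03-05 20:00:07.900", "203.0.113.7"),
    fail_line("2024-03-05 20:00:09.005", "198.51.100.9"),
    fail_line("2024-03-05 20:00:12.250", "203.0.113.7"),
    fail_line("2024-03-05 20:00:15.777", "203.0.113.7"),  # fifth failure in 16 s: ban
    fail_line("2024-03-05 20:00:20.000", "2001:db8::5"),
    fail_line("2024-03-05 20:00:25", "198.51.100.9"),  # timestamp without milliseconds
    # five failures 90 minutes apart never put five inside one 4 h findtime window
    fail_line("2024-03-05 21:00:00.000", "192.0.2.5"),
    fail_line("2024-03-05 22:30:00.000", "192.0.2.5"),
    fail_line("2024-03-06 00:00:00.000", "192.0.2.5"),
    fail_line("2024-03-06 01:30:00.000", "192.0.2.5"),
    fail_line("2024-03-06 03:00:00.000", "192.0.2.5"),
]

if __name__ == "__main__":
    for addr, when in evaluate_jail(SAMPLE_LOG).items():
        print(f"{addr} would be banned at {when} for 14400 s")
```

Run as-is it reports only 203.0.113.7; lowering maxretry or raising findtime pulls the slow 192.0.2.5 attempts into a ban, which is a quick way to reason about the trade-off between the two jail settings before touching a live jail.local.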
Mura
Posted March 6

Thanks. I set up my vaultwarden with your guide. What maybe needs improvement:

Secure Admin Token.. How to copy the secure token in the admin and docker config. I know there is a link but what from all this is for me.. Use '' or $$ or nothing.. With what do I log in after that... (with the password you used for the Secure Token)

You have to add the LOG_FILE and Log_Storage also to the vaultwarden Container. Someone maybe needs the same full explanation as with the swag container for that.

fail2ban only worked after I deleted the ms in the log timestamp format.

I can't remember if something else was a problem because I had an existing swag and so this was a little different.
Discode (Author)
Posted March 7

> 8 hours ago, Mura said:
> Thanks. I set up my vaultwarden with your guide. What maybe needs improvement:
> Secure Admin Token.. How to copy the secure token in the admin and docker config. I know there is a link but what from all this is for me.. Use '' or $$ or nothing.. With what do I log in after that... (with the password you used for the Secure Token)
> You have to add the LOG_FILE and Log_Storage also to the vaultwarden Container. Someone maybe needs the same full explanation as with the swag container for that.
> fail2ban only worked after I deleted the ms in the log timestamp format.
> I can't remember if something else was a problem because I had an existing swag and so this was a little different.

Admin Token

So you run the command:

docker exec -it vaultwarden /vaultwarden hash

Example output:

root@UnraidServer:~# docker exec -it vaultwarden /vaultwarden hash
Generate an Argon2id PHC string using the 'bitwarden' preset:
Password:
Confirm Password:
ADMIN_TOKEN='$argon2id##################################'
Generation of the Argon2id PHC string took: 131.303881ms

You then copy the value of ADMIN_TOKEN without the single quotes, i.e.:

$argon2id##################################

Paste it into Vaultwarden's Admin Panel under General Settings.

Vaultwarden also says:

NOTE: The settings here override the environment variables. Once saved, it's recommended to stop setting them to avoid confusion. This does not apply to the read-only section, which can only be set via environment variables.

I guess you can delete the values on the container variable itself. That's why mine is highlighted in yellow.

Vaultwarden Container

> You have to add the LOG_FILE and Log_Storage also to the vaultwarden Container. Someone maybe needs the same full explanation as with the swag container for that.

Yeah, thanks for this. I forgot to add that those had to be manually added. I'll update the guide.
Greygoose
Posted April 4

Great guide, helped a lot. Anything else you can update, keeping the thread alive as things change or you learn new tricks, would be great. Thank you.
K18LDP
Posted May 3

In the SWAG template I cannot see the DUCKDNSTOKEN listed as an option. Do I need to add this as an additional variable?
Discode (Author)
Posted May 7 (edited)

> On 5/3/2024 at 12:29 AM, K18LDP said:
> In the SWAG template I cannot see the DUCKDNSTOKEN listed as an option. Do I need to add this as an additional variable?

Yeah, read this reply. I completely forgot to add it to the guide.

> On 3/7/2024 at 12:16 AM, Discode said:
> Admin Token
> So you run the command:
> docker exec -it vaultwarden /vaultwarden hash
> Example output:
> root@UnraidServer:~# docker exec -it vaultwarden /vaultwarden hash
> Generate an Argon2id PHC string using the 'bitwarden' preset:
> Password:
> Confirm Password:
> ADMIN_TOKEN='$argon2id##################################'
> Generation of the Argon2id PHC string took: 131.303881ms
> You then copy the value of ADMIN_TOKEN without the single quotes, i.e.:
> $argon2id##################################
> Paste it into Vaultwarden's Admin Panel under General Settings.
> Vaultwarden also says:
> NOTE: The settings here override the environment variables. Once saved, it's recommended to stop setting them to avoid confusion. This does not apply to the read-only section, which can only be set via environment variables.
> I guess you can delete the values on the container variable itself. That's why mine is highlighted in yellow.
> Vaultwarden Container
> Yeah, thanks for this. I forgot to add that those had to be manually added. I'll update the guide.

Just in case, here it is:

DUCKDNSTOKEN

Under SWAG's docker settings, Add another Path, Port, Variable, Label or Device:

Setting: Value
Config Type: Variable
Name: DUCKDNSTOKEN
Key: DUCKDNSTOKEN
Value: yourDuckDNS_Token (Your token from https://www.duckdns.org/)
Default Value: (empty)

Edited May 7 by Discode
brejzek
Posted June 18

> "IMPORTANT: Edit vaultwarden.subdomain.conf at /appdata/swag/nginx/proxy-confs/ to disable the admin panel from WAN access but allow local/LAN access or just disable the admin panel altogether."

What changes do I need to make to achieve this? Using swag is new to me and I like it so far. Thanks!
hi2hello
Posted June 25 (edited)

Nice tutorial, though it seems I cannot get any certs from letsencrypt. Trying for a few hours now but I am stuck. Here's what the log says:

Requesting a certificate for myservername.duckdns.org
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: myservername.duckdns.org
Type: dns
Detail: DNS problem: SERVFAIL looking up CAA for myservername.duckdns.org - the domain's nameservers may be malfunctioning
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Any suggestions?

Edited June 25 by hi2hello
avinyc
Posted July 12

> On 6/18/2024 at 12:28 PM, brejzek said:
> "IMPORTANT: Edit vaultwarden.subdomain.conf at /appdata/swag/nginx/proxy-confs/ to disable the admin panel from WAN access but allow local/LAN access or just disable the admin panel altogether."
> What changes do I need to make to achieve this? Using swag is new to me and I like it so far. Thanks!

Just in case this was not explained, you would need to edit your vaultwarden (or in my case bitwardenrs) subdomain conf if you wanted to remove admin access.

Open the conf file and find the section that begins with:

location ~ (/bitwarden)?/admin {

Further down you should see the following lines:

# include /config/nginx/proxy.conf;
# include /config/nginx/resolver.conf;
# set $upstream_app CONTAINER_NAME;
# set $upstream_port PORTNUMBER;
# set $upstream_proto http;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;

As you see, I added '#' at the beginning of each line, which disables them when you save. Do not put '#' at the beginning of the location line or at the end with the closing '}'. The curly brackets need to exist; otherwise it will enable access again.

Save the conf file and restart the swag container. You should still have local access using the ipaddress:port/admin, and it should return a 404 error if you try to access it with the subdomain.
blueink
Posted September 5

Thank you for the excellent guide! I followed it and was able to get vaultwarden up and running. I am having trouble with fail2ban. I have gotten my IP banned, or so it seems. I see in the SWAG dashboard that my IP address is in the vaultwarden jail; however, I can access vaultwarden without any issues. Any idea how I can troubleshoot this? I checked the fail2ban log and there is nothing there beyond the line indicating that the IP address is banned.